bashsqlmap

bash: --dbs command not found & others


I am doing some pentests against one of my websites that is currently being built (a school project)

And I am trying to make sure it's security at it's best.

(Yes, I do have the correct parameters and the site is vulnerable to SQLi Injections.

It does continue it's scan but it will then ask the [y/n] and I choose [y] and it just stops and doesn't scan. I've tried doing a fresh clone of sqlmap and that didn't work.

Anything that can help would be appreciated.

root@kali:~# sqlmap -u http://myschoolproject.com/ --dbs
[1] 1372
bash: --dbs: command not found

(It will scan until asked a [y/n])



it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y

[1]+  Stopped sqlmap -u http://myschoolproject.com/

Solution

  • That sounds like you have a & in there. In bash, foo & bar runs the command foo in the background and bar in the foreground.

    So if your URL actually looks like http://myschoolproject.com/index.php?cat=4&attr=95,76, that command is interpreted as

    sqlmap -u http://myschoolproject.com/index.php?cat=4 &
    attr=95,76 --dbs
    

    The first command runs sqlmap in the background (with a truncated URL); this explains the [1] 1372 part (that's what bash shows then starting a background process). The second command runs --dbs in the foreground (with attr set to 95,76 in the environment); this explains the bash: --dbs: command not found error.

    In any case, the solution is to quote the URL with single quotes:

    sqlmap -u 'http://myschoolproject.com/index.php?cat=4&attr=95,76' --dbs