I am doing some pentests against one of my websites that is currently being built (a school project)
And I am trying to make sure it's security at it's best.
(Yes, I do have the correct parameters and the site is vulnerable to SQLi Injections.
It does continue it's scan but it will then ask the [y/n] and I choose [y] and it just stops and doesn't scan. I've tried doing a fresh clone of sqlmap and that didn't work.
Anything that can help would be appreciated.
root@kali:~# sqlmap -u http://myschoolproject.com/ --dbs
[1] 1372
bash: --dbs: command not found
(It will scan until asked a [y/n])
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[1]+ Stopped sqlmap -u http://myschoolproject.com/
That sounds like you have a &
in there. In bash, foo & bar
runs the command foo
in the background and bar
in the foreground.
So if your URL actually looks like http://myschoolproject.com/index.php?cat=4&attr=95,76
, that command is interpreted as
sqlmap -u http://myschoolproject.com/index.php?cat=4 &
attr=95,76 --dbs
The first command runs sqlmap
in the background (with a truncated URL); this explains the [1] 1372
part (that's what bash shows then starting a background process). The second command runs --dbs
in the foreground (with attr
set to 95,76
in the environment); this explains the bash: --dbs: command not found
error.
In any case, the solution is to quote the URL with single quotes:
sqlmap -u 'http://myschoolproject.com/index.php?cat=4&attr=95,76' --dbs