8
R-C-D
5y

Looking for bug bounty online and trying to find a SQLi bug.
I tried using sqlmap but no success.
Is it about the WAF they're using, or is sqlmap not complete?
(I set the level and risk to highest possible)

Thanks
@ExGetMessage

Comments
  • 2
    Could be a WAF, could be Mod Security, or just could be lack of a vulnerability.
  • 0
    @C0D4 no way to attack?
    Ok I'll go for another vuln
  • 3
    Is this the first time you are trying something like this?

    You don't find SQL injections just because you are using sqlmap with some default settings/presets... I bet a thousand script kiddies tried that before. You should put more effort and research into a topic like this.
  • 2
    @R1100 if the target URI (generally a dynamic ID) for SQLi has been sanitised and/or has SQL attack preventions in place then it's unlikely it will pick anything up.

    But that doesn't mean another URI doesn't exist that isn't protected.
  • 2
    All you have to do is to use prepared statements and there won't be any SQL Injection possible. Prepared statements were new and fairly unused maybe 10-6 years ago, but I imagine they are much more widespread now.
  • 1
    @arraysstartat1
    This. And every OR mapper generates prepared statements.