Is my website still vulnerable if sqlmap cannot retrieve the database names but CAN successfully inject?
I am (basically) pen-testing my own website, and I do have a new WAF, but have temporarily taken it down in a safe, testing environment (the one on my actual site is still up.)
This is the same site that was receiving an enormous amount of SSH login attempts, and because I want to make it really secure after that incident, I have decided to do a self pen-test! To be fair, it has actually been very interesting.
Using sqlmap, with my WAF up, it can't inject, even with highly aggressive and intrusive tamper scripts and other evasion methods.
But (it may be dramatic) I wanted to test if I could SQLi if my WAF was down.
After a few hours of trying different methods, becoming more and more aggressive, I was a bit surprised that sqlmap had actually found a vulnerability!
But although it successfully injected, it couldn't actually retrieve the --dbs names, as seen below:
[CRITICAL] unable to retrieve the database names
So does this mean I am still vulnerable, without my WAF?
I apologize if this is a stupid question, but I am new to this.