• caglararli@hotmail.com
  • 05386281520

Is my wesbite stil vulnerable if sqlmap cannot retrieve the database names but CAN successfully inject?

Çağlar Arlı      -    84 Views

Is my wesbite stil vulnerable if sqlmap cannot retrieve the database names but CAN successfully inject?

I am (basically) pen-testing my own website, and I do have a new WAF, but have temporarily taken it down in a safe, testing environment (the one on my actual site is still up.)

This is the same site that was receiving an enormous amount of SSH login attempts, and because I want to make it is really secure after that incident, I have decided to do a self pen-test! To be fair, it has actually very interesting.

Using sqlmap, with my WAF up, it can't inject, even with highly aggressive and intrusive tamper scripts and other evasion methods.

But (it may dramatic) I wanted to test if I could SQLi if my WAF was down.

After a few hours of trying different methods, becoming more and more aggressive, I was a bit surprised that sqlmap had actually found a vulnerability!

But although it successfully injected, it couldn't actually retrieve the --dbs names, as seen below:

[CRITICAL] unable to retrieve the database names

So does this mean I am still vulnerable, without my WAF?

I apologize if this is a stupid question- but I am new to this.