Kali Linux Web App Pentesting Labs - Lab 6

Hi Jesse,

I’m just following the Labs and it seems that altoromutual.com changed its login since you recorded the session.
I could get the injection working manually for the uid field, but I was not able to identify the injection with sqlmap.

I tried the following command:
sqlmap -u "http://altoromutual.com/doLogin" --data "uid=test&passw=test&btnSubmit=Login" -p uid

Both following and not following the redirect resulted in a non-injectable result for the parameter uid.

Any ideas what’s wrong? Or maybe some hint why sqlmap is not detecting the possible injection?

thx