web application – CRITICAL : all tested parameters do not appear to be injectable


This is all for educational purposes.
So, I am trying to access the database of a web application.
After successfully creating an interception through Burp Suite, I copied the ‘Request’ to the /tmp/user.request file.

Here is my user.request file

After that I started sqlmap and typed this in the terminal:

    sqlmap -r /tmp/user.request --dbs --banner --tamper=apostrophemask,apostrophenullencode --level=5 --risk=3

It also showed some ‘CRITICAL’ warnings:

    (CRITICAL) previous heuristics detected that the target is protected by some kind of WAF/IPS

After some time it showed something like this –
REFER THIS
and then I pressed “Y”.
But after that I started getting warnings, which mainly said:

    parameter (parameter name) might not be injectable

One can refer to this image here too.

Then I got something like this where I pressed “Y” again.
HERE IT IS

At last it ended like this –
CHECK THIS

I even tried with the syntax below:

    sqlmap -u http://websiteurl/ --dbs --banner --tamper=apostrophemask,apostrophenullencode --level=5 --risk=3 --cookie="ASP.NET_SessionId=52c2u1vbvlgr5erosxknimil"

But after 8424 “400 (Bad Request)” responses, the same CRITICAL error popped up:

    all tested parameters do not appear to be injectable.

sqlmap has given me false information three times, giving me three different names for backend databases for this particular web app, and every single time I’ve executed sqlmap it has told me that:

    (WARNING) parameter '(parametername)' does not seem to be injectable.

You can check this image here.
So, does this mean this particular web application is not vulnerable to SQL injection?

Expected behavior
I expect sqlmap to successfully inject the payloads and give me back the databases on the website.

Running environment:

  • sqlmap version 1.4.9#stable
  • Operating system: Kali Linux (2020.2)

Target details:

    POST / HTTP/1.1
    Host: website name
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 420
    Origin: http://website url
    Connection: close
    Referer: http://website url
    Cookie: ASP.NET_SessionId=52c2u1vbvlgr5erosxknimil
    Upgrade-Insecure-Requests: 1

If someone could just guide me through the necessary steps, it would be of massive help.