Re: [sqlmap-users] Parameter "is not dynamic"
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-31 00:07:50
Hi Roman,

Roman Medina-Heigl Hernandez wrote:
> ...
> The page in question is a user/password form, sent via POST method, where
> only the user parameter (called "txtUsuario") is injectable. I manually
> checked it and:
> - if an arbitrary user is entered, I get a 200 response with "Incorrect
> user" message.
> - if I enter a "'" char, I get a 500 response and an error message from the
> database :)
> - if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get
> a 200 response, this time with "Incorrect password" (so user test is
> passed!!!).

The comparison and dynamicity test is done based on page content, not on
response codes. However, it has been strongly improved for the next release.

> Former tests show that it is clearly vulnerable to (blind) SQL injection,
> but I didn't get it to exploit with sqlmap....
> ...

Use the latest version available from the sqlmap subversion repository, or
wait until I release it as stable in a few days.

> ...
> I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=9378&txtPwd=a&Submit=aceptar
>
> I guess the first requests are tests for stability (that's ok), and the
> last one is for the "dynamic" test. Since both "a" and "9378" values return
> the same response (code 200, with string "Incorrect user"), it believes the
> parameter is not dynamic (I guess). But this logic is nonsense: why is
> sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to
> disable this "dynamic test"?

Try to call sqlmap providing as txtUsuario a valid username rather than 'a'.

By the way, sqlmap does not yet implement automatic login bypasses, but you
can do that manually using the latest development version by combining the
options --prefix and --postfix.

I already went through this topic on this mailing list; check the online
archives.

Regards,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F