Re: [sqlmap-users] hmm
From: Ignacio H. <nac...@gm...> - 2010-05-20 11:49:07
It's a known flaw in sqlmap, the false negatives, and they are working on it. It is a complex task, as some pages output the URL you are using to inject in the output page. For example, if sqlmap is checking whether injection works and tries "vuln.php?id=1 and 1=1", the output page can echo something like <a href="http://www.site.com/vuln.php?id=1 and 1=1&otherparam=2"> and that can mess up the detection engine... I tried to make an approach to solve this, but definitively my Python (and general programming) knowledge was not enough to work on a project like sqlmap. :)

To get data faster from slow sites you can try a semi-blind technique I discovered some time ago (well, I think it was already discovered by someone else but I hadn't noticed). It is some kind of semi-blind injection using arithmetic-based injection. For example, if you are trying to inject on the news app of a web site, they can sometimes echo to the response page something like "This is the X news posted here", where X is the news id selected. The URL could be something like:

site.com?newsid=6

You can inject something like this to get one char for each query you make:

vuln.php?newsid=128-(ascii(mid( (select version()),1,1)))

So if it's echoed "This is the 51 news posted here", you know the char is "M" (128-51=77, 77=M). You can make a script to automate this. I made one but I can't find it right now.

I hope it helps,
Regards.

2010/5/20 <ja...@ev...>

> > Yeah, that's the weird thing. Stacked SHOULD be enabled. Also no UNION
> > ability. I guess I'm boned. :) The injection doesn't respond to any errors..
> > That's actually how I found it. Feeding "'" to an arg gave me a blank page
> > which is usually good. I suppose it could be a false negative. I will
> > inspect further. Also;
> >
> > A general message to the SQLmap users:
> >
> > Have you noted that SQLMap misses a lot of vulns? Simple ones like
> > windowsistrash.asp?id=1';waitfor delay '00:00:15'
> > And also more complex POST vulns? I've been using SQLNinja on the advice
> > of my friend Bert and it appears to pwn windoze better than SQLmap...
> >
> > Bernardo -- Any clue on this? I can provide a few examples of sites in
> > private where SQLNinja succeeded and SQLMap failed to detect the GET or POST
> > vuln.
> > I'm always using SVN too, btw.
> >
> > If anyone else has noticed this.. please reply.. let's squash this bug...
> >
> > James @ EV6.net
> >
> >
> > On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G."
> > <ber...@gm...> wrote:
> > > James,
> > >
> > > On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
> > >> ...
> > >> I'm currently attempting to attack an interesting setup.. A RedHat(Apache)
> > >> box with a PHP front end linked to a MS SQL db.
> > >
> > > It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl)
> > > with back-end MSSQL or MySQL recently.
> > >
> > >> Since it's Apache+Linux it doesn't support stacked queries..
> > >
> > > Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> > > yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
> > >
> > >> It's also slow as dog crap going up a hill with the blind injection.
> > >> Does anyone know of a way to use the OPENROWSET type attack without
> > >> stacked queries?
> > >
> > > You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
> > >
> > >> Or basically have any ideas how I can get enough proof of data from
> > >> this box relatively quick?
> > >
> > > If it is affected by an error-based SQL injection also, something like
> > > AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL
> > > injection can help, if vulnerable.
> > >
> > > Cheers,
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
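As an added example that is not part of the thread or of sqlmap itself: a small Python scanner that reads constructed access-log lines and flags the three probe styles discussed above (the arithmetic echo oracle, a boolean `and 1=1` probe and a WAITFOR DELAY payload), then counts clients repeating the oracle, since the technique costs one request per leaked character. The log format, the sample lines and the signatures are assumptions made for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines for the demo (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2010:11:40:01 +0100] "GET /vuln.php?newsid=6 HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2010:11:40:02 +0100] "GET /vuln.php?newsid=128-(ascii(mid((select%20version()),1,1))) HTTP/1.1" 200 514
10.0.0.5 - - [20/May/2010:11:40:03 +0100] "GET /vuln.php?newsid=128-(ascii(mid((select%20version()),2,1))) HTTP/1.1" 200 514
10.0.0.9 - - [20/May/2010:11:41:10 +0100] "GET /vuln.php?id=1%20and%201=1&page=2 HTTP/1.1" 200 900
10.0.0.9 - - [20/May/2010:11:41:12 +0100] "GET /windowsistrash.asp?id=1';waitfor%20delay%20'00:00:15' HTTP/1.1" 200 30
10.0.0.7 - - [20/May/2010:11:42:00 +0100] "GET /vuln.php?newsid=7 HTTP/1.1" 200 512
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/')
# One signature per probe style mentioned in the thread, applied to decoded values.
SIGNATURES = {
    # numeric literal, +/- and a bracketed SQL string function: the echo oracle
    "arith_oracle": re.compile(r"^\s*\d+\s*[-+]\s*\(.*\b(ascii|ord|mid|substr(?:ing)?)\s*\(", re.I),
    # boolean probe appended to a numeric parameter ("1 and 1=1")
    "boolean": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    # time-based payloads (MSSQL WAITFOR DELAY, MySQL SLEEP/BENCHMARK)
    "time_based": re.compile(r"\bwaitfor\s+delay\b|\b(sleep|benchmark)\s*\(", re.I),
}

def classify_value(value):
    """Return the signature names matching one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_log(text):
    """One finding per parameter value that matches a signature."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # split by hand so ';' inside a payload is never treated as a separator
        for pair in urlsplit(m.group("target")).query.split("&"):
            param, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            tags = classify_value(value)
            if tags:
                findings.append({"ip": m.group("ip"), "param": param, "value": value, "tags": tags})
    return findings

def oracle_clients(findings, threshold=2):
    """Clients repeating the arithmetic oracle (one request per leaked character)."""
    counts = Counter(f["ip"] for f in findings if "arith_oracle" in f["tags"])
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Running `scan_log(SAMPLE_LOG)` yields four findings on the sample, and `oracle_clients` singles out the one client that issued repeated oracle requests.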