[sqlmap-users] HTTP Parameter Pollution (was Re: Sqlmap missing a get param?)
From: Steve P. <ste...@gm...> - 2011-02-05 16:51:35
On 02/05/2011 03:23 AM, Miroslav Stampar wrote:
> Hi again.
>
> I was giving it a thought and the final for now is no. This would
> break the concept of sqlmap a lot.
>
> We are identifying injection points by parameter names (also
> considering the place where it's located - e.g. GET/id).
>
> In case where we would "modify" sqlmap to accept these "cases" we
> would need not just replace dictionary with list, but to change the
> whole data model. This moment we have more priority stuff to do.

I would agree. The only thing I've really found HTTP Parameter Pollution useful for so far is XSS filtering workarounds, both for the IE 8 client side filter and WAF type tech. I can't think of too many places where it would be directly useful for SQL injection. Definitely a corner case for that application; it probably is best handled by a human brain.

The problem with web security in general is that the amount of corner cases is huge, and most tools don't even do a good job of hitting the easy cases yet. Sqlmap is definitely ahead of the curve for SQL injection tools.

Speaking of which, have you given sqlmap a try on WAVSEP yet? I've used it a bit for XSS tool vetting and development the past few weeks (and am adding some more test cases), but haven't looked at it for SQL injection yet.

http://code.google.com/p/wavsep/

> Three things I would suggest so you could make a scan "compliant" to sqlmap is:
> 1) either use URI injection mark * to tell sqlmap where to look for
> injection (e.g. ./sqlmap.py -u
> "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1")
> or
> 2) concatenate/adjust the URI yourself manually - so, if you see that
> there are two idA parameters try to manually play around and see what
> web servers do with those - try to concatenate and/or delete the first
> one
> or
> 3) be realistic. there are lots of "junk" URIs in the wild that can be
> "beautified" by yourself - e.g.
> ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test
>
> kr

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
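The data-model point Miroslav makes above (a dictionary keyed by parameter name cannot represent the duplicated idA from the thread's example URL) and his advice to check how the backend collapses duplicates can be made concrete. The following is an added example, not code from this thread or from sqlmap; it uses the thread's example URL with an assumed http:// scheme, and the policy names 'first', 'last' and 'concat' are labels chosen here for the three common backend behaviours.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the URL from the thread (scheme added), idA appears twice.
SAMPLE_URL = "http://www.test.com/index.php?idA=1&idB=2&idA=3&idC=1"

POLICIES = ("first", "last", "concat")  # hypothetical labels for backend behaviour


def query_pairs(url):
    """Return the query string as an ordered list of (name, value) pairs.

    A list keeps every occurrence; turning it into a dict keyed by name
    (as a name-keyed injection-point model does) silently drops one idA.
    """
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def duplicated_params(url):
    """Parameter names that occur more than once.

    This is the signal a reviewer of access logs or WAF logs wants when
    looking for HTTP Parameter Pollution attempts against an application.
    """
    counts = {}
    for name, _ in query_pairs(url):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def resolve(url, policy):
    """Collapse duplicate names the way different backends do.

    'first': first occurrence wins; 'last': last occurrence wins;
    'concat': values joined with a comma. Which one a given server or
    framework applies has to be verified against that server, as the
    thread suggests.
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy: %s" % policy)
    seen = {}
    for name, value in query_pairs(url):
        if name not in seen or policy == "last":
            seen[name] = value
        elif policy == "concat":
            seen[name] = seen[name] + "," + value
        # policy == "first": keep the value already stored
    return seen
```

Running resolve() with each policy on the sample URL shows why the same query string can mean three different things to three different backends, and why a name-keyed model cannot express that without a list.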