Re: [sqlmap-users] Trouble With an Injection
From: Miroslav S. <mir...@gm...> - 2011-12-15 10:15:04
Hi.

I believe that in your case that "appears to be" caused a little misguidance. With the latest commit that message should be restrained to 1 appearance per target, so there won't be such a large number of those. "Appears to be" is just a friendly log message. Be sure that sqlmap checks that "appears to be" is really a chance for injecting.

I would say that you should skip this target because of one strong reason:
- you've received "appears to be" for different boundaries (prefix/suffix combinations), which is impossible for a positive injectable target

Kind regards

On Wed, Dec 14, 2011 at 4:51 PM, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> I'm having problems with an injection that I think is real.
>
> It's a standard POST request with one of the parameters of the data sent
> being vulnerable. This all happens in an unauthenticated area of the
> application, so there's no need to set the cookie value etc.
>
> The injection point was found with Burp Scanner. It has the following to
> say:
>
> *Issue detail*
> The BLAH parameter appears to be vulnerable to SQL injection attacks. The
> payload %00' was submitted in the BLAH parameter, and a database error
> message was returned. You should review the contents of the error message,
> and the application's handling of other input, to confirm whether a
> vulnerability is present. The database appears to be PostgreSQL. The
> application attempts to block SQL injection attacks but this can be
> circumvented by submitting a URL-encoded NULL byte (%00) before the
> characters that are being blocked.
>
> The server response looks like this:
>
> HTTP/1.1 202 Accepted
> Server: Apache-Coyote/1.1
> Vary: Accept-Encoding
> Cache-Control: no-cache
> Content-Type: text/xml;charset=UTF-8
> Date: Wed, 14 Dec 2011 12:48:30 GMT
> Content-Length: 7754
>
> <?xml version="1.0" encoding="UTF-8"?>
> <errors><error><text><![CDATA[could not load an entity:
> [vyre.content.CollectionSchema#165']; nested exception is
> org.hibernate.exception.DataException: could not load an entity:
> [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException:
> could not load an entity: [vyre.content.CollectionSchema#165']
> at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
> at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
> at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
> at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
> at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
> at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
> at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
> at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
> at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
> at $Proxy17.load(Unknown Source)
> at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
> at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> at java.lang.Thread.run(Thread.java:619)
> Caused by: org.hibernate.exception.DataException: could not load an
> entity: [vyre.content.CollectionSchema#165']
> at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
> at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
> at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
> at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
> at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
> at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
> at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
> at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
> at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
> at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
> at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
> at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
> at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
> at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
> at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
> at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
> ... 46 more
> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence
> for encoding "UTF8": 0x00
> at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
> at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
> at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
> at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
> at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
> at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
> at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
> at org.hibernate.loader.Loader.doQuery(Loader.java:674)
> at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
> at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
> ... 59 more
> ]]></stack-trace></error></errors>
>
> I've worked my way up to the following sqlmap command:
>
> C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax"
> --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql
> --union-char=1 --tamper=appendnullbyte -f -b
>
> sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
> http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Authors assume no liability and
> are not responsible for any misuse or damage caused by this program
>
> [*] starting at 15:33:52
>
> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
> [15:33:53] [INFO] using '*****\session' as session file
> [15:33:53] [INFO] testing connection to the target url
> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
> [15:34:03] [INFO] url is stable
> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 columns'
> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 columns'
> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 columns'
> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 columns'
> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
>
> [*] shutting down at 15:42:42
>
> I didn't start with all of those arguments for sqlmap - I've tried it
> without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and
> --tamper=appendnullbyte and got pretty much the same results for each.
>
> Maybe it's not injectable, but I'd like people's input before I write it
> off, since it looks very suspect to me.
>
> Thanks
>
> Chris

--
Miroslav Stampar
http://about.me/stamparm
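Added example (not from the thread and not sqlmap's own logic): a small Python triage script that applies Miroslav's rule to sqlmap console output. It groups "appears to be UNION injectable" hints by the test title that produced them and flags the run as a likely false positive when hints appear under more than one boundary while no parameter ends up confirmed injectable. The sample lines are constructed from the log quoted above; the positive-verdict format `is '<title>' injectable` is an assumption about sqlmap output of that era.

```python
"""Triage sqlmap console output for the 'appears to be' false-positive
pattern discussed in the thread (added example; heuristic based on
Miroslav's reply, not sqlmap's internal decision logic)."""
import re
from collections import defaultdict

# "testing '<title>'" announces the boundary/payload set being tried.
TESTING_RE = re.compile(r"\[INFO\] testing '(?P<title>.+)'$")
# The friendly hint that misled the reporter.
APPEARS_RE = re.compile(
    r"\[INFO\] target url appears to be UNION injectable with (?P<cols>\d+) columns$")
# Final per-parameter verdict. The negative form is taken from the quoted log;
# the positive form "is '<title>' injectable" is assumed, not taken from the thread.
VERDICT_RE = re.compile(
    r"parameter '(?P<param>[^']+)' is (?P<verdict>not injectable|'[^']+' injectable)")


def triage(log_lines):
    """Count hints per test title and decide whether the run confirms anything."""
    hints = defaultdict(int)   # test title -> number of 'appears to be' hints under it
    current_title = None
    verdicts = {}              # parameter name -> verdict text
    for line in log_lines:
        m = TESTING_RE.search(line)
        if m:
            current_title = m.group("title")
            continue
        if APPEARS_RE.search(line) and current_title is not None:
            hints[current_title] += 1
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group("param")] = m.group("verdict")
    confirmed = [p for p, v in verdicts.items() if v != "not injectable"]
    titles_with_hints = sorted(hints)
    return {
        "hints_per_title": dict(hints),
        "boundaries_with_hints": len(titles_with_hints),
        "confirmed_params": confirmed,
        # Miroslav's rule: hints under several boundaries and nothing confirmed.
        "likely_false_positive": len(titles_with_hints) > 1 and not confirmed,
    }


# Constructed sample, condensed from the log quoted in the thread.
SAMPLE_LOG = """\
[15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
[15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
[15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
[15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
[15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
[15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
[15:42:42] [CRITICAL] all parameters appear to be not injectable.""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```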