Re: [sqlmap-users] Trouble With an Injection
From: Chris O. <chr...@gm...> - 2011-12-16 09:46:17
Thanks to all. Definitely a false positive following all your advice and reasoning.

Cheers.

On 15 December 2011 10:14, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> I believe that in your case that "appears to be" caused a little
> misguidance. With the latest commit that message should be restrained to
> 1 appearance per target, so there won't be such large number of those.
>
> "Appears to be" is just a friendly log message. Be sure that sqlmap checks
> that "appears to be" is really a chance for injecting.
>
> I would say that you should skip this target because of one strong reason:
> - you've received "appears to be" for different boundaries (prefix/suffix
> combinations) which is impossible for a positive injectable target
>
> Kind regards
>
> On Wed, Dec 14, 2011 at 4:51 PM, Chris Oakley <chr...@gm...> wrote:
>
>> Hi All
>>
>> I'm having problems with an injection that I think is real.
>>
>> It's a standard POST request with one of the parameters of the data sent
>> being vulnerable. This all happens in an unauthenticated area of the
>> application, so there's no need to set the cookie value etc.
>>
>> The injection point was found with Burp Scanner. It has the following to
>> say:
>>
>> *Issue detail*
>> The BLAH parameter appears to be vulnerable to SQL injection attacks. The
>> payload %00' was submitted in the BLAH parameter, and a database error
>> message was returned. You should review the contents of the error message,
>> and the application's handling of other input, to confirm whether a
>> vulnerability is present. The database appears to be PostgreSQL. The
>> application attempts to block SQL injection attacks but this can be
>> circumvented by submitting a URL-encoded NULL byte (%00) before the
>> characters that are being blocked.
>>
>> The server response looks like this:
>>
>> HTTP/1.1 202 Accepted
>> Server: Apache-Coyote/1.1
>> Vary: Accept-Encoding
>> Cache-Control: no-cache
>> Content-Type: text/xml;charset=UTF-8
>> Date: Wed, 14 Dec 2011 12:48:30 GMT
>> Content-Length: 7754
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']; nested exception is org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
>> at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
>> at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
>> at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
>> at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
>> at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
>> at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
>> at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
>> at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>> at java.lang.reflect.Method.invoke(Method.java:597)
>> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
>> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
>> at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
>> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>> at $Proxy17.load(Unknown Source)
>> at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
>> at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>> at java.lang.Thread.run(Thread.java:619)
>> Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
>> at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
>> at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
>> at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
>> at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
>> at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
>> at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
>> at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
>> at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
>> at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
>> at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
>> at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
>> at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
>> at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
>> at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
>> at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
>> at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
>> ... 46 more
>> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
>> at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
>> at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
>> at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
>> at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
>> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
>> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
>> at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>> at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>> at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
>> at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
>> at org.hibernate.loader.Loader.doQuery(Loader.java:674)
>> at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
>> at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
>> ... 59 more
>> ]]></stack-trace></error></errors>
>>
>> I've worked my way up to the following sqlmap command:
>>
>> C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax" --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql --union-char=1 --tamper=appendnullbyte -f -b
>>
>> sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
>> http://www.sqlmap.org
>>
>> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 15:33:52
>>
>> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
>> [15:33:53] [INFO] using '*****\session' as session file
>> [15:33:53] [INFO] testing connection to the target url
>> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
>> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
>> [15:34:03] [INFO] url is stable
>> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
>> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
>> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
>> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
>> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
>> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
>> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
>> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
>> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
>> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
>> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
>> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
>> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
>> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
>> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
>> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
>> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
>> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
>> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
>> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 columns'
>> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 columns'
>> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 columns'
>> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 columns'
>> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
>> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
>>
>> [*] shutting down at 15:42:42
>>
>> I didn't start with all of those arguments for sqlmap - I've tried it
>> without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and
>> --tamper=appendnullbyte and got pretty much the same results for each.
>>
>> Maybe it's not injectable, but I'd like people's input before I write it
>> off, since it looks very suspect to me.
>>
>> Thanks
>>
>> Chris
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
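A small triage helper, added here as an example and not code from the thread, from sqlmap or from Burp: it classifies the leaked error by the Hibernate exception class that wraps it, and counts sqlmap's "appears to be" hints per UNION test against the final verdict, which is the reasoning Miroslav applies above. The Hibernate SQLSTATE mapping described in the docstring and the grammar-error sample are my assumptions; the other samples are excerpts of what Chris quoted.

```python
import re
from collections import Counter

# Constructed sample 1: the relevant fragment of the XML error response quoted in the
# thread (Hibernate DataException wrapping a PostgreSQL encoding error).
RESPONSE_NUL = (
    "could not load an entity: [vyre.content.CollectionSchema#165']; nested exception is "
    "org.hibernate.exception.DataException: could not load an entity ... Caused by: "
    'org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00'
)
# Constructed sample 2 (assumed, not from the thread): how a grammar-level error would read.
RESPONSE_SYNTAX = (
    "org.hibernate.exception.SQLGrammarException: could not execute query ... Caused by: "
    "org.postgresql.util.PSQLException: ERROR: syntax error at or near \"'\""
)


def classify_db_error(body: str) -> str:
    """Triage a leaked Hibernate/PostgreSQL error by its exception class.

    Assumption: Hibernate's SQLStateConverter maps SQLSTATE class 22 (data exception,
    which PostgreSQL raises for a NUL byte in a UTF8 value) to DataException and class 42
    (syntax error) to SQLGrammarException. A data error can be raised by a correctly
    bound parameter, so alone it is weak evidence; a grammar error means the input
    changed the statement text, which is what a real injection does.
    """
    if "SQLGrammarException" in body or "syntax error at or near" in body:
        return "grammar-error"
    if "DataException" in body or "invalid byte sequence for encoding" in body:
        return "data-error"
    return "unknown"


# Constructed sample 3: a short excerpt of the sqlmap run quoted in the thread.
SQLMAP_LOG = """\
[15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
[15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
[15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
"""

TEST_RE = re.compile(r"testing '([^']+)'")
HINT_RE = re.compile(r"appears to be UNION injectable with (\d+) columns")
VERDICT_RE = re.compile(r"parameter '[^']+' is (not injectable|injectable)")


def triage_sqlmap_log(log: str) -> dict:
    """Count 'appears to be' hints per UNION test and read sqlmap's final verdict.

    Many hints under one test (one per boundary tried) followed by 'not injectable' is
    the pattern Miroslav calls impossible for a genuinely injectable target: the hint
    is a heuristic, the verdict is what sqlmap actually verified.
    """
    hints, current, verdict = Counter(), None, None
    for line in log.splitlines():
        if m := TEST_RE.search(line):
            current = m.group(1)
        elif (m := HINT_RE.search(line)) and current:
            hints[current] += 1
        elif m := VERDICT_RE.search(line):
            verdict = m.group(1)
    false_positive = verdict == "not injectable" and any(n > 1 for n in hints.values())
    return {"hints": dict(hints), "verdict": verdict, "likely_false_positive": false_positive}
```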