Re: [sqlmap-users] sqlmap not detecting injectable parameter
From: Miroslav S. <mir...@gm...> - 2012-04-25 13:44:26
p.s. it would be good if you could send a traffic file for this case (-t traffic.txt)

On Wed, Apr 25, 2012 at 3:42 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Robert.
>
> Could you please update (svn update) to the latest r5018 and retry it
> again?
>
> Kind regards,
> Miroslav Stampar
>
>
> On Wed, Apr 25, 2012 at 3:33 PM, Robert Spotswood <ro...@sp...> wrote:
>
>> I was going through the Backtrack how-to's forum, and g0tmi1k's posts
>> about VulnImage led me to experiment with sqlmap. I'm using Backtrack
>> 5R2 and therefore sqlmap version 1.0-dev (r4766). I'm not sure what I'm
>> doing wrong.
>>
>> I created a page with a parameter that is injectable (i.e. no
>> sanitation). The php based page connects to a MySQL DB, with 5 columns.
>> The actual php select statement is:
>>
>> $name_bad = stripslashes($_POST['rs_string']);
>> $query_bad = "SELECT TestName, Price FROM pricelist WHERE testname = '$name_bad'";
>>
>> (FYI: The stripslashes is in there because the version of php I'm
>> testing on has magic quotes turned on. No login required for this page
>> either.)
>>
>> If I input, manually,
>> Code:
>>
>> ' or 1; --
>>
>> then the query spits out every result in the database as it should,
>> since the query is now
>>
>> SELECT TestName, Price FROM pricelist WHERE testname = '' or 1; -- '
>>
>> Classic injection - This parameter is vulnerable! (FYI, there is a space
>> after the second dash and it is required or the query errors out.)
>>
>> I've gone further, and used the order by to see how many columns the
>> select returns (yes, I know it's two, but I'm pretending I don't). So
>>
>> ' or 1 order by 1; -- '
>>
>> orders by testname, and by changing "by 1" to "by 2" I can order by
>> price. If I do "by 3", I get an error as expected since there are only
>> two columns returned. Again, classic injection. This page IS vulnerable.
>>
>> Now I fire up a burp proxy and browse the page, enter a testname or two
>> so it's in the log (this is described in g0tmi1k's posts). Then I fire
>> up sqlmap with the command:
>>
>> ./sqlmap -l /root/burp.log --banner --current-user --current-db --is-dba --dbms=MySQL
>>
>> After testing the correct page, it tells me rs_string is not injectable,
>> even if I crank up the level and risk. But it clearly is! I can do it by
>> hand.
>>
>> What am I doing wrong? Or have I found a bug?
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
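The injection Robert describes, reproduced as an added example that is not part of this thread, of his PHP page, or of sqlmap. It is a Python/sqlite3 stand-in for the page: it models the magic_quotes_gpc + stripslashes layering (addslashes followed by stripslashes, which hands the raw quote straight back to the query), runs the `' or 1; -- ` full dump and the ORDER BY column count from the post, and adds the kind of true/false response comparison a boolean-based check relies on, next to a parameterized lookup that is not injectable. The table contents and the column-probing helper are constructed for the example; MySQL-specific parsing is not reproduced (SQLite accepts `--` without the trailing space MySQL needs, and the text after `;` is treated as a comment rather than executed as a stacked query).

```python
import sqlite3

# Constructed sample table standing in for the poster's MySQL 'pricelist';
# only the two columns the page's query selects are modelled.
SAMPLE_ROWS = [("cbc", 25.0), ("lipid panel", 40.0), ("tsh", 30.0)]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pricelist (TestName TEXT, Price REAL)")
    conn.executemany("INSERT INTO pricelist VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def addslashes(s):
    """What PHP's magic_quotes_gpc did to every $_POST value (PHP addslashes)."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def stripslashes(s):
    """PHP stripslashes: drop each backslash and keep the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def vulnerable_lookup(conn, rs_string):
    """The page's query as posted: stripslashes() undoes the only escaping,
    so the user value is spliced verbatim into the SQL text."""
    name_bad = stripslashes(addslashes(rs_string))
    query_bad = ("SELECT TestName, Price FROM pricelist "
                 "WHERE TestName = '%s'" % name_bad)
    return conn.execute(query_bad).fetchall()


def safe_lookup(conn, rs_string):
    """Parameterised form: the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT TestName, Price FROM pricelist WHERE TestName = ?",
        (rs_string,)).fetchall()


def looks_injectable(conn, lookup, known_value):
    """Boolean-based probe (constructed simplification of the true/false
    comparison sqlmap-style tools use): a vulnerable endpoint answers
    differently to '1'='1 and '1'='2 appended to a known-good value."""
    true_rows = lookup(conn, known_value + "' AND '1'='1")
    false_rows = lookup(conn, known_value + "' AND '1'='2")
    return true_rows != false_rows


def count_columns(conn, lookup, known_value, limit=10):
    """ORDER BY n probing from the post: the first n that errors is one
    past the number of columns the SELECT returns. None if nothing errors,
    which is what the parameterised lookup yields."""
    for n in range(1, limit + 1):
        try:
            lookup(conn, "%s' ORDER BY %d-- " % (known_value, n))
        except sqlite3.OperationalError:
            return n - 1
    return None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "' or 1; -- "))   # every row, as in the post
    print(safe_lookup(db, "' or 1; -- "))         # no such TestName: []
    print(looks_injectable(db, vulnerable_lookup, "cbc"),
          looks_injectable(db, safe_lookup, "cbc"))
    print(count_columns(db, vulnerable_lookup, "cbc"))
```

The point the stripslashes line makes is worth keeping in mind when reading the PHP in the post: magic quotes were the only thing standing between the POST body and the query, and the page removes them before building the string, so the quote in `' or 1; -- ` arrives intact. The fix is the parameterised shape of `safe_lookup`, not a different escaping function.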