Re: [sqlmap-users] SQLmap -l option bug
From: Dennis <kor...@ya...> - 2012-10-09 09:12:23
Hey, burp acts as you suspected. Here's an example of https://google.de logged from a burp pro v1.4.12:

======================================================
11:05:56 https://www.google.de:443 [173.194.35.184]
======================================================
GET / HTTP/1.1
Host: www.google.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: xxx
Pragma: no-cache
Cache-Control: no-cache
======================================================

The same goes for burp's "Copy to File" feature. I usually use the --force-ssl flag to circumvent this.

Cheers,
Dennis

On 09.10.2012 10:49, Miroslav Stampar wrote:
> Hi again.
>
> It's a preamble, but the request itself is down below. We process
> requests, not preambles. As we need to support generic LOG files, we
> are "hunting" for the requests themselves.
>
> If somebody could confirm that Burp really strips any HTTPS "tips"
> from the requests and just puts those in preambles (like in your
> case), I'll gladly do the "patching".
>
> Kind regards,
> Miroslav Stampar
>
> On Tue, Oct 9, 2012 at 10:44 AM, Karel Marhoul <rez...@se...> wrote:
>
>> Hello Miroslav, there is a mention of port 443 in the request
>> "preamble", see:
>>
>> ======================================================
>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>> ======================================================
>>
>> That specific request came from an HTTPS page and landed toward HTTP,
>> I'm sure of that.
>>
>> I suggest the sqlmap log parser should first look at the port in the
>> request preamble and then send the request to this port - is that
>> possible to implement?
>>
>> Regards
>>
>> Karel
>>
>> On 9.10.2012 10:30, Miroslav Stampar wrote:
>>
>>> Hi Karel.
>>>
>>> Strictly speaking there is no bug here. If you take a look carefully
>>> into the HTTP request inside you'll see that there is no mention of
>>> either HTTPS or 443 inside the request itself. It seems like the
>>> request came from the https page (referer header), but landed toward the
>>> HTTP land.
>>>
>>> I would suggest you just try to append the :443 to the Host header
>>> value (Host: www.xxx.cz -> Host: www.xxx.cz:443)
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote:
>>>
>>>> Hello, I came across a bug while using sqlmap with the -l parameter. I have
>>>> a burp log file with the following content (only one request to the https port):
>>>>
>>>> ======================================================
>>>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>>>> ======================================================
>>>> GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
>>>> Host: www.xxx.cz
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
>>>> Accept: image/png,image/*;q=0.8,*/*;q=0.5
>>>> Accept-Language: en-us,en;q=0.5
>>>> Accept-Encoding: gzip, deflate
>>>> Connection: keep-alive
>>>> Referer: https://www.xxx.cz/
>>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>>> Cache-Control: max-age=0
>>>>
>>>> ======================================================
>>>>
>>>> Then I start sqlmap this way:
>>>>
>>>> ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz
>>>>
>>>> And instead of sending the request to the https (443) port, sqlmap
>>>> uses the http (80) port instead:
>>>>
>>>> ---------------------------------------------------------
>>>> [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
>>>> [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
>>>> [13:21:55] [INFO] url 1:
>>>> GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
>>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>>> do you want to test this url? [Y/n/q] > Y
>>>> [snip]
>>>> ---------------------------------------------------------
>>>>
>>>> Could you please fix this?
>>>>
>>>> Regards
>>>>
>>>> Karel Marhoul
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

_______________________________________________
sqlmap-users mailing list
sql...@li...
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
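A small log parser implementing the preamble-first approach Karel proposes, with Miroslav's "Host: host:443" hint as the fallback when no preamble is present. This is an added example, not sqlmap's own code; the sample log is constructed in the Burp layout quoted in the thread, and the hostnames other than www.xxx.cz are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the Burp log layout quoted above: entry 1 carries a
# preamble, entry 2 only the ":443" Host-header workaround, entry 3 neither.
SAMPLE_LOG = """\
======================================================
12:40:22 https://www.xxx.cz:443 [81.91.80.92]
======================================================
GET /index.php?option=com_thumber&view=thumb HTTP/1.1
Host: www.xxx.cz
Referer: https://www.xxx.cz/

======================================================
GET /login HTTP/1.1
Host: app.example.test:443

GET /about HTTP/1.1
Host: www.example.test
"""

# "HH:MM:SS <scheme>://<host>[:port] [<ip>]" preamble and an HTTP request line
PREAMBLE_RE = re.compile(r"^\d\d:\d\d:\d\d\s+(?P<url>[a-z]+://\S+)\s+\[[^\]]+\]$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>/\S*)\s+HTTP/\d\.\d$")

def parse_burp_log(text):
    """Return [(method, url)]; scheme and port come from the preamble when one
    precedes the request, otherwise from the Host header (":443" -> https)."""
    targets, preamble, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = PREAMBLE_RE.match(line)
        if m:                      # remember it for the request that follows
            preamble = urlsplit(m.group("url"))
            continue
        m = REQUEST_RE.match(line)
        if not m:                  # separators, blank lines, anything else
            continue
        headers = {}               # header block ends at a blank or "====" line
        while i < len(lines) and lines[i].strip() and not lines[i].startswith("="):
            name, _, value = lines[i].partition(":")
            headers[name.strip().lower()] = value.strip()
            i += 1
        if preamble is not None:
            scheme, host = preamble.scheme, preamble.hostname
            port = preamble.port or (443 if scheme == "https" else 80)
            preamble = None        # a preamble applies to the next request only
        else:
            host, _, port = headers.get("host", "").partition(":")
            port = int(port) if port else 80
            scheme = "https" if port == 443 else "http"
        targets.append((m.group("method"), f"{scheme}://{host}:{port}{m.group('path')}"))
    return targets
```

Without the preamble logic the first entry would come out as http://www.xxx.cz:80/..., which is exactly the behaviour reported in the thread.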