[sqlmap-users] Weird behavior with injection in cookie value
From: Dennis <kor...@ya...> - 2012-11-14 17:33:46
Hi guys,

I'm experiencing a weird behavior when injecting into a cookie value. The cookie in the request looks like this (yes, the spaces are intentional):

    Cookie: foocookie=asd ,rrr-123 ,tzu-345

The injection is possible after the rrr-123 and before the first space. Neat and straightforward boolean-based blind. Something like

    Cookie: foocookie=asd ,rrr-123' and 34=34 and 'qe'='qe ,tzu-345

or

    Cookie: foocookie=asd ,rrr-123' and 34+2=36 and 'qe'='qe ,tzu-345

gets the job done.

First problem: it seems I cannot define custom injection points (*) in cookies. I fixed this by using a request file, terminating the cookie string after rrr-123 and adding the rest of the cookie value as --suffix=" ,tzu-345". Works fine.

Second problem: sqlmap thinks it finds the boolean-based injection, then wildly tries to union inject. This fails and the boolean-based injection is discarded as a false positive. Checking the payloads in Burp, it seems that sqlmap does the following checks:

    Cookie: foocookie=asd ,rrr-123' and 3456=3456 ,tzu-345
    Cookie: foocookie=asd ,rrr-123') and 5678=5678 ,tzu-345
    Cookie: foocookie=asd ,rrr-123')) and 1234=1234 ,tzu-345

and so on, but never tries the obvious (and correct)

    Cookie: foocookie=asd ,rrr-123' and 'qwer'='qwer ,tzu-345

With a higher level it then goes on with boolean-based (comment), etc. Comparing the payloads, they don't seem to differ from the normal boolean-based payloads. I think there might be a bug?

Cheers,
Dennis
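A defender-side check for the payload shapes listed in this post, added here as an example (it is not part of the thread and not sqlmap code): it parses a Cookie header and flags values carrying the boolean-blind tautologies the post shows (`' and N=N`, `')) and N=N`, `' and 'x'='x`). The sample requests are constructed; only the cookie layout and name are taken from the post.

```python
import re
from typing import List, Tuple

# Constructed sample requests (not real traffic): the cookie layout from the
# post, one benign and four carrying the boolean-blind shapes it lists.
SAMPLE_REQUESTS = [
    "Cookie: foocookie=asd ,rrr-123 ,tzu-345",
    "Cookie: foocookie=asd ,rrr-123' and 3456=3456 ,tzu-345",
    "Cookie: foocookie=asd ,rrr-123')) and 1234=1234 ,tzu-345",
    "Cookie: foocookie=asd ,rrr-123' and 'qwer'='qwer ,tzu-345",
    "Cookie: foocookie=asd ,rrr-123' and 34+2=36 and 'qe'='qe ,tzu-345",
]

# A quote, optional closing parens, AND, then a tautology: either an
# arithmetic comparison (34=34, 34+2=36) or a quoted-string comparison
# ('x'='x) whose closing quote is supplied by the application, so it is
# not required here. Case-insensitive, whitespace-tolerant.
BOOLEAN_BLIND = re.compile(
    r"""'\)*\s+and\s+(?:[\d+\-*/ ]+=\s*\d+|'[^']*'\s*=\s*'[^'\s,]+)""",
    re.IGNORECASE,
)


def cookie_fields(header_line: str) -> List[Tuple[str, str]]:
    """Split 'Cookie: a=b; c=d' into (name, value) pairs. The value is kept
    verbatim (split on the first '=' only) so the ' ,' separated sub-fields
    this application uses, and any '=' inside a payload, survive intact."""
    _, _, raw = header_line.partition(":")
    pairs = []
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def find_boolean_blind(header_line: str) -> List[Tuple[str, str]]:
    """Return (cookie_name, matched_fragment) for every cookie value that
    contains a boolean-blind tautology pattern."""
    hits = []
    for name, value in cookie_fields(header_line):
        for m in BOOLEAN_BLIND.finditer(value):
            hits.append((name, m.group(0)))
    return hits


def scan(requests: List[str]) -> List[int]:
    """Indices of the requests that trigger the rule."""
    return [i for i, line in enumerate(requests) if find_boolean_blind(line)]
```

The rule keys on the quote-then-AND-then-tautology shape rather than on specific numbers, so it also catches the `')` and `'))` prefix variants the post lists.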