Re: [sqlmap-users] Weird behavior with injection in cookie value
From: Miroslav S. <mir...@gm...> - 2012-11-14 17:57:38
Hi Dennis.

1) Custom injection marker (*) is not yet supported inside cookie values.

2) I believe that you really want to use --suffix="and 'qwer'='qwer ,tzu-345" instead of --suffix=" ,tzu-345".

Kind regards,
Miroslav Stampar

On Wed, Nov 14, 2012 at 6:33 PM, Dennis <kor...@ya...> wrote:
> Hi guys,
>
> I'm experiencing a weird behavior when injecting into a cookie value.
>
> The cookie in the request looks like this (yes, the spaces are intentional):
> Cookie: foocookie=asd ,rrr-123 ,tzu-345
>
> The injection is possible after the rrr-123 and before the first space.
> Neat and straightforward boolean-based blind. Something like
> Cookie: foocookie=asd ,rrr-123' and 34=34 and 'qe'='qe ,tzu-345
> or
> Cookie: foocookie=asd ,rrr-123' and 34+2=36 and 'qe'='qe ,tzu-345
> gets the job done.
>
> First problem: It seems I cannot define custom injection points (*) in
> cookies. I fixed this by using a request file and terminating the cookie
> string after rrr-123 and adding the rest of the cookie value as
> --suffix=" ,tzu-345". Works fine.
>
> Second problem: sqlmap thinks it finds the boolean-based injection, then
> wildly tries to union inject. This fails and the boolean-based injection
> is discarded as a false positive.
>
> Checking the payloads in Burp, it seems that sqlmap does the following
> checks:
> Cookie: foocookie=asd ,rrr-123' and 3456=3456 ,tzu-345
> Cookie: foocookie=asd ,rrr-123') and 5678=5678 ,tzu-345
> Cookie: foocookie=asd ,rrr-123')) and 1234=1234 ,tzu-345
> and so on, but never tries the obvious (and correct)
> Cookie: foocookie=asd ,rrr-123' and 'qwer'='qwer ,tzu-345
>
> With a higher level it then goes on with boolean-based (comment), etc.
> Comparing the payloads, they don't seem to differ from the normal
> boolean-based payloads. I think there might be a bug?
>
> Cheers
> Dennis

--
Miroslav Stampar
http://about.me/stamparm
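As an added example that is not part of this thread (and not sqlmap's own code), here is a defender-side check for the cookie format Dennis describes: it splits the foocookie value into its " ,"-separated tokens, flags any token that does not match the expected name-number shape, and looks for the boolean-based probe shapes quoted above (a closing quote, optional parentheses, then AND/OR with a tautology). The cookie name, the token pattern and the sample headers are assumptions.

```python
import re

# Assumed shape of each token in "asd ,rrr-123 ,tzu-345": a word with an
# optional "-number" part. Anything else is not what the application expects.
TOKEN_RE = re.compile(r"^[a-z]+(-\d+)?$")

# Probe shapes seen in the thread: ' / ') / ')) followed by and/or and a
# tautology such as 3456=3456, 34+2=36 or 'qwer'='qwer.
PROBE_RE = re.compile(
    r"'\)*\s+(and|or)\s+"
    r"('?\w+'?\s*[=<>]\s*'?\w+'?|\d+\s*[-+]\s*\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def analyze_cookie(header: str, name: str = "foocookie") -> dict:
    """Inspect one Cookie header value and report malformed tokens / probes."""
    value = None
    for part in header.split(";"):
        key, _, val = part.strip().partition("=")  # split at the first '=' only
        if key.strip() == name:
            value = val
    if value is None:
        return {"found": False, "suspicious": [], "probe": False}
    tokens = [t.strip() for t in value.split(" ,")]
    suspicious = [t for t in tokens if not TOKEN_RE.match(t)]
    return {
        "found": True,
        "suspicious": suspicious,
        "probe": bool(PROBE_RE.search(value)),
    }


# Constructed sample headers (not real traffic): one benign, three probes.
SAMPLE_HEADERS = [
    "foocookie=asd ,rrr-123 ,tzu-345",
    "foocookie=asd ,rrr-123' and 3456=3456 ,tzu-345",
    "foocookie=asd ,rrr-123') and 5678=5678 ,tzu-345",
    "foocookie=asd ,rrr-123' and 'qwer'='qwer ,tzu-345",
]


def flagged(headers):
    """Return the indices of headers that carry a malformed token or a probe."""
    return [i for i, h in enumerate(headers)
            if (r := analyze_cookie(h))["found"] and (r["suspicious"] or r["probe"])]


if __name__ == "__main__":
    for i in flagged(SAMPLE_HEADERS):
        print(i, analyze_cookie(SAMPLE_HEADERS[i]))
```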