Re: [sqlmap-users] Weird payload generated
From: Raphael G. <rap...@gm...> - 2013-10-04 07:27:47
Hi,

Thanks a lot. Yes, with * it's easier than with prefix/suffix ... but I'm not sure I was clear enough, because my problem is still there :)

Here is my request:

POST target_url
...
param=&other_param=...

If param
- is empty,
- or contains a number,
- or contains a select sub-statement that returns a number
=> returns 200 with other info

If param
- contains a string,
- or contains a select sub-statement that returns a string
=> returns 302 to error page

So using the * I still get some strange payload, for example

[PAYLOAD] -9402 OR (9544=9561)

I think it comes from the <where>2</where> in the payloads.xml file (for OR boolean-based blind) ... because if I add a test case with <where>1</where> then the generated payload seems OK (and then the blind injection is detected).

I also have a second problem: when the response is 302, the error message is contained in the Location (and also in the body as an HREF), as very often with ASP (but if I follow the redirection the next page doesn't contain the message) => so it's not detected because of the URL encoding, especially the "+" character. I can work around this by using a proxy and modifying the response before it returns to sqlmap, but it would be more convenient to do that in sqlmap. Is there a way? (for example an option similar to tamper to call a function on the response before it is processed by sqlmap)

Thanks again
Raphael

On Wed, Oct 2, 2013 at 10:18 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> --prefix is a formation that is going in between *value* and *payload*:
>
> ...=*value prefix payload*...
>
> This simply means that you've forgotten the complete *value* thing in
> your case.
>
> In your case usage of the custom injection mark (*) is more appropriate:
>
> python sqlmap.py -u "www.target.com/vuln.php?param=(select name from sysusers where udi=-1 *)"
>
> Kind regards,
> Miroslav Stampar
>
>
> On Wed, Oct 2, 2013 at 2:29 PM, Raphael GONZALEZ <rap...@gm...> wrote:
>
>> Hi,
>>
>> sqlmap/1.0-dev-25eca9d
>>
>> I don't manage to get sqlmap to generate the right payload!
>>
>> Here is my entry point:
>> (dbms = MSSQL)
>>
>> I got this with manual tries in Burp:
>>
>> param value: (select name from sysusers where udi=-1)
>> - if the select returns no value => HTTP request returns 200
>> - otherwise returns 302 to an error page
>>
>> so
>> with param value: (select name from sysusers where udi=-1 or 1=1) => returns error
>> with param value: (select name from sysusers where udi=-1 or 1=2) => returns 200
>>
>> I thought I could make sqlmap find a boolean-based blind test with OR statements.
>> So I tried this command:
>> ./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"
>>
>> Nothing is found,
>> but when I look at the generated payloads, I get
>> [PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))
>>
>> so I always get a number generated before my command.
>>
>> Where am I wrong?
>>
>> Thanks
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
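The two mechanisms this thread turns on, illustrated as an added example that is not part of the original thread and not sqlmap's own code: first, how the `<where>` value from payloads.xml shapes the injected parameter value when `--prefix`/`--suffix` are used (which is why a random negative integer such as `-9402` lands in front of the prefix for `<where>2</where>`, while `<where>1</where>` keeps the original value); second, why a message carried in a 302 `Location` header is missed when it is compared URL-encoded, since `+` only becomes a space under `unquote_plus()`. The random range, the prefix/suffix handling for `<where>3</where>`, the `msg` parameter name and the `/error.asp` redirect are constructed assumptions for the demonstration.

```python
import random
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

# The three <where> values as documented in sqlmap's payloads.xml
WHERE_APPEND = 1    # append the payload to the parameter's original value
WHERE_NEGATIVE = 2  # replace the original value with a random negative integer, then append
WHERE_REPLACE = 3   # replace the original value with the payload only


def compose_value(original, payload, where, prefix="", suffix="", rng=None):
    """Return the injected parameter value as <value><prefix><payload><suffix>.

    This mirrors the formation quoted in the thread ("...=value prefix payload...").
    The random range and the prefix/suffix handling for <where>3</where> are
    simplifying assumptions, not a copy of sqlmap's own logic.
    """
    rng = rng or random.Random()
    if where == WHERE_APPEND:
        value = original
    elif where == WHERE_NEGATIVE:
        value = "-%d" % rng.randint(1000, 9999)
    elif where == WHERE_REPLACE:
        value = ""
    else:
        raise ValueError("unknown <where> value: %r" % where)
    return "%s%s%s%s" % (value, prefix, payload, suffix)


def redirect_message(location, param="msg"):
    """Pull the human-readable message out of a 302 Location header value.

    parse_qs() URL-decodes the query string and turns '+' into a space, so the
    result is comparable with the plain text found in the HTML body.  The
    parameter name 'msg' is a constructed example, not an ASP convention.
    """
    return parse_qs(urlsplit(location).query).get(param, [""])[0]


def decode_variants(encoded):
    """Show why '+' matters: unquote() leaves it, unquote_plus() makes it a space."""
    return unquote(encoded), unquote_plus(encoded)


def response_text(status, headers, body):
    """Combine the body and the decoded Location message into one comparable string.

    For a 302 the distinguishing text lives in the Location header; appending its
    decoded form to the body is what the proxy workaround in the thread achieves.
    """
    text = body
    if status == 302 and "Location" in headers:
        text += "\n" + redirect_message(headers["Location"])
    return text


if __name__ == "__main__":
    PREFIX = "(select name from sysusers where udi=-1 "
    SUFFIX = ")"
    PAYLOAD = "OR (9544=9561)"
    for where in (WHERE_APPEND, WHERE_NEGATIVE, WHERE_REPLACE):
        print("<where>%d</where>:" % where,
              compose_value("", PAYLOAD, where, PREFIX, SUFFIX, random.Random(0)))

    # Constructed 302 response in the style described in the thread
    location = "/error.asp?msg=Invalid+parameter+value"
    headers = {"Location": location}
    body = '<a href="%s">Object moved</a>' % location
    print("raw body contains plain message:", "Invalid parameter value" in body)
    print("normalized text contains plain message:",
          "Invalid parameter value" in response_text(302, headers, body))
```

Running the block prints the three formations for the prefix/suffix from the thread, the `<where>2</where>` one starting with a random negative number just like the `[PAYLOAD]` line quoted above, and then shows that the plain message is absent from the raw 302 body but present once the `Location` query string has been decoded with `+` treated as a space.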