Re: [sqlmap-users] Weird payload generated
From: Miroslav S. <mir...@gm...> - 2013-10-04 09:09:56
On Fri, Oct 4, 2013 at 9:27 AM, Raphael GONZALEZ <rap...@gm...> wrote:
> Hi,
>
> Thanks a lot.
> Yes with * it's easier than with prefix/suffix
>
> ... but I'm not sure I was clear enough because my problem is still there :)
>
> Here is my Request :
>
> POST target_url
> ...
>
> param=&other_param=...
>
>
> if param
> - is empty,
> - or contains a number
> - or contains a select sub-statement that returns a number
> => returns 200 with other info
>
> if param
> - contains a string
> - or contains a select sub-statement that returns a string
> => returns 302 to error page
>
> so using the * I still get some strange payload, for example
> [PAYLOAD] -9402 OR (9544=9561)
>
> I think it comes from the "<where>2</where>" in the payloads.xml file (for
> OR boolean-based blind)
> ... because if I add a test case with <where>1</where> then the generated
> payload seems ok (and then the blind injection is detected)

Point of the whole OR payload is to generate an "invalid/negative/non-original" response and to combine it with an inference (... OR A=B). That <where>2</where> is there on purpose -> to generate invalid/negative values in case of OR payloads.

> I have also a second problem
> when the response is 302, the error message is contained in the location
> (and also in the body as a HREF), as very often with asp
> (but if I follow the redirection the next page doesn't contain the message)

Have you tried without following the 302? sqlmap is asking you politely "do you want to follow".

> => so it's not detected because of URL encoding, especially the "+" character)
>
> I can turn around this by using a proxy and modifying the response before
> it returns to sqlmap but it would be more convenient to do that in sqlmap.
> Is there a way ?
> (for example an option similar to tamper to call a
> function on the response before it is processed by sqlmap)

In cases like this when the case seems to be specific, we encourage users to modify sqlmap to suit their needs and/or use (also) other tools.

> Thanks again
> Raphael
> Bye
>
>
> On Wed, Oct 2, 2013 at 10:18 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> --prefix is a formation that is going in between of *value* and *payload*:
>>
>> ...=*value prefix payload*...
>>
>> This simply means that you've forgotten the complete *value* thing in
>> your case.
>>
>> In your case usage of custom injection mark (*) is more appropriate:
>>
>> python sqlmap.py -u "www.target.com/vuln.php?param=(select name from
>> sysusers where udi=-1 *)"
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Wed, Oct 2, 2013 at 2:29 PM, Raphael GONZALEZ <rap...@gm...> wrote:
>>
>>> Hi,
>>>
>>> sqlmap/1.0-dev-25eca9d
>>>
>>> I don't manage to get Sqlmap generating the good payload !
>>>
>>> Here is my entry point :
>>> (dbms = MSSQL)
>>>
>>> I got this with manual tries in burp :
>>>
>>> param value : (select name from sysusers where udi=-1)
>>> - if the select returns no value => HTTP request returns 200
>>> - otherwise returns 302 to an error page
>>>
>>> so
>>> with param value : (select name from sysusers where udi=-1 or 1=1) =>
>>> returns error
>>> with param value : (select name from sysusers where udi=-1 or 1=2) =>
>>> returns 200
>>>
>>> I thought I could make Sqlmap find a boolean based blind test with OR
>>> statements
>>> So I tried this command :
>>> ./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select
>>> name from sysusers where udi=-1 " --suffix=")"
>>>
>>> nothing is found
>>> but when I look at generated payloads, I get
>>> [PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))
>>>
>>> so I always get a number generated before my command
>>>
>>> Where am I wrong ?
>>>
>>> Thanks
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
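The two points of the thread above, the meaning of `<where>` when sqlmap assembles a boolean-based test value and the error message that hides URL-encoded inside a 302 Location header, are easier to see with a small model. The block below is an added illustration written for this page; it is not sqlmap's own code. The `<where>` rules it follows are the documented ones from sqlmap's payload definitions (1 = keep the original value and append the payload, 2 = replace the original value with a negative random integer and append the payload, 3 = replace the original value with the payload); the fixed `-9402` stands in for sqlmap's random integer, and the parameter values, redirect header and error marker are constructed sample data.

```python
"""Toy model of how <where> shapes a boolean-based test value in sqlmap, and of
why an error message carried in a URL-encoded 302 Location is easy to miss.
Added example for this thread, not sqlmap's code; all sample values constructed.
"""
from urllib.parse import unquote_plus, urlsplit

# Documented meaning of <where> in sqlmap payload definitions.
WHERE_ORIGINAL = 1   # append payload to the original parameter value
WHERE_NEGATIVE = 2   # replace original value with a negative random int, then append
WHERE_REPLACE = 3    # replace original value with the payload itself


def build_payload(where, original, payload, prefix="", suffix="", rand_negative=-9402):
    """Return the parameter value a test with the given <where> produces.

    `original` is the value already in the request, `payload` the expanded test
    string (e.g. 'OR (9544=9561)'), and `prefix`/`suffix` sit between the value
    and the payload exactly as --prefix/--suffix do.  `rand_negative` replaces
    sqlmap's random integer so the result is reproducible (constructed value).
    """
    if where == WHERE_ORIGINAL:
        value = original
    elif where == WHERE_NEGATIVE:
        value = str(rand_negative)
    elif where == WHERE_REPLACE:
        value = ""
    else:
        raise ValueError(f"unknown <where> value: {where}")
    return f"{value}{prefix}{payload}{suffix}"


def marker_in_raw_location(headers, marker):
    """Naive check: look for the marker in the Location header as received."""
    return marker in headers.get("Location", "")


def error_in_redirect(status, headers, body, marker):
    """Report whether an error marker is present in a 302 response once the
    Location path/query and the body are URL-decoded ('+' -> space, %XX -> char).
    Following the redirect would lose the message, so the check must happen
    on this response, before any redirect is followed."""
    if status != 302:
        return False
    parts = urlsplit(headers.get("Location", ""))
    decoded = [unquote_plus(parts.path), unquote_plus(parts.query), unquote_plus(body)]
    return any(marker in text for text in decoded)


if __name__ == "__main__":
    # Raphael's first attempt: empty original value, --prefix/--suffix, OR test
    # defined with <where>2</where>.  The negative integer lands in front of the
    # prefix, which is the "-9402(select ..." value seen in the thread.
    prefix = "(select name from sysusers where udi=-1 "
    print(build_payload(WHERE_NEGATIVE, "", "OR (9544=9561)", prefix, ")"))
    # Same test with <where>1</where>: the original (empty) value is kept, so the
    # sub-select is the whole value and the OR clause decides the outcome.
    print(build_payload(WHERE_ORIGINAL, "", "OR (9544=9561)", prefix, ")"))

    # Constructed ASP-style redirect: the message only exists URL-encoded in
    # the Location header, where '+' stands for a space.
    hdrs = {"Location": "/error.asp?msg=Conversion+failed+when+converting"}
    print(marker_in_raw_location(hdrs, "Conversion failed"))    # False: still encoded
    print(error_in_redirect(302, hdrs, "", "Conversion failed"))  # True: decoded first
```

The redirect check is the part a sqlmap user would otherwise bolt on through a proxy: decode the Location header of the 302 itself and test the marker there, since the page reached after following the redirect no longer carries the message.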