[sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQLi
From: Alistair J. <amc...@gm...> - 2015-04-28 11:03:52
Hi sqlmappers,

I'm a fairly experienced user of sqlmap, having used it extensively in the past. I came across what appeared to be pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable to exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.

Here is a summary of the requests I've made to manually confirm the vulnerability:

    /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
    /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
    /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)

I've tried various sqlmap flags and thought the following command would give me the best chance of success:

    sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1

Note: the string 'industries' is text that appears in response A but not response B.

I've looked at the requests that sqlmap is sending in the background (proxied through Burp). It appears that it's attempting to exploit this with the AND statement as it should, but is not using single quotes as per my example above.

I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.

Thanks,
Al.