Re: [sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQ
From: Miroslav S. <mir...@gm...> - 2015-04-28 11:59:27
And what is the content of request file?

Bye

On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
> Hi sqlmappers,
>
> I'm a fairly experienced user of sqlmap, having used it extensively in
> the past. I came across what appeared to be pretty typical boolean-based
> blind SQLi in an application I'm (legally) testing. However, for the
> first time, I'm unable to get sqlmap to recognise the parameter as
> vulnerable to exploit it further. And as we know, manually exploiting
> blind SQLi is cumbersome to say the least.
>
> Here is a summary of the requests I've made to manually confirm the
> vulnerability.
>
> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>
> I've tried various sqlmap flags and thought the following command
> would give me the best chance of success:
>
> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> 'industries' -v 1
>
> Note: the string 'industries' is text that appears in response A but
> not response B.
>
> I've looked at the requests that sqlmap is sending in the background
> (proxied through Burp). It appears that it's attempting to exploit
> this with the AND statement as it should, but is not using single
> quotes as per my example above.
>
> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> more than happy to contribute some time to improve it so it can
> identify injectable parameters such as these in the future.
>
> Thanks,
>
> Al.
--
Miroslav Stampar
http://about.me/stamparm