Re: [sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQ
From: Brandon P. <bpe...@gm...> - 2015-04-28 12:36:44
It's a GET, so there wouldn't be a content type, unless I am mistaken. Alistair, have you tried --risk=3 with --level=5 yet?

Sent from a phone

> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Can you please send the unredacted content of request.txt to my address?
>
> If not, then please at least send me the content of the traffic file, which you can obtain by just appending "-t traffic.txt" to the regular sqlmap run.
>
> Bye
>
>> On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
>> Thanks for the quick reply.
>>
>> The contents of the request file are as follows:
>>
>> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>> Host: <redacted>
>> Accept: */*
>> Accept-Language: en
>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>> Connection: close
>> Referer: <redacted>
>> Cookie: <redacted>
>>
>> I've redacted some of the details as it's not appropriate to draw attention to an internet-facing application's SQLi vulnerability.
>>
>> When providing the request file as part of the following command:
>>
>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>
>> sqlmap executes as normal but cannot identify (and therefore cannot exploit) the boolean-based blind vulnerability which I've verified manually.
>>
>> Thanks again,
>>
>> Al.
>>
>> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> And what is the content of the request file?
>>>
>>> Bye
>>>
>>> On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
>>>>
>>>> Hi sqlmappers,
>>>>
>>>> I'm a fairly experienced user of sqlmap, having used it extensively in the past. I came across what appeared to be a pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable to exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.
>>>>
>>>> Here is a summary of the requests I've made to manually confirm the vulnerability.
>>>>
>>>> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>>>
>>>> I've tried various sqlmap flags and thought the following command would give me the best chance of success:
>>>>
>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>>>
>>>> Note: the string 'industries' is text that appears in response A but not response B.
>>>>
>>>> I've looked at the requests that sqlmap is sending in the background (proxied through Burp). It appears that it's attempting to exploit this with the AND statement as it should, but is not using single quotes as per my example above.
>>>>
>>>> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.
>>>>
>>>> Thanks,
>>>>
>>>> Al.
>>>>
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm