Re: [sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQ
From: Brandon P. <bpe...@gm...> - 2015-04-28 14:07:39
The injections I see like those are all suffixed with the start of a comment (# or --). So, technically it should matter if single quotes are used in the latter part of the boolean clause. For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa' being injectable. Using fdsa' AND 1=1# would result in the trailing single quote being part of the comment and ignored by MySQL. Can you exploit the injection by hand using 1=1# or 1=1--?

On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amc...@gm...> wrote:
> Hi Brandon,
>
> Thanks for your comment. Confirming that I've tried risk=3 with
> level=5 with the same results. I've looked more closely at the
> requests that sqlmap is sending to check if the parameter is
> injectable. It is testing the Sec parameter with values such as:
>
> PackageSelection) AND 1477=7114
> PackageSelection) AND 1631=1631
> PackageSelection') AND 5603=7729
> PackageSelection') AND 1631=1631
> PackageSelection' AND 3943=9381
> PackageSelection' AND 1631=1631
> PackageSelection" AND 3324=4690
> PackageSelection" AND 1631=1631
> PackageSelection) AND 4734=6616 AND (6346=6346
> PackageSelection)) AND 7350=9272 AND (8861=8861
>
> When in fact, I assume it would need to use logic like I used to get
> distinguishable responses:
>
> PackageSelection (returns response A)
> PackageSelection' AND '1'='1 (returns response A)
> PackageSelection' AND '1'='2 (returns response B)
>
> In a nutshell, it doesn't appear to be trying single quotes and values
> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> typical format for checking boolean-based blind SQLi.
>
> Cheers,
>
> Alistair.
>
> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
> >
> > Alistair, have you tried --risk=3 with --level=5 yet?
> >
> > Sent from a phone
> >
> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Can you please send the unredacted content of request.txt to my address?
> >
> > If not, then please at least send me the content of the traffic file, which you
> > can obtain by just appending "-t traffic.txt" to the regular sqlmap run.
> >
> > Bye
> >
> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
> >>
> >> Thanks for the quick reply.
> >>
> >> The contents of the request file are as follows:
> >>
> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> >> Host: <redacted>
> >> Accept: */*
> >> Accept-Language: en
> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> >> Connection: close
> >> Referer: <redacted>
> >> Cookie: <redacted>
> >>
> >> I've redacted some of the details as it's not appropriate to draw
> >> attention to an internet-facing application's SQLi vulnerability.
> >>
> >> When providing the request file as part of the following command:
> >>
> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> 'industries' -v 1
> >>
> >> sqlmap executes as normal but cannot identify (and therefore cannot
> >> exploit) the boolean-based blind vulnerability which I've verified
> >> manually.
> >>
> >> Thanks again,
> >>
> >> Al.
> >>
> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
> >> > And what is the content of the request file?
> >> >
> >> > Bye
> >> >
> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
> >> >>
> >> >> Hi sqlmappers,
> >> >>
> >> >> I'm a fairly experienced user of sqlmap, having used it extensively in
> >> >> the past. I came across what appeared to be pretty typical boolean-based
> >> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> >> vulnerable and exploit it further. And as we know, manually exploiting
> >> >> blind SQLi is cumbersome to say the least.
> >> >>
> >> >> Here is a summary of the requests I've made to manually confirm the
> >> >> vulnerability.
> >> >>
> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >> >>
> >> >> I've tried various sqlmap flags and thought the following command
> >> >> would give me the best chance of success:
> >> >>
> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> 'industries' -v 1
> >> >>
> >> >> Note: the string 'industries' is text that appears in response A but
> >> >> not response B.
> >> >>
> >> >> I've looked at the requests that sqlmap is sending in the background
> >> >> (proxied through Burp). It appears that it's attempting to exploit
> >> >> this with the AND statement as it should but is not using single
> >> >> quotes as per my example above.
> >> >>
> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> >> more than happy to contribute some time to improve it so it can
> >> >> identify injectable parameters such as these in the future.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Al.
> >> >>
> >> >> _______________________________________________
> >> >> sqlmap-users mailing list
> >> >> sql...@li...
> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >> >
> >> > --
> >> > Miroslav Stampar
> >> > http://about.me/stamparm
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
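The following is an added example, not code from this thread and not sqlmap's own code. It models the query shape the thread is arguing about (a string-concatenated WHERE clause on a quoted parameter) in Python against an in-memory SQLite database standing in for the target's Microsoft SQL Server; the table and column names, the sample rows and the "generic error page" behaviour are all constructed assumptions. It then applies the same true/false comparison that `--string 'industries'` asks sqlmap to perform, to show why a payload that leaves the server's trailing quote dangling cannot produce distinguishable responses, while both the `' AND '1'='1` pattern Alistair used and the `1=1--` pattern Brandon suggested do.

```python
import sqlite3

# Constructed stand-in for the vulnerable page discussed in the thread.
# Assumptions (not from the thread): the page builds its query by string
# concatenation, and SQLite is used in place of the real Microsoft SQL Server
# so the example runs offline. Single-quote string literals and "--" line
# comments behave the same way in both for the purpose of this demonstration.
MARKER = "industries"   # text present in response A but absent from response B


def build_db():
    """Create an in-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE help_sections (sec TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO help_sections VALUES (?, ?)",
        [
            ("PackageSelection", "Select the package for your industries and region."),
            ("Billing", "How invoices are generated."),
        ],
    )
    return con


def vulnerable_page(con, sec):
    """Model of /help/UserGuide.aspx?Sec=<value>: unsafe concatenation.

    A query that fails to parse yields a generic error page, which is the
    same regardless of whether the injected condition was true or false.
    """
    sql = "SELECT body FROM help_sections WHERE sec = '" + sec + "'"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "ERROR PAGE"
    return "\n".join(row[0] for row in rows)


def boolean_blind_distinguishable(con, base, true_suffix, false_suffix):
    """The comparison sqlmap's --string option performs: the 'true' payload
    must keep the marker in the page and the 'false' payload must remove it."""
    page_true = vulnerable_page(con, base + true_suffix)
    page_false = vulnerable_page(con, base + false_suffix)
    return MARKER in page_true and MARKER not in page_false


# Three ways of dealing with the server's own closing quote, from the thread:
#  - "bare": neither a balancing quote nor a comment, so the trailing quote
#    is left dangling and BOTH payloads are syntax errors
#  - "quote-balanced": the ' AND '1'='1 pattern Alistair used by hand
#  - "comment": the 1=1-- pattern Brandon suggested ("--" is accepted by both
#    MSSQL and SQLite; "#" is MySQL-specific and is deliberately not used here)
PAYLOAD_PAIRS = {
    "bare":           ("' AND 1=1",    "' AND 1=2"),
    "quote-balanced": ("' AND '1'='1", "' AND '1'='2"),
    "comment":        ("' AND 1=1-- ", "' AND 1=2-- "),
}


def check_payload_pairs(base="PackageSelection"):
    """Return {pair_name: True if the true/false responses are distinguishable}."""
    con = build_db()
    return {
        name: boolean_blind_distinguishable(con, base, t, f)
        for name, (t, f) in PAYLOAD_PAIRS.items()
    }


if __name__ == "__main__":
    for name, ok in check_payload_pairs().items():
        print(f"{name:15s} distinguishable={ok}")
```

Running it shows that the "bare" pair is indistinguishable because both requests hit the error page, which is exactly the symptom of a detector that never closes or comments out the trailing quote; the other two pairs match the manual A/B behaviour described in the thread. Against a real target, a proxy capture of the true and false requests is the quickest way to see which of these three shapes a tool is actually sending.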