Re: [sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQ
From: Brandon P. <bpe...@gm...> - 2015-04-28 14:19:17
Also, when testing, ensure a space directly follows the comment, otherwise the comment syntax will be malformed. You are testing against a mssql db, so I think the valid comment syntax will be --<space>

On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bpe...@gm...> wrote:
> Technically, it shouldn't*
>
> On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bpe...@gm...> wrote:
>
>> The injections I see like those are all suffixed with the start of a comment (# or --). So, technically it should matter if single quotes are used in the latter part of the boolean clause.
>>
>> For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa' being injectable. Using fdsa' AND 1=1# would result with the trailing single quote being part of the comment and ignored by MySQL.
>>
>> Can you exploit the injection by hand using 1=1# or 1=1--?
>>
>> On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amc...@gm...> wrote:
>>
>>> Hi Brandon,
>>>
>>> Thanks for your comment. Confirming that I've tried risk=3 with level=5 with the same results. I've looked more closely at the requests that sqlmap is sending to check if the parameter is injectable. It is testing the Sec parameter with values such as:
>>>
>>> PackageSelection) AND 1477=7114
>>> PackageSelection) AND 1631=1631
>>> PackageSelection') AND 5603=7729
>>> PackageSelection') AND 1631=1631
>>> PackageSelection' AND 3943=9381
>>> PackageSelection' AND 1631=1631
>>> PackageSelection" AND 3324=4690
>>> PackageSelection" AND 1631=1631
>>> PackageSelection) AND 4734=6616 AND (6346=6346
>>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>>
>>> When in fact, I assume it would need to use logic like I used to get distinguishable responses:
>>>
>>> PackageSelection (returns response A)
>>> PackageSelection' AND '1'='1 (returns response A)
>>> PackageSelection' AND '1'='2 (returns response B)
>>>
>>> In a nutshell, it doesn't appear to be trying single quotes and values in the ' AND '1'='1 pattern. But I would have thought this is a pretty typical format for checking boolean-based blind SQLi.
>>>
>>> Cheers,
>>>
>>> Alistair.
>>>
>>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
>>> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
>>> >
>>> > Alistair, have you tried --risk=3 with --level=5 yet?
>>> >
>>> > Sent from a phone
>>> >
>>> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> >
>>> > Can you please send the unredacted content of request.txt to my address?
>>> >
>>> > If not, then please at least send me the content of traffic file which you can obtain by just appending the "-t traffic.txt" to the regular sqlmap's run.
>>> >
>>> > Bye
>>> >
>>> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
>>> >>
>>> >> Thanks for the quick reply.
>>> >>
>>> >> The contents of the request file are as follows:
>>> >>
>>> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>>> >> Host: <redacted>
>>> >> Accept: */*
>>> >> Accept-Language: en
>>> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>>> >> Connection: close
>>> >> Referer: <redacted>
>>> >> Cookie: <redacted>
>>> >>
>>> >> I've redacted some of the details as it's not appropriate to draw attention to an internet facing application's SQLi vulnerability.
>>> >>
>>> >> When providing the request file as part of the following command:
>>> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>> >>
>>> >> sqlmap executes as normal but cannot identify (and therefore cannot exploit) the boolean-based blind vulnerability which I've verified manually.
>>> >>
>>> >> Thanks again,
>>> >>
>>> >> Al.
>>> >>
>>> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> >> > And what is the content of request file?
>>> >> >
>>> >> > Bye
>>> >> >
>>> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
>>> >> >>
>>> >> >> Hi sqlmappers,
>>> >> >>
>>> >> >> I'm a fairly experienced user of sqlmap having used it extensively in the past. I came across what appeared to be pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable to exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.
>>> >> >>
>>> >> >> Here is a summary of the requests I've made to manually confirm the vulnerability.
>>> >> >>
>>> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>> >> >>
>>> >> >> I've tried various sqlmap flags and thought the following command would give me the best chance of success:
>>> >> >>
>>> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>> >> >>
>>> >> >> Note: the string 'industries' is text that appears in response A but not response B.
>>> >> >>
>>> >> >> I've looked at the requests that sqlmap is sending in the background (proxied through burp). It appears that it's attempting to exploit this with the AND statement as it should but is not using single quotes as per my example above.
>>> >> >>
>>> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.
>>> >> >>
>>> >> >> Thanks,
>>> >> >>
>>> >> >> Al.
>>> >> >>
>>> >> >> _______________________________________________
>>> >> >> sqlmap-users mailing list
>>> >> >> sql...@li...
>>> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>> >> >
>>> >> > --
>>> >> > Miroslav Stampar
>>> >> > http://about.me/stamparm
>>> >
>>> > --
>>> > Miroslav Stampar
>>> > http://about.me/stamparm
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
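Added example, not from the thread and not sqlmap's own code: the probe shapes discussed above (Alistair's quote-balanced ' AND '1'='1 / '1'='2 pair and sqlmap's ) AND 1477=7114 / -- style) as a defender would look for them in a web server access log. The log lines are constructed in Common Log Format; the scanner decodes each query parameter once, flags boolean-blind comparisons, and then reports parameters that received both a true and a false probe with differing response sizes, which is the response-A versus response-B signature the thread relies on.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Common Log Format); the URLs mirror the probes quoted in
# the thread, plus- or percent-encoded the way a browser or sqlmap would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:14:10:01 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:14:10:02 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:14:10:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 HTTP/1.1" 200 3077
10.0.0.5 - - [28/Apr/2015:14:10:04 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%29%20AND%201477%3D7114 HTTP/1.1" 500 512
10.0.0.5 - - [28/Apr/2015:14:10:05 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201631%3D1631--%20 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:14:10:06 +0000] "GET /help/UserGuide.aspx?Sec=Shipping%20and%20Handling HTTP/1.1" 200 4800
"""

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)')

# A boolean-blind probe: optional quote/paren break-out, AND, a comparison of two literals
# (the right one may be left unclosed so the app's own closing quote balances it), then an
# optional comment start or re-balancing character.
PROBE_RE = re.compile(
    r"(?P<breakout>['\")]*)\s*\bAND\b\s+"
    r"(?P<lhs>'[^']*'|\d+)\s*=\s*(?P<rhs>'[^']*'?|\d+)"
    r"(?P<suffix>\s*(?:--|#|\)|')?)", re.IGNORECASE)


def scan_log(text):
    """One finding per query parameter whose decoded value carries a boolean-blind probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # parse_qsl decodes '+' and %XX exactly once, so double-decoding cannot hide a probe.
        for name, value in parse_qsl(urlsplit(m.group("url")).query, keep_blank_values=True):
            p = PROBE_RE.search(value)
            if p:
                findings.append({
                    "param": name,
                    "value": value,
                    "tautology": p.group("lhs").strip("'") == p.group("rhs").strip("'"),
                    "suffix": p.group("suffix").strip(),
                    "bytes": int(m.group("bytes")) if m.group("bytes").isdigit() else 0,
                })
    return findings


def boolean_blind_suspects(findings):
    """Parameters that got both a true and a false probe with differing response sizes."""
    seen = {}
    for f in findings:
        seen.setdefault(f["param"], {}).setdefault(f["tautology"], set()).add(f["bytes"])
    return sorted(p for p, s in seen.items()
                  if True in s and False in s and s[True] != s[False])
```

The benign "Shipping and Handling" value is deliberately included: AND followed by a plain word is not a comparison, so the pattern requires two literals on either side of the equals sign before it fires.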