Re: [sqlmap-users] sqlmap-users Digest, Vol 48, Issue 3
From: Christopher D. <chr...@ch...> - 2015-05-29 22:09:01
I tried that with a custom mark for --data. The point I need to hit is the RemotingMessage AMF object with the data Params of "RemoteUsername=null" and "RemotePassword=null"; this triggers the exception by hand. I'm trying to figure out if I can get sqlmap to do this. It's not looking like it.

*"1432680462000 onFault ñ9com.chromeriver.exception.CrException: com.cougar.lang.CGException: DB Error: 1452-23000-Cannot add or update a child row: a foreign key constraint fails (`xxxxx_expense`.`tbl_PersonPassword`, CONSTRAINT `FK_tbl_PersonPassword_UK` FOREIGN KEY (`PersonID`) REFERENCES `tbl_Person` (`PersonID`)) at "*

I know the shady lady is there .... So close ;)

Thanks Guys.
Chris.

On Fri, May 29, 2015 at 7:01 AM, <sql...@li...> wrote:

> Today's Topics:
>
> 1. AMF sqli injection (Christopher Downs)
> 2. Re: AMF sqli injection (Brandon Perry)
> 3. Re: AMF sqli injection (Brandon Perry)
> 4. Re: AMF sqli injection (Chris Oakley)
> 5. Re: AMF sqli injection (Brandon Perry)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 28 May 2015 13:21:51 -0500
> From: Christopher Downs <chr...@ch...>
> Subject: [sqlmap-users] AMF sqli injection
> To: sql...@li...
>
> Good afternoon gents,
> I am a professional penetration tester and have a rather difficult injection
> point for one of my customers.
>
> I can trigger the exception by pausing traffic with burp and inserting
> NULL's into the user | pass via a back end flex call. Is there a way to
> take advantage of sqlmap to inject via flex remoting objects ?
>
> If not I will have to write this myself but I thought I may ask the list
> first.
>
> Thanks.
> Sincerely,
> Christopher M Downs
>
> --
> Chris Downs | System Administrator
> main 888.781.0088
> email chr...@ch...
> web www.chromeriver.com
>
> ------------------------------
>
> Message: 2
> Date: Thu, 28 May 2015 13:59:12 -0500
> From: Brandon Perry <bpe...@gm...>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Christopher Downs <chr...@ch...>
> Cc: sqlmap users <sql...@li...>
>
> Flex is hard because you have to update the integer that tells flex how
> long a string is, unless I am mistaken.
>
> If not, you could try with the * marker to tell sqlmap exactly where the
> injection point is.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
> ------------------------------
>
> Message: 3
> Date: Thu, 28 May 2015 14:17:07 -0500
> From: Brandon Perry <bpe...@gm...>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Christopher Downs <chr...@ch...>
> Cc: sqlmap users <sql...@li...>
>
> FWIW here is an exploit I wrote a long while back that partly abuses a weak
> AMF endpoint (xxe, not sqli...).
>
> http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html
>
> However, I distinctly remember having to keep the admin password the same
> length as my base AMF request (because I was lazy and didn't feel like
> having to update the integer as well). See the change_admin_password
> method. I basically base64 encoded the request in order to store the base
> request, then decoded it and modified it based on what I wanted to do.
>
> You could make a few requests with different sized usernames to find the
> integer that you will need to manipulate during exploitation.
>
> ------------------------------
>
> Message: 4
> Date: Thu, 28 May 2015 15:24:36 -0400
> From: Chris Oakley <chr...@gm...>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Brandon Perry <bpe...@gm...>
> Cc: sqlmap users <sql...@li...>, Christopher Downs <chr...@ch...>
>
> "Flex is hard because you have to update the integer that tells flex how
> long a string is"
>
> It might be possible to address this with the --eval option
>
> ------------------------------
>
> Message: 5
> Date: Thu, 28 May 2015 15:12:57 -0500
> From: Brandon Perry <bpe...@gm...>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Chris Oakley <chr...@gm...>
> Cc: sqlmap users <sql...@li...>, Christopher Downs <chr...@ch...>
>
> That could work.
>
> ------------------------------
>
> End of sqlmap-users Digest, Vol 48, Issue 3
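
The string-length integer discussed in the thread, as an added example that is not from any poster or from sqlmap: it assumes the field is an AMF3 inline string (marker 0x06 followed by a U29 header carrying the byte length), and all sample values are constructed. It shows what a parser reads when a value is edited without updating its prefix, and that the prefix itself grows from one byte to two once the value reaches 64 bytes.

```python
STRING_MARKER = 0x06  # AMF3 type marker for a string value

def encode_u29(value):
    """AMF3 variable-length unsigned 29-bit integer (1 to 4 bytes)."""
    if not 0 <= value <= 0x1FFFFFFF:
        raise ValueError("U29 out of range")
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([(value >> 7) | 0x80, value & 0x7F])
    if value < 0x200000:
        return bytes([(value >> 14) | 0x80, (value >> 7) & 0x7F | 0x80, value & 0x7F])
    return bytes([(value >> 22) | 0x80, (value >> 15) & 0x7F | 0x80,
                  (value >> 8) & 0x7F | 0x80, value & 0xFF])

def decode_u29(buf, pos=0):
    """Return (value, next_pos); the fourth byte contributes all 8 bits."""
    value = 0
    for i in range(3):
        byte = buf[pos + i]
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 3], pos + 4

def encode_string(text):
    """Marker, U29 header (byte length << 1 | 1 means inline value), UTF-8 bytes."""
    data = text.encode("utf-8")
    return bytes([STRING_MARKER]) + encode_u29((len(data) << 1) | 1) + data

def decode_string(buf, pos=0):
    """Return (text, next_pos), reading exactly the declared number of bytes."""
    if buf[pos] != STRING_MARKER:
        raise ValueError("not an AMF3 string")
    header, pos = decode_u29(buf, pos + 1)
    if not header & 1:
        raise ValueError("string reference, not an inline value")
    end = pos + (header >> 1)
    if end > len(buf):
        raise ValueError("declared length exceeds buffer")
    return buf[pos:end].decode("utf-8"), end

# Constructed sample: a field value edited in place without touching its prefix.
original = encode_string("alice")          # 06 0b 61 6c 69 63 65
stale = original[:2] + b"alice-longer"     # prefix still declares 5 bytes
fixed = encode_string("alice-longer")      # prefix recomputed to 0x19

if __name__ == "__main__":
    print(decode_string(stale))  # value is cut short; trailing bytes desync the parse
    print(decode_string(fixed))
    print(len(encode_string("a" * 63)), len(encode_string("a" * 64)))
```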