sqlmap-users Mailing List for sqlmap (Page 11)
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users — sqlmap users mailing list
You can subscribe to this list here.
| 2008 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(4) |
Oct
(11) |
Nov
(24) |
Dec
(13) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009 |
Jan
(23) |
Feb
(17) |
Mar
(13) |
Apr
(48) |
May
(22) |
Jun
(18) |
Jul
(22) |
Aug
(13) |
Sep
(23) |
Oct
(6) |
Nov
(11) |
Dec
(25) |
| 2010 |
Jan
(21) |
Feb
(33) |
Mar
(61) |
Apr
(47) |
May
(48) |
Jun
(30) |
Jul
(24) |
Aug
(37) |
Sep
(52) |
Oct
(59) |
Nov
(32) |
Dec
(57) |
| 2011 |
Jan
(166) |
Feb
(93) |
Mar
(65) |
Apr
(117) |
May
(87) |
Jun
(124) |
Jul
(102) |
Aug
(78) |
Sep
(65) |
Oct
(22) |
Nov
(71) |
Dec
(79) |
| 2012 |
Jan
(93) |
Feb
(55) |
Mar
(45) |
Apr
(49) |
May
(56) |
Jun
(93) |
Jul
(95) |
Aug
(42) |
Sep
(26) |
Oct
(36) |
Nov
(32) |
Dec
(46) |
| 2013 |
Jan
(36) |
Feb
(78) |
Mar
(38) |
Apr
(57) |
May
(35) |
Jun
(39) |
Jul
(23) |
Aug
(33) |
Sep
(28) |
Oct
(38) |
Nov
(22) |
Dec
(16) |
| 2014 |
Jan
(33) |
Feb
(23) |
Mar
(41) |
Apr
(29) |
May
(12) |
Jun
(20) |
Jul
(21) |
Aug
(23) |
Sep
(18) |
Oct
(34) |
Nov
(12) |
Dec
(39) |
| 2015 |
Jan
(2) |
Feb
(51) |
Mar
(10) |
Apr
(28) |
May
(9) |
Jun
(22) |
Jul
(32) |
Aug
(35) |
Sep
(29) |
Oct
(50) |
Nov
(8) |
Dec
(2) |
| 2016 |
Jan
(8) |
Feb
(2) |
Mar
(3) |
Apr
(14) |
May
|
Jun
|
Jul
|
Aug
(12) |
Sep
|
Oct
|
Nov
(1) |
Dec
(19) |
| 2017 |
Jan
|
Feb
(18) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
(2) |
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
(1) |
Apr
(1) |
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
(3) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: شرکت ب. <in...@si...> - 2015-06-29 15:55:51
|
به نام خدا بادرود بدینوسیله به استحضار می رساند شرکت بدر الکتریک که دارای نمایندگی های رسمی در موارد نامبرده ذیل می باشد ماشینهای اداری توشیبا ویدیو پروژکتور و نمایشگرهای ان ای سی بردهای هوشمند پرومتین و پروگرس آنتی ویروس بیت دیفندر در راستای ارائه خدمات متمرکز به آدرس تهران میدان هفت تیر خیابان کریمخان زند ابتدای پل پلاک 69 کد پستی 1585695733 شماره تلفن 89397-021 جابجایی مکانی داشته است باتشکر |
|
From: Miroslav S. <mir...@gm...> - 2015-06-23 06:06:19
|
Connections are being created by the web platform itself (e.g. ASP.NET), not at the DBMS level. So, no way to clean it up from the SQLi level. Bye On Jun 23, 2015 12:11 AM, "Rodrigo Zanatta Silva" < rod...@gm...> wrote: > Hi. > > I found a SQL Injection place by error in Microsoft SQL Server. > > But... Every call it create a exception and it start a new connection. > When the stack is full of connection because the sqlexception, it stop and > faill. I need to wait the garbage collection close all this connection! The > easy way to solve this is change the code from the page... But... We know I > can't do it. > > How can I inject a SQL Command to close this connection. Can I do it with > SQL? Or it will be useless because it will first fail and never execute the > rest of SQL? > > > > ------------------------------------------------------------------------------ > Monitor 25 network devices or servers for free with OpManager! > OpManager is web-based network management software that monitors > network devices and physical & virtual servers, alerts via email & sms > for fault. Monitor 25 devices for free with no restriction. Download now > http://ad.doubleclick.net/ddm/clk/292181274;119417398;o > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
|
From: Rodrigo Z. S. <rod...@gm...> - 2015-06-22 21:11:11
|
Hi. I found a SQL Injection place by error in Microsoft SQL Server. But... Every call it create a exception and it start a new connection. When the stack is full of connection because the sqlexception, it stop and faill. I need to wait the garbage collection close all this connection! The easy way to solve this is change the code from the page... But... We know I can't do it. How can I inject a SQL Command to close this connection. Can I do it with SQL? Or it will be useless because it will first fail and never execute the rest of SQL? |
|
From: Miroslav S. <mir...@gm...> - 2015-06-22 14:37:29
|
Hi. It works, but in later stage. You can see clearly in the following example that only parameter goButton is being checked for SQLi. $ python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --forms -p goButton _ ___ ___| |_____ ___ ___ {1.0-dev-7d418af} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 16:34:53 [16:34:56] [INFO] testing connection to the target URL [16:35:03] [INFO] searching for forms [#1] form: POST http://testphp.vulnweb.com:80/search.php?test=query POST data: searchFor=&goButton=go do you want to test this form? [Y/n/q] > Edit POST data [default: searchFor=&goButton=go] (Warning: blank fields detected): do you want to fill blank fields with random values? [Y/n] [16:35:14] [INFO] using '/home/stamparm/.sqlmap/output/results-06222015_0435pm.csv' as the CSV results file in multiple targets mode [16:35:18] [INFO] testing if the target URL is stable. This can take a couple of seconds [16:35:19] [INFO] target URL is stable [16:35:19] [WARNING] heuristic (basic) test shows that POST parameter 'goButton' might not be injectable [16:35:20] [INFO] testing for SQL injection on POST parameter 'goButton' [16:35:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [16:35:22] [WARNING] user aborted during detection phase how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] n [16:35:24] [WARNING] POST parameter 'goButton' is not injectable [16:35:24] [ERROR] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next form [16:35:24] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/stamparm/.sqlmap/output/results-06222015_0435pm.csv' [*] shutting down at 16:35:24 Bye 2015-06-17 14:17 GMT+02:00 Marco Mirandola <mm...@gm...>: > If use "--forms" the parameter "-p" don't work > > Best regards > M.M. > -- > > *[image: Descrizione: Descrizione: image002] Rispetta l'ambiente. Non > stampare questa mail se non è necessario* > > *Questa e-mail è riservata compresi gli eventuali allegati. In caso di > ricezione per errore della presente e-mail siete pregati di darne > comunicazione al mittente mediante e-mail di risposta e di cancellare > immediatamente questo messaggio, essendo escluso il consenso in ordine a > qualsiasi tipo di trattamento del suo contenuto e dei relativi allegati. * > > *Vi ringraziamo per la collaborazione. This e-mail and any attachments are > confidential. If you have received this e-mail by mistake, please inform > the sender immediately by reply e-mail and then delete it from your system. > Any processing of this e-mail and its attachments is not authorized. **Thank > you for your cooperation*. > > > ------------------------------------------------------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Hilmi A. <hil...@gm...> - 2015-06-22 02:54:30
|
Please Fix Sqlmapchik,I Can Use Option -D -T -C Please i need it very much Please reply this email King regrad Hilmi.Azizi |
|
From: Miroslav S. <mir...@gm...> - 2015-06-18 09:40:49
|
Hi.
Sending you a sample run from my machine with the latest revision:
---
stamparm@Laptop:~/Dropbox/Work/sqlmap$ pwd
/home/stamparm/Dropbox/Work/sqlmap
stamparm@Laptop:~/Dropbox/Work/sqlmap$ ll /tmp/request.txt
-rw-r--r-- 1 stamparm stamparm 327 Jun 18 11:33 /tmp/request.txt
stamparm@Laptop:~/Dropbox/Work/sqlmap$ ll ../../../../../tmp/request.txt
-rw-r--r-- 1 stamparm stamparm 327 Jun 18 11:33
../../../../../tmp/request.txt
stamparm@Laptop:~/Dropbox/Work/sqlmap$ python sqlmap.py -r
../../../../../tmp/request.txt
_
___ ___| |_____ ___ ___ {1.0-dev-9e5ef09}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting at 11:35:13
[11:35:13] [INFO] parsing HTTP request from '../../../../../tmp/request.txt'
custom injection marking character ('*') found in option
'--headers/--user-agent/--referer/--cookie'. Do you want to process it?
[Y/n/q]
[11:35:18] [INFO] testing connection to the target URL
...
---
You might have a problem with your environment setup of sqlmap. Do you run
Kali? If you are running its command "sqlmap" it will predefine the current
directory to something else (not sure, as I don't have a installation here).
Kind regards,
Miroslav Stampar
On Thu, Jun 18, 2015 at 10:24 AM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> thank you very much, it works.
> I have another question. Sqlmap can't work with relative paths when using
> -r or -c switch for loading requests or config files. Maybe this is true
> for other switches, but I can confirm it here. It just says that file was
> not found. It works only with absolute paths.
> Is this intentional?
> Thanks,
> Vojta
>
> On 16.6.2015 12:01, Miroslav Stampar wrote:
>
> Hi Vojtěch.
>
> Can you please update and try it now?
>
> Bye
>
> On Mon, Jun 15, 2015 at 11:59 AM, Vojtěch Polášek <kr...@gm...>
> wrote:
>
>> Hi,
>> I am testing an application, which works in this way:
>> You send a request as a POST request and application returns 302 Found.
>> Web browser uses location field to send a GET request for updated site.
>> When I test this with Sqlmap, it asks me whether I want to follow 302
>> redirect (I answer yes) and whether I want to resubmit the request to eh
>> new page (I answer NO).
>> However, when I look at the generated thraffic file, I can see something
>> like this:
>> HTTP request [#1]:
>> POST /target_url HTTP/1.1
>> Accept-language: en-US,en;q=0.5
>> Accept-encoding: gzip, deflate
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0)
>> Gecko/20100101 Firefox/37.0
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: 192.168.56.102:8443
>> Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD
>> Pragma: no-cache
>> Cache-control: no-cache,no-store
>> Referer: https://192.168.56.102:8443/target_url
>> Content-type: application/x-www-form-urlencoded
>> Content-length: 17
>> Connection: close
>>
>> newState=DISABLED
>>
>> HTTP redirect [#1] (302 Found):
>> Content-length: 0
>> Content-language: en-US
>> Server: Apache-Coyote/1.1
>> Connection: close
>> Location: https://192.168.56.102:8443/target_url
>> Date: Fri, 12 Jun 2015 15:16:16 GMT
>>
>>
>> ############################################################################
>>
>> HTTP request [#1]:
>> POST \/target_url HTTP/1.1
>> Accept-language: en-US,en;q=0.5
>> Accept-encoding: gzip, deflate
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0)
>> Gecko/20100101 Firefox/37.0
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: 192.168.56.102:8443
>> Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD
>> Pragma: no-cache
>> Cache-control: no-cache,no-store
>> Referer: https://192.168.56.102:8443/target_url
>> Content-type: application/x-www-form-urlencoded
>> Content-length: 17
>> Connection: close
>>
>> newState=DISABLED
>>
>> HTTP response [#1] (200 OK):
>> Content-language: en-US
>> Transfer-encoding: chunked
>> Uri: https://192.168.56.102:8443/redirected_url
>> Server: Apache-Coyote/1.1
>> Connection: close
>> Date: Fri, 12 Jun 2015 15:16:29 GMT
>> Content-type: text/html;charset=UTF-8
>>
>> <!DOCTYPE html>
>> <html>
>> <head>
>> etc.
>>
>> I have redacted it a but the "target_url" is the same for all requests
>> and responses.
>> So I can see that Sqlmap still POSTs the query to the site pointed by
>> location header instead of just GETting it, although I explicitly denied
>> that.
>> Could you please look into this?
>> Thanks,
>> Vojta
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm
|
|
From: Vojtěch P. <kr...@gm...> - 2015-06-18 08:24:42
|
Hi, thank you very much, it works. I have another question. Sqlmap can't work with relative paths when using -r or -c switch for loading requests or config files. Maybe this is true for other switches, but I can confirm it here. It just says that file was not found. It works only with absolute paths. Is this intentional? Thanks, Vojta On 16.6.2015 12:01, Miroslav Stampar wrote: > Hi Vojtěch. > > Can you please update and try it now? > > Bye > > On Mon, Jun 15, 2015 at 11:59 AM, Vojtěch Polášek <kr...@gm... > <mailto:kr...@gm...>> wrote: > > Hi, > I am testing an application, which works in this way: > You send a request as a POST request and application returns 302 > Found. > Web browser uses location field to send a GET request for updated > site. > When I test this with Sqlmap, it asks me whether I want to follow 302 > redirect (I answer yes) and whether I want to resubmit the request > to eh > new page (I answer NO). > However, when I look at the generated thraffic file, I can see > something > like this: > HTTP request [#1]: > POST /target_url HTTP/1.1 > Accept-language: en-US,en;q=0.5 > Accept-encoding: gzip, deflate > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) > Gecko/20100101 Firefox/37.0 > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 > Host: 192.168.56.102:8443 <http://192.168.56.102:8443> > Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD > Pragma: no-cache > Cache-control: no-cache,no-store > Referer: https://192.168.56.102:8443/target_url > Content-type: application/x-www-form-urlencoded > Content-length: 17 > Connection: close > > newState=DISABLED > > HTTP redirect [#1] (302 Found): > Content-length: 0 > Content-language: en-US > Server: Apache-Coyote/1.1 > Connection: close > Location: https://192.168.56.102:8443/target_url > Date: Fri, 12 Jun 2015 15:16:16 GMT > > ############################################################################ > > HTTP request [#1]: > POST \/target_url HTTP/1.1 > Accept-language: en-US,en;q=0.5 > Accept-encoding: gzip, deflate > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) > Gecko/20100101 Firefox/37.0 > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 > Host: 192.168.56.102:8443 <http://192.168.56.102:8443> > Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD > Pragma: no-cache > Cache-control: no-cache,no-store > Referer: https://192.168.56.102:8443/target_url > Content-type: application/x-www-form-urlencoded > Content-length: 17 > Connection: close > > newState=DISABLED > > HTTP response [#1] (200 OK): > Content-language: en-US > Transfer-encoding: chunked > Uri: https://192.168.56.102:8443/redirected_url > Server: Apache-Coyote/1.1 > Connection: close > Date: Fri, 12 Jun 2015 15:16:29 GMT > Content-type: text/html;charset=UTF-8 > > <!DOCTYPE html> > <html> > <head> > etc. > > I have redacted it a but the "target_url" is the same for all requests > and responses. > So I can see that Sqlmap still POSTs the query to the site pointed by > location header instead of just GETting it, although I explicitly > denied > that. > Could you please look into this? > Thanks, > Vojta > > > ------------------------------------------------------------------------------ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > <mailto:sql...@li...> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > Miroslav Stampar > http://about.me/stamparm |
|
From: Marco M. <mm...@gm...> - 2015-06-17 12:17:42
|
If use "--forms" the parameter "-p" don't work Best regards M.M. -- *[image: Descrizione: Descrizione: image002] Rispetta l'ambiente. Non stampare questa mail se non è necessario* *Questa e-mail è riservata compresi gli eventuali allegati. In caso di ricezione per errore della presente e-mail siete pregati di darne comunicazione al mittente mediante e-mail di risposta e di cancellare immediatamente questo messaggio, essendo escluso il consenso in ordine a qualsiasi tipo di trattamento del suo contenuto e dei relativi allegati. * *Vi ringraziamo per la collaborazione. This e-mail and any attachments are confidential. If you have received this e-mail by mistake, please inform the sender immediately by reply e-mail and then delete it from your system. Any processing of this e-mail and its attachments is not authorized. **Thank you for your cooperation*. |
|
From: Miroslav S. <mir...@gm...> - 2015-06-16 10:01:43
|
Hi Vojtěch. Can you please update and try it now? Bye On Mon, Jun 15, 2015 at 11:59 AM, Vojtěch Polášek <kr...@gm...> wrote: > Hi, > I am testing an application, which works in this way: > You send a request as a POST request and application returns 302 Found. > Web browser uses location field to send a GET request for updated site. > When I test this with Sqlmap, it asks me whether I want to follow 302 > redirect (I answer yes) and whether I want to resubmit the request to eh > new page (I answer NO). > However, when I look at the generated thraffic file, I can see something > like this: > HTTP request [#1]: > POST /target_url HTTP/1.1 > Accept-language: en-US,en;q=0.5 > Accept-encoding: gzip, deflate > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) > Gecko/20100101 Firefox/37.0 > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 > Host: 192.168.56.102:8443 > Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD > Pragma: no-cache > Cache-control: no-cache,no-store > Referer: https://192.168.56.102:8443/target_url > Content-type: application/x-www-form-urlencoded > Content-length: 17 > Connection: close > > newState=DISABLED > > HTTP redirect [#1] (302 Found): > Content-length: 0 > Content-language: en-US > Server: Apache-Coyote/1.1 > Connection: close > Location: https://192.168.56.102:8443/target_url > Date: Fri, 12 Jun 2015 15:16:16 GMT > > > ############################################################################ > > HTTP request [#1]: > POST \/target_url HTTP/1.1 > Accept-language: en-US,en;q=0.5 > Accept-encoding: gzip, deflate > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) > Gecko/20100101 Firefox/37.0 > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 > Host: 192.168.56.102:8443 > Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD > Pragma: no-cache > Cache-control: no-cache,no-store > Referer: https://192.168.56.102:8443/target_url > Content-type: application/x-www-form-urlencoded > Content-length: 17 > Connection: close > > newState=DISABLED > > HTTP response [#1] (200 OK): > Content-language: en-US > Transfer-encoding: chunked > Uri: https://192.168.56.102:8443/redirected_url > Server: Apache-Coyote/1.1 > Connection: close > Date: Fri, 12 Jun 2015 15:16:29 GMT > Content-type: text/html;charset=UTF-8 > > <!DOCTYPE html> > <html> > <head> > etc. > > I have redacted it a but the "target_url" is the same for all requests > and responses. > So I can see that Sqlmap still POSTs the query to the site pointed by > location header instead of just GETting it, although I explicitly denied > that. > Could you please look into this? > Thanks, > Vojta > > > > ------------------------------------------------------------------------------ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm |
|
From: Vojtěch P. <kr...@gm...> - 2015-06-15 09:59:33
|
Hi, I am testing an application, which works in this way: You send a request as a POST request and application returns 302 Found. Web browser uses location field to send a GET request for updated site. When I test this with Sqlmap, it asks me whether I want to follow 302 redirect (I answer yes) and whether I want to resubmit the request to eh new page (I answer NO). However, when I look at the generated thraffic file, I can see something like this: HTTP request [#1]: POST /target_url HTTP/1.1 Accept-language: en-US,en;q=0.5 Accept-encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 Host: 192.168.56.102:8443 Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD Pragma: no-cache Cache-control: no-cache,no-store Referer: https://192.168.56.102:8443/target_url Content-type: application/x-www-form-urlencoded Content-length: 17 Connection: close newState=DISABLED HTTP redirect [#1] (302 Found): Content-length: 0 Content-language: en-US Server: Apache-Coyote/1.1 Connection: close Location: https://192.168.56.102:8443/target_url Date: Fri, 12 Jun 2015 15:16:16 GMT ############################################################################ HTTP request [#1]: POST \/target_url HTTP/1.1 Accept-language: en-US,en;q=0.5 Accept-encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 Host: 192.168.56.102:8443 Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD Pragma: no-cache Cache-control: no-cache,no-store Referer: https://192.168.56.102:8443/target_url Content-type: application/x-www-form-urlencoded Content-length: 17 Connection: close newState=DISABLED HTTP response [#1] (200 OK): Content-language: en-US Transfer-encoding: chunked Uri: https://192.168.56.102:8443/redirected_url Server: Apache-Coyote/1.1 Connection: close Date: Fri, 12 Jun 2015 15:16:29 GMT Content-type: text/html;charset=UTF-8 <!DOCTYPE html> <html> <head> etc. I have redacted it a but the "target_url" is the same for all requests and responses. So I can see that Sqlmap still POSTs the query to the site pointed by location header instead of just GETting it, although I explicitly denied that. Could you please look into this? Thanks, Vojta |
|
From: Miroslav S. <mir...@gm...> - 2015-06-15 04:51:43
|
Why don't you put that whole request in a file and provide it to sqlmap
with option -r? That would be far easier.
Bye
On Jun 15, 2015 4:09 AM, "guoyangjuan" <guo...@hu...> wrote:
> Yes, I need to provide the JSESSIONID.
>
> If don’t, it will redirect to login page.
>
>
>
>
>
> *发件人:* Brandon Perry [mailto:bpe...@gm...]
> *发送时间:* 2015年6月15日 9:51
> *收件人:* guoyangjuan
> *抄送:* sql...@li...; Longxiang
> *主题:* Re: [sqlmap-users] Cannot identify JSON parameters
>
>
>
> Do you need to provide the JSESSIONID as well?
>
>
>
> On Jun 14, 2015, at 8:34 PM, guoyangjuan <guo...@hu...> wrote:
>
>
>
> Hi,
>
> Thanks for your prompt reply.
>
> I’ve tried outer single quotes just as you suggested, but I still get the
> "no parameter(s) found" message.
>
> Any ideas?
>
>
>
> Kind regards,
>
> Guo
>
>
>
>
>
> *发件人:* Brandon Perry [mailto:bpe...@gm...
> <bpe...@gm...>]
> *发送时间:* 2015年6月12日 21:37
> *收件人:* guoyangjuan
> *抄送:* sql...@li...; Longxiang
> *主题:* Re: [sqlmap-users] Cannot identify JSON parameters
>
>
>
> --data="{"apn":"requestApn","language":"zh_CN"}"
>
> That is not the correct way to specify JSON, should use outer single
> quotes.
>
>
>
> --data='{"apn":"requestApn","language":"zh_CN"}'
>
>
>
> On Fri, Jun 12, 2015 at 4:29 AM, guoyangjuan <guo...@hu...>
> wrote:
>
> Hi,
>
>
>
> I'm using sqlmap/1.0-dev-nongit-20150608 to test the following JSON
> request that
>
> I extracted from Burp and censored a bit:
>
> ----------------------------------------------------------------------
>
> POST /SomeURL/getApns.action HTTP/1.1
>
> Host: IP:8443
>
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101
> Firefox/34.0
>
> Accept: application/json, text/javascript, */*; q=0.01
>
> Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
>
> Accept-Encoding: gzip, deflate
>
> Content-Type: application/json; charset=UTF-8
>
> X-Requested-With: XMLHttpRequest
>
> Referer:
> https://IP:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800
> <https://ip:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800>
>
> Content-Length: 39
>
> Cookie: JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN;
> HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true;
> loginUserName=SomeUser; lockScreen=false
>
> Connection: keep-alive
>
> Pragma: no-cache
>
> Cache-Control: no-cache
>
>
>
> {"apn":"requestApn","language":"zh_CN"}
>
> ----------------------------------------------------------------------
>
>
>
>
>
> I tried the following command to do the SQL injection test, but it ended
> up with "no parameter(s) found" message.
>
> -----------------------------------------------------------------------
>
> Command:
>
> sqlmap.py -u "https://SomeURL/getApns.action
> <https://someurl/getApns.action>"
> --cookie="JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
>
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN;
> HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true;
> loginUserName=SomeUser;
>
> lockScreen=false" --data="{"apn":"requestApn","language":"zh_CN"}"
> --ignore-proxy --dbms "MySQL"
>
> -----------------------------------------------------------------------
>
> Log:
>
> [*] starting at 09:36:31
>
>
>
> [09:36:31] [INFO] testing connection to the target URL
>
> [09:36:33] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
>
> [09:36:35] [INFO] target URL is stable
>
> [09:36:35] [CRITICAL] no parameter(s) found for testing in the provided
> data (e.
>
> g. GET parameter 'id' in 'www.site.com/index.php?id=1')
>
>
>
> [*] shutting down at 09:36:35
>
> -----------------------------------------------------------------------
>
>
>
>
>
> Then I saved the post JSON request to file “testURL.txt” and tried “sqlmap.py
> –r d:\testURL.txt ”,
>
> It can perfectly identify JSON parameters:
>
> -----------------------------------------------------------------------
>
> Log:
>
> [*] starting at 09:43:58
>
>
>
> [09:43:58] [INFO] parsing HTTP request from 'd:\testURL.txt'
>
> JSON data found in POST data. Do you want to process it? [Y/n/q] Y
>
> [09:44:06] [INFO] testing connection to the target URL
>
> [09:44:07] [WARNING] the web server responded with an HTTP error code
> (400) which could interfere with the results of the tests
>
> [09:44:07] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
>
> [09:44:08] [INFO] target URL is stable
>
> [09:44:08] [INFO] testing if (custom) POST parameter 'JSON apn' is dynamic
>
> ...
>
> [09:45:01] [INFO] testing if (custom) POST parameter 'JSON language' is
> dynamic
>
> ...
>
> -----------------------------------------------------------------------
>
>
>
> Why it behaved differently?
>
>
>
> For some reason, I can only use “sqlmap.py –u SomeURL --cookie=SomeCookie
> --data=JSON data” to do the test.
>
> Can sqlmap identify JSON post data using the above command?
>
> How do I achieve this?
>
>
>
> Kind regards,
>
> Guo
>
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
>
>
> --
>
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
|
|
From: guoyangjuan <guo...@hu...> - 2015-06-15 02:08:40
|
Yes, I need to provide the JSESSIONID.
If don’t, it will redirect to login page.
发件人: Brandon Perry [mailto:bpe...@gm...]
发送时间: 2015年6月15日 9:51
收件人: guoyangjuan
抄送: sql...@li...; Longxiang
主题: Re: [sqlmap-users] Cannot identify JSON parameters
Do you need to provide the JSESSIONID as well?
On Jun 14, 2015, at 8:34 PM, guoyangjuan <guo...@hu...<mailto:guo...@hu...>> wrote:
Hi,
Thanks for your prompt reply.
I’ve tried outer single quotes just as you suggested, but I still get the "no parameter(s) found" message.
Any ideas?
Kind regards,
Guo
发件人: Brandon Perry [mailto:bpe...@gm...]
发送时间: 2015年6月12日 21:37
收件人: guoyangjuan
抄送: sql...@li...<mailto:sql...@li...>; Longxiang
主题: Re: [sqlmap-users] Cannot identify JSON parameters
--data="{"apn":"requestApn","language":"zh_CN"}"
That is not the correct way to specify JSON, should use outer single quotes.
--data='{"apn":"requestApn","language":"zh_CN"}'
On Fri, Jun 12, 2015 at 4:29 AM, guoyangjuan <guo...@hu...<mailto:guo...@hu...>> wrote:
Hi,
I'm using sqlmap/1.0-dev-nongit-20150608 to test the following JSON request that
I extracted from Burp and censored a bit:
----------------------------------------------------------------------
POST /SomeURL/getApns.action HTTP/1.1
Host: IP:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://IP:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800<https://ip:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800>
Content-Length: 39
Cookie: JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser; lockScreen=false
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"apn":"requestApn","language":"zh_CN"}
----------------------------------------------------------------------
I tried the following command to do the SQL injection test, but it ended up with "no parameter(s) found" message.
-----------------------------------------------------------------------
Command:
sqlmap.py -u "https://SomeURL/getApns.action<https://someurl/getApns.action>" --cookie="JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser;
lockScreen=false" --data="{"apn":"requestApn","language":"zh_CN"}" --ignore-proxy --dbms "MySQL"
-----------------------------------------------------------------------
Log:
[*] starting at 09:36:31
[09:36:31] [INFO] testing connection to the target URL
[09:36:33] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:36:35] [INFO] target URL is stable
[09:36:35] [CRITICAL] no parameter(s) found for testing in the provided data (e.
g. GET parameter 'id' in 'www.site.com/index.php?id=1<http://www.site.com/index.php?id=1>')
[*] shutting down at 09:36:35
-----------------------------------------------------------------------
Then I saved the post JSON request to file “testURL.txt” and tried “sqlmap.py –r d:\testURL.txt ”,
It can perfectly identify JSON parameters:
-----------------------------------------------------------------------
Log:
[*] starting at 09:43:58
[09:43:58] [INFO] parsing HTTP request from 'd:\testURL.txt'
JSON data found in POST data. Do you want to process it? [Y/n/q] Y
[09:44:06] [INFO] testing connection to the target URL
[09:44:07] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
[09:44:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:44:08] [INFO] target URL is stable
[09:44:08] [INFO] testing if (custom) POST parameter 'JSON apn' is dynamic
...
[09:45:01] [INFO] testing if (custom) POST parameter 'JSON language' is dynamic
...
-----------------------------------------------------------------------
Why it behaved differently?
For some reason, I can only use “sqlmap.py –u SomeURL --cookie=SomeCookie --data=JSON data” to do the test.
Can sqlmap identify JSON post data using the above command?
How do I achieve this?
Kind regards,
Guo
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sql...@li...<mailto:sql...@li...>
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
http://volatile-minds.blogspot.com<http://volatile-minds.blogspot.com/> -- blog
http://www.volatileminds.net<http://www.volatileminds.net/> -- website
|
|
From: Brandon P. <bpe...@gm...> - 2015-06-15 01:50:49
|
Do you need to provide the JSESSIONID as well?
> On Jun 14, 2015, at 8:34 PM, guoyangjuan <guo...@hu...> wrote:
>
> Hi,
> Thanks for your prompt reply.
> I’ve tried outer single quotes just as you suggested, but I still get the "no parameter(s) found" message.
> Any ideas?
>
> Kind regards,
> Guo
>
>
> 发件人: Brandon Perry [mailto:bpe...@gm...]
> 发送时间: 2015年6月12日 21:37
> 收件人: guoyangjuan
> 抄送: sql...@li...; Longxiang
> 主题: Re: [sqlmap-users] Cannot identify JSON parameters
>
> --data="{"apn":"requestApn","language":"zh_CN"}"
>
> That is not the correct way to specify JSON, should use outer single quotes.
>
> --data='{"apn":"requestApn","language":"zh_CN"}'
>
> On Fri, Jun 12, 2015 at 4:29 AM, guoyangjuan <guo...@hu... <mailto:guo...@hu...>> wrote:
> Hi,
>
> I'm using sqlmap/1.0-dev-nongit-20150608 to test the following JSON request that
> I extracted from Burp and censored a bit:
> ----------------------------------------------------------------------
> POST /SomeURL/getApns.action HTTP/1.1
> Host: IP:8443
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
> Accept: application/json, text/javascript, */*; q=0.01
> Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/json; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: https://IP:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800 <https://ip:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800>
> Content-Length: 39
> Cookie: JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser; lockScreen=false
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
>
> {"apn":"requestApn","language":"zh_CN"}
> ----------------------------------------------------------------------
>
>
> I tried the following command to do the SQL injection test, but it ended up with "no parameter(s) found" message.
> -----------------------------------------------------------------------
> Command:
> sqlmap.py -u "https://SomeURL/getApns.action <https://someurl/getApns.action>" --cookie="JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser;
> lockScreen=false" --data="{"apn":"requestApn","language":"zh_CN"}" --ignore-proxy --dbms "MySQL"
> -----------------------------------------------------------------------
> Log:
> [*] starting at 09:36:31
>
> [09:36:31] [INFO] testing connection to the target URL
> [09:36:33] [INFO] testing if the target URL is stable. This can take a couple of seconds
> [09:36:35] [INFO] target URL is stable
> [09:36:35] [CRITICAL] no parameter(s) found for testing in the provided data (e.
> g. GET parameter 'id' in 'www.site.com/index.php?id=1 <http://www.site.com/index.php?id=1>')
>
> [*] shutting down at 09:36:35
> -----------------------------------------------------------------------
>
>
> Then I saved the post JSON request to file “testURL.txt” and tried “sqlmap.py –r d:\testURL.txt ”,
> It can perfectly identify JSON parameters:
> -----------------------------------------------------------------------
> Log:
> [*] starting at 09:43:58
>
> [09:43:58] [INFO] parsing HTTP request from 'd:\testURL.txt'
> JSON data found in POST data. Do you want to process it? [Y/n/q] Y
> [09:44:06] [INFO] testing connection to the target URL
> [09:44:07] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
> [09:44:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
> [09:44:08] [INFO] target URL is stable
> [09:44:08] [INFO] testing if (custom) POST parameter 'JSON apn' is dynamic
> ...
> [09:45:01] [INFO] testing if (custom) POST parameter 'JSON language' is dynamic
> ...
> -----------------------------------------------------------------------
>
> Why it behaved differently?
>
> For some reason, I can only use “sqlmap.py –u SomeURL --cookie=SomeCookie --data=JSON data” to do the test.
> Can sqlmap identify JSON post data using the above command?
> How do I achieve this?
>
> Kind regards,
> Guo
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li... <mailto:sql...@li...>
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users <https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
>
>
>
> --
> http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- blog
> http://www.volatileminds.net <http://www.volatileminds.net/> -- website
|
|
From: guoyangjuan <guo...@hu...> - 2015-06-15 01:35:09
|
Hi,
Thanks for your prompt reply.
I’ve tried outer single quotes just as you suggested, but I still get the "no parameter(s) found" message.
Any ideas?
Kind regards,
Guo
发件人: Brandon Perry [mailto:bpe...@gm...]
发送时间: 2015年6月12日 21:37
收件人: guoyangjuan
抄送: sql...@li...; Longxiang
主题: Re: [sqlmap-users] Cannot identify JSON parameters
--data="{"apn":"requestApn","language":"zh_CN"}"
That is not the correct way to specify JSON, should use outer single quotes.
--data='{"apn":"requestApn","language":"zh_CN"}'
On Fri, Jun 12, 2015 at 4:29 AM, guoyangjuan <guo...@hu...<mailto:guo...@hu...>> wrote:
Hi,
I'm using sqlmap/1.0-dev-nongit-20150608 to test the following JSON request that
I extracted from Burp and censored a bit:
----------------------------------------------------------------------
POST /SomeURL/getApns.action HTTP/1.1
Host: IP:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://IP:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800
Content-Length: 39
Cookie: JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser; lockScreen=false
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"apn":"requestApn","language":"zh_CN"}
----------------------------------------------------------------------
I tried the following command to do the SQL injection test, but it ended up with "no parameter(s) found" message.
-----------------------------------------------------------------------
Command:
sqlmap.py -u "https://SomeURL/getApns.action" --cookie="JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser;
lockScreen=false" --data="{"apn":"requestApn","language":"zh_CN"}" --ignore-proxy --dbms "MySQL"
-----------------------------------------------------------------------
Log:
[*] starting at 09:36:31
[09:36:31] [INFO] testing connection to the target URL
[09:36:33] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:36:35] [INFO] target URL is stable
[09:36:35] [CRITICAL] no parameter(s) found for testing in the provided data (e.
g. GET parameter 'id' in 'www.site.com/index.php?id=1<http://www.site.com/index.php?id=1>')
[*] shutting down at 09:36:35
-----------------------------------------------------------------------
Then I saved the post JSON request to file “testURL.txt” and tried “sqlmap.py –r d:\testURL.txt ”,
It can perfectly identify JSON parameters:
-----------------------------------------------------------------------
Log:
[*] starting at 09:43:58
[09:43:58] [INFO] parsing HTTP request from 'd:\testURL.txt'
JSON data found in POST data. Do you want to process it? [Y/n/q] Y
[09:44:06] [INFO] testing connection to the target URL
[09:44:07] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
[09:44:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:44:08] [INFO] target URL is stable
[09:44:08] [INFO] testing if (custom) POST parameter 'JSON apn' is dynamic
...
[09:45:01] [INFO] testing if (custom) POST parameter 'JSON language' is dynamic
...
-----------------------------------------------------------------------
Why it behaved differently?
For some reason, I can only use “sqlmap.py –u SomeURL --cookie=SomeCookie --data=JSON data” to do the test.
Can sqlmap identify JSON post data using the above command?
How do I achieve this?
Kind regards,
Guo
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sql...@li...<mailto:sql...@li...>
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
|
|
From: Brandon P. <bpe...@gm...> - 2015-06-12 13:37:09
|
--data="{"apn":"requestApn","language":"zh_CN"}"
That is not the correct way to specify JSON, should use outer single quotes.
--data='{"apn":"requestApn","language":"zh_CN"}'
On Fri, Jun 12, 2015 at 4:29 AM, guoyangjuan <guo...@hu...> wrote:
> Hi,
>
>
>
> I'm using sqlmap/1.0-dev-nongit-20150608 to test the following JSON
> request that
>
> I extracted from Burp and censored a bit:
>
> ----------------------------------------------------------------------
>
> POST /SomeURL/getApns.action HTTP/1.1
>
> Host: IP:8443
>
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101
> Firefox/34.0
>
> Accept: application/json, text/javascript, */*; q=0.01
>
> Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
>
> Accept-Encoding: gzip, deflate
>
> Content-Type: application/json; charset=UTF-8
>
> X-Requested-With: XMLHttpRequest
>
> Referer:
> https://IP:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800
>
> Content-Length: 39
>
> Cookie: JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN;
> HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true;
> loginUserName=SomeUser; lockScreen=false
>
> Connection: keep-alive
>
> Pragma: no-cache
>
> Cache-Control: no-cache
>
>
>
> {"apn":"requestApn","language":"zh_CN"}
>
> ----------------------------------------------------------------------
>
>
>
>
>
> I tried the following command to do the SQL injection test, but it ended
> up with "no parameter(s) found" message.
>
> -----------------------------------------------------------------------
>
> Command:
>
> sqlmap.py -u "https://SomeURL/getApns.action"
> --cookie="JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
>
> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN;
> HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true;
> loginUserName=SomeUser;
>
> lockScreen=false" --data="{"apn":"requestApn","language":"zh_CN"}"
> --ignore-proxy --dbms "MySQL"
>
> -----------------------------------------------------------------------
>
> Log:
>
> [*] starting at 09:36:31
>
>
>
> [09:36:31] [INFO] testing connection to the target URL
>
> [09:36:33] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
>
> [09:36:35] [INFO] target URL is stable
>
> [09:36:35] [CRITICAL] no parameter(s) found for testing in the provided
> data (e.
>
> g. GET parameter 'id' in 'www.site.com/index.php?id=1')
>
>
>
> [*] shutting down at 09:36:35
>
> -----------------------------------------------------------------------
>
>
>
>
>
> Then I saved the post JSON request to file “testURL.txt” and tried
> “sqlmap.py –r d:\testURL.txt ”,
>
> It can perfectly identify JSON parameters:
>
> -----------------------------------------------------------------------
>
> Log:
>
> [*] starting at 09:43:58
>
>
>
> [09:43:58] [INFO] parsing HTTP request from 'd:\testURL.txt'
>
> JSON data found in POST data. Do you want to process it? [Y/n/q] Y
>
> [09:44:06] [INFO] testing connection to the target URL
>
> [09:44:07] [WARNING] the web server responded with an HTTP error code
> (400) which could interfere with the results of the tests
>
> [09:44:07] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
>
> [09:44:08] [INFO] target URL is stable
>
> [09:44:08] [INFO] testing if (custom) POST parameter 'JSON apn' is dynamic
>
> ...
>
> [09:45:01] [INFO] testing if (custom) POST parameter 'JSON language' is
> dynamic
>
> ...
>
> -----------------------------------------------------------------------
>
>
>
> Why it behaved differently?
>
>
>
> For some reason, I can only use “sqlmap.py –u SomeURL --cookie=SomeCookie
> --data=JSON data” to do the test.
>
> Can sqlmap identify JSON post data using the above command?
>
> How do I achieve this?
>
>
>
> Kind regards,
>
> Guo
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
|
|
From: guoyangjuan <guo...@hu...> - 2015-06-12 09:29:39
|
Hi,
I'm using sqlmap/1.0-dev-nongit-20150608 to test the following JSON request that
I extracted from Burp and censored a bit:
----------------------------------------------------------------------
POST /SomeURL/getApns.action HTTP/1.1
Host: IP:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://IP:8443/SomeURL/show_apn_page.jsp?now=Fri%20Jun%2012%202015%2009:34:42%20GMT+0800
Content-Length: 39
Cookie: JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser; lockScreen=false
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"apn":"requestApn","language":"zh_CN"}
----------------------------------------------------------------------
I tried the following command to do the SQL injection test, but it ended up with "no parameter(s) found" message.
-----------------------------------------------------------------------
Command:
sqlmap.py -u "https://SomeURL/getApns.action" --cookie="JSESSIONID=40E3B9CDA12CF88200D301CCC1163F2B; locale=zh_CN;
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh_CN; HttpOnly=true; locked=false; timeNum=1434072883045; timeState=true; loginUserName=SomeUser;
lockScreen=false" --data="{"apn":"requestApn","language":"zh_CN"}" --ignore-proxy --dbms "MySQL"
-----------------------------------------------------------------------
Log:
[*] starting at 09:36:31
[09:36:31] [INFO] testing connection to the target URL
[09:36:33] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:36:35] [INFO] target URL is stable
[09:36:35] [CRITICAL] no parameter(s) found for testing in the provided data (e.
g. GET parameter 'id' in 'www.site.com/index.php?id=1')
[*] shutting down at 09:36:35
-----------------------------------------------------------------------
Then I saved the post JSON request to file "testURL.txt" and tried "sqlmap.py -r d:\testURL.txt ",
It can perfectly identify JSON parameters:
-----------------------------------------------------------------------
Log:
[*] starting at 09:43:58
[09:43:58] [INFO] parsing HTTP request from 'd:\testURL.txt'
JSON data found in POST data. Do you want to process it? [Y/n/q] Y
[09:44:06] [INFO] testing connection to the target URL
[09:44:07] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
[09:44:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:44:08] [INFO] target URL is stable
[09:44:08] [INFO] testing if (custom) POST parameter 'JSON apn' is dynamic
...
[09:45:01] [INFO] testing if (custom) POST parameter 'JSON language' is dynamic
...
-----------------------------------------------------------------------
Why it behaved differently?
For some reason, I can only use "sqlmap.py -u SomeURL --cookie=SomeCookie --data=JSON data" to do the test.
Can sqlmap identify JSON post data using the above command?
How do I achieve this?
Kind regards,
Guo
|
|
From: Miroslav S. <mir...@gm...> - 2015-06-09 06:47:18
|
Sqlmap is treating error messages as any other response. I would say that
you have some other problem.
Bye
On Jun 9, 2015 12:03 AM, "Ailton Caetano" <ail...@gm...> wrote:
> Hello everyone,
>
> i'm doing some tests on a web application api and i decided to test
> sqlmap for the first time. I'm having a problem in the tool's analysis
> because it is treating http error 400 ("bad request") as garbage, but this
> exactly where i get the api database error messages.
>
> Do we have anything to tell sqlmap that the web response should not be
> ignored? I found a parameter telling it to ignore 401 errors but it doesn't
> seem to be what i'm looking for.
>
>
> Kind Regards,
>
> Ailton Caetano
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
|
|
From: Ailton C. <ail...@gm...> - 2015-06-08 22:02:48
|
Hello everyone,
i'm doing some tests on a web application api and i decided to test
sqlmap for the first time. I'm having a problem in the tool's analysis
because it is treating http error 400 ("bad request") as garbage, but this
exactly where i get the api database error messages.
Do we have anything to tell sqlmap that the web response should not be
ignored? I found a parameter telling it to ignore 401 errors but it doesn't
seem to be what i'm looking for.
Kind Regards,
Ailton Caetano
|
|
From: Miroslav S. <mir...@gm...> - 2015-06-05 14:28:24
|
"Or why ist this critical:
[09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap
is going to retry the request"
If something is not "connectable" then sqlmap is in "[CRITICAL]" state
---
"Is there an overview about the different message-states (info, warning,
critcal and so on) and the meaning of them?"
No. I always thought that messages are more or less clear (at least
majority of them)
---
"Why ist the following message a warning:
[09:25:52] [WARNING] GET parameter 'module' is not injectable"
You are being warned that that same parameter that sqlmap tried to
test/exploit it didn't succeed to do so. I am not sure what's the problem
with this one (why are you bothered with this).
---
On Mon, Jun 1, 2015 at 9:20 AM, <gr...@ab...> wrote:
> Hello,
>
> I want to test our written function. So i start testing with the following
> command:
> sqlmap.py -u "
> https://SERVER/index.php?module=upload&func=checkUserForm&c_id=102"
> --banner --auth-type=Basic --auth-cred=name:password
>
> Now I'm wondering about the status of some messages.
>
> Why ist the following message a warning:
> [09:25:52] [WARNING] GET parameter 'module' is not injectable
>
> Or why ist this critical:
> [09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap
> is going to retry the request
>
> Is there an overview about the different message-states (info, warning,
> critcal and so on) and the meaning of them?
>
>
> A short listing of the whole output:
> [09:24:49] [INFO] testing connection to the target URL
> [09:24:51] [INFO] heuristics detected web page charset 'UTF-8'
> [09:24:51] [WARNING] reflective value(s) found and filtering out
> [09:24:51] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
> [09:24:52] [INFO] target URL is stable
> [09:24:52] [INFO] testing if GET parameter 'module' is dynamic
> [09:24:52] [INFO] confirming that GET parameter 'module' is dynamic
> [09:24:53] [WARNING] GET parameter 'module' does not appear dynamic
> [09:24:53] [WARNING] heuristic (basic) test shows that GET parameter
> 'module' might not be injectable
> [09:24:53] [INFO] testing for SQL injection on GET parameter 'module'
> [09:24:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [09:24:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter
> replace'
> [09:24:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING,
> ORDER BY or GROUP BY clause'
> [09:24:58] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
> clause'
> [09:25:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
> WHERE or HAVING clause'
> [09:25:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause
> (XMLType)'
> [09:25:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
> [09:25:03] [INFO] testing 'MySQL inline queries'
> [09:25:03] [INFO] testing 'PostgreSQL inline queries'
> [09:25:04] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
> [09:25:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT -
> comment)'
> [09:25:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
> [09:25:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries
> (comment)'
> [09:25:08] [INFO] testing 'Oracle stacked queries
> (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
> [09:25:10] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
> [09:25:11] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
> [09:25:13] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
> [09:25:14] [INFO] testing 'Oracle AND time-based blind'
> [09:25:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [09:25:16] [WARNING] using unescaped version of the test because of zero
> knowledge of the back-end DBMS. You can try to explicitly set it using
> option
> '--dbms'
> [09:25:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [09:25:52] [WARNING] GET parameter 'module' is not injectable
> [09:25:52] [INFO] testing if GET parameter 'func' is dynamic
> sqlmap got a 302 redirect to 'https://SERVER:443/index.php'. Do you want
> to follow? [Y/n] n
> [09:26:54] [ERROR] detected invalid data for declared content encoding
> 'gzip' ('unpack requires a string argument of length 4')
> [09:26:54] [WARNING] turning off page compression
> [09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap
> is going to retry the request
> [09:26:55] [INFO] confirming that GET parameter 'func' is dynamic
> [09:26:55] [WARNING] GET parameter 'func' does not appear dynamic
> [09:26:55] [WARNING] heuristic (basic) test shows that GET parameter
> 'func' might not be injectable
> ...
>
>
> Thank you,
>
> regards Peter
>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm
|
|
From: <gr...@ab...> - 2015-06-01 07:33:14
|
<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hello,</div> <div> </div> <div>I want to test our written function. So i start testing with the following command:</div> <div>sqlmap.py -u "https://SERVER/index.php?module=upload&func=checkUserForm&c_id=102" --banner --auth-type=Basic --auth-cred=name:password</div> <div> </div> <div>Now I'm wondering about the status of some messages.</div> <div> </div> <div>Why ist the following message a warning:</div> <div>[09:25:52] [WARNING] GET parameter 'module' is not injectable</div> <div> </div> <div>Or why ist this critical:</div> <div>[09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request</div> <div> </div> <div>Is there an overview about the different message-states (info, warning, critcal and so on) and the meaning of them?</div> <div> </div> <div> </div> <div>A short listing of the whole output:</div> <div> <div>[09:24:49] [INFO] testing connection to the target URL</div> <div>[09:24:51] [INFO] heuristics detected web page charset 'UTF-8'</div> <div>[09:24:51] [WARNING] reflective value(s) found and filtering out</div> <div>[09:24:51] [INFO] testing if the target URL is stable. This can take a couple of seconds</div> <div>[09:24:52] [INFO] target URL is stable</div> <div>[09:24:52] [INFO] testing if GET parameter 'module' is dynamic</div> <div>[09:24:52] [INFO] confirming that GET parameter 'module' is dynamic</div> <div>[09:24:53] [WARNING] GET parameter 'module' does not appear dynamic</div> <div>[09:24:53] [WARNING] heuristic (basic) test shows that GET parameter 'module' might not be injectable</div> <div>[09:24:53] [INFO] testing for SQL injection on GET parameter 'module'</div> <div>[09:24:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'</div> <div>[09:24:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'</div> <div>[09:24:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'</div> <div>[09:24:58] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'</div> <div>[09:25:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'</div> <div>[09:25:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'</div> <div>[09:25:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'</div> <div>[09:25:03] [INFO] testing 'MySQL inline queries'</div> <div>[09:25:03] [INFO] testing 'PostgreSQL inline queries'</div> <div>[09:25:04] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'</div> <div>[09:25:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'</div> <div>[09:25:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'</div> <div>[09:25:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'</div> <div>[09:25:08] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'</div> <div>[09:25:10] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'</div> <div>[09:25:11] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'</div> <div>[09:25:13] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'</div> <div>[09:25:14] [INFO] testing 'Oracle AND time-based blind'</div> <div>[09:25:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'</div> <div>[09:25:16] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option</div> <div>'--dbms'</div> <div>[09:25:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'</div> <div>[09:25:52] [WARNING] GET parameter 'module' is not injectable</div> <div>[09:25:52] [INFO] testing if GET parameter 'func' is dynamic</div> <div>sqlmap got a 302 redirect to 'https://SERVER:443/index.php'. Do you want to follow? [Y/n] n</div> <div>[09:26:54] [ERROR] detected invalid data for declared content encoding 'gzip' ('unpack requires a string argument of length 4')</div> <div>[09:26:54] [WARNING] turning off page compression</div> <div>[09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request</div> <div>[09:26:55] [INFO] confirming that GET parameter 'func' is dynamic</div> <div>[09:26:55] [WARNING] GET parameter 'func' does not appear dynamic</div> <div>[09:26:55] [WARNING] heuristic (basic) test shows that GET parameter 'func' might not be injectable</div> <div>...</div> <div> </div> <div> </div> <div>Thank you,</div> <div> </div> <div>regards Peter</div> <div> </div> </div> <div class="signature"> </div></div></body></html> |
|
From: Christopher D. <chr...@ch...> - 2015-05-29 22:09:01
|
I tried that with a custom mark for --data. My point I need to hit is the RemotingMessage AMF object with the data Params of "RemoteUsername=null" and "RemotePassword=null" this triggers the exception by hand. I'm trying to figure out if I can get sqlmap to do this. It's not looking like it. *"1432680462000 onFault ñ9com.chromeriver.exception.CrException: com.cougar.lang.CGException: DB Error: 1452-23000-Cannot add or update a child row: a foreign key constraint fails (`xxxxx_expense`.`tbl_PersonPassword`, CONSTRAINT `FK_tbl_PersonPassword_UK` FOREIGN KEY (`PersonID`) REFERENCES `tbl_Person` (`PersonID`)) at "* I know the shady lady is there .... So close ;) Thanks Guys. Chris. On Fri, May 29, 2015 at 7:01 AM, <sql...@li... > wrote: > Send sqlmap-users mailing list submissions to > sql...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > or, via email, send a message with subject or body 'help' to > sql...@li... > > You can reach the person managing the list at > sql...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of sqlmap-users digest..." > > > Today's Topics: > > 1. AMF sqli injection (Christopher Downs) > 2. Re: AMF sqli injection (Brandon Perry) > 3. Re: AMF sqli injection (Brandon Perry) > 4. Re: AMF sqli injection (Chris Oakley) > 5. Re: AMF sqli injection (Brandon Perry) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 28 May 2015 13:21:51 -0500 > From: Christopher Downs <chr...@ch...> > Subject: [sqlmap-users] AMF sqli injection > To: sql...@li... > Message-ID: > < > CAF...@ma...> > Content-Type: text/plain; charset="utf-8" > > Good afternoon gents, > I am a profession penetration tester and have a rather difficult injection > point for one of my customers. > > I can trigger the exception by pausing traffic with burp and inserting > NULL's into the user | pass via a back end flex call. Is there a way to > take advantage of sqlmap to inject via flex remoting objects ? > > If not I will have to write this myself but I thought I may ask the list > first. > > Thanks. > Sincerely, > Christopher M Downs > > -- > [image: Description: Chrome] > > Chris Downs | System Administrator > > main > > 888.781.0088 > > email > > *chr...@ch... <chr...@ch...>* > > web > > www.chromeriver.com > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 2 > Date: Thu, 28 May 2015 13:59:12 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Christopher Downs <chr...@ch...> > Cc: sqlmap users <sql...@li...> > Message-ID: > < > CAO...@ma...> > Content-Type: text/plain; charset="utf-8" > > Flex is hard because you have to update the integer that tells flex how > long a string is, unless I am mistaken. > > If not, you could try with the * marker to tell sqlmap exactly where the > injection point is. > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > chr...@ch...> wrote: > > > Good afternoon gents, > > I am a profession penetration tester and have a rather difficult > injection > > point for one of my customers. > > > > I can trigger the exception by pausing traffic with burp and inserting > > NULL's into the user | pass via a back end flex call. Is there a way to > > take advantage of sqlmap to inject via flex remoting objects ? > > > > If not I will have to write this myself but I thought I may ask the list > > first. > > > > Thanks. > > Sincerely, > > Christopher M Downs > > > > -- > > [image: Description: Chrome] > > > > Chris Downs | System Administrator > > > > main > > > > 888.781.0088 > > > > email > > > > *chr...@ch... <chr...@ch...>* > > > > web > > > > www.chromeriver.com > > > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 3 > Date: Thu, 28 May 2015 14:17:07 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Christopher Downs <chr...@ch...> > Cc: sqlmap users <sql...@li...> > Message-ID: > <CAOJKFBAH7_-ARCWR= > xWv...@ma...> > Content-Type: text/plain; charset="utf-8" > > FWIW here is an exploit a wrote a long while back that partly abuses a weak > AMF endpoint (xxe, not sqli...). > > > http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html > > However, I distinctly remember having to keep the admin password the same > length as my base AMF request (because I was lazy and didn't feel like > having to update the integer as well). See the change_admin_password > method. I basically base64 encoded the request in order to store the base > request, then decoded it and modified it based on what I wanted to do. > > You could make a few requests with different sized usernames to find the > integer that you will need to manipulate during exploitation. > > On Thu, May 28, 2015 at 1:59 PM, Brandon Perry <bpe...@gm...> > wrote: > > > Flex is hard because you have to update the integer that tells flex how > > long a string is, unless I am mistaken. > > > > If not, you could try with the * marker to tell sqlmap exactly where the > > injection point is. > > > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > > chr...@ch...> wrote: > > > >> Good afternoon gents, > >> I am a profession penetration tester and have a rather difficult > >> injection point for one of my customers. > >> > >> I can trigger the exception by pausing traffic with burp and inserting > >> NULL's into the user | pass via a back end flex call. Is there a way to > >> take advantage of sqlmap to inject via flex remoting objects ? > >> > >> If not I will have to write this myself but I thought I may ask the list > >> first. > >> > >> Thanks. > >> Sincerely, > >> Christopher M Downs > >> > >> -- > >> [image: Description: Chrome] > >> > >> Chris Downs | System Administrator > >> > >> main > >> > >> 888.781.0088 > >> > >> email > >> > >> *chr...@ch... <chr...@ch...>* > >> > >> web > >> > >> www.chromeriver.com > >> > >> > >> > ------------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > > -- > > http://volatile-minds.blogspot.com -- blog > > http://www.volatileminds.net -- website > > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 4 > Date: Thu, 28 May 2015 15:24:36 -0400 > From: Chris Oakley <chr...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Brandon Perry <bpe...@gm...> > Cc: sqlmap users <sql...@li...>, Christopher > Downs <chr...@ch...> > Message-ID: > <CAF6VE= > qRa...@ma...> > Content-Type: text/plain; charset="utf-8" > > "Flex is hard because you have to update the integer that tells flex how > long a string is" > > It might be possible to address this with the --eval option > > On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> wrote: > > > Flex is hard because you have to update the integer that tells flex how > > long a string is, unless I am mistaken. > > > > If not, you could try with the * marker to tell sqlmap exactly where the > > injection point is. > > > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > > chr...@ch...> wrote: > > > >> Good afternoon gents, > >> I am a profession penetration tester and have a rather difficult > >> injection point for one of my customers. > >> > >> I can trigger the exception by pausing traffic with burp and inserting > >> NULL's into the user | pass via a back end flex call. Is there a way to > >> take advantage of sqlmap to inject via flex remoting objects ? > >> > >> If not I will have to write this myself but I thought I may ask the list > >> first. > >> > >> Thanks. > >> Sincerely, > >> Christopher M Downs > >> > >> -- > >> [image: Description: Chrome] > >> > >> Chris Downs | System Administrator > >> > >> main > >> > >> 888.781.0088 > >> > >> email > >> > >> *chr...@ch... <chr...@ch...>* > >> > >> web > >> > >> www.chromeriver.com > >> > >> > >> > ------------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > > -- > > http://volatile-minds.blogspot.com -- blog > > http://www.volatileminds.net -- website > > > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 5 > Date: Thu, 28 May 2015 15:12:57 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Chris Oakley <chr...@gm...> > Cc: sqlmap users <sql...@li...>, Christopher > Downs <chr...@ch...> > Message-ID: > < > CAO...@ma...> > Content-Type: text/plain; charset="utf-8" > > That could work. > > On Thu, May 28, 2015 at 2:24 PM, Chris Oakley < > chr...@gm...> > wrote: > > > "Flex is hard because you have to update the integer that tells flex how > > long a string is" > > > > It might be possible to address this with the --eval option > > > > On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> > wrote: > > > >> Flex is hard because you have to update the integer that tells flex how > >> long a string is, unless I am mistaken. > >> > >> If not, you could try with the * marker to tell sqlmap exactly where the > >> injection point is. > >> > >> On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > >> chr...@ch...> wrote: > >> > >>> Good afternoon gents, > >>> I am a profession penetration tester and have a rather difficult > >>> injection point for one of my customers. > >>> > >>> I can trigger the exception by pausing traffic with burp and inserting > >>> NULL's into the user | pass via a back end flex call. Is there a way to > >>> take advantage of sqlmap to inject via flex remoting objects ? > >>> > >>> If not I will have to write this myself but I thought I may ask the > list > >>> first. > >>> > >>> Thanks. > >>> Sincerely, > >>> Christopher M Downs > >>> > >>> -- > >>> [image: Description: Chrome] > >>> > >>> Chris Downs | System Administrator > >>> > >>> main > >>> > >>> 888.781.0088 > >>> > >>> email > >>> > >>> *chr...@ch... <chr...@ch...>* > >>> > >>> web > >>> > >>> www.chromeriver.com > >>> > >>> > >>> > ------------------------------------------------------------------------------ > >>> > >>> _______________________________________________ > >>> sqlmap-users mailing list > >>> sql...@li... > >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >>> > >>> > >> > >> > >> -- > >> http://volatile-minds.blogspot.com -- blog > >> http://www.volatileminds.net -- website > >> > >> > >> > ------------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > > ------------------------------------------------------------------------------ > > > ------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > End of sqlmap-users Digest, Vol 48, Issue 3 > ******************************************* > -- [image: Description: Chrome] Chris Downs | System Administrator main 888.781.0088 email *chr...@ch... <chr...@ch...>* web www.chromeriver.com |
|
From: Christopher D. <chr...@ch...> - 2015-05-29 21:51:13
|
@Brandon Excellent. Very well done sir... Seeing if maybe I can do something like this. Thanks. Chris. On Fri, May 29, 2015 at 7:01 AM, <sql...@li... > wrote: > Send sqlmap-users mailing list submissions to > sql...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > or, via email, send a message with subject or body 'help' to > sql...@li... > > You can reach the person managing the list at > sql...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of sqlmap-users digest..." > > > Today's Topics: > > 1. AMF sqli injection (Christopher Downs) > 2. Re: AMF sqli injection (Brandon Perry) > 3. Re: AMF sqli injection (Brandon Perry) > 4. Re: AMF sqli injection (Chris Oakley) > 5. Re: AMF sqli injection (Brandon Perry) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 28 May 2015 13:21:51 -0500 > From: Christopher Downs <chr...@ch...> > Subject: [sqlmap-users] AMF sqli injection > To: sql...@li... > Message-ID: > < > CAF...@ma...> > Content-Type: text/plain; charset="utf-8" > > Good afternoon gents, > I am a profession penetration tester and have a rather difficult injection > point for one of my customers. > > I can trigger the exception by pausing traffic with burp and inserting > NULL's into the user | pass via a back end flex call. Is there a way to > take advantage of sqlmap to inject via flex remoting objects ? > > If not I will have to write this myself but I thought I may ask the list > first. > > Thanks. > Sincerely, > Christopher M Downs > > -- > [image: Description: Chrome] > > Chris Downs | System Administrator > > main > > 888.781.0088 > > email > > *chr...@ch... <chr...@ch...>* > > web > > www.chromeriver.com > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 2 > Date: Thu, 28 May 2015 13:59:12 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Christopher Downs <chr...@ch...> > Cc: sqlmap users <sql...@li...> > Message-ID: > < > CAO...@ma...> > Content-Type: text/plain; charset="utf-8" > > Flex is hard because you have to update the integer that tells flex how > long a string is, unless I am mistaken. > > If not, you could try with the * marker to tell sqlmap exactly where the > injection point is. > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > chr...@ch...> wrote: > > > Good afternoon gents, > > I am a profession penetration tester and have a rather difficult > injection > > point for one of my customers. > > > > I can trigger the exception by pausing traffic with burp and inserting > > NULL's into the user | pass via a back end flex call. Is there a way to > > take advantage of sqlmap to inject via flex remoting objects ? > > > > If not I will have to write this myself but I thought I may ask the list > > first. > > > > Thanks. > > Sincerely, > > Christopher M Downs > > > > -- > > [image: Description: Chrome] > > > > Chris Downs | System Administrator > > > > main > > > > 888.781.0088 > > > > email > > > > *chr...@ch... <chr...@ch...>* > > > > web > > > > www.chromeriver.com > > > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 3 > Date: Thu, 28 May 2015 14:17:07 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Christopher Downs <chr...@ch...> > Cc: sqlmap users <sql...@li...> > Message-ID: > <CAOJKFBAH7_-ARCWR= > xWv...@ma...> > Content-Type: text/plain; charset="utf-8" > > FWIW here is an exploit a wrote a long while back that partly abuses a weak > AMF endpoint (xxe, not sqli...). > > > http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html > > However, I distinctly remember having to keep the admin password the same > length as my base AMF request (because I was lazy and didn't feel like > having to update the integer as well). See the change_admin_password > method. I basically base64 encoded the request in order to store the base > request, then decoded it and modified it based on what I wanted to do. > > You could make a few requests with different sized usernames to find the > integer that you will need to manipulate during exploitation. > > On Thu, May 28, 2015 at 1:59 PM, Brandon Perry <bpe...@gm...> > wrote: > > > Flex is hard because you have to update the integer that tells flex how > > long a string is, unless I am mistaken. > > > > If not, you could try with the * marker to tell sqlmap exactly where the > > injection point is. > > > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > > chr...@ch...> wrote: > > > >> Good afternoon gents, > >> I am a profession penetration tester and have a rather difficult > >> injection point for one of my customers. > >> > >> I can trigger the exception by pausing traffic with burp and inserting > >> NULL's into the user | pass via a back end flex call. Is there a way to > >> take advantage of sqlmap to inject via flex remoting objects ? > >> > >> If not I will have to write this myself but I thought I may ask the list > >> first. > >> > >> Thanks. > >> Sincerely, > >> Christopher M Downs > >> > >> -- > >> [image: Description: Chrome] > >> > >> Chris Downs | System Administrator > >> > >> main > >> > >> 888.781.0088 > >> > >> email > >> > >> *chr...@ch... <chr...@ch...>* > >> > >> web > >> > >> www.chromeriver.com > >> > >> > >> > ------------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > > -- > > http://volatile-minds.blogspot.com -- blog > > http://www.volatileminds.net -- website > > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 4 > Date: Thu, 28 May 2015 15:24:36 -0400 > From: Chris Oakley <chr...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Brandon Perry <bpe...@gm...> > Cc: sqlmap users <sql...@li...>, Christopher > Downs <chr...@ch...> > Message-ID: > <CAF6VE= > qRa...@ma...> > Content-Type: text/plain; charset="utf-8" > > "Flex is hard because you have to update the integer that tells flex how > long a string is" > > It might be possible to address this with the --eval option > > On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> wrote: > > > Flex is hard because you have to update the integer that tells flex how > > long a string is, unless I am mistaken. > > > > If not, you could try with the * marker to tell sqlmap exactly where the > > injection point is. > > > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > > chr...@ch...> wrote: > > > >> Good afternoon gents, > >> I am a profession penetration tester and have a rather difficult > >> injection point for one of my customers. > >> > >> I can trigger the exception by pausing traffic with burp and inserting > >> NULL's into the user | pass via a back end flex call. Is there a way to > >> take advantage of sqlmap to inject via flex remoting objects ? > >> > >> If not I will have to write this myself but I thought I may ask the list > >> first. > >> > >> Thanks. > >> Sincerely, > >> Christopher M Downs > >> > >> -- > >> [image: Description: Chrome] > >> > >> Chris Downs | System Administrator > >> > >> main > >> > >> 888.781.0088 > >> > >> email > >> > >> *chr...@ch... <chr...@ch...>* > >> > >> web > >> > >> www.chromeriver.com > >> > >> > >> > ------------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > > -- > > http://volatile-minds.blogspot.com -- blog > > http://www.volatileminds.net -- website > > > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > Message: 5 > Date: Thu, 28 May 2015 15:12:57 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] AMF sqli injection > To: Chris Oakley <chr...@gm...> > Cc: sqlmap users <sql...@li...>, Christopher > Downs <chr...@ch...> > Message-ID: > < > CAO...@ma...> > Content-Type: text/plain; charset="utf-8" > > That could work. > > On Thu, May 28, 2015 at 2:24 PM, Chris Oakley < > chr...@gm...> > wrote: > > > "Flex is hard because you have to update the integer that tells flex how > > long a string is" > > > > It might be possible to address this with the --eval option > > > > On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> > wrote: > > > >> Flex is hard because you have to update the integer that tells flex how > >> long a string is, unless I am mistaken. > >> > >> If not, you could try with the * marker to tell sqlmap exactly where the > >> injection point is. > >> > >> On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > >> chr...@ch...> wrote: > >> > >>> Good afternoon gents, > >>> I am a profession penetration tester and have a rather difficult > >>> injection point for one of my customers. > >>> > >>> I can trigger the exception by pausing traffic with burp and inserting > >>> NULL's into the user | pass via a back end flex call. Is there a way to > >>> take advantage of sqlmap to inject via flex remoting objects ? > >>> > >>> If not I will have to write this myself but I thought I may ask the > list > >>> first. > >>> > >>> Thanks. > >>> Sincerely, > >>> Christopher M Downs > >>> > >>> -- > >>> [image: Description: Chrome] > >>> > >>> Chris Downs | System Administrator > >>> > >>> main > >>> > >>> 888.781.0088 > >>> > >>> email > >>> > >>> *chr...@ch... <chr...@ch...>* > >>> > >>> web > >>> > >>> www.chromeriver.com > >>> > >>> > >>> > ------------------------------------------------------------------------------ > >>> > >>> _______________________________________________ > >>> sqlmap-users mailing list > >>> sql...@li... > >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >>> > >>> > >> > >> > >> -- > >> http://volatile-minds.blogspot.com -- blog > >> http://www.volatileminds.net -- website > >> > >> > >> > ------------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -------------- next part -------------- > An HTML attachment was scrubbed... > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: image003.jpg > Type: image/jpeg > Size: 9090 bytes > Desc: not available > > ------------------------------ > > > ------------------------------------------------------------------------------ > > > ------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > End of sqlmap-users Digest, Vol 48, Issue 3 > ******************************************* > -- [image: Description: Chrome] Chris Downs | System Administrator main 888.781.0088 email *chr...@ch... <chr...@ch...>* web www.chromeriver.com |
|
From: Brandon P. <bpe...@gm...> - 2015-05-28 20:13:06
|
That could work. On Thu, May 28, 2015 at 2:24 PM, Chris Oakley <chr...@gm...> wrote: > "Flex is hard because you have to update the integer that tells flex how > long a string is" > > It might be possible to address this with the --eval option > > On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> wrote: > >> Flex is hard because you have to update the integer that tells flex how >> long a string is, unless I am mistaken. >> >> If not, you could try with the * marker to tell sqlmap exactly where the >> injection point is. >> >> On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < >> chr...@ch...> wrote: >> >>> Good afternoon gents, >>> I am a profession penetration tester and have a rather difficult >>> injection point for one of my customers. >>> >>> I can trigger the exception by pausing traffic with burp and inserting >>> NULL's into the user | pass via a back end flex call. Is there a way to >>> take advantage of sqlmap to inject via flex remoting objects ? >>> >>> If not I will have to write this myself but I thought I may ask the list >>> first. >>> >>> Thanks. >>> Sincerely, >>> Christopher M Downs >>> >>> -- >>> [image: Description: Chrome] >>> >>> Chris Downs | System Administrator >>> >>> main >>> >>> 888.781.0088 >>> >>> email >>> >>> *chr...@ch... <chr...@ch...>* >>> >>> web >>> >>> www.chromeriver.com >>> >>> >>> ------------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >> >> >> -- >> http://volatile-minds.blogspot.com -- blog >> http://www.volatileminds.net -- website >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website |
|
From: Chris O. <chr...@gm...> - 2015-05-28 19:24:44
|
"Flex is hard because you have to update the integer that tells flex how long a string is" It might be possible to address this with the --eval option On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> wrote: > Flex is hard because you have to update the integer that tells flex how > long a string is, unless I am mistaken. > > If not, you could try with the * marker to tell sqlmap exactly where the > injection point is. > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > chr...@ch...> wrote: > >> Good afternoon gents, >> I am a profession penetration tester and have a rather difficult >> injection point for one of my customers. >> >> I can trigger the exception by pausing traffic with burp and inserting >> NULL's into the user | pass via a back end flex call. Is there a way to >> take advantage of sqlmap to inject via flex remoting objects ? >> >> If not I will have to write this myself but I thought I may ask the list >> first. >> >> Thanks. >> Sincerely, >> Christopher M Downs >> >> -- >> [image: Description: Chrome] >> >> Chris Downs | System Administrator >> >> main >> >> 888.781.0088 >> >> email >> >> *chr...@ch... <chr...@ch...>* >> >> web >> >> www.chromeriver.com >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > > > ------------------------------------------------------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
|
From: Brandon P. <bpe...@gm...> - 2015-05-28 19:17:15
|
FWIW here is an exploit a wrote a long while back that partly abuses a weak AMF endpoint (xxe, not sqli...). http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html However, I distinctly remember having to keep the admin password the same length as my base AMF request (because I was lazy and didn't feel like having to update the integer as well). See the change_admin_password method. I basically base64 encoded the request in order to store the base request, then decoded it and modified it based on what I wanted to do. You could make a few requests with different sized usernames to find the integer that you will need to manipulate during exploitation. On Thu, May 28, 2015 at 1:59 PM, Brandon Perry <bpe...@gm...> wrote: > Flex is hard because you have to update the integer that tells flex how > long a string is, unless I am mistaken. > > If not, you could try with the * marker to tell sqlmap exactly where the > injection point is. > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > chr...@ch...> wrote: > >> Good afternoon gents, >> I am a profession penetration tester and have a rather difficult >> injection point for one of my customers. >> >> I can trigger the exception by pausing traffic with burp and inserting >> NULL's into the user | pass via a back end flex call. Is there a way to >> take advantage of sqlmap to inject via flex remoting objects ? >> >> If not I will have to write this myself but I thought I may ask the list >> first. >> >> Thanks. >> Sincerely, >> Christopher M Downs >> >> -- >> [image: Description: Chrome] >> >> Chris Downs | System Administrator >> >> main >> >> 888.781.0088 >> >> email >> >> *chr...@ch... <chr...@ch...>* >> >> web >> >> www.chromeriver.com >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website |
48 messages has been excluded from this view by a project administrator.
