Thread: [sqlmap-users] Determining blind UNION-able injections with SLEEP
From: Brandon P. <bpe...@gm...> - 2015-09-11 18:43:24
I have had this idea for a while, and I finally came across an injection that this was useful for me.

Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.

However, a payload of:

blah=foo"+union+select+null,null,null,null,sleep(5)--%20

does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.

This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time based payloads did work as well).

This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.

Thoughts?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
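The temporal signature described in this message (a delay that only appears when the UNION column count is balanced) is also what a defender can look for in web server logs. The following is an added example, not code from the thread or from sqlmap: it parses a constructed nginx-style access log with per-request timings, derives a baseline from requests carrying no UNION/SLEEP payload, and separates attempts whose SLEEP never executed from requests where the delay confirms the column count was balanced. The log format, field order and the 0.8 tolerance factor are assumptions.

```python
import re
import statistics
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (not from the thread): client, request line,
# status, and server-measured request time in seconds (nginx $request_time).
SAMPLE_LOG = """\
10.0.0.5 "GET /item?blah=foo" 200 0.042
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,null,sleep(5)--%20" 500 0.039
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,null,null,sleep(5)--%20" 200 5.061
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,null,null,null,sleep(5)--%20" 500 0.044
10.0.0.9 "GET /search?q=sleep" 200 0.051
"""

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) ([\d.]+)$')
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.I)

def parse_line(line):
    """Return (client, decoded query string, status, request_time) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, _method, target, status, rtime = m.groups()
    query = unquote_plus(urlsplit(target).query)   # '+' and %xx decoded
    return client, query, int(status), float(rtime)

def classify(query, rtime, baseline, tolerance=0.8):
    """None (benign), 'union-sleep-attempt' (payload present, no delay: the
    UNION was rejected) or 'union-sleep-confirmed' (delay matches the SLEEP)."""
    sleep = SLEEP_RE.search(query)
    if not (UNION_RE.search(query) and sleep):
        return None
    requested = float(sleep.group(1))
    if rtime - baseline >= tolerance * requested:
        return 'union-sleep-confirmed'
    return 'union-sleep-attempt'

def analyze(log_text):
    """Baseline = median time of requests without a UNION/SLEEP payload; returns [(line_no, client, verdict)]."""
    entries = [(i, e) for i, l in enumerate(log_text.splitlines(), 1) if (e := parse_line(l))]
    clean = [e[3] for _, e in entries
             if not (UNION_RE.search(e[1]) and SLEEP_RE.search(e[1]))]
    baseline = statistics.median(clean) if clean else 0.0
    return [(i, c, v) for i, (c, q, _s, t) in entries
            if (v := classify(q, t, baseline))]
```

Run against a real log, the confirmed verdict is the high-priority alert: it tells you the UNION actually executed, so the same injection point can carry payloads beyond SLEEP.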
From: Johnathon D. <hoo...@gm...> - 2015-09-14 01:30:37
Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind...

Is the sleep function being used within or as a vulnerable column value in your example or is it merely appended to the union injection and before the suffix/delimiter value (unsure because example has a comma before the sleep(5) call)?

Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T does it work to identify the time based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?

On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bpe...@gm...> wrote:
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: Brandon P. <bpe...@gm...> - 2015-09-14 01:35:12
> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hoo...@gm...> wrote:
>
> Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind...
>
> Is the sleep function being used within or as a vulnerable column value in your example or is it merely appended to the union injection and before the suffix/delimiter value (unsure because example has a comma before the sleep(5) call)?

The sleep can be used in any of the columns, it only works when the columns have been balanced on both sides of the UNION. This way, sqlmap could have one extra injection point to support attempting to write a file with.

> Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T does it work to identify the time based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?

This was by hand.
From: Brandon P. <bpe...@gm...> - 2015-09-14 01:37:20
> On Sep 13, 2015, at 8:35 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hoo...@gm...> wrote:
>>
>> Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T does it work to identify the time based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?
>
> This was by hand.

Oh, I should have read the question more clearly. I didn't try this, but then sqlmap wouldn't realize it is a union then.
From: Miroslav S. <mir...@gm...> - 2015-09-15 11:54:48
Hi.

A) As I see this "hybrid", you are proposing it as a way to do the "UNION" based file write (INTO DUMPFILE).

B) Incorporating this "hybrid" technique into the standard tests would be uberkill (from my perspective). I have a feeling that at least the "time-based" injection would be detected in these kinds of cases, so making the "UNION" tests carry the SLEEP would just detect the same thing (but with usage of UNION technique), but with more requests.

So, to go back to A): sqlmap already tries to use the "INTO OUTFILE ... LINES TERMINATED" in non-UNION cases. Making post-detection tests for number of columns is doable in the "file-write" phase, but I am not convinced that it would do more good than the number of requests required (as ORDER BY is expected to be unusable, we would need to pick the number of columns incrementally).

Thoughts?

Kind regards

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2015-09-15 13:46:45
On Tue, Sep 15, 2015 at 6:54 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> A) As I see this "hybrid", you are proposing it as a way to do the "UNION" based file write (INTO DUMPFILE).
>
> B) Incorporating this "hybrid" technique into the standard tests would be uberkill (from my perspective). I have a feeling that at least the "time-based" injection would be detected in these kinds of cases, so making the "UNION" tests carry the SLEEP would just detect the same thing (but with usage of UNION technique), but with more requests.

You are correct, the other time based payloads were detected correctly.

> So, to go back to A): sqlmap already tries to use the "INTO OUTFILE ... LINES TERMINATED" in non-UNION cases. Making post-detection tests for number of columns is doable in the "file-write" phase, but I am not convinced that it would do more good than the number of requests required (as ORDER BY is expected to be unusable, we would need to pick the number of columns incrementally).

I didn't realise sqlmap would try this, I thought it required a UNION-based detection before trying. I can play around with this.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website