Thread: [sqlmap-users] An incorrectly identified "tainted" parameter
From: Bob S. <bo...@si...> - 2011-12-10 14:23:04
I received this message:

[23:28:33] [CRITICAL] you have provided tainted parameter values (ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to do a valid run.

Here is a portion of the POSTed data that surrounds this parameter.

fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N

The parameters were captured directly using burpsuite while I was running the UI. I was performing no injection testing when this was captured. I looked for each of the listed parameters in the posted data and they do not appear. (Note there are more parameters but I would rather send those privately if possible.)

I am running a recent svn extract of the dev stream (1.0).

Thanks
Bob
From: Brandon P. <bpe...@gm...> - 2011-12-10 18:58:04
Can you replace the (-) with %2d, its hexadecimal representation?

On Sat, Dec 10, 2011 at 8:22 AM, Bob Simonoff <bo...@si...> wrote:
> [quoted message as above]
>
> ------------------------------------------------------------------------------
> Learn Windows Azure Live! Tuesday, Dec 13, 2011
> Microsoft is holding a special Learn Windows Azure training event for
> developers. It will provide a great way to learn Windows Azure and what it
> provides. You can attend the event by watching it streamed LIVE online.
> Learn more at http://p.sf.net/sfu/ms-windowsazure
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2011-12-11 08:37:44
Hi.

Thing is that in general negative parameter values are a leftover from manual injection attempts, causing problems in some cases. Hence the warning/error message.

Have you tried just changing that -1 value to 1 for the ShowMenu parameter?

Kind regards

On Dec 10, 2011 3:23 PM, "Bob Simonoff" <bo...@si...> wrote:
> [quoted message as above]
From: Bob S. <bo...@si...> - 2011-12-11 13:35:27
The developer uses -1 to say no menu should be shown; other values have specific meanings. The suggestion to use %2d for the - sign seems to have worked. I just found another such case for the _ character as part of a parameter name.

I am a little surprised that it is assumed more likely that a person captured the requests while doing manual injection testing than that the application uses - and _ symbols in their application. I guess using them is a bit of a security measure :-)

SQLMap sure is a great tool and amazingly thorough. I am also pretty impressed with the documentation; it is well written and covers most of what a beginner would want to know. I appreciate it.

Thanks!
Bob

----- Original Message -----
From: Miroslav Stampar
To: Bob Simonoff
Cc: sql...@li...
Sent: Sunday, December 11, 2011 3:37 AM
Subject: Re: [sqlmap-users] An incorrectly identified "tainted" parameter

[quoted message as above]
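The exchange above boils down to one mechanism: the tool's sanity check runs on the raw, still-URL-encoded request body, while the server decodes that body before it ever sees the value, so `-1` and `%2d1` are the same value to the application but different strings to a pre-decoding heuristic. The Python below is an added illustration of that, not sqlmap's own code; the `looks_tainted` heuristic is an assumption modelled only on the wording of the warning quoted in the thread, and the sample body is the fragment Bob posted.

```python
"""
Illustrates why a raw-body heuristic flags ncmb%26ShowMenu=-1 while the
%2d-encoded form passes, even though the server decodes both to "-1".
The heuristic is a guess modelled on the sqlmap warning text, NOT sqlmap's code.
"""
from urllib.parse import parse_qsl

# Constructed sample: the POST fragment quoted in the thread.
RAW_BODY = "fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N"

# Characters the warning message lists as typical manual-test leftovers.
INJECTION_LEFTOVERS = set(";()'")


def split_raw(body):
    """Split a URL-encoded body into (raw_name, raw_value) pairs WITHOUT decoding.
    Splitting on '&' is safe here because a literal '&' inside a name or value
    must already be encoded as %26 (as it is in the sample)."""
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        name, _sep, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def looks_tainted(raw_value):
    """Assumed heuristic: flag leftover injection characters, or a value that is
    a signed integer (the thread's '-1' case). Operates on the RAW string."""
    if any(ch in INJECTION_LEFTOVERS for ch in raw_value):
        return True
    unsigned = raw_value.lstrip("-+")
    if unsigned != raw_value and unsigned.isdigit():
        return True
    return False


def flagged_parameters(body):
    """Raw parameter names whose raw value trips the heuristic."""
    return [name for name, value in split_raw(body) if looks_tainted(value)]


def encode_hyphens(body):
    """Brandon's workaround: rewrite '-' in each raw value as %2d."""
    return "&".join(f"{name}={value.replace('-', '%2d')}"
                    for name, value in split_raw(body))


def decoded(body):
    """What the application sees: names and values after URL decoding.
    keep_blank_values keeps the empty fhdn%26= style fields."""
    return dict(parse_qsl(body, keep_blank_values=True))


def workaround_is_transparent(body):
    """True when encoding the hyphen changes nothing server-side."""
    return decoded(body) == decoded(encode_hyphens(body))


if __name__ == "__main__":
    print("raw body flags:      ", flagged_parameters(RAW_BODY))
    fixed = encode_hyphens(RAW_BODY)
    print("encoded body:        ", fixed)
    print("encoded body flags:  ", flagged_parameters(fixed))
    print("server sees the same:", workaround_is_transparent(RAW_BODY))
```

Run as-is, the raw body flags `ncmb%26ShowMenu`, the rewritten body flags nothing, and both decode to the identical parameter map with `ShowMenu` equal to `-1`. The practical lesson for anyone feeding captured traffic to a scanner is that the check is textual, so an encoding that is semantically neutral to the server is the cheapest way to keep legitimate negative values without changing what the application receives.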