Thread: [sqlmap-users] Parameter "is not dynamic"
From: Roman Medina-H. H. <ro...@rs...> - 2009-01-22 15:44:24
Hello,

I'm trying sqlmap (latest windows exe) against a vulnerable site and I always get sqlmap telling that the parameter is not dynamic (then sqlmap is terminated). Could you explain how this logic (the dynamic test) works?

The page in question is a user/password form, sent via POST method, where only the user parameter (called "txtUsuario") is injectable. I manually checked it and:
- if an arbitrary user is entered, I get a 200 response with "Incorrect user" message.
- if I enter a "'" char, I get a 500 response and an error message from the database :)
- if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get a 200 response, this time with "Incorrect password" (so user test is passed!!!).

Former tests show that it is clearly vulnerable to (blind) SQL injection, but I didn't get it to exploit with sqlmap....

This is what I'm using and the faulty results:

C:\SQLMAP~1.3_E>sqlmap -v 2 -u "https://www.victim.com:443/LoginAction.do" --method POST --data "txtUsuario=a&txtPwd=a&Submit=aceptar" -p "txtUsuario"

sqlmap/0.6.3 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 16:20:16

[16:20:16] [DEBUG] initializing the configuration
[16:20:16] [DEBUG] initializing the knowledge base
[16:20:16] [DEBUG] cleaning up configuration parameters
[16:20:16] [DEBUG] setting the HTTP method to POST
[16:20:16] [DEBUG] creating HTTP requests opener object
[16:20:16] [DEBUG] parsing XML queries file
[16:20:16] [INFO] testing connection to the target url
[16:20:18] [WARNING] the testable parameter 'txtUsuario' you provided is not into the Cookie
[16:20:18] [INFO] testing if the url is stable, wait a few seconds
[16:20:23] [INFO] url is stable
[16:20:23] [INFO] testing if POST parameter 'txtUsuario' is dynamic
[16:20:24] [WARNING] POST parameter 'txtUsuario' is not dynamic

[*] shutting down at: 16:20:24

C:\SQLMAP~1.3_E>

I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=9378&txtPwd=a&Submit=aceptar

I guess the first requests are tests for stability (that's ok), and the last one is for the "dynamic" test. Since both "a" and "9378" values return the same response (code 200, with string "Incorrect user"), it believes the parameter is not dynamic (I guess). But this logic is nonsense: why is sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to disable this "dynamic test"?

I also tried with --string, with no luck. Could you help me, please? Which exact command line would you enter in my scenario?

Thank you.

Cheers,
-Roman
From: Roman Medina-H. H. <ro...@rs...> - 2009-01-28 19:23:05
Please, Bernardo, some comments about this? Thank you.

-r

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-31 00:07:50
Hi Roman,

Roman Medina-Heigl Hernandez wrote:
> ...
> The page in question is a user/password form, sent via POST method, where
> only the user parameter (called "txtUsuario") is injectable. I manually
> checked it and:
> - if an arbitrary user is entered, I get a 200 response with "Incorrect
> user" message.
> - if I enter a "'" char, I get a 500 response and an error message from the
> database :)
> - if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get
> a 200 response, this time with "Incorrect password" (so user test is
> passed!!!).

The comparison and dynamicity test is done based on page content, not on response codes. However, it has been strongly improved for the next release.

> Former tests show that it is clearly vulnerable to (blind) sql injection,
> but I didn't get it to exploit with sqlmap....
> ...

Use the latest version available from the sqlmap subversion repository or wait until I release it as stable in a few days.

> ...
> I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=9378&txtPwd=a&Submit=aceptar
>
> I guess the first requests are tests for stability (that's ok), and the
> last one is for "dynamic"-test. Since both "a" and "9378" values return the
> same response (code 200, with string "Incorrect user"), it believes the
> parameter is not dynamic (I guess). But this logic is non-sense: why is
> sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to
> disable this "dynamic test"?

Try to call sqlmap providing as txtUsuario a valid username rather than 'a'.

By the way, sqlmap does not yet implement automatic login bypasses, but you can do that manually using the latest development version by combining the options --prefix and --postfix.

I went through this topic already on this mailing list, check the online archives.

Regards,

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
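As an added illustration (not code from the thread or from sqlmap itself), the following Python mocks the responses Roman describes and replays the five-request sequence he sniffed, showing why a page-content comparison between "a" and a random integer concludes "not dynamic", and why Bernardo's suggestion of a valid username changes the verdict. The valid account name "admin" and the database error body are assumptions.

```python
import random

VALID_USER = "admin"  # assumed valid account name; the thread never gives one


def mock_login(txt_usuario):
    """Constructed stand-in for LoginAction.do: returns (status, body) keyed on
    the txtUsuario value exactly as Roman reported. No SQL runs here."""
    if txt_usuario == "aaa' or ''='":
        return 200, "Incorrect password"
    if "'" in txt_usuario:
        return 500, "Database error"  # placeholder for the DB error page
    if txt_usuario == VALID_USER:
        return 200, "Incorrect password"
    return 200, "Incorrect user"


def recording(fetch, log):
    """Wrap a fetch function so every txtUsuario value sent is appended to log."""
    def wrapped(value):
        log.append(value)
        return fetch(value)
    return wrapped


def stable_body(fetch, original, rounds=4):
    """Stability test: repeat the original request; return the page body if
    all responses matched, else None."""
    bodies = {fetch(original)[1] for _ in range(rounds)}
    return bodies.pop() if len(bodies) == 1 else None


def is_dynamic(fetch, original_body, probe=None):
    """Dynamicity test as in the 0.6.3 log: one more request with a random
    integer, compared on page content only (status codes are ignored)."""
    if probe is None:
        probe = str(random.randint(1000, 9999))
    return fetch(probe)[1] != original_body


def run_checks(original, probe="9378"):
    """Replay the five-request sequence Roman sniffed and report the verdicts."""
    sent = []
    fetch = recording(mock_login, sent)
    body = stable_body(fetch, original)
    dynamic = body is not None and is_dynamic(fetch, body, probe)
    return {"stable": body is not None, "dynamic": dynamic, "requests": sent}
```

With "a" the heuristic never sends a quote at all, and "Incorrect user" matches for both values, so sqlmap stops; with a valid username the original body differs from the probe's and the parameter is flagged dynamic.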