Thread: Re: [sqlmap-users] bug - Host header missing port number
From: Miroslav S. <mir...@gm...> - 2011-06-21 20:48:48
Hi David.

It should be "patched" with the latest commit.

Thing is that some web servers don't act well with the Host:port scheme, hence the behavior you've noticed. This is prone to change and we are open to suggestions.

kr

On Tue, Jun 21, 2011 at 10:39 PM, David Rhoades <dav...@ma...> wrote:
> I'm using sqlmap/1.0-dev (r4149).
> The HTTP Host header is missing the port number when the target is on a
> non-standard port, such as http://target:8080.
>
> Here is an example targeting OWASP's Insecure Web App
> (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project).
>
> $ ./sqlmap.py --url
> "http://localhost:8080/insecure/public/Login.jsp?login=cjones&pass=chris"
> --cookie "JSESSIONID=8A4000EFEEA92B193D8DF284F6D22777" --dbs -v 6
>
> ===
> [16:29:53] [TRAFFIC OUT] HTTP request [#1]:
> GET /insecure/public/Login.jsp?login=cjones&pass=chris HTTP/1.1
> Accept-Encoding: identity
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: localhost
> Accept-language: en-us,en;q=0.5
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Cookie: JSESSIONID=8A4000EFEEA92B193D8DF284F6D22788
> User-agent: sqlmap/1.0-dev (r4149) (http://sqlmap.sourceforge.net)
> Connection: close
> ===
>
> That request goes to the correct place on port 8080 (a sniffer or MITM proxy
> shows this to be the case) but the Host header only says, "Host: localhost"
> rather than "Host: localhost:8080". In this case the web server
> (Apache-Coyote/1.1) is using the Host header to form the Location header in
> the reply to HTTP 302 redirect the user to another page after successfully
> logging in. Because the Host header is missing the port the Location header
> mistakenly says the host is localhost rather than localhost:8080, so sqlmap
> attempts to follow that link which is the wrong site (wrong port anyway).
>
> ===
> HTTP/1.1 302 Moved Temporarily
> Set-Cookie: JSESSIONID=71B3FFFCA9EC2F65A998D3E555864109; Path=/insecure
> Location: http://localhost/insecure/secure/index.jsp
> Content-Type: text/html;charset=ISO-8859-1
> Content-Length: 0
> Date: Tue, 21 Jun 2011 16:21:57 GMT
> Server: Apache-Coyote/1.1
> Connection: close
> ===
>
> I also see the same behavior when using sqlmap against Hacme Casino
> (http://sourceforge.net/scm/?type=cvs&group_id=143089) which uses Mongrel
> 1.1.5 as its server. Hacme Casino is on port 3000.
>
> This is probably not a big deal in the real world because it's not clear if
> any other servers reference the Host header when making Location headers.
> Also, most people are probably targeting standard ports (80 and 443). But
> still, it would be great to get this fixed so we can continue to use sqlmap
> in our training labs (we have targets on non-standard ports).
>
> <semi-shameless plug>
> If you would like to see this behavior for yourself check out the Web
> Security Dojo since it has sqlmap, InsecureWebApp, and Hacme Casino
> pre-installed (along with other goodies). http://dojo.mavensecurity.com
> I only mention that to aid in debugging sqlmap. :)
> </semi-shameless plug>
>
> -----------------------------------------------------<><
> David Rhoades
> Maven Security Consulting Inc (www.MavenSecurity.com)
> Current Timezone: GMT-4 (Wilmington, DE)
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-06-21 20:57:28
p.s.

With the last update (r4153) only runs against non-80 ports will result in the :port scheme (which is conformant to http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

This should be the best way to solve this issue.

Thank you for your report.

kr

On Tue, Jun 21, 2011 at 10:48 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi David.
>
> It should be "patched" with the latest commit.
>
> Thing is that some web servers don't act well with the Host:port scheme,
> hence the behavior you've noticed. This is prone to change and we are
> open to suggestions.
>
> kr
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Steven P. <ste...@gm...> - 2011-06-22 02:27:56
Miroslav Stampar wrote:
> p.s.
>
> With the last update (r4153) only runs against non-80 ports will result in
> the :port scheme (which is conformant to
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).
>
> This should be the best way to solve this issue.
>
> Thank you for your report.
>
> kr

Note that port 443 is also optional for https URLs.

Don't have any knowledge of whether the optional use of :443 causes problems in the real world or not.

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-06-22 09:07:21
Hi Steven.

Find it "patched" with the last commit.

kr

On Wed, Jun 22, 2011 at 4:27 AM, Steven Pinkham <ste...@gm...> wrote:
> Miroslav Stampar wrote:
>> p.s.
>>
>> With the last update (r4153) only runs against non-80 ports will result in
>> the :port scheme (which is conformant to
>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).
>>
>> This should be the best way to solve this issue.
>>
>> Thank you for your report.
>>
>> kr
>
> Note that port 443 is also optional for https URLs.
>
> Don't have any knowledge of whether the optional use of :443 causes
> problems in the real world or not.
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
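The thread settles on the RFC 2616 rule: the port is appended to Host only when it differs from the scheme default (80 for http, 443 for https). The following is an added example written for this thread, not sqlmap's own code, showing that rule on both sides of the exchange in the report: a client building the Host header from a target URL, and a server-side check that a received Host header actually names the listener before it is echoed into a Location header (the function names and the check itself are my own construction).

```python
"""Host header handling per RFC 2616 sec. 14.23, as discussed in the thread.

Added example, not sqlmap's own code: host_header() builds the client-side
value, host_matches() is the server-side check a redirect-building server
such as the one in the report would want before trusting Host.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(url):
    """Return the Host header value for url.

    http://target:8080/ -> "target:8080"; http://target/ and
    http://target:80/ -> "target"; https://target:443/ -> "target".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    host = parts.hostname
    if ":" in host:  # IPv6 literal keeps its brackets in the header
        host = "[%s]" % host
    port = parts.port  # None when the URL carries no explicit port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return host
    return "%s:%d" % (host, port)


def host_matches(header_value, scheme, expected_host, expected_port):
    """Does a received Host header name this server (host and port)?

    Normalises the optional default port first, so "localhost" and
    "localhost:80" both match an http listener on 80 while "localhost"
    does not match one on 8080.  A server that derives Location from
    Host should refuse values failing this check rather than echo them.
    """
    if header_value.startswith("["):  # bracketed IPv6 literal
        host, _, rest = header_value[1:].partition("]")
        port_str = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port_str = header_value.partition(":")
    try:
        port = int(port_str) if port_str else DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric port: treat as not matching
        return False
    return host.lower() == expected_host.lower() and port == expected_port
```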