sqlmap-users

[sqlmap-users] Weird behavior with injection in cookie value

[Dennis <kor...@ya...>]

Hi guys,

I'm experiencing a weird behavior when injecting into a cookie value.

The cookie in the request looks like this (yes the spaces are intentional):
Cookie: foocookie=asd     ,rrr-123   ,tzu-345

The injection is possible after the rrr-123 and before the first space.
Neat and straight-forward boolean based blind. Something like
Cookie: foocookie=asd     ,rrr-123' and 34=34 and 'qe'='qe   ,tzu-345
or
Cookie: foocookie=asd     ,rrr-123' and 34+2=36 and 'qe'='qe   ,tzu-345
gets the job done.

First problem: It seems I cannot define custom injection points (*) in
cookies. I fixed this by using a request file and terminating the cookie
string after rrr-123 and adding the rest of the cookie value as
--suffix="   ,tzu-345". Works fine.

Second problem: sqlmap thinks it finds the boolean based injection, then
wildly tries to union inject. This fails and the boolean based injection
is discarded as false positive.

Checking the payloads in burp, it seems that sqlmap does the following
checks:
Cookie: foocookie=asd     ,rrr-123' and 3456=3456   ,tzu-345
Cookie: foocookie=asd     ,rrr-123') and 5678=5678   ,tzu-345
Cookie: foocookie=asd     ,rrr-123')) and 1234=1234   ,tzu-345
and so on but never tries the obvious (and correct)
Cookie: foocookie=asd     ,rrr-123' and 'qwer'='qwer   ,tzu-345

With higher level it then goes on with boolean based (comment), etc.
Comparing the payloads, they don't seem to differ from the normal
boolean based payloads. I think there might be a bug?

Cheers
Dennis

Re: [sqlmap-users] Weird behavior with injection in cookie value

[Miroslav S. <mir...@gm...>]

Hi Dennis.

1) Custom injection marker (*) is not yet supported inside cookie values
2) I believe that you really want to use --suffix="and 'qwer'='qwer
,tzu-345" instead of --suffix="   ,tzu-345"

Kind regards,
Miroslav Stampar

On Wed, Nov 14, 2012 at 6:33 PM, Dennis <kor...@ya...> wrote:

> Hi guys,
>
> I'm experiencing a weird behavior when injecting into a cookie value.
>
> The cookie in the request looks like this (yes the spaces are intentional):
> Cookie: foocookie=asd     ,rrr-123   ,tzu-345
>
> The injection is possible after the rrr-123 and before the first space.
> Neat and straight-forward boolean based blind. Something like
> Cookie: foocookie=asd     ,rrr-123' and 34=34 and 'qe'='qe   ,tzu-345
> or
> Cookie: foocookie=asd     ,rrr-123' and 34+2=36 and 'qe'='qe   ,tzu-345
> gets the job done.
>
> First problem: It seems I cannot define custom injection points (*) in
> cookies. I fixed this by using a request file and terminating the cookie
> string after rrr-123 and adding the rest of the cookie value as
> --suffix="   ,tzu-345". Works fine.
>
> Second problem: sqlmap thinks it finds the boolean based injection, then
> wildly tries to union inject. This fails and the boolean based injection
> is discarded as false positive.
>
> Checking the payloads in burp, it seems that sqlmap does the following
> checks:
> Cookie: foocookie=asd     ,rrr-123' and 3456=3456   ,tzu-345
> Cookie: foocookie=asd     ,rrr-123') and 5678=5678   ,tzu-345
> Cookie: foocookie=asd     ,rrr-123')) and 1234=1234   ,tzu-345
> and so on but never tries the obvious (and correct)
> Cookie: foocookie=asd     ,rrr-123' and 'qwer'='qwer   ,tzu-345
>
> With higher level it then goes on with boolean based (comment), etc.
> Comparing the payloads, they don't seem to differ from the normal
> boolean based payloads. I think there might be a bug?
>
> Cheers
> Dennis
>
>
> ------------------------------------------------------------------------------
> Monitor your physical, virtual and cloud infrastructure from a single
> web console. Get in-depth insight into apps, servers, databases, vmware,
> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> Pricing starts from $795 for 25 servers or applications!
> http://p.sf.net/sfu/zoho_dev2dev_nov
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm