Thread: [sqlmap-users] Sqlmap missing a get param?
From: Chris O. <chr...@gm...> - 2011-02-04 16:27:36
Hi all

I've just issued the following command using the latest revision of sqlmap .9:

    C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://x.x.x.x/index.php?route=product/manufacturer&manufacturer_id=1&sort=pd.name&order=DESC&page=18&script1296664523519=12345" --text-only --proxy "http://127.0.0.1:8085" --level=5 --risk=3 --flush-session

Partial output from this command is as follows:

    [16:22:21] [INFO] flushing session file
    [16:22:21] [INFO] testing connection to the target url
    [16:22:21] [INFO] testing if the url is stable, wait a few seconds
    [16:22:23] [INFO] url is stable
    [16:22:23] [INFO] testing if GET parameter 'sort' is dynamic
    [16:22:24] [WARNING] GET parameter 'sort' is not dynamic
    [16:22:24] [WARNING] heuristic test shows that GET parameter 'sort' might not be injectable
    [16:22:24] [INFO] testing sql injection on GET parameter 'sort'

The parameter I'm specifically looking at as potentially injectable is "manufacturer_id" but sqlmap starts at 'sort' and then moves through to the end of the param list, then ends, totally bypassing the first parameter.

For testing purposes if you install a clean version of the latest open cart, you should be able to replicate this.

Regards

Chris
From: Miroslav S. <mir...@gm...> - 2011-02-04 17:46:11
Hi Chris.

well, it starts with sort, and goes to the end, but the manufacturer_id is indeed being tested:

    ...
    [18:42:57] [INFO] confirming that GET parameter 'manufacturer_id' is dynamic
    [18:42:57] [INFO] GET parameter 'manufacturer_id' is dynamic
    ...

problematic part is that we use python dictionary to store parameters, potentially screwing their order of appearance. we can check out what can be done.

in the meantime you can force checking of manufacturer_id by issuing:

    -p manufacturer_id

kr

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-04 18:07:00
Hi again.

Please update to the latest revision to have this "updated".

From now (r3225) we are storing dictionary keys in the order of appearance (OrderedDict principle).

That means that if you have URL like ?rss=1&back=2&out=3&index=0 their testing order will be the same as their order of appearance (rss, back, out and index at the end).

kr
From: Pieter de B. <pi...@th...> - 2011-02-04 19:52:16
On 02/04/11 19:06, Miroslav Stampar wrote:
> From now (r3225) we are storing dictionary keys in the order of
> appearance (OrderedDict principle).
>
> That means that if you have URL like ?rss=1&back=2&out=3&index=0 their
> testing order will be the same as their order of appearance (rss,
> back, out and index at the end).

Hm, how does it handle URLs with the same parameter more than once? While perhaps a bit odd, I have seen such URLs in practice.

--
Pieter
From: Miroslav S. <mir...@gm...> - 2011-02-04 19:38:05
well, as said, it's a dictionary. that means that it doesn't play well with such "abominations" :)

are you certain that one parameter value is not "overwritten" by the other at the server's side? in server side programming (PHP, ASP) i don't know how to handle such requests out of the box.

could you please post some examples just to experiment?

kr
From: Miroslav S. <mir...@gm...> - 2011-02-04 19:45:36
well, i am 99% sure that one parameter value is just overwritten by the other. in that case it doesn't matter if sqlmap handles parameters as dictionary.

prove me wrong Pieter with some example :)

i like people that prove me wrong (Steve was one of those with that newly found mssql server query delay payload)

kr
From: Steve P. <ste...@gm...> - 2011-02-04 21:09:33
On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
> well, i am 99% sure that one parameter value is just overwritten by
> the other. in that case it doesn't matter if sqlmap handles parameters
> as dictionary.
>
> prove me wrong Pieter with some example :)

It's been called HTTP parameter pollution, and different server software responds differently. When faced with multiple inputs, some take the first, some take the last, and some auto-magically turn it into an array or concatenate them with a comma.

Sometimes the software will use the first parameter, but the WAF might only sanitise the last, or vice versa.

Here was some of the first research into the phenomenon:

http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
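An added illustration (not code from this thread or from sqlmap) of the two points raised above: storing query parameters in a plain dict loses both their order of appearance and any repeated name, and for a repeated name the back-end's policy (first, last, comma-join, array) decides which value is actually used. The query string is constructed from the idA/idB/idC example URI used in this thread, with the "*" marker removed.

```python
from urllib.parse import parse_qsl

# Constructed sample, modelled on the URI quoted in the thread (the
# "*" injection marker removed): parameter idA appears twice.
SAMPLE_QS = "idA=1&idB=2&idA=3&idC=1"


def parse_query(qs):
    """Order-preserving parse that keeps every (name, value) pair,
    duplicates included. A plain dict cannot represent this."""
    return parse_qsl(qs.lstrip("?"), keep_blank_values=True)


def as_plain_dict(qs):
    """What storing parameters in a dict does: the later value of a
    repeated name silently overwrites the earlier one."""
    return dict(parse_query(qs))


def parameter_order(qs):
    """Parameter names in order of first appearance, which is the
    testing order r3225 restored with its OrderedDict approach."""
    return list(dict.fromkeys(name for name, _ in parse_query(qs)))


def duplicate_parameters(qs):
    """Names that occur more than once: the precondition for HTTP
    parameter pollution. A scanner or WAF should flag these rather
    than pick one value and move on."""
    counts = {}
    for name, _ in parse_query(qs):
        counts[name] = counts.get(name, 0) + 1
    return [name for name, n in counts.items() if n > 1]


def resolve(qs, name, policy):
    """Model the back-end behaviours Steve lists: take the first value,
    take the last, join with a comma, or keep all values as an array.
    The same request yields a different value under each policy, which
    is why a filter and an application that disagree on the policy can
    end up checking different strings."""
    values = [v for k, v in parse_query(qs) if k == name]
    if not values:
        return None
    policies = {
        "first": lambda vs: vs[0],
        "last": lambda vs: vs[-1],
        "concat": lambda vs: ",".join(vs),
        "array": lambda vs: list(vs),
    }
    return policies[policy](values)


if __name__ == "__main__":
    print("order:      ", parameter_order(SAMPLE_QS))
    print("duplicates: ", duplicate_parameters(SAMPLE_QS))
    print("dict view:  ", as_plain_dict(SAMPLE_QS))
    for policy in ("first", "last", "concat", "array"):
        print(f"{policy:<7}-> {resolve(SAMPLE_QS, 'idA', policy)!r}")
```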
From: Pieter de B. <pi...@th...> - 2011-02-04 22:37:22
On 02/04/11 20:37, Miroslav Stampar wrote:
> are you certain that one parameter value is not "overwritten" by the
> other at the servers side. in server side programming (PHP, ASP) i
> don't know how to handle such requests out of box.
>
> could you please post some examples just to experiment?

Unfortunately I don't have examples, but I've seen such cases 'in the wild'. It can be used for selecting multiple items from a list, for example. It really depends on how the application, language or framework handles the parameters, as Steve mailed earlier.

It may not be very useful to implement as it's rarely used for useful purposes, but if it's not a problem to replace the dict with a list, I suggest considering doing so.

Regards,
Pieter
From: Miroslav S. <mir...@gm...> - 2011-02-05 08:23:31
Hi again.

I was giving it a thought and the final for now is no. This would break the concept of sqlmap a lot.

We are identifying injection points by parameter names (also considering the place where it's located - e.g. GET/id).

In case where we would "modify" sqlmap to accept these "cases" we would need not just to replace dictionary with list, but to change the whole data model. At this moment we have more priority stuff to do.

Three things I would suggest so you could make a scan "compliant" to sqlmap are:

1) either use URI injection mark * to tell sqlmap where to look for injection (e.g. ./sqlmap.py -u "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1")
or
2) concatenate/adjust the URI yourself manually - so, if you see that there are two idA parameters try to manually play around and see what web servers do with those - try to concatenate and/or delete the first one
or
3) be realistic. there are lots of "junk" URIs in the wild that can be "beautified" by yourself - e.g. ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test

kr
From: Miroslav S. <mir...@gm...> - 2011-02-05 08:33:15
as said, Steve is the man :)

this was a really interesting article i must say. also, you've proved to me that some web server applications really concatenate those parameters.

for the time being, as said in the last message related to this topic, we'll leave everything as it is.

kr
From: Chris O. <chr...@gm...> - 2011-02-05 10:21:53
Hi all

Thanks for the input, really fast as always :)

Very interesting reading on multiple instances of the same parameter; not that I've really seen it "in the wild" but I had assumed that the server would just take the last value of it and overwrite the old - obviously that's not always the case!

Chris
From: Steve P. <ste...@gm...> - 2011-02-05 16:51:35
On 02/05/2011 03:23 AM, Miroslav Stampar wrote:
> I was giving it a thought and the final for now is no. This would
> break the concept of sqlmap a lot.
>
> We are identifying injection points by parameter names (also
> considering the place where it's located - e.g. GET/id).
>
> In case where we would "modify" sqlmap to accept these "cases" we
> would need not just replace dictionary with list, but to change the
> whole data model. This moment we have more priority stuff to do.

I would agree. The only thing I've really found HTTP Parameter Pollution useful for so far is XSS filtering workarounds, both for the IE 8 client side filter and WAF type tech. I can't think of too many places where it would be directly useful for SQL injection. Definitely a corner case for that application probably is best handled by a human brain.

The problem with web security in general is the amount of corner cases is huge, and most tools don't even do a good job of hitting the easy cases yet. Sqlmap is definitely ahead of the curve for SQL injection tools.

Speaking of which, have you given sqlmap a try on WAVSEP yet? I've used it a bit for XSS tool vetting and development the past few weeks (and am adding some more test cases), but haven't looked at it for SQL injection yet.

http://code.google.com/p/wavsep/
From: Miroslav S. <mir...@gm...> - 2011-02-05 16:57:46
hi Steve.

we have been contacted by an author of wavsep, as he wasn't able to run sqlmap against it. he'll rerun the test when 0.9 stable goes out.

well, I won't tell you the results (of our own run), to not curse them :). you'll see them in time.

kr