Thread: [sqlmap-users] Suffix bug and redirect handling
From: David T. <dav...@gm...> - 2011-05-23 15:17:31
Hi all,

I am new to the list, so can I first say a massive thank you to everybody that has contributed to the development of this tool; it is awesome.

I have come across a couple of issues with the current version of the tool.

First, trailing whitespace seems to be stripped from the end of --suffix parameters. I have a blind injection point that requires " -- " as a terminator. If I give the tool --suffix " -- ", this gets turned into "%20--" in the injection, which doesn't work since the trailing space is missing. I've worked around this by appending some extra non-space characters (--suffix " -- xx"), which works, but shouldn't be necessary.

And second, I don't quite understand how the redirect handling works. The same blind injection point I mention above is on a login page. If I don't try to inject, or if the injection equates to false, I get an HTTP 200 return code, with a "login failed" message. If the injection equates to true, the application 302's me to another page.

I get the message "sqlmap got a 302 redirect to...", asking me if I want to re-target. In this instance, I don't want to choose a new target. I know the bsql vuln exists; I just want to use sqlmap to leverage it. However, if I hit enter to select the default (keep same target), sqlmap doesn't detect the injection point.

I have also tried providing a --string parameter, but this doesn't affect the result.

Could we please have some way to blindly follow redirects, and compare the eventual result page to that retrieved for other injections?

Thanks again,
Dave
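The scenario Dave describes, seen from the server's side: an added example (not code from the thread or from sqlmap) that scans constructed access-log lines for login requests whose decoded parameter values carry a " -- " comment terminator and reports clients that drew both outcomes, a 302 when the injected condition is true and a 200 "login failed" page when it is false. The login path /login.php, the combined log format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache/nginx "combined" style (not real logs).
# They model the thread's scenario: a login page that answers 302 when the
# injected condition is true and 200 ("login failed") when it is false.
# The " -- " terminator arrives URL-encoded as %20--%20.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2011:15:10:01 +0000] "GET /login.php?user=alice&pass=x HTTP/1.1" 200 1834
203.0.113.7 - - [23/May/2011:15:10:02 +0000] "GET /login.php?user=alice%27%20AND%201%3D1%20--%20&pass=x HTTP/1.1" 302 0
203.0.113.7 - - [23/May/2011:15:10:03 +0000] "GET /login.php?user=alice%27%20AND%201%3D2%20--%20&pass=x HTTP/1.1" 200 1834
203.0.113.7 - - [23/May/2011:15:10:04 +0000] "GET /login.php?user=alice%27%20AND%201%3D1%20--%20xx&pass=x HTTP/1.1" 302 0
198.51.100.2 - - [23/May/2011:15:11:00 +0000] "GET /login.php?user=bob&pass=y HTTP/1.1" 302 0
198.51.100.2 - - [23/May/2011:15:11:30 +0000] "GET /search.php?q=well--known HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A SQL line comment used as a terminator: "--" preceded by whitespace or the
# start of the value and followed by whitespace or the end of the value.
# This also catches the " -- xx" workaround mentioned in the thread.
TERMINATOR_RE = re.compile(r"(?:^|\s)--(?:\s|$)")


def has_comment_terminator(target):
    """True if any decoded query-string value of the request target contains a SQL comment terminator."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return any(TERMINATOR_RE.search(value) for _, value in pairs)


def find_blind_probes(log_text, login_path="/login.php", min_probes=2):
    """Report clients that sent at least min_probes terminator-bearing requests to
    the login page and saw both a 302 and a 200 for them: the true/false
    oscillation a boolean-based blind injection relies on."""
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != login_path:
            continue  # unparseable line or a different endpoint
        if has_comment_terminator(m["target"]):
            per_ip[m["ip"]]["probes"] += 1
            per_ip[m["ip"]]["statuses"].add(int(m["status"]))
    return {
        ip: {"probes": rec["probes"], "statuses": sorted(rec["statuses"])}
        for ip, rec in per_ip.items()
        if rec["probes"] >= min_probes and {200, 302} <= rec["statuses"]
    }
```

Run against the sample, only 203.0.113.7 is reported: three terminator-bearing login requests that drew both a 200 and a 302, while the ordinary successful login from 198.51.100.2 and the harmless "well--known" search term are ignored.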
From: Miroslav S. <mir...@gm...> - 2011-05-23 16:23:50
hi David.

we'll deal with both issues shortly (today or tomorrow) and keep you posted.

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-05-23 19:59:48
hi David.

that suffix thingy should be fixed with the latest commit. please retry and report back.

about that 302. well, generally it works, but still, maybe it needs a little glancing up. it would be great if you could provide some more information (privately).

kr
From: Miroslav S. <mir...@gm...> - 2011-05-23 20:15:26
hi David.

basically, you are right.

default behavior should be to follow up the redirection.

the real problem is that it wasn't a default thingy in "sqlmap got a 302 redirect to" and we all know that people just like to press Enter when running sqlmap and we like to make "dummy click-click yeaa" users :)

will do some changes

kr
From: Miroslav S. <mir...@gm...> - 2011-05-23 23:17:44
hi David, again.

could you please retry with the latest revision and report back. we've done some changes which could improve the behaviour.

kr