Thread: [sqlmap-users] Weird payload generated
From: Raphael G. <rap...@gm...> - 2013-10-02 12:29:49
Hi,

sqlmap/1.0-dev-25eca9d

I can't manage to get sqlmap to generate the right payload!

Here is my entry point (dbms = MSSQL). I got this with manual tries in Burp:

param value: (select name from sysusers where udi=-1)
- if the select returns no value => HTTP request returns 200
- otherwise returns 302 to an error page

So:
with param value: (select name from sysusers where udi=-1 or 1=1) => returns error
with param value: (select name from sysusers where udi=-1 or 1=2) => returns 200

I thought I could make sqlmap find a boolean-based blind test with OR statements, so I tried this command:

./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"

Nothing is found, but when I look at the generated payloads, I get:

[PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))

So I always get a number generated before my command. Where am I wrong?

Thanks
From: Miroslav S. <mir...@gm...> - 2013-10-02 20:18:53
Hi.

--prefix is a formation that goes in between *value* and *payload*:

...=*value prefix payload*...

This simply means that you've forgotten about the complete *value* thing in your case.

In your case usage of the custom injection mark (*) is more appropriate:

python sqlmap.py -u "www.target.com/vuln.php?param=(select name from sysusers where udi=-1 *)"

Kind regards,
Miroslav Stampar
http://about.me/stamparm

_______________________________________________
sqlmap-users mailing list
sql...@li...
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: Raphael G. <rap...@gm...> - 2013-10-04 07:27:47
Hi,

Thanks a lot. Yes, with * it's easier than with prefix/suffix.

... but I'm not sure I was clear enough, because my problem is still there :)

Here is my request:

POST target_url
...

param=&other_param=...

If param
- is empty,
- or contains a number,
- or contains a select sub-statement that returns a number
=> returns 200 with other info

If param
- contains a string,
- or contains a select sub-statement that returns a string
=> returns 302 to an error page

So using the * I still get some strange payloads, for example:

[PAYLOAD] -9402 OR (9544=9561)

I think it comes from the <where>2</where> in the payloads.xml file (for OR boolean-based blind), because if I add a test case with <where>1</where> then the generated payload seems OK (and then the blind injection is detected).

I also have a second problem. When the response is 302, the error message is contained in the Location header (and also in the body as an HREF), as very often with ASP (but if I follow the redirection, the next page doesn't contain the message) => so it's not detected because it is URL-encoded (especially the "+" character).

I can work around this by using a proxy and modifying the response before it returns to sqlmap, but it would be more convenient to do that in sqlmap. Is there a way? (For example an option similar to tamper, to call a function on the response before it is processed by sqlmap.)

Thanks again
Raphael
From: Miroslav S. <mir...@gm...> - 2013-10-04 09:09:56
On Fri, Oct 4, 2013 at 9:27 AM, Raphael GONZALEZ <rap...@gm...> wrote:

> So using the * I still get some strange payloads, for example:
> [PAYLOAD] -9402 OR (9544=9561)
>
> I think it comes from the <where>2</where> in the payloads.xml file (for
> OR boolean-based blind), because if I add a test case with <where>1</where>
> then the generated payload seems OK (and then the blind injection is detected).

The point of the whole OR payload is to generate an "invalid/negative/non-original" response and to combine it with an inference (... OR A=B). That <where>2</where> is there on purpose -> to generate invalid/negative values in case of OR payloads.

> I also have a second problem. When the response is 302, the error message
> is contained in the Location header (and also in the body as an HREF), as
> very often with ASP (but if I follow the redirection, the next page doesn't
> contain the message)

Have you tried without following the 302? sqlmap asks you politely "do you want to follow".

> => so it's not detected because it is URL-encoded (especially the "+" character).
>
> I can work around this by using a proxy and modifying the response before
> it returns to sqlmap, but it would be more convenient to do that in sqlmap.
> Is there a way? (For example an option similar to tamper, to call a
> function on the response before it is processed by sqlmap.)

In cases like this, when the case seems to be specific, we encourage users to modify sqlmap to suit their needs and/or (also) use other tools.

> Thanks again
> Raphael

Bye

--
Miroslav Stampar
http://about.me/stamparm
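The composition rule Miroslav describes (value, then --prefix, then the test payload, then --suffix) together with the <where> handling Raphael found in payloads.xml, as an added illustration that is not part of the thread and not sqlmap's own code. It assumes the WHERE constants of sqlmap's lib/core/enums.py, fixes the random negative number to the -9402 seen in Raphael's logs, and uses the empty original value from his POST request.

```python
# Simplified model of how sqlmap builds the final parameter value for one
# boolean-based test. Written for this thread; it is not sqlmap's own code.
# The random negative integer is pinned to -9402 so the output is reproducible.

# <where> semantics (assumed to mirror sqlmap's lib/core/enums.py WHERE class)
WHERE_ORIGINAL = 1   # keep the original value and append the payload to it
WHERE_NEGATIVE = 2   # replace the original value with a negative random integer
WHERE_REPLACE = 3    # replace the original value with an empty string


def compose(value, payload, where, prefix="", suffix="", negative=-9402):
    """Return the parameter value sent for one test: base + prefix + payload + suffix."""
    if where == WHERE_ORIGINAL:
        base = value
    elif where == WHERE_NEGATIVE:
        base = str(negative)
    elif where == WHERE_REPLACE:
        base = ""
    else:
        raise ValueError("unknown <where> value: %r" % where)
    return "%s%s%s%s" % (base, prefix, payload, suffix)


def thread_payloads():
    """Reproduce the two payloads discussed in the thread for an empty original value."""
    prefix = "(select name from sysusers where udi=-1 "   # Raphael's --prefix
    suffix = ")"                                          # Raphael's --suffix
    payload = "OR (9544=9561)"                            # false branch of the OR test
    return {
        # <where>2</where>: the -9402 lands before the prefix, as in the log line
        "where2": compose("", payload, WHERE_NEGATIVE, prefix, suffix),
        # <where>1</where>: the empty value is kept, giving the payload Raphael wanted
        "where1": compose("", payload, WHERE_ORIGINAL, prefix, suffix),
    }


if __name__ == "__main__":
    for name, sent in thread_payloads().items():
        print("%s: %s" % (name, sent))
```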