Thread: [sqlmap-users] AMF sqli injection
From: Christopher D. <chr...@ch...> - 2015-05-28 18:52:24
Good afternoon gents, I am a professional penetration tester and have a rather difficult injection point for one of my customers. I can trigger the exception by pausing traffic with Burp and inserting NULLs into the user | pass via a back end Flex call. Is there a way to take advantage of sqlmap to inject via Flex remoting objects? If not I will have to write this myself, but I thought I may ask the list first. Thanks.

Sincerely,
Christopher M Downs

--
Chris Downs | System Administrator
main 888.781.0088
email chr...@ch...
web www.chromeriver.com
From: Brandon P. <bpe...@gm...> - 2015-05-28 18:59:19
Flex is hard because you have to update the integer that tells Flex how long a string is, unless I am mistaken. If not, you could try with the * marker to tell sqlmap exactly where the injection point is.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2015-05-28 19:17:15
FWIW, here is an exploit I wrote a long while back that partly abuses a weak AMF endpoint (XXE, not SQLi...). http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html However, I distinctly remember having to keep the admin password the same length as my base AMF request (because I was lazy and didn't feel like having to update the integer as well). See the change_admin_password method. I basically base64 encoded the request in order to store the base request, then decoded it and modified it based on what I wanted to do. You could make a few requests with different sized usernames to find the integer that you will need to manipulate during exploitation.
From: Chris O. <chr...@gm...> - 2015-05-28 19:24:44
"Flex is hard because you have to update the integer that tells flex how long a string is"

It might be possible to address this with the --eval option.
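The length prefix Brandon and Chris are discussing, as an added example that is not from this thread or from sqlmap: an AMF0 string is a 0x02 marker, a big-endian 16-bit byte count, then the UTF-8 bytes, so substituting a longer value without rewriting the count leaves a body the server cannot decode. The sample body and the helper names are constructed here; Flex remoting over AMF3 prefixes strings with a variable-length U29 value instead, but the same mismatch problem applies.

```python
import struct

# Constructed sample (not a capture from the thread): two back-to-back AMF0
# strings, user and pass, as a Flex remoting body might carry them.
SAMPLE = (b"\x02" + struct.pack(">H", 5) + b"admin"
          + b"\x02" + struct.pack(">H", 6) + b"secret")


def amf0_string(value: str) -> bytes:
    """Serialise an AMF0 string: marker 0x02, big-endian u16 byte length, UTF-8 data."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("AMF0 short string is limited to 65535 bytes")
    return b"\x02" + struct.pack(">H", len(data)) + data


def decode_amf0_strings(buf: bytes) -> list:
    """Walk back-to-back AMF0 strings, raising if a length prefix does not line up."""
    values, off = [], 0
    while off < len(buf):
        if buf[off] != 0x02:
            raise ValueError(f"unexpected type marker 0x{buf[off]:02x} at offset {off}")
        if off + 3 > len(buf):
            raise ValueError(f"truncated length prefix at offset {off}")
        (length,) = struct.unpack_from(">H", buf, off + 1)
        start, end = off + 3, off + 3 + length
        if end > len(buf):
            raise ValueError(f"string at offset {off} claims {length} bytes, "
                             f"only {len(buf) - start} remain")
        values.append(buf[start:end].decode("utf-8"))
        off = end
    return values


def naive_replace(buf: bytes, old: bytes, new: bytes) -> bytes:
    """Plain byte substitution that leaves the old length prefix in place."""
    return buf.replace(old, new, 1)


def reencode_replace(buf: bytes, index: int, new_value: str) -> bytes:
    """Replace the index-th string and re-serialise so every prefix matches its data.
    (Assumed shape of the fix-up a --eval hook would apply; not sqlmap's own code.)"""
    values = decode_amf0_strings(buf)
    values[index] = new_value
    return b"".join(amf0_string(v) for v in values)
```

Swapping "admin" for a longer value with naive_replace leaves the old count of 5 in place, so the decoder lands on the letter "i" where it expects the next 0x02 marker; reencode_replace rebuilds the prefix and the body parses again.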
From: Brandon P. <bpe...@gm...> - 2015-05-28 20:13:06
That could work.