sqlmap-users

[sqlmap-users] Small bug in detecting time-based injection under MySQL

[Krzysztof K. <kko...@gm...>]

Hi!

I'm using SVN version of sqlmap ( r988 ).
MYSQL: Server version: 5.0.67-0ubuntu6 (Ubuntu)


When doing --time-test on a known-to-be vulnerable mysql setup the software
cannot detect it to be affected by injection:


[01:39:19] [INFO] testing time based blind sql injection on parameter 'id'
with AND condition syntax
[01:39:19] [INFO] detecting back-end DBMS version from its banner
[01:39:19] [INFO] read from file
'/home/koto/Private/dev/sqlmap/output/localhost/session': 5.0.67
[01:39:19] [TRAFFIC OUT] HTTP request:
GET
/~koto/sqlinjection/index.php?id=1%20AND%20SELECT%20SLEEP%285%29%20AND%208530=8530
HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: localhost
Accept-language: en-us,en;q=0.5
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.8-rc2 (http://sqlmap.sourceforge.net)
Connection: close

[01:39:19] [WARNING] the parameter 'id' is not affected by a time based
blind sql injection with AND condition syntax

The problem is with the query used to detect injection. In the application
I'm using:

SELECT * FROM table WHERE id = {$_GET['id']}

which results in the following injected query:

SELECT * FROM  table WHERE id = 1 AND SELECT SLEEP(5) AND 8530=8530

This is invalid in mysql (at least in my version), you should use:
SELECT * FROM  table WHERE id = 1 AND SLEEP(5) AND 8530=8530

If I change relevant query in <timedelay> element from queries.xml to
"SLEEP(%d)", sqlmap correctly detects time-based blind sql injection.
However I suppose that the same query is used later on in stacked query
fallback in timebased.py, and this one needs "SELECT",
so the logic of this test should be changed.

-- 
Cheers,
Krzysztof Kotowicz

Re: [sqlmap-users] Small bug in detecting time-based injection under MySQL

[Bernardo D. A. G. <ber...@gm...>]

Hi Krzysztof,

Fixed and commited.
Thanks for reporting.

Cheers,
Bernardo


On Tue, Dec 29, 2009 at 01:15, Krzysztof Kotowicz <kko...@gm...> wrote:
> Hi!
>
> I'm using SVN version of sqlmap ( r988 ).
> MYSQL: Server version: 5.0.67-0ubuntu6 (Ubuntu)
>
>
> When doing --time-test on a known-to-be vulnerable mysql setup the software
> cannot detect it to be affected by injection:
>
>
> [01:39:19] [INFO] testing time based blind sql injection on parameter 'id'
> with AND condition syntax
> [01:39:19] [INFO] detecting back-end DBMS version from its banner
> [01:39:19] [INFO] read from file
> '/home/koto/Private/dev/sqlmap/output/localhost/session': 5.0.67
> [01:39:19] [TRAFFIC OUT] HTTP request:
> GET
> /~koto/sqlinjection/index.php?id=1%20AND%20SELECT%20SLEEP%285%29%20AND%208530=8530
> HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: localhost
> Accept-language: en-us,en;q=0.5
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.8-rc2 (http://sqlmap.sourceforge.net)
> Connection: close
>
> [01:39:19] [WARNING] the parameter 'id' is not affected by a time based
> blind sql injection with AND condition syntax
>
> The problem is with the query used to detect injection. In the application
> I'm using:
>
> SELECT * FROM table WHERE id = {$_GET['id']}
>
> which results in the following injected query:
>
> SELECT * FROM  table WHERE id = 1 AND SELECT SLEEP(5) AND 8530=8530
>
> This is invalid in mysql (at least in my version), you should use:
> SELECT * FROM  table WHERE id = 1 AND SLEEP(5) AND 8530=8530
>
> If I change relevant query in <timedelay> element from queries.xml to
> "SLEEP(%d)", sqlmap correctly detects time-based blind sql injection.
> However I suppose that the same query is used later on in stacked query
> fallback in timebased.py, and this one needs "SELECT",
> so the logic of this test should be changed.
>
> --
> Cheers,
> Krzysztof Kotowicz

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F