never mind the last message.

this is a particular case and i'll try to deal with it.

thing is that the returned page for AND 1=1 was really too similar to
the original (match ratio 0.973) and together with comparison against
the response of 1=0 it triggered a FALSE positive.

kr

On Wed, Apr 20, 2011 at 3:24 PM, Miroslav Stampar
<miroslav.stam...@gmail.com> wrote:
> hi all.
>
> here we have a pretty "interesting" problem. ahmed sent me privately
> the url and it really seems like a FALSE positive.
>
> but this one is pretty annoying and not so obvious to solve.
>
> thing is that the tested "search" parameter with payload "bla AND 1=1"
> displays totally different results than "bla AND 1=0". by totally i
> mean totally, as the majority of people, and our engine, really would
> say that it's affected, while it's not.
>
> the question goes like this. what would you suggest for dealing
> (automatically) with this kind of situation? it's a normal case when
> really the tested parameter is some kind of query string and for
> different payloads it acts like it's really affected while it's not.
>
> one case of FALSE positive from this one is:
> ---
> Place: GET
> Parameter: q
>    Type: boolean-based blind
>    Title: AND boolean-based blind - WHERE or HAVING clause
>    Payload: q=Something AND 8602=8602
> ---
>
> to be more ironic, things like --string and/or --regexp wouldn't help
> as they would also FAIL :) and call it a POSITIVE.
>
> kr
>
> On Wed, Apr 20, 2011 at 1:48 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>> this is a false positive for sure, because of one reason:
>> in one run MySQL is detected while in the second it's Postgres.
>>
>> you can disclose the URL itself to me so i could test it myself and
>> find out what's going on or you can just forget about it (as it's
>> false positive).
>>
>> kr
>>
>> On Wed, Apr 20, 2011 at 1:44 PM, Ahmed Shawky <ah...@isecur1ty.org> wrote:
>>> after using these flags sqlmap is unable to retrieve the number of
>>> databases.
>>> sqlmap identified the following injection points with a total of 111 HTTP(s)
>>> requests:
>>> ---
>>> Place: GET
>>> Parameter: q
>>>     Type: boolean-based blind
>>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>>     Payload: q=Open addressing) AND 4293=4293
>>> ---
>>> [13:40:09] [INFO] testing PostgreSQL
>>> [13:40:10] [INFO] confirming PostgreSQL
>>> [13:40:11] [INFO] the back-end DBMS is PostgreSQL
>>> web server operating system: Windows 2008
>>> web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
>>> back-end DBMS: PostgreSQL
>>> [13:40:11] [INFO] fetching database names
>>> [13:40:11] [INFO] fetching number of databases
>>> [13:40:11] [INFO] retrieved:
>>> [13:40:18] [ERROR] unable to retrieve the number of databases
>>> [13:40:18] [INFO] falling back to current database
>>> [13:40:18] [INFO] fetching current database
>>> [13:40:18] [INFO] retrieved:
>>> [13:40:55] [CRITICAL] unable to retrieve the database names
>>>
>>> On Wed, Apr 20, 2011 at 10:41 AM, Miroslav Stampar
>>> <miroslav.stam...@gmail.com> wrote:
>>>>
>>>> hi Ahmed.
>>>>
>>>> could you please retry with --flush-session and --text-only and report
>>>> back?
>>>>
>>>> kr
>>>>
>>>> On Wed, Apr 20, 2011 at 7:06 AM, Ahmed Shawky <ah...@isecur1ty.org> wrote:
>>>> > sqlmap displays the output in a strange way, something like
>>>> > available databases [1]:
>>>> > [*] ][[[][A[]][][][[][]B! [[[[QCR Q]C
>>>> > the used flags are -t log.log --level 3 --risk 3 --dbs
>>>> > info:
>>>> > Place: GET
>>>> > Parameter: q
>>>> >     Type: boolean-based blind
>>>> >     Title: AND boolean-based blind - WHERE or HAVING clause
>>>> >     Payload: q=Open addressing) AND 6448=6448
>>>> > ---
>>>> > [05:46:53] [INFO] the back-end DBMS is MySQL
>>>> > web server operating system: Windows 2008
>>>> > web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
>>>> > back-end DBMS: MySQL 5
>>>> > --
>>>> >
>>>> > Ahmed Shawky El-Antry
>>>> > Pen-tester, Programmer and System administrator
>>>> > lnxg33k owner "http://lnxg33k.wordpress.com"
>>>> > Isecur1ty team member "http://www.isecur1ty.org"
>>>> > Twitter @lnxg33k
>>>> >
>>>> >
>>>> > ------------------------------------------------------------------------------
>>>> > Benefiting from Server Virtualization: Beyond Initial Workload
>>>> > Consolidation -- Increasing the use of server virtualization is a top
>>>> > priority.Virtualization can reduce costs, simplify management, and
>>>> > improve
>>>> > application availability and disaster protection. Learn more about
>>>> > boosting
>>>> > the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
>>>> > _______________________________________________
>>>> > sqlmap-users mailing list
>>>> > sqlmap-users@lists.sourceforge.net
>>>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail: miroslav.stampar (at) gmail.com
>>>> PGP Key ID: 0xB5397B1B
>>>
>>>
>>>
>>> --
>>>
>>> Ahmed Shawky El-Antry
>>> Pen-tester, Programmer and System administrator
>>> lnxg33k owner "http://lnxg33k.wordpress.com"
>>> Isecur1ty team member "http://www.isecur1ty.org"
>>> Twitter @lnxg33k
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail: miroslav.stampar (at) gmail.com
>> PGP Key ID: 0xB5397B1B
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
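The comparison problem discussed in this thread (a "search" parameter whose result list tracks the literal payload text, so "AND 1=1" looks like the original page while "AND 1=0" looks different) can be reproduced with difflib match ratios. The following is an added example, not sqlmap's code: the threshold, the page template and all sample responses are constructed, and the guard it adds (several independent TRUE/FALSE pairs whose FALSE pages must all agree with each other) is one way to tell a real boolean-dependent page from a search box.

```python
"""Boolean-blind page comparison with a consistency guard (added example, not
sqlmap's code; threshold, template and pages are constructed for illustration)."""
from difflib import SequenceMatcher
import re

MATCH_THRESHOLD = 0.98  # constructed; the thread quotes 0.973 as already "too similar"
FILLER = ("Site navigation Home Products Support Contact Terms of service "
          "Privacy policy Copyright notice All rights reserved ") * 3
ORIG_ITEMS = ["Open addressing", "Hash tables", "Linear probing", "Cuckoo hashing"]
NO_RESULTS = ["No matching entries were found, please refine your search terms"]

def render(query_echo, items):
    """Constructed response: static template, echoed query, result list."""
    lis = "".join(f"<li>{i}</li>" for i in items)
    return (f"<html><body><p>{FILLER}</p><p>Results for: {query_echo}</p>"
            f"<ul>{lis}</ul><p>{FILLER}</p></body></html>")

def ratio(a, b):
    """difflib match ratio of the tag-stripped bodies (cf. --text-only)."""
    strip = lambda h: re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", h)).strip()
    return SequenceMatcher(None, strip(a), strip(b), autojunk=False).ratio()

def naive_verdict(original, true_page, false_page):
    """TRUE payload keeps the page, FALSE payload changes it -> 'injectable'."""
    return (ratio(original, true_page) >= MATCH_THRESHOLD
            and ratio(original, false_page) < MATCH_THRESHOLD)

def guarded_verdict(original, true_pages, false_pages):
    """Same rule over several independent pairs, plus a guard: all FALSE pages must
    agree with each other.  A search box whose hits track the payload text fails it."""
    if not all(naive_verdict(original, t, f) for t, f in zip(true_pages, false_pages)):
        return False
    return all(ratio(false_pages[0], f) >= MATCH_THRESHOLD for f in false_pages[1:])

def demo():
    """(naive, guarded) verdicts for a truly injectable app and for a search box."""
    q = "Something"
    # Injectable app: results depend only on the truth value of the condition.
    inj = render(q, ORIG_ITEMS)
    inj_true = [render(f"{q} AND 1=1", ORIG_ITEMS), render(f"{q} AND 8602=8602", ORIG_ITEMS)]
    inj_false = [render(f"{q} AND 1=0", NO_RESULTS), render(f"{q} AND 8602=8603", NO_RESULTS)]
    # Search box: "AND 1=1" barely changes the hit list, while "AND 1=0" and
    # "AND 8602=8603" each pull in unrelated hits (constructed to mirror the thread).
    srch = render(q, ORIG_ITEMS)
    srch_true = [render(f"{q} AND 1=1", ORIG_ITEMS), render(f"{q} AND 8602=8602", ORIG_ITEMS)]
    srch_false = [render(f"{q} AND 1=0", ["Zero-based indexing", "Null handling", "Offset 0 pagination"]),
                  render(f"{q} AND 8602=8603", ["Order number 8603 lookup", "Ticket 8603 status"])]
    return {"injectable": (naive_verdict(inj, inj_true[0], inj_false[0]), guarded_verdict(inj, inj_true, inj_false)),
            "search": (naive_verdict(srch, srch_true[0], srch_false[0]), guarded_verdict(srch, srch_true, srch_false))}
```

If the search backend returned the same "no results" page for every FALSE payload, this guard alone would not fire, so it complements rather than replaces other consistency signals. The thread already shows one such signal: the DBMS fingerprint flipping between MySQL and PostgreSQL across runs of the same target is itself evidence of a false positive.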
