hi.

with the last commit (3761) false positives tests are implemented
(small Turing like arithmetic tests).

this means that now there should be far fewer problems like this
reported by Ahmed.

kr

On Thu, Apr 21, 2011 at 11:19 AM, Miroslav Stampar
<miroslav.stam...@gmail.com> wrote:
> hi all.
>
> to deal with this kind of situations (FALSE positives) we've agreed
> internally to run a confirmation phase right after detection phase
> for:
> A) when only blind injection is detected (like in Ahmed's case,
> especially pain in the ass are search engine queries)
> B) when only time and/or stacked injection is detected
>
> as these two cases are really prone to FALSE positives we'll
> incorporate a few more checks at the end just to be sure.
>
> if you have some other suggestions please do.
>
> kr
>
> On Wed, Apr 20, 2011 at 3:50 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>> nevermind the last message.
>>
>> this is a particular case and i'll try to deal with it.
>>
>> thing is that the returned page for AND 1=1 was really too similar to
>> the original (match ratio 0.973) and together with comparison against
>> response of 1=0 it triggered FALSE positive.
>>
>> kr
>>
>> On Wed, Apr 20, 2011 at 3:24 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>> hi all.
>>>
>>> here we have a pretty "interesting" problem. ahmed sent me privately
>>> the url and it really seems like a FALSE positive.
>>>
>>> but this one is pretty annoying and not so obvious to solve.
>>>
>>> thing is that the tested "search" parameter with payload "bla AND 1=1"
>>> displays totally different results than "bla AND 1=0". by totally i
>>> mean totally as major number of people, and our engine, really would
>>> say that it's affected, while it's not.
>>>
>>> the question goes like this. what would you suggest how to deal
>>> (automatically) with this kind of situations? it's a normal case when
>>> really the tested parameter is some kind of query string and for
>>> different payloads it acts like it's really affected while it's not.
>>>
>>> one case of FALSE positive from this one is:
>>> ---
>>> Place: GET
>>> Parameter: q
>>>    Type: boolean-based blind
>>>    Title: AND boolean-based blind - WHERE or HAVING clause
>>>    Payload: q=Something AND 8602=8602
>>> ---
>>>
>>> to be more ironic, things like --string and/or --regexp wouldn't help
>>> as they would also FAIL :) and call it a POSITIVE.
>>>
>>> kr
>>>
>>> On Wed, Apr 20, 2011 at 1:48 PM, Miroslav Stampar
>>> <miroslav.stam...@gmail.com> wrote:
>>>> this is a false positive for sure, because of one reason:
>>>> in one run it's MySQL detected while in second it's Postgres.
>>>>
>>>> you can disclose the URL itself to me so i could test it myself and
>>>> find out what's going on or you can just forget about it (as it's
>>>> false positive).
>>>>
>>>> kr
>>>>
>>>> On Wed, Apr 20, 2011 at 1:44 PM, Ahmed Shawky <ah...@isecur1ty.org> wrote:
>>>>> after using these flags sqlmap is unable to retrieve the number of
>>>>> databases
>>>>> sqlmap identified the following injection points with a total of 111 HTTP(s) requests:
>>>>> ---
>>>>> Place: GET
>>>>> Parameter: q
>>>>>     Type: boolean-based blind
>>>>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>>>>     Payload: q=Open addressing) AND 4293=4293
>>>>> ---
>>>>> [13:40:09] [INFO] testing PostgreSQL
>>>>> [13:40:10] [INFO] confirming PostgreSQL
>>>>> [13:40:11] [INFO] the back-end DBMS is PostgreSQL
>>>>> web server operating system: Windows 2008
>>>>> web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
>>>>> back-end DBMS: PostgreSQL
>>>>> [13:40:11] [INFO] fetching database names
>>>>> [13:40:11] [INFO] fetching number of databases
>>>>> [13:40:11] [INFO] retrieved:
>>>>> [13:40:18] [ERROR] unable to retrieve the number of databases
>>>>> [13:40:18] [INFO] falling back to current database
>>>>> [13:40:18] [INFO] fetching current database
>>>>> [13:40:18] [INFO] retrieved:
>>>>> [13:40:55] [CRITICAL] unable to retrieve the database names
>>>>>
>>>>> On Wed, Apr 20, 2011 at 10:41 AM, Miroslav Stampar
>>>>> <miroslav.stam...@gmail.com> wrote:
>>>>>>
>>>>>> hi Ahmed.
>>>>>>
>>>>>> could you please retry with --flush-session and --text-only and report
>>>>>> back?
>>>>>>
>>>>>> kr
>>>>>>
>>>>>> On Wed, Apr 20, 2011 at 7:06 AM, Ahmed Shawky <ah...@isecur1ty.org> 
>>>>>> wrote:
>>>>>> > sqlmap displays the output in a strange way, something like
>>>>>> > available databases [1]:
>>>>>> > [*] ][[[][A[]][][][[][]B! [[[[QCR Q]C
>>>>>> > the used flags are -t log.log --level 3 --risk 3 --dbs
>>>>>> > info:
>>>>>> > Place: GET
>>>>>> > Parameter: q
>>>>>> >     Type: boolean-based blind
>>>>>> >     Title: AND boolean-based blind - WHERE or HAVING clause
>>>>>> >     Payload: q=Open addressing) AND 6448=6448
>>>>>> > ---
>>>>>> > [05:46:53] [INFO] the back-end DBMS is MySQL
>>>>>> > web server operating system: Windows 2008
>>>>>> > web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
>>>>>> > back-end DBMS: MySQL 5
>>>>>> > --
>>>>>> >
>>>>>> > Ahmed Shawky El-Antry
>>>>>> > Pen-tester, Programmer and System administrator
>>>>>> > lnxg33k owner "http://lnxg33k.wordpress.com"
>>>>>> > Isecur1ty team member "http://www.isecur1ty.org"
>>>>>> > Twitter @lnxg33k
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > sqlmap-users mailing list
>>>>>> > sqlmap-users@lists.sourceforge.net
>>>>>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>> >
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>>
>>>>>> E-mail: miroslav.stampar (at) gmail.com
>>>>>> PGP Key ID: 0xB5397B1B



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
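As an added illustration (my code, not sqlmap's) of the search-engine false positive in this thread and of the confirmation phase Miroslav proposes: `search_site`, `oracle_site` and the document list are constructed stand-ins, and the 0.98 threshold and the exact confirmation rule are my assumptions, not sqlmap's own values.

```python
import difflib
import random
import re

# Constructed document set; the numbers in the titles are what makes a plain
# keyword search react to "1=1" and "1=0" differently without any SQL involved.
DOCS = ["Open addressing, chapter 1", "Closed vs open addressing, chapter 1",
        "Linear probing, part 2", "Cuckoo hashing notes"]
STOPWORDS = {"and", "or"}

def tokens(text):
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t and t not in STOPWORDS]

def search_site(q):
    """Hypothetical non-injectable search: every query token must occur in a document."""
    want = tokens(q)
    hits = [d for d in DOCS if all(t in tokens(d) for t in want)]
    return "<ul>" + "".join(f"<li>{h}</li>" for h in hits) + "</ul>" if hits else "<p>no results</p>"

def oracle_site(q):
    """Hypothetical endpoint that really evaluates a trailing 'AND a=b' as a boolean."""
    m = re.fullmatch(r"(.*?) AND (\d+)=(\d+)", q)
    if not m:
        return search_site(q)
    return search_site(m.group(1)) if m.group(2) == m.group(3) else "<p>no results</p>"

def ratio(a, b):
    """Page similarity, the difflib ratio sqlmap's page comparison is built on."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def detection_phase(fetch, value, threshold=0.98):
    """Naive boolean-blind check: 'AND 1=1' page ~ original, 'AND 1=0' page differs."""
    orig = fetch(value)
    return (ratio(orig, fetch(value + " AND 1=1")) >= threshold
            and ratio(orig, fetch(value + " AND 1=0")) < threshold)

def confirmation_phase(fetch, value, rounds=3, threshold=0.98):
    """Arithmetic re-check (assumed rule): several random true conditions must all
    reproduce the original page, and the false ones must all agree with each other."""
    rng = random.Random(1)  # seeded only so the demo is reproducible
    orig = fetch(value)
    trues, falses = [], []
    for _ in range(rounds):
        n = rng.randint(1000, 9999)
        trues.append(fetch(f"{value} AND {n}={n}"))
        falses.append(fetch(f"{value} AND {n}={n + 1}"))
    return (all(ratio(orig, p) >= threshold for p in trues)
            and all(ratio(orig, p) < threshold for p in falses)
            and all(ratio(falses[0], p) >= threshold for p in falses[1:]))
```

Running `detection_phase` and `confirmation_phase` against both sites with the value "Open addressing" shows the keyword search passing detection but failing confirmation, while the oracle passes both.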
