Hi.

I believe that in your case that "appears to be" caused a little
misguidance. With the latest commit that message should be restrained to
1 appearance per target, so there won't be such a large number of those.

"Appears to be" is just a friendly log message. Be sure that sqlmap checks
that "appears to be" is really a chance for injecting.

I would say that you should skip this target because of one strong reason:
- you've received "appears to be" for different boundaries (prefix/suffix
combinations), which is impossible for a positively injectable target

Kind regards

On Wed, Dec 14, 2011 at 4:51 PM, Chris Oakley
<christopher.oak...@gmail.com> wrote:

> Hi All
>
> I'm having problems with an injection that I think is real.
>
> It's a standard POST request with one of the parameters of the data sent
> being vulnerable.  This all happens in an unauthenticated area of the
> application, so there's no need to set the cookie value etc.
>
> The injection point was found with Burp Scanner.  It has the following to
> say:
>
> *Issue detail*
> The BLAH parameter appears to be vulnerable to SQL injection attacks. The
> payload %00' was submitted in the BLAH parameter, and a database error
> message was returned. You should review the contents of the error message,
> and the application's handling of other input, to confirm whether a
> vulnerability is present.  The database appears to be PostgreSQL.  The
> application attempts to block SQL injection attacks but this can be
> circumvented by submitting a URL-encoded NULL byte (%00) before the
> characters that are being blocked.
>
> The server response looks like this:
>
> HTTP/1.1 202 Accepted
> Server: Apache-Coyote/1.1
> Vary: Accept-Encoding
> Cache-Control: no-cache
> Content-Type: text/xml;charset=UTF-8
> Date: Wed, 14 Dec 2011 12:48:30 GMT
> Content-Length: 7754
>
> <?xml version="1.0" encoding="UTF-8"?>
> <errors><error><text><![CDATA[could not load an entity:
> [vyre.content.CollectionSchema#165']; nested exception is
> org.hibernate.exception.DataException: could not load an entity:
> [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException:
> could not load an entity: [vyre.content.CollectionSchema#165']
>     at
> org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
>     at
> org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
>     at
> org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
>     at
> org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
>     at
> org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
>     at
> org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
>     at
> vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
>     at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>     at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
>     at
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
>     at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
>     at
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
>     at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
>     at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>     at $Proxy17.load(Unknown Source)
>     at
> vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
>     at
> vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at
> vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at
> org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>     at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at
> com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at
> vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
>     at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>     at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>     at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>     at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>     at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>     at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>     at java.lang.Thread.run(Thread.java:619)
> Caused by: org.hibernate.exception.DataException: could not load an
> entity: [vyre.content.CollectionSchema#165']
>     at
> org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
>     at
> org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
>     at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
>     at
> org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
>     at
> org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
>     at
> org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
>     at
> org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
>     at
> org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
>     at
> org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
>     at
> org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
>     at
> org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
>     at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
>     at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
>     at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
>     at
> org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
>     at
> org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
>     ... 46 more
> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence
> for encoding "UTF8": 0x00
>     at
> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
>     at
> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
>     at
> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
>     at
> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
>     at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
>     at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
>     at
> org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>     at
> org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>     at
> org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
>     at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
>     at org.hibernate.loader.Loader.doQuery(Loader.java:674)
>     at
> org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
>     at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
>     ... 59 more
> ]]></stack-trace></error></errors>
>
> I've worked my way up to the following sqlmap command:
>
> C:\Program Files\sqlmap>python sqlmap.py -u 
> "http://www.**********/servlet/ajax";
> --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql
> --union-char=1 --tamper=appendnullbyte -f -b
>
>     sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover
> tool
>     http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsi
> bility to obey all applicable local, state and federal laws. Authors
> assume no liability and are not responsible for any misuse or
>  damage caused by this program
>
> [*] starting at 15:33:52
>
> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
> [15:33:53] [INFO] using '*****\session' as session file
> [15:33:53] [INFO] testing connection to the target url
> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
> [15:34:03] [INFO] url is stable
> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be
> injectable (possible DBMS: PostgreSQL)
> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause (Generic comment)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace
> (original value)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and
> ORDER BY clauses'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and
> ORDER BY clauses (original value)'
> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter
> replace (GENERATE_SERIES - original value)'
> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind
> queries'
> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
> clause'
> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING
> clause'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY
> clauses'
> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query -
> comment)'
> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10
> columns'
> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to
> 20 columns'
> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to
> 30 columns'
> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to
> 40 columns'
> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to
> 50 columns'
> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to
> increase --level/--risk values to perform more tests. As
> heuristic test turned out positive you are strongly advised to continue on
> with the tests. Please, consider usage of tampering scr
> ipts as your target might filter the queries. Also, you can try to rerun
> by providing either a valid --string or a valid --regexp,
>  refer to the user's manual for details
>
> [*] shutting down at 15:42:42
>
> I didn't start with all of those arguments for sqlmap - I've tried it
> without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and
> --tamper=appendnullbyte and got pretty much the same results for each.
>
> Maybe it's not injectable, but I'd like people's input before I write it
> off, since it looks very suspect to me.
>
> Thanks
>
> Chris
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
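Reading the quoted stack trace from a defender's seat, as an added example that is not code from this thread, from sqlmap or from Burp: the innermost cause is `org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00`, which is PostgreSQL refusing the NUL byte from the `%00'` payload as invalid text, not the SQL parser complaining about the stray quote, and the `DelegatingPreparedStatement.executeQuery` frame suggests the value was bound as a parameter. The Python helper below triages an XML error response of this shape; the two sample responses are constructed (the first modelled on the quoted one, trace trimmed; the second a hypothetical real quoting break) and the classification rules are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the XML error response quoted in the thread
# (trace heavily trimmed; the real one runs to dozens of frames).
PAGE_STYLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
]]></stack-trace></error></errors>"""

# Constructed contrast (hypothetical): the shape a real quoting break takes on
# PostgreSQL, where the stray quote reaches the SQL parser itself.
SYNTAX_ERROR_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<errors><error><text><![CDATA[could not execute query]]></text><stack-trace><![CDATA[org.hibernate.exception.SQLGrammarException: could not execute query
    at org.hibernate.loader.Loader.doList(Loader.java:2223)
Caused by: org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near "'"
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
]]></stack-trace></error></errors>"""

CAUSED_BY = re.compile(r"^Caused by: (\S+): (.*)$", re.M)
# PostgreSQL refusing a 0x00 byte inside a text value: a data/encoding error.
NUL_REJECTED = re.compile(r'invalid byte sequence for encoding "[^"]+": 0x00')
# PostgreSQL grammar errors: the input changed the structure of the statement.
GRAMMAR_BROKEN = re.compile(r"syntax error at or near|unterminated quoted string", re.I)


def root_cause(trace: str) -> tuple[str, str]:
    """Return (exception class, message) of the innermost 'Caused by:' line,
    falling back to the first line when the trace has no nested cause."""
    causes = CAUSED_BY.findall(trace)
    if causes:
        return causes[-1]
    lines = trace.strip().splitlines()
    exc, _, msg = (lines[0] if lines else "").partition(": ")
    return exc, msg


def triage(xml_body: str) -> dict:
    """Classify one <errors> response: is the DB error evidence of injection?"""
    root = ET.fromstring(xml_body.encode("utf-8"))
    trace = root.findtext("./error/stack-trace") or ""
    exc, msg = root_cause(trace)
    # A PreparedStatement frame suggests (it does not prove) that the value was
    # bound as a parameter rather than concatenated into the SQL text.
    prepared = "PreparedStatement" in trace
    if NUL_REJECTED.search(msg):
        verdict, why = "false-positive-likely", "DB rejected the NUL byte as invalid UTF-8; quoting was not broken"
    elif GRAMMAR_BROKEN.search(msg):
        verdict, why = "investigate", "SQL grammar error: the input reached the parser as code"
    else:
        verdict, why = "unknown", "unrecognised database error; review manually"
    return {"exception": exc, "message": msg, "prepared_statement": prepared,
            "verdict": verdict, "reason": why}


if __name__ == "__main__":
    for body in (PAGE_STYLE_RESPONSE, SYNTAX_ERROR_RESPONSE):
        r = triage(body)
        print(f"{r['verdict']:22} prepared={r['prepared_statement']!s:5} {r['message']}")
```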
