Thanks to all.  Definitely a false positive following all your advice and
reasoning.  Cheers.

On 15 December 2011 10:14, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:

> Hi.
>
> I believe that in your case that "appears to be" caused a little
> misguidance. With the latest commit that message should be restrained to
> 1 appearance per target, so there won't be such a large number of those.
>
> "Appears to be" is just a friendly log message. Be sure that sqlmap checks
> that "appears to be" is really a chance for injecting.
>
> I would say that you should skip this target because of one strong reason:
> - you've received "appears to be" for different boundaries (prefix/suffix
> combinations) which is impossible for a positively injectable target
>
> Kind regards
>
> On Wed, Dec 14, 2011 at 4:51 PM, Chris Oakley <
> christopher.oak...@gmail.com> wrote:
>
>> Hi All
>>
>> I'm having problems with an injection that I think is real.
>>
>> It's a standard POST request with one of the parameters of the data sent
>> being vulnerable.  This all happens in an unauthenticated area of the
>> application, so there's no need to set the cookie value etc.
>>
>> The injection point was found with Burp Scanner.  It has the following to
>> say:
>>
>> *Issue detail*
>> The BLAH parameter appears to be vulnerable to SQL injection attacks. The
>> payload %00' was submitted in the BLAH parameter, and a database error
>> message was returned. You should review the contents of the error message,
>> and the application's handling of other input, to confirm whether a
>> vulnerability is present.  The database appears to be PostgreSQL.  The
>> application attempts to block SQL injection attacks but this can be
>> circumvented by submitting a URL-encoded NULL byte (%00) before the
>> characters that are being blocked.
>>
>> The server response looks like this:
>>
>> HTTP/1.1 202 Accepted
>> Server: Apache-Coyote/1.1
>> Vary: Accept-Encoding
>> Cache-Control: no-cache
>> Content-Type: text/xml;charset=UTF-8
>> Date: Wed, 14 Dec 2011 12:48:30 GMT
>> Content-Length: 7754
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <errors><error><text><![CDATA[could not load an entity:
>> [vyre.content.CollectionSchema#165']; nested exception is
>> org.hibernate.exception.DataException: could not load an entity:
>> [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException:
>> could not load an entity: [vyre.content.CollectionSchema#165']
>>     at
>> org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
>>     at
>> org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
>>     at
>> org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
>>     at
>> org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
>>     at
>> org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
>>     at
>> org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
>>     at
>> vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
>>     at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>>     at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>     at
>> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
>>     at
>> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
>>     at
>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
>>     at
>> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
>>     at
>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
>>     at
>> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>>     at $Proxy17.load(Unknown Source)
>>     at
>> vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
>>     at
>> vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at
>> vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at
>> org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>>     at
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at
>> com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at
>> vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>     at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>     at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>     at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>     at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>     at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>     at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>>     at
>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>     at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>     at java.lang.Thread.run(Thread.java:619)
>> Caused by: org.hibernate.exception.DataException: could not load an
>> entity: [vyre.content.CollectionSchema#165']
>>     at
>> org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
>>     at
>> org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
>>     at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
>>     at
>> org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
>>     at
>> org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
>>     at
>> org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
>>     at
>> org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
>>     at
>> org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
>>     at
>> org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
>>     at
>> org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
>>     at
>> org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
>>     at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
>>     at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
>>     at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
>>     at
>> org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
>>     at
>> org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
>>     ... 46 more
>> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte
>> sequence for encoding "UTF8": 0x00
>>     at
>> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
>>     at
>> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
>>     at
>> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
>>     at
>> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
>>     at
>> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
>>     at
>> org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
>>     at
>> org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>>     at
>> org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>>     at
>> org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
>>     at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
>>     at org.hibernate.loader.Loader.doQuery(Loader.java:674)
>>     at
>> org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
>>     at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
>>     ... 59 more
>> ]]></stack-trace></error></errors>
>>
>> I've worked my way up to the following sqlmap command:
>>
>> C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax"
>> --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql
>> --union-char=1 --tamper=appendnullbyte -f -b
>>
>>     sqlmap/1.0-dev (r4577) - automatic SQL injection and database
>> takeover tool
>>     http://www.sqlmap.org
>>
>> [!] legal disclaimer: usage of sqlmap for attacking targets without prior
>> mutual consent is illegal. It is the end user's responsibility to obey all
>> applicable local, state and federal laws. Authors assume no liability and
>> are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 15:33:52
>>
>> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
>> [15:33:53] [INFO] using '*****\session' as session file
>> [15:33:53] [INFO] testing connection to the target url
>> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
>> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
>> [15:34:03] [INFO] url is stable
>> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might
>> be injectable (possible DBMS: PostgreSQL)
>> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
>> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause (Generic comment)'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter
>> replace (original value)'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and
>> ORDER BY clauses'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and
>> ORDER BY clauses (original value)'
>> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter
>> replace (GENERATE_SERIES - original value)'
>> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind
>> queries'
>> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
>> clause'
>> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING
>> clause'
>> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
>> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY
>> clauses'
>> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
>> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
>> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind
>> (comment)'
>> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
>> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query -
>> comment)'
>> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
>> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
>> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
>> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
>> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
>> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to
>> 10 columns'
>> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to
>> 20 columns'
>> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to
>> 30 columns'
>> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to
>> 40 columns'
>> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to
>> 50 columns'
>> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
>> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to
>> increase --level/--risk values to perform more tests. As heuristic test
>> turned out positive you are strongly advised to continue on with the
>> tests. Please, consider usage of tampering scripts as your target might
>> filter the queries. Also, you can try to rerun by providing either a valid
>> --string or a valid --regexp, refer to the user's manual for details
>>
>> [*] shutting down at 15:42:42
>>
>> I didn't start with all of those arguments for sqlmap - I've tried it
>> without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and
>> --tamper=appendnullbyte and got pretty much the same results for each.
>>
>> Maybe it's not injectable, but I'd like people's input before I write it
>> off, since it looks very suspect to me.
>>
>> Thanks
>>
>> Chris
>>
>>
>>
>>
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
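The two points the thread turns on, as an added Python example (not code from the thread or from sqlmap): PostgreSQL rejects a NUL byte in a text value before any SQL is parsed, so a bound parameter (the trace shows a `DelegatingPreparedStatement`) produces the same encoding error as a real syntax error would; and a boolean differential that fires on several boundaries at once, or on none, is not evidence of injection. The backends, the `ROWS` table and the boundary list are constructed toy stand-ins.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Response:
    status: str  # "ok" | "not_found" | "db_error" | "encoding_error"
    body: str


# Constructed sample rows standing in for the CollectionSchema entities.
ROWS = {"165": "schema-165", "166": "schema-166"}


def pg_reject_nul(value: str) -> Optional[Response]:
    # PostgreSQL refuses NUL inside any text value, bound or not, before the
    # statement is parsed: the error in the thread's stack trace.
    if "\x00" in value:
        return Response("encoding_error",
                        'invalid byte sequence for encoding "UTF8": 0x00')
    return None


def safe_backend(param: str) -> Response:
    """Bound parameter (PreparedStatement): the value can never alter the SQL."""
    err = pg_reject_nul(param)
    if err:
        return err
    row = ROWS.get(param)
    return Response("ok", row) if row else Response("not_found", "")


def vulnerable_backend(param: str) -> Response:
    """Deliberately insecure toy: the value is concatenated into a quoted literal."""
    err = pg_reject_nul(param)
    if err:
        return err
    sql = f"SELECT name FROM schema WHERE id = '{param}'"
    # Toy parser: one quoted literal, optionally followed by AND n=m and a comment.
    m = re.fullmatch(r"SELECT name FROM schema WHERE id = '([^']*)'(.*)", sql, re.S)
    if not m:
        return Response("db_error", "unterminated quoted string")
    literal, tail = m.group(1), m.group(2).strip()
    cond = True
    if tail:
        c = re.fullmatch(r"AND (\d+)=(\d+)(?:\s*--.*)?", tail, re.S)
        if not c:
            return Response("db_error", f"syntax error at or near {tail[:8]!r}")
        cond = c.group(1) == c.group(2)
    row = ROWS.get(literal) if cond else None
    return Response("ok", row) if row else Response("not_found", "")


# sqlmap-style boundaries: (prefix, suffix) wrapped around the payload.
BOUNDARIES = [("", ""), ("'", "-- "), ("')", "-- "), ('"', "-- ")]


def triage(backend, base: str = "165", append_nul: bool = False) -> str:
    """Boolean differential per boundary, then the boundary-consistency rule."""
    send = lambda v: backend(v + "\x00" if append_nul else v)  # appendnullbyte tamper
    nul_only = backend(base + "\x00")  # the Burp %00 probe with no SQL syntax at all
    hits, errors = [], []
    for prefix, suffix in BOUNDARIES:
        true_r = send(f"{base}{prefix} AND 1=1{suffix}")
        false_r = send(f"{base}{prefix} AND 1=2{suffix}")
        if true_r != false_r:
            hits.append((prefix, suffix))
        errors += [r for r in (true_r, false_r) if r.status.endswith("error")]
    if len(hits) == 1:
        return f"injectable at boundary {hits[0]!r}"
    if len(hits) > 1:
        return "false positive: same signal on several boundaries"
    if errors and all(r == nul_only for r in errors):
        return "no evidence: every error is the NUL encoding error, not a SQL parse error"
    return "not injectable"
```

Running `triage(safe_backend)` and `triage(vulnerable_backend)` side by side shows why a bare `%00` error page proves nothing: only the concatenating backend separates true from false on exactly one boundary, and appending the NUL byte collapses both backends to the same encoding error.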