Hi Julia again.
After a thorough examination I believe that something else is screwed. In
your case "Host" header value is used for establishing origin of request
when the original request hasn't got a full url (server address included).
That's why httplib uses that value to make a full url.
Does this make sense to you? Do you see anything special in your case?
Now, I can't imagine how this is happening. Could you please send me
privately more information? What command line have you used (or
configuration file in your case)? Also, a traffic file (or maybe a part of
it) would be great.
Kind regards
On Fri, Mar 16, 2012 at 12:09 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Will "patch" it in an hour or two. HTTP headers should not be URL-encoded,
> but in this case the character ':' from the payload needs to be replaced with
> its URL-encoded counterpart to prevent this kind of behavior.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Fri, Mar 16, 2012 at 11:50 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
>> Hi Julia.
>>
>> Thank you for your report and a minor explanation of what is going on here.
>> We are also doing an injection of the "Host" header at higher levels (e.g.
>> --level=5) and that's causing the problem in your case. Python's httplib
>> library is obviously not happy with that. Have to research a bit what can
>> be done here.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Fri, Mar 16, 2012 at 1:12 AM, Julia Wolf <ju...@fireeye.com> wrote:
>>
>>>
>>> Well, here's a bug report crash-thingy... My cursory analysis is that
>>> the SQL PAYLOAD got sucked back up and, for some mysterious reason,
>>> re-parsed as a host:port value. Something like the hostname being
>>> "10.6.1.142) AND 5306=CAST... etc. ...ELSE 0 END))::" which then means
>>> that the port would be "text||CHR(58) ... and stuff"
>>>
>>> Here are some possibly relevant options from the config file.
>>>
>>> crawlDepth = 10
>>> forceSSL = True
>>> level = 5
>>> risk = 3
>>> tech = BEUST
>>>
>>>
>>>
>>> [18:28:19] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
>>> clause'
>>> [18:28:19] [PAYLOAD] 10.6.1.142) AND
>>> 5306=CAST(CHR(58)||CHR(105)||CHR(105)||CHR(121)||CHR(58)||(SELECT (CASE
>>> WHEN (5306=5306) THEN 1 ELSE 0
>>> END))::text||CHR(58)||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)
>>> [18:28:19] [TRAFFIC OUT] HTTP request [#13922]:
>>> GET // HTTP/1.1
>>> Accept-Encoding: identity
>>> Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>> Host: 10.6.1.142) AND
>>> 5306=CAST(CHR(58)||CHR(105)||CHR(105)||CHR(121)||CHR(58)||(SELECT (CASE
>>> WHEN (5306=5306) THEN 1 ELSE 0
>>> END))::text||CHR(58)||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)
>>> Accept-language: en-us,en;q=0.5
>>> Cookie: _session_id=60273438247a37935d9d37562d6888ba;
>>> Referer: https://10.6.1.142:443//
>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
>>> Gecko/20100101 Firefox/8.0.1
>>> Connection: close
>>>
>>> [18:28:19] [WARNING] HTTP error codes detected during testing:
>>> 400 (Bad Request) - 62 times, 500 (Internal Server Error) - 35 times,
>>> 404 (Not Found) - 3572 times
>>>
>>> [18:28:19] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4864),
>>> retry your run with the latest development version from the Subversion
>>> repository. If the exception persists, please send by e-mail to
>>> sqlmap-users@lists.sourceforge.net the following text and any
>>> information required to reproduce the bug. The developers will try to
>>> reproduce the bug, fix it accordingly and get back to you.
>>> sqlmap version: 1.0-dev (r4864)
>>> Python version: 2.7.2
>>> Operating system: posix
>>> Command line: ./sqlmap.py -c test2.conf -l final_url.lst
>>> Technique: UNION
>>> Back-end DBMS: PostgreSQL (identified)
>>> Traceback (most recent call last):
>>> File "/home/jwolf/Mar_14_12/sqlmap/_sqlmap.py", line 82, in main
>>> start()
>>> File "/home/jwolf/Mar_14_12/sqlmap/lib/controller/controller.py", line
>>> 472, in start
>>> injection = checkSqlInjection(place, parameter, value)
>>> File "/home/jwolf/Mar_14_12/sqlmap/lib/controller/checks.py", line
>>> 355, in checkSqlInjection
>>> page, headers = Request.queryPage(reqPayload, place, content=True,
>>> raise404=False)
>>> File "/home/jwolf/Mar_14_12/sqlmap/lib/request/connect.py", line 719,
>>> in queryPage
>>> page, headers, code = Connect.getPage(url=uri, get=get, post=post,
>>> cookie=cookie, ua=ua, referer=referer, host=host, silent=silent,
>>> method=method, auxHeaders=auxHeaders, response=response, raise404=raise404,
>>> ignoreTimeout=timeBasedCompare)
>>> File "/home/jwolf/Mar_14_12/sqlmap/lib/request/connect.py", line 294,
>>> in getPage
>>> conn = urllib2.urlopen(req)
>>> File "/usr/lib64/python2.7/urllib2.py", line 126, in urlopen
>>> return _opener.open(url, data, timeout)
>>> File "/usr/lib64/python2.7/urllib2.py", line 400, in open
>>> response = meth(req, response)
>>> File "/usr/lib64/python2.7/urllib2.py", line 513, in http_response
>>> 'http', request, response, code, msg, hdrs)
>>> File "/usr/lib64/python2.7/urllib2.py", line 432, in error
>>> result = self._call_chain(*args)
>>> File "/usr/lib64/python2.7/urllib2.py", line 372, in _call_chain
>>> result = func(*args)
>>> File "/home/jwolf/Mar_14_12/sqlmap/lib/request/redirecthandler.py",
>>> line 108, in http_error_302
>>> result = urllib2.HTTPRedirectHandler.http_error_302(self, req, fp,
>>> code, msg, headers)
>>> File "/usr/lib64/python2.7/urllib2.py", line 619, in http_error_302
>>> return self.parent.open(new, timeout=req.timeout)
>>> File "/usr/lib64/python2.7/urllib2.py", line 394, in open
>>> response = self._open(req, data)
>>> File "/usr/lib64/python2.7/urllib2.py", line 412, in _open
>>> '_open', req)
>>> File "/usr/lib64/python2.7/urllib2.py", line 372, in _call_chain
>>> result = func(*args)
>>> File "/usr/lib64/python2.7/urllib2.py", line 1207, in https_open
>>> return self.do_open(httplib.HTTPSConnection, req)
>>> File "/usr/lib64/python2.7/urllib2.py", line 1140, in do_open
>>> h = http_class(host, timeout=req.timeout) # will parse host:port
>>> File "/usr/lib64/python2.7/httplib.py", line 1146, in __init__
>>> source_address)
>>> File "/usr/lib64/python2.7/httplib.py", line 693, in __init__
>>> self._set_hostport(host, port)
>>> File "/usr/lib64/python2.7/httplib.py", line 718, in _set_hostport
>>> raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
>>> InvalidURL: nonnumeric port:
>>> 'text||CHR(58)||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)'
>>>
>>> [*] shutting down at 18:28:19
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF email is sponsored by:
>>> Try Windows Azure free for 90 days Click Here
>>> http://p.sf.net/sfu/sfd2d-msazure
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
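The following is an added example, not code from sqlmap or from anyone in this thread. It reproduces the crash reported above with the standard library's host:port parsing (Python 3's http.client, the successor of the httplib named in the traceback), reimplements that splitting rule so it can be read in isolation, and applies the fix Miroslav describes: leave the header value unencoded except for ':' itself, which is replaced by %3A. The payload string is reconstructed from the [PAYLOAD] line in the report; the function names are my own.

```python
# Added example (not sqlmap's or the stdlib's own code): why a sqlmap payload
# injected into the "Host" header makes httplib/http.client raise InvalidURL,
# and the fix discussed in the thread (percent-encode only the ':' character).
import http.client


class NonNumericPort(ValueError):
    """Stands in for http.client.InvalidURL in the reimplementation below."""


def split_hostport(host, default_port):
    """Reimplementation, for illustration, of the rule httplib/http.client
    applies to a connection host string: everything after the LAST ':' that
    is not inside a bracketed IPv6 literal is the port and must be an int."""
    i = host.rfind(':')
    j = host.rfind(']')  # bracketed IPv6 literals contain ':' themselves
    if i > j:
        port_text = host[i + 1:]
        if port_text == "":  # "example.com:" means the default port
            port = default_port
        else:
            try:
                port = int(port_text)
            except ValueError:
                raise NonNumericPort("nonnumeric port: '%s'" % port_text)
        host = host[:i]
    else:
        port = default_port
    if host and host[0] == '[' and host[-1] == ']':
        host = host[1:-1]
    return host, port


def encode_colons_for_header(payload):
    """The fix from the thread: header values are sent raw (not URL-encoded),
    but a literal ':' in a Host-header payload is read as a port separator,
    so only that one character is replaced by its percent-encoded form."""
    return payload.replace(':', '%3A')


def stdlib_constructor_error(host):
    """Hand the value to the real stdlib class. HTTPConnection.__init__ splits
    host:port without opening a socket, so this runs offline.
    Returns the InvalidURL message, or None if the value was accepted."""
    try:
        http.client.HTTPConnection(host)
    except http.client.InvalidURL as exc:
        return str(exc)
    return None


# Constructed from the [PAYLOAD] line in the report above. The CHR(58) calls
# produce ':' on the database side without a literal colon; it is the
# PostgreSQL "::text" cast that puts literal colons into the header value.
PAYLOAD = (
    "10.6.1.142) AND 5306=CAST(CHR(58)||CHR(105)||CHR(105)||CHR(121)||CHR(58)"
    "||(SELECT (CASE WHEN (5306=5306) THEN 1 ELSE 0 END))::text||CHR(58)"
    "||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)"
)

if __name__ == "__main__":
    print("stdlib says:", stdlib_constructor_error(PAYLOAD))
    try:
        split_hostport(PAYLOAD, 443)
    except NonNumericPort as exc:
        print("reimplementation says:", exc)
    fixed = encode_colons_for_header(PAYLOAD)
    print("after encoding ':':", split_hostport(fixed, 443))
```

Because the split is on the last ':' in the string, the reported port is exactly the tail after the second colon of "::text", which is the string the traceback shows. Recent CPython releases additionally refuse control characters and whitespace in the host at construction time (a later hardening, unrelated to this bug), so on a current interpreter the percent-encoded payload, which still contains spaces, is rejected by the constructor for that second reason; that is why the reimplementation rather than the constructor is used to show the encoded value parsing to the default port.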