P.S. It would be good if you could send a traffic file for this case (-t
traffic.txt).
On Wed, Apr 25, 2012 at 3:42 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Hi Robert.
>
> Could you please update (svn update) to the latest r5018 and retry it
> again?
>
> Kind regards,
> Miroslav Stampar
>
>
> On Wed, Apr 25, 2012 at 3:33 PM, Robert Spotswood <
> rob...@spotswood-computer.net> wrote:
>
>> I was going through the Backtrack how-to's forum, and g0tmi1k's posts
>> about VulnImage led me to experiment with sqlmap. I'm using Backtrack
>> 5R2 and therefore sqlmap version 1.0-dev (r4766). I'm not sure what I'm
>> doing wrong.
>>
>> I created a page with a parameter that is injectable (i.e. no
>> sanitation). The php based page connects to a MySQL DB, with 5 columns.
>> The actual php select statement is:
>>
>> $name_bad = stripslashes($_POST['rs_string']);
>> $query_bad = "SELECT TestName, Price FROM pricelist WHERE testname =
>> '$name_bad'";
>>
>> (FYI: The stripslashes is in there because the version of php I'm
>> testing on has magic quotes turned on. No login required for this page
>> either.)
>>
>> If I input, manually,
>> Code:
>>
>> ' or 1; --
>>
>> then the query spits out every result in the database as it should,
>> since the query is now
>>
>> SELECT TestName, Price FROM pricelist WHERE testname = '' or 1; -- '
>>
>> Classic injection - This parameter is vulnerable! (FYI, there is space
>> after the second dash and it is required or the query errors out.)
>>
>> I've gone further, and used the order by to see how many columns the
>> select returns (yes, I know it's two, but I'm pretending I don't). So
>>
>> ' or 1 order by 1; -- '
>>
>> orders by testname, and by changing "by 1" to "by 2" I can order by
>> price. If I do "by 3", I get an error as expected since there are only
>> two columns returned. Again, classic injection. This page IS vulnerable.
>>
>> Now I fire up a burp proxy and browse the page, enter a testname or two
>> so it's in the log (this is described in g0tmi1k's posts). Then I fire
>> up sqlmap with the command:
>>
>> ./sqlmap -l /root/burp.log --banner --current-user --current-db --is-dba
>> --dbms=MySQL
>>
>> After testing the correct page, it tells me rs_string is not injectable,
>> even if I crank up the level and risk. But it clearly is! I can do it by
>> hand.
>>
>> What am I doing wrong? Or have I found a bug?
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
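Added example, not from the thread or from sqlmap: the injection Robert describes, reproduced in Python against an in-memory SQLite table rather than the original PHP/MySQL page. The table name, column names and query match the post; the three price rows, the function names and the use of SQLite are assumptions made for this example. It mirrors the post's $query_bad (input spliced into the SQL string), automates the ORDER BY column count, and places a bound-parameter version alongside for comparison.

```python
import sqlite3

# Constructed sample data standing in for the MySQL "pricelist" table in the post.
# SQLite is used so this runs offline; note MySQL's "-- " comment needs the
# trailing space the post mentions, SQLite's does not, so these payloads work in both.
ROWS = [("cbc", 25.00), ("lipid panel", 40.00), ("tsh", 30.00)]


def make_db():
    """Create the two-column pricelist table from the post, populated with ROWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pricelist (TestName TEXT, Price REAL)")
    con.executemany("INSERT INTO pricelist VALUES (?, ?)", ROWS)
    return con


def lookup_bad(con, name):
    """Mirrors the post's $query_bad: user input is spliced straight into the SQL,
    exactly what stripslashes() exposes once magic quotes are undone."""
    query = f"SELECT TestName, Price FROM pricelist WHERE testname = '{name}'"
    return con.execute(query).fetchall()


def lookup_good(con, name):
    """Same query with a bound parameter; the input is data and can never
    change the statement, so ' or 1; -- simply matches no test name."""
    return con.execute(
        "SELECT TestName, Price FROM pricelist WHERE testname = ?", (name,)
    ).fetchall()


def count_columns(con, max_cols=10):
    """The post's ORDER BY trick, automated: ORDER BY n succeeds while n is
    within the SELECT list and errors one past it, which gives the column count."""
    for n in range(1, max_cols + 1):
        try:
            lookup_bad(con, f"' or 1 order by {n}; -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None  # more columns than max_cols; widen the search


if __name__ == "__main__":
    con = make_db()
    payload = "' or 1; -- "
    print("vulnerable:", lookup_bad(con, payload))   # every row comes back
    print("parameterized:", lookup_good(con, payload))  # []
    print("columns in SELECT:", count_columns(con))
```

Running the vulnerable lookup with the post's payload returns all three rows, as Robert saw by hand, and the ORDER BY probe reports 2 columns; the bound-parameter version returns nothing for the same input.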