Hi Stephen.

From this traffic file it's not really clear if this is exploitable by any
means more than time-based.

Could you please send the response you get when you "manually exploit" it
with the payload you've mentioned:
"sesh=')%20UNION%20select%201,2,3,4%20--%20" ?

Kind regards,
Miroslav Stampar

On Sat, Sep 15, 2012 at 1:33 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:

> It ran a little over and started testing User-Agent, but it has the entire
> log for the session cookie there.
> The options I used this time were:
> python2 sqlmap.py -u "http://10.100.0.26/account.php" --cookie="sesh=1"
> -t traffic.txt --level=5
>
> Thanks,
> ss23
>
>
> On Sat, Sep 15, 2012 at 10:31 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> In that case could you please send the sqlmap traffic file obtained by using
>> -t traffic.txt along with your standard switches/options?
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Sat, Sep 15, 2012 at 12:09 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>>
>>> Hi,
>>>
>>> Sorry, my mistake. I just copied the line and altered it to show that
>>> the cookie was being used. In the real script, there was no parse error.
>>> Nonetheless, sqlmap cannot pull out results.
>>>
>>> Thanks
>>> ss23
>>>
>>> On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> I am not sure how you are able to "definitely able to pull out results"
>>>> as I can see the problem lies in the PHP used (a pair of single quotes
>>>> enclosed within another pair of single quotes):
>>>>
>>>> Bad:
>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>> sessionid = '$_COOKIE['sesh']')");
>>>>
>>>> Good 1:
>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>> sessionid = '$_COOKIE[sesh]')");
>>>>
>>>> Good 2:
>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>> sessionid = " . $_COOKIE['sesh'] . ")");
>>>>
>>>> With that code of yours you should get an ugly PHP error message:
>>>> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
>>>> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>>>>
>>>> Also, you could take a look at similar case here [1].
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> [1]
>>>> http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>>>>
>>>> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Trying to do a (simple) injection with sqlmap, and I can't seem to
>>>>> coax it into getting it right.
>>>>> The PHP source looks something like:
>>>>>
>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>> sessionid = '$_COOKIE['sesh']')");
>>>>>
>>>>> and then it displays the fields it pulled out.
>>>>>
>>>>> The command(s) I've tried look something like ./sqlmap.py -u
>>>>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>>>>> --risk=5. However, the only injection point it finds is AND/OR time-based
>>>>> blind, which is horribly slow. Of course, manually, I can do a
>>>>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>>>>> I'm definitely able to pull out results.
>>>>>
>>>>> Anything I can do to push sqlmap in the right direction?
>>>>>
>>>>> Thanks,
>>>>> ss23
>>>>>


-- 
Miroslav Stampar
http://about.me/stamparm
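The interpolation problem and the lookup query from this thread, as an added example that is not code from the thread or from sqlmap. It assumes PHP with the pdo_sqlite extension, builds an in-memory SQLite database with constructed rows whose table and column names follow the query quoted above, and puts the string forms that do parse next to a parameterized version of the same lookup.

```php
<?php
// Added example, not code from the thread. Runs offline against an in-memory
// SQLite database through PDO (assumes the pdo_sqlite extension); table and
// column names follow the query quoted in the thread, rows are constructed.

// Why the original line is a parse error: inside a double-quoted string PHP
// accepts an unquoted key ("$c[sesh]") or a braced expression ("{$c['sesh']}"),
// but a quoted key without braces, '$c['sesh']', is rejected by the tokenizer
// with the T_ENCAPSED_AND_WHITESPACE error quoted in the thread.
// Every form that does parse still splices the cookie value into the SQL text.
$c = ['sesh' => 'abc123'];
$formA = "sessionid = '$c[sesh]'";
$formB = "sessionid = '{$c['sesh']}'";
$formC = "sessionid = '" . $c['sesh'] . "'";
if ($formA !== $formB || $formB !== $formC) {
    throw new RuntimeException('interpolation forms should be identical');
}

// Parameterized version of the lookup: the session id is bound as data, so a
// value containing quotes or SQL keywords cannot change the query structure.
function lookupCustomer(PDO $db, string $sesh): array
{
    $stmt = $db->prepare(
        'SELECT cd.userid, cd.custname, cd.custemail, cd.owing FROM custdata AS cd ' .
        'WHERE cd.userid = (SELECT cu.userid FROM ccc_users AS cu WHERE cu.sessionid = ?)'
    );
    $stmt->execute([$sesh]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE custdata (userid INTEGER, custname TEXT, custemail TEXT, owing REAL)');
$db->exec('CREATE TABLE ccc_users (userid INTEGER, sessionid TEXT)');
$db->exec("INSERT INTO custdata VALUES (1, 'Sample Customer', 'sample@example.invalid', 12.5)");
$db->exec("INSERT INTO ccc_users VALUES (1, 'abc123')");

// A valid session id returns its one row; the quote-breaking value from the
// thread returns nothing instead of extra rows, because it is only ever data.
$valid = lookupCustomer($db, 'abc123');
$hostile = lookupCustomer($db, "') UNION select 1,2,3,4 -- ");
if (count($valid) !== 1 || $valid[0]['custname'] !== 'Sample Customer' || count($hostile) !== 0) {
    throw new RuntimeException('unexpected lookup result');
}
echo "parameterized lookup behaves as expected\n";
```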
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
