Hi guys,

I'm experiencing a weird behavior when injecting into a cookie value.

The cookie in the request looks like this (yes the spaces are intentional):
Cookie: foocookie=asd     ,rrr-123   ,tzu-345

The injection is possible after the rrr-123 and before the first space.
Neat and straightforward boolean-based blind. Something like
Cookie: foocookie=asd     ,rrr-123' and 34=34 and 'qe'='qe   ,tzu-345
or
Cookie: foocookie=asd     ,rrr-123' and 34+2=36 and 'qe'='qe   ,tzu-345
gets the job done.

First problem: It seems I cannot define custom injection points (*) in
cookies. I fixed this by using a request file and terminating the cookie
string after rrr-123 and adding the rest of the cookie value as
--suffix="   ,tzu-345". Works fine.

Second problem: sqlmap thinks it finds the boolean-based injection, then
wildly tries to union inject. This fails and the boolean-based injection
is discarded as a false positive.

Checking the payloads in burp, it seems that sqlmap does the following
checks:
Cookie: foocookie=asd     ,rrr-123' and 3456=3456   ,tzu-345
Cookie: foocookie=asd     ,rrr-123') and 5678=5678   ,tzu-345
Cookie: foocookie=asd     ,rrr-123')) and 1234=1234   ,tzu-345
and so on but never tries the obvious (and correct)
Cookie: foocookie=asd     ,rrr-123' and 'qwer'='qwer   ,tzu-345

With a higher level it then goes on with boolean-based (comment), etc.
Comparing the payloads, they don't seem to differ from the normal
boolean-based payloads. I think there might be a bug?

Cheers
Dennis
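
As an added example that is not part of the post above, the following Python snippet shows the defender's side of the same cookie format: it splits the comma-separated, space-padded sub-values of a Cookie header and flags those carrying the boolean-based patterns the post lists (`' and N=N`, `') and N=N`, `')) and N=N`, and `' and 'x'='x`). The sample Cookie values are constructed from the post; the function and pattern names are my own.

```python
import re

# Constructed sample Cookie header values, in the format from the post:
# comma-separated sub-values with intentional padding spaces.
SAMPLE_COOKIES = [
    "foocookie=asd     ,rrr-123   ,tzu-345",
    "foocookie=asd     ,rrr-123' and 34=34 and 'qe'='qe   ,tzu-345",
    "foocookie=asd     ,rrr-123') and 5678=5678   ,tzu-345",
    "foocookie=asd     ,rrr-123')) and 1234=1234   ,tzu-345",
    "foocookie=asd     ,rrr-123' and 'qwer'='qwer   ,tzu-345",
]

# Boolean-based blind signature: a string-closing quote, zero or more closing
# parentheses, then AND/OR followed by either a numeric tautology (N=N) or a
# quoted-string tautology ('x'='x' with the final quote supplied by the app).
BOOLEAN_BLIND = re.compile(
    r"'\)*\s+(?:and|or)\s+(?:\d+\s*=\s*\d+|'[^']*'\s*=\s*'[^']*)",
    re.IGNORECASE,
)


def split_subvalues(cookie_value: str) -> list:
    """Split the comma-separated value and strip the padding spaces."""
    return [part.strip() for part in cookie_value.split(",")]


def suspicious_subvalues(cookie_header: str) -> list:
    """Return 'name:subvalue' for every sub-value matching the blind pattern."""
    hits = []
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        for sub in split_subvalues(value):
            if BOOLEAN_BLIND.search(sub):
                hits.append(f"{name}:{sub}")
    return hits


def scan(cookies: list) -> dict:
    """Map each raw Cookie header to the suspicious sub-values found in it."""
    return {c: suspicious_subvalues(c) for c in cookies}


if __name__ == "__main__":
    for header, hits in scan(SAMPLE_COOKIES).items():
        print(f"{'ALERT' if hits else 'ok   '} {header!r} -> {hits}")
```

Matching on the stripped sub-value rather than the whole header is what makes the padded form in the post detectable without special-casing the spaces.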

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
