Hi guys, I'm experiencing a weird behavior when injecting into a cookie value.
The cookie in the request looks like this (yes the spaces are intentional):

    Cookie: foocookie=asd ,rrr-123 ,tzu-345

The injection is possible after the rrr-123 and before the first space. Neat and straight-forward boolean based blind. Something like

    Cookie: foocookie=asd ,rrr-123' and 34=34 and 'qe'='qe ,tzu-345

or

    Cookie: foocookie=asd ,rrr-123' and 34+2=36 and 'qe'='qe ,tzu-345

gets the job done.

First problem: It seems I cannot define custom injection points (*) in cookies. I fixed this by using a request file and terminating the cookie string after rrr-123 and adding the rest of the cookie value as --suffix=" ,tzu-345". Works fine.

Second problem: sqlmap thinks it finds the boolean based injection, then wildly tries to union inject. This fails and the boolean based injection is discarded as false positive. Checking the payloads in burp, it seems that sqlmap does the following checks:

    Cookie: foocookie=asd ,rrr-123' and 3456=3456 ,tzu-345
    Cookie: foocookie=asd ,rrr-123') and 5678=5678 ,tzu-345
    Cookie: foocookie=asd ,rrr-123')) and 1234=1234 ,tzu-345

and so on but never tries the obvious (and correct)

    Cookie: foocookie=asd ,rrr-123' and 'qwer'='qwer ,tzu-345

With higher level it then goes on with boolean based (comment), etc. Comparing the payloads, they don't seem to differ from the normal boolean based payloads. I think there might be a bug?

Cheers
Dennis

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
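
Added example (not part of the original post, and not sqlmap code): a sketch of how the cookie values quoted above behave if the application splits the cookie on commas and pastes the second item into a single-quoted SQL string literal, next to the parameterized form that removes the injection. The SQLite backend, the schema and all function names are assumptions made for illustration; the real application's query is not shown in the post.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (code TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [("rrr-123",), ("tzu-345",)])
    return db

def second_item(cookie_value):
    # "asd ,rrr-123 ,tzu-345" -> "rrr-123" (assumed server-side parsing)
    return cookie_value.split(",")[1].strip()

def lookup_concatenated(db, cookie_value):
    """Vulnerable form: the item is pasted between quotes in the SQL text."""
    sql = "SELECT count(*) FROM items WHERE code = '%s'" % second_item(cookie_value)
    try:
        return "true" if db.execute(sql).fetchone()[0] else "false"
    except sqlite3.Error:
        # The query's own closing quote is left unbalanced, so nothing parses.
        return "error"

def lookup_parameterized(db, cookie_value):
    """Hardened form: the item is bound as data and never parsed as SQL."""
    row = db.execute("SELECT count(*) FROM items WHERE code = ?",
                     (second_item(cookie_value),)).fetchone()
    return "true" if row[0] else "false"

# Cookie values as quoted in the post above.
COOKIES = [
    "asd ,rrr-123 ,tzu-345",
    "asd ,rrr-123' and 34=34 and 'qe'='qe ,tzu-345",
    "asd ,rrr-123' and 3456=3456 ,tzu-345",
    "asd ,rrr-123') and 5678=5678 ,tzu-345",
]

def compare():
    db = make_db()
    return [(c, lookup_concatenated(db, c), lookup_parameterized(db, c))
            for c in COOKIES]

if __name__ == "__main__":
    for cookie, concatenated, bound in compare():
        print(f"{concatenated:5}  {bound:5}  {cookie}")
```

Under these assumptions only the quote-balanced value yields a parseable statement in the concatenated form, while the bound form treats every value as a plain string to compare.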