Hi again,

I am coming back to my signing issue. I run the following command in order to run sqlmap and have my request signed (well, it's only a hash of some params and a secret):

python sqlmap.py -u "http://myserver.com/api/my_object/create.xml?app_id=100&arg1=email&[email protected]" --eval='import base64;import hashlib;api_sig=base64.b64encode(hashlib.md5("%s=%s%s=%s%s=%s%s" % ("app_id", app_id, "arg1", arg1, "arg2", arg2, "secretstuff")).digest())' --skip=app_id

I am running Wireshark to see the actual requests. First sqlmap checks whether the URL is stable, and that's fine (i.e. the signing works). Then it tries to mess with arg1 by replacing its value with 3448 or 1584, and that's fine too. Then it tries to inject arg1=email%27%29%5B%5D%2C%27%5B%22%22%5B, but the signature is not correct anymore.

The hashing done in the --eval part should be applied to the values before they get URL-encoded, and that's where I think my problem is. How could I get the "raw" value of arg1, i.e. not URL-encoded?

Thanks a lot again for your help.
Boris
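Added illustration, not code from this thread or from sqlmap: the signing scheme from Miroslav's example (md5 over "name:phone:password:secret"), carried through as a small client-side signer and the matching server-side check, to show concretely why the hash has to be computed over the decoded parameter values and not over the percent-encoded text that ends up in the URL. The secret "secretkey123", the field order and the myserver.com URL are the placeholder values from the thread's example; `query_params`, `sign_url`, `verify_url` and `sig_over_encoded` are names chosen here.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder secret and field order taken from the example in the thread,
# not a real key and not sqlmap's own code.
SECRET = "secretkey123"
SIGNED_FIELDS = ("name", "phone", "password")

# Constructed sample URL: the thread's request with a value that needs encoding.
SAMPLE_URL = "http://myserver.com/createUser.xml?name=Bob%27%29&phone=0789123456&password=qwerty"


def compute_sig(values, secret=SECRET):
    """Thread's scheme: md5("name:phone:password:secret") as a hex digest.
    'values' are the raw (decoded) parameter values, in SIGNED_FIELDS order."""
    msg = ":".join(list(values) + [secret])
    return hashlib.md5(msg.encode("utf-8")).hexdigest()


def query_params(url):
    """Decoded query parameters as a dict; parse_qsl undoes %xx and '+'."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def sign_url(url, secret=SECRET):
    """Client side: hash the decoded values, then let urlencode re-encode the
    query and append sig. Any stale sig in the input is dropped first."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "sig"]
    raw = dict(params)
    sig = compute_sig([raw.get(f, "") for f in SIGNED_FIELDS], secret)
    params.append(("sig", sig))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url, secret=SECRET):
    """Server side: decode first, recompute over the raw values, and compare
    in constant time so the check does not leak how many bytes matched."""
    raw = query_params(url)
    expected = compute_sig([raw.get(f, "") for f in SIGNED_FIELDS], secret)
    return hmac.compare_digest(expected.encode("ascii"),
                               raw.get("sig", "").encode("utf-8"))


def sig_over_encoded(url, secret=SECRET):
    """The mistake described in the thread: hashing the values while they are
    still percent-encoded. Splits the query by hand so nothing is decoded."""
    pairs = (p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    encoded = dict(pairs)
    return compute_sig([encoded.get(f, "") for f in SIGNED_FIELDS], secret)


if __name__ == "__main__":
    signed = sign_url(SAMPLE_URL)
    print(signed)
    print("server accepts:", verify_url(signed))
    print("sig over encoded value matches:",
          sig_over_encoded(signed) == query_params(signed)["sig"])
    print("tampered request accepted:",
          verify_url(signed.replace("phone=0789123456", "phone=0000000000")))
```

For a plain value like name=Bob the two ways of hashing agree, which is why the stability check and the numeric payloads in the thread go through; as soon as a value contains a character that gets percent-encoded, only the signature over the decoded value matches what the server recomputes. The scheme itself is reproduced as the thread describes it; for a new design the standard keyed construction is HMAC (hmac.new(key, msg, hashlib.sha256)) rather than a hash over the secret concatenated with the data.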


On 25/01/13 17:31, Boris Chazalet wrote:
Wow, thanks a lot Miroslav!

So what's the rule: any variable created in the eval code is considered an HTTP parameter for the ongoing request?

Regards,
Boris

On 25/01/13 15:20, Miroslav Stampar wrote:
Hi Boris.

This would do:

python sqlmap.py -u "http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty" --eval='import hashlib;sig=hashlib.md5("%s:%s:%s:%s" % (name, phone, password, "secretkey123")).hexdigest()'

Kind regards,
Miroslav Stampar

On Fri, Jan 25, 2013 at 3:13 PM, Boris Chazalet <[email protected]> wrote:

    Well, an example of a valid request to the server looks something
    like this:
    
http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty&sig=3cd7a0db76ff9dca48979e24c39b408c

    with name, phone, password being regular parameters and sig being
    the hash of the params value, or in other words:
    sig = md5(bob:phone:qwerty:secretkey)

    The server first checks the sig parameter and rejects the request
    if it does not match its own calculation.

    I have a python script to compute the sig value using the secret
    key, so I would just like to access any sqlmap request before it
    is actually sent in order to append the sig parameter and its
    value, i.e. "&sig=3cd7a0db76ff9dca48979e24c39b408c".

    My question is whether that can be done with the --eval switch or
    if that requires me to go into the source code of sqlmap and add
    this functionality.

    Thanks a lot for your help.
    Regards,
    Boris

    On 24/01/13 18:17, Miroslav Stampar wrote:

    Hi.

    Could you please give more information?

    Kind regards,
    Miroslav Stampar

    On 24.1.2013 at 18:56, "Boris Chazalet" <[email protected]> wrote:

        Hi,

        I need to sign the requests with a secret key before sending them to the
        server for them to be accepted. More precisely, I need to hash the
        different request parameters together with a secret key and add that
        hash as an extra parameter in the final URL.

        Is that something that can be done with the --eval switch, or do I need
        to modify the source code?

        Regards,
        Boris



        _______________________________________________
        sqlmap-users mailing list
        [email protected]
        https://lists.sourceforge.net/lists/listinfo/sqlmap-users





--
Miroslav Stampar
http://about.me/stamparm

