And what is the content of the request file?
Bye
On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com>
wrote:
> Hi sqlmappers,
>
> I'm a fairly experienced user of sqlmap having used it extensively in
> the past. I came across what appeared to be pretty typical boolean-based
> blind SQLi in an application I'm (legally) testing. However, for the
> first time, I'm unable to get sqlmap to recognise the parameter as
> vulnerable to exploit it further. And as we know, manually exploiting
> blind SQLi is cumbersome to say the least.
>
> Here is a summary of the requests I've made to manually confirm the
> vulnerability.
>
> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>
> I've tried various sqlmap flags and thought the following command
> would give me the best chance of success:
>
> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> 'industries' -v 1
>
> Note: the string 'industries' is text that appears in response A but
> not response B.
>
> I've looked at the requests that sqlmap is sending in the background
> (proxied through Burp). It appears that it's attempting to exploit
> this with the AND statement as it should but is not using single
> quotes as per my example above.
>
> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> more than happy to contribute some time to improve it so it can
> identify injectable parameters such as these in the future.
>
> Thanks,
>
> Al.
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm