Thanks for the quick reply. The contents of the request file are as follows:

    GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
    Host: <redacted>
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Referer: <redacted>
    Cookie: <redacted>

I've redacted some of the details as it's not appropriate to draw attention to an internet-facing application's SQLi vulnerability.

When providing the request file as part of the following command:

    sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1

sqlmap executes as normal but cannot identify (and therefore cannot exploit) the boolean-based blind vulnerability which I've verified manually.

Thanks again,

Al.

On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> And what is the content of request file?
>
> Bye
>
> On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>>
>> Hi sqlmappers,
>>
>> I'm a fairly experienced user of sqlmap having used it extensively in the past. I came across what appeared to be pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable to exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.
>>
>> Here is a summary of the requests I've made to manually confirm the vulnerability.
>>
>> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>
>> I've tried various sqlmap flags and thought the following command would give me the best chance of success:
>>
>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>
>> Note: the string 'industries' is text that appears in response A but not response B.
>>
>> I've looked at the requests that sqlmap is sending in the background (proxied through Burp). It appears that it's attempting to exploit this with the AND statement as it should but is not using single quotes as per my example above.
>>
>> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.
>>
>> Thanks,
>>
>> Al.
>
> --
> Miroslav Stampar
> http://about.me/stamparm

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
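A defender-side check for the probe shapes discussed in this thread, added here as an example and not part of the thread or of sqlmap itself: it decodes query strings from constructed web-server log lines (the W3C-style field order is an assumption, as is the sqlmap/1.0 user agent) and flags parameter values shaped like the quoted boolean probes (`' and '1'='1`) and the unquoted form (`AND 1234=1234`) that sqlmap sends when no quote prefix is in play.

```python
"""Flag boolean-probe style values in web-server log query strings."""
import re
from urllib.parse import parse_qsl

# Constructed sample log (not real traffic), modelled on the requests in the thread.
# Assumed field order: date time method uri-stem uri-query status user-agent
SAMPLE_LOG = """\
2015-04-28 13:01:02 GET /help/UserGuide.aspx Sec=PackageSelection 200 Mozilla/5.0
2015-04-28 13:01:09 GET /help/UserGuide.aspx Sec=PackageSelection'+and+'1'='1 200 Mozilla/5.0
2015-04-28 13:01:15 GET /help/UserGuide.aspx Sec=PackageSelection'+and+'1'='2 200 Mozilla/5.0
2015-04-28 13:02:30 GET /help/UserGuide.aspx Sec=PackageSelection%20AND%201234%3D1234 200 sqlmap/1.0
2015-04-28 13:03:00 GET /help/UserGuide.aspx Sec=Billing&Lang=en 200 Mozilla/5.0
"""

# Quoted form from the thread: ...' and '1'='1  (also '1'='2, "x"="y", or/and)
QUOTED_BOOL = re.compile(r"""['"]\s*(?:and|or)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)
# Unquoted form used when the injection point is not inside a string literal: ... AND 1234=1234
BARE_BOOL = re.compile(r"""\s(?:and|or)\s+\d+\s*=\s*\d+""", re.I)

def parse_line(line):
    """Split one log line into fields; the user agent is the remainder."""
    date, time, method, path, query, status, agent = line.split(" ", 6)
    return {"time": f"{date} {time}", "method": method, "path": path,
            "query": query, "status": int(status), "agent": agent}

def classify(value):
    """Label a decoded parameter value, or return None if it looks benign."""
    if QUOTED_BOOL.search(value):
        return "quoted-boolean"
    if BARE_BOOL.search(value):
        return "bare-boolean"
    return None

def find_boolean_probes(log_text):
    """Return (time, param, decoded value, label) for every suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # parse_qsl decodes %XX escapes and '+' as space, so we match what the app saw
        for param, value in parse_qsl(rec["query"], keep_blank_values=True):
            label = classify(value)
            if label:
                hits.append((rec["time"], param, value, label))
    return hits

if __name__ == "__main__":
    for hit in find_boolean_probes(SAMPLE_LOG):
        print(hit)
```

Pairing a flagged request with the next one from the same client (the `'1'='1` / `'1'='2` pair above) and comparing response sizes is what turns a single hit into a confirmed probe sequence.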