It's a GET, so there wouldn't be a content type, unless I am mistaken. 

Alistair, have you tried --risk=3 with --level=5 yet?

Sent from a phone

> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <miroslav.stam...@gmail.com> 
> wrote:
> 
> Can you please send the unredacted content of request.txt to my address?
> 
> If not, then please at least send me the content of traffic file which you 
> can obtain by just appending the "-t traffic.txt" to the regular sqlmap's run.
> 
> Bye
> 
>> On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com> 
>> wrote:
>> Thanks for the quick reply.
>> 
>> The contents of the request file are as follows:
>> 
>> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>> Host: <redacted>
>> Accept: */*
>> Accept-Language: en
>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
>> x64; Trident/5.0)
>> Connection: close
>> Referer: <redacted>
>> Cookie: <redacted>
>> 
>> I've redacted some of the details as it's not appropriate to draw
>> attention to an internet facing application's SQLi vulnerability.
>> 
>> When providing the request file as part of the following command:
>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>> 'industries' -v 1
>> 
>> sqlmap executes as normal but cannot identify (and therefore cannot
>> exploit) the boolean-based blind vulnerability which I've verified
>> manually.
>> 
>> Thanks again,
>> 
>> Al.
>> 
>> 
>> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>> > And what is the content of request file?
>> >
>> > Bye
>> >
>> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com>
>> > wrote:
>> >>
>> >> Hi sqlmappers,
>> >>
>> >> I'm a fairly experienced user of sqlmap having used it extensively in
>> >> the past. I came across what appeared to be pretty typical boolean-based
>> >> blind SQLi in an application I'm (legally) testing. However, for the
>> >> first time, I'm unable to get sqlmap to recognise the parameter as
>> >> vulnerable to exploit it further. And as we know, manually exploiting
>> >> blind SQLi is cumbersome to say the least.
>> >>
>> >> Here is a summary of the requests I've made to manually confirm the
>> >> vulnerability.
>> >>
>> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>> >>
>> >> I've tried various sqlmap flags and thought the following command
>> >> would give me the best chance of success:
>> >>
>> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>> >> 'industries' -v 1
>> >>
>> >> Note: the string 'industries' is text that appears in response A but
>> >> not response B.
>> >>
>> >> I've looked at the requests that sqlmap is sending in the background
>> >> (proxied through burp). It appears that it's attempting to exploit
>> >> this with the AND statement as it should but is not using single
>> >> quotes as per my example above.
>> >>
>> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
>> >> more than happy to contribute some time to improve it so it can
>> >> identify injectable parameters such as these in the future.
>> >>
>> >> Thanks,
>> >>
>> >> Al.
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >> One dashboard for servers and applications across Physical-Virtual-Cloud
>> >> Widest out-of-the-box monitoring support with 50+ applications
>> >> Performance metrics, stats and reports that give you Actionable Insights
>> >> Deep dive visibility with transaction tracing using APM Insight.
>> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>> >> _______________________________________________
>> >> sqlmap-users mailing list
>> >> sqlmap-users@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >
>> >
>> >
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
> 
> 
> 
> -- 
> Miroslav Stampar
> http://about.me/stamparm
