Hi Brandon,

Thanks for your comment. Confirming that I've tried risk=3 with level=5 with the same results.

I've looked more closely at the requests that sqlmap is sending to check if the parameter is injectable. It is testing the Sec parameter with values such as:

PackageSelection) AND 1477=7114
PackageSelection) AND 1631=1631
PackageSelection') AND 5603=7729
PackageSelection') AND 1631=1631
PackageSelection' AND 3943=9381
PackageSelection' AND 1631=1631
PackageSelection" AND 3324=4690
PackageSelection" AND 1631=1631
PackageSelection) AND 4734=6616 AND (6346=6346
PackageSelection)) AND 7350=9272 AND (8861=8861

When in fact, I assume it would need to use logic like I used to get distinguishable responses:

PackageSelection (returns response A)
PackageSelection' AND '1'='1 (returns response A)
PackageSelection' AND '1'='2 (returns response B)

In a nutshell, it doesn't appear to be trying single quotes and values in the ' AND '1'='1 pattern. But I would have thought this is a pretty typical format for checking boolean-based blind SQLi.

Cheers,
Alistair.

On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
> It's a GET, so there wouldn't be a content type, unless I am mistaken.
>
> Alistair, have you tried --risk=3 with --level=5 yet?
>
> Sent from a phone
>
> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
> Can you please send the unredacted content of request.txt to my address?
>
> If not, then please at least send me the content of traffic file which you can obtain by just appending the "-t traffic.txt" to the regular sqlmap's run.
>
> Bye
>
> On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>>
>> Thanks for the quick reply.
>>
>> The contents of the request file are as follows:
>>
>> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>> Host: <redacted>
>> Accept: */*
>> Accept-Language: en
>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>> Connection: close
>> Referer: <redacted>
>> Cookie: <redacted>
>>
>> I've redacted some of the details as it's not appropriate to draw attention to an internet facing application's SQLi vulnerability.
>>
>> When providing the request file as part of the following command:
>>
>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>
>> sqlmap executes as normal but cannot identify (and therefore cannot exploit) the boolean-based blind vulnerability which I've verified manually.
>>
>> Thanks again,
>>
>> Al.
>>
>> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>> > And what is the content of request file?
>> >
>> > Bye
>> >
>> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>> >>
>> >> Hi sqlmappers,
>> >>
>> >> I'm a fairly experienced user of sqlmap having used it extensively in the past. I came across what appeared to be pretty typical boolean-based blind SQLi in an application I'm (legally) testing. However, for the first time, I'm unable to get sqlmap to recognise the parameter as vulnerable to exploit it further. And as we know, manually exploiting blind SQLi is cumbersome to say the least.
>> >>
>> >> Here is a summary of the requests I've made to manually confirm the vulnerability.
>> >>
>> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>> >>
>> >> I've tried various sqlmap flags and thought the following command would give me the best chance of success:
>> >>
>> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>> >>
>> >> Note: the string 'industries' is text that appears in response A but not response B.
>> >>
>> >> I've looked at the requests that sqlmap is sending in the background (proxied through burp). It appears that it's attempting to exploit this with the AND statement as it should but is not using single quotes as per my example above.
>> >>
>> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be more than happy to contribute some time to improve it so it can identify injectable parameters such as these in the future.
>> >>
>> >> Thanks,
>> >>
>> >> Al.
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
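An added illustration (not code from the thread or from sqlmap) of why the quote-balanced probes in the thread yield two distinguishable valid responses while an unbalanced one yields an error, and why binding the Sec value as a parameter removes the difference. The handler, the UserGuide table and the use of SQLite in place of the thread's Microsoft SQL Server are all assumptions made so the example runs offline; classify() mirrors the --string 'industries' check from the poster's command.

```python
import sqlite3

# Constructed sample data; the real application ran on Microsoft SQL Server
# (the thread's --dbms). SQLite is used here only so the example runs offline.
MARKER = "industries"  # the text the poster passed to --string


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserGuide (Sec TEXT, Content TEXT)")
    conn.execute(
        "INSERT INTO UserGuide VALUES ('PackageSelection', "
        "'Packages available to all industries')"
    )
    return conn


def page_vulnerable(sec):
    """Hypothetical 'before' handler: Sec is concatenated into the SQL text."""
    conn = _db()
    sql = "SELECT Content FROM UserGuide WHERE Sec = '" + sec + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "Server Error"  # an unbalanced quote leaves the SQL unparsable
    return row[0] if row else "Section not found"


def page_fixed(sec):
    """Hardened handler: the value is bound as a parameter, never parsed as SQL."""
    conn = _db()
    row = conn.execute(
        "SELECT Content FROM UserGuide WHERE Sec = ?", (sec,)
    ).fetchone()
    return row[0] if row else "Section not found"


def classify(body):
    """Mirror of the --string check: 'A' if the marker text is present, else 'B'."""
    if body == "Server Error":
        return "error"
    return "A" if MARKER in body else "B"


if __name__ == "__main__":
    for p in ["PackageSelection", "PackageSelection' AND '1'='1",
              "PackageSelection' AND '1'='2", "PackageSelection' AND 3943=9381"]:
        print(f"{p!r:36} vulnerable={classify(page_vulnerable(p))} "
              f"fixed={classify(page_fixed(p))}")
```

With the parameterised handler every modified value simply fails to match a row, so the A/B difference that makes the blind check possible disappears.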