Technically, it shouldn't*

On Tue, Apr 28, 2015 at 9:07 AM, Brandon Perry <bperry.volat...@gmail.com>
wrote:

> The injections I see like those are all suffixed with the start of a
> comment (# or --). So, technically it should matter if single quotes are
> used in the latter part of the boolean clause.
>
> For instance, SELECT * FROM blah WHERE foo = 'fdsa' with value 'fdsa'
> being injectable. Using fdsa' AND 1=1# would result with the trailing
> single quote being part of the comment and ignored by MySQL.
>
> Can you exploit the injection by hand using 1=1# or 1=1--?
>
> On Tue, Apr 28, 2015 at 8:15 AM, Alistair Johnson <amcljohn...@gmail.com>
> wrote:
>
>> Hi Brandon,
>>
>> Thanks for your comment. Confirming that I've tried risk=3 with
>> level=5 with the same results. I've looked more closely at the
>> requests that sqlmap is sending to check if the parameter is
>> injectable. It is testing the Sec parameter with values such as:
>>
>> PackageSelection) AND 1477=7114
>> PackageSelection) AND 1631=1631
>> PackageSelection') AND 5603=7729
>> PackageSelection') AND 1631=1631
>> PackageSelection' AND 3943=9381
>> PackageSelection' AND 1631=1631
>> PackageSelection" AND 3324=4690
>> PackageSelection" AND 1631=1631
>> PackageSelection) AND 4734=6616 AND (6346=6346
>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>
>> When in fact, I assume it would need to use logic like I used to get
>> distinguishable responses:
>>
>> PackageSelection (returns response A)
>> PackageSelection' AND '1'='1 (returns response A)
>> PackageSelection' AND '1'='2 (returns response B)
>>
>> In a nutshell, it doesn't appear to be trying single quotes and values
>> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
>> typical format for checking boolean-based blind SQLi.
>>
>> Cheers,
>>
>> Alistair.
>>
>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry
>> <bperry.volat...@gmail.com> wrote:
>> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
>> >
>> > Alistair, have you tried --risk=3 with --level=5 yet?
>> >
>> > Sent from a phone
>> >
>> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>> >
>> > Can you please send the unredacted content of request.txt to my address?
>> >
>> > If not, then please at least send me the content of the traffic file which you
>> > can obtain by just appending "-t traffic.txt" to the regular sqlmap run.
>> >
>> > Bye
>> >
>> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>> >>
>> >> Thanks for the quick reply.
>> >>
>> >> The contents of the request file are as follows:
>> >>
>> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>> >> Host: <redacted>
>> >> Accept: */*
>> >> Accept-Language: en
>> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>> >> Connection: close
>> >> Referer: <redacted>
>> >> Cookie: <redacted>
>> >>
>> >> I've redacted some of the details as it's not appropriate to draw
>> >> attention to an internet facing application's SQLi vulnerability.
>> >>
>> >> When providing the request file as part of the following command:
>> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>> >> 'industries' -v 1
>> >>
>> >> sqlmap executes as normal but cannot identify (and therefore cannot
>> >> exploit) the boolean-based blind vulnerability which I've verified
>> >> manually.
>> >>
>> >> Thanks again,
>> >>
>> >> Al.
>> >>
>> >>
>> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
>> >> <miroslav.stam...@gmail.com> wrote:
>> >> > And what is the content of request file?
>> >> >
>> >> > Bye
>> >> >
>> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson
>> >> > <amcljohn...@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Hi sqlmappers,
>> >> >>
>> >> >> I'm a fairly experienced user of sqlmap, having used it extensively in
>> >> >> the past. I came across what appeared to be pretty typical boolean-based
>> >> >> blind SQLi in an application I'm (legally) testing. However, for the
>> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
>> >> >> vulnerable and exploit it further. And as we know, manually exploiting
>> >> >> blind SQLi is cumbersome to say the least.
>> >> >>
>> >> >> Here is a summary of the requests I've made to manually confirm the
>> >> >> vulnerability.
>> >> >>
>> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>> >> >>
>> >> >> I've tried various sqlmap flags and thought the following command
>> >> >> would give me the best chance of success:
>> >> >>
>> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>> >> >> 'industries' -v 1
>> >> >>
>> >> >> Note: the string 'industries' is text that appears in response A but
>> >> >> not response B.
>> >> >>
>> >> >> I've looked at the requests that sqlmap is sending in the background
>> >> >> (proxied through burp). It appears that it's attempting to exploit
>> >> >> this with the AND statement as it should but is not using single
>> >> >> quotes as per my example above.
>> >> >>
>> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
>> >> >> more than happy to contribute some time to improve it so it can
>> >> >> identify injectable parameters such as these in the future.
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >> Al.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> ------------------------------------------------------------------------------
>> >> >> One dashboard for servers and applications across
>> >> >> Physical-Virtual-Cloud
>> >> >> Widest out-of-the-box monitoring support with 50+ applications
>> >> >> Performance metrics, stats and reports that give you Actionable
>> >> >> Insights
>> >> >> Deep dive visibility with transaction tracing using APM Insight.
>> >> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>> >> >> _______________________________________________
>> >> >> sqlmap-users mailing list
>> >> >> sqlmap-users@lists.sourceforge.net
>> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Miroslav Stampar
>> >> > http://about.me/stamparm
>> >
>> >
>> >
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>> >
>> >
>>
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
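An added example, not code from this thread or from sqlmap, showing how a defender can recognise in web server access logs all three boolean-based probe shapes discussed above: sqlmap's bare `) AND n=m` tests, the quote-balanced `' AND '1'='1` form that Alistair used by hand, and the comment-terminated `' AND 1=1#` form Brandon describes. The log lines are constructed to mirror the thread's requests, and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Probe shapes from the thread:  sqlmap default ") AND 1477=7114" / "' AND 1631=1631",
# quote-balanced "' AND '1'='1" (app supplies the closing quote), and
# comment-terminated "' AND 1=1#" (closing quote swallowed by the comment).
PROBE = re.compile(r"""(?ix)
    (?P<prefix>['")]*)\s*\b(?:and|or)\b\s*\(?\s*   # close literal/parenthesis, then AND/OR
    ['"]?\d+['"]?\s*=\s*                          # left side: n or 'n'
    (?P<rq>['"]?)\d+(?P<rq2>['"]?)                # right side, quotes captured separately
    \s*(?P<comment>--|\#|/\*)?                    # optional comment terminator
""")

def classify_value(value):
    """Return the probe style found in one decoded parameter value, or None."""
    m = PROBE.search(value)
    if not m:
        return None
    if m.group("comment"):
        return "comment-terminated"
    if m.group("rq") and not m.group("rq2"):
        return "quote-balanced"      # '1'='1 with no trailing quote
    return "bare"                    # sqlmap's plain n=m tests

def scan_request(line):
    """Parse one access-log request line ("GET /path?qs HTTP/1.1"); list probed params."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        style = classify_value(value)
        if style:
            hits.append((name, style))
    return hits

# Constructed log lines mirroring the thread's requests (%27=' %29=) %3D== %23=#).
SAMPLE_LOG = [
    "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1",
    "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 HTTP/1.1",
    "GET /help/UserGuide.aspx?Sec=PackageSelection%29+AND+1477%3D7114 HTTP/1.1",
    "GET /help/UserGuide.aspx?Sec=fdsa%27+AND+1%3D1%23 HTTP/1.1",
]

def scan_log(lines):
    """Aggregate probe styles per parameter across many log lines."""
    seen = {}
    for line in lines:
        for name, style in scan_request(line):
            seen.setdefault(name, set()).add(style)
    return {name: sorted(styles) for name, styles in seen.items()}
```

A rule that only looks for the bare `AND n=m` shape would miss the quote-balanced requests Alistair sent by hand, which is the same blind spot in reverse that he reports for sqlmap.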