I tried that with a custom mark for --data. The point I need to hit is the RemotingMessage AMF object with the data Params of "RemoteUsername=null" and "RemotePassword=null"; this triggers the exception by hand. I'm trying to figure out if I can get sqlmap to do this. It's not looking like it.
*"1432680462000 onFault ñ9com.chromeriver.exception.CrException: com.cougar.lang.CGException: DB Error: 1452-23000-Cannot add or update a child row: a foreign key constraint fails (`xxxxx_expense`.`tbl_PersonPassword`, CONSTRAINT `FK_tbl_PersonPassword_UK` FOREIGN KEY (`PersonID`) REFERENCES `tbl_Person` (`PersonID`)) at "*

I know the shady lady is there .... So close ;)

Thanks Guys.
Chris.

On Fri, May 29, 2015 at 7:01 AM, <sqlmap-users-requ...@lists.sourceforge.net> wrote:

> Today's Topics:
>
> 1. AMF sqli injection (Christopher Downs)
> 2. Re: AMF sqli injection (Brandon Perry)
> 3. Re: AMF sqli injection (Brandon Perry)
> 4. Re: AMF sqli injection (Chris Oakley)
> 5. Re: AMF sqli injection (Brandon Perry)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 28 May 2015 13:21:51 -0500
> From: Christopher Downs <chris.do...@chromeriver.com>
> Subject: [sqlmap-users] AMF sqli injection
> To: sqlmap-users@lists.sourceforge.net
>
> Good afternoon gents,
> I am a professional penetration tester and have a rather difficult
> injection point for one of my customers.
>
> I can trigger the exception by pausing traffic with burp and inserting
> NULLs into the user | pass via a back end flex call. Is there a way to
> take advantage of sqlmap to inject via flex remoting objects?
>
> If not I will have to write this myself but I thought I may ask the list
> first.
>
> Thanks.
> Sincerely,
> Christopher M Downs
>
> --
> Chris Downs | System Administrator
> main 888.781.0088
> email chris.do...@chromeriver.com
> web www.chromeriver.com
>
> ------------------------------
>
> Message: 2
> Date: Thu, 28 May 2015 13:59:12 -0500
> From: Brandon Perry <bperry.volat...@gmail.com>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Christopher Downs <chris.do...@chromeriver.com>
> Cc: sqlmap users <sqlmap-users@lists.sourceforge.net>
>
> Flex is hard because you have to update the integer that tells flex how
> long a string is, unless I am mistaken.
>
> If not, you could try with the * marker to tell sqlmap exactly where the
> injection point is.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
> ------------------------------
>
> Message: 3
> Date: Thu, 28 May 2015 14:17:07 -0500
> From: Brandon Perry <bperry.volat...@gmail.com>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Christopher Downs <chris.do...@chromeriver.com>
> Cc: sqlmap users <sqlmap-users@lists.sourceforge.net>
>
> FWIW here is an exploit I wrote a long while back that partly abuses a weak
> AMF endpoint (xxe, not sqli...).
>
> http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html
>
> However, I distinctly remember having to keep the admin password the same
> length as my base AMF request (because I was lazy and didn't feel like
> having to update the integer as well). See the change_admin_password
> method. I basically base64 encoded the request in order to store the base
> request, then decoded it and modified it based on what I wanted to do.
>
> You could make a few requests with different sized usernames to find the
> integer that you will need to manipulate during exploitation.
>
> ------------------------------
>
> Message: 4
> Date: Thu, 28 May 2015 15:24:36 -0400
> From: Chris Oakley <christopher.oak...@gmail.com>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Brandon Perry <bperry.volat...@gmail.com>
> Cc: sqlmap users <sqlmap-users@lists.sourceforge.net>, Christopher
> Downs <chris.do...@chromeriver.com>
>
> "Flex is hard because you have to update the integer that tells flex how
> long a string is"
>
> It might be possible to address this with the --eval option
>
> ------------------------------
>
> Message: 5
> Date: Thu, 28 May 2015 15:12:57 -0500
> From: Brandon Perry <bperry.volat...@gmail.com>
> Subject: Re: [sqlmap-users] AMF sqli injection
> To: Chris Oakley <christopher.oak...@gmail.com>
> Cc: sqlmap users <sqlmap-users@lists.sourceforge.net>, Christopher
> Downs <chris.do...@chromeriver.com>
>
> That could work.
>
> ------------------------------
>
> End of sqlmap-users Digest, Vol 48, Issue 3
> *******************************************
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
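
The length integer Brandon Perry refers to in the quoted digest, shown as an added example (not code from the thread or from sqlmap): in AMF3, an inline string is a variable-length U29 header holding `(byte_length << 1) | 1`, followed by the UTF-8 bytes. The sketch assumes AMF3 inline strings only (no string-reference table), and the sample values are constructed; it shows why swapping a string's bytes without rewriting the header leaves a message the decoder misparses.

```python
# Added example: AMF3 inline-string framing (U29 header + UTF-8 bytes).
# Field names and values in stale_header_demo() are constructed samples.

def encode_u29(n):
    """AMF3 U29: 1-4 bytes, 7 bits per byte, the 4th byte carries 8 bits."""
    if not 0 <= n < 1 << 29:
        raise ValueError("U29 out of range")
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 7), n & 0x7F])
    if n < 0x200000:
        return bytes([0x80 | (n >> 14), 0x80 | ((n >> 7) & 0x7F), n & 0x7F])
    return bytes([0x80 | (n >> 22), 0x80 | ((n >> 15) & 0x7F),
                  0x80 | ((n >> 8) & 0x7F), n & 0xFF])

def decode_u29(buf, pos):
    """Return (value, next_pos) for the U29 starting at buf[pos]."""
    value = 0
    for i in range(4):
        if pos >= len(buf):
            raise ValueError("truncated U29")
        b = buf[pos]
        pos += 1
        if i == 3:                      # last byte uses all 8 bits
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # continuation bit clear: done
            return value, pos

def encode_string(s):
    data = s.encode("utf-8")
    return encode_u29((len(data) << 1) | 1) + data   # low bit 1 = inline value

def decode_string(buf, pos):
    header, pos = decode_u29(buf, pos)
    if not header & 1:
        raise ValueError("string reference, not an inline value")
    end = pos + (header >> 1)
    if end > len(buf):
        raise ValueError("declared length exceeds buffer")
    return buf[pos:end].decode("utf-8"), end

def stale_header_demo():
    """Swap a value's bytes but keep its old header, then decode the result."""
    msg = encode_string("RemoteUsername") + encode_string("alice") + encode_string("next")
    naive = msg.replace(b"alice", b"alice-and-more")   # header still says 5 bytes
    _, pos = decode_string(naive, 0)
    value, pos = decode_string(naive, pos)             # only the first 5 bytes are read
    try:
        decode_string(naive, pos)                      # '-' is now parsed as a header
    except ValueError as exc:
        return value, str(exc)
    return value, None

if __name__ == "__main__":
    print(stale_header_demo())
```
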