sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

sqlmap won't follow frames #1617

Closed patosar closed 8 years ago

patosar commented 8 years ago

Of course, sqlmap is working as designed because it doesn't have an HTML parser AFAIK.

But, what happens is that I'm pentesting and I found a potential blind SQL injection in a webapp, via some POST parameter (I'm running sqlmap the following way: python sqlmap.py -u http://redacted/redacted.asp --load-cookies="/cookiejar.txt" --data="redacted=12345678&ano=2015&Radio=redacted&Consultar=redacted" -p ano).

The thing is, the webapp responds to the request with:

>>HTTP Headers and stuff<< <frameset rows="120,*" frameborder="NO" border="0" framespacing="0" cols="*"> <frame name="Titulo" scrolling="NO" noresize src="encabezado.asp" > <frame name="mainFrame" src="rendimiento.asp"> </frameset>

And it happens to be that the SQL error is printed in the encabezado.asp file, but sqlmap does not know that it also has to issue a GET to that file after the first response. (I've confirmed that by using the -t switch.)

What can I do? Is it possible to get sqlmap to follow frames?

stamparm commented 8 years ago

Have you tried with:

--second-order=S.. Resulting page URL searched for second-order response

It should look for the results of the SQLi inside the provided URL.
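The reason the error never shows up in the first response is that the extra GETs for the frame sources are issued by the browser, not by sqlmap. As an added illustration (not sqlmap's own code), the snippet below parses a frameset like the one quoted in the issue and resolves each src against the request URL, which gives the candidate pages one would pass to --second-order; the sample HTML and the redacted host are constructed from the issue text.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class FrameSrcParser(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless
        # attributes such as "noresize" arrive as (name, None).
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def frame_urls(base_url, html):
    """Return the absolute URLs a browser would fetch for the frames in
    `html` received from `base_url`, in document order, without duplicates."""
    parser = FrameSrcParser()
    parser.feed(html)
    parser.close()
    seen, result = set(), []
    for src in parser.sources:
        url = urljoin(base_url, src)  # relative src resolves against the request URL
        if url not in seen:
            seen.add(url)
            result.append(url)
    return result


# Constructed sample modelled on the frameset quoted in the issue.
SAMPLE_URL = "http://redacted/redacted.asp"
SAMPLE_HTML = """<frameset rows="120,*" frameborder="NO" border="0" framespacing="0" cols="*">
 <frame name="Titulo" scrolling="NO" noresize src="encabezado.asp" >
 <frame name="mainFrame" src="rendimiento.asp">
</frameset>"""

if __name__ == "__main__":
    for url in frame_urls(SAMPLE_URL, SAMPLE_HTML):
        print(url)
```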

patosar commented 8 years ago

@stamparm hey! Thanks for the quick reply, love the sqlmap project.

It was exactly what I was looking for, thanks! It worked like a charm.

Still, would it be a nice feature if sqlmap followed frames by default, automatically?

stamparm commented 8 years ago

But which frames? In some pages there are tens of frames, in most cases with junk ads.

patosar commented 8 years ago

@stamparm agreed.

patosar commented 8 years ago

@stamparm could a little reference to frames be added to the --second-order entry in the wiki, so it's easier for everybody in the future to find a solution to this via google?

stamparm commented 8 years ago

Added "(e.g. frame)" to https://github.com/sqlmapproject/sqlmap/wiki/Usage#second-order-attack. There is really no need to put in any more details.

slw07g commented 5 years ago

Can there be a flag added so that frames are processed? Second-order is only a work-around and not feasible when there are many frames.

stamparm commented 5 years ago

@slw07g but why don't you just provide the frame URL as value for --second-url?