Closed habibiefaried closed 7 years ago
sqlmap is not doing anything wrong here. The Refresh header doesn't exist in any RFC or similar standard. It is an obsolete feature from the Netscape era (Reference: http://stackoverflow.com/a/283794). I could do a patch for this, but as said, it is an imaginary/non-existent header. The proper way to get this functionality is to use <meta http-equiv="refresh"....
Oh okay @stamparm. So is there any mode in sqlmap that can override sqlmap's refresh regex matching? I found it in https://github.com/sqlmapproject/sqlmap/blame/master/lib/request/connect.py
Thanks anyway
Done with 121f037
See my comment on your commit @stamparm
Thanks!
What's the problem (or question)?
The problem occurred when I was testing a private website with Burp Repeater. I put an SQLi character (') into that form and sent a POST request from it. Then I got the error message "Database Error".
When I was about to exploit this bug with sqlmap, I got this error:
"Lack of content? This is not possible!". So I checked the Burp traffic and here is what I got:
```
HTTP response [50] (200 OK):
Content-length: 0
X-powered-by: PHP/5.2.10-2ubuntu6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Uri: /secret/url
Refresh: 0;url=/secret/url    <- sqlmap couldn't detect this Refresh header, so it didn't follow this URL with a GET. My browser and Burp could.
Server: Apache
Connection: close
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 16 Jan 2017 11:55:21 GMT
Content-type: text/html

..... Blank
```
All of the traffic ALWAYS produces blank content, and sqlmap didn't follow that refresh URL.
Do you have an idea for a solution?
I think the only problem is in the response parser, right after you receive the HTTP response. You should detect whether there is any refresh string in the HTTP response. If you can detect a "refresh" header, then you should prompt the user whether they want to follow the URL or not.
How can we reproduce the issue?
Full Traffic
```
HTTP request [50]:
POST /secret/url HTTP/1.1    <-- this is the target, confirmed vulnerable by Burp
Host: secrethost
Accept-language: en
Cookie: PHPSESSID=de946cb8e3bed12620bd3155c7b9228f
Referer: http://secret/url
Content-type: application/x-www-form-urlencoded
Accept: */*
User-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Content-length: 310
Connection: close

<parameter that has the SQL injection vuln>

HTTP response [50] (200 OK):
Content-length: 0
X-powered-by: PHP/5.2.10-2ubuntu6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Uri: /secret/url
Refresh: 0;url=/secret/url
Server: Apache
Connection: close
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 16 Jan 2017 11:55:21 GMT
Content-type: text/html
```
Epilogue
Thanks for taking the time to read and follow up on my issue. Any effort will be much appreciated :)
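As an added, stand-alone illustration of the two points raised in this thread (the proposed check for a refresh string in the HTTP response, and stamparm's note that the standard form is `<meta http-equiv="refresh">`), here is example Python that is not sqlmap's own code and not from the original thread. It finds a `Refresh` header or a meta-refresh tag, resolves the URL against the request URL, and decides whether a follow-up GET should be issued. The header list and HTML body are constructed samples mirroring the response quoted in the issue (most headers omitted); all function names are mine.

```python
import re
from urllib.parse import urljoin

# Value of a Refresh header or of a meta-refresh "content" attribute, e.g.
#   "0;url=/secret/url", "5; URL='http://host/x'", "3,url=/x"
# A bare delay with no url= part ("5") means "reload this page" and is ignored here.
_REFRESH_VALUE_RE = re.compile(
    r"""^\s*(\d+)\s*[;,]\s*url\s*=\s*['"]?([^'"\s]+)['"]?""", re.I)

# Crude <meta ...> tag and attribute scanners: enough for the http-equiv case,
# not a general HTML parser.
_META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_refresh_value(value):
    """Return (delay_seconds, raw_url) or None if the value carries no url= part."""
    m = _REFRESH_VALUE_RE.match(value or "")
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def meta_refresh_values(body):
    """Yield the content= value of every <meta http-equiv="refresh"> tag in the body."""
    for tag in _META_TAG_RE.findall(body or ""):
        attrs = {}
        for m in _ATTR_RE.finditer(tag):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        if attrs.get("http-equiv", "").lower() == "refresh" and "content" in attrs:
            yield attrs["content"]


def find_refresh(request_url, headers, body):
    """Return (delay, absolute_url) for the first usable refresh: header first, then meta."""
    for name, value in headers:
        if name.lower() == "refresh":
            parsed = parse_refresh_value(value)
            if parsed:
                return parsed[0], urljoin(request_url, parsed[1])
    for content in meta_refresh_values(body):
        parsed = parse_refresh_value(content)
        if parsed:
            return parsed[0], urljoin(request_url, parsed[1])
    return None


def next_request(request_method, request_url, headers, body, seen):
    """Decide the follow-up a browser would make: ("GET", url) or None.

    `seen` holds (method, url) pairs already fetched in this chain. A refresh is
    always followed with GET, so POST /secret/url -> GET /secret/url (the case in
    the issue) is allowed, while GET /x -> GET /x is reported as None so that the
    caller does not loop forever on a page that refreshes to itself.
    """
    found = find_refresh(request_url, headers, body)
    if found is None:
        return None
    _delay, target = found
    if ("GET", target) in seen:
        return None
    return "GET", target


# Constructed samples, mirroring the response quoted in the issue (other headers omitted).
SAMPLE_REQUEST_URL = "http://secrethost/secret/url"
SAMPLE_HEADERS = [
    ("Content-length", "0"),
    ("Uri", "/secret/url"),
    ("Refresh", "0;url=/secret/url"),
    ("Content-type", "text/html"),
]
SAMPLE_META_BODY = (
    '<html><head><meta http-equiv="refresh" content="3; url=/a/next"></head>'
    "<body></body></html>"
)

if __name__ == "__main__":
    print(find_refresh(SAMPLE_REQUEST_URL, SAMPLE_HEADERS, ""))
    print(next_request("POST", SAMPLE_REQUEST_URL, SAMPLE_HEADERS, "",
                       {("POST", SAMPLE_REQUEST_URL)}))
    print(next_request("GET", SAMPLE_REQUEST_URL, SAMPLE_HEADERS, "",
                       {("POST", SAMPLE_REQUEST_URL), ("GET", SAMPLE_REQUEST_URL)}))
    print(find_refresh("http://secrethost/a/b", [], SAMPLE_META_BODY))
```

The header is checked before the body because, as the issue shows, the body can be empty (`Content-length: 0`) while the header alone carries the redirect. Tracking `(method, url)` pairs rather than bare URLs matters for exactly this traffic: the POST and the follow-up GET hit the same path, and only a second GET to that path is a real loop.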