sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

SQLMap can't detect "refresh" header #2351

Closed habibiefaried closed 7 years ago

habibiefaried commented 7 years ago

What's the problem (or question)?

The problem occurred when I was testing a private website with Burp Repeater. I put a SQLi character (`'`) and did a POST request from that form. Then I got the error message `Database Error`.

When I was about to exploit this bug with sqlmap, I got this error:

`ERROR: 19:04:11 - there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels.`

Lack of content? This is not possible! So I checked the Burp traffic and here is what I got:

```
HTTP response [50] (200 OK):
Content-length: 0
X-powered-by: PHP/5.2.10-2ubuntu6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Uri: /secret/url
Refresh: 0;url=/secret/url
Server: Apache
Connection: close
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 16 Jan 2017 11:55:21 GMT
Content-type: text/html

..... Blank
```

`Refresh: 0;url=/secret/url` <- sqlmap couldn't detect the refresh header, so sqlmap didn't follow this URL with a GET request. My browser and Burp could do that.

All of the traffic ALWAYS produces blank content and sqlmap didn't follow that refresh URL.

Do you have an idea for a solution?

I think the only problem is the response parser right after you receive the HTTP response. You should detect if there is any refresh string in the HTTP response. If you can detect a "refresh" header, then you have to prompt the user whether they want to follow the URL or not.

How can we reproduce the issue?

  1. Create some login page or form page that is vulnerable to SQL injection
  2. Send your very basic SQLi payload to that form
  3. Send the response with header 200 OK, followed by a Refresh tag (just like above)
  4. The Refresh tag will go to a URL that will give the output of the result (e.g. if you log in, then success or failure will be announced at this URL)
  5. If you try that manually, of course the "Database error" will occur
  6. If you try that with sqlmap, then you will get that "lack of content" error

Full Traffic

```
HTTP request [50]: POST /secret/url HTTP/1.1    <-- this is the target. confirmed vulnerable by burp
Host: secrethost
Accept-language: en
Cookie: PHPSESSID=de946cb8e3bed12620bd3155c7b9228f
Referer: http://secret/url
Content-type: application/x-www-form-urlencoded
Accept: */*
User-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Content-length: 310
Connection: close

parameter that has sqlinjection vuln
```

```
HTTP response [50] (200 OK):
Content-length: 0
X-powered-by: PHP/5.2.10-2ubuntu6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Uri: /secret/url
Refresh: 0;url=/secret/url
Server: Apache
Connection: close
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 16 Jan 2017 11:55:21 GMT
Content-type: text/html
```

Epilogue

Thanks for your time to read and follow up my issue. Any effort will be much appreciated :)
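The detection the report asks for, as an added example that is not sqlmap's own code and not from the issue author: a parser for the Netscape-era `Refresh` value (`<delay>;url=<target>`) that resolves the target against the request URL, plus the equivalent check for the `<meta http-equiv="refresh">` form in a response body, which is the variant the standards actually describe. The request URL, header list and body below are constructed from the redacted traffic quoted in this issue; `next_hop`, `parse_refresh` and the other function names are this example's own.

```python
import re
from urllib.parse import urljoin

# --- constructed sample input, modelled on the traffic quoted in this issue ---
REQUEST_URL = "http://secrethost/secret/url"          # host/path as redacted in the issue
SAMPLE_HEADERS = [                                     # response headers from the issue
    ("Content-length", "0"),
    ("X-powered-by", "PHP/5.2.10-2ubuntu6"),
    ("Uri", "/secret/url"),
    ("Refresh", "0;url=/secret/url"),
    ("Server", "Apache"),
    ("Content-type", "text/html"),
]
SAMPLE_BODY = ""                                       # "..... Blank" in the issue

# <meta http-equiv="refresh" content="..."> in a body: attribute order is not fixed,
# so match the whole tag first and then pull the two attributes out separately.
_META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
_HTTP_EQUIV_RE = re.compile(r"""http-equiv\s*=\s*["']?\s*refresh\s*["']?""", re.IGNORECASE)
_CONTENT_RE = re.compile(r"""content\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def parse_refresh(value):
    """Parse a refresh value ("<delay>[;|,] [url=]<target>") into (delay, target).

    Returns None when the value is not a refresh directive at all.  The target
    is None for a bare "<delay>" (reload the same page).  Quotes around the
    target and a case-insensitive "url=" prefix are tolerated, as browsers do.
    """
    if value is None:
        return None
    parts = re.split(r"[;,]", value.strip(), maxsplit=1)
    try:
        delay = float(parts[0].strip())
    except ValueError:
        return None                       # first token must be the delay
    target = None
    if len(parts) == 2:
        rest = re.sub(r"^\s*url\s*=\s*", "", parts[1].strip(), flags=re.IGNORECASE)
        rest = rest.strip().strip("'\"").strip()
        target = rest or None
    return delay, target


def header_refresh_target(request_url, headers):
    """Absolute URL named by a Refresh *header*, or None if there is none."""
    for name, val in headers:
        if name.lower() == "refresh":
            parsed = parse_refresh(val)
            if parsed and parsed[1]:
                return urljoin(request_url, parsed[1])
    return None


def meta_refresh_target(request_url, body):
    """Absolute URL named by a <meta http-equiv="refresh"> tag in body, or None."""
    for tag in _META_TAG_RE.findall(body or ""):
        if not _HTTP_EQUIV_RE.search(tag):
            continue
        m = _CONTENT_RE.search(tag)
        if not m:
            continue
        content = next(g for g in m.groups() if g is not None)
        parsed = parse_refresh(content)
        if parsed and parsed[1]:
            return urljoin(request_url, parsed[1])
    return None


def next_hop(request_url, headers, body):
    """Where a browser would go next after this response: header first, then body.

    This is the check the issue asks for: a 200 with an empty body and a Refresh
    header is not "lack of content" but a redirect that still has to be followed.
    """
    return header_refresh_target(request_url, headers) or meta_refresh_target(request_url, body)


if __name__ == "__main__":
    print(next_hop(REQUEST_URL, SAMPLE_HEADERS, SAMPLE_BODY))   # http://secrethost/secret/url
```

`next_hop` only decides where the follow-up GET would go; whether a tool follows it automatically or, as the report suggests, prompts first is a policy choice layered on top. Because the delay is parsed separately, a caller can also choose to treat only `0`-second refreshes as redirects and ignore slow ones.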

stamparm commented 7 years ago

sqlmap is not doing anything wrong here. The `Refresh` header doesn't exist in any RFC nor similar standard. It is an obsolete feature coming from the Netscape era (Reference: http://stackoverflow.com/a/283794). I could do a patch for this, but as said, it is an imaginary/non-existent header. The proper way for this functionality is the usage of `<meta http-equiv="refresh" ...>`.

habibiefaried commented 7 years ago

Oh okay @stamparm. So is there any mode in sqlmap that can override sqlmap's refresh regex matching? I found that at https://github.com/sqlmapproject/sqlmap/blame/master/lib/request/connect.py

Thanks anyway

stamparm commented 7 years ago

Done with 121f037

habibiefaried commented 7 years ago

See my comment on your commit @stamparm

Thanks!