
I implemented a small website for penetration testing purposes using the Vaadin framework. I have a MySQL database running in the background as well as a Jetty server.

The website is vulnerable to manual SQL injection attacks. But when I want to use a powerful tool such as sqlmap, I can't find any vulnerabilities. The main reason is that the URL of my website doesn't contain injectable parameters. Instead I get the following message:

!main/test: event not found

How can I change the URL to be vulnerable?

http://localhost:8080/#!main/text
Anders
  • A website can be designed in hundreds of ways. Where do you get the `event not found` message (tomcat log?), and how do you do the manual injection if the URL does not have any parameters? (btw, URL parameters go after `?`, anything after a `#` should never be sent to the server) – grochmal Sep 27 '16 at 13:22
  • A website may be designed in hundreds of ways, but this depends mostly on the frameworks you are using. I am using Vaadin and the `#` character is automatically set up in the URL. The `event not found` message was displayed in my sqlmap terminal. Do you have any experience with `vaadin`? – Nazar Medeiros Sep 27 '16 at 13:27
  • No, absolutely no experience with vaadin, just plain tomcat. But I assume that you're running it on top of tomcat since that would be the easiest deployment. But remember that this is sec.SE not SO, you are responsible for the explanation of where the security part comes in. SQL injection is not irrelevant from webserver, but the use of `#` and `?` in a URL is. – grochmal Sep 27 '16 at 13:35

2 Answers

Sqlmap does not see any injectable requests. Vaadin heavily relies on client-side JavaScript. This is very common with current frameworks. To get a better idea, take a look at the W3C's Usage Patterns For Client-Side URL parameters.

You could try to log the request from the browser via the developer tools or use, e.g., ZAP. From there you should be able to identify the right request. I would also recommend manually validating the SQL injection vulnerability with ZAP. Then you can be sure that you exploit the vulnerability and try sqlmap with that request.

Also, be aware that Vaadin utilizes CSRF tokens that might screw with automated attacks.

S.L. Barth
C Bauer
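The point above about client-side URLs can be checked without Vaadin or a network: the following added example (not code from the answer or from the Vaadin project, standard library only) lets `urllib` split the question's URL the way a browser does and captures the request line `http.client` would put on the wire, so you can see that everything after `#` never reaches the server and there is no query string for sqlmap to test. A second constructed URL with a real `?q=` parameter shows what a server-visible parameter looks like by contrast.

```python
import http.client
import urllib.parse
import urllib.request


class CapturingSocket:
    """Stand-in for a TCP socket: records the bytes http.client would send."""

    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def close(self):
        pass


def wire_request_for(url: str) -> dict:
    """Return what an HTTP client actually sends for a URL with a '#!' fragment.

    urllib.request.Request splits the URL like a browser: path and query become
    the request target, the fragment stays on the client. http.client then
    writes the request line into the capturing socket, so nothing is connected.
    """
    req = urllib.request.Request(url)              # splits off the fragment
    parts = urllib.parse.urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80)
    conn.sock = CapturingSocket()                  # no real connection is opened
    conn.request("GET", req.selector)              # selector = path + query only
    request_line = conn.sock.sent.split(b"\r\n", 1)[0].decode()
    conn.close()
    return {
        "fragment_kept_by_client": req.fragment,   # e.g. "!main/text", never sent
        "query_sent": parts.query,                 # "" -> nothing for sqlmap to inject
        "request_line": request_line,              # what the Jetty/Vaadin server sees
    }


if __name__ == "__main__":
    # Constructed URLs: the one from the question, plus one with a real query parameter.
    for u in ("http://localhost:8080/#!main/text",
              "http://localhost:8080/search?q=test#!main/text"):
        print(u, "->", wire_request_for(u))
```

The real Vaadin traffic worth pointing sqlmap at is the XHR request the client sends in the background, which is what the developer tools or ZAP capture shows.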

When entering the sqlmap command for this test, are you putting the URL in double quotes? I am guessing no, because I think that sqlmap is trying to process the `!`.

  • Yeah! I used double quotes. But then I tried another way: `sqlmap -u 'http://localhost:8080/#!main/hauptansicht' --dbs --level=3`. No errors, but it can't find injectable parameters. – Nazar Medeiros Oct 04 '16 at 11:23