
I have a known sqli vulnerability that I'd like to try out with sqlmap in a web application; however, I don't believe sqlmap is able to figure this one out. Here's how the system works:

  • Inject on a given parameter, s, in Thread 1.
  • Thread 1 dispatches the information to a second thread. Thread 1 always returns an HTML message immediately with a status of "Pending".
  • Thread 2 now executes the sqli and writes a file to a location in the web site I can look up. It also returns a Success message.

I cannot directly call the private method that Thread 2 executes, so I need to start with the dispatcher. However, I believe sqlmap can only find that this is a successful injection if it could read the outcome of thread 2. Does anyone have any idea how I could get sqlmap to understand this sequence?

1 Answer


This appears to be some type of what is known as Second Order SQL Injection.

Even if Thread 1 writes to a queue instead of to a DB, as the injection does not happen as a direct result of it, sqlmap cannot be used to exploit the vulnerability.

Sqlmap looks for error messages in responses or differences in timing (for blind SQL injection) to determine whether a page is vulnerable. Since these types of attack will usually be undetectable using these methods (unless it does alter the original page - but then you've got a latency issue), sqlmap would not be able to exploit it.

SilverlightFox
  • Great. Thank you for the link. I finally got it working by standing up an intercepting proxy and making the second request before returning to sqlmap. E.g. sqlmap->proxy->server->proxy->server->proxy->sqlmap. It took a bunch of finagling, but tricks sqlmap into working correctly. I'm marking you correct anyways, since my way is a bit of a nasty hack. – tophersmith116 May 08 '15 at 14:11
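As an added illustration, not code from the question or the answer, of the point the answer makes: a constructed two-stage model in which stage 1 only enqueues the parameter and always answers "Pending", so a probe that reads the dispatcher's reply sees identical responses for a clean value and one that breaks the SQL; the error surfaces only in the stage-2 result, and a parameterised stage 2 removes it. The table, column and queue names are assumptions.

```python
import itertools
import queue
import sqlite3

# Constructed, in-memory stand-in for the web application described in the
# question; nothing here touches a real service.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT)")
conn.executemany("INSERT INTO posts (author) VALUES (?)", [("alice",), ("bob",)])

job_queue = queue.Queue()   # hand-off from Thread 1 to Thread 2
results = {}                # stands in for the file location Thread 2 writes to
_ids = itertools.count(1)


def dispatcher(s):
    """Stage 1: store the request and reply at once, before any SQL has run.
    The reply carries no information about the value of s."""
    job_id = next(_ids)
    job_queue.put((job_id, s))
    return {"status": "Pending", "job": job_id}


def worker_vulnerable():
    """Stage 2 as described in the question: the stored value is spliced into SQL.
    Any error appears here, one request later, not in the dispatcher's reply."""
    job_id, s = job_queue.get()
    try:
        rows = conn.execute(
            "SELECT id FROM posts WHERE author = '" + s + "'").fetchall()
        results[job_id] = "Success: %d rows" % len(rows)
    except sqlite3.Error as e:
        results[job_id] = "Error: %s" % e
    return results[job_id]


def worker_fixed():
    """Hardened stage 2: a bound parameter keeps the stored value out of the SQL grammar."""
    job_id, s = job_queue.get()
    rows = conn.execute("SELECT id FROM posts WHERE author = ?", (s,)).fetchall()
    results[job_id] = "Success: %d rows" % len(rows)
    return results[job_id]


if __name__ == "__main__":
    # A realistic value containing a quote is enough to break the concatenated
    # query, yet both stage-1 replies read "Pending".
    print(dispatcher("alice"), worker_vulnerable())
    print(dispatcher("O'Brien"), worker_vulnerable())
    print(dispatcher("O'Brien"), worker_fixed())
```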