I have found a simple boolean blind SQL vulnerability and want to let sqlmap do the iterating for me but it doesn't seem to work, I have the impression it tries to start at a point that I'm far beyond. Here are the details. The vulnerability is like this
and I can query like this
http://host/path?param=123' or 10 = (select len(system_user()));--
(URL encoded of course). If the second or condition is true I'll get somewhere in the response "Found 1000 hits". If it is false there will be "Found 0 hits". So now I can easily do a binary search with
http://host/path?param=123' or 100 < (select ascii(substring(system_user(), 1, 1));--
character per character (it is MS SQL Server in case you haven't noticed). This looks so bloody easy I cannot understand that sqlmap keeps telling me "param doesn't seem to be injectable". Here is the sqlmap call I've tried:
sqlmap -u "http://host/path?param=123" -p param --current-user --dbms mssql --prefix="123' or " --suffix=";--" --risk 3 --level 2
I've played with --risk, --level and --technique=B and also --string="Found 1000 hits". Nothing helps. How can I tell sqlmap to not search for anything but just do this silly iteration?
Injection points as simple as your example can certainly be picked up by sqlmap.
Here are some troubleshooting ideas:
Could the server use a WAF or otherwise react to the sqlmap user-agent (
--user-agent to specify the same user-agent as your browser has (or a generic one).
Does the server react differently on rapid consecutive HTTP requests? You can use
--delay to specify a delay interval between requests.
For such a straightforward injection you usually don't need to specify
--suffix. Better omit them to not mess with sqlmap's own process of analysis.
Try to omit
--dbms mssql if you're not 100% sure about the backend DBMS. sqlmap can usually figure that out itself.
Could the requests be authenticated or depend on some cookie settings you're unaware of? Use
--cookie to add the same cookies that might be set in your browser.
Debug the requests and responses by sqlmap and compare them with what you're getting in your browser. You can set a high output verbosity level (e.g.
-v 6) to overserve the entire HTTP traffic.
curl to verify that the manual injection generally works outside your browser. E.g.:
curl "http://host/path?param=123' or 10 = (select len(system_user()));--" | grep "1000 hits"
External links referenced by this document: