On 14 December 2011 15:51, Chris Oakley <christopher.oak...@gmail.com> wrote:
> Hi All
>
> I'm having problems with an injection that I think is real.
>
> It's a standard POST request with one of the parameters of the data sent
> being vulnerable. This all happens in an unauthenticated area of the
> application, so there's no need to set the cookie value etc.
>
> The injection point was found with Burp Scanner. It has the following to
> say:
>
> Issue detail
> The BLAH parameter appears to be vulnerable to SQL injection attacks. The
> payload %00' was submitted in the BLAH parameter, and a database error
> message was returned. You should review the contents of the error message,
> and the application's handling of other input, to confirm whether a
> vulnerability is present. The database appears to be PostgreSQL. The
> application attempts to block SQL injection attacks but this can be
> circumvented by submitting a URL-encoded NULL byte (%00) before the
> characters that are being blocked.
>
> The server response looks like this:
>
> HTTP/1.1 202 Accepted
> Server: Apache-Coyote/1.1
> Vary: Accept-Encoding
> Cache-Control: no-cache
> Content-Type: text/xml;charset=UTF-8
> Date: Wed, 14 Dec 2011 12:48:30 GMT
> Content-Length: 7754
>
> <?xml version="1.0" encoding="UTF-8"?>
> <errors><error><text><![CDATA[could not load an entity:
> [vyre.content.CollectionSchema#165']; nested exception is
> org.hibernate.exception.DataException: could not load an entity:
> [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException:
> could not load an entity: [vyre.content.CollectionSchema#165']
>         at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
>         at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
>         at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
>         at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
>         at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
>         at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
>         at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
>         at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
>         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
>         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>         at $Proxy17.load(Unknown Source)
>         at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
>         at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>         at java.lang.Thread.run(Thread.java:619)
> Caused by: org.hibernate.exception.DataException: could not load an entity:
> [vyre.content.CollectionSchema#165']
>         at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
>         at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
>         at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
>         at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
>         at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
>         at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
>         at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
>         at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
>         at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
>         at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
>         at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
>         at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
>         at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
>         at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
>         at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
>         at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
>         ... 46 more
> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence
> for encoding "UTF8": 0x00
>         at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
>         at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
>         at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
>         at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
>         at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
>         at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
>         at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>         at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>         at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
>         at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
>         at org.hibernate.loader.Loader.doQuery(Loader.java:674)
>         at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
>         at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
>         ... 59 more
> ]]></stack-trace></error></errors>
>
> I've worked my way up to the following sqlmap command:
>
> C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax" --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql --union-char=1 --tamper=appendnullbyte -f -b
>
> sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
> http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 15:33:52
>
> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
> [15:33:53] [INFO] using '*****\session' as session file
> [15:33:53] [INFO] testing connection to the target url
> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
> [15:34:03] [INFO] url is stable
> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 columns'
> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 columns'
> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 columns'
> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 columns'
> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
>
> [*] shutting down at 15:42:42
>
> I didn't start with all of those arguments for sqlmap - I've tried it
> without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and
> --tamper=appendnullbyte and got pretty much the same results for each.
>
> Maybe it's not injectable, but I'd like people's input before I write it off,
> since it looks very suspect to me.
>
> Thanks
>
> Chris
>
Have you tried working it by hand to see if you can inject something basic into it? I'd get Burp repeater on it and manually work on confirming whether there is injection there or not. Look for something basic like adding a delay or limiting/opening the number of results returned.

Robin

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
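A triage helper for a scanner finding like the one Chris quotes above, written here as an added example; it is not code from the thread, from sqlmap or from Burp. It walks the XML error body to the innermost "Caused by:" line and separates two cases that look alike in a scanner report: PostgreSQL refusing a 0x00 byte in a text value (which it does for bound parameters as well, so the error alone does not show that input reached the SQL text) and a genuine SQL syntax error (which does). The element names (errors/error/text/stack-trace) follow the response in the thread; the sample body is a constructed, shortened copy of that response, and the frame check for "PreparedStatement" is a heuristic I am assuming, not something the thread states.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the XML error body quoted in the
# thread. Only the frames needed for triage are kept.
SAMPLE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
\tat org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
\tat org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
\tat org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
\tat org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
\tat org.hibernate.loader.Loader.doQuery(Loader.java:674)
]]></stack-trace></error></errors>"""

# Constructed variant: same body, but the database reports a real parse
# error, which is what string concatenation into SQL text produces.
SAMPLE_BODY_SYNTAX = SAMPLE_BODY.replace(
    'invalid byte sequence for encoding "UTF8": 0x00',
    "unterminated quoted string at or near \"'\"",
)

# PostgreSQL error texts. The first one is raised for any text value that
# contains 0x00, bound parameters included; the second group only appears
# when the server's SQL parser saw the input as part of the statement.
NUL_ENCODING_RE = re.compile(r'invalid byte sequence for encoding "UTF8": 0x00')
SYNTAX_RE = re.compile(
    r"syntax error at or near|unterminated quoted string|unterminated quoted identifier"
)


def parse_error_body(body):
    """Return (message, stack_trace) from the errors/error XML structure."""
    root = ET.fromstring(body.encode("utf-8"))
    text = root.findtext("error/text") or ""
    trace = root.findtext("error/stack-trace") or ""
    return text, trace


def root_cause(stack_trace):
    """Innermost 'Caused by:' line of a Java stack trace (first line if none)."""
    causes = [
        line[len("Caused by: "):].strip()
        for line in stack_trace.splitlines()
        if line.startswith("Caused by: ")
    ]
    if causes:
        return causes[-1]
    return stack_trace.strip().splitlines()[0] if stack_trace.strip() else ""


def uses_prepared_statement(stack_trace):
    """Heuristic (assumption): a JDBC PreparedStatement frame in the trace
    suggests the value was sent as a bound parameter, not spliced into SQL."""
    return "PreparedStatement" in stack_trace


def triage(body, payload):
    """Classify an error response produced by `payload` (already URL-decoded)."""
    _, trace = parse_error_body(body)
    cause = root_cause(trace)
    if SYNTAX_RE.search(cause):
        verdict = "syntax_error"
        note = ("input reached the SQL parser as statement text; "
                "treat as injection and fix by binding the value as a parameter")
    elif "\x00" in payload and NUL_ENCODING_RE.search(cause):
        verdict = "nul_byte_rejected"
        note = ("PostgreSQL rejects 0x00 in any text value, bound parameters "
                "included; not evidence of injection by itself. Re-test with "
                "the same payload minus the NUL byte and compare the error")
    else:
        verdict = "inconclusive"
        note = "root cause does not match a known pattern; review by hand"
    return {
        "verdict": verdict,
        "root_cause": cause,
        "prepared_statement": uses_prepared_statement(trace),
        # A stack trace reaching an unauthenticated client is a finding on
        # its own (verbose error disclosure), whatever the verdict.
        "discloses_stack_trace": bool(trace.strip()),
        "note": note,
    }


if __name__ == "__main__":
    # Burp's payload was %00' which decodes to a NUL byte followed by a quote.
    for key, value in triage(SAMPLE_BODY, "\x00'").items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the verdict is `nul_byte_rejected` with `prepared_statement` true and `discloses_stack_trace` true: the thing to report is the stack trace leaking to anonymous users, while the injection claim needs a re-test without the NUL byte before it goes in a report.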