Exploiting A Tricky SQL Injection With sqlmap

Like many pentesters, I’m a fan of sqlmap.  It’s often the first and last tool I reach for when exploiting boolean or time-based SQL injection vulnerabilities.

I wanted to briefly document a slightly tricky SQL injection issue I encountered recently and a few of the sqlmap features that impressed me most.

I initially noticed that the following URLs returned the same page:

http://host/script?id=10
http://host/script?id=11-1 # same as id=10
http://host/script?id=(select 10) # same as id=10

Which looks pretty standard. The were a few problems with this injection, though. Firstly “and” and “or” didn’t work for some reason I never figured out:

 http://host/script?id=10 and 1=1 # failed

Secondly, I could’t terminate the query

http://host/script?id=10-- # failed
http://host/script?id=10;-- # failed
http://host/script?id=10);-- # failed
http://host/script?id=10)subquery;-- # failed

I spent a long time trying to terminate the query in burp intruder with a custom dictionary of possible strings. To no avail. I therefore could not make this into a UNION injection.

To exploit it as a boolean injection, I rewrote the URL slightly to help sqlmap – which was struggling because “and” and “or” didn’t work as they normally would:

 http://host/script?id=11-(case when 1=1 then 1 else 0 end)

It was then possible to put ” and 1=2″ etc. after the “1=1” to give two different pages for the true or false response:

http://host/script?id=11 # the "when" clause is false
http://host/script?id=10 # the "when" clause is true

Apparently if you increase the “–level” parameter, sqlmap will try clever stuff like this for you.  I bares illustrating how to do it manually, though.

Telling sqlmap Where To Inject

By default sqlmap will figure out for itself where the injection point it. If you want to guide it, simply add a * to the URL like this:

sqlmap -u http://host/script?id=11-(case when 1=1* then 1)

BTW I’m using SVN version.  Apparently this feature was present in v0.9, but wasn’t documented.  Use the docs from the SVN  read about this feature.

It’s a brilliant feature. I probably wouldn’t have bothered with sqlmap if it didn’t have this feature.

Error Correction

For some reason, the server gave me inconsistent responses (load balancing / general brokenness?). This resulted in about 25% of the chars retrieve by sqlmap being incorrect – not the fault of the tool, but the fault of the server.

This is a problem not faced by sqlmap users when using time-based (“waitfor delay”) injection because sqlmap has a cool feature: error correction.  After each character it extracts, it checks using a true/false query that the character is correct.

It wasn’t too hard to activate the error-correction feature for boolean injections too – in fact I changed a single line of code.

Sweet.  Error-free data from the database.

I’ve mailed Bernardo, sqlmap’s author and hopefully we’ll see this as an optional feature in a future release.  It does mean about 1/8th more queries will be required, but that’s a small price to pay when the server’s giving you bad data.

Tamper Scripts

To further complicate the injection, some characters needed URL encoding – e.g. > to %3E.  My instinct was to use “–tamper=between” which converts “> 5” to “not between 0 and 5”.  However, this made the query too long (a further trickyness of this particular injection).

It was fairly easy to create a custom tamper script based on one of the 20 plus examples that ship with sqlmap:

cd sqlmap/tamper
cp between.py ptm.py
vi ptm.py
../sqlmap.py --tamper=ptm ...

Update: In retrospect –tamper=charencode may have worked.

Support

I found Bernardo very helpful and welcoming of feedback*.  He and Miroslav Stampar have done a great job on this tool.  And it just keeps improving.

*Though, always RTFM (v0.9 SVN version) before contacting him 🙂