Simple SQL Injection testing

In this post I will write up my own simple penetration test, trying to exploit Phrogress with a common SQL injection vulnerability. To simplify and automate the testing process, we are going to use the tool sqlmap.

We are going to test the Project Details page. To access the page we need to be authenticated first, so we pass our session cookie to sqlmap in a cookie header. The `*` at the end of the URL marks the project id path segment as the injection point.

adam@redframe:~$ sqlmap -u "http://0.0.0.0:3000/projects/3*" --headers="cookie: _phrogress_session=ZGpOTUQ5aEFic243ZGxsR1Q2QmsrNzYzbWJlWXZJQjN0ZnBuN0NtYWVaNVV1bzAwS2c1bENQbTlVRHNhdnNEQndqYUg5UkZmdWhqcEJyNWU1clhKem56cHVNeU1XbzdEZVZZc3pCNFE0L2txem8rd2dNdnRNWi8vcmtUMVF5N01JWklnQnBEYjlxVDZYWlRSc2QzbDZLOGhObVFtTHZvZWJGcWx5OGs0bU5HV08xalFyWVBHbzlxeWtLVS9Fc2Fad3A2Y0ViM3VVQ0l0V2NBUEZvV1RqNDVwcmx6dWJ0Q3lmQ1VaS3c0SUlVWm5xZEtFdTU4UUFwNUFPK2gxb3FpTDUxSXNUMjhaSkwvbzZEd0Y2SWRHZXV0d2k4eno2VUM1aXNzTlZueTl3TGF5WWdYZTAyUzk5dHl0aDdnNHd6eElZZXhDcTdlS2ZSa0VRdXNqSGUyUzRhK3BWcmtWaStZcHNkb2UxcGxXYi9qRTl3Q1pBeUtCWVZhTFBmVnU0RGxEMkdvTmtuckNrQUNHUHNUMDlHb0JjTU5qeXorYmZyME1YTnc2dWk0RHRFZVlrUzA3dUhjVkhKQUtETE5ZbFNyci0tR0FYcndKMGVOWlhBaEg1MjhsU3o2Zz09--4341b6586c94c6d60e93abd70df968f889316650"
 ___
 __H__
 ___ ___[']_____ ___ ___ {1.0.10#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
 |_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:45:06

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[13:45:12] [INFO] testing connection to the target URL
[13:45:12] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[13:45:12] [INFO] testing if the target URL is stable
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] y
[13:45:16] [INFO] target URL is stable
[13:45:16] [INFO] testing if URI parameter '#1*' is dynamic
[13:45:16] [INFO] confirming that URI parameter '#1*' is dynamic
[13:45:17] [INFO] URI parameter '#1*' is dynamic
[13:45:17] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[13:45:17] [INFO] testing for SQL injection on URI parameter '#1*'
[13:45:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:45:18] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[13:45:19] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[13:45:20] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:45:20] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:45:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:45:22] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[13:45:22] [INFO] testing 'MySQL inline queries'
[13:45:22] [INFO] testing 'PostgreSQL inline queries'
[13:45:22] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:45:22] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:45:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[13:45:24] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[13:45:24] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[13:45:25] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:45:26] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[13:45:27] [INFO] testing 'Oracle AND time-based blind'
[13:45:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:45:28] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[13:45:38] [WARNING] URI parameter '#1*' does not seem to be injectable
[13:45:38] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[13:45:38] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times, 500 (Internal Server Error) - 138 times

[*] shutting down at 13:45:38


The result shows that none of sqlmap's common SQL injection techniques and payloads were able to exploit the project id parameter. Note that the server answered 138 of the probes with HTTP 500, which sqlmap itself warns can interfere with its tests, so this says the default-level probes found nothing, not that the parameter is proven safe. That’s it.
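Phrogress's own controller code is not shown on this page, so the following is an added example and not the project's code: a Python stand-in (using the standard library `sqlite3` module) for the `/projects/:id` lookup, written once with string interpolation and once with strict integer coercion plus a bound parameter. It also implements the comparison behind the "AND boolean-based blind" test sqlmap ran above (does `AND 1=1` answer differently from `AND 1=2`?) and a check for the kind of unhandled database error that would surface as the HTTP 500 responses in the run. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample data (not Phrogress's real schema): a minimal projects table.
SAMPLE_PROJECTS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db():
    """Return an in-memory SQLite connection populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO projects VALUES (?, ?)", SAMPLE_PROJECTS)
    return conn


def find_project_vulnerable(conn, raw_id):
    """Hypothetical vulnerable lookup: the route segment is pasted into the SQL text.

    Anything sqlmap appends after the '*' marker becomes part of the statement,
    and a malformed payload raises a database error (the analogue of a 500).
    """
    sql = f"SELECT id, name FROM projects WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def find_project_safe(conn, raw_id):
    """Hardened lookup: the id must parse as a base-10 integer, then it is bound.

    Non-numeric input yields an empty result (a controller would turn that into
    a 404), and the driver sends the value separately from the statement text,
    so the input can never change the query's structure.
    """
    try:
        project_id = int(raw_id, 10)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name FROM projects WHERE id = ?", (project_id,)
    ).fetchall()


def boolean_blind_differential(lookup, conn, base_id):
    """Mirror sqlmap's boolean-based blind check for a single parameter.

    Returns True when a true and a false appended condition produce different
    responses, which is the oracle a blind injection needs; a hardened lookup
    must return False here.
    """
    true_case = lookup(conn, f"{base_id} AND 1=1")
    false_case = lookup(conn, f"{base_id} AND 1=2")
    return true_case != false_case


def raises_server_error(lookup, conn, raw_id):
    """Return True if the lookup lets a database error escape for this input.

    In a web app an escaped exception becomes an HTTP 500, exactly the response
    sqlmap warned about during the run.
    """
    try:
        lookup(conn, raw_id)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for name, lookup in (("vulnerable", find_project_vulnerable),
                         ("safe", find_project_safe)):
        print(f"{name}: differential={boolean_blind_differential(lookup, db, 3)}"
              f" error_on_quote={raises_server_error(lookup, db, '3' + chr(39))}"
              f" tautology_rows={len(lookup(db, '3 OR 1=1')) if not raises_server_error(lookup, db, '3 OR 1=1') else 'error'}")
```

Running the script shows the vulnerable lookup returning a different row set for `AND 1=1` than for `AND 1=2`, raising on an unbalanced quote, and returning every project for `3 OR 1=1`; the hardened lookup answers all three with the same empty result, which is what makes sqlmap report the parameter as not injectable.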
