http-sql-injection broken in Nmap 7.70

[rtaylor777]

I was trying to follow an SQL injection tutorial (Web Application Penetration Testing course on Cybrary.it) which showed downloading a VM ISO from https://pentesterlab.com/exercises/from_sqli_to_shell. The tutorial showed using nmap to check for SQLI and in the video it returned lots of results. I have not been able to get it to work and I show using curl below to prove there is an SQLI on the target.
root@kali:~# nmap -debug -p80 --script http-sql-injection --script-args
'httpspider.maxpagecount=200,http-sql-injection.url=/cat.php' 10.0.0.21

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-19 19:04 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: httpspider.maxpagecount=200,http-sql-injection.url=/cat.php
NSE: Arguments parsed: httpspider.maxpagecount=200,http-sql-injection.url=/cat.php
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Initiating ARP Ping Scan at 19:04
Scanning 10.0.0.21 [1 port]
Packet capture filter (device eth1): arp and arp[18:4] = 0x08002793 and arp[22:2] = 0x0BC1
Completed ARP Ping Scan at 19:04, 0.03s elapsed (1 total hosts)
Overall sending rates: 34.26 packets / s, 1438.75 bytes / s.
mass_rdns: Using DNS server 10.10.77.254
Initiating Parallel DNS resolution of 1 host. at 19:04
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 19:04, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:04
Scanning 10.0.0.21 [1 port]
Packet capture filter (device eth1): dst host 10.0.0.22 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.0.0.21)))
Discovered open port 80/tcp on 10.0.0.21
Completed SYN Stealth Scan at 19:04, 0.04s elapsed (1 total ports)
Overall sending rates: 22.43 packets / s, 987.01 bytes / s.
NSE: Script scanning 10.0.0.21.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:04
NSE: Starting http-sql-injection against 10.0.0.21:80.
NSE: Finished http-sql-injection against 10.0.0.21:80.
NSE: [http-sql-injection 10.0.0.21:80] Testing 33 suspicious URLs
NSE: [http-sql-injection 10.0.0.21:80] Total number of pipelined requests: 33
NSE: [http-sql-injection 10.0.0.21:80] Number of requests allowed by pipeline: 33
NSE: [http-sql-injection 10.0.0.21:80] Number of received responses: 33
NSE: Finished http-sql-injection against 10.0.0.21:80.
Completed NSE at 19:04, 0.18s elapsed
Nmap scan report for 10.0.0.21
Host is up, received arp-response (0.00022s latency).
Scanned at 2018-04-19 19:04:33 PDT for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:68:6D:A0 (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 218 rttvar: 3756  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

root@kali:~# curl "10.0.0.21/cat.php?id=1'"

<html>
  <head>
    <link rel="stylesheet" id="base" href="css/default.css" type="text/css" media="screen" />
    <title>My awesome Photoblog</title>
  </head>
  <body>
  <div id="header">
    <div id="logo">
      <h1><a href="index.php">My Awesome Photoblog</a></h1>
    </div>
    <div id="menu">
      <ul>  
        <li class="active">
            <a href="/"> Home  |</a> 
        </li>
        	<li><a href="cat.php?id=1">test | </a></li>
	<li><a href="cat.php?id=2">ruxcon | </a></li>
	<li><a href="cat.php?id=3">2010 | </a></li>
        <li>
          <a href="/all.php">All pictures |</a>
        </li>
        <li>
          <a href="/admin/">Admin</a>
        </li>
        </ul>
      </div>
    </div> 
  </div>
    <div id="page">
      <div id="content">
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1    <div class="block" id="block-text">
    <div class="secondary-navigation">
    </div>
  </div>
        <div id="footer">
          <div class="block">
            <p>No Copyright </p>
          </div>
        </div>      
      </div>
    </div>
  </div>
  </body>
</html>

[rtaylor777]

I'm seeing issues with detection of XSS as well. The course shows that I should be getting results:
https://www.javacrypt.com/images/results.jpg
But instead I am seeing(note that without using debug I don't even see that phpself did anything):
root@kali:/usr/share/nmap/scripts# nmap -debug -p80 --script http-stored-xss.nse,http-dombased-
xss,http-phpself-xss --script-args httpspider.maxpagecount=200 10.0.0.20 10.0.0.21 10.0.0.23

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-21 13:07 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: httpspider.maxpagecount=200
NSE: Arguments parsed: httpspider.maxpagecount=200
NSE: Loaded 3 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:07
Completed NSE at 13:07, 0.00s elapsed
Initiating ARP Ping Scan at 13:07
Scanning 3 hosts [1 port/host]
Packet capture filter (device eth1): arp and arp[18:4] = 0x08002793 and arp[22:2] = 0x0BC1
Completed ARP Ping Scan at 13:07, 0.04s elapsed (3 total hosts)
Overall sending rates: 81.45 packets / s, 3421.03 bytes / s.
mass_rdns: Using DNS server 10.10.77.254
Initiating Parallel DNS resolution of 3 hosts. at 13:07
mass_rdns: 0.01s 0/3 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 3]
Completed Parallel DNS resolution of 3 hosts. at 13:07, 0.01s elapsed
DNS resolution of 3 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 3, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 13:07
Scanning 3 hosts [1 port/host]
Packet capture filter (device eth1): dst host 10.0.0.22 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.0.0.20 or src host 10.0.0.21 or src host 10.0.0.23)))
Discovered open port 80/tcp on 10.0.0.21
Discovered open port 80/tcp on 10.0.0.23
Discovered open port 80/tcp on 10.0.0.20
Completed SYN Stealth Scan at 13:07, 0.04s elapsed (3 total ports)
Overall sending rates: 69.45 packets / s, 3055.91 bytes / s.
NSE: Script scanning 3 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:07
NSE: Starting http-phpself-xss against 10.0.0.23:80.
NSE: Starting http-phpself-xss against 10.0.0.21:80.
NSE: Starting http-dombased-xss against 10.0.0.23:80.
NSE: Starting http-phpself-xss against 10.0.0.20:80.
NSE: Starting http-stored-xss against 10.0.0.20:80.
NSE: Starting http-stored-xss against 10.0.0.21:80.
NSE: Starting http-dombased-xss against 10.0.0.21:80.
NSE: Starting http-dombased-xss against 10.0.0.20:80.
NSE: Starting http-stored-xss against 10.0.0.23:80.
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /cat.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /all.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /cat.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /all.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /admin/index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /admin/index.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.21:80] HTTP GET /show.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: [http-phpself-xss 10.0.0.20:80] HTTP GET /show.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
NSE: Finished http-phpself-xss against 10.0.0.21:80.
NSE: Finished http-phpself-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.20:80.
NSE: Finished http-phpself-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.21:80.
NSE: Finished http-phpself-xss against 10.0.0.21:80.
NSE: Finished http-dombased-xss against 10.0.0.21:80.
NSE: Finished http-dombased-xss against 10.0.0.20:80.
NSE: Finished http-dombased-xss against 10.0.0.21:80.
NSE: Finished http-dombased-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.20:80.
NSE: Finished http-stored-xss against 10.0.0.21:80.
NSE: Finished http-stored-xss against 10.0.0.21:80.
NSE: Finished http-stored-xss against 10.0.0.20:80.
NSE: Finished http-phpself-xss against 10.0.0.23:80.
NSE: Finished http-dombased-xss against 10.0.0.23:80.
NSE: Finished http-phpself-xss against 10.0.0.23:80.
NSE: Finished http-dombased-xss against 10.0.0.23:80.
NSE: Finished http-stored-xss against 10.0.0.23:80.
NSE: Finished http-stored-xss against 10.0.0.23:80.
NSE: Finished http-stored-xss against 10.0.0.23:80.
Completed NSE at 13:07, 3.63s elapsed
Nmap scan report for 10.0.0.20
Host is up, received arp-response (0.00043s latency).
Scanned at 2018-04-21 13:07:12 PDT for 1s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:68:6D:A0 (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 430 rttvar: 3784  to: 100000

Nmap scan report for 10.0.0.21
Host is up, received arp-response (0.00055s latency).
Scanned at 2018-04-21 13:07:12 PDT for 1s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:58:EA:54 (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 553 rttvar: 3846  to: 100000

Nmap scan report for 10.0.0.23
Host is up, received arp-response (0.00042s latency).
Scanned at 2018-04-21 13:07:12 PDT for 4s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:D0:BD:5F (Oracle VirtualBox virtual NIC)
Final times for host: srtt: 425 rttvar: 3786  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:07
Completed NSE at 13:07, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 3 IP addresses (3 hosts up) scanned in 4.08 seconds
           Raw packets sent: 6 (216B) | Rcvd: 6 (216B)

If you want me to report this as a separate bug let me know. I think the problem is related.

[dmiller-nmap]

Thanks for the report! I have a few questions to help diagnose the problem:

1. What version of Nmap are they using in the video, and what is the intended output?
2. Does Nmap 6.47 or earlier work for you? That is the last time that this script was functionally changed.
3. Can you (using Nmap 7.70) run the http-sql-injection scan with --script-trace and verify if the error message is returned from the server like in the curl command? You could also use Wireshark for this, comparing what Nmap does to what Curl does and see if it looks like they send different requests or if they receive different responses.

Thanks.

[dmiller-nmap]

Regarding the XSS detection, it doesn't look like the vulnerable path is being requested. The http-phpself-xss script uses the httpspider library to crawl through the target finding links. If the /xss/example8.php path is not linked, then the script won't see it. Can you verify that you can find that page linked from the web pages you are targeting? The same goes for http-dombased-xss and the /xss/example9.php path.

[rtaylor777]

Hi Daniel,
Thanks for the replies. Referring to the original post... The version of nmap that the video is using is 6.49BETA4. I tried version 6.47 and I am still not seeing what I hoped for. This is one of the last streams in wireshark when trying again using Nmap 7.70:

GET /cat.php HTTP/1.1
Connection: close
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Host: 10.0.0.21

HTTP/1.1 200 OK
Date: Sat, 19 May 2018 04:40:02 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 1858
Connection: close
Content-Type: text/html






<html>
  <head>
    <link rel="stylesheet" id="base" href="css/default.css" type="text/css" media="screen" />

    <title>My awesome Photoblog</title>
  </head>
  <body>
    
  <div id="header">
    <div id="logo">
      <h1><a href="index.php">My Awesome Photoblog</a></h1>
    </div>
    <div id="menu">
      <ul>  
        <li class="active">
            <a href="/"> Home  |</a> 
        </li>
        	<li><a href="cat.php?id=1">test | </a></li>
	<li><a href="cat.php?id=2">ruxcon | </a></li>
	<li><a href="cat.php?id=3">2010 | </a></li>
        <li>
          <a href="/all.php">All pictures |</a>
        </li>

I can see that the vulnerable URL cat.php?id=1 is in the returned packet stream but there is no further effort by nmap to access these URLs. I suspect the issue is that spidering is not really happening, since I am not seeing any effort to inject anything.

[rtaylor777]

Hi Daniel,
Please disregard the 2nd post concerning XSS detection. I am able to get results now thanks.

[rtaylor777]

Hi Daniel,
I forgot to run the test with sqltrace. I am seeing evidence that it got the error results that should have indicated an injection, here is a small bit of it:

000002e0: 70 68 70 3f 69 64 3d 33 22 3e 32 30 31 30 20 7c php?id=3">2010 |
000002f0: 20 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20  </a></li>      
00000300: 20 20 20 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20    <li>         
00000310: 20 20 3c 61 20 68 72 65 66 3d 22 2f 61 6c 6c 2e   <a href="/all.
00000320: 70 68 70 22 3e 41 6c 6c 20 70 69 63 74 75 72 65 php">All picture
00000330: 73 20 7c 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 s |</a>         
00000340: 3c 2f 6c 69 3e 0a 20 0a 20 20 20 20 20 20 20 20 </li>           
00000350: 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 3c <li>           <
00000360: 61 20 68 72 65 66 3d 22 2f 61 64 6d 69 6e 2f 22 a href="/admin/"
00000370: 3e 41 64 6d 69 6e 3c 2f 61 3e 0a 20 20 20 20 20 >Admin</a>      
00000380: 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20    </li>        
00000390: 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 3c 2f 64  </ul>       </d
000003a0: 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 20 0a iv>     </div>  
000003b0: 0a 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c    </div>      <
000003c0: 64 69 76 20 69 64 3d 22 70 61 67 65 22 3e 0a 20 div id="page">  
000003d0: 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f      <div id="co
000003e0: 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 ntent">         
000003f0: 0a 0a 20 20 0a 59 6f 75 20 68 61 76 65 20 61 6e      You have an
00000400: 20 65 72 72 6f 72 20 69 6e 20 79 6f 75 72 20 53  error in your S
00000410: 51 4c 20 73 79 6e 74 61 78 3b 20 63 68 65 63 6b QL syntax; check
00000420: 20 74 68 65 20 6d 61 6e 75 61 6c 20 74 68 61 74  the manual that
00000430: 20 63 6f 72 72 65 73 70 6f 6e 64 73 20 74 6f 20  corresponds to 
00000440: 79 6f 75 72 20 4d 79 53 51 4c 20 73 65 72 76 65 your MySQL serve
00000450: 72 20 76 65 72 73 69 6f 6e 20 66 6f 72 20 74 68 r version for th
00000460: 65 20 72 69 67 68 74 20 73 79 6e 74 61 78 20 74 e right syntax t
00000470: 6f 20 75 73 65 20 6e 65 61 72 20 27 27 20 4f 52 o use near '' OR
00000480: 20 73 71 6c 73 70 69 64 65 72 27 20 61 74 20 6c  sqlspider' at l
00000490: 69 6e 65 20 31 20 20 20 20 3c 64 69 76 20 63 6c ine 1    <div cl
000004a0: 61 73 73 3d 22 62 6c 6f 63 6b 22 20 69 64 3d 22 ass="block" id="
000004b0: 62 6c 6f 63 6b 2d 74 65 78 74 22 3e 0a 20 20 20 block-text">    
000004c0: 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 65 63  <div class="sec
000004d0: 6f 6e 64 61 72 79 2d 6e 61 76 69 67 61 74 69 6f ondary-navigatio
000004e0: 6e 22 3e 0a 0a 20 20 20 20 3c 2f 64 69 76 3e 0a n">      </div> 
000004f0: 20 20 3c 2f 64 69 76 3e 0a 0a 0a 0a 0a 20 20 20   </div>        
00000500: 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 66 6f      <div id="fo
00000510: 6f 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 oter">          
00000520: 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6c 6f  <div class="blo
00000530: 63 6b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 ck">            
00000540: 20 3c 70 3e 4e 6f 20 43 6f 70 79 72 69 67 68 74  <p>No Copyright
00000550: 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20  </p>           
00000560: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c </div>         <
00000570: 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 0a 20 /div>           
00000580: 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20      </div>     
00000590: 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a </div>   </div> 
000005a0: 0a 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74     </body> </ht
000005b0: 6d 6c 3e 0a 20 0a                               ml>  

[rtaylor777]

Ignore the bit about not seeing it in wireshark. I am now... just a bit of a brain shortage. So I guess the only issue is it is not reported as being found despite performing the injection and receiving the error indicating an injection occured.

[cldrn]

The problem here was the error detection string generated by this instance of MySQL was missing in our DB. Remember that Nmap as a project can't ship larger databases so it is always a good idea to keep a larger list that you can use for these cases.

In this case I will add two additional error strings taken from this VM to improve detection with the default DB and close this ticket.