AND/OR time-based blind and invalid characters #1973

Open
iwantaturboman opened this Issue Jun 21, 2016 · 17 comments


@iwantaturboman

Hi all,
As I said in previous threads, it's very frustrating to retrieve "invalid characters" during an "AND/OR time-based blind" injection. Last week, I spent 12 hours retrieving 80 tables from a database and, of course, some of them had errors.
Example:
sqlmap.py -u http://www.target.com/page.php?id=1 -D database01 --tables --no-cast

80 tables found:
Administr%et%on
Blog
Configuration
Coupon
(...)
Topics

Instead of --fresh-queries, I tried this:
sqlmap.py -u "http://www.target.com/page.php?id=1*" --sql-shell
and then:
sql-shell> SELECT table_name FROM information_schema.tables WHERE table_schema='database01' AND table_name LIKE 'Admin%';
sqlmap answers:
1 table found: Administration
So all is OK.

My question is: is there any way to tell sqlmap to replace the wrong table name "Administr%et%on" (found via the --tables command) with the right one, "Administration" (found via the --sql-shell command)?
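In the meantime, one manual workaround is to edit the session file that sqlmap resumes from. A minimal sketch, assuming the session file is the SQLite database sqlmap keeps per target (under its output directory) and that it uses the storage(id, value) table of sqlmap's HashDB; the layout is an assumption here, so inspect your own session.sqlite first:

```python
# Sketch: patch a wrongly retrieved name inside a sqlmap session file.
# ASSUMPTION: the session file is SQLite with a storage(id, value) table
# (sqlmap's HashDB layout); verify against your own session.sqlite first.
import sqlite3

SESSION = "session.sqlite"   # lives under the per-target output directory
BAD, GOOD = "Administr%et%on", "Administration"

conn = sqlite3.connect(SESSION)
cur = conn.cursor()
# Note: '%' doubles as a LIKE wildcard, so this matches at least every row
# containing the literal garbled name; replace() only touches literal hits.
cur.execute("SELECT id, value FROM storage WHERE value LIKE ?",
            ("%" + BAD + "%",))
for row_id, value in cur.fetchall():
    cur.execute("UPDATE storage SET value = ? WHERE id = ?",
                (value.replace(BAD, GOOD), row_id))
conn.commit()
conn.close()
```

After that, a re-run against the same target resumes the corrected name instead of the garbled one.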

Thanks to all,

@stamparm
Member

One question: we are talking about retrieval of bits via time delays and you are frustrated because of a couple of invalid characters. Why do table names have to be perfectly correct in the sqlmap listing when you yourself know which characters are invalid? I will never understand users' behavior, especially in cases like this. I'll eventually make something for correction of invalid characters, but I am currently on vacation with my family.

@iwantaturboman

Hi stamparm, thanks for your answer. I have no problem with this, but it would be perfect if we could MANUALLY edit those invalid characters. It's frustrating because you have no option but to use --fresh-queries and restart all retrieval from the beginning, hoping that this time everything will be OK.

@stamparm
Member
stamparm commented Jun 27, 2016 edited

@iwantaturboman something like ... -D database01 --tables --fresh-entries "A.*", where A.* represents a regex for all entries that should be retrieved from scratch (in this case, all entries starting with A). Does that sound OK?
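For illustration, a minimal sketch of how such a filter could behave (the --fresh-entries option is hypothetical at this point; it does not exist in sqlmap):

```python
import re

def filter_resumed(entries, fresh_pattern=None):
    """Drop resumed entries matching the (hypothetical) --fresh-entries
    regex so they are re-retrieved from scratch; keep everything else."""
    if not fresh_pattern:
        return entries
    regex = re.compile(fresh_pattern)
    return [entry for entry in entries if not regex.match(entry)]

# Entries resumed from the session file; "A.*" forces everything
# starting with 'A' to be retrieved again from the target.
resumed = ["Administr%et%on", "Blog", "Configuration", "Coupon", "Topics"]
print(filter_resumed(resumed, "A.*"))  # ['Blog', 'Configuration', 'Coupon', 'Topics']
```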

@iwantaturboman

It would be perfect, @stamparm!

@wireghoul
wireghoul commented Sep 26, 2016 edited

It's vital to ensure character accuracy when extracting nonsensical data like password hashes, where the human brain can't easily determine whether a character is bad or not, especially as the character variation can be subtle. Here is an example of flawed extraction from a recent pentest (boolean-based blind with --code=302):
[10:22:26] [INFO] retrieved: PostfqeSOL 9(3.13 on x86_44-unkn
While obvious to the naked eye in this case, a change from g => f, r => q, Q => O, or a 6 to a 4 in a base64 string or a password hash would have a very different impact and could not be spotted.

IIRC there was some intention to support error correction, per http://pentestmonkey.net/blog/exploiting-a-tricky-sql-injection-with-sqlmap
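The idea there boils down to retrieving every character at least twice and only accepting agreeing answers. A rough sketch of that scheme (generic code, not sqlmap's; fetch_char is a placeholder for one full inferential retrieval of a single character):

```python
# Sketch of double-retrieval error correction: accept a character only
# when two independent retrievals agree, retry on mismatch. fetch_char()
# stands in for one full boolean/time-based inference of one character.
def fetch_verified(fetch_char, position, max_tries=5):
    for _ in range(max_tries):
        first = fetch_char(position)
        second = fetch_char(position)
        if first == second:  # both independent runs agree -> accept
            return first
    raise RuntimeError("position %d: no stable value after %d tries"
                       % (position, max_tries))
```

The obvious cost is that every character now takes at least twice as many requests.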

@stamparm
Member
stamparm commented Sep 26, 2016 edited

@wireghoul please don't reference attempts from other parties. Everything currently included in sqlmap is the state of the art in the world of time-based SQL injection, made by us. If you don't like it, you can: A) stop using it and make your own SQLi tool, B) raise --time-sec, or C) let us do our job.

I am sick and tired of battling with users who don't know the basics of Shannon's information theory and information entropy. You have a huge source of entropy on one side (network latency) and on the other you have demanding users with requirements like vital ... to ensure character accuracy. When I tell them to raise --time-sec they all jump to their feet, because they don't want to battle the entropy with the correct weapon (introducing a user-controlled factor, in this case a deliberate delay). Nooooo, they want a gazillion verifications in no time, while nobody is aware that those same verifications eventually become a source of new entropy themselves (if you have N requests per character and you introduce M new requests for validation, each of those validation requests can potentially invalidate EVERYTHING done until now).
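To put rough numbers on that (illustrative arithmetic with an assumed per-request error probability, not measurements): if each request independently comes back wrong with probability p, a character built from N requests is wrong with probability 1-(1-p)^N, and M extra validation requests are exposed to exactly the same noise:

```python
# Illustrative arithmetic only; the per-request error probability p,
# and the counts N and M, are assumed numbers, not measurements.
p = 0.02        # chance a single request is misread (network noise)
N, M = 6, 6     # requests per character / extra validation requests

p_char = 1 - (1 - p) ** N        # character wrong, no validation
p_any = 1 - (1 - p) ** (N + M)   # at least one of the N+M requests misread

print("P(char wrong, no validation)  = %.3f" % p_char)  # ~0.114
print("P(any of N+M requests wrong)  = %.3f" % p_any)   # ~0.215
```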

Anyway, please let me handle all this. I have a trick or two up my sleeve, and none of the things mentioned by you or the referenced third parties are included.

@stamparm
Member
stamparm commented Sep 26, 2016 edited

@wireghoul p.s. I would have introduced some new code in the time-based SQLi department long ago, but as said, I am sick of battling with unknowing users, hence sick of this (verification) topic and similar ones (e.g. the "1 request for retrieval of N characters in inferential boolean/time-based SQLi" bullsh*t). Everybody is the smartest around, yet when I turn the tables and ask them to provide code as proof, nobody replies. Also, everybody is "requiring" and semi-demanding something, while those same people are not donating anything to the project. I just ask you one thing: what do you think the average sum of donations per year has been in these ten years of sqlmap? Also, have you donated anything, or do you just expect somebody else to donate/contribute as part of the majority?

@stamparm
Member

@wireghoul p.p.s. "Here is an example of flawed extraction from a recent pentest (boolean blind with --code=302)" <- I can just say LOL. You had a problem with the target site when it apparently didn't reply 302 for TRUE responses each and every time, and now you are including this as an argument in this whole discussion. Please, stop.

@wireghoul
wireghoul commented Sep 27, 2016 edited

I'll just ignore the snark and the qqing about donations and try again to convey my point...

The website in question was behind a reverse proxy/load balancer and responded with a 500 error to a false boolean query, which caused the proxy to throw 502 gateway errors until the website passed the next health check; those 502 errors were the cause of the false positives. However, as long as it was serving true cases it could be hit fast. I was able to extract the data with 100% accuracy using a single thread and --delay=15, but that was insanely slow. Given that the data misidentified because of the 502 errors still came out >60% correct, it would have been much faster to run at a decent speed and just use validation to correct the mistakes than to extract at 1 thread with a 15 s delay. Hopefully I made better sense the second time around. I did not mean to sound demanding; I write a few open source projects myself and know how hard it can be to find time to work on them.
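In that setup the 502s are a transient proxy state rather than answers from the application, so conceptually the oracle can treat them as "wait and retry" instead of FALSE. A sketch under exactly those assumptions (TRUE -> 302, application FALSE -> 500, 502/503/504 -> proxy waiting for the next health check); generic code, not sqlmap's:

```python
import time
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Return None so 3xx responses raise HTTPError instead of being followed.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_opener = urllib.request.build_opener(_NoRedirect)

def boolean_oracle(url, retries=10, backoff=5):
    for _ in range(retries):
        try:
            code = _opener.open(url).getcode()
        except urllib.error.HTTPError as err:
            code = err.code
        if code == 302:
            return True            # injected condition held
        if code == 500:
            return False           # the application itself answered FALSE
        if code in (502, 503, 504):
            time.sleep(backoff)    # proxy down until the next health check
            continue
        raise RuntimeError("unexpected HTTP code %d" % code)
    raise RuntimeError("gateway never recovered after %d retries" % retries)
```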

@stamparm
Member

@wireghoul "Hopefully I made better sense the second time around" <- no, you are just nagging without providing anything useful to the discussion.

@stamparm
Member
stamparm commented Sep 27, 2016 edited

@wireghoul a quick 101 of information science: if you have 6 requests per character and you introduce 6 validation requests (which depend on network latency just like the 6 requests they are supposed to validate), what do you think the end result would be? If you think it would be something GOOD, you are wrong.
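As a toy model of that trade-off (the noise model and every number here are assumed for illustration): each inferential read returns the true value only if all of its requests were answered correctly, and an agreement check between two noisy reads both changes the accuracy and inflates the request count:

```python
import random

p = 0.02        # assumed per-request misread probability
N, M = 6, 6     # requests per read / per validation read
ALPHABET = 64   # size of the value space a misread can land in
TRIALS = 100_000
TRUE = 0        # the actual character value

def read(n):
    # One inferential read built from n noisy requests: it yields the
    # true value only if every single request came back correct.
    if all(random.random() >= p for _ in range(n)):
        return TRUE
    return random.randrange(1, ALPHABET)  # some wrong value

plain_ok = sum(read(N) == TRUE for _ in range(TRIALS)) / TRIALS

validated_ok, requests = 0, 0
for _ in range(TRIALS):
    while True:
        a, b = read(N), read(M)
        requests += N + M
        if a == b:  # two noisy reads agree -> accept (rarely, both are wrong)
            validated_ok += (a == TRUE)
            break

print("no validation: %.4f accurate, %d requests/char" % (plain_ok, N))
print("validated:     %.4f accurate, %.1f requests/char"
      % (validated_ok / TRIALS, requests / TRIALS))
```

Whether the extra request volume is worth it depends entirely on how noisy the channel is, which is exactly the disagreement in this thread.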

Also, you are mentioning 500/502 errors without pointing out what the actual problem was there. I'll make changes that deal with those sudden >=400 errors, but that has nothing to do with N more unnecessary validations. Please let me do my job and don't nag here anymore.

@wireghoul

Latency isn't an issue with boolean, lol information science. kk bye

@stamparm
Member
stamparm commented Sep 27, 2016 edited

@wireghoul "I'll just ignore the snark and the qqing about donations" <- I am just attaching the tweet you are referring to, posted in response to your first comment here:

[screenshot of the referenced tweet]

@stamparm
Member
stamparm commented Sep 27, 2016 edited

"Latency isn't an issue with boolean, lol information science. kk bye" <- so, you are commenting on boolean based blinds on an issue that has a title "AND/OR time-based blind and invalid characters". Why FFS? As said, please don't introduce the unnecessary noise into the discussion.

@stamparm
Member
stamparm commented Sep 27, 2016 edited

@wireghoul disregard that I am a d*ck sometimes; with the latest commit (7151df1) there is an extra validation step, even for boolean-based blind SQLi cases, when a "sudden" unexpected HTTP code occurs (like the 500/502 in your case).
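Conceptually (a sketch of the idea only, not the actual code from 7151df1), the change amounts to re-asking the oracle whenever the response carries a code never seen during detection:

```python
# Conceptual sketch only, not the code from commit 7151df1: re-validate a
# boolean answer whenever the HTTP code is one never seen during detection.
EXPECTED_CODES = {200, 302, 500}    # codes observed while fingerprinting

def answer_with_validation(send_request):
    code, truth = send_request()    # send_request() -> (http_code, bool)
    if code not in EXPECTED_CODES:  # "sudden" 502/503/... -> don't trust it
        code, truth = send_request()  # one extra validation round-trip
    return truth
```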


@wireghoul

Had to run it single-threaded with a delay for the detection phase, as it tried a few things that caused 502s before trying x=y and x=x. Handling 5xx responses during detection must be a PITA, so no complaints there. Once detection was done I could Ctrl+C and then run normally. Error detection is working really well so far and it is sooo much faster. Nice work!!! :)
