0xd0m7: February 2016

Tuesday 9 February 2016

Understanding "tamper" option in Sqlmap (II)

In the previous post, we explained the reason for using tamper sqlmap option. However, due to the large number of tampers available, it is necessary to construct a table where you can see where we can use every tamper, because I could not find a table on the internet where you reflect the type of database manager data used in each tamper, between others:

TAMPER	MySQL	MSSQL	Oracle	PostgreSQL
apostrophemask	*	*	*	*
apostrophenullencode	-	-	-	-
appendnullbyte	*	*	*	*
base64encode	4,5,5.5	2005	10g	-
between	5.1	-	-	-
bluecoat	*	*	*	*
apostrophemask	9.0.3	2000,2005	-	9.3
charunicodeencode	4,5.0 and 5.5	2005	10g	8.3,8.4,9.0
charencode	*	-	-	-
commalessmid	*	-	-	-
concat2concatws	*	*	*	*
equaltolike	*	*	*	*
greatest	< 5.1	-	-	-
halfversionedmorekeywords	5.0 and 5.5	-	-	-
ifnull2ifisnull	*	*	*	*
informationschemacomment	4,5.0,5.5	2005	10g	8.3,8.4,9.0
lowercase	5.0	-	-	-
modsecurityversioned	5.0	-	-	-
modsecurityzeroversioned	*	*	*	*
multiplespaces	*	*	*	*
nonrecursivereplacement	*	*	*	*
overlongutf8	5.1.56,5.5.11	2000, 2005	N/A	9.0
percentage	4, 5.0,5.5	2005	10g	8.3,8.4,9.0
randomcase	*	*	*	*
randomcomments	*	*	*	*
securesphere	4,5.0,5.5	2005	10g	8.3,8.4,9.0
space2comment	-	-	-	-
space2dash	4.0,5.0	-	-	-
space2hash	>= 5.1.13	-	-	-
space2morehash	-	2000, 2005	-	-
space2mssqlblank	*	*	-	-
space2mssqlhash	*	*	*	*
space2plus	4,5.0,5.5	2005	10g	8.3,8.4,9.0
space2randomblank	-	*	-	-
sp_password	*	*	*	*
symboliclogical	*	*	*	*
unionalltounion	*	*	*	*
unmagicquotes	4, 5.0,5.5	2005	10g	8.3,8.4,9.0
uppercase	*	*	*	*
varnish	*	-	-	-
versionedkeywords	>=5.1.13	-	-	-
versionedmorekeywords	*	*	*	*
xforwardedfor	*	*	*	*

(*) It might work for all versions.
(-) Does not apply

While the ultimate goal of using the tamper data, to evade firewalls and filters possible application, should know to what kind of database manager apply one or the other tampers.

The reason not add the Microsoft Access data base is evident, this type of database is not relational, so using Sqlmap for such SQL injections might be a waste of time.However Sqlmap has a specific tamper for Microsoft Access databases, called appendnullbyte.

Moreover, there are some tampers that are unique to evade WAF, for example:

securesphere: Useful for bypassing Imperva SecureShere WAF.

varnish: Useful for bypassing WAF Protection of Varnish Firewall.

Some tampers only work for certain specific Web programming languages, such as:

charunicodeencode: Only for ASP or ASP.NET.

In short, there are many ways to bypass filters and firewalls. Although it will be difficult to find such deficiencies in large companies dedicated to it. Although we can always develop a script that can bypass such restrictions.

Other links that may be of interest to bypass filters, in this case XSS:

https://www.exploit-db.com/docs/38117.pdf

In the following post we use appendnullbyte tamper to Microsoft Access databases and try to explain in as much detail as possible the problem of SQL injections against these databases.

Regards,

Monday 8 February 2016

Understanding "tamper" option in Sqlmap

In today's post, we will see the meaning of the "tamper" option in Sqlmap tool. By the time we just enough to know that there are certain data filtering mechanisms and certain web application firewalls that will hinder us much homework, when implemented correctly SQL injection attack.

To better understand the data covered, it will proceed to stage it in the following example. As you can see below, when a vulnerability is detected SQL code and then tries to exploit, the server returns the same sentence without spaces:

REQUEST:
GET /index.html?id=' AND 1=1

Host: X.X.X.X

User-agent: Mozilla/5.0 …

Connection: close

RESPONSE:
HTTP/1.1 200 OK

Server: X

Connection: Close

The SQL syntax is incorrect when SELECT * FROM productos WHERE ID='AND1=1....

As shown in the above example, the server responds as "The SQL syntax is incorrect" after eliminating the spaces of the sentence. Tampear would require data so that 20% be added to each space.

Although default hexadecimal sqlmap becomes the content of the petition, this example helps us to understand why to the "tamper" option.

Applying the above concept to our previous example, that the judgment was valid should be as follows:

REQUEST:
GET /index.html?id=%27%20AND%201=1

Host: X.X.X.X

User-agent: Mozilla/5.0 …

Connection: close

RESPONSE:
HTTP/1.1 200 OK

Server: X

Connection: Close

As you can see in the previous answer, so that the SQL statement is correct, they should to use tamper option to convert all to hexadecimal data. However, Sqlmap does by default, but is a good way to understand why of tamper option.

I guess by now, you're thinking, and as I used to tamper option. How could identify this?.

Everything depends more, if our client uses WAF(Web Application Firewall), and the version of manager database software.Sometimes we believe that the filters themselves implemented by the manager of the database, are a WAF, but not always.

Sqlmap further it incorporates a feature that allows the detection of the best known to date WAFS this will help us in verifying the existence or otherwise of such firewalls:

--check-waf

#You can find more information in the following official link sqlmap:

https://github.com/sqlmapproject/sqlmap/wiki/Usage

Once identified first type of WAF (if web application has any), the programming language used to develop web, and the type and version that uses the manager of the database, and are ready to choose the tamper option more appropriate.

Since the purpose of this post is to understand the Tamper Sqlmap option and I think is quite clear. I will simply say that there is much information on the Internet regarding what kind of tamper option is used depending on the above parameters.

Regards,