To test that there is no SQL injection, we can use sqlmap:
-- Installation of sqlmap
-------------------------
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap
cd sqlmap
./sqlmap.py --update
./sqlmap.py --purge
Then add the following custom rule to the file ~/git/sqlmap/data/xml/payloads/boolean_blind.xml:
<!-- Boolean-based blind tests - WHERE/HAVING clause -->
<test>
<title>Our_ORDERBY_Payload</title>
<stype>1</stype>
<level>1</level>
<risk>1</risk>
<clause>1</clause>
<where>1</where>
<vector>,(select * from(select (CASE WHEN ([INFERENCE]) THEN 1 ELSE exp(710) END))a)</vector>
<request>
<payload>,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a)</payload>
</request>
<response>
<comparison>,(select * from(select (CASE WHEN (1=2) THEN 1 ELSE exp(710) END))a)</comparison>
</response>
<details>
<dbms>mysql</dbms>
<os>linux</os>
</details>
</test>
-- Launch sqlmap on a given url/parameter
-----------------------------------------
First, deliberately introduce a vulnerability so that the scanner can be validated: change the GETPOST() call for the parameter search_status into GETPOST('search_status', 'none') and remove the $db->sanitize() call where the parameter is used in the query. Then run:
./sqlmap.py --fresh-queries -u "http://localhostdev/comm/propal/list.php?search_status=*"
./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/comm/propal/list.php?search_status=*" --dbms=mysql --os=linux --technique=B --batch --skip-waf \
--cookie="DOLSESSID_xxxxxx=yyyyyyyy;" --prefix='1' -v 4 > sqlmap.txt
Check that the vulnerability is reported in sqlmap.txt. If it is, the scanner is working.
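To automate that last check (for example in a CI job), the following added script, which is not part of Dolibarr or sqlmap, parses the redirected sqlmap.txt and reports which injection points sqlmap listed; the sample logs embedded below are constructed to mirror the layout of sqlmap's "injection point(s)" summary.

```python
"""Parse a sqlmap console log (the sqlmap.txt produced above) and report
the injection points it identified, so the scanner self-test can be
asserted instead of read by eye."""
import re

# Constructed sample: sqlmap.txt when search_status is found injectable
# by the custom boolean-blind rule Our_ORDERBY_Payload.
SAMPLE_LOG = """\
[12:00:01] [INFO] testing connection to the target URL
[12:00:02] [INFO] testing 'Our_ORDERBY_Payload'
sqlmap identified the following injection point(s) with a total of 42 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: Our_ORDERBY_Payload
    Payload: http://localhostdev/comm/propal/list.php?search_status=1,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a)
---
[12:00:06] [INFO] the back-end DBMS is MySQL
"""

# Constructed sample: the expected result once the code is sanitized again.
CLEAN_LOG = """\
[12:00:01] [INFO] testing connection to the target URL
[12:00:09] [CRITICAL] all tested parameters do not appear to be injectable.
"""

def parse_injection_points(log_text):
    """Return one dict (parameter, type, title, payload) per technique
    sqlmap listed; an empty list means nothing was found injectable."""
    points, current = [], None
    for line in log_text.splitlines():
        m = re.match(r"^Parameter:\s*(.+)$", line)
        if m:
            current = {"parameter": m.group(1).strip()}
            points.append(current)
            continue
        m = re.match(r"^\s+(Type|Title|Payload):\s*(.+)$", line)
        if m and current is not None:
            key = m.group(1).lower()
            if key == "type" and "type" in current:
                # A second technique for the same parameter: new entry.
                current = {"parameter": current["parameter"]}
                points.append(current)
            current[key] = m.group(2).strip()
        elif line.startswith("---"):
            current = None  # block delimiter; wait for the next Parameter:
    return points

def scanner_confirmed_injection(log_text, expected_title=None):
    """True when sqlmap reported an injection point; with expected_title,
    only when the custom rule of that name is the one that fired."""
    points = parse_injection_points(log_text)
    if expected_title is None:
        return bool(points)
    return any(p.get("title") == expected_title for p in points)
```

Run it on the real sqlmap.txt with `scanner_confirmed_injection(open("sqlmap.txt").read(), "Our_ORDERBY_Payload")`; a False result after the deliberate change means the custom rule is not being applied.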
-- Launch sqlmap on all the application
---------------------------------------
Set $dolibarr_nocsrfcheck='1' in the conf.php file to make access easier for the crawler.
With a prefix (required for some rules to work):
./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
--skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
--cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" --prefix='1' -v
Without a prefix:
./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \
--skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \
--cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" -v