
sqlmap Uses Incompatible MySQL Function JSON_STORAGE_FREE with MariaDB #5713

Closed · CyberFazaN opened this issue May 15, 2024 · 3 comments

CyberFazaN commented May 15, 2024

Description:
When using sqlmap to test a web application running with MariaDB, it incorrectly attempts to use the JSON_STORAGE_FREE function, which is exclusive to MySQL, resulting in errors.

Steps to Reproduce:

  1. Set up a test environment with the latest docker containers for nginx and MariaDB. Ensure the web application contains SQL injection vulnerabilities.
  2. Execute sqlmap against the web application.
  3. Observe errors in the php-fpm logs indicating the use of a non-existent function in MariaDB.

Expected Behavior:
sqlmap correctly recognizes the DBMS type (MariaDB in this case) and adapts its function calls accordingly, avoiding the use of MySQL-specific functions.

Running Environment:

  • sqlmap version: {1.8.5.4#dev}
  • Installation method: Cloned from GitHub and executed using ./sqlmap.py
  • Operating System: Termux
  • Python version: 3.11.8

Target Details:

  • DBMS Version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204
  • SQL Injection Techniques Found: Time-based and Union
  • WAF/IPS: None

Relevant Console Output:

[01:33:12] [INFO] the back-end DBMS is MySQL
Web application technology: Nginx
Back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:33:12] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 11 times

Exception Traceback:

NOTICE: PHP message: PHP Fatal error:  Uncaught mysqli_sql_exception: FUNCTION demo.JSON_STORAGE_FREE does not exist in /var/nginx/demo/search.php:18

Additional Information:
This error may lead to an incomplete or incorrect analysis of the security posture of the web application when MariaDB is used instead of MySQL. Adjusting sqlmap to better recognize and differentiate MariaDB specific functions could mitigate this issue.

CyberFazaN changed the title from "Sqlmap recognises mariadb but still trying to use unimplemented functions" to "sqlmap Uses Incompatible MySQL Function JSON_STORAGE_FREE with MariaDB" on May 15, 2024

CyberFazaN commented May 16, 2024

Vulnerable code snippet, if needed:

<?php
$host = 'mariadb';
$database = 'demo';
$user = 'root';
$password = '';

// mysqli_connect() returns false on failure, so mysqli_error($link) cannot be used
// on the failure path; mysqli_connect_error() reports the connection error instead.
$link = mysqli_connect($host, $user, $password, $database)
    or die("Error: " . mysqli_connect_error());

if (isset($_POST['search_term'])) {
    $search_term = $_POST['search_term'];

    // Deliberately vulnerable: the POST value is interpolated straight into the SQL
    // string, which is the injection point sqlmap is exercising.
    $query = "SELECT * FROM news WHERE Text LIKE '%$search_term%'";

    // Since PHP 8.1 mysqli throws mysqli_sql_exception by default, which is the
    // uncaught exception seen in the php-fpm log; the die() branch is then never reached.
    $result = mysqli_query($link, $query) or die("Error: " . mysqli_error($link));

    if ($result) {
        $rows = mysqli_num_rows($result);

        echo "<p>Found: $rows</p>";
        while ($row = mysqli_fetch_row($result)) {
            echo "<p><strong>Author:</strong> {$row[1]} <strong>Title:</strong> {$row[2]} <strong>Text:</strong> {$row[3]}</p>";
        }
        mysqli_free_result($result);
    }
}

mysqli_close($link);
?>

<!DOCTYPE html>
<html>
<head>
    <title>Search News</title>
</head>
<body>
    <h1>News Search</h1>
    <form action="" method="post">
        <input type="text" name="search_term" placeholder="Enter search text...">
        <button type="submit">Search</button>
    </form>
</body>
</html>

stamparm (Member) commented:

You should do better and inspect sqlmap's source code, at least to see from which part of it that same call is made. Let me help: https://github.com/sqlmapproject/sqlmap/blob/master/plugins/dbms/mysql/fingerprint.py#L206-L210. This is just to check whether sqlmap is dealing with MySQL >= 8.0.0. It doesn't affect the further workflow in any case/scenario.

Please don't be trigger happy when seeing an HTTP error code during a web (pen)test. It is perfectly normal to get non-200 here and there, especially if you are using an automated tool like sqlmap.
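Since the reply above explains that the JSON_STORAGE_FREE call is only sqlmap's MySQL >= 8.0 version probe (and MariaDB simply lacks that function), a defender reading php-fpm logs wants to tell such probe noise apart from real application errors. The following is an added example, not code from the thread or from sqlmap: a small Python classifier over nginx/php-fpm error lines; apart from the line quoted in the issue, the sample log entries are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
# php-fpm forwards fatal errors to the nginx error log as "PHP message:" lines.
FATAL_RE = re.compile(r"PHP Fatal error:\s+Uncaught mysqli_sql_exception: (?P<msg>.+?)"
                      r" in (?P<file>\S+):(?P<line>\d+)")
MISSING_FN_RE = re.compile(r"FUNCTION (?:(?P<schema>\w+)\.)?(?P<func>\w+) does not exist")
# Built-ins present in MySQL >= 8.0 but absent from MariaDB; the issue shows sqlmap's
# MySQL fingerprint calling JSON_STORAGE_FREE for exactly that version check.
MYSQL8_ONLY = {"JSON_STORAGE_FREE"}

@dataclass
class DbError:
    schema: Optional[str]   # schema name leaked in the error text (here: demo)
    func: Optional[str]
    file: str               # script and line that built the failing query
    line: int
    message: str

    @property
    def verdict(self) -> str:
        if self.func in MYSQL8_ONLY:
            return "version-probe"      # fingerprinting noise, not an application defect
        if self.func:
            return "missing-function"   # a function the app itself relies on is absent
        return "other-db-error"         # e.g. a syntax error from a tampered parameter

def parse_line(line: str) -> Optional[DbError]:
    m = FATAL_RE.search(line)
    if not m:
        return None
    fn = MISSING_FN_RE.search(m["msg"])
    return DbError(schema=fn["schema"] if fn else None, func=fn["func"] if fn else None,
                   file=m["file"], line=int(m["line"]), message=m["msg"])

def summarize(lines: List[str]) -> Tuple[List[DbError], Counter]:
    errors = [e for e in map(parse_line, lines) if e]
    return errors, Counter(e.verdict for e in errors)

# First entry is the line quoted in the issue; the other two are constructed.
SAMPLE_LOG = [
    "NOTICE: PHP message: PHP Fatal error:  Uncaught mysqli_sql_exception: "
    "FUNCTION demo.JSON_STORAGE_FREE does not exist in /var/nginx/demo/search.php:18",
    "NOTICE: PHP message: PHP Fatal error:  Uncaught mysqli_sql_exception: You have an "
    "error in your SQL syntax near ''' at line 1 in /var/nginx/demo/search.php:18",
    "NOTICE: PHP message: PHP Warning:  Undefined variable $x in /var/nginx/demo/index.php:3",
]
```

The file and line recovered from each entry point at the query construction site, which is what to review; the "version-probe" verdict tells you the error came from the scanner's fingerprinting, not from something the application itself does.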

@stamparm stamparm self-assigned this May 17, 2024

CyberFazaN commented May 17, 2024

@stamparm Yeah, sorry, my mistake. I have tried to inject an SQL query this way: ./sqlmap.py -u <url> --forms --dbms mysql -D demo --sql-query "select * from admin"
But sqlmap returns only the last column value (Hash_Password is the last column in the DB structure):

[19:28:03] [INFO] the query with expanded column name(s) is: SELECT Hash_Password, ID, Login FROM admin
select * from admin: '0d10**'

I thought HTTP errors and the use of incorrect functions were to blame, but MySQL reacts the same way.
I know that using raw queries is not good at all (I just forgot about the --dump flag :)
You can test it by yourself: http://demo.hackosint.net:8080/search.php for MySQL

Important note: these are my resources.
