Re: [sqlmap-users] Mysql 4, information schema, and sql-shell
From: Bernardo D. A. G. <ber...@gm...> - 2009-11-01 11:49:32
Hi Kyle,

On Sat, Oct 3, 2009 at 19:42, Kyle Anderson <ky...@xk...> wrote:
> So it seems that you cannot do a --dump-all on a mysql 4 server
> because information_schema is not available.

It's not a lack of sqlmap. By design all versions of MySQL < 5.0 do not have information_schema so, as far as I know, there is no way to automatically identify tables and columns within a database.

> But can't I just do a "show databases;" in a sql shell? I tried but I
> can't seem to get the sql-shell to work (probably because it says I'm
> not a DBA)

The --sql-shell functionality does not work exactly like a direct connection with the MySQL console. Statements like show cannot be supported (easily) within a SQL injection scenario.

On MySQL < 5.0 it is still possible to enumerate the databases via the 'mysql' system database's 'db' table, and sqlmap does it for you if you specify --dbs and it fingerprints an old version of MySQL. If it does not, then there's a bug, please report it.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F