[sqlmap-users] Small bug in detecting time-based injection under MySQL
From: Krzysztof K. <kko...@gm...> - 2009-12-29 01:15:15
Hi! I'm using the SVN version of sqlmap (r988). MySQL: Server version: 5.0.67-0ubuntu6 (Ubuntu)

When running --time-test on a known-to-be-vulnerable MySQL setup, the software cannot detect that it is affected by injection:

    [01:39:19] [INFO] testing time based blind sql injection on parameter 'id' with AND condition syntax
    [01:39:19] [INFO] detecting back-end DBMS version from its banner
    [01:39:19] [INFO] read from file '/home/koto/Private/dev/sqlmap/output/localhost/session': 5.0.67
    [01:39:19] [TRAFFIC OUT] HTTP request:
    GET /~koto/sqlinjection/index.php?id=1%20AND%20SELECT%20SLEEP%285%29%20AND%208530=8530 HTTP/1.1
    Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
    Host: localhost
    Accept-language: en-us,en;q=0.5
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    User-agent: sqlmap/0.8-rc2 (http://sqlmap.sourceforge.net)
    Connection: close
    [01:39:19] [WARNING] the parameter 'id' is not affected by a time based blind sql injection with AND condition syntax

The problem is with the query used to detect injection. In the application I'm using:

    SELECT * FROM table WHERE id = {$_GET['id']}

which results in the following injected query:

    SELECT * FROM table WHERE id = 1 AND SELECT SLEEP(5) AND 8530=8530

This is invalid in MySQL (at least in my version); you should use:

    SELECT * FROM table WHERE id = 1 AND SLEEP(5) AND 8530=8530

If I change the relevant query in the <timedelay> element of queries.xml to "SLEEP(%d)", sqlmap correctly detects time-based blind SQL injection. However, I suppose that the same query is used later on in the stacked query fallback in timebased.py, and that one needs "SELECT", so the logic of this test should be changed.

--
Cheers,
Krzysztof Kotowicz
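The report above distinguishes two shapes of MySQL time-delay probe: an inline boolean expression (AND SLEEP(5) AND ...) and a stacked query (; SELECT SLEEP(5)). As an added example that is not part of the original post or of sqlmap, the following scans constructed web-server access-log lines (the first one reproduces the request quoted in the report) and reports, per query parameter, which form was seen and the requested delay, which is what a defender reviewing logs for such probes needs.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# MySQL SLEEP(n), whether inline ("1 AND SLEEP(5) AND ...")
# or in a stacked query ("1; SELECT SLEEP(5)").
SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
STACKED_RE = re.compile(r";\s*SELECT\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"([A-Z]+ [^"]+ HTTP/\d\.\d)"')


def find_time_probes(request_line):
    """Return (param, seconds, form) for every query parameter of an HTTP
    request line that carries a SLEEP() call; form is 'inline' or 'stacked'."""
    _, target, _ = request_line.split(" ", 2)
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding
        value = unquote_plus(raw)
        form = "stacked" if STACKED_RE.search(value) else "inline"
        for m in SLEEP_RE.finditer(value):
            hits.append((name, int(m.group(1)), form))
    return hits


def scan_log(lines):
    """Combined-log-format lines -> list of findings (dicts)."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for param, secs, form in find_time_probes(m.group(1)):
            findings.append({"param": param, "seconds": secs,
                             "form": form, "request": m.group(1)})
    return findings


# Constructed sample log; line 1 is the request from the report, line 2 the
# corrected inline form, line 3 the stacked form, line 4 a benign request.
SAMPLE_LOG = [
    '127.0.0.1 - - [29/Dec/2009:01:39:19 +0100] "GET /~koto/sqlinjection/index.php?id=1%20AND%20SELECT%20SLEEP%285%29%20AND%208530=8530 HTTP/1.1" 200 512',
    '127.0.0.1 - - [29/Dec/2009:01:39:20 +0100] "GET /~koto/sqlinjection/index.php?id=1%20AND%20SLEEP%285%29%20AND%208530=8530 HTTP/1.1" 200 512',
    '127.0.0.1 - - [29/Dec/2009:01:39:21 +0100] "GET /~koto/sqlinjection/index.php?id=1%3B%20SELECT%20SLEEP%285%29 HTTP/1.1" 200 512',
    '127.0.0.1 - - [29/Dec/2009:01:39:22 +0100] "GET /~koto/sqlinjection/index.php?id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```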