Re: [sqlmap-users] Small bug in detecting time-based injection under MySQL
From: Bernardo D. A. G. <ber...@gm...> - 2010-01-05 11:47:23
Hi Krzysztof,

Fixed and committed. Thanks for reporting.

Cheers,
Bernardo

On Tue, Dec 29, 2009 at 01:15, Krzysztof Kotowicz <kko...@gm...> wrote:
> Hi!
>
> I'm using SVN version of sqlmap ( r988 ).
> MYSQL: Server version: 5.0.67-0ubuntu6 (Ubuntu)
>
> When doing --time-test on a known-to-be vulnerable mysql setup the software
> cannot detect it to be affected by injection:
>
> [01:39:19] [INFO] testing time based blind sql injection on parameter 'id' with AND condition syntax
> [01:39:19] [INFO] detecting back-end DBMS version from its banner
> [01:39:19] [INFO] read from file '/home/koto/Private/dev/sqlmap/output/localhost/session': 5.0.67
> [01:39:19] [TRAFFIC OUT] HTTP request:
> GET /~koto/sqlinjection/index.php?id=1%20AND%20SELECT%20SLEEP%285%29%20AND%208530=8530 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: localhost
> Accept-language: en-us,en;q=0.5
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.8-rc2 (http://sqlmap.sourceforge.net)
> Connection: close
>
> [01:39:19] [WARNING] the parameter 'id' is not affected by a time based blind sql injection with AND condition syntax
>
> The problem is with the query used to detect injection. In the application
> I'm using:
>
> SELECT * FROM table WHERE id = {$_GET['id']}
>
> which results in the following injected query:
>
> SELECT * FROM table WHERE id = 1 AND SELECT SLEEP(5) AND 8530=8530
>
> This is invalid in mysql (at least in my version), you should use:
>
> SELECT * FROM table WHERE id = 1 AND SLEEP(5) AND 8530=8530
>
> If I change the relevant query in the <timedelay> element from queries.xml to
> "SLEEP(%d)", sqlmap correctly detects time-based blind sql injection.
> However, I suppose that the same query is used later on in the stacked query
> fallback in timebased.py, and this one needs "SELECT",
> so the logic of this test should be changed.
>
> --
> Cheers,
> Krzysztof Kotowicz

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
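The point of the thread is that the time-delay primitive has to take a different shape depending on where it is injected: inside a WHERE expression (AND condition syntax) MySQL accepts a bare function call such as SLEEP(5) but rejects an unparenthesised SELECT, whereas the stacked-query fallback needs a complete statement, SELECT SLEEP(5), after a ';'. The following script is an added example written for this page; it is not sqlmap's code and not the queries.xml/timebased.py change Bernardo committed. The two template strings are assumptions modelled on the <timedelay> element mentioned in the report, the FakeMySQLApp class is a constructed stand-in for Krzysztof's vulnerable page (it mimics only the MySQL rules that matter here, with SLEEP scaled down from seconds so the demo finishes quickly), and the parenthesised-subquery probe, (SELECT SLEEP(5)), goes beyond the thread to show that a subquery is legal in that position as long as it is parenthesised.

```python
import re
import time

# Two shapes for the time-delay primitive, modelled on the <timedelay> entry the
# thread discusses (assumption: illustrative strings, not copied from queries.xml).
TIMEDELAY_INLINE = "SLEEP(%d)"          # a function call usable inside a WHERE expression
TIMEDELAY_STACKED = "SELECT SLEEP(%d)"  # a full statement, usable only after a ';'


def and_payload(value, template, delay, marker=8530):
    """AND-condition syntax: the delay primitive becomes one operand of the WHERE clause."""
    return "%s AND %s AND %d=%d" % (value, template % delay, marker, marker)


def stacked_payload(value, template, delay):
    """Stacked-query syntax: close the original statement, then run the primitive on its own."""
    return "%s; %s" % (value, template % delay)


_SLEEP_CALL = re.compile(r"\bSLEEP\((\d+)\)", re.I)
_BARE_SELECT_IN_EXPR = re.compile(r"\bAND\s+SELECT\b", re.I)


class FakeMySQLApp:
    """Constructed stand-in for the page in the report, which runs
    SELECT * FROM table WHERE id = {$_GET['id']}.
    It models only the MySQL behaviour that matters here: a bare SELECT inside an
    expression is a syntax error, a parenthesised one is a legal subquery, and a
    second ';'-separated statement runs only when the connector allows stacked
    queries. One SLEEP unit is scaled down from a second so the demo stays fast."""

    def __init__(self, stacked_queries=False, seconds_per_unit=0.04):
        self.stacked_queries = stacked_queries
        self.seconds_per_unit = seconds_per_unit

    def request(self, id_param):
        sql = "SELECT * FROM table WHERE id = " + id_param
        statements = [s.strip() for s in sql.split(";") if s.strip()]
        if not self.stacked_queries:
            statements = statements[:1]          # trailing statements are silently dropped
        for stmt in statements:
            if _BARE_SELECT_IN_EXPR.search(stmt):
                return "error"                   # MySQL: "You have an error in your SQL syntax"
            for m in _SLEEP_CALL.finditer(stmt):
                time.sleep(int(m.group(1)) * self.seconds_per_unit)
        return "ok"


def measure(app, id_param):
    """Wall-clock time of one request; the response body is irrelevant for a time-based test."""
    start = time.monotonic()
    app.request(id_param)
    return time.monotonic() - start


def is_time_based_injectable(app, value, payload, expected_seconds, ratio=0.8):
    """Compare the payload's response time against a baseline request with the untouched
    value; a delay of at least `ratio` of the requested SLEEP counts as a hit."""
    baseline = measure(app, value)
    elapsed = measure(app, payload)
    return elapsed - baseline >= ratio * expected_seconds


def run_probes(app, value="1", delay=5):
    """Try each (syntax, template) combination and report which ones actually delay."""
    expected = delay * app.seconds_per_unit
    probes = {
        "and_select_sleep": and_payload(value, TIMEDELAY_STACKED, delay),       # the r988 payload
        "and_sleep": and_payload(value, TIMEDELAY_INLINE, delay),               # the fix for AND syntax
        "and_subquery_sleep": and_payload(value, "(SELECT SLEEP(%d))", delay),  # also legal MySQL
        "stacked_select_sleep": stacked_payload(value, TIMEDELAY_STACKED, delay),
    }
    return {name: is_time_based_injectable(app, value, p, expected) for name, p in probes.items()}


if __name__ == "__main__":
    for stacked in (False, True):
        app = FakeMySQLApp(stacked_queries=stacked)
        print("stacked_queries=%s" % stacked)
        for name, hit in run_probes(app).items():
            print("  %-22s %s" % (name, "delayed" if hit else "not delayed"))
```

Against the mock, the and_select_sleep probe (the one in the captured request) comes back immediately with an error, which is exactly why the tool reported the parameter as not affected; and_sleep and the parenthesised subquery both delay, and stacked_select_sleep delays only when the connector executes stacked queries. That is the reason the inline and stacked code paths need different templates rather than one shared string.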