[sqlmap-users] Bug with union test?
From: David G. <sk...@gm...> - 2010-05-09 20:33:55
I noticed that this has already been happening for some time: sqlmap fails to properly detect UNION inband SQL injection, even in cases where the detection is quite simple, as shown below:

http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all select 1,2,3,4,5,6 (mysql)

I am currently editing the sessions file directly to use the UNION technique with sqlmap. By using --union-test and verbose level 2, it was possible to identify that sqlmap does not completely test the NULL bruteforcing UNION technique. It tests only a single column, and reports that it has found the flaw, as shown below:

[16:58:09] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing technique
[16:58:09] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
[16:58:10] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:10] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
[16:58:10] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' by appending a false condition after the parameter value
[16:58:11] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:11] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
[16:58:11] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' with negative parameter value
[16:58:11] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:12] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
valid union: None

The sqlmap documentation says: "By default sqlmap uses the NULL bruteforcing technique to detect the number of columns within the original SELECT statement."

I think the correct use of the brute force technique would be to test several columns until it finds the correct number. Right?

--
David Gomes Guimarães
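The requests quoted in the report have a recognisable shape on the server side: a `UNION ALL SELECT NULL` payload whose column list is expected to grow with each attempt until it matches the original query. The following detector, an added example that is neither sqlmap's code nor part of the post, parses Apache combined-format access log lines (the format is an assumption; the log lines themselves are constructed to mirror the payloads above), decodes the query string, counts the columns in any `UNION ... SELECT` payload (NULL or integer placeholders, so it also covers the `union all select 1,2,3,4,5,6` form from the post) and reports, per client, whether the column count walks upward the way a column-count brute force does.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format, not taken from the original post).
# Query strings copy the payload shape that sqlmap's --union-test emitted in the report.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2010:16:58:09 +0000] "GET /vulnscript.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [09/May/2010:16:58:09 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1" 500 0 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
10.0.0.7 - - [09/May/2010:16:58:10 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL,%20NULL%23%20AND%204073=4073 HTTP/1.1" 500 0 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
10.0.0.7 - - [09/May/2010:16:58:11 +0000] "GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL%23%20AND%204970=4970 HTTP/1.1" 200 640 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [09/May/2010:16:59:00 +0000] "GET /vulnscript.php?id=43 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# UNION [ALL] SELECT followed by a list of NULL or integer placeholders, e.g.
# "UNION ALL SELECT NULL, NULL" or "union all select 1,2,3,4,5,6".
UNION_RE = re.compile(
    r'union\s+(?:all\s+)?select\s+(?P<cols>(?:null|\d+)(?:\s*,\s*(?:null|\d+))*)',
    re.IGNORECASE,
)


def parse_line(line):
    """Split one combined-format log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["path"])  # %20 -> space, %23 -> '#'
    return rec


def union_column_count(decoded_path):
    """Number of placeholder columns in a UNION SELECT payload, or 0 if there is none."""
    m = UNION_RE.search(decoded_path)
    if not m:
        return 0
    return len(re.split(r"\s*,\s*", m.group("cols")))


def detect_union_bruteforce(log_text):
    """Group UNION payloads by client IP and flag a rising column count."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        n = union_column_count(rec["decoded"])
        if n:
            per_client[rec["ip"]].append(
                {"ts": rec["ts"], "columns": n, "status": rec["status"], "ua": rec["ua"]}
            )

    findings = {}
    for ip, events in per_client.items():
        counts = [e["columns"] for e in events]
        findings[ip] = {
            "attempts": len(events),
            "column_counts": counts,
            # a monotonically rising column list is the signature of a column-count brute force
            "escalating": counts == sorted(counts) and len(set(counts)) > 1,
            # heuristic only: a 2xx after earlier 5xx responses means the app stopped erroring,
            # which is worth a closer look but is not proof the UNION matched
            "status_flip": any(e["status"].startswith("5") for e in events)
            and any(e["status"].startswith("2") for e in events),
            "tool_ua": any("sqlmap" in e["ua"].lower() for e in events),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_union_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Run as-is, the script reports only 10.0.0.7, with column counts [1, 2, 6], `escalating` set and a status flip from 500 to 200. The User-Agent check is a weak signal on its own, since it is trivially changed; the column-count progression from a single client is the part worth alerting on.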