Re: [sqlmap-users] Bug with union test?
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-10 14:09:13
For me it works with no problems against SQL injection on a SELECT with more than one column. Try to provide sqlmap with --string or --regex. Also, try with --union-tech orderby.

Bernardo

On Sun, May 9, 2010 at 21:33, David Guimaraes <sk...@gm...> wrote:
> I noticed that this has already been happening for some time: sqlmap
> fails to properly detect UNION inband sql injection, even in cases
> where the detection is quite simple, as shown below:
>
> http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all
> select 1,2,3,4,5,6 (mysql)
>
> I am currently editing the sessions file directly to use the UNION
> technique with sqlmap.
>
> By using --union-test and verbose level 2, it was possible to
> identify that sqlmap does not completely test the NULL bruteforcing
> UNION technique. It tests only a single column, and reports that
> have found the flaw, as shown below:
>
> [16:58:09] [INFO] testing inband sql injection on parameter 'id' with
> NULL bruteforcing technique
> [16:58:09] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
> [16:58:10] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:10] [WARNING] the target url is not affected by an exploitable
> full inband sql injection vulnerability
> [16:58:10] [INFO] confirming partial (single entry) inband sql
> injection on parameter 'id' by appending a false condition after the
> parameter value
> [16:58:11] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:11] [WARNING] the target url is not affected by an exploitable
> partial (single entry) inband sql injection vulnerability
> [16:58:11] [INFO] confirming partial (single entry) inband sql
> injection on parameter 'id' with negative parameter value
> [16:58:11] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:12] [WARNING] the target url is not affected by an exploitable
> partial (single entry) inband sql injection vulnerability
> valid union: None
>
> Sqlmap documentation says: "By default sqlmap uses the NULL
> bruteforcing technique to detect the number of columns within the
> original SELECT statement."
>
> I think the correct use of the brute force technique would be to test
> several columns until it finds the correct number. Right?
>
> --
> David Gomes Guimarães
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
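The probes David pasted above are exactly what shows up in a web server's access log when someone runs a UNION column-count brute force: the same parameter hit repeatedly with `UNION ALL SELECT NULL`, `NULL,NULL`, `NULL,NULL,NULL` and so on, plus the `AND n=n` tautology sqlmap appends to confirm the page still renders. The following is an added detection example written for this post; it is not code from the thread or from sqlmap. It parses constructed access-log lines in a simplified `client method path` layout (the client addresses and the `search.php` line are made up for the example), percent-decodes each query-string value, counts the NULL columns in any UNION probe, and flags clients that tried more than one column count, which is the signature of the enumeration being discussed.

```python
"""Flag UNION column-count enumeration in web access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Matches "UNION [ALL] SELECT NULL[, NULL ...]" inside a decoded parameter
# value.  The trailing "#" (sent as %23) that sqlmap appends to comment out
# the rest of the query is not required, so hand-typed probes also match.
UNION_NULL_RE = re.compile(
    r"\bUNION\s+(?:ALL\s+)?SELECT\s+((?:NULL\s*,\s*)*NULL)\b",
    re.IGNORECASE,
)

# Constructed sample log: the first client replays the probe sequence from
# the thread with 1, 2 and 3 NULL columns; the second client is benign.
SAMPLE_LOG = """\
203.0.113.5 GET /vulnscript.php?id=42
203.0.113.5 GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967
203.0.113.5 GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL,NULL%23%20AND%201=1
203.0.113.5 GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23%20AND%204970=4970
198.51.100.7 GET /vulnscript.php?id=43
198.51.100.7 GET /search.php?q=union%20station
"""


def union_null_columns(value):
    """Number of NULL columns in a UNION ... SELECT NULL,... probe, or None."""
    match = UNION_NULL_RE.search(value)
    if match is None:
        return None
    return match.group(1).upper().count("NULL")


def scan_log(text):
    """Map each client to the sorted list of distinct NULL column counts
    seen in its requests.  Clients with no probes are omitted."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole scan
        client, _method, target = parts
        query = urlsplit(target).query
        # parse_qsl splits on the first "=" only, so "AND 3967=3967" stays in
        # the value, and it percent-decodes once; decode a second time so a
        # double-encoded payload is still inspected.
        for _name, raw in parse_qsl(query, keep_blank_values=True):
            cols = union_null_columns(unquote_plus(raw))
            if cols is not None:
                seen[client].add(cols)
    return {client: sorted(counts) for client, counts in seen.items()}


def enumeration_suspects(counts, min_distinct=2):
    """Clients that tried at least `min_distinct` different column counts."""
    return sorted(c for c, v in counts.items() if len(v) >= min_distinct)


if __name__ == "__main__":
    per_client = scan_log(SAMPLE_LOG)
    for client, cols in per_client.items():
        print(f"{client}: NULL column counts tried = {cols}")
    print("column-count enumeration suspects:", enumeration_suspects(per_client))
```

A single `UNION ALL SELECT NULL` request is weak evidence on its own (it could be a scanner's one-shot check, or, as in this thread, sqlmap stopping after one column); a run of increasing NULL counts against the same parameter from the same client is what a detection rule should key on, and the same counting logic can drive a rate-based block at the WAF.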