[sqlmap-users] false negative on generic UNION inject?
From: Emiliano B. <emi...@7e...> - 2011-04-24 21:21:43
Hi,

I just read the "Multiple SQL Injection in Ajax Category Dropdown wordpress plugin" advisory published by High-Tech Bridge: http://www.htbridge.ch/advisory/multiple_sql_injection_in_ajax_category_dropdown_wordpress_plugin.html

Among others there's a generic UNION inject on the *category_id* GET parameter, and I decided to try it with sqlmap. Here's the PoC provided in the advisory:

http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201

As you can see there's a 10-column UNION, of which columns 2 and 10 are rendered on the page; so when you try the above proof-of-concept on a vulnerable target it should render a single-item dropdown box in the format:

db_user (db_version)

However, I couldn't seem to be able to exploit it via sqlmap. So, being aware it was a Linux box and considering WordPress runs on MySQL, I used the following as a base for the test:

./sqlmap.py --os linux --dbms mysql --technique U --union-cols 9-11 -p category_id --referer "http://[host]/" -u "http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1"

And then I tried everything from _--level 1_ to _5_, from _--risk 1_ to _3_, with and without _--string "Uncategorized"_ (which applies for GET _category_id=1_), and even _--prefix " union select " --suffix " -- 1"_; all with no luck.

In the end I removed all of the previous flags until I was finally able to exploit an _OR boolean-based blind - WHERE or HAVING clause_ and a _MySQL > 5.0.11 OR time-based blind_ inject, only when using _--risk 3 --level 2_; there was also a _MySQL < 5.0.12 AND time-based blind (heavy query)_ on _--risk 2 --level 2_, but it was too much for the server.

But still, no way to exploit the actual UNION flaw via sqlmap. Any clue?

--
Emiliano
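As an added defender-side example (not part of Emiliano's post, the advisory, or sqlmap itself): a small Python detector that walks web server access log lines, decodes each query-string parameter, and flags `UNION ... SELECT` payloads while counting the columns in the select list. The column count is the useful triage signal here: the advisory's PoC uses 10 columns, and a scanner probing a `--union-cols 9-11` range shows up as a run of requests with 9, 10 and 11 columns. The log lines below are constructed for this example (documentation IP addresses, request paths copied from the post); the `find_union_injections` and `count_columns` names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in Apache combined log format (not taken from any real server).
# Line 2 is the advisory's PoC, line 3 is a scanner-style 9-column probe,
# line 4 is a benign site search whose text merely contains the words "union select".
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2011:21:10:01 +0000] "GET /wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2011:21:10:07 +0000] "GET /wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2011:21:10:09 +0000] "GET /wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2011:21:11:00 +0000] "GET /?s=union+select HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# UNION [ALL] SELECT <select list> terminated by FROM, a comment marker, or end of value.
UNION_RE = re.compile(
    r'\bunion\b(?:\s+all)?\s+select\b(?P<cols>.*?)(?:\s+from\b|\s*(?:--|#|/\*)|$)',
    re.IGNORECASE | re.DOTALL,
)


def count_columns(select_list):
    """Count top-level comma-separated expressions; commas inside parentheses
    (e.g. concat(a,b)) do not start a new column. Empty list -> 0."""
    if not select_list.strip():
        return 0
    depth, cols = 0, 1
    for ch in select_list:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth = max(0, depth - 1)
        elif ch == ',' and depth == 0:
            cols += 1
    return cols


def find_union_injections(log_text):
    """Return one finding per parameter whose decoded value carries a UNION SELECT."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group('target')).query
        # keep_blank_values so a bare "admin" flag parameter is not dropped;
        # parse_qsl decodes once, the extra unquote_plus catches double-encoded payloads.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote_plus(value)
            um = UNION_RE.search(decoded)
            if um is None:
                continue
            findings.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'param': name,
                'columns': count_columns(um.group('cols')),
                'status': int(m.group('status')),
            })
    return findings


if __name__ == '__main__':
    for f in find_union_injections(SAMPLE_LOG):
        confidence = 'high' if f['columns'] > 0 else 'low'
        print(f"{f['ts']} {f['ip']} param={f['param']} columns={f['columns']} "
              f"status={f['status']} confidence={confidence}")
```

A finding with zero columns (the `?s=union+select` search) is reported but marked low confidence, since a real UNION payload always carries a select list; a cluster of consecutive requests from one client whose column count steps through a narrow range is the pattern worth alerting on, because that is what column-count probing against a parameter like `category_id` looks like from the server side.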