Re: [sqlmap-users] false negative on generic UNION inject?
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-24 23:52:35
Hi Emiliano,

On 24 April 2011 22:21, Emiliano Bazaes <emi...@7e...> wrote:
> ...
> Here's this poc provided in the advisory:
>
> http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201
>
> As you can see there's a 10-column UNION, of which columns 2 and 10 are
> rendered on the page; so when you try the above proof-of-concept on a
> vulnerable target it should render a single-item dropdown box in the format:
>
> db_user (db_version)
>
> However, I couldn't seem to be able to exploit it via sqlmap
> ...

The detection engine fails to detect this specific UNION query SQL injection because the HTTP response bodies for a valid and an invalid number of injected columns differ very little.

In order to avoid this problem, you can run sqlmap with the --text-only switch, where only the proper text of the response bodies is considered for matching/comparison (by excluding HTML tags, scripts, etc. - see the user's manual for details).

Regards,
Bernardo and Miroslav

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
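The reply above explains the miss as a comparison problem: two responses that differ only in a small dropdown look almost identical when the whole HTML body (inline scripts, markup) is compared, but clearly different once only the visible text is compared. The following Python script is an added illustration of that effect; it is not code from the thread or from sqlmap. The two response bodies are constructed samples (a page dominated by an inline script, with one small dropdown that is either rendered or empty), the text-only extraction is a minimal stand-in for what the --text-only switch does, and the difflib sequence ratio and the 0.95 threshold are assumptions used only to show the difference in scores.

```python
import difflib
from html.parser import HTMLParser


class TextOnly(HTMLParser):
    """Collects text nodes, skipping everything inside <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def text_only(html):
    """Return the visible text of an HTML body with whitespace collapsed.

    Stand-in for text-only comparison; not sqlmap's own implementation."""
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())


def similarity(a, b):
    """Sequence ratio in [0, 1]; autojunk disabled so long strings are compared fully."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def render_page(options):
    """Constructed sample page: lots of markup and script around one small dropdown."""
    script = "<script>" + "".join(
        f"var e{i}=document.getElementById('n{i}');" for i in range(40)
    ) + "</script>"
    opts = "".join(f'<option value="{v}">{t}</option>' for v, t in options)
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Categories</title>'
        + script
        + '</head><body><div id="nav"><a href="/">Home</a></div>'
        + f'<select id="category">{opts}</select>'
        + '<div id="footer"></div></body></html>'
    )


# Constructed responses (assumption): with the right column count the dropdown is
# rendered; with the wrong count the query fails and the dropdown comes back empty.
RESPONSE_VALID = render_page([("1", "Uncategorized"), ("2", "injected row")])
RESPONSE_INVALID = render_page([])

# Illustrative threshold: bodies scoring above it are treated as "the same page".
SAME_PAGE_THRESHOLD = 0.95


def compare(valid, invalid):
    """Score the two bodies both ways and say whether each view can tell them apart."""
    raw = similarity(valid, invalid)
    text = similarity(text_only(valid), text_only(invalid))
    return {
        "raw": raw,
        "text_only": text,
        "raw_distinguishes": raw < SAME_PAGE_THRESHOLD,
        "text_only_distinguishes": text < SAME_PAGE_THRESHOLD,
    }


if __name__ == "__main__":
    result = compare(RESPONSE_VALID, RESPONSE_INVALID)
    print(f"raw body similarity:  {result['raw']:.3f} "
          f"(distinguishes: {result['raw_distinguishes']})")
    print(f"text-only similarity: {result['text_only']:.3f} "
          f"(distinguishes: {result['text_only_distinguishes']})")
```

With the constructed pages the raw bodies share roughly 1,750 identical characters and differ in about 80, so their ratio sits near 0.98 and a high-threshold comparison calls them the same page; the visible text is "Categories Home Uncategorized injected row" versus "Categories Home", and that ratio drops to about 0.54. The same logic explains the advice in the reply: the less boilerplate enters the comparison, the more weight the few bytes that actually change carry.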