Re: [sqlmap-users] 32 results from database with 10, 000 rows! (id 90-99, 990-999, 9990-9999)
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] 32 results from database with 10, 000 rows! (id 90-99, 990-999, 9990-9999)
|
From: Tom T. <k1...@li...> - 2011-05-03 09:14:12
|
Excellent! Confirmed fixed :) > Date: Sun, 1 May 2011 17:45:19 +0200 > Subject: Re: [sqlmap-users] 32 results from database with 10, 000 rows! (id 90-99, 990-999, 9990-9999) > From: mir...@gm... > To: k1...@li... > CC: sql...@li... > > hi all. > > it's strange that nobody has noticed this till now :))) > > this bug was (in cases when the pivot column used was an integer > based) trimming/preventing dumping of entire table contents of some > DBMSes supported by sqlmap, like MSSQL, Sybase and MaxDB :) > > thank you Tom very much for this report. thing is that we haven't > noticed it till this report because we use fairly small testing > tables. > > now it should be fixed with the last commit > > kr > > On Mon, Apr 25, 2011 at 11:08 AM, Miroslav Stampar > <mir...@gm...> wrote: > > Hi Tom. > > > > I believe i see the connection with our code. That number ranges have > > the root in programs logic. > > > > Will be fixed in a week. > > > > After that hackers will be able to dump all :) > > > > It's just strange that nobody has noticed this in some two weeks as > > that's the time of affecting commit. > > > > Kr > > On Sunday, April 24, 2011, Tom Thumb <k1...@li...> wrote: > >> > >> > >> > >> > >> > >> When trying to dump a table containing over 10000 entries, only 32 results are returned (rows with id 8, 9, 90-99, 990-999, 9990-9999). All the other data is not dumped, and I can't understand why. > >> Can anyone explain this behaviour? > >> Obviously I'm pleased that my database does not appear to be completely exploitable, but I'm worried that I'm missing something simple, and that there is something a hacker could do to retreive the rest of the data... > >> Test subject is an MSSQL 2005 Database runing on Windows 2003. > >> > > > > -- > > Miroslav Stampar > > > > E-mail: miroslav.stampar (at) gmail.com > > PGP Key ID: 0xB5397B1B > > > > > > -- > Miroslav Stampar > > E-mail: miroslav.stampar (at) gmail.com > PGP Key ID: 0xB5397B1B |
