Re: [sqlmap-users] Subquery payloads on mysql <4.1
From: Till .c. <ti...@ho...> - 2011-07-13 12:55:26
I've found a way around it.

This query is invalid:

    1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32)) FROM randomtable),1,1)) > 51

This is valid:

    1234 AND 1 = 0 UNION SELECT ORD(MID(IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32)),1,1)) AS ENTR,id FROM randomtable GROUP BY id HAVING ENTR > 51

The same way it would be possible to dump table content.

Necessary for this kind of payload is:
- an injection point which just checks if the query returns a result at all.
- knowledge of the number of selected columns
- knowledge of one column name

Cheers
- Till

> Date: Tue, 12 Jul 2011 23:45:41 +0200
> Subject: Re: [sqlmap-users] Subquery payloads on mysql <4.1
> From: mir...@gm...
> To: ti...@ho...
> CC: sql...@li...
>
> found one (VM) and done some tests :)
>
> you are right, subqueries can't be used on MySQL < 4.1 which means
> that sql injection there is of no significant value (e.g. dumping of
> table content which inherently requires subquerying mechanism).
>
> kr
>
> On Tue, Jul 12, 2011 at 11:23 PM, Miroslav Stampar
> <mir...@gm...> wrote:
> > ok, got the point.
> >
> > also seen the same thing on Twitter few days ago, maybe it was you :)
> >
> > two things:
> > A) does anyone have experience with subqueries on MySQL < 4.1?
> > B) is there some VM around that carry for example MySQL 3.x ready for testing?
> >
> > kr
> >
> > On Tue, Jul 12, 2011 at 1:01 PM, Till .ch <ti...@ho...> wrote:
> >> Hi
> >>
> >> Lately I've been playing with sqlmap and a 4.0 mysql server. Sqlmap detected
> >> the injection point just fine, but struggled with gathering information
> >> about other tables.
> >> I guess this happened due to the fact as subqueries have been introduced
> >> with mysql >=4.1 (http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html)
> >> and thus payloads like the following are regarded as an invalid query on
> >> mysql <4.1:
> >>
> >> [PAYLOAD] 1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32))
> >> FROM randomtable),1,1)) > 51
> >>
> >> Best Regards
> >> Till
> >>
> >> _______________________________________________
> >> sqlmap-users mailing list
> >> sql...@li...
> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> > --
> > Miroslav Stampar (@stamparm)
> >
> > E-mail: miroslav.stampar (at) gmail.com
> > PGP Key ID: 0xB5397B1B
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
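Added here as an illustration for the defensive side of the thread (example code, not part of the mailing list post or of sqlmap): a small access-log scanner showing that a detection rule keyed only on the scalar-subquery payload misses the UNION/GROUP BY/HAVING rewrite Till describes, so log and WAF signatures need to cover both shapes. The log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed Apache-style access log lines (not from the thread). Requests 2
# and 3 carry the two payload shapes Till posted: the subquery form that
# MySQL < 4.1 rejects, and the UNION/GROUP BY/HAVING rewrite that needs none.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2011:12:55:26 +0000] "GET /item.php?id=1234 HTTP/1.1" 200 512
10.0.0.5 - - [13/Jul/2011:12:55:27 +0000] "GET /item.php?id=1234+AND+ORD(MID((SELECT+IFNULL(CAST(COUNT(*)+AS+CHAR),CHAR(32))+FROM+randomtable),1,1))+%3E+51 HTTP/1.1" 200 512
10.0.0.5 - - [13/Jul/2011:12:55:28 +0000] "GET /item.php?id=1234+AND+1+%3D+0+UNION+SELECT+ORD(MID(IFNULL(CAST(COUNT(*)+AS+CHAR),CHAR(32)),1,1))+AS+ENTR,id+FROM+randomtable+GROUP+BY+id+HAVING+ENTR+%3E+51 HTTP/1.1" 200 512
"""

# Rule names are my own. Each regex runs over the normalised parameter value.
RULES = {
    "subquery": re.compile(r"\(\s*select\b"),                       # needs MySQL >= 4.1
    "union-having": re.compile(r"\bunion\s+select\b.*\bhaving\b"),  # Till's rewrite
    "char-extract": re.compile(r"\bord\s*\(\s*mid\s*\("),           # byte-at-a-time compare
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def normalise(value: str) -> str:
    # Second decode pass catches double-encoded input; fold case and
    # collapse whitespace so an encoded space cannot split a keyword.
    return re.sub(r"\s+", " ", unquote_plus(value)).lower()

def classify(value: str) -> set:
    # Names of every rule that fires on one parameter value.
    text = normalise(value)
    return {name for name, rx in RULES.items() if rx.search(text)}

def scan_log(log: str) -> list:
    # (line number, parameter, matched rules) for each suspicious parameter.
    hits = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for param, values in parse_qs(urlparse(m.group(1)).query).items():
            for v in values:
                rules = classify(v)
                if rules:
                    hits.append((lineno, param, rules))
    return hits

for lineno, param, rules in scan_log(SAMPLE_LOG):
    print(f"line {lineno}: {param} -> {', '.join(sorted(rules))}")
```

Request 3 never triggers the "subquery" rule, which is exactly the gap a signature written against the original sqlmap payload would have.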