[sqlmap-users] Question or feature request: page vulnerable to UNION limits output which prevents t
From: Vladimir R. <rut...@gm...> - 2011-08-09 20:34:10
Hello!

Consider the following example of a vulnerability. The server has PHP and MySQL 5.X. The URL

    http://example.com/list.php?filter=text

outputs a list of items that match the filter and is vulnerable to the following SQL injection:

    http://example.com/list.php?filter=' UNION SELECT 1,2,3 --

This will show one row with some values 1, 2 and 3.

sqlmap works with such a URL when queried in the following way:

    $ ./sqlmap.py -u http://example.com/list.php?filter=text \
        -p filter --prefix "' " --suffix ' -- ' --tables -D db

--- it will output the list of tables in the `db' database.

The problem is that the vulnerable list.php script limits the number of outputted items --- it always shows only the first 10 items, omitting the others at the PHP level (without using the MySQL LIMIT clause), so sqlmap incorrectly detects the number of columns, number of rows etc. --- always limiting the number of items to 10.

I looked in the documentation and didn't find any options for splitting enumeration requests into a bunch of requests limited by some number of outputted items (e.g. query all table rows, selecting 10 rows per query).

Can you add such options or tell me how I can achieve my goal with the current version of sqlmap (I'm using the trunk version)?

Also, I want to propose checking whether all of the requested items were received by adding an extra UNION SELECT at the end with some end mark and checking whether that end mark is received. I don't know the details of the sqlmap implementation, so I'm not sure whether my proposal is correct.

Thanks in advance,
Vladimir Rutsky
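An added example, not part of the original message and not sqlmap code: a Python/sqlite3 stand-in for the list.php behaviour described above (the table, column and function names are assumptions, and SQLite stands in for MySQL). It shows that the 10-item cut happens only after the database has returned every row, so it is a display detail rather than a control, and that binding the filter as a parameter removes the UNION injection itself.

```python
import sqlite3

PAGE_CAP = 10  # the page shows at most 10 items, cut in application code
PAYLOAD = "' UNION SELECT 1,2,3 -- "  # filter value quoted in the message

def make_db():
    """Constructed sample data: 25 items that all match filter 'text'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, category TEXT, price INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(i, "text", i * 10) for i in range(1, 26)])
    return db

def list_vulnerable(db, flt):
    """Hypothetical list.php logic: concatenated SQL, cap applied afterwards."""
    sql = "SELECT id, category, price FROM items WHERE category = '" + flt + "'"
    rows = db.execute(sql).fetchall()      # database returns every matching row
    return rows[:PAGE_CAP], len(rows)      # (rows shown, rows actually fetched)

def list_hardened(db, flt):
    """Filter bound as a parameter; the cap is enforced in SQL with LIMIT."""
    sql = ("SELECT id, category, price FROM items "
           "WHERE category = ? ORDER BY id LIMIT ?")
    return db.execute(sql, (flt, PAGE_CAP)).fetchall()

if __name__ == "__main__":
    db = make_db()
    shown, fetched = list_vulnerable(db, "text")
    print("normal request:", len(shown), "shown of", fetched, "fetched")
    shown, fetched = list_vulnerable(db, PAYLOAD)
    print("injected filter, vulnerable:", shown)
    print("injected filter, hardened:  ", list_hardened(db, PAYLOAD))
```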