[sqlmap-users] "union all select" vs. "union select"
From: <bu...@gm...> - 2012-02-21 20:14:37
Hi,

Recently I had a union-based SQLi vulnerability that sqlmap was not able to detect (I'm not sure if I used --level=4, but I think so). After having a look at sqlmap's requests by routing them through a proxy, I saw that the only difference between my manual tests and sqlmap's was that sqlmap used "union all select" and I used "union select", and it was only detectable/exploitable using "union select".

My quick and dirty 'fix' was to do an automatic on-the-fly search and replace of sqlmap's traffic with Burp (replacing "union all select" with "union select"), but I wanted to share this case with you, and I thought you might want to add some "union select" test cases if there are none.

(I'm sorry I don't remember the DBMS in question - it probably was MSSQL, but I'm not sure anymore.)

Kind regards,
buawig