[sqlmap-users] avoiding comma characters

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Just wanted to share some of my ideas:

It is not the first time, that during a penetration test, we came over
an obviously blind-SQL-injectable WebApp, that uses comma characters to
split the input somehow. Hence we can't use comma within the injection
expression.
Usually this is a dead end, because comma characters are needed in
different SQL functions which are essential for data extraction.

In case sqlmap is useless or would require huge modifications, we
sometimes use a set of individual scripts to craft our sql injection
attacks. In the mentioned case we accomplished data extraction by
avoiding all comma characters in our scripts, because the backend DB is
mysql.

What did we do:
1.) Found boolean injection vector.
2.) Problem Substrings: instead of SUBSTR(expression,[start],[length])
we've used SUBSTRING(expression FROM [start] FOR [length)
3.) Problem multiline results: instead of LIMIT [offset],1 we've uses
LIMIT 1 OFFSET [offset]

Now we consider to implement this approach in a general way in sqlmap,
but there seem to be some pitfalls left. Please feel free to comment our
ideas:

1.) Fingerprinting and version determination: There are special
functions used, some of them require commas. How can we avoid that?
2.) Where to implement:
	a) replace existing query definitions (how compatible is our
syntax especially with older mysql releases?)
	b) write a tamper module: Seems to be hard, since SQL Statements
have to be matched and rewritten
	c) implement another db-backend, which is in fact a special
variant of the mysql-backend
3.) Techniques: Are we stuck to boolean or are other techniques
possible?
4.) Generalization: Are there similar approaches for the other backends?
Hopefully yes, because the SUBSTRING/FROM/FOR notation is SQL standard

-marek