[sqlmap-users] avoiding comma characters
Brought to you by:
inquisb
From: Stiefenhofer, M. <M.S...@r-...> - 2012-04-24 11:37:38
|
Just wanted to share some of my ideas: It is not the first time, that during a penetration test, we came over an obviously blind-SQL-injectable WebApp, that uses comma characters to split the input somehow. Hence we can't use comma within the injection expression. Usually this is a dead end, because comma characters are needed in different SQL functions which are essential for data extraction. In case sqlmap is useless or would require huge modifications, we sometimes use a set of individual scripts to craft our sql injection attacks. In the mentioned case we accomplished data extraction by avoiding all comma characters in our scripts, because the backend DB is mysql. What did we do: 1.) Found boolean injection vector. 2.) Problem Substrings: instead of SUBSTR(expression,[start],[length]) we've used SUBSTRING(expression FROM [start] FOR [length) 3.) Problem multiline results: instead of LIMIT [offset],1 we've uses LIMIT 1 OFFSET [offset] Now we consider to implement this approach in a general way in sqlmap, but there seem to be some pitfalls left. Please feel free to comment our ideas: 1.) Fingerprinting and version determination: There are special functions used, some of them require commas. How can we avoid that? 2.) Where to implement: a) replace existing query definitions (how compatible is our syntax especially with older mysql releases?) b) write a tamper module: Seems to be hard, since SQL Statements have to be matched and rewritten c) implement another db-backend, which is in fact a special variant of the mysql-backend 3.) Techniques: Are we stuck to boolean or are other techniques possible? 4.) Generalization: Are there similar approaches for the other backends? Hopefully yes, because the SUBSTRING/FROM/FOR notation is SQL standard -marek |