Re: [sqlmap-users] Injection into columns list
From: Miroslav S. <mir...@gm...> - 2012-07-25 10:10:04

Hi again.

Most generic approach would be to use dummy prefix as "99999 WHERE 1=1", but there are lots of potential pitfalls here (e.g. if column name is delimited with a DBMS specific column name delimiter).

We've added a new issue for this [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/120

On Wed, Jul 25, 2012 at 11:47 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> How would you exploit this:
>
> SELECT $_GET['id'] FROM table
>
> on all DBMSes?
>
> Oracle and MySQL have DUAL but what with others? At the end we'll end with
> 10 new payloads and/or boundaries each of those covering each DBMS.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Jul 25, 2012 at 11:28 AM, Dennis <kor...@ya...> wrote:
>> I'm not sure about Troy, but I had a similar case recently. I could
>> control the bit of the query between SELECT and FROM, which could be
>> exploited either with nested (SELECT)s or by expanding the query with
>> another FROM [...] UNION SELECT [...] to extend the query. SQLmap did not
>> find the injection. The DBMS was Oracle.
>>
>> Cheers
>>
>> On 25.07.2012 00:48, Miroslav Stampar wrote:
>>
>> Hi Troy.
>>
>> More info is required for sure.
>>
>> You mean that you just need a (SELECT...)/subquery type of injection?
>> This is something that we are aware that we need to do.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
>>> Evening all,
>>>
>>> I had an SQL injection into a MySQL5-based web application the other
>>> week which involved me having control over the column list being selected.
>>> I tried sqlmap against the URL, but it didn't find the injection point. I
>>> tried again, taking the --level and --risk a little higher, but still
>>> nothing.
>>>
>>> In the end, I manually exploited it using a sub-select. Was I doing
>>> something wrong with sqlmap, or will it not identify injection points like
>>> that? I can provide an example of the query the application was using if
>>> this helps.
>>>
>>> Regards,
>>>
>>> Matt
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
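The query the thread revolves around, `SELECT $_GET['id'] FROM table`, cannot be repaired with a bound parameter, because column names are identifiers rather than values and no driver lets you bind them. The only reliable control is an allow-list check before the name is placed in the SELECT list, with the name then wrapped in the DBMS's own identifier delimiter, the very delimiter Miroslav names as a pitfall for the generic probe. The following is an added example from the editor, not code from the thread or from sqlmap, and it is written in Python rather than the PHP the quoted snippet implies; `ALLOWED_COLUMNS`, `IDENT_DELIMITERS`, `is_safe_column` and `build_select` are names chosen for illustration, and the delimiter mapping is an assumption limited to the four engines the thread mentions.

```python
import re

# Constructed allow-list: the only column names the application will ever
# place in the SELECT list. Anything outside this set is rejected outright.
ALLOWED_COLUMNS = frozenset({"id", "name", "created_at"})

# Identifier delimiters per DBMS (assumed mapping for the engines named in
# the thread). MySQL uses backticks, Oracle and PostgreSQL use double quotes,
# SQL Server accepts square brackets.
IDENT_DELIMITERS = {
    "mysql": ("`", "`"),
    "oracle": ('"', '"'),
    "postgresql": ('"', '"'),
    "mssql": ("[", "]"),
}

# A bare identifier: a letter or underscore, then up to 63 more word characters.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_safe_column(name) -> bool:
    """True only if `name` is a well-formed identifier AND on the allow-list."""
    return (
        isinstance(name, str)
        and bool(_IDENT_RE.match(name))
        and name in ALLOWED_COLUMNS
    )


def quote_ident(name: str, dbms: str) -> str:
    """Wrap an already-validated identifier in the DBMS delimiter."""
    if not _IDENT_RE.match(name):
        raise ValueError(f"malformed identifier: {name!r}")
    try:
        left, right = IDENT_DELIMITERS[dbms]
    except KeyError:
        raise ValueError(f"unsupported dbms: {dbms!r}") from None
    return f"{left}{name}{right}"


def build_select(column: str, table: str, dbms: str) -> str:
    """Safe replacement for "SELECT $_GET['id'] FROM table".

    `column` is the caller-supplied value; `table` is fixed by the application.
    Raises ValueError instead of emitting a query when the column is not allowed.
    """
    if not is_safe_column(column):
        raise ValueError(f"column not permitted: {column!r}")
    return f"SELECT {quote_ident(column, dbms)} FROM {quote_ident(table, dbms)}"


if __name__ == "__main__":
    # Constructed inputs: one legitimate request, then the probe prefix and the
    # sub-select shape discussed in the thread, which must all be refused.
    print(build_select("name", "users", "mysql"))
    for bad in ("99999 WHERE 1=1", "(SELECT 1)", "id`", ""):
        try:
            build_select(bad, "users", "oracle")
        except ValueError as exc:
            print("rejected:", exc)
```

The allow-list is the actual control; the delimiter only guarantees that an accepted name is parsed as an identifier and never as SQL. Two caveats when porting this: Oracle and PostgreSQL treat quoted identifiers as case-sensitive (Oracle folds unquoted names to upper case, PostgreSQL to lower case), so the allow-list must hold the names exactly as the columns were created, and a test that forces a query through with a value such as `99999 WHERE 1=1` should fail at the application boundary, as here, rather than at the database.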