Re: [sqlmap-users] Injection into columns list
From: Dennis <kor...@ya...> - 2012-07-25 12:17:29
Hey, haven't spent any thinking on a generic approach yet as I was on an Oracle DBMS and did fine. But I see your point... I will give it a thought...

Cheers,
Dennis

On 25.07.2012 12:09, Miroslav Stampar wrote:
> Hi again.
>
> Most generic approach would be to use dummy prefix as "99999 WHERE 1=1", but there are lots of potential pitfalls here (e.g. if column name is delimited with a DBMS specific column name delimiter). We've added a new issue for this [1].
>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/120
>
> On Wed, Jul 25, 2012 at 11:47 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi.
>
> How would you exploit this:
>
> SELECT $_GET['id'] FROM table
>
> on all DBMSes?
>
> Oracle and MySQL have DUAL but what with others? At the end we'll end with 10 new payloads and/or boundaries each of those covering each DBMS.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Jul 25, 2012 at 11:28 AM, Dennis <kor...@ya...> wrote:
>
> I'm not sure about Troy, but I had a similar case recently. I could control the bit of the query between SELECT and FROM, which could be exploited either with nested (SELECT)s or by expanding the query with another FROM [...] UNION SELECT [...] to extend the query. SQLmap did not find the injection. The DBMS was Oracle.
>
> Cheers
>
> On 25.07.2012 00:48, Miroslav Stampar wrote:
>>
>> Hi Troy.
>>
>> More info is required for sure.
>>
>> You mean that you just need a (SELECT...)/subquery type of injection? This is something that we are aware that we need to do.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
>>
>> Evening all,
>>
>> I had an SQL injection into a MySQL5-based web application the other week which involved me having control over the column list being selected. I tried sqlmap against the URL, but it didn't find the injection point. I tried again, taking the --level and --risk a little higher, but still nothing.
>>
>> In the end, I manually exploited it using a sub-select. Was I doing something wrong with sqlmap, or will it not identify injection points like that? I can provide an example of the query the application was using if this helps.
>>
>> Regards,
>>
>> Matt
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
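The thread is about a query of the form `SELECT $_GET['id'] FROM table`, where the attacker controls the column list rather than a value, so the usual quoted-string boundaries sqlmap probes do not apply and a sub-select in column position is enough to read from another table. The example below is an added illustration, not sqlmap code or code from anyone in the thread. It uses an in-memory SQLite database with constructed sample tables (`items`, `secrets`) to show the vulnerable concatenation next to the fix a defender actually has available: identifiers cannot be bound as query parameters, so the column name must be checked against an allowlist before it is spliced into the statement.

```python
"""Column-list injection: vulnerable concatenation vs. identifier allowlist.

Added example (not sqlmap code). The tables and rows are constructed
so the script runs offline against SQLite.
"""
import sqlite3

# Columns the application legitimately lets a user pick (assumption for the example).
ALLOWED_COLUMNS = {"id", "name"}


def make_db():
    """Build a constructed sample database with a public and a sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 'widget');
        CREATE TABLE secrets (token TEXT);
        INSERT INTO secrets VALUES ('constructed-secret');
        """
    )
    return conn


def vulnerable_select(conn, column):
    """Mirrors "SELECT $_GET['id'] FROM table": the column list is raw input."""
    return conn.execute(f"SELECT {column} FROM items").fetchall()


def safe_select(conn, column):
    """Reject any column that is not an allowlisted identifier, then quote it.

    A bound parameter (?) cannot stand in for an identifier, so validation
    has to happen before the string is built.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    # Double quotes are the SQL-standard identifier delimiter; the DBMS-specific
    # delimiter the thread mentions is exactly what a generic payload has to guess.
    return conn.execute(f'SELECT "{column}" FROM items').fetchall()


def demo():
    """Return (vulnerable result, safe result, whether safe_select rejected the payload)."""
    conn = make_db()
    # The sub-select the thread describes: a nested (SELECT) in column position.
    payload = "(SELECT token FROM secrets)"
    leaked = vulnerable_select(conn, payload)
    rejected = False
    try:
        safe_select(conn, payload)
    except ValueError:
        rejected = True
    return leaked, safe_select(conn, "name"), rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unvalidated version returning the row from `secrets` for a plain column-position sub-select, while the allowlisted version raises before the statement is ever sent. The same check also blocks the `99999 WHERE 1=1`-style prefix discussed above, since that is not an allowlisted identifier either.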