Re: [sqlmap-users] Injecting into LIMIT ints
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Injecting into LIMIT ints
|
From: Chris O. <chr...@gm...> - 2012-08-03 16:37:31
|
Thanks Miroslav, I'll give it a go! On 3 August 2012 16:15, Miroslav Stampar <mir...@gm...> wrote: > Hi Chris. > > In those kind of cases UNION injection should be a solution. > > As LIMIT doesn't accept subquery as an operand you have to append a UNION > ALL SELECT to the original value (foo in your case) and necessarily add a > comment to the end (e.g. --) to neutralize that second operand of affected > LIMIT part. > > To make it short, LIMIT doesn't accept subqueries and standard non-UNION > based injection techniques should fail (as they "seed" their payload into > the affected SQL form - in this case LIMIT). > > Kind regards, > Miroslav Stampar > > On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley <chr...@gm... > > wrote: > >> Hi All >> >> I have found that an application has a rewritten URL element that ends up >> in a SQL query. The error message tells me that I'm injecting into the >> LIMIT number at the end of the query. This appears to be the only point of >> injection for now. >> >> A simplified version of the query that's being injected into is: >> >> SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, >> created_date DESC LIMIT foo, 10 >> >> 'foo' is my injection and of course gives a syntax error. >> >> I know that apostrophes/ticks (as in the ' character) are blocked as a >> minimum. >> >> Does anyone have any experience injecting this late in a query? Any >> ideas would be greatly received. >> >> Regards >> >> Chris >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > |
