Re: [sqlmap-users] Simple failed injection
From: Miroslav S. <mir...@gm...> - 2012-09-14 21:55:21
Hi.

I am not sure how you are able to "definitely able to pull out results", as far as I can see the problem lies in the used PHP (an enclosed pair of single quotes within another pair of single quotes):

Bad:
    $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = *'$_COOKIE['sesh']'*)");

Good 1:
    $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = *'$_COOKIE[sesh]'*)");

Good 2:
    $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = '" . *$_COOKIE['sesh'] . "'*)");

With that code of yours you should get an ugly PHP error message:

    "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING"

Also, you could take a look at a similar case here [1].

Kind regards,
Miroslav Stampar

[1] http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html

On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <ss...@ss...> wrote:
> Hi all,
>
> Trying to do a (simple) injection with sqlmap, and I can't seem to coax it
> into getting it right.
> The PHP source looks something like:
>
> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
> sessionid = '$_COOKIE['sesh']')");
>
> and then it displays the fields it pulled out.
>
> The command(s) I've tried look something like ./sqlmap.py -u
> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
> --risk=5. However, the only injection point it finds is AND/OR time-based
> blind, which is horribly slow. Of course, manually, I can do a
> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
> I'm definitely able to pull out results.
>
> Anything I can do to push sqlmap in the right direction?
>
> Thanks,
> ss23

--
Miroslav Stampar
http://about.me/stamparm
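Added example (not code from the thread or from sqlmap): the query from the original post written with interpolation PHP actually parses, placed beside the same query as a PDO prepared statement, so that the cookie value reaches the database as a bound parameter instead of becoming part of the SQL text. It assumes an already opened PDO connection in $pdo, which the thread does not show.

```php
<?php
// Assumption (not in the thread): $pdo is an open PDO connection to the
// same MySQL database the original mysql_query() call used.

// The cookie the original script reads; empty string if it is absent.
$sesh = isset($_COOKIE['sesh']) ? $_COOKIE['sesh'] : '';

// 1. Interpolation that PHP accepts (equivalent to "Good 1" / "Good 2" in
//    the reply): inside a double-quoted string the {$...} form may keep the
//    quoted key, whereas '$_COOKIE['sesh']' is the T_ENCAPSED_AND_WHITESPACE
//    parse error. The value is still spliced raw into the statement, so
//    this query remains injectable through the cookie.
$sqlInterpolated = "SELECT userid, custname, custemail, owing FROM custdata AS cd
    WHERE cd.userid = (SELECT userid FROM ccc_users AS cu
                       WHERE sessionid = '{$_COOKIE['sesh']}')";

// 2. Hardened form: the statement text contains only a placeholder and the
//    cookie value is passed separately at execute time, so quote or
//    parenthesis characters in the cookie cannot change the query.
function fetchCustomerBySession(PDO $pdo, $sesh)
{
    $stmt = $pdo->prepare(
        "SELECT userid, custname, custemail, owing FROM custdata AS cd
         WHERE cd.userid = (SELECT userid FROM ccc_users AS cu
                            WHERE sessionid = ?)"
    );
    $stmt->execute([$sesh]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = fetchCustomerBySession($pdo, $sesh);
foreach ($rows as $row) {
    // Same four fields the original script displayed.
    echo htmlspecialchars($row['custname']), "\n";
}
```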