Re: [sqlmap-users] Simple failed injection
From: Stephen S. <ss...@ss...> - 2012-09-14 22:10:02
Hi,

Sorry, my mistake. I just copied the line and altered it to show that the cookie was being used. In the real script, there was no parse error.

Nonetheless, sqlmap cannot pull out results.

Thanks
ss23

On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> I am not sure how you are able to "definitely able to pull out results",
> as as far as I can see the problem lies in the PHP used (an enclosed pair of
> single quotes within another pair of single quotes):
>
> Bad:
> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
> sessionid = *'$_COOKIE['sesh']'*)");
>
> Good 1:
> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
> sessionid = *'$_COOKIE[sesh]'*)");
>
> Good 2:
> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
> sessionid = " . *$_COOKIE['sesh'] . "*)");
>
> With that code of yours you should get an ugly PHP error message:
> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>
> Also, you could take a look at a similar case here [1].
>
> Kind regards,
> Miroslav Stampar
>
> [1]
> http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>
> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <ss...@ss...> wrote:
>
>> Hi all,
>>
>> Trying to do a (simple) injection with sqlmap, and I can't seem to coax
>> it into getting it right.
>> The PHP source looks something like:
>>
>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>> sessionid = '$_COOKIE['sesh']')");
>>
>> and then it displays the fields it pulled out.
>>
>> The command(s) I've tried look something like ./sqlmap.py -u
>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>> --risk=5. However, the only injection point it finds is AND/OR time-based
>> blind, which is horribly slow. Of course, manually, I can do a
>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>> I'm definitely able to pull out results.
>>
>> Anything I can do to push sqlmap in the right direction?
>>
>> Thanks,
>> ss23
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
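The parse error Miroslav describes, the interpolated query that the thread is actually testing against, and a parameterised version of the same query, as an added example that is not code from the thread. It uses PDO in place of the thread's mysql_* calls; the DSN, credentials and the alphanumeric session-id format are assumptions.

```php
<?php
// Added example, not from the thread. Table and column names are those quoted
// in the thread; the DSN and credentials are placeholders.

$sesh = $_COOKIE['sesh'] ?? '';

// 1. The line as quoted in the first mail. Inside a double-quoted string PHP's
//    simple interpolation does not accept a quoted array key, so the inner
//    'sesh' stops the parser ("unexpected T_ENCAPSED_AND_WHITESPACE").
// $sql = "... WHERE sessionid = '$_COOKIE['sesh']')";

// 2. Parses (the "Good 1" form), but the cookie value is still spliced into the
//    SQL text. A single quote in the cookie closes the string literal and the
//    remainder of the value is interpreted as SQL, which is the behaviour the
//    thread is probing with sqlmap and by hand.
$vulnerable = "SELECT userid, custname, custemail, owing FROM custdata AS cd "
    . "WHERE cd.userid = (SELECT userid FROM ccc_users AS cu "
    . "WHERE sessionid = '$sesh')";

// 3. Hardened: send the query and the value separately. The driver binds the
//    cookie as data, so no character in it can alter the query structure.
//    Assumption: session ids are alphanumeric; rejecting anything else early
//    is defence in depth, not the fix itself.
if ($sesh === '' || !ctype_alnum($sesh)) {
    http_response_code(400);
    exit('invalid session');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$stmt = $pdo->prepare(
    'SELECT userid, custname, custemail, owing FROM custdata AS cd '
    . 'WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = :sesh)'
);
$stmt->execute([':sesh' => $sesh]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```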