Re: [sqlmap-users] custom query not possible stacked query are essential
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] custom query not possible stacked query are essential
|
From: Miroslav S. <mir...@gm...> - 2013-02-20 14:11:26
|
Do you see that warning: "execution of custom SQL queries is only available when stacked queries are supported". Do you know what does it mean? I've said that you need stacking -> you need to have "STACKED" technique available for exploitation. In your case that's not the case. Kind regards, Miroslav Stampar On Wed, Feb 20, 2013 at 3:05 PM, ml <ml...@sm...> wrote: > Le 2013-02-20 14:52, Miroslav Stampar a écrit : > >> p.s. problem is that INTO OUTFILE affects only the SELECT query where >> is supposed to be done. In your case you have one query which is >> INJECTABLE and one separate CUSTOM query which needs to include INTO >> OUTFILE -> this is a conflict which requires usage of stacking (or you >> can try to exploit it manually using original query) >> > > > > sql-shell> 1;select 0x3c*******e into dumpfile > "/www/doc/www.**************.**cz/www/new/upload.php"; > [15:01:16] [WARNING] execution of custom SQL queries is only available > when stacked queries are supported > > > in the case of a concrete example I get this even with stacking > > > >> On Wed, Feb 20, 2013 at 2:48 PM, Miroslav Stampar >> <mir...@gm...> wrote: >> >> For using "INTO OUTFILE" in a specific SELECT query you need stacking >>> (or you can try to exploit it manually). We can't help you here. >>> >>> Bye >>> >>> On Wed, Feb 20, 2013 at 2:45 PM, ml <ml...@sm...> wrote: >>> >>> Le 2013-02-20 09:53, Miroslav Stampar a écrit : >>>> >>>> --sql-query WORKS (tested this moment with ERROR based-only technique >>>>> using query "SELECT id FROM users") >>>>> --sql-shell WORKS (tested this moment with ERROR based-only technique >>>>> using query "SELECT id FROM users") >>>>> >>>>> To distinguish things a bit. Query is a SQL command that starts with >>>>> "SELECT". Non-query statements (INSERT/UPDATE/DELETE...) require >>>>> "stacking". >>>>> >>>>> You haven't stated what switch have you used, nor which >>>>> query/non-query command have you tried, nor which techniques were >>>>> available in your case... Nothing. >>>>> >>>> >>>> I tried an application style >>>> >>>> select 0x3a into outfile './test.txt' >>>> >>>> and that >>>> >>>> the shell answers a error >>>> custom query are not disponible >>>> >>>> simple query style >>>> SELECT id FROM users works >>>> >>>> but when you add into dumpfile outfile or it does not work >>>> >>>> I tried putting 1; in front of the stack or no more successful >>>> >>>> there is a problem >>>> >>>> On Tue, Feb 19, 2013 at 11:37 PM, ml <ml...@sm...> wrote: >>>>> >>>>> hello guru >>>>>> >>>>>> I ask you a little help. >>>>>> all the "custom query" are no longer possible >>>>>> to execute custom query sqlmap answers the "stacked query" are not >>>>>> supported. >>>>>> >>>>>> what inplique lines of code that execute 15 days ago in the past do >>>>>> not >>>>>> work anymore >>>>>> >>>>>> please provide a little help >>>>>> >>>>>> sincerely >>>>>> -- >>>>>> gpg --keyserver pgp.mit.edu [1] [1] --recv-key C2626742 >>>>>> http://about.me/fakessh [2] [2] >>>>>> >>>>>> >>>>>> ------------------------------**------------------------------** >>>>>> ------------------ >>>>>> Everyone hates slow websites. So do we. >>>>>> Make your web apps faster with AppDynamics >>>>>> Download AppDynamics Lite for free today: >>>>>> http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>[3] [3] >>>>>> ______________________________**_________________ >>>>>> sqlmap-users mailing list >>>>>> sqlmap-users@lists.**sourceforge.net<sql...@li...> >>>>>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>[4] [4] >>>>>> >>>>> >>>>> -- >>>>> Miroslav Stampar >>>>> http://about.me/stamparm [5] [5] >>>>> >>>>> Links: >>>>> ------ >>>>> [1] http://pgp.mit.edu [1] >>>>> [2] http://about.me/fakessh [2] >>>>> [3] http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>[3] >>>>> [4] https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>[4] >>>>> [5] http://about.me/stamparm [5] >>>>> >>>> >>>> -- >>>> gpg --keyserver pgp.mit.edu [1] --recv-key C2626742 >>>> http://about.me/fakessh [2] >>>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm [5] >>> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm [5] >> >> Links: >> ------ >> [1] http://pgp.mit.edu >> [2] http://about.me/fakessh >> [3] http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb> >> [4] https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users> >> [5] http://about.me/stamparm >> > > -- > gpg --keyserver pgp.mit.edu --recv-key C2626742 > http://about.me/fakessh > -- Miroslav Stampar http://about.me/stamparm |
