Re: [sqlmap-users] custom query not possible stacked query are essential
From: Miroslav S. <mir...@gm...> - 2013-02-20 14:12:37
p.s. 15 days ago there was no such warning for "INTO OUTFILE" but also it (silently) didn't work

On Wed, Feb 20, 2013 at 3:11 PM, Miroslav Stampar <mir...@gm...> wrote:

> Do you see that warning: "execution of custom SQL queries is only
> available when stacked queries are supported". Do you know what it
> means?
>
> I've said that you need stacking -> you need to have "STACKED" technique
> available for exploitation. In your case that's not the case.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Feb 20, 2013 at 3:05 PM, ml <ml...@sm...> wrote:
>
>> On 2013-02-20 14:52, Miroslav Stampar wrote:
>>
>>> p.s. problem is that INTO OUTFILE affects only the SELECT query where
>>> it is supposed to be done. In your case you have one query which is
>>> INJECTABLE and one separate CUSTOM query which needs to include INTO
>>> OUTFILE -> this is a conflict which requires usage of stacking (or you
>>> can try to exploit it manually using original query)
>>
>> sql-shell> 1;select 0x3c*******e into dumpfile
>> "/www/doc/www.**************.**cz/www/new/upload.php";
>> [15:01:16] [WARNING] execution of custom SQL queries is only available
>> when stacked queries are supported
>>
>> in the case of a concrete example I get this even with stacking
>>
>>> On Wed, Feb 20, 2013 at 2:48 PM, Miroslav Stampar
>>> <mir...@gm...> wrote:
>>>
>>>> For using "INTO OUTFILE" in a specific SELECT query you need stacking
>>>> (or you can try to exploit it manually). We can't help you here.
>>>>
>>>> Bye
>>>>
>>>> On Wed, Feb 20, 2013 at 2:45 PM, ml <ml...@sm...> wrote:
>>>>
>>>>> On 2013-02-20 09:53, Miroslav Stampar wrote:
>>>>>
>>>>>> --sql-query WORKS (tested this moment with ERROR based-only technique
>>>>>> using query "SELECT id FROM users")
>>>>>> --sql-shell WORKS (tested this moment with ERROR based-only technique
>>>>>> using query "SELECT id FROM users")
>>>>>>
>>>>>> To distinguish things a bit. Query is a SQL command that starts with
>>>>>> "SELECT". Non-query statements (INSERT/UPDATE/DELETE...) require
>>>>>> "stacking".
>>>>>>
>>>>>> You haven't stated what switch you have used, nor which
>>>>>> query/non-query command you have tried, nor which techniques were
>>>>>> available in your case... Nothing.
>>>>>
>>>>> I tried an application style
>>>>>
>>>>> select 0x3a into outfile './test.txt'
>>>>>
>>>>> and that
>>>>>
>>>>> the shell answers an error
>>>>> custom queries are not available
>>>>>
>>>>> simple query style
>>>>> SELECT id FROM users works
>>>>>
>>>>> but when you add into dumpfile or outfile it does not work
>>>>>
>>>>> I tried putting 1; in front of the stack, with no more success
>>>>>
>>>>> there is a problem
>>>>>
>>>>>> On Tue, Feb 19, 2013 at 11:37 PM, ml <ml...@sm...> wrote:
>>>>>>
>>>>>>> hello guru
>>>>>>>
>>>>>>> I ask you for a little help.
>>>>>>> all the "custom query" are no longer possible
>>>>>>> to execute custom query sqlmap answers the "stacked query" are not
>>>>>>> supported.
>>>>>>>
>>>>>>> which implies that lines of code that executed 15 days ago do
>>>>>>> not work anymore
>>>>>>>
>>>>>>> please provide a little help
>>>>>>>
>>>>>>> sincerely
>>>>>>> --
>>>>>>> gpg --keyserver pgp.mit.edu --recv-key C2626742
>>>>>>> http://about.me/fakessh
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> gpg --keyserver pgp.mit.edu --recv-key C2626742
>>>>> http://about.me/fakessh
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> gpg --keyserver pgp.mit.edu --recv-key C2626742
>> http://about.me/fakessh
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
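
Added example, not part of the original thread and not sqlmap code: a log-review check for the file-write clause discussed above. It scans SQL statement text for INTO OUTFILE / INTO DUMPFILE outside string literals and reports the target path; the function name and the sample statements (apart from the thread's own "select 0x3a into outfile './test.txt'") are constructed for illustration.

```python
import re

# Quoted literals: '...' or "...", allowing backslash and doubled-quote escapes.
_STRING = re.compile(r"'(?:[^'\\]|\\.|'')*'" r'|"(?:[^"\\]|\\.|"")*"', re.S)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# After masking, a literal appears as \x00<index>\x00.
_FILE_WRITE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+\x00(\d+)\x00", re.I)
_HEX = re.compile(r"\b0x[0-9a-f]+\b", re.I)


def find_file_writes(sql):
    """Return one dict per INTO OUTFILE/DUMPFILE clause found in `sql`."""
    literals = []

    def stash(match):
        literals.append(match.group(0)[1:-1])
        return "\x00%d\x00" % (len(literals) - 1)

    # Mask literals first so the keywords inside quoted data do not match,
    # then turn /* ... */ comments into whitespace between keywords.
    masked = _COMMENT.sub(" ", _STRING.sub(stash, sql))
    return [
        {
            "clause": m.group(1).upper(),
            "path": literals[int(m.group(2))],
            "hex_literal": bool(_HEX.search(masked)),
        }
        for m in _FILE_WRITE.finditer(masked)
    ]


# Constructed sample statements; the second is the query quoted in the thread.
SAMPLES = [
    "SELECT id FROM users",
    "select 0x3a into outfile './test.txt'",
    "SELECT title FROM posts WHERE body LIKE '%into outfile \"x\"%'",
    'SELECT name FROM t INTO/**/DUMPFILE "/tmp/constructed.bin"',
]

if __name__ == "__main__":
    for statement in SAMPLES:
        print(find_file_writes(statement) or "clean", "<-", statement)
```

On the MySQL side, the FILE privilege and the secure_file_priv setting decide whether such a clause can write a file at all, so a hit from this check is worth correlating with both.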