[sqlmap-users] Stack query detection misbehavior
From: David A. <dav...@gm...> - 2013-06-05 10:19:07
Hi,

I have found out a misbehavior in the detection phase. sqlmap detects a stack query injectable with the following request:

    POST /path
    abc=%27%29%3B%20SELECT%20SLEEP%285%29--%20

However, when sqlmap checks if the injection point is a false positive, it's using the following payload:

    abc=%27%29%3B%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20

At this moment, it replies with a false positive or unexploitable point, so the correct payload for MySQL v5.5 will be:

    %27%29%3B%20SELECT%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20

The problem is in line 2028 of the xml/payloads.xml file; the correct one for MySQL v5.5 is:

    <vector>; *SELECT* IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>

payloads.xml:

    ...
    <!-- Stacked queries tests -->
    <test>
        <title>MySQL > 5.0.11 stacked queries</title>
        <stype>4</stype>
        <level>1</level>
        <risk>0</risk>
        <clause>0</clause>
        <where>1</where>
        *<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>*
        <request>
            <payload>; SELECT SLEEP([SLEEPTIME])</payload>
            <comment>-- </comment>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>> 5.0.11</dbms_version>
        </details>
    </test>

Regards
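From the defender's side, the three URL-encoded bodies quoted in the report are useful test input for a request-log or WAF rule that flags stacked time-delay queries; the detector below is an added example written for this post, not code from the poster or from sqlmap. The sample bodies are copied from the message above; the parameter name `abc` and the hypothetical function names are its only assumptions.

```python
import re
from urllib.parse import unquote_plus

# Sample POST bodies, constructed from the three encoded payloads quoted in the report.
SAMPLE_BODIES = {
    "probe": "abc=%27%29%3B%20SELECT%20SLEEP%285%29--%20",
    "false_positive_check": "abc=%27%29%3B%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20",
    "corrected_check": "abc=%27%29%3B%20SELECT%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20",
}

# A statement terminator followed by a SLEEP() call, with or without a SELECT and
# with or without the IF(...) wrapper used by the inference payload in the report.
STACKED_SLEEP = re.compile(
    r";\s*(?P<select>select\s+)?(?:if\s*\(.*?)?sleep\s*\(\s*(?P<seconds>\d+)\s*\)",
    re.IGNORECASE | re.DOTALL,
)


def decode_body(body: str) -> dict:
    """Split a form-encoded body into {parameter: percent-decoded value}."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def flag_stacked_sleep(body: str) -> list:
    """Return one finding per parameter whose decoded value carries a stacked SLEEP() query.

    `select_wrapped` records whether the stacked statement starts with SELECT, i.e.
    whether it is the form that actually executes on MySQL (the point of the report).
    """
    findings = []
    for name, value in decode_body(body).items():
        match = STACKED_SLEEP.search(value)
        if match:
            findings.append({
                "param": name,
                "seconds": int(match.group("seconds")),
                "select_wrapped": match.group("select") is not None,
            })
    return findings
```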