[sqlmap-users] custom blind SQL enumeration query?
From: Robert R. <rr...@gs...> - 2013-10-16 23:11:42
I've got a case where I'm trying to enumerate MS SQL table names, but the user doesn't have access to dbname..sysobjects. It does have access to INFORMATION.SCHEMA though. The vulnerability is a blind SQL and there are a number of filters confounding the effort, including certain character sequences, query length, etc.

I've got a process working manually along the lines of (from memory, may not be 100%):

VulnerableQueryParam=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION.SCHEMA AS XYZ WHERE TABLE_CATALOG=CHAR(103)<snip>CHAR(98) AND TABLE_NAME LIKE [Test Case]) > 0

Where [Test Case] is an iteration of

CHAR(65)+CHAR(37) // A%
CHAR(66)+CHAR(37) // B%
CHAR(68)+CHAR(37) // C%

I can tell by the output which are matching and which are not (elementary stuff, basically). Of course, once the first character is found, I repeat with known good characters at position 2:

CHAR(103)+CHAR(65)+CHAR(37) // gA%
CHAR(103)+CHAR(65)+CHAR(37) // gB%

Is it possible for me to basically automate this with sqlmap? I can't seem to get it to find this query using its own process. I'd like to just be able to put a '*' or equivalent somewhere in the input URL to indicate where it should insert the CHAR() values, and pass it a --not-string in this case to distinguish true from false.

Thanks for any input you can provide!

Bob
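What the probing pattern described in this post looks like from the server side, as an added example that is not part of the original post or of sqlmap: a Python script that parses web access-log lines, decodes CHAR()+CHAR() concatenations back into the LIKE prefix being tested, and flags a client that walks INFORMATION_SCHEMA one character at a time. The log lines, client addresses, the /item?id= endpoint and the INFORMATION_SCHEMA.TABLES target are all constructed for the example (query strings are shown URL-decoded for readability); the "deepest probe" it reports is the longest prefix the client got to, which is what an incident responder wants to know when assessing how much of the schema was recovered.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the original post). Client 10.0.0.5 runs
# a character-by-character LIKE search over INFORMATION_SCHEMA.TABLES; 10.0.0.9 is
# a normal request; 10.0.0.7 sends a single probe, below the reporting threshold.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2013:23:01:01 +0000] "GET /item?id=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE CHAR(65)+CHAR(37)) > 0 HTTP/1.1" 200 512
10.0.0.5 - - [16/Oct/2013:23:01:02 +0000] "GET /item?id=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE CHAR(71)+CHAR(37)) > 0 HTTP/1.1" 200 1844
10.0.0.5 - - [16/Oct/2013:23:01:03 +0000] "GET /item?id=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE CHAR(103)+CHAR(65)+CHAR(37)) > 0 HTTP/1.1" 200 1844
10.0.0.5 - - [16/Oct/2013:23:01:04 +0000] "GET /item?id=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE CHAR(103)+CHAR(66)+CHAR(37)) > 0 HTTP/1.1" 200 512
10.0.0.9 - - [16/Oct/2013:23:01:05 +0000] "GET /item?id=1550 HTTP/1.1" 200 1844
10.0.0.7 - - [16/Oct/2013:23:01:06 +0000] "GET /item?id=1550 AND (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE CHAR(65)+CHAR(37)) > 0 HTTP/1.1" 200 512
"""

# Common Log Format; the request path is matched non-greedily because an
# injected query contains spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>.*?) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+)$'
)
CHAR_RE = re.compile(r'CHAR\((\d+)\)', re.IGNORECASE)
# A LIKE operand built purely from CHAR() calls joined with '+', as in the post.
LIKE_RE = re.compile(r'LIKE\s+((?:CHAR\(\d+\)\s*\+\s*)*CHAR\(\d+\))', re.IGNORECASE)
SCHEMA_RE = re.compile(r'INFORMATION_SCHEMA', re.IGNORECASE)


def decode_char_concat(expr):
    """Turn 'CHAR(103)+CHAR(65)+CHAR(37)' into the string it builds ('gA%')."""
    return ''.join(chr(int(n)) for n in CHAR_RE.findall(expr))


def extract_probe(path):
    """Return the decoded LIKE pattern from a request path, or None if absent."""
    m = LIKE_RE.search(path)
    if not m:
        return None
    return decode_char_concat(m.group(1))


def find_enumeration_runs(log_text, min_probes=3):
    """Group CHAR()-encoded LIKE probes against INFORMATION_SCHEMA by client.

    Returns {ip: {'probe_count', 'patterns', 'deepest_probe'}} for every client
    that issued at least min_probes such requests. deepest_probe is the last of
    the longest patterns seen, with the trailing '%' wildcard stripped.
    """
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('path')
        if not SCHEMA_RE.search(path):
            continue
        pattern = extract_probe(path)
        if pattern is None:
            continue
        probes[m.group('ip')].append(pattern)

    findings = {}
    for ip, patterns in probes.items():
        if len(patterns) < min_probes:
            continue
        deepest = max(reversed(patterns), key=len)
        findings[ip] = {
            'probe_count': len(patterns),
            'patterns': patterns,
            'deepest_probe': deepest.rstrip('%'),
        }
    return findings


if __name__ == '__main__':
    for ip, info in find_enumeration_runs(SAMPLE_LOG).items():
        print(f"{ip}: {info['probe_count']} schema probes, "
              f"deepest prefix tested: {info['deepest_probe']!r}")
        print('  sequence:', ' -> '.join(info['patterns']))
```

The decoder is the useful part for triage: CHAR() concatenation hides the probed text from a naive grep for quoted strings, and the response sizes in the sample (512 vs 1844 bytes) are the kind of true/false tell the poster relies on, so clustering sizes per client would let you reconstruct which prefixes actually matched.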