Re: [sqlmap-users] oracle order by not detected

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

And what's the original sqlmap command you used?

Bye

On Wed, Dec 3, 2014 at 1:39 PM, Harry Acker <har...@gm...>
wrote:

> I'm testing an app which I've confirmed is running Oracle and has
> injection into the order by field.
>
> http://xxx/test?order=id
>
> id is a direct mapping to the database column name. I confirmed injection
> with the following:
>
> http://xxx/test?order=%28select%20%27id%27%20from%20dual%29
>
> The site returns either a table of data or the Oracle exception if the
> field name given is invalid
>
> I've ran sqlmap against it with level 5 and risk 3 (its a test site,
> client happy to reset if damaged) but it doesn't detect the injection. I've
> also tried with --string passing it a value from the table so it knows when
> it hits valid data.
>
> I know this should work and from what I've seen when searching a level 3
> scan should detect it. What am I doing wrong?
>
> And just for my curiosity, as I've got the working injection, would I be
> able to pass that to sqlmap and point it at that to say inject into here. I
> gave it a quick try and it complained that the url provided was already
> tainted and I should clean it up first.
>
> Harry.
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
Miroslav Stampar
http://about.me/stamparm