Re: [sqlmap-users] oracle order by not detected
From: Miroslav S. <mir...@gm...> - 2014-12-03 13:45:39
And what's the original sqlmap command you used?

Bye

On Wed, Dec 3, 2014 at 1:39 PM, Harry Acker <har...@gm...> wrote:

> I'm testing an app which I've confirmed is running Oracle and has
> injection into the order by field.
>
> http://xxx/test?order=id
>
> id is a direct mapping to the database column name. I confirmed injection
> with the following:
>
> http://xxx/test?order=%28select%20%27id%27%20from%20dual%29
>
> The site returns either a table of data or the Oracle exception if the
> field name given is invalid.
>
> I've run sqlmap against it with level 5 and risk 3 (it's a test site,
> client happy to reset if damaged) but it doesn't detect the injection. I've
> also tried with --string, passing it a value from the table so it knows when
> it hits valid data.
>
> I know this should work and from what I've seen when searching a level 3
> scan should detect it. What am I doing wrong?
>
> And just for my curiosity, as I've got the working injection, would I be
> able to pass that to sqlmap and point it at that to say inject into here. I
> gave it a quick try and it complained that the URL provided was already
> tainted and I should clean it up first.
>
> Harry.

--
Miroslav Stampar
http://about.me/stamparm
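The ORDER BY pattern Harry describes (the order parameter mapped straight onto a column name) shown in its vulnerable form beside a hardened form that maps the parameter onto an allowlist of columns. This is an added example, not code from the thread or from sqlmap; the table and column names are assumed.

```python
"""ORDER BY parameter handling: vulnerable interpolation vs. allowlisted mapping."""
import re
from typing import Tuple

# Constructed allowlist: public parameter value -> real column name.
# Anything not in this map is rejected before any SQL is built.
ALLOWED_ORDER_COLUMNS = {
    "id": "ID",
    "name": "NAME",
    "created": "CREATED_AT",
}


def build_query_vulnerable(order_param: str) -> str:
    # The pattern from the thread: the parameter is spliced straight into
    # ORDER BY, so any expression the database accepts is executed as SQL
    # and an invalid name surfaces as a database exception to the client.
    return f"SELECT * FROM test_table ORDER BY {order_param}"


class InvalidOrderColumn(ValueError):
    """Raised when the order parameter is not an allowlisted column."""


def parse_order_param(order_param: str) -> Tuple[str, str]:
    """Return (column_sql, direction) for a parameter such as 'id' or '-id'.

    A leading '-' requests descending order; the remainder must match an
    allowlisted key exactly. User input never reaches the SQL text.
    """
    direction = "ASC"
    key = order_param
    if key.startswith("-"):
        direction = "DESC"
        key = key[1:]
    if not re.fullmatch(r"[a-z_]+", key) or key not in ALLOWED_ORDER_COLUMNS:
        raise InvalidOrderColumn(f"unsupported order column: {order_param!r}")
    return ALLOWED_ORDER_COLUMNS[key], direction


def build_query_safe(order_param: str) -> str:
    # Only allowlisted column names and a fixed ASC/DESC token are emitted.
    column, direction = parse_order_param(order_param)
    return f"SELECT * FROM test_table ORDER BY {column} {direction}"


def is_order_param_accepted(order_param: str) -> bool:
    """True if the parameter maps to an allowlisted column, else False."""
    try:
        parse_order_param(order_param)
    except InvalidOrderColumn:
        return False
    return True
```

Rejecting unknown values with a generic 400 response, rather than letting the database error through, also removes the error-based oracle the thread relies on to confirm the injection.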