Re: [sqlmap-users] Union injectable or not
From: Brandon P. <bpe...@gm...> - 2015-02-09 16:20:09
A UNION payload that shows some bit of data that you expect in the response. For instance, perhaps the first column in the union is expected to be a UUID, and the third column is given back in the response.

UNION SELECT '2403db44-b077-11e4-b0e1-000c29133bd7', NULL, 0x6664736166647361, NULL

If that payload were to succeed, 'fdsafdsa' would appear in the response.

Figure out how to at least inject with a known payload and report back. :)

On Mon, Feb 9, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:

> Hi,
> thanks for your reply.
> What do you mean by one working union payload?
> Do you mean payload which causes sqlmap to report URL as being union
> injectable?
> Thank you very much,
> Vojta
>
> On 9.2.2015 13:23, Miroslav Stampar wrote:
>
> As Brandon said, one of the columns could be "picky" about the "test" values
> being used. We use either NULLs or integer values (e.g. 1) and this works
> quite well in the majority of situations (auto-casting and stuff).
>
> Also, there is a possibility that ORDER BY mechanism is triggering some
> results, while the UNION query is not possible to achieve. I would suggest
> you to find one working UNION payload and report back.
>
> Bye
>
> On Mon, Feb 9, 2015 at 12:08 AM, Brandon Perry <bpe...@gm...>
> wrote:
>
>> The application could be requiring one of the columns to be in a certain
>> format (perhaps a date, or serialized object) in order to be brought to the
>> UI. Just sending an int/string or a NULL causes the SQL query to succeed,
>> but the app throws an error due to the data not being formatted as expected.
>>
>> On Sun, Feb 8, 2015 at 4:08 PM, Vojtěch Polášek <kr...@gm...>
>> wrote:
>>
>>> Greetings,
>>> I am doing some pentesting for a corporation.
>>> I am testing some GET parameter of their web application and I encounter
>>> a strange issue.
>>> The URL seems to be injectable as sqlmap states, but at the end it says
>>> that it is not injectable.
>>> Here is a link to the log with verbosity level 3. Due to confidentiality
>>> reasons, I can't provide you with actual requests or responses.
>>>
>>> http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
>>> What might be the problem?
>>> I am running Sqlmap 1.0dev-nongit-20150111 from Blackarch repository of
>>> Arch Linux.
>>> Thank you very much for your opinions,
>>> Vojta
>>>
>>> ------------------------------------------------------------------------------
>>> Dive into the World of Parallel Programming. The Go Parallel Website,
>>> sponsored by Intel and developed in partnership with Slashdot Media, is your
>>> hub for all things parallel software development, from weekly thought
>>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>>> look and join the conversation now. http://goparallel.sourceforge.net/
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
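
Added example, not part of the original thread and not sqlmap code: a constructed Python/sqlite3 sketch of the case the replies describe, where a generic NULL-filled UNION is accepted by the database but rejected by the application layer, so a scanner's "not injectable" verdict does not mean the parameter is safe; the bound-parameter version is shown beside it. The table, column and function names are hypothetical, and the marker is written as the string 'fdsafdsa' because SQLite reads 0x... as an integer rather than text.

```python
import sqlite3
import uuid

ROW_ID = "2403db44-b077-11e4-b0e1-000c29133bd7"  # UUID taken from the thread
COLS = "id, owner, title, price"                  # hypothetical schema

# Constructed inputs: generic NULL probe vs. the format-aware payload from the thread.
GENERIC = "x' UNION SELECT NULL, NULL, NULL, NULL -- "
SHAPED = f"x' UNION SELECT '{ROW_ID}', NULL, 'fdsafdsa', NULL -- "

def make_db():
    """In-memory database holding one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id TEXT, owner TEXT, title TEXT, price INTEGER)")
    db.execute("INSERT INTO items VALUES (?, ?, ?, ?)", (ROW_ID, "alice", "widget", 10))
    return db

def render(rows):
    """App layer: column 1 must parse as a UUID, column 3 is shown to the user."""
    try:
        return "\n".join(f"{uuid.UUID(r[0])}: {r[2]}" for r in rows)
    except (TypeError, ValueError, AttributeError):
        # The SQL ran, but the "picky" column broke the page.
        return "500 Internal Server Error"

def vulnerable_lookup(db, owner):
    # Deliberately vulnerable: user input is concatenated into the SQL text.
    sql = f"SELECT {COLS} FROM items WHERE owner = '{owner}'"
    return render(db.execute(sql).fetchall())

def safe_lookup(db, owner):
    # Hardened: the input is bound as a value and never parsed as SQL.
    sql = f"SELECT {COLS} FROM items WHERE owner = ?"
    return render(db.execute(sql, (owner,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    for label, value in (("generic", GENERIC), ("shaped", SHAPED)):
        print(label, "| vulnerable:", repr(vulnerable_lookup(db, value)),
              "| parameterized:", repr(safe_lookup(db, value)))
```

With the bound parameter both inputs are compared as plain strings against `owner` and match no row, which is the fix to verify regardless of what the scanner reported.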