Re: [sqlmap-users] Determining blind UNION-able injections with SLEEP
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Determining blind UNION-able injections with SLEEP
|
From: Brandon P. <bpe...@gm...> - 2015-09-14 01:37:20
|
> On Sep 13, 2015, at 8:35 PM, Brandon Perry <bpe...@gm...> wrote: > > >> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hoo...@gm... <mailto:hoo...@gm...>> wrote: >> >> Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind... >> >> Is the sleep function being used within or as a vulnerable column value in your example or is it merely appended to the union injection and before the suffix/delimiter value (unsure because example has a comma before the sleep(5) call)? > > The sleep can be used in any of the columns, it only works when the columns have been balanced on both sides of the UNION. This way, sqlmap could have one extra injection point to support attempting to write a file with. > >> >> Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T does it work to identify the time based injection (i.e. ./sqpmap.py --url http//somesite.com/ <http://somesite.com/> --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)? > > This was by hand. Oh, I should have read the question more clearly. I didn’t try this, but then sqlmap wouldn’t realize it is a union then. > >> >> On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bpe...@gm... <mailto:bpe...@gm...>> wrote: >> I have had this idea for a while, and I finally came across an injection that this was useful for me. >> >> Due to logic in the application, a generic UNION tacked on the end of the query doesn't work. >> >> However, a payload of: >> >> blah=foo"+union+select+null,null,null,null,sleep(5)--%20 >> >> does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time. >> >> This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en mass (the other time based payloads did work as well). >> >> This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response. >> >> Thoughts? >> >> >> -- >> http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- blog >> http://www.volatileminds.net <http://www.volatileminds.net/> -- website >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... <mailto:sql...@li...> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users <https://lists.sourceforge.net/lists/listinfo/sqlmap-users> >> >> > |
