Re: [sqlmap-users] injecting into MySQL through HQL
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] injecting into MySQL through HQL
|
From: Robin W. <ro...@di...> - 2017-02-24 23:28:27
|
Annoyingly my test window is closed and I'll probably not get to talk to the client will Monday but will try this out on a test box just to watch the traffic and see if it is doing what I think should work. Ta Robin On Fri, 24 Feb 2017, 23:23 Chris Oakley, <chr...@gm...> wrote: > I *think* (going from memory here) that it's higher than that by default. > There's also the --union-cols=30-40, so you should be good > > On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote: > > I hadn't tried the custom injection point, I'll give that a try. Do you > know the maximum number of fields the union will do, was thinking about it > after shutting machine down and think it's 30 so will need to increase that. > > Robin > > On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> > wrote: > > I assume you've tried * for custom injection point and --technique=U? > > Whether or not it'll dance with HQL is another question entirely. > > On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote: > > I've just found an instance of Hibernate Query Language injection that > lets me get at an underlying MySQL database if I inject in the right way, > some examples I've got are: > > loginName=a - works and gives 200 > loginName=' - fails with HQL error and 500 > loginName=a' or 'a'='a - works and gives 200 > loginName=a\'' - gets through HQL and then generates a MySQL error in a > where clause. The injection gets converted to where NAME='a\''' > > With some playing I've found that this is a valid injection and they are > running as root as I get a 500 back when I supply root, a 200 when give > something else. > > loginName=a' and 'a\''="a" union select > @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" > from users where user()="root@localhost" -- '='1 > > The 500 is because some of the stuff from the union isn't being handled > correctly by the page, the 200 is because the union doesn't return any data > so the first bit (basically a=a) is returning valid data so getting through > the rest of the parsing. > > So I think what I need to do is to tell SQLMap that it is a union > injection with 31 fields and that the injection needs to go into here: > > loginName=a' and 'a\''="a" <INJECT> -- '='1 > > Can I do this? > > I've got all this set up and running in Burp so I can test things out if > anyone needs me to. > > Robin > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, SlashDot.org! http://sdm.link/slashdot > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > |
