[sqlmap-users] UNHEX vs 0x in MySQL/MariaDB
From: Brandon P. <bpe...@gm...> - 2018-05-30 10:49:27
I’ve come across a SQL injection that uppercases the input, so that 0xaaaa becomes 0XAAAA. This isn’t a valid hex value in MySQL since 0X is required to use a lowercase x. I attempted to use a quick --eval argument to change the syntax from 0x to X'', but the single quotes in the X'' syntax end up being escaped with double slashes so the syntax is still broken (X'' -> X\\'\\').

What are the chances a different encoding using UNHEX and CONCAT could be used instead of 0x when using BENCHMARK? For instance:

    BENCHMARK(5000000,MD5(0xaaaa))

could be rewritten as:

    BENCHMARK(5000000,MD5(UNHEX(CONCAT(CHAR(65),CHAR(65),CHAR(65),CHAR(65)))))

Perhaps this is attainable with a tamper script and I am missing it? This would prevent the application from breaking the SQL syntax by changing 0x to 0X.

Any thoughts are appreciated!
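
Added example, not part of the original post and not sqlmap code: a Python log-normalization helper showing that the spellings discussed above (0x..., X'...' and UNHEX(CONCAT(CHAR(...)))) reduce to one canonical form, so a detection signature written for one spelling also matches the others. The function names and sample statements are constructed for illustration.

```python
import re

# MySQL hex-literal spellings: 0xAAAA (the x must be lowercase) and X'AAAA'.
HEX_0X = re.compile(r"\b0x([0-9A-Fa-f]+)")
HEX_QUOTED = re.compile(r"\b[xX]'([0-9A-Fa-f]+)'")
# A string assembled from single-character CHAR(n) calls, as in the post.
CHAR_CALL = re.compile(r"CHAR\(\s*(\d{1,3})\s*\)", re.I)
CONCAT_CHARS = re.compile(
    r"CONCAT\(\s*((?:CHAR\(\s*\d{1,3}\s*\)\s*,?\s*)+)\)", re.I)
UNHEX_STR = re.compile(r"UNHEX\(\s*'([0-9A-Fa-f]+)'\s*\)", re.I)
BENCHMARK = re.compile(r"\bBENCHMARK\s*\(\s*(\d+)\s*,", re.I)


def _to_0x(match):
    return "0x" + match.group(1).lower()


def _concat_to_string(match):
    codes = CHAR_CALL.findall(match.group(1))
    return "'" + "".join(chr(int(c)) for c in codes) + "'"


def canonical(sql):
    """Reduce equivalent hex spellings to 0x<lowercase digits>."""
    sql = CONCAT_CHARS.sub(_concat_to_string, sql)
    sql = UNHEX_STR.sub(_to_0x, sql)
    sql = HEX_QUOTED.sub(_to_0x, sql)
    sql = HEX_0X.sub(_to_0x, sql)
    # Drop spaces around punctuation and uppercase identifiers; a token such
    # as 0XAAAA starts with a digit, so it is left exactly as logged.
    sql = re.sub(r"\s*([(),])\s*", r"\1", sql.strip())
    return re.sub(r"\b[A-Za-z_]\w*", lambda m: m.group(0).upper(), sql)


def benchmark_iterations(sql):
    """Iteration counts of every BENCHMARK() call, for thresholding."""
    return [int(n) for n in BENCHMARK.findall(canonical(sql))]


# Constructed sample statements, not captured traffic.
SAMPLES = [
    "BENCHMARK(5000000,MD5(0xaaaa))",
    "benchmark(5000000, md5(X'AAAA'))",
    "BENCHMARK(5000000,MD5(UNHEX(CONCAT(CHAR(65),CHAR(65),CHAR(65),CHAR(65)))))",
    "BENCHMARK(5000000,MD5(0XAAAA))",  # uppercased form from the post
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(canonical(sample), benchmark_iterations(sample))
```

The first three samples print the same canonical statement; the uppercased 0XAAAA form stays distinct because it is not a hex literal.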