Hi Karl,
On 19 December 2010 08:39, Buggy <bug...@gm...> wrote:
> ...
> I (and sqlmap) have found my new nemesis concerning SQL injection: injecting
> in the ORDER BY clause:
Good for you.
> I am currently doing work on a webapp based on an ORACLE database and can
> inject here:
> …SELECT foo, bar FROM the_table ORDER BY [INJECTION]
sqlmap from Subversion repository has full support to detect and
exploit injection points in ORDER BY and GROUP BY clause, regardless
of the back-end DBMS.
> 1) The mean thing is you cannot use UNION because of the ORDER BY clause
True.
> => Any hints on how to get a working injection going here? Has anyone ever
> encountered this rare case?
Yes, several times.
svn update and enjoy. Testing for ORDER BY clause injection against
Oracle requires --level to be set to 3.
We are going to update the user's manual just before the official
release of 0.9 stable in a month or two, for the time being sqlmap.py
-h will highlight you on the meaning of the new switches (--level,
--risk, etc.).
> 2) the furthest I have gotten in a try to get into a blind sql injection
> situation is the following:
>
> [INJECTION] = decode ((select 'a' from dual),'a',foo,bar)
>
> …depending on whether ‘a’ or something else is selected, the output is sorted
> by column ‘foo’ or column ‘bar’
>
> …the idea is to “ask the question” here (pseudocode):
>
> decode ((select first letter of first username < chr(128)),TRUE,foo,bar)
>
> …but it doesn’t work as I do not know how to write the question query or how
> to decide if the answer is TRUE or FALSE
>
> => is there some hint how to continue from here and maybe even get the thing
> working with sqlmap?
Again, svn update.
If you want to understand how it works, check yourself
xml/payloads.xml file, lines 617-634 in your case.
Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
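Added example (not sqlmap code and not the poster's application): the concatenated ORDER BY the thread describes beside an allowlist-based builder, since the sort column cannot be passed as a bind variable, plus a query-log check that flags ORDER BY clauses carrying a function call or subquery. The column names foo/bar and the table name come from the quoted query; everything else is constructed.

```python
import re

# Constructed example. On Oracle (and every other DBMS) the sort column in
# ORDER BY cannot be a bind variable, so the fix is an allowlist lookup
# rather than concatenation of user input.
SORT_COLUMNS = {"foo": "foo", "bar": "bar"}   # column names from the thread's query
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
BASE_QUERY = "SELECT foo, bar FROM the_table"


def vulnerable_query(sort_expr: str) -> str:
    """The pattern from the thread: user input concatenated into ORDER BY."""
    return f"{BASE_QUERY} ORDER BY {sort_expr}"


def safe_query(sort_key: str, direction: str = "asc") -> str:
    """Map user input onto fixed identifiers; anything else is rejected."""
    try:
        column = SORT_COLUMNS[sort_key.lower()]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort parameter")
    return f"{BASE_QUERY} ORDER BY {column} {order}"


# Detection side: a legitimate sort parameter never needs a parenthesis,
# a subquery or a DECODE/CASE expression after ORDER BY, so their presence
# in a logged statement is worth an alert.
ORDER_BY_SUSPECT = re.compile(
    r"ORDER\s+BY\s+[^;]*?(\(|\bSELECT\b|\bDECODE\b|\bCASE\b)", re.IGNORECASE)


def suspicious_order_by(statement: str) -> bool:
    """True when the ORDER BY clause of a logged statement looks injected."""
    return ORDER_BY_SUSPECT.search(statement) is not None


if __name__ == "__main__":
    payload = "decode((select 'a' from dual),'a',foo,bar)"  # payload quoted in the thread
    print(vulnerable_query(payload))                       # reaches the DBMS unchanged
    print(suspicious_order_by(vulnerable_query(payload)))  # True
    print(safe_query("foo", "desc"))
    try:
        safe_query(payload)
    except ValueError as exc:
        print("rejected:", exc)
```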