sqlmap-users

[sqlmap-users] Problem Injecting in ORDER BY clause

[Korius <kor...@ya...>]

Hi list,

I'm having trouble exploiting an SQLi in an ORDER BY clause with sqlmap.
Manually I can inject using a construct like "(CASE WHEN 'a'='b' THEN
t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)" where t.bar is a
correct column name and then altering the boolean clause. Unfortunately
the target server responds pretty slowly, so a manual extraction is
gonna be agonizingly slow.

Just passing the target URL to sqlmap (yesterday's build 4938), sqlmap
wont find an injection using level 3. I also tried passing my manual
vector as prefix/suffix (--prefix="(CASE WHEN 'a'='" --suffix="' THEN
t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)") but without avail.
Any ideas or suggestions?

Cheers
Dennis

Re: [sqlmap-users] Problem Injecting in ORDER BY clause

[Bernardo D. A. G. <ber...@gm...>]

Hi Korius,

I have created an issue for this,
https://github.com/sqlmapproject/sqlmap/issues/97.

Bernardo


On 4 April 2012 10:34, Korius <kor...@ya...> wrote:
> Hi list,
>
> I'm having trouble exploiting an SQLi in an ORDER BY clause with sqlmap.
> Manually I can inject using a construct like "(CASE WHEN 'a'='b' THEN
> t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)" where t.bar is a
> correct column name and then altering the boolean clause. Unfortunately
> the target server responds pretty slowly, so a manual extraction is
> gonna be agonizingly slow.
>
> Just passing the target URL to sqlmap (yesterday's build 4938), sqlmap
> wont find an injection using level 3. I also tried passing my manual
> vector as prefix/suffix (--prefix="(CASE WHEN 'a'='" --suffix="' THEN
> t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)") but without avail.
> Any ideas or suggestions?
>
> Cheers
> Dennis
>
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to
> monitoring Big Data applications. Try Boundary one-second
> resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)