Thread: [sqlmap-users] Non-Detected SQLi
From: Sebastian N. <seb...@sy...> - 2013-06-10 09:31:09
Hi there,

I wrote a small payload, to test for conditional error-based SQL-injection possibilities:

    <!-- Boolean-error-based blind tests - WHERE/HAVING clause -->
    <test>
        <title>AND boolean-error-based blind - WHERE or HAVING clause (MySQL)</title>
        <stype>1</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1</clause>
        <where>1</where>
        <vector>REGEXP IF([INFERENCE],1,"")</vector>
        <request>
            <payload>REGEXP IF([RANDNUM]=[RANDNUM],1,"")</payload>
        </request>
        <response>
            <comparison>REGEXP IF([RANDNUM]=[RANDNUM1],1,"")</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
        </details>
    </test>

Theoretically it is working - as long as the server is actually returning content, the injection is detected and works just fine (feel free to add it to the sqlmap repository, if it is correct :) ). But as soon as the tested URL is returning an empty page, detection fails.

* With a TRUE request, the server returns a content-length of 0
* With a FALSE request, the server returns the error message

Now ... for my understanding, this is quite a difference, but SQLMAP fails to recognize it, even with "not-string" given. The problem might be that the server returns a warning during the dynamic-check as well. Is it possible to forbid the usage of ' during this test?

What am I doing wrong? Is there an error in the payload above? Can sqlmap handle empty pages?

Thanks!

Kind regards,

Sebastian Nerz
--
Sebastian Nerz
Dipl.-Inform.
IT-Security Consultant
mailto:seb...@sy...
___________________________________________________________
SySS GmbH
Wohlboldstraße 8
72072 Tübingen
Germany
Voice: +49 7071 407856-31
Fax: +49 7071 407856-19
WWW: http://www.syss.de
PGP FP: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2
Managing Director: Sebastian Schreiber
Register court: Amtsgericht Stuttgart / HRB 382420
Tax number: 86118 / 55809
From: Miroslav S. <mir...@gm...> - 2013-06-10 10:23:06
Hi Sebastian.

There was indeed a bug [1]. Find it fixed now. If you would like to contribute this payload we could include it into sqlmap :)

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/462

--
Miroslav Stampar
http://about.me/stamparm
From: Sebastian N. <seb...@sy...> - 2013-06-10 10:34:48
Hi Miroslav,

On 10.06.2013 12:22, Miroslav Stampar wrote:
> Hi Sebastian.
>
> There was indeed a bug [1]. Find it fixed now.

And it's working, thanks!

> If you would like to contribute this payload we could include it into
> sqlmap :)

With pleasure! It should be working with (at least) MySQL, I haven't verified it in PostgreSQL. It *is* working in WHERE, SELECT before FROM and ORDER BY, not tested for other locations. Quite possibly similar 'syntax errors' can be found for other locations/dbms.

The "" are needed, because sqlmap will convert '' into 0x, which will not throw an error.

Kind regards,

Sebastian Nerz
--
Sebastian Nerz
Dipl.-Inform.
IT-Security Consultant
SySS GmbH
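The failure mode Sebastian reports (an empty TRUE response next to an error-message FALSE response, with the page itself empty) comes down to how the comparison step treats a body of length 0. The Python below is an added example written for this page; it is not sqlmap's code and not a reconstruction of the fix referenced in issue 462. It expands the thread's two probe templates with constructed stand-in random numbers, then contrasts a comparator that gives up on an empty body with one that keeps the empty body as a distinct response, including a not-string check modelled on sqlmap's --not-string option. The response texts, the similarity threshold and the numbers are all constructed.

```python
"""Boolean-inference response comparison and the empty-page edge case."""
import difflib

# Placeholder templates from the test definition posted in the thread.
VECTOR = 'REGEXP IF([INFERENCE],1,"")'
PAYLOAD = 'REGEXP IF([RANDNUM]=[RANDNUM],1,"")'      # TRUE probe: condition holds
COMPARISON = 'REGEXP IF([RANDNUM]=[RANDNUM1],1,"")'  # FALSE probe: condition fails

# Constructed stand-ins for the per-run random numbers sqlmap would generate.
RANDNUM, RANDNUM1 = 1234, 5678


def expand(template):
    """Fill [RANDNUM]/[RANDNUM1]; the longer name goes first so that
    replacing [RANDNUM] cannot clobber it."""
    return (template.replace("[RANDNUM1]", str(RANDNUM1))
                    .replace("[RANDNUM]", str(RANDNUM)))


# Constructed responses modelling the scenario in the thread: the tested page
# is empty, the TRUE probe leaves it empty (content-length 0) and the FALSE
# probe makes the application surface a database warning instead.
ORIGINAL_PAGE = ""
TRUE_PAGE = ""
FALSE_PAGE = "Warning: query failed: Got error 'empty (sub)expression' from regexp"

RATIO_THRESHOLD = 0.98  # constructed: similarity needed to call a page "same as original"


def naive_compare(page, original):
    """Comparator with the failure mode described in the thread (illustrative,
    not sqlmap's code): an empty body is treated as "no page" and yields no
    verdict, so the TRUE probe cannot be told apart from a broken request."""
    if not page:
        return None
    return difflib.SequenceMatcher(None, original, page).ratio() >= RATIO_THRESHOLD


def robust_compare(page, original, not_string=None):
    """Keep an empty body as a real, distinct response.

    Returns True when the page reads as the original (the injected condition
    held) and False otherwise. When a not_string is given, in the spirit of
    sqlmap's --not-string, its absence from the page decides the verdict."""
    if not_string is not None:
        return not_string not in page
    if not page or not original:
        # Empty vs. empty is a match; empty vs. text (or the reverse) is not.
        return page == original
    return difflib.SequenceMatcher(None, original, page).ratio() >= RATIO_THRESHOLD


def injection_detected(compare, original, true_page, false_page):
    """An injection point is confirmed only if the TRUE probe reads as the
    original page and the FALSE probe reads as different from it."""
    true_verdict = compare(true_page, original)
    false_verdict = compare(false_page, original)
    return true_verdict is True and false_verdict is False


if __name__ == "__main__":
    print("TRUE probe :", expand(PAYLOAD))
    print("FALSE probe:", expand(COMPARISON))
    print("naive comparator detects :",
          injection_detected(naive_compare, ORIGINAL_PAGE, TRUE_PAGE, FALSE_PAGE))
    print("robust comparator detects:",
          injection_detected(robust_compare, ORIGINAL_PAGE, TRUE_PAGE, FALSE_PAGE))
```

The point of the two comparators is the branch on an empty body: a similarity ratio against an empty string is meaningless, so the comparison has to fall back to plain equality (or to the user's not-string) rather than return no verdict at all, otherwise the very difference Sebastian observed, zero bytes versus an error page, is thrown away.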