Hi.
We have something similar already covered, but your payload is original for
sure. We'll probably include it as a standard one. Will let you know.
Kind regards,
Miroslav Stampar
On Thu, Jul 26, 2012 at 11:02 AM, whp <wh...@po...> wrote:
> Hi list/developer
>
> I stumbled over this type of injection while doing a pentest and thought of
> implementing this kind of injection in sqlmap (I call it
> "error-based-blind-injection"):
>
> The Webapp replied with "success", if the statement was correct, regardless of
> the number of returned rows (the rows actually were fetched in a subsequent
> request). And with an empty response, if the statement failed. So the attack was
> identified the following way (It is an Oracle DB):
>
> param=' and to_char(1/0) like '1 --> empty response because 1/0 is a division
> by zero error
> param=' and to_char(1/1) like '1 --> success
>
> Now I had to find a workaround to get sqlmap to identify this injection (it
> only identified a time based blind, but I wanted a _fast_ attack)
>
> My solution:
> prefix= ' and to_char(1/(case (select 'a' from dual where 1=1
> suffix= ) when 'a' then '1' else '0' end)) like '1
>
> Now my question: is it possible to get this attack in sqlmap as a standard
> attack - or is there an easier way to configure sqlmap?
>
> Additionally the Oracle "order by" clause injection via a case-statement would
> be interesting.
>
> Your opinions/suggestions?
>
> Chris
> --
> whp_at_pohlcity_dot_de
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm
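The probe pair Chris describes (a division-by-zero expression that makes the statement fail, immediately followed by the same expression with a harmless divisor) leaves a recognisable trace in web-server access logs. The following is an added detection example, not code from the thread or from sqlmap: it parses combined-format access-log lines, URL-decodes the query string, tags requests carrying the `to_char(1/0)`, `to_char(1/1)` and `to_char(1/(case ...` forms from the message above, and reports clients that sent both halves of the error/control pair. The log lines are constructed sample data, and the log format, regex names and function names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original thread).
# Line 1 and 2 are the error/control pair, line 3 is a benign request,
# line 4 is the conditional form built from the prefix/suffix in the message.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2012:11:02:01 +0200] "GET /app?param=%27%20and%20to_char%281%2F0%29%20like%20%271 HTTP/1.1" 200 0
10.0.0.5 - - [26/Jul/2012:11:02:02 +0200] "GET /app?param=%27%20and%20to_char%281%2F1%29%20like%20%271 HTTP/1.1" 200 512
10.0.0.7 - - [26/Jul/2012:11:03:10 +0200] "GET /app?param=ORD-1234 HTTP/1.1" 200 512
10.0.0.5 - - [26/Jul/2012:11:04:00 +0200] "GET /app?param=%27%20and%20to_char%281%2F%28case%20%28select%20%27a%27%20from%20dual%20where%201%3D1%29%20when%20%27a%27%20then%20%271%27%20else%20%270%27%20end%29%29%20like%20%271 HTTP/1.1" 200 0
"""

# Apache/nginx "combined"-style line without referer/agent (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures of the three expression shapes quoted in the message above.
PROBE_PATTERNS = {
    "div_by_zero_probe": re.compile(r"to_char\s*\(\s*1\s*/\s*0\s*\)", re.I),
    "control_probe":     re.compile(r"to_char\s*\(\s*1\s*/\s*1\s*\)", re.I),
    "conditional_div":   re.compile(r"to_char\s*\(\s*1\s*/\s*\(\s*case\b", re.I),
}


def parse_line(line):
    """Split one access-log line into fields; the decoded query string is what matters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    _, _, query = rec["target"].partition("?")
    rec["query"] = unquote_plus(query)          # single decode, as the server would
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(rec):
    """Return the names of every probe pattern present in the decoded query string."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(rec["query"])]


def scan(log_text):
    """Return (per-request findings, clients that sent both the error and the control probe)."""
    findings = []
    tags_by_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append({"ip": rec["ip"], "status": rec["status"],
                             "size": rec["size"], "tags": tags})
            tags_by_client.setdefault(rec["ip"], set()).update(tags)
    # The pair (failing probe + succeeding twin from one client) is the tell-tale
    # of the technique; a single hit could still be a false positive.
    paired = {ip for ip, tags in tags_by_client.items()
              if {"div_by_zero_probe", "control_probe"} <= tags}
    return findings, paired


if __name__ == "__main__":
    found, pair_clients = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} status={f['status']} size={f['size']} tags={','.join(f['tags'])}")
    print("clients sending the error/control pair:", sorted(pair_clients))
```

Note that the response size column is what makes the pair visible: the failing probe returns a 200 with an empty body, the control probe a 200 with content, exactly the behaviour that let this injection work without any error text reaching the client. A rule that only looks at status codes would miss it.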