sqlmap-users

[sqlmap-users] UNION based sqli

[Mauricio V. <mau...@gm...>]

Hey all.

First id like to congratulate the team for the great tool and for sharing.
Im testing sqlmap on a local script i've created.

When i try to fingerprint the DBMS sqlmap starts using :

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause

to do it. So its using a sqli blind technique to fetch the contents. I know
that this script supports UNION based inyections which would be much faster
to do. so my question is

1) Does sqlmap have a funcionality to fingerprint the contents of
information_schema.tables and information_schema.colums via a UNION based
inyection in order to get the databases, tables and columns ?

2) If so, which are the parameters to use ?

Thanks in Advance,

Mauricio

Re: [sqlmap-users] UNION based sqli

[Miroslav S. <mir...@gm...>]

hi Mauricio.

the assumption is that you are using the latest v0.9/dev.

if you are getting only "boolean-based blind" as the result of
detection phase then that's the only technique that can be used in
further steps.

but, if you are getting more of techniques, then they'll be used in
their speed order - 1) UNION, 2) ERROR, 3) BLIND, 4) TIMED, 5) STACKED

all techniques can be used for all enumerations

in case that you are not getting UNION technique as a result of the
detection phase then it would be good to use something like: --level=3
--risk=2 (more techniques and boundary prefixes/suffixes will be used)

in the default run there will be a test against a UNION based
injection up to 10 columns, but with higher level it will test more
(e.g. --level=2 --> 1-10 & 10-20; --level=3 --> 1-10 & 10-20 & 20-30).
in case that you know number of columns to be between 10 and 15 you
can use default settings and only put --union-cols=10-15

one more thing about information_schema database. assumption is that
the MySQL DBMS is > 4 and that there are no read restrictions on it.

kr

On Tue, Apr 5, 2011 at 7:56 AM, Mauricio Velazco
<mau...@gm...> wrote:
> Hey all.
>
> First id like to congratulate the team for the great tool and for sharing.
> Im testing sqlmap on a local script i've created.
>
> When i try to fingerprint the DBMS sqlmap starts using :
>
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>
> to do it. So its using a sqli blind technique to fetch the contents. I know
> that this script supports UNION based inyections which would be much faster
> to do. so my question is
>
> 1) Does sqlmap have a funcionality to fingerprint the contents of
> information_schema.tables and information_schema.colums via a UNION based
> inyection in order to get the databases, tables and columns ?
>
> 2) If so, which are the parameters to use ?
>
> Thanks in Advance,
>
> Mauricio
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B