Hi,
I just read the "Multiple SQL Injection in Ajax Category Dropdown wordpress
plugin" advisory <http://www.htbridge.ch/advisory/multiple_sql_injection_in_ajax_category_dropdown_wordpress_plugin.html>
published by High-Tech Bridge. Among others there's a generic
UNION inject on the *category_id* GET parameter, and I decided to try it
with sqlmap.
Here's the PoC provided in the advisory:
http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201
As you can see there's a 10-column UNION, of which columns 2 and 10 are
rendered on the page; so when you try the above proof-of-concept on a
vulnerable target it should render a single-item dropdown box in the format:
db_user (db_version)
However, I couldn't seem to be able to exploit it via sqlmap.
So, being aware it was a Linux box and considering WordPress runs on MySQL, I
used the following as a base for the test:
./sqlmap.py --os linux --dbms mysql --technique U --union-cols 9-11 -p category_id --referer "http://[host]/" -u "http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1"
And then I tried everything from _--level 1_ to _5_, from _--risk 1_ to _3_,
with and without _--string "Uncategorized"_ (which applies for GET
_category_id=1_), and even _--prefix " union select " --suffix " -- 1"_; all
with no luck. In the end I removed all of the previous flags until I was
finally able to exploit an _OR boolean-based blind - WHERE or HAVING clause_
and a _MySQL > 5.0.11 OR time-based blind_ inject, only when using the
_--risk 3 --level 2_; there was also a _MySQL < 5.0.12 AND time-based blind
(heavy query)_ on _--risk 2 --level 2_, but it was too much for the server.
But still, no way to exploit the actual UNION flaw via sqlmap.
Any clue?
--
Emiliano
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users