Hi Emiliano,

On 24 April 2011 22:21, Emiliano Bazaes <emili...@7espejos.com> wrote:
> ...
> Here's this poc provided in the advisory:
>
> http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201
>
> As you can see there's a 10 columns UNION, of which columns 2 and 10 are
> rendered on the page; so when you try the above proof-of-concept on a
> vulnerable target it should render a single item dropdown box in the format:
>
> db_user (db_version)
>
> However, I couldn't seem to be able to exploit it via sqlmap
> ...

The detection engine fails to detect this specific UNION query SQL injection because the HTTP response bodies for valid and invalid number of injected columns differ very little. In order to avoid this problem, you can run sqlmap with the --text-only switch, where only the proper text of the response bodies is considered for matching/comparison (by excluding HTML tags, scripts, etc. - see user's manual for details).

Regards,
Bernardo and Miroslav

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
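
The effect described in the reply above, as an added example that is not part of the original thread and is not sqlmap's own code: two constructed pages that differ only in one dropdown entry are compared once as raw HTML and once as extracted text. The page content, the 0.98 threshold and all function names are assumptions made for illustration.

```python
import difflib
import re
from html.parser import HTMLParser

class TextExtractor(HTMLParser):
    """Collect visible text nodes, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)

def text_only(html):
    """Reduce an HTML body to its whitespace-normalised visible text."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()

def similarity(a, b):
    """Ratio in [0, 1]; autojunk off so repeated markup is not discarded."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()

def looks_same(a, b, strip_markup=False, threshold=0.98):
    """True when two bodies are too similar to tell apart (assumed threshold)."""
    if strip_markup:
        a, b = text_only(a), text_only(b)
    return similarity(a, b) >= threshold

def build_page(option_text):
    """Constructed page: bulky script/style, one dropdown entry that varies."""
    script = "<script>" + "var x = 1; function f(){return x;}\n" * 40 + "</script>"
    style = "<style>" + ".dd { margin: 0; padding: 0; }\n" * 40 + "</style>"
    return ("<html><head>%s%s</head><body><h1>Categories</h1>"
            "<select class='dd'><option value='1'>%s</option></select>"
            "</body></html>" % (script, style, option_text))

PAGE_RENDERED = build_page("app_user@localhost (5.1.0)")  # constructed values
PAGE_EMPTY = build_page("")

if __name__ == "__main__":
    print("raw HTML :", round(similarity(PAGE_RENDERED, PAGE_EMPTY), 3))
    print("text only:", round(similarity(text_only(PAGE_RENDERED), text_only(PAGE_EMPTY)), 3))
```

On the raw bodies the unchanged script and style blocks dominate the ratio, so the one changed dropdown entry barely registers; once markup is stripped, that entry is most of what remains to compare.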