Re: [sqlmap-users] Subquery payloads on mysql <4.1

Tue, 12 Jul 2011 14:23:24 -0700 

ok, got the point.

also seen the same thing on Twitter few days ago, maybe it was you :)

two things:
A) does anyone have experience with subqueries on MySQL < 4.1?
B) is there some VM around that carry for example MySQL 3.x ready for testing?

kr

On Tue, Jul 12, 2011 at 1:01 PM, Till .ch <till...@hotmail.com> wrote:
> Hi
>
>
> Lately I've been playing with sqlmap and a 4.0 mysql server. Sqlmap detected
> the injection point just fine, but struggled with gathering information
> about other tables.
> I guess this happened due to the fact as subqueries have been introduced
> with mysql >=4.1 (http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html)
> and thus payloads like the following are regarded as an invalid query on
> mysql <4.1:
>
>
> [PAYLOAD] 1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32))
> FROM randomtable),1,1)) > 51
>
>
> Best Regards
> Till
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>



-- 
Miroslav Stampar (@stamparm)

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B

------------------------------------------------------------------------------
AppSumo Presents a FREE Video for the SourceForge Community by Eric 
Ries, the creator of the Lean Startup Methodology on "Lean Startup 
Secrets Revealed." This video shows you how to validate your ideas, 
optimize your ideas and identify your business strategy.
http://p.sf.net/sfu/appsumosfdev2dev
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to