found one (VM) and done some tests :) you are right, subqueries can't be used on MySQL < 4.1 which means that sql injection there is of no significant value (e.g. dumping of table content which inherently requires subquerying mechanism).
kr On Tue, Jul 12, 2011 at 11:23 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote: > ok, got the point. > > also seen the same thing on Twitter few days ago, maybe it was you :) > > two things: > A) does anyone have experience with subqueries on MySQL < 4.1? > B) is there some VM around that carry for example MySQL 3.x ready for testing? > > kr > > On Tue, Jul 12, 2011 at 1:01 PM, Till .ch <till...@hotmail.com> wrote: >> Hi >> >> >> Lately I've been playing with sqlmap and a 4.0 mysql server. Sqlmap detected >> the injection point just fine, but struggled with gathering information >> about other tables. >> I guess this happened due to the fact as subqueries have been introduced >> with mysql >=4.1 (http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html) >> and thus payloads like the following are regarded as an invalid query on >> mysql <4.1: >> >> >> [PAYLOAD] 1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32)) >> FROM randomtable),1,1)) > 51 >> >> >> Best Regards >> Till >> >> ------------------------------------------------------------------------------ >> All of the data generated in your IT infrastructure is seriously valuable. >> Why? It contains a definitive record of application performance, security >> threats, fraudulent activity, and more. Splunk takes this data and makes >> sense of it. IT sense. And common sense. >> http://p.sf.net/sfu/splunk-d2d-c2 >> _______________________________________________ >> sqlmap-users mailing list >> sqlmap-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > > -- > Miroslav Stampar (@stamparm) > > E-mail: miroslav.stampar (at) gmail.com > PGP Key ID: 0xB5397B1B > -- Miroslav Stampar (@stamparm) E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B ------------------------------------------------------------------------------ AppSumo Presents a FREE Video for the SourceForge Community by Eric Ries, the creator of the Lean Startup Methodology on "Lean Startup Secrets Revealed." This video shows you how to validate your ideas, optimize your ideas and identify your business strategy. http://p.sf.net/sfu/appsumosfdev2dev _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
