Hello!

Consider the following example of a vulnerability.
The server has PHP and MySQL 5.X. The URL
http://example.com/list.php?filter=text outputs a list of items that
match the filter and is vulnerable to the following SQL injection:
  http://example.com/list.php?filter=' UNION SELECT 1,2,3 -- 
This will show one row with some values 1, 2 and 3.

sqlmap works with such a URL when queried in the following way:
$ ./sqlmap.py -u http://example.com/list.php?filter=text \
    -p filter --prefix "' " --suffix ' -- ' --tables -D db
--- will output the list of tables in the `db' database.

The problem is that the vulnerable list.php script limits the number of
outputted items --- it always shows only the first 10 items, omitting the
others at the PHP level (without using a MySQL LIMIT clause), so sqlmap
incorrectly detects the number of columns, number of rows, etc. ---
always limiting the number of items to 10.

I looked in the documentation and didn't find any options for splitting
enumeration requests into a bunch of requests limited by some value of
outputted items (e.g. query all table rows, selecting 10 rows per
single query). Can you add such options or tell me how I can achieve my
goal with the current version of sqlmap (I'm using the trunk version)?

Also, I want to propose checking whether all of the requested items were
received by adding an extra UNION SELECT at the end with some end mark
and checking whether that end mark is received. I don't know the details
of the sqlmap implementation, so I'm not sure whether my proposition is
correct.


Thanks in advance,

Vladimir Rutsky



_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users