Hi,

On Mon, May 07, 2012 at 11:56:58AM +0200, Miroslav Stampar wrote:

> Are you maybe referring to the case where MSSQL integer column is
> injectable manifesting conversion errors when arbitrary SELECT used?

No. I have got an application where a parameter is injectable, but there
are certain constraints that sqlmap cannot figure out automatically, but
I succeeded doing it manually. For example a UNION injection is
possible, but requires different types of values in the different
columns:

sqlmap.py -u http://example.com/f?param=TEST --union-char='X'
--prefix "')) UNION SELECT '1', NULL, COALESCE((SELECT '2' WHERE 1=0"
--suffix "), 'NOTHING'), '3'-- x"

This currently works, but adds a lot of complexity to make sqlmap
recognise a UNION select vulnerability.

It would be much nicer to be able to just use something like:

sqlmap.py -u http://example.com/f?param=TEST
--select-payload "')) UNION SELECT '1', NULL,([PAYLOAD]), '3'-- x"

that makes sqlmap use this as an attack vector and replace [PAYLOAD]
with the respective SELECT statements required to, for example, retrieve
the banner.

The problem manifests itself when application logic adds certain
constraints to the result of the UNION statement, such as that the first
column must not be NULL but a date within a certain range, for example.

Regards
Till

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
