Hi,

On Mon, May 07, 2012 at 11:56:58AM +0200, Miroslav Stampar wrote:
> Are you maybe referring to the case where MSSQL integer column is
> injectable manifesting conversion errors when arbitrary SELECT used?

No. I have got an application where a parameter is injectable, but there are certain constraints that sqlmap cannot figure out automatically, but I succeeded doing it manually. For example a UNION injection is possible, but requires different types of values in the different columns:

    sqlmap.py -u http://example.com/f?param=TEST --union-char='X' --prefix "')) UNION SELECT '1', NULL, COALESCE((SELECT '2' WHERE 1=0" --suffix "), 'NOTHING'), '3'-- x"

This currently works, but adds a lot of complexity to make sqlmap recognise a UNION select vulnerability. It would be much nicer to be able to just use something like:

    sqlmap.py -u http://example.com/f?param=TEST --select-payload "')) UNION SELECT '1', NULL,([PAYLOAD]), '3'-- x"

that makes sqlmap use this as an attack vector and replace [PAYLOAD] with the respective SELECT statements required to, for example, retrieve the banner.

The problem manifests itself when application logic adds certain constraints to the result of the UNION statement, such as that the first column must not be NULL but a date within a certain range, for example.

Regards
Till

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users