Hi Till.

--select-payload "')) UNION SELECT '1', NULL,([PAYLOAD]), '3'-- x"

would be something that would not be used often, for sure. Also, only a
small percentage of users even know what [PAYLOAD] is.

I know what you are referring to, and I believe that there are similar
cases that could be "treated" this way, but that "--select-payload"
formation doesn't look more "user-friendly" than --prefix/--suffix.

Also, you haven't mentioned if other techniques are recognized in your
case. I believe that boolean could be available, and there is a perfect
hole for draining data. There are lots of strange/weird/specific cases
like this one, but if there is no "easy" and, most of all, "general" way
to handle it inside sqlmap (across a bundle of other DBMSes), the user
is encouraged to modify sqlmap to suit his own needs for that special
case.

Kind regards

On Mon, May 7, 2012 at 12:40 PM, Till Maas <opensou...@till.name> wrote:
> Hi,
>
> On Mon, May 07, 2012 at 11:56:58AM +0200, Miroslav Stampar wrote:
>
>> Are you maybe referring to the case where an MSSQL integer column is
>> injectable, manifesting conversion errors when an arbitrary SELECT is used?
>
> no. I have got an application where a parameter is injectable, but there
> are certain constraints that sqlmap cannot figure out automatically, but
> I succeeded in doing it manually. For example, a UNION injection is
> possible, but requires different types of values in the different
> columns:
>
> sqlmap.py -u http://example.com/f?param=TEST --union-char='X'
> --prefix "')) UNION SELECT '1', NULL, COALESCE((SELECT '2' WHERE 1=0"
> --suffix "), 'NOTHING'), '3'-- x"
>
> This currently works, but adds a lot of complexity to make sqlmap
> recognise a UNION select vulnerability.
>
> It would be much nicer to be able to just use something like:
>
> sqlmap.py -u http://example.com/f?param=TEST
> --select-payload "')) UNION SELECT '1', NULL,([PAYLOAD]), '3'-- x"
>
> that makes sqlmap use this as an attack vector and replace [PAYLOAD]
> with the respective SELECT statements required to, for example, retrieve
> the banner.
>
> The problem manifests itself when application logic adds certain
> constraints on the result of the UNION statement, such as that the first
> column must not be NULL but a date within a certain range, for example.
>
> Regards
> Till



-- 
Miroslav Stampar
http://about.me/stamparm

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users