Hi Till.

--select-payload "')) UNION SELECT '1', NULL,([PAYLOAD]), '3'-- x"

would be something that would not be used often, for sure. Also, only a small percentage of users even know what [PAYLOAD] is. I know what you are referring to, and I believe that there are similar cases that could be "treated" this way, but that "--select-payload" formation doesn't look more "user-friendly" than --prefix/--suffix.

Also, you haven't mentioned if other techniques are recognized in your case. I believe that boolean could be available, and there is a perfect hole for draining data.

There are lots of strange/weird/specific cases like this one, but if there is no "easy" and, most of all, "general" way to handle it inside sqlmap (across a bundle of other DBMSes), the user is encouraged to modify sqlmap to suit his own needs for that special case.

Kind regards

On Mon, May 7, 2012 at 12:40 PM, Till Maas <opensou...@till.name> wrote:
> Hi,
>
> On Mon, May 07, 2012 at 11:56:58AM +0200, Miroslav Stampar wrote:
>
>> Are you maybe referring to the case where MSSQL integer column is
>> injectable manifesting conversion errors when arbitrary SELECT used?
>
> no. I have got an application where a parameter is injectable, but there
> are certain constraints that sqlmap cannot figure out automatically, but
> I succeeded doing it manually. For example a UNION injection is
> possible, but requires different types of values in the different
> columns:
>
> sqlmap.py -u http://example.com/f?param=TEST --union-char='X'
> --prefix "')) UNION SELECT '1', NULL, COALESCE((SELECT '2' WHERE 1=0"
> --suffix "), 'NOTHING'), '3'-- x"
>
> This currently works, but adds a lot of complexity to make sqlmap
> recognise a UNION select vulnerability.
>
> It would be much nicer to be able to just use something like:
>
> sqlmap.py -u http://example.com/f?param=TEST
> --select-payload "')) UNION SELECT '1', NULL,([PAYLOAD]), '3'-- x"
>
> that makes sqlmap use this as an attack vector and replace [PAYLOAD]
> with the respective SELECT statements required to, for example, retrieve
> the banner.
>
> The problem manifests itself when application logic adds certain
> constraints to the result of the UNION statement, such as that the first
> column must not be NULL but a date within a certain range, for example.
>
> Regards
> Till

--
Miroslav Stampar
http://about.me/stamparm

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users