Ahmed,

I have created an issue for this,
https://github.com/sqlmapproject/sqlmap/issues/96.

Bernardo


On 3 May 2012 16:06, Bernardo Damele A. G. <bernardo.dam...@gmail.com> wrote:
> Hi Ahmed,
>
> On 2 May 2012 21:09, Ahmed Shawky <ah...@isecur1ty.org> wrote:
>>
>> While using sqlmap with --os-shell I found that it only works if the
>> writable directory is on the DOCUMENT_ROOT directly
>> and if it exists on another dir sqlmap successfully uploads the php file but
>> it couldn't connect through it
>
> This should not be the case.
>
>> ...
>> Here's data I sent manually to the application
>>
>> ' UNION ALL SELECT "<?php system($_GET['cmd']); ?>",NULL,NULL,NULL INTO
>> OUTFILE "/opt/lampp/htdocs/uploads/test.php"#
>>
>> and here's sqlmap payload:
>> -7440' OR 6498=6498 LIMIT 1 INTO OUTFILE 's/scope/sqli/tmpuywdg.php' LINES
>> TERMINATED BY
>> ...
>
> The reason why we opted to upload the web file stager with "LIMIT 1
> INTO OUTFILE" rather than using "UNION ALL SELECT" is because with the
> former we do not have to rely on UNION SQL injection technique which
> is statistically less common than boolean/time-based techniques.
>
> In cases where the boolean-based injection is OR-based though, the
> "LIMIT 1" clause limits the output to one entry only which will output
> to the file only the first entry of the whole SELECT statement. Hence
> no sqlmap payload is written to the target PHP file. This is exactly
> the behaviour that you have experienced.
>
> A solution to this issue is to use the "LIMIT [...]" clause payload
> for file upload as is by default unless it is an OR-based
> boolean-based SQL injection, in which case a fall-back to UNION
> statement is required, when UNION SQL injection technique has been
> identified too.
>
> We will be addressing this issue shortly.
>
> Bernardo
>
>
>
> --
> Bernardo Damele A. G.
>
> Homepage: http://about.me/inquis
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
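
Added example (not part of the original messages and not sqlmap code): a defender-side check that flags both payload shapes quoted in this thread, the UNION-based `INTO OUTFILE` and the `LIMIT 1 INTO OUTFILE ... LINES TERMINATED BY` form, in logged SQL statements. The table names, the extension list and the sample statements are constructed; the payload body and the terminator value are left elided.

```python
import re

# INTO OUTFILE / INTO DUMPFILE followed by a single- or double-quoted path.
OUTFILE_RE = re.compile(
    r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(?P<path>.*?)\2",
    re.IGNORECASE | re.DOTALL,
)
TERMINATOR_RE = re.compile(r"\b(LINES|FIELDS)\s+TERMINATED\s+BY\b", re.IGNORECASE)
UNION_RE = re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE)
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")  # assumed list


def classify(statement):
    """Return None when the statement writes no file, else a finding dict."""
    m = OUTFILE_RE.search(statement)
    if m is None:
        return None
    path = m.group("path")
    script = path.lower().endswith(SCRIPT_EXTS)
    return {
        "clause": m.group(1).upper(),
        "path": path,
        "script_target": script,
        # A terminator clause after the path can carry arbitrary bytes.
        "custom_terminator": bool(TERMINATOR_RE.search(statement[m.end():])),
        "union_based": bool(UNION_RE.search(statement)),
        "severity": "high" if script else "review",
    }


# Constructed statements as they might appear in a database query log.
SAMPLES = [
    "SELECT name FROM items WHERE id='7'",
    "SELECT a,b,c,d FROM items WHERE id='' UNION ALL SELECT \"<elided>\",NULL,NULL,NULL "
    "INTO OUTFILE \"/opt/lampp/htdocs/uploads/test.php\"#'",
    "SELECT a FROM items WHERE id='-7440' OR 6498=6498 LIMIT 1 "
    "INTO OUTFILE 's/scope/sqli/tmpuywdg.php' LINES TERMINATED BY 0x<elided>",
    "SELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
]


def findings(statements):
    """Return (index, finding) pairs for statements that write a file."""
    return [(i, f) for i, s in enumerate(statements) if (f := classify(s))]


if __name__ == "__main__":
    for index, finding in findings(SAMPLES):
        print(index, finding)
```

On MySQL, withholding the FILE privilege from the application account and restricting `secure_file_priv` prevents these writes from reaching a web-served directory in the first place.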
