Hey,

haven't spent any time thinking about a generic approach yet, as I was on an
Oracle DBMS and did fine. But I see your point... I will give it some
thought...

Cheers,
Dennis


On 25.07.2012 12:09, Miroslav Stampar wrote:
> Hi again.
>
> The most generic approach would be to use a dummy prefix such as "99999 WHERE
> 1=1", but there are lots of potential pitfalls here (e.g. if the column
> name is delimited with a DBMS-specific column name delimiter). We've
> added a new issue for this [1].
>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/120
>
> On Wed, Jul 25, 2012 at 11:47 AM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>
>     Hi.
>
>     How would you exploit this:
>
>     SELECT $_GET['id'] FROM table
>
>     on all DBMSes?
>
>     Oracle and MySQL have DUAL, but what about the others? In the end we'll
>     end up with 10 new payloads and/or boundaries, each of those covering
>     each DBMS.
>
>     Kind regards,
>     Miroslav Stampar
>
>
>     On Wed, Jul 25, 2012 at 11:28 AM, Dennis <korius_...@yahoo.com>
>     wrote:
>
>         I'm not sure about Troy, but I had a similar case recently. I
>         could control the bit of the query between SELECT and FROM,
>         which could be exploited either with nested (SELECT)s or by
>         expanding the query with another FROM [...] UNION SELECT [...]
>         to extend the query. SQLmap did not find the injection. The
>         DBMS was Oracle.
>
>         Cheers
>
>
>         On 25.07.2012 00:48, Miroslav Stampar wrote:
>>
>>         Hi Troy.
>>
>>         More info is required for sure.
>>
>>         You mean that you just need a (SELECT...)/subquery type of
>>         injection? This is something that we are aware that we need
>>         to do.
>>
>>         Kind regards,
>>         Miroslav Stampar
>>
>>         On Jul 24, 2012 11:18 PM, "Troy B"
>>         <powercorruptionandl...@gmail.com> wrote:
>>
>>             Evening all,
>>
>>             I had an SQL injection into a MySQL5-based web
>>             application the other week which involved me having
>>             control over the column list being selected. I tried
>>             sqlmap against the URL, but it didn't find the injection
>>             point. I tried again, taking the --level and --risk a
>>             little higher, but still nothing.
>>
>>             In the end, I manually exploited it using a sub-select.
>>             Was I doing something wrong with sqlmap, or will it not
>>             identify injection points like that?  I can provide an
>>             example of the query the application was using if this helps.
>>
>>             Regards,
>>
>>             Matt
>>
>>             
>> ------------------------------------------------------------------------------
>>             Live Security Virtual Conference
>>             Exclusive live event will cover all the ways today's
>>             security and
>>             threat landscape has changed and how IT managers can
>>             respond. Discussions
>>             will include endpoint security, mobile security and the
>>             latest in malware
>>             threats.
>>             http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>             _______________________________________________
>>             sqlmap-users mailing list
>>             sqlmap-users@lists.sourceforge.net
>>             <mailto:sqlmap-users@lists.sourceforge.net>
>>             https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>>
>
>
>
>
>
>     -- 
>     Miroslav Stampar
>     http://about.me/stamparm
>
>
>
>
> -- 
> Miroslav Stampar
> http://about.me/stamparm
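
Added example, not part of the thread or of sqlmap: the application-side fix for the select-list injection discussed above (SELECT $_GET['id'] FROM table). It uses Python's sqlite3 with a constructed schema; the table names, ALLOWED_COLUMNS and the function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample schema and data, for illustration only.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE api_keys (user_id INTEGER, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO api_keys VALUES (1, 'constructed-secret');
    """)
    return db

def fetch_vulnerable(db, column, user_id):
    # Same shape as the query in the thread: the select list is built
    # from caller input, so any expression, including a nested SELECT,
    # becomes part of the statement.
    sql = "SELECT " + column + " FROM users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchone()[0]

def fetch_bound(db, column, user_id):
    # Parameter binding is not a fix here: a bound value is data, not an
    # identifier, so the query returns the column *name* as a string.
    sql = "SELECT ? FROM users WHERE id = ?"
    return db.execute(sql, (column, user_id)).fetchone()[0]

# Hypothetical allow-list: request key -> fixed SQL identifier.
ALLOWED_COLUMNS = {"name": "name", "email": "email"}

def fetch_safe(db, column, user_id):
    try:
        ident = ALLOWED_COLUMNS[column]
    except KeyError:
        raise ValueError("unsupported column: %r" % (column,))
    # Only constants taken from the allow-list ever reach the SQL text.
    sql = "SELECT " + ident + " FROM users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    nested = "(SELECT secret FROM api_keys)"  # constructed input
    print("vulnerable:", fetch_vulnerable(db, nested, 1))
    print("bound:     ", fetch_bound(db, "email", 1))
    print("allow-list:", fetch_safe(db, "email", 1))
    try:
        fetch_safe(db, nested, 1)
    except ValueError as exc:
        print("rejected:  ", exc)
```

Because identifiers cannot be bound as parameters, the allow-list lookup is the control that keeps request data out of the select list.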

