Hi list/developer,

I stumbled over this type of injection while doing a pentest and thought of implementing this kind of injection in sqlmap (I call it "error-based-blind-injection"):

The Webapp replied with "success" if the statement was correct, regardless of the number of returned rows (the rows actually were fetched in a subsequent request), and with an empty response if the statement failed. So the attack was identified the following way (it is an Oracle DB):

param=' and to_char(1/0) like '1
  --> empty response because 1/0 is a division by zero error
param=' and to_char(1/1) like '1
  --> success

Now I had to find a workaround to get sqlmap to identify this injection (it only identified a time based blind, but I wanted a _fast_ attack).

My solution:

prefix= ' and to_char(1/(case (select 'a' from dual where 1=1
suffix= ) when 'a' then '1' else '0' end)) like '1

Now my question: is it possible to get this attack in sqlmap as a standard attack - or is there an easier way to configure sqlmap?

Additionally the Oracle "order by" clause injection via a case-statement would be interesting.

Your opinions/suggestions?

Chris
--
whp_at_pohlcity_dot_de
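From the defender's side, the probe shape in Chris's post is easy to recognise in access logs: a TO_CHAR() wrapped around a division whose divisor is a literal or a CASE expression, and the CASE (SELECT ... FROM DUAL ...) WHEN ... THEN ... ELSE ... END construct that turns a boolean condition into an error. The following is an added example (not part of the original post and not sqlmap code) that tags such requests and correlates the 1/1 vs 1/0 twin requests; the request lines and the /app?param= endpoint are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Constructed sample request lines (not from the original post); the first three
# mirror the probe shapes described on the list, the last two are benign controls.
SAMPLE_REQUESTS = [
    "GET /app?param=%27%20and%20to_char(1/0)%20like%20%271 HTTP/1.1",
    "GET /app?param=%27%20and%20to_char(1/1)%20like%20%271 HTTP/1.1",
    ("GET /app?param=%27%20and%20to_char(1/(case%20(select%20%27a%27%20from%20dual"
     "%20where%201%3D1)%20when%20%27a%27%20then%20%271%27%20else%20%270%27%20end))"
     "%20like%20%271 HTTP/1.1"),
    "GET /app?param=hello%20world HTTP/1.1",
    "GET /app?param=to_char HTTP/1.1",
]

# Signatures for the two building blocks of the probe: TO_CHAR(n/<literal or CASE>)
# and CASE (SELECT ... FROM DUAL ...) WHEN ... THEN ... ELSE ... END.
PATTERNS = {
    "oracle-divzero-probe": re.compile(
        r"to_char\s*\(\s*\d+\s*/\s*(\d+|\(?\s*case\b)", re.I),
    "oracle-case-dual-probe": re.compile(
        r"\bcase\s*\(\s*select\b.*?\bfrom\s+dual\b.*?\bwhen\b.*?\bthen\b.*?\belse\b.*?\bend\b",
        re.I | re.S),
}


def decode_request(line: str) -> str:
    """Return the URL-decoded request target (method and HTTP version stripped)."""
    parts = line.split(" ")
    target = parts[1] if len(parts) >= 2 else line
    return unquote_plus(target)


def classify(line: str) -> List[str]:
    """Return the names of every probe signature that matches the decoded request."""
    decoded = decode_request(line)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def probe_pair_key(line: str) -> Optional[str]:
    """Key that is identical for the TRUE/FALSE twins of a division probe (1/1 vs
    1/0), so paired requests from one client can be correlated into one alert."""
    decoded = decode_request(line)
    if not PATTERNS["oracle-divzero-probe"].search(decoded):
        return None
    return re.sub(r"(to_char\s*\(\s*\d+\s*/\s*)\d+", r"\1<N>", decoded, flags=re.I)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), probe_pair_key(req), decode_request(req))
```

Two requests from the same client sharing a non-empty pair key, one answered with "success" and one with an empty body, are the fingerprint of this blind technique even when no database error ever reaches the response.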