Hi.

In that case, could you please send the sqlmap traffic file obtained by using -t
traffic.txt along with your standard switches/options?

Kind regards,
Miroslav Stampar

On Sat, Sep 15, 2012 at 12:09 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:

> Hi,
>
> Sorry, my mistake. I just copied the line and altered it to show that the
> cookie was being used. In the real script, there was no parse error.
> Nonetheless, sqlmap cannot pull out results.
>
> Thanks
> ss23
>
> On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> I am not sure how you are "definitely able to pull out results",
>> as, as I can see, the problem lies in the PHP used (a pair of single
>> quotes enclosed within another pair of single quotes):
>>
>> Bad:
>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>> sessionid = *'$_COOKIE['sesh']'*)");
>>
>> Good 1:
>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>> sessionid = *'$_COOKIE[sesh]'*)");
>>
>> Good 2:
>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>> sessionid = " . *$_COOKIE['sesh'] . "*)");
>>
>> With that code of yours you should get an ugly PHP error message:
>> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
>> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>>
>> Also, you could take a look at a similar case here [1].
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> [1]
>> http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>>
>> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:
>>
>>> Hi all,
>>>
>>> Trying to do a (simple) injection with sqlmap, and I can't seem to coax
>>> it into getting it right.
>>> The PHP source looks something like:
>>>
>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM
>>> custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE
>>> sessionid = '$_COOKIE['sesh']')");
>>>
>>> and then it displays the fields it pulled out.
>>>
>>> The command(s) I've tried look something like ./sqlmap.py -u
>>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>>> --risk=5. However, the only injection point it finds is AND/OR time-based
>>> blind, which is horribly slow. Of course, manually, I can do a
>>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>>> I'm definitely able to pull out results.
>>>
>>> Anything I can do to push sqlmap in the right direction?
>>>
>>> Thanks,
>>> ss23
>>>
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
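
The query discussed in this thread, shown in its concatenated form next to a bound-parameter form (an added example, not code from the thread or from sqlmap). It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the rows and the function names `lookupConcatenated` and `lookupBound` are constructed for illustration.

```php
<?php
// Added example: constructed schema and rows; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ccc_users (userid INTEGER, sessionid TEXT)");
$db->exec("CREATE TABLE custdata (userid INTEGER, custname TEXT, custemail TEXT, owing REAL)");
$db->exec("INSERT INTO ccc_users VALUES (1, 'abc123')");
$db->exec("INSERT INTO custdata VALUES (1, 'Alice Example', 'alice@example.test', 12.5)");

// Same statement as in the thread; %s marks where the session id goes.
const QUERY = "SELECT userid, custname, custemail, owing FROM custdata AS cd
               WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = %s)";

// Before: the cookie value is spliced into the SQL text, so quotes in it change the statement.
function lookupConcatenated(PDO $db, string $sesh): array
{
    $sql = sprintf(QUERY, "'" . $sesh . "'");
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// After: the cookie value is sent as a bound parameter and is only ever compared as data.
function lookupBound(PDO $db, string $sesh): array
{
    $stmt = $db->prepare(sprintf(QUERY, ':sesh'));
    $stmt->execute([':sesh' => $sesh]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed cookie values: one valid session id and the string quoted in the thread.
$cookies = [
    'valid session'     => 'abc123',
    'value from thread' => "') UNION select 1,2,3,4 -- ",
];

foreach ($cookies as $label => $sesh) {
    printf(
        "%-18s concatenated=%d row(s), bound=%d row(s)\n",
        $label,
        count(lookupConcatenated($db, $sesh)),
        count(lookupBound($db, $sesh))
    );
}
```

With the bound form, a session id that matches no row in ccc_users yields an empty result regardless of the characters it contains.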