Do you see that warning: "execution of custom SQL queries is only available
when stacked queries are supported". Do you know what does it mean?
I've said that you need stacking -> you need to have "STACKED" technique
available for exploitation. In your case that's not the case.
Kind regards,
Miroslav Stampar
On Wed, Feb 20, 2013 at 3:05 PM, ml <[email protected]> wrote:
> Le 2013-02-20 14:52, Miroslav Stampar a écrit :
>
>> p.s. problem is that INTO OUTFILE affects only the SELECT query where
>> is supposed to be done. In your case you have one query which is
>> INJECTABLE and one separate CUSTOM query which needs to include INTO
>> OUTFILE -> this is a conflict which requires usage of stacking (or you
>> can try to exploit it manually using original query)
>>
>
>
>
> sql-shell> 1;select 0x3c*******e into dumpfile
> "/www/doc/www.**************.**cz/www/new/upload.php";
> [15:01:16] [WARNING] execution of custom SQL queries is only available
> when stacked queries are supported
>
>
> in the case of a concrete example I get this even with stacking
>
>
>
>> On Wed, Feb 20, 2013 at 2:48 PM, Miroslav Stampar
>> <[email protected]> wrote:
>>
>> For using "INTO OUTFILE" in a specific SELECT query you need stacking
>>> (or you can try to exploit it manually). We can't help you here.
>>>
>>> Bye
>>>
>>> On Wed, Feb 20, 2013 at 2:45 PM, ml <[email protected]> wrote:
>>>
>>> Le 2013-02-20 09:53, Miroslav Stampar a écrit :
>>>>
>>>> --sql-query WORKS (tested this moment with ERROR based-only technique
>>>>> using query "SELECT id FROM users")
>>>>> --sql-shell WORKS (tested this moment with ERROR based-only technique
>>>>> using query "SELECT id FROM users")
>>>>>
>>>>> To distinguish things a bit. Query is a SQL command that starts with
>>>>> "SELECT". Non-query statements (INSERT/UPDATE/DELETE...) require
>>>>> "stacking".
>>>>>
>>>>> You haven't stated what switch have you used, nor which
>>>>> query/non-query command have you tried, nor which techniques were
>>>>> available in your case... Nothing.
>>>>>
>>>>
>>>> I tried an application style
>>>>
>>>> select 0x3a into outfile './test.txt'
>>>>
>>>> and that
>>>>
>>>> the shell answers a error
>>>> custom query are not disponible
>>>>
>>>> simple query style
>>>> SELECT id FROM users works
>>>>
>>>> but when you add into dumpfile outfile or it does not work
>>>>
>>>> I tried putting 1; in front of the stack or no more successful
>>>>
>>>> there is a problem
>>>>
>>>> On Tue, Feb 19, 2013 at 11:37 PM, ml <[email protected]> wrote:
>>>>>
>>>>> hello guru
>>>>>>
>>>>>> I ask you a little help.
>>>>>> all the "custom query" are no longer possible
>>>>>> to execute custom query sqlmap answers the "stacked query" are not
>>>>>> supported.
>>>>>>
>>>>>> what inplique lines of code that execute 15 days ago in the past do
>>>>>> not
>>>>>> work anymore
>>>>>>
>>>>>> please provide a little help
>>>>>>
>>>>>> sincerely
>>>>>> --
>>>>>> gpg --keyserver pgp.mit.edu [1] [1] --recv-key C2626742
>>>>>> http://about.me/fakessh [2] [2]
>>>>>>
>>>>>>
>>>>>> ------------------------------**------------------------------**
>>>>>> ------------------
>>>>>> Everyone hates slow websites. So do we.
>>>>>> Make your web apps faster with AppDynamics
>>>>>> Download AppDynamics Lite for free today:
>>>>>> http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>[3]
>>>>>> [3]
>>>>>> ______________________________**_________________
>>>>>> sqlmap-users mailing list
>>>>>> sqlmap-users@lists.**sourceforge.net<[email protected]>
>>>>>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>[4]
>>>>>> [4]
>>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm [5] [5]
>>>>>
>>>>> Links:
>>>>> ------
>>>>> [1] http://pgp.mit.edu [1]
>>>>> [2] http://about.me/fakessh [2]
>>>>> [3]
>>>>> http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>[3]
>>>>> [4]
>>>>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>[4]
>>>>> [5] http://about.me/stamparm [5]
>>>>>
>>>>
>>>> --
>>>> gpg --keyserver pgp.mit.edu [1] --recv-key C2626742
>>>> http://about.me/fakessh [2]
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm [5]
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm [5]
>>
>> Links:
>> ------
>> [1] http://pgp.mit.edu
>> [2] http://about.me/fakessh
>> [3] http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>
>> [4]
>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
>> [5] http://about.me/stamparm
>>
>
> --
> gpg --keyserver pgp.mit.edu --recv-key C2626742
> http://about.me/fakessh
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
