p.s. 15 days ago there was no such warning for "INTO OUTFILE" but also it
(silently) didn't work
On Wed, Feb 20, 2013 at 3:11 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Do you see that warning: "execution of custom SQL queries is only
> available when stacked queries are supported". Do you know what does it
> mean?
>
> I've said that you need stacking -> you need to have "STACKED" technique
> available for exploitation. In your case that's not the case.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Wed, Feb 20, 2013 at 3:05 PM, ml <m...@smtp.fakessh.eu> wrote:
>
>> Le 2013-02-20 14:52, Miroslav Stampar a écrit :
>>
>>> p.s. problem is that INTO OUTFILE affects only the SELECT query where
>>> is supposed to be done. In your case you have one query which is
>>> INJECTABLE and one separate CUSTOM query which needs to include INTO
>>> OUTFILE -> this is a conflict which requires usage of stacking (or you
>>> can try to exploit it manually using original query)
>>>
>>
>>
>>
>> sql-shell> 1;select 0x3c*******e into dumpfile
>> "/www/doc/www.**************.**cz/www/new/upload.php";
>> [15:01:16] [WARNING] execution of custom SQL queries is only available
>> when stacked queries are supported
>>
>>
>> in the case of a concrete example I get this even with stacking
>>
>>
>>
>>> On Wed, Feb 20, 2013 at 2:48 PM, Miroslav Stampar
>>> <miroslav.stam...@gmail.com> wrote:
>>>
>>> For using "INTO OUTFILE" in a specific SELECT query you need stacking
>>>> (or you can try to exploit it manually). We can't help you here.
>>>>
>>>> Bye
>>>>
>>>> On Wed, Feb 20, 2013 at 2:45 PM, ml <m...@smtp.fakessh.eu> wrote:
>>>>
>>>> Le 2013-02-20 09:53, Miroslav Stampar a écrit :
>>>>>
>>>>> --sql-query WORKS (tested this moment with ERROR based-only technique
>>>>>> using query "SELECT id FROM users")
>>>>>> --sql-shell WORKS (tested this moment with ERROR based-only technique
>>>>>> using query "SELECT id FROM users")
>>>>>>
>>>>>> To distinguish things a bit. Query is a SQL command that starts with
>>>>>> "SELECT". Non-query statements (INSERT/UPDATE/DELETE...) require
>>>>>> "stacking".
>>>>>>
>>>>>> You haven't stated what switch have you used, nor which
>>>>>> query/non-query command have you tried, nor which techniques were
>>>>>> available in your case... Nothing.
>>>>>>
>>>>>
>>>>> I tried an application style
>>>>>
>>>>> select 0x3a into outfile './test.txt'
>>>>>
>>>>> and that
>>>>>
>>>>> the shell answers a error
>>>>> custom query are not disponible
>>>>>
>>>>> simple query style
>>>>> SELECT id FROM users works
>>>>>
>>>>> but when you add into dumpfile outfile or it does not work
>>>>>
>>>>> I tried putting 1; in front of the stack or no more successful
>>>>>
>>>>> there is a problem
>>>>>
>>>>> On Tue, Feb 19, 2013 at 11:37 PM, ml <m...@smtp.fakessh.eu> wrote:
>>>>>>
>>>>>> hello guru
>>>>>>>
>>>>>>> I ask you a little help.
>>>>>>> all the "custom query" are no longer possible
>>>>>>> to execute custom query sqlmap answers the "stacked query" are not
>>>>>>> supported.
>>>>>>>
>>>>>>> what inplique lines of code that execute 15 days ago in the past do
>>>>>>> not
>>>>>>> work anymore
>>>>>>>
>>>>>>> please provide a little help
>>>>>>>
>>>>>>> sincerely
>>>>>>> --
>>>>>>> gpg --keyserver pgp.mit.edu [1] [1] --recv-key C2626742
>>>>>>> http://about.me/fakessh [2] [2]
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------**------------------------------**
>>>>>>> ------------------
>>>>>>> Everyone hates slow websites. So do we.
>>>>>>> Make your web apps faster with AppDynamics
>>>>>>> Download AppDynamics Lite for free today:
>>>>>>> http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>[3]
>>>>>>> [3]
>>>>>>> ______________________________**_________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sqlmap-users@lists.**sourceforge.net<sqlmap-users@lists.sourceforge.net>
>>>>>>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>[4]
>>>>>>> [4]
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm [5] [5]
>>>>>>
>>>>>> Links:
>>>>>> ------
>>>>>> [1] http://pgp.mit.edu [1]
>>>>>> [2] http://about.me/fakessh [2]
>>>>>> [3]
>>>>>> http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>[3]
>>>>>> [4]
>>>>>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>[4]
>>>>>> [5] http://about.me/stamparm [5]
>>>>>>
>>>>>
>>>>> --
>>>>> gpg --keyserver pgp.mit.edu [1] --recv-key C2626742
>>>>> http://about.me/fakessh [2]
>>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm [5]
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm [5]
>>>
>>> Links:
>>> ------
>>> [1] http://pgp.mit.edu
>>> [2] http://about.me/fakessh
>>> [3] http://p.sf.net/sfu/appdyn_**d2d_feb<http://p.sf.net/sfu/appdyn_d2d_feb>
>>> [4]
>>> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
>>> [5] http://about.me/stamparm
>>>
>>
>> --
>> gpg --keyserver pgp.mit.edu --recv-key C2626742
>> http://about.me/fakessh
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users