Hi buawig, We have a ticket to address DBMS-specific detection "limitations", https://github.com/sqlmapproject/sqlmap/issues/1 - Microsoft Access is indeed one of these cases. We could consider to use the user's provided database and/or table name when these are needed at detection phase rather than statically using hard-coded names. There're trade-offs to this thought.
With regards to the query being overly long, you can use switch --no-cast to reduce the injected query length. Bernardo On 20 March 2013 16:28, buawig <bua...@gmail.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > to simply get the job done I changed the table name in: > lib/core/dicts.py:144 > > after changing MSysAccessObjects to foobar sqlmap detected the union > based sqli but exploitation did not work because it created very long > queries and the server replied with: "query to complex" > > at the end I had to use extract data using boolean based exploitation > (which did work after finding a column name in the table that had > unique values) > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJRSeO+AAoJEJeRHQyF0ukMsrkQALcJwXhjXRRyXzusdloIc9ZZ > Ybradjx4dKQ00lZR5nkQv+49Xe3V53bwcP4di2KqiiIIo/5gGyoxYzNAREsF2TT3 > FpctmbmE13hnKg16HjZDbpxcJzUN1CMCs3Gb5E0ibP9/RTTHOegOG3xcvceEAj1Y > DI8YFnDSmQRa2JBenJM8InHve3ue7Ef9seowHm4mBs8bniEskw2sAtxosVZJwUS9 > eRndYwB9jBke9pXx+MuectmajWmMf0cTXhu5q5nOIbbykGZf2DDjduujLMCm6bT4 > +iavnZkW/fHc+cnw1nmiwPcI2vCHxSLZW2ZX5FzpXjM4agXM8+FTQzT8+7WUalfW > QAAkZYjNWiOgpvFVUBsqgb1ozc/4O33y1oNfbg7SHbopgPOApvtvAxjBa5Igtwh9 > SDTuGXbuovQYoJEOI3JwxTMPXZuUpgvQgszvqfr/JB2MweZk/B9TPPIRLvLwLM3u > yRRtrrxij296XJ/MZBq5dWcj1Ij3mS1hTeO2GkxNcJnh/vcN4Vsic8OJmQrEGRKP > Xmz1VT4eqZMh3dzg6d90RQb3oCdVJ0OdY3Duvf7pPMCfKPtk9SROxoqmc+K0bQSl > CIKgTBcsC3SAmVYZljYk2JqMnorcVvv7bXbvcM2okllA4fmZq+oGf+r2oO80zorQ > NKORqeE2OQ6bqNYJaDIR > =VMtR > -----END PGP SIGNATURE----- > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_mar > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
