I've got a case where I'm trying to enumerate MS SQL table names, but the user
doesn't have access to dbname..sysobjects. It does have access to
INFORMATION.SCHEMA though.
The vulnerability is a blind SQL and there are a number of filters confounding
the effort, including certain character sequences, query length, etc.
I've got a process working manually along the lines of (from memory, may not be
100%):
VulnerableQueryParam=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION.SCHEMA AS XYZ WHERE TABLE_CATALOG=CHAR(103)<snip>CHAR(98) AND TABLE_NAME LIKE [Test Case]) > 0
Where [Test Case] is an iteration of
CHAR(65)+CHAR(37) // A%
CHAR(66)+CHAR(37) // B%
CHAR(67)+CHAR(37) // C%
I can tell by the output which are matching and which are not (elementary
stuff, basically). Of course, once the first character is found, I repeat with
known good characters at position 2:
CHAR(103)+CHAR(65)+CHAR(37) // gA%
CHAR(103)+CHAR(66)+CHAR(37) // gB%
Is it possible for me to basically automate this with sqlmap? I can't seem to
get it to find this query using its own process. I'd like to just be able to
put a '*' or equivalent somewhere in the input URL to indicate where it should
insert the CHAR() values, and pass it a --not-string in this case to
distinguish true from false.
Thanks for any input you can provide!
Bob
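From the defender's side, the probe shape described in this post (a boolean "AND (SELECT ...) > 0" condition, LIKE patterns assembled from CHAR() calls, /**/ used in place of whitespace, and INFORMATION_SCHEMA or sysobjects lookups) is easy to pick out of a web access log. The following is an added example, not part of the original post or of sqlmap: it runs a small set of indicator regexes over constructed Apache-style log lines, URL-decodes each query string, reports which indicators match, and counts flagged requests per client address, since character-by-character enumeration shows up as a long run of near-identical probes from one source. All log lines, paths and addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). The
# query strings mirror the probe shapes the post describes: CHAR()-built
# LIKE patterns, /**/ used as whitespace, INFORMATION_SCHEMA / sysobjects
# lookups, and an "AND (SELECT ...) > 0" boolean condition.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2013:12:00:01 +0000] "GET /item.aspx?id=1550 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2013:12:00:02 +0000] "GET /item.aspx?id=1550%20AND%20(SELECT/**/COUNT(*)'
    '%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20LIKE%20CHAR(65)%2BCHAR(37))%3E0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2013:12:00:03 +0000] "GET /item.aspx?id=1550%20AND%20(SELECT%20COUNT(*)'
    '%20FROM%20dbname..sysobjects)%3E0 HTTP/1.1" 200 498',
    '10.0.0.7 - - [10/Oct/2013:12:00:04 +0000] "GET /search.aspx?q=char%20count HTTP/1.1" 200 1024',
]

# Each indicator is a (name, compiled regex) pair checked against the
# URL-decoded query string. The order only fixes the report ordering.
INDICATORS = [
    ("char_concat", re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I)),
    ("inline_comment", re.compile(r"/\*.*?\*/", re.S)),
    ("schema_enum", re.compile(r"INFORMATION_SCHEMA\.\w+|\bsysobjects\b", re.I)),
    ("boolean_subselect", re.compile(r"\bAND\b\s*\(?\s*SELECT\b", re.I)),
]

# Common-log-format request line: client address and the request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (?P<target>\S+) HTTP/'
)


def decode_query(target):
    """Split the request target into its path and URL-decoded query string."""
    path, _, query = target.partition("?")
    return path, unquote_plus(query)


def analyze_request(query):
    """Return the names of all indicators matching a decoded query string."""
    return [name for name, rx in INDICATORS if rx.search(query)]


def scan_log(lines):
    """Parse access-log lines; return one record per request that matches
    at least one indicator (unparseable lines are skipped)."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, query = decode_query(m.group("target"))
        hits = analyze_request(query)
        if hits:
            flagged.append({"ip": m.group("ip"), "path": path,
                            "indicators": hits, "query": query})
    return flagged


def requests_per_source(flagged):
    """Count flagged requests per client address. Enumeration one character
    at a time produces many near-identical probes from one source, so a
    high count here is a stronger signal than any single hit."""
    return dict(Counter(rec["ip"] for rec in flagged))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG_LINES)
    for rec in hits:
        print(f'{rec["ip"]} {rec["path"]} -> {", ".join(rec["indicators"])}')
    print("flagged requests per source:", requests_per_source(hits))
```

Decoding before matching matters: the post's own examples are sent percent-encoded and with the `+` in `CHAR(65)+CHAR(37)` encoded as `%2B`, so a pattern applied to the raw request line would miss them. The per-source count is what separates a single odd-looking request from the sustained, incrementing probe sequence the post describes.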
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users