Hi Robert.

In this kind of situation, where "there are a number of filters confounding
the effort, including certain character sequences, query length", we can't
help you. sqlmap is an automated tool, and automation is confronted with a
wall in "special" situations.

I would suggest you automate that "process" you've successfully used in
some kind of a custom script.

Kind regards,
Miroslav Stampar


On Thu, Oct 17, 2013 at 12:56 AM, Robert Rich <rr...@gsti.net> wrote:

> I’ve got a case where I’m trying to enumerate MS SQL table names, but
> the user doesn’t have access to dbname..sysobjects. It does have access
> to INFORMATION.SCHEMA though.
>
> The vulnerability is a blind SQL and there are a number of filters
> confounding the effort, including certain character sequences, query
> length, etc.
>
> I’ve got a process working manually along the lines of (from memory, may
> not be 100%):
>
> VulnerableQueryParam=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION.SCHEMA
> AS XYZ WHERE TABLE_CATALOG=CHAR(103)<snip>CHAR(98) AND TABLE_NAME LIKE
> [Test Case]) > 0
>
> Where [Test Case] is an iteration of
>
> CHAR(65)+CHAR(37)  // A%
> CHAR(66)+CHAR(37)  // B%
> CHAR(68)+CHAR(37)  // C%
>
> I can tell by the output which are matching and which are not (elementary
> stuff, basically). Of course, once the first character is found, I repeat
> with known good characters at position 2:
>
> CHAR(103)+CHAR(65)+CHAR(37)  // gA%
> CHAR(103)+CHAR(65)+CHAR(37)  // gB%
>
> Is it possible for me to basically automate this with sqlmap? I can’t
> seem to get it to find this query using its own process. I’d like to just
> be able to put a ‘*’ or equivalent somewhere in the input URL to indicate
> where it should insert the CHAR() values, and pass it a --not-string in
> this case to distinguish true from false.
>
> Thanks for any input you can provide!
>
> Bob


-- 
Miroslav Stampar
http://about.me/stamparm
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
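On the defending side, the probing described in the quoted message (repeated `LIKE` tests whose pattern is built from `CHAR(n)+...+CHAR(37)`, with `/**/` standing in for spaces) leaves a recognizable trail in request logs. The following is an added example, not part of the thread or of sqlmap: the log format, function names and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines in an assumed format: "<client> <raw query string>".
SAMPLE_LOG = [
    "10.0.0.5 id=1550%20AND%20(SELECT/**/COUNT(*)%20FROM%20t%20WHERE%20TABLE_NAME%20LIKE%20CHAR(65)%2BCHAR(37))%3E0",
    "10.0.0.5 id=1550%20AND%20(SELECT/**/COUNT(*)%20FROM%20t%20WHERE%20TABLE_NAME%20LIKE%20CHAR(66)%2BCHAR(37))%3E0",
    "10.0.0.5 id=1550%20AND%20(SELECT/**/COUNT(*)%20FROM%20t%20WHERE%20TABLE_NAME/**/LIKE/**/CHAR(103)%2BCHAR(65)%2BCHAR(37))%3E0",
    "10.0.0.9 id=1550",
    "10.0.0.9 q=I%20LIKE%20CHAR(65)%20sets",
]

COMMENT = re.compile(r"/\*.*?\*/", re.S)   # inline comments used in place of whitespace
LIKE_CHAIN = re.compile(r"LIKE\s+((?:CHAR\(\d+\)\s*\+\s*)*CHAR\(\d+\))", re.I)
CHAR_CALL = re.compile(r"CHAR\((\d+)\)", re.I)


def like_prefixes(raw_query):
    """Return decoded LIKE prefixes (pattern minus the trailing %) found in one query string."""
    text = COMMENT.sub(" ", unquote(raw_query))   # URL-decode, then neutralize /**/
    found = []
    for chain in LIKE_CHAIN.findall(text):
        codes = [int(n) for n in CHAR_CALL.findall(chain)]
        decoded = "".join(chr(c) for c in codes if c < 0x110000)
        # Only a prefix test (something followed by the % wildcard) counts as a probe.
        if len(decoded) > 1 and decoded.endswith("%"):
            found.append(decoded[:-1])
    return found


def flag_clients(lines, min_probes=3):
    """Flag clients that sent at least min_probes CHAR()-encoded LIKE prefix tests."""
    seen = defaultdict(list)
    for line in lines:
        client, _, query = line.partition(" ")
        seen[client].extend(like_prefixes(query))
    return {
        client: {"probes": len(p), "longest_prefix": max(map(len, p), default=0)}
        for client, p in seen.items()
        if len(p) >= min_probes
    }


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

A growing `longest_prefix` for one client over time indicates that the character-by-character enumeration is succeeding, which is a stronger signal than the probe count alone.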