I have had this idea for a while, and I finally came across an injection
for which this was useful for me.

Due to logic in the application, a generic UNION tacked on the end of the
query doesn't work.

However, a payload of:

blah=foo"+union+select+null,null,null,null,sleep(5)--%20

does result in a response coming back 5 seconds later than the baseline.
Removing or adding a column to the union results in the baseline request
time.

This was very useful for me, because I was able to use this 'blind union'
in order to write a file to the web root and achieve RCE, even though the
union in and of itself would not let me pull data out en masse (the other
time-based payloads did work as well).

This might be a useful check for sqlmap to implement. Currently, there are
heuristics that sqlmap has to determine whether an injection point is
union-able, but not exploitable with generic NULL/union char payloads. I
think this is determined by the HTTP response data though, not the temporal
aspect of the HTTP response.

Thoughts?


-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
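As an added example (not from the original message and not sqlmap code), here is a defender-side check in Python that runs over constructed access-log lines and flags the fingerprint described above: one source sending UNION SELECT ... sleep() payloads with varying column counts, where exactly one count produces a response far slower than the baseline. The log format (Apache combined plus a trailing %D request-time field in microseconds) and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus
from collections import defaultdict

# Constructed sample log: combined format with request time in microseconds
# appended as the last field (what an Apache "%D" LogFormat directive emits).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item?blah=foo%22+union+select+null,null,null,sleep(5)--%20 HTTP/1.1" 200 512 "-" "curl/7.88" 210000
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /item?blah=foo%22+union+select+null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 512 "-" "curl/7.88" 5210000
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /item?blah=foo%22+union+select+null,null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 512 "-" "curl/7.88" 205000
198.51.100.4 - - [10/Oct/2023:13:55:44 +0000] "GET /item?blah=foo HTTP/1.1" 200 512 "-" "Mozilla/5.0" 198000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
                    r' \d+ \d+ "[^"]*" "[^"]*" (?P<micros>\d+)$')
# A UNION SELECT whose select list ends in sleep(): the column count is the
# number of comma-separated items before the sleep() call.
UNION_SLEEP_RE = re.compile(r'union\s+select\s+(?P<cols>.+?)\s*sleep\s*\(', re.IGNORECASE)

def parse_line(line):
    """Return {'ip', 'cols', 'seconds'} for one log line, or None if unparseable.
    'cols' is the probed column count, or None for a non-UNION request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = UNION_SLEEP_RE.search(unquote_plus(m.group('path')))
    cols = u.group('cols').count(',') + 1 if u else None  # null,null,null, -> 4
    return {'ip': m.group('ip'), 'cols': cols, 'seconds': int(m.group('micros')) / 1e6}

def find_blind_union_probes(log_text, slow_factor=5.0):
    """Per source IP, list the UNION column counts probed and the ones whose
    response exceeded slow_factor times the median time of normal requests."""
    by_ip, baseline = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        (baseline.append(rec['seconds']) if rec['cols'] is None
         else by_ip[rec['ip']].append(rec))
    base = sorted(baseline)[len(baseline) // 2] if baseline else 0.2  # assumed fallback
    findings = {}
    for ip, recs in by_ip.items():
        tried = sorted({r['cols'] for r in recs})
        if len(tried) < 2:  # a single attempt is not the column-count sweep
            continue
        slow = sorted({r['cols'] for r in recs if r['seconds'] > base * slow_factor})
        findings[ip] = {'column_counts_tried': tried, 'slow_column_counts': slow}
    return findings

if __name__ == '__main__':
    print(find_blind_union_probes(SAMPLE_LOG))
```

A hit where exactly one column count is slow is the signal worth alerting on: it means the sweep found a UNION-compatible column count even though the response body never changed.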