Sounds cool, but kind of an edge case. I'm just interested to understand
more if you don't mind...

Is the sleep function being used within or as a vulnerable column value in
your example or is it merely appended to the union injection and before the
suffix/delimiter value (unsure because example has a comma before the
sleep(5) call)?

Are you leveraging the sleep() location for a time-based injection entry
point? If you frame the --url --data strings to include the union base and
mark the sleep() location with '*' and --technique=T does it work to
identify the time-based injection (i.e. ./sqlmap.py --url http://
somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*'
--technique=T --banner)?

On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bperry.volat...@gmail.com>
wrote:

> I have had this idea for a while, and I finally came across an injection
> that this was useful for me.
>
> Due to logic in the application, a generic UNION tacked on the end of the
> query doesn't work.
>
> However, a payload of:
>
> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>
> does result in a response coming back 5 seconds later than the baseline.
> Removing or adding a column to the union results in the baseline request
> time.
>
> This was very useful for me, because I was able to use this 'blind union'
> in order to write a file to the web root and achieve RCE, even though the
> union in and of itself would not let me pull data out en masse (the other
> time-based payloads did work as well).
>
> This might be a useful check for sqlmap to implement. Currently, there are
> heuristics that sqlmap has to determine whether an injection point is
> union-able, but not exploitable with generic NULL/union char payloads. I
> think this is determined by the HTTP response data though, not the temporal
> aspect of the HTTP response.
>
> Thoughts?
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
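The "temporal aspect" Brandon describes (only the UNION with the right column count actually executes, so only that probe carries the sleep() delay) is just as visible from the server side. The script below is an added example, not code from the thread or from sqlmap: it reads constructed web-server access-log lines in an assumed format (client, request line, status, request time in seconds, with the injected parameter in the query string so it appears in the log), groups timed UNION probes by column count, and reports the column count whose response time rose by the requested sleep() over the baseline. That count is the one an attacker would have confirmed as union-able, which is what an incident responder wants to know.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed sample lines (not taken from the thread). Assumed log format:
#   client "METHOD path HTTP/1.x" status request_time_seconds
# The injected parameter is in the query string so that it is logged.
SAMPLE_LOG = """\
10.0.0.5 "GET /item?blah=foo HTTP/1.1" 200 0.098
10.0.0.5 "GET /item?blah=bar HTTP/1.1" 200 0.092
10.0.0.5 "GET /item?blah=foo%22+union+select+sleep(5)--%20 HTTP/1.1" 200 0.101
10.0.0.5 "GET /item?blah=foo%22+union+select+null,sleep(5)--%20 HTTP/1.1" 200 0.104
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,sleep(5)--%20 HTTP/1.1" 200 0.097
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,null,sleep(5)--%20 HTTP/1.1" 200 0.103
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 5.118
10.0.0.5 "GET /item?blah=foo%22+union+select+null,null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 0.099
"""

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) ([\d.]+)\s*$')
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+(.*)$', re.IGNORECASE | re.DOTALL)
# MySQL-style sleep(N); extend for other DBMS delay functions as needed.
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)


def split_top_level(select_list):
    """Split a SELECT list on commas that are not inside parentheses."""
    items, depth, cur = [], 0, []
    for ch in select_list:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth = max(0, depth - 1)
        if ch == ',' and depth == 0:
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        items.append(tail)
    return items


def classify_request(path):
    """Return (column_count, sleep_seconds) for a timed UNION probe, else None."""
    decoded = unquote_plus(path)
    m = UNION_RE.search(decoded)
    if not m:
        return None
    select_list = re.split(r'--|#', m.group(1), maxsplit=1)[0]  # drop trailing comment
    columns = split_top_level(select_list)
    delays = [float(d) for col in columns for d in SLEEP_RE.findall(col)]
    if not delays:
        return None
    return len(columns), max(delays)


def analyze(log_text, ratio=0.8):
    """Group timed UNION probes by column count and flag the counts whose
    response time exceeded the non-probe baseline by at least `ratio` of the
    requested sleep; that is the count the injection actually executed with."""
    baseline_times, probes = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, elapsed = m.group(3), float(m.group(5))
        probe = classify_request(path)
        if probe is None:
            baseline_times.append(elapsed)
        else:
            cols, delay = probe
            probes.setdefault(cols, []).append((elapsed, delay))
    baseline = statistics.median(baseline_times) if baseline_times else 0.0
    confirmed = sorted(
        cols for cols, obs in probes.items()
        if any(elapsed - baseline >= ratio * delay for elapsed, delay in obs)
    )
    return {"baseline": baseline,
            "probed_column_counts": sorted(probes),
            "confirmed": confirmed}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"baseline {report['baseline']:.3f}s, "
          f"probed column counts {report['probed_column_counts']}")
    for cols in report["confirmed"]:
        print(f"UNION probe with {cols} columns carried the sleep() delay: "
              f"column count confirmed by timing")
```

On the sample above this reports column count 5 (four NULLs plus the sleep() column) as confirmed, matching the payload shape in the thread. Two practical caveats: Brandon's payload travels in a POST body, which a standard access log does not record, so this needs body logging or a WAF/reverse-proxy log in front of the application; and a single slow request is weak evidence on its own, so the signal worth alerting on is the pattern of one client stepping through column counts with only one of them delayed.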
