> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hood3dro...@gmail.com> wrote: > > Sounds cool, but kind of an edge case. I'm just interested to understand more > if you don't mind... > > Is the sleep function being used within or as a vulnerable column value in > your example or is it merely appended to the union injection and before the > suffix/delimiter value (unsure because example has a comma before the > sleep(5) call)?
The sleep can be used in any of the columns, it only works when the columns have been balanced on both sides of the UNION. This way, sqlmap could have one extra injection point to support attempting to write a file with. > > Are you leveraging the sleep() location for a time based injection entry > point? If you frame the --url --data strings to include the union base and > mark the sleep() location with '*' and --technique=T does it work to identify > the time based injection (i.e. ./sqpmap.py --url http//somesite.com/ > <http://somesite.com/> --data 'bar=foo"+union+select+null,null,null,null*' > --technique=T --banner)? This was by hand. > > On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bperry.volat...@gmail.com > <mailto:bperry.volat...@gmail.com>> wrote: > I have had this idea for a while, and I finally came across an injection that > this was useful for me. > > Due to logic in the application, a generic UNION tacked on the end of the > query doesn't work. > > However, a payload of: > > blah=foo"+union+select+null,null,null,null,sleep(5)--%20 > > does result in a response coming back 5 seconds later than the baseline. > Removing or adding a column to the union results in the baseline request time. > > This was very useful for me, because I was able to use this 'blind union' in > order to write a file to the web root and achieve RCE, even though the union > in and of itself would not let me pull data out en mass (the other time based > payloads did work as well). > > This might be a useful check for sqlmap to implement. Currently, there are > heuristics that sqlmap has to determine whether an injection point is > union-able, but not exploitable with generic NULL/union char payloads. I > think this is determined by the HTTP response data though, not the temporal > aspect of the HTTP response. > > Thoughts? > > > -- > http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- > blog > http://www.volatileminds.net <http://www.volatileminds.net/> -- website > > ------------------------------------------------------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net <mailto:sqlmap-users@lists.sourceforge.net> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > <https://lists.sourceforge.net/lists/listinfo/sqlmap-users> > >
signature.asc
Description: Message signed with OpenPGP using GPGMail
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
