> On Sep 13, 2015, at 8:35 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>
>> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hood3dro...@gmail.com> wrote:
>>
>> Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind...
>>
>> Is the sleep function being used within or as a vulnerable column value in your example, or is it merely appended to the union injection and before the suffix/delimiter value (unsure because the example has a comma before the sleep(5) call)?
>
> The sleep can be used in any of the columns; it only works when the columns have been balanced on both sides of the UNION. This way, sqlmap could have one extra injection point to support attempting to write a file with.
>
>> Are you leveraging the sleep() location for a time-based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T, does it work to identify the time-based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?
>
> This was by hand.

Oh, I should have read the question more clearly. I didn't try this, but then sqlmap wouldn't realize it is a union then.

>> On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>> I have had this idea for a while, and I finally came across an injection that this was useful for me.
>>
>> Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.
>>
>> However, a payload of:
>>
>> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>>
>> does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.
>>
>> This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time-based payloads did work as well).
>>
>> This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.
>>
>> Thoughts?
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
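A defender-side check for the column-count probing described in the thread, as an added example that is not part of the thread or of sqlmap: it parses constructed access-log lines, URL-decodes each query string, and flags clients that send timed UNION SELECT payloads whose column count varies from request to request. Log format, IPs and paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the thread): one client
# walks the column count of a UNION while appending sleep(5), another is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2015:20:30:01 +0000] "GET /item?blah=foo%22+union+select+null,null,null,sleep(5)--%20 HTTP/1.1" 200 512
203.0.113.7 - - [13/Sep/2015:20:30:02 +0000] "GET /item?blah=foo%22+union+select+null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 512
203.0.113.7 - - [13/Sep/2015:20:30:08 +0000] "GET /item?blah=foo%22+union+select+null,null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 512
198.51.100.2 - - [13/Sep/2015:20:31:00 +0000] "GET /item?blah=foo HTTP/1.1" 200 512
"""

# Common Log Format: client IP and the request path are all we need here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
# UNION SELECT <columns> up to a comment marker or end of string.
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+(?P<cols>.+?)(?:--|#|$)', re.I | re.S)
# Time-delay primitives across common engines.
SLEEP_RE = re.compile(r'\b(?:sleep|pg_sleep|waitfor\s+delay)\b', re.I)

def split_top_level(s):
    """Split a column list on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts

def union_columns(raw_path):
    """Return (column_count, has_sleep) if the decoded path carries a UNION SELECT, else None."""
    m = UNION_RE.search(unquote_plus(raw_path))
    if not m:
        return None
    cols = m.group('cols')
    return len(split_top_level(cols)), bool(SLEEP_RE.search(cols))

def find_blind_union_probes(log_text):
    """Map client IP -> sorted column counts for clients sending timed UNIONs with more than one count."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = union_columns(m.group('path'))
        if info and info[1]:
            seen[m.group('ip')].add(info[0])
    return {ip: sorted(c) for ip, c in seen.items() if len(c) > 1}
```

A single timed UNION is already worth an alert; the grouping step separates the column-balancing walk from a one-off scanner hit.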