Annoyingly my test window is closed and I'll probably not get to talk to
the client will Monday but will try this out on a test box just to watch
the traffic and see if it is doing what I think should work.
Ta
Robin
On Fri, 24 Feb 2017, 23:23 Chris Oakley, <christopher.oak...@gmail.com>
wrote:
> I *think* (going from memory here) that it's higher than that by default.
> There's also the --union-cols=30-40, so you should be good
>
> On 24 February 2017 at 18:17, Robin Wood <robin@digi.ninja> wrote:
>
> I hadn't tried the custom injection point, I'll give that a try. Do you
> know the maximum number of fields the union will do, was thinking about it
> after shutting machine down and think it's 30 so will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <christopher.oak...@gmail.com>
> wrote:
>
> I assume you've tried * for custom injection point and --technique=U?
>
> Whether or not it'll dance with HQL is another question entirely.
>
> On 24 February 2017 at 16:44, Robin Wood <robin@digi.ninja> wrote:
>
> I've just found an instance of Hibernate Query Language injection that
> lets me get at an underlying MySQL database if I inject in the right way,
> some examples I've got are:
>
> loginName=a - works and gives 200
> loginName=' - fails with HQL error and 500
> loginName=a' or 'a'='a - works and gives 200
> loginName=a\'' - gets through HQL and then generates a MySQL error in a
> where clause. The injection gets converted to where NAME='a\'''
>
> With some playing I've found that this is a valid injection and they are
> running as root as I get a 500 back when I supply root, a 200 when give
> something else.
>
> loginName=a' and 'a\''="a" union select
> @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01"
> from users where user()="root@localhost" -- '='1
>
> The 500 is because some of the stuff from the union isn't being handled
> correctly by the page, the 200 is because the union doesn't return any data
> so the first bit (basically a=a) is returning valid data so getting through
> the rest of the parsing.
>
> So I think what I need to do is to tell SQLMap that it is a union
> injection with 31 fields and that the injection needs to go into here:
>
> loginName=a' and 'a\''="a" <INJECT> -- '='1
>
> Can I do this?
>
> I've got all this set up and running in Burp so I can test things out if
> anyone needs me to.
>
> Robin
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
