p.s. you have a very specific case. I had a couple of similar ones and had to
make my own script(s). Basically, data is provided to two separate DBMSes,
while you are targeting the second one. To get to it you have to make a
payload that won't make problems with the first one. In your case I would
try to provide only valid options to sqlmap (e.g. --data
"...?logname=admin" --technique=U --union-cols=31 --dbms=mysql) and cross
your fingers. If that fails you'll have to make a case-specific script. For
MySQL enumeration queries you can always take a look into xml/payloads.xml

On Sat, Feb 25, 2017 at 8:17 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:

> "Do you know the maximum number of fields the union will do" - by default
> 1-10. If there are more techniques usable (e.g. boolean), it will extend
> it. Also, if ORDER BY is usable it will try to find the number of columns
> without limitations. If you want to manually extend, use --union-cols (e.g.
> 1-100)
>
> Bye
>
> On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood <robin@digi.ninja> wrote:
>
>> Annoyingly my test window is closed and I'll probably not get to talk to
>> the client till Monday but will try this out on a test box just to watch
>> the traffic and see if it is doing what I think should work.
>>
>> Ta
>>
>> Robin
>>
>> On Fri, 24 Feb 2017, 23:23 Chris Oakley, <christopher.oak...@gmail.com>
>> wrote:
>>
>>> I *think* (going from memory here) that it's higher than that by
>>> default.  There's also the --union-cols=30-40, so you should be good
>>>
>>> On 24 February 2017 at 18:17, Robin Wood <robin@digi.ninja> wrote:
>>>
>>> I hadn't tried the custom injection point, I'll give that a try. Do you
>>> know the maximum number of fields the union will do? I was thinking about it
>>> after shutting the machine down and think it's 30, so will need to increase that.
>>>
>>> Robin
>>>
>>> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <christopher.oak...@gmail.com>
>>> wrote:
>>>
>>> I assume you've tried * for custom injection point and --technique=U?
>>>
>>> Whether or not it'll dance with HQL is another question entirely.
>>>
>>> On 24 February 2017 at 16:44, Robin Wood <robin@digi.ninja> wrote:
>>>
>>> I've just found an instance of Hibernate Query Language injection that
>>> lets me get at an underlying MySQL database if I inject in the right way,
>>> some examples I've got are:
>>>
>>> loginName=a - works and gives 200
>>> loginName=' - fails with HQL error and 500
>>> loginName=a' or 'a'='a - works and gives 200
>>> loginName=a\'' - gets through HQL and then generates a MySQL error in a
>>> where clause. The injection gets converted to where NAME='a\'''
>>>
>>> With some playing I've found that this is a valid injection and they are
>>> running as root as I get a 500 back when I supply root, a 200 when I give
>>> something else.
>>>
>>> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>>>
>>> The 500 is because some of the stuff from the union isn't being handled
>>> correctly by the page, the 200 is because the union doesn't return any data
>>> so the first bit (basically a=a) is returning valid data so getting through
>>> the rest of the parsing.
>>>
>>> So I think what I need to do is to tell SQLMap that it is a union
>>> injection with 31 fields and that the injection needs to go into here:
>>>
>>> loginName=a' and 'a\''="a" <INJECT> -- '='1
>>>
>>> Can I do this?
>>>
>>> I've got all this set up and running in Burp so I can test things out if
>>> anyone needs me to.
>>>
>>> Robin
>>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>



-- 
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
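The application-side root cause of the HQL-to-MySQL pass-through Robin describes, as an added illustration (not code from the thread or from the client's application): the login name is concatenated into HQL text, so a value that is a well-formed HQL literal is handed to MySQL and re-parsed there. The `User` entity, its `loginName` field and the method names are assumed; the API is Hibernate 5.2+.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;

public class UserLookup {

    // Vulnerable: the raw request parameter is spliced into the HQL string.
    // HQL only recognises '' as an escaped quote, so a value like a\'' is a
    // legal HQL literal (a, backslash, escaped quote), but the generated SQL
    // reaches MySQL as NAME='a\''' where the backslash escapes the quote and
    // the statement breaks: the HQL-200 / MySQL-500 split seen in the thread.
    public static User findByNameUnsafe(Session session, String loginName) {
        String hql = "from User u where u.loginName = '" + loginName + "'";
        return session.createQuery(hql, User.class).uniqueResult();
    }

    // Fixed: bind the value as a named parameter. Hibernate passes it to the
    // JDBC driver as a bound value, so neither HQL nor MySQL ever parses it
    // as query text; quotes, backslashes and UNION keywords stay plain data.
    public static User findByName(Session session, String loginName) {
        Query<User> q = session.createQuery(
                "from User u where u.loginName = :name", User.class);
        q.setParameter("name", loginName);
        return q.uniqueResult();
    }
}
```

Parameter binding is the fix for every value position; if the application also builds identifiers or ORDER BY clauses from input, those need an allow-list, since they cannot be bound.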
