Thanks, I'll give it a go, specifying the number of columns when I'm next
allowed to test. It might also cause problems that a couple of the columns
have to be dates, so I might have to resort to scripting it by hand.

Robin

On Sat, 25 Feb 2017, 07:34 Miroslav Stampar, <miroslav.stam...@gmail.com>
wrote:

> p.s. you have a very specific case. I had a couple of similar ones and had to
> make my own script(s). Basically, data is provided to two separate DBMSes,
> while you are targeting the second one. To get to it you have to make a
> payload that won't make problems with the first one. In your case I would
> try to provide only valid options to sqlmap (e.g. --data
> "...?logname=admin" --technique=U --union-cols=31 --dbms=mysql) and cross
> my fingers. If that fails you'll have to make a case-specific script. For
> MySQL enumeration queries you can always take a look into xml/payloads.xml.
>
> On Sat, Feb 25, 2017 at 8:17 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
> "Do you know the maximum number of fields the union will do" - by default
> 1-10. If there are more techniques usable (e.g. boolean), it will extend
> it. Also, if ORDER BY is usable it will try to find the number of columns
> without limitations. If you want to manually extend, use --union-cols (e.g.
> 1-100)
>
> Bye
>
> On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood <robin@digi.ninja> wrote:
>
> Annoyingly my test window is closed and I'll probably not get to talk to
> the client until Monday, but I will try this out on a test box just to watch
> the traffic and see if it is doing what I think should work.
>
> Ta
>
> Robin
>
> On Fri, 24 Feb 2017, 23:23 Chris Oakley, <christopher.oak...@gmail.com>
> wrote:
>
> I *think* (going from memory here) that it's higher than that by default.
> There's also the --union-cols=30-40, so you should be good.
>
> On 24 February 2017 at 18:17, Robin Wood <robin@digi.ninja> wrote:
>
> I hadn't tried the custom injection point, I'll give that a try. Do you
> know the maximum number of fields the union will do? I was thinking about it
> after shutting the machine down and think it's 30, so I will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <christopher.oak...@gmail.com>
> wrote:
>
> I assume you've tried * for custom injection point and --technique=U?
>
> Whether or not it'll dance with HQL is another question entirely.
>
> On 24 February 2017 at 16:44, Robin Wood <robin@digi.ninja> wrote:
>
> I've just found an instance of Hibernate Query Language injection that
> lets me get at an underlying MySQL database if I inject in the right way,
> some examples I've got are:
>
> loginName=a - works and gives 200
> loginName=' - fails with HQL error and 500
> loginName=a' or 'a'='a - works and gives 200
> loginName=a\'' - gets through HQL and then generates a MySQL error in a
> where clause. The injection gets converted to where NAME='a\'''
>
> With some playing I've found that this is a valid injection and they are
> running as root, as I get a 500 back when I supply root and a 200 when I give
> something else.
>
> loginName=a' and 'a\''="a" union select
> @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01"
> from users where user()="root@localhost" -- '='1
>
> The 500 is because some of the stuff from the union isn't being handled
> correctly by the page, the 200 is because the union doesn't return any data
> so the first bit (basically a=a) is returning valid data so getting through
> the rest of the parsing.
>
> So I think what I need to do is to tell SQLMap that it is a union
> injection with 31 fields and that the injection needs to go into here:
>
> loginName=a' and 'a\''="a" <INJECT> -- '='1
>
> Can I do this?
>
> I've got all this set up and running in Burp so I can test things out if
> anyone needs me to.
>
> Robin
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
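Added example, not from the thread: a small Python access-log scanner that flags the request shapes Robin described, the backslash-plus-doubled-quote break-out that passes the HQL parser but terminates the MySQL string early, and a trailing UNION SELECT probe. The log lines, the /login path and the IPs are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the thread). The /login path and
# IPs are made up; the loginName values mirror the request shapes Robin described.
SAMPLE_LOG = """
10.0.0.5 - - [24/Feb/2017:16:40:01 +0000] "GET /login?loginName=a HTTP/1.1" 200 512
10.0.0.5 - - [24/Feb/2017:16:40:02 +0000] "GET /login?loginName=%27 HTTP/1.1" 500 88
10.0.0.5 - - [24/Feb/2017:16:40:03 +0000] "GET /login?loginName=a%5C%27%27 HTTP/1.1" 500 91
10.0.0.5 - - [24/Feb/2017:16:40:04 +0000] "GET /login?loginName=a%27+and+%27a%5C%27%27%3D%22a%22+union+select+%40%40version%2C2%2C3+from+users+--+%27%3D%271 HTTP/1.1" 500 91
10.0.0.9 - - [24/Feb/2017:16:41:00 +0000] "GET /login?loginName=o%27brien HTTP/1.1" 200 512
"""

# Common-log-format fields we need: client IP, request target, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

RULES = {
    # A backslash directly before a doubled single quote: HQL reads '' as an
    # escaped quote, MySQL reads \' as the escaped quote and the next ' as an
    # early string terminator. A plain apostrophe (o'brien) does not match.
    "hql_mysql_quote_differential": re.compile(r"\\''"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "mysql_probe": re.compile(r"@@version|\buser\(\)", re.I),
}


def scan_line(line):
    """Return one finding per query parameter that trips at least one rule."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes and turns '+' back into spaces for us.
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        fired = [rule for rule, rx in RULES.items() if rx.search(value)]
        if fired:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "param": name, "rules": fired, "value": value})
    return findings


def scan_log(text):
    """Scan every non-empty line; findings keep log order."""
    return [f for line in text.strip().splitlines() if line for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["param"], ",".join(f["rules"]), repr(f["value"]))
```

Pairing the quote-differential rule with a 500 status, as in the third sample line, separates a parser-mismatch probe from an ordinary apostrophe in a name.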