Thanks, I'll give it a go specifying the number of columns when I'm next
allowed to test. It might also cause problems that a couple of the columns
have to be dates so might have to resort to scripting it by hand.
Robin
On Sat, 25 Feb 2017, 07:34 Miroslav Stampar wrote:
p.s. you have a very specific case. I had a couple of similar and had to
make my own script(s). Basically, data is provided to two separate DBMSes,
while you are targeting the second one. To get to it you have to make a
payload that won't make problems with the first one. In your case I would
try t
"Do you know the maximum number of fields the union will do" - by default
1-10. If there are more techniques usable (e.g. boolean), it will extend
it. Also, if ORDER BY is usable it will try to find the number of columns
without limitations. If you want to manually extend, use --union-cols (e.g.
1-
Annoyingly my test window is closed and I'll probably not get to talk to
the client till Monday but will try this out on a test box just to watch
the traffic and see if it is doing what I think should work.
Ta
Robin
On Fri, 24 Feb 2017, 23:23 Chris Oakley wrote:
I *think* (going from memory here) that it's higher than that by default.
There's also the --union-cols=30-40, so you should be good
On 24 February 2017 at 18:17, Robin Wood wrote:
I hadn't tried the custom injection point, I'll give that a try. Do you
know the maximum number of fields the union will do, was thinking about it
after shutting machine down and think it's 30 so will need to increase that.
Robin
On Fri, 24 Feb 2017, 23:14 Chris Oakley wrote:
I assume you've tried * for custom injection point and --technique=U?
Whether or not it'll dance with HQL is another question entirely.
On 24 February 2017 at 16:44, Robin Wood wrote:
I've just found an instance of Hibernate Query Language injection that lets
me get at an underlying MySQL database if I inject in the right way, some
examples I've got are:
loginName=a - works and gives 200
loginName=' - fails with HQL error and 500
loginName=a' or 'a'='a - works and gives 200
log