nd
> it. Also, if ORDER BY is usable it will try to find the number of columns
> without limitations. If you want to manually extend, use --union-cols (e.g.
> 1-100)
>
> Bye
>
> On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood wrote:
>
> Annoyingly my test window is closed an
ing from memory here) that it's higher than that by default.
> There's also the --union-cols=30-40, so you should be good
>
> On 24 February 2017 at 18:17, Robin Wood wrote:
>
> I hadn't tried the custom injection point, I'll give that a try. Do you
> know the m
te:
> I assume you've tried * for custom injection point and --technique=U?
>
> Whether or not it'll dance with HQL is another question entirely.
>
> On 24 February 2017 at 16:44, Robin Wood wrote:
>
> I've just found an instance of Hibernate Query Language injection
I've just found an instance of Hibernate Query Language injection that lets
me get at an underlying MySQL database if I inject in the right way, some
examples I've got are:
loginName=a - works and gives 200
loginName=' - fails with HQL error and 500
loginName=a' or 'a'='a - works and gives 200
log
Have you tried to manually extract some data? If not then give it a
try, from doing it you'll be able to work out if you need any
tampering or if there are any other special requirements.
Robin
On 9 October 2015 at 11:49, Vojtěch Polášek wrote:
> Hi,
> You can download Webgoat here:
> https://we
Wouldn't it be a bad idea trying to do a time based attack over Tor?
Robin
On 8 December 2014 at 11:00, Miroslav Stampar wrote:
> Hi.
>
> 1) Shouldn't "waitfor delay '0:0:0'" make no delay?
> 2) sqlmap says "false positive or unexploitable injection point detected".
> Is there a possibility that
> adapt either sqlmap or drop older entities (e.g. via --cleanup).
>
> Why wouldn't you revoke privileges for creating tables and/or procedures
> for defensive purposes rather than leaving sqlmap... lying around inside the database?
>
> Bye
>
> On Fri, Dec 5, 2014 at 10:19 PM, R
Bye
>
> On Fri, Dec 5, 2014 at 10:08 PM, Robin Wood wrote:
>>
>> Sorry, somehow sent early, was trying to ask, is the name still
>> dynamic or is it now just a fixed name?
>>
>> Robin
>>
>> On 5 December 2014 at 21:07, Robin Wood wrote:
>> >
Sorry, somehow sent early, was trying to ask, is the name still
dynamic or is it now just a fixed name?
Robin
On 5 December 2014 at 21:07, Robin Wood wrote:
> OK, I've got a lab I can test it in later tonight.
>
> When you say not random, is it still dynamic va
>
> On 5 De
>>
>> Bye
>>
>> On Thu, Dec 4, 2014 at 4:11 PM, Robin Wood wrote:
>>>
>>> Looking at the commands sent I can see three drop tables for
>>> sqlmapfile, sqlmapfilehex and sqlmapoutput but nothing for stored
>>> procedures.
>>>
>
Just spotted --cleanup but that didn't remove the procedure, sqlmap
command seemed to run OK though but didn't say anything about what it
was removing, should it have done?
Robin
On 4 December 2014 at 15:01, Robin Wood wrote:
> I'm testing sqlmap against an MSSQL DB and loo
I'm testing sqlmap against an MSSQL DB and looking at running OS
commands. In an attempt to re-enable xp_cmdshell a stored proc called
xp_gedp has been created and left behind, is there any way to
automatically clean up this and any other things that are created?
Robin
This is from page 57 of the readme.pdf
On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality
explained above) a shared library (binary file) containing two user-defined
functions, sys_exec() and sys_eval(), then it creates these two functions on
the database and calls one of t
Looking at the commands sent I can see three drop tables for
sqlmapfile, sqlmapfilehex and sqlmapoutput but nothing for stored
procedures.
On 4 December 2014 at 15:08, Robin Wood wrote:
> Just spotted --cleanup but that didn't remove the procedure, sqlmap
> command seemed to run OK
nking properly.
Robin
> On Wed, Oct 1, 2014 at 11:17 AM, Robin Wood wrote:
>
>> It was pointed out that I should be URL encoding the *s which removes
>> that as a problem but it still isn't quite working properly, probably
>> because of the spaces. Got limited time on
I've got the following vulnerable querystring value:
string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22
Where with 1=1 I get data back, 1=0 is false so no data.
I can't use spaces, which is why I've had to go for /**/.
How do I tell sqlmap where the injection point is and to use /**/ instead
of
2014 09:54, Robin Wood wrote:
> I've got the following vulnerable querystring value:
>
> string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22
>
> Where with 1=1 I get data back, 1=0 is false so no data.
>
> I can't use spaces, which is why I've had to go for
I'd assume on LAMP that the file is written using INTO OUTFILE so what you
could try is SSH to the box, use the MySQL client to connect as the user
the web app uses and try to create the file manually just to see if it can
be created.
Robin
On 18 Aug 2014 00:54, "Omara" wrote:
> I also get "it l
king. I guess something got cached based
on an old version of the shell.
Robin
> Kind regards,
> Miroslav Stampar
>
> On Fri, Sep 14, 2012 at 2:12 PM, Robin Wood wrote:
>>
>> Looks like you've updated the shell sent over with os-shell but not
>> updated the s
Looks like you've updated the shell sent over with os-shell but not
updated the size that the script checks to see if it exists.
Robin
[13:08:22] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]: /var/www/html/upload/
[13:08:29] [WA
> Bernardo
>
>
> On 26 June 2012 09:36, Robin Wood wrote:
>> On 26 June 2012 08:10, Miroslav Stampar wrote:
>>> Hi Robin.
>>>
>>> You are an xyz-th user with this same request ;)
>>
>> Thought I might be.
>>
>>> Problem is that
st the dirty way).
It would be good but not worth compromising good clean code to get it in.
Robin
> Kind regards,
> Miroslav Stampar
>
> On Jun 25, 2012 7:32 PM, "Robin Wood" wrote:
>>
>> I was retrieving table names at the time but I guess it would help in
>
I was retrieving table names at the time but I guess it would help in other
situations as well.
Robin
On Jun 25, 2012 6:07 PM, "Miroslav Stampar" wrote:
> You forgot to mention which technique?
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 25, 2012 a
I've just been testing a site which has to have the --no-cast option
to retrieve data, it works great but it is very slow. Because of this
I'd quite often guessed the data it was pulling down way before the
command had finished, especially with table names.
It would be really good if you could in
On 11 January 2012 11:32, Bernardo Damele A. G. wrote:
> Hi Chris,
>
> You can tune txt/common-outputs.txt to your needs in order to make
> --predict-output more efficient for your test.
>
> Bernardo
>
> On 11 January 2012 11:29, Chris Oakley wrote:
>> I think Ctrl+C is going to be the only way t
On 14 December 2011 15:51, Chris Oakley wrote:
> Hi All
>
> I'm having problems with an injection that I think is real.
>
> It's a standard POST request with one of the parameters of the data sent
> being vulnerable. This all happens in an unauthenticated area of the
> application, so there's no
ike parameters in
> default cases. So, either you can use explicit -p "ASP.NET_SessionId"
> or you can use --level=4. In your case I would suggest usage of -p.
>
> kr
Thanks, I'll give that a try.
Robin
> On Tue, Aug 2, 2011 at 2:41 PM, Robin Wood wrote:
>> Hi
>
Hi
I've got an application that is vulnerable to SQLi in one of two
cookie parameters. The one that is injectable is the ASP.NET_SessionId
which has to start with a valid session id but then if given an extra
' on the end it fails and dumps out a nice SQL error.
So what I need to do is to tell sql