sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Sqlmap default union exploitation routine on detecting page-output #473

Closed blackhatdynamics closed 11 years ago

blackhatdynamics commented 11 years ago

Conditions overview:

  • sqlmap/1.0-dev-fca6772
  • simple union sql injection
  • no tampers applied
  • no optimization switches applied

Expected result:

  • smooth exploitation procedure with security in mind

Actual result:

  • by default sqlmap is trying to figure out where the page output is by using the concat() function
  • concatenation functions are often detected by such things as WAFs and solutions with similar goals
  • number of queries per technique in the detection phase is the same as the number of columns, which results in more queries than necessary

Conclusion:

  • nothing stops us from using a '0xhexedstring' symbolic hex representation per column, unique enough to detect output on a specific column during page parsing
  • it may result in fewer queries if all selected columns consist of unique ids, where possible according to the whole payload string length

stamparm commented 11 years ago

LOL. Please be more detailed in your conclusions or I'll be more than happy to close your issue requests as invalid. One more time it's not clear what you are implying other than you have a better idea than us

Conclusion: be more specific or Issue is going to be closed as Invalid/Wontfix

stamparm commented 11 years ago

Conclusion without premises and valid logical reasoning is a wrong conclusion. Please restrain yourself from concluding if you can't make valid conclusions.

On 24.6.2013 02:34, "blackhatdynamics" notifications@github.com wrote:

Conditions overview:

  • sqlmap/1.0-dev-fca6772
  • simple union sql injection
  • no tampers applied
  • no optimization switches applied

Expected result:

  • smooth exploitation procedure with security in mind

Actual result:

  • by default sqlmap is trying to figure out where the page output is by using the concat() function
  • concatenation functions are often detected by such things as WAFs and solutions with similar goals
  • number of queries per technique in the detection phase is the same as the number of columns, which results in more queries than necessary

Conclusion:

  • nothing stops us from using a '0xhexedstring' symbolic hex representation per column, unique enough to detect output on a specific column during page parsing
  • it may result in fewer queries if all selected columns consist of unique ids, where possible according to the whole payload string length

— Reply to this email directly or view it on GitHub: https://github.com/sqlmapproject/sqlmap/issues/473

stamparm commented 11 years ago

"Expected result: smooth exploitation procedure with security in mind" trolololol....

Have you ever tried to exploit a non-MySQL DBMS without using sqlmap? Do you know that other DBMSes are not so autocast friendly (UNION select of a string value into an integer column)?

blackhatdynamics commented 11 years ago

Yeah, I was talking about MySQL, my fault, didn't mention it. And yes, you are absolutely right about the others. But still, I'll try to expand it:

Q: If we got a MySQL union injection with 100 columns, how many requests will it take to determine the output, which pops up in the 100th column in the web page context?
A: 100 (and more, 100 is an approximate minimum, usually it's 100 * the number of --level chosen combinatorics of parameter mutations like randomizing its numerical value, default suffix and prefix checks, invalid logical operations such as "-numericalparam" and numerical/string inequality and such and so on)

Q: How exactly does sqlmap inject the string it's looking for at the parsing step?
A: As a concatenation function, concat()

If you see that there is nothing wrong about it, leave it closed. Thank you for your attention.
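The exchange above contrasts two ways a tool can mark which UNION column is reflected in the page: a marker wrapped in CONCAT(), or a bare 0x hex literal placed in every column. Either style leaves a recognisable trace in request logs; the following added example (not sqlmap's code) classifies constructed query strings by marker style so a defender can see what each approach looks like on the wire.

```python
"""Flag UNION-based column-probing payloads in web-server query strings.
Added example, not sqlmap's code: keys on the CONCAT() marker and the
per-column 0x hex-literal marker discussed in the thread."""
import re
from urllib.parse import unquote_plus

UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
CONCAT_RE = re.compile(r"\bconcat(?:_ws)?\s*\(", re.I)
HEX_RE = re.compile(r"\b0x[0-9a-f]{4,}\b", re.I)

def normalise(raw: str) -> str:
    """URL-decode twice (double encoding is common) and replace inline
    comments (/**/) used as whitespace with single spaces."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip()

def classify(query_string: str) -> dict:
    """Return whether a UNION SELECT is present, which marker style it
    uses ('concat', 'hex' or 'plain'), and how many 0x literals it carries
    (a proxy for how many columns one request probes at once)."""
    s = normalise(query_string)
    if not UNION_RE.search(s):
        return {"union": False, "style": None, "hex_markers": 0}
    hexes = HEX_RE.findall(s)
    if CONCAT_RE.search(s):
        style = "concat"
    elif hexes:
        style = "hex"
    else:
        style = "plain"
    return {"union": True, "style": style, "hex_markers": len(hexes)}

# Constructed sample query strings (not taken from any real server log).
SAMPLE_REQUESTS = [
    "id=1",
    "id=1%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7171%2C0x6162%2C0x7171%29%2CNULL--%20-",
    "id=1 UNION ALL SELECT 0x6d6b303030,0x6d6b303031,0x6d6b303032,0x6d6b303033-- -",
    "id=1 UNION SELECT NULL,NULL,NULL-- -",
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Classify every request; returns a list of (request, verdict) pairs."""
    return [(r, classify(r)) for r in requests]

if __name__ == "__main__":
    for req, v in scan():
        print(f"{v['style'] or '-':7} hex={v['hex_markers']}  {req[:70]}")
```

The hex-marker count is the useful signal for the point raised in the thread: a single request carrying many distinct 0x literals is probing many columns at once, whereas the CONCAT() style shows up as one marker per request.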

stamparm commented 11 years ago

I don't see anything wrong with our approach. Please use -t traffic.txt to find out what sqlmap does in those kinds of cases.

blackhatdynamics commented 11 years ago

-v 4 is enough to see it's too ugly

stamparm commented 11 years ago

If you were just a little more normal and a little less arrogant from the beginning we would discuss your complaints. Now, you can just continue with your joyful ride in the adventures of the dynamic blackhat world. I bet you are 16 years old.

blackhatdynamics commented 11 years ago

Normal? I was trying hard with my poor English to write this fucking report in an understandable manner, look at your first comment and try to notice the fact that you can't see your own faults behind my mistakes. Good luck, bunny-boy, sqlmap is for children and lubed dick heads which claim to be such flawless coders that they don't even see they screwed up, not talking about being sceptical about themselves in the first place. Oh, you want me to be a 16 yrs old boy? ;) Got black condoms? Show me some more faggotry dynamics, I was a bad boy, teach me to be normal, let's dive into the adventures of the gay maintainer's trololo passion!

stamparm commented 11 years ago

Lol. Good luck have fun :)