In the function PROCEDURE ANALYSE() I found this crash while passing a subquery.
Things to keep in mind: if you landed on this page searching for XPath-based injection specifically, then let me tell you it's the wrong place. Here we are not actually injecting into XPath; we are just using one of the XPath functions, ExtractValue(), to generate an error and read the output from the error message.
So I've been looking into this one URL (I can email it if needed) and I know that a PROCEDURE ANALYSE (EXTRACTVALUE)-based injection at least gets me results when done manually, but I was wondering why sqlmap never does it on URLs.
SQL Truncation Attack. If the database is vulnerable and the maximum number of characters for the username column is, for example, 30, and you want to impersonate the user admin, try to create a username of the form "admin [padded with spaces to 30 characters] a" with any password; the trailing characters are truncated and the stored username collides with "admin".
AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));-- Available in MySQL 5.1.5 (the 0x5c backslash makes the XPath expression invalid, so the selected value is echoed in the error message).
Can someone help me understand whether I converted this to PHP correctly?
We replicated the vulnerability locally; we will use the XPath function ExtractValue() mentioned in the PoC to generate the errors needed to extract the information. Before diving into generating the errors, let's take a step back and understand how the function works, then use it to our advantage.
IT professionals must learn how to analyze tampered data, including learning about useful facts and shortcuts. That’s why we created this SQL injection cheat sheet for your reference. In it, you’ll find common SQL injection commands, an SQL injection code list, and much more.
So this is probably the most exciting part, although the SQL injections alone only have a CVSS score of 6.8 because they are exploitable only with administrative permissions.