Sqlmap - Coldfusion Case When ?

[edre1]

I'm very new at using SqlMap and Sql in general, so I'm hoping you'll be able to offer some advice please.

I have a vulnerable site where I can get the database names and table names, but I am unable to retrieve any entries. An internal 500 error crops up saying there is "[Macromedia][sqlServer JDBC Driver][sqlServer]Incorrect syntax near '('. ".

I'm thinking that it's because the payload is using a CASE WHEN statement but reading about it ColdFusion doesn't allow them.

The payload is:

(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4281=4281) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(113)

Is there any way this can be turned into a statement that can be used with ColdFusion? - Such as using UNION SELECT or something? - I don't yet know enough to be able to change it myself.

Thank you in advance

[cooper]

I think some identation can clarify some of the problem:

(

SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(122)+CHAR(113)+(

SELECT (

CASE WHEN (4281=4281) THEN CHAR(49) ELSE CHAR(48) END

)

)+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(113)

As you can see, there's an unclosed ( in there.

Indeed, the CASE is something I've never EVER before seen in SQL like this. In PSQL, sure, but as part of your SQL statement?

Without the subselects and other stuff you do to try and obfuscate what's going on, here's what that reads:

( 'qxpzq1qjzqq'

I have no idea what the value of this might be in the context of your attack, but hopefully you do.

[edre1]

Thank you very much for your help! I will have a play around to see if closing the ( works the issues out.

Dan