[sqlmap-users] A bug and a sugestion
Brought to you by:
inquisb
Menu
▾
▴
[sqlmap-users] A bug and a sugestion
|
From: Stuffe <stu...@gm...> - 2009-07-29 16:22:37
|
I just fired up the version of sqlmap, but it couldnt find the web root,
although it should be simple to do.
A simple regex could identify all php errors, they all start like <b>Parse
error</b>:, <b>Notice</n>:, <b>Warning</b>:, <b>Fatal error</b>: etc,
After that comes some random crap and then comes the url you are looking
for, inside a <b> tag, eg. <b>C:\wamp\www\index.php</b>.
Here are some examples:
<b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line
<b>12</b>
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL
result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
<b>Parse error</b>: parse error, expecting `'('' in <b>C:\wamp\www\index.php
</b> on line <b>28</b>
As you can see, they are not hard to extract with a regex. And they can
often be generated, if you insert something that brakes the sql query or by
typecasting the a get var as an array
(like index.php?a[]=now_a_becomes_an_array) or other tricks.
Any way, when the error message is found, it should be checked wheather or
not the last part of the url is equal to the last part of the internal
path,
if they are equal, you know the webroot.
eg. http://example.com/whatever/index.php gives the error:
<b>Notice</b>: Undefined index: b in
<b>C:\wamp\www\whatever\index.php</b>on line
<b>12</b>
you replace \ with / and compare:
http://example.com/whatever/index.php
with
C:/wamp/www/whatever/index.php
and see find that C:/wamp/www/ must be the webroot.
Now i dont know if or how sqlmap is trying to retrieve the webroot, but it
wasnt able to find these things in my tests (even though they were all over
the place).
Any way, It also crashed on me when I tried to upload a webshell:
C:\Documents and Settings\Administrator>"C:\Documents and
Settings\Administrator
\Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell
sqlmap/0.7
by Bernardo Damele A. G. <ber...@gm...>
[*] starting at: 17:37:18
[17:37:18] [INFO] testing connection to the target url
[17:37:18] [INFO] testing if the url is stable, wait a few seconds
[17:37:19] [INFO] url is stable
[17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:37:20] [INFO] testing if GET parameter 'a' is dynamic
[17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
[17:37:20] [INFO] GET parameter 'a' is dynamic
[17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0
parenthesis
[17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] confirming unescaped numeric injection on GET parameter
'a'
[17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0
paren
thesis
[17:37:20] [INFO] testing for parenthesis on injectable parameter
[17:37:20] [INFO] the injectable parameter requires 0 parenthesis
[17:37:20] [INFO] testing MySQL
[17:37:20] [INFO] confirming MySQL
[17:37:20] [INFO] retrieved: 9
[17:37:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[17:37:20] [INFO] testing stacked queries support on parameter 'a'
[17:37:20] [INFO] detecting back-end DBMS version from its banner
[17:37:20] [INFO] retrieved: 5.1.33
[17:37:20] [WARNING] the web application does not support stacked queries on
par
ameter 'a'
[17:37:20] [INFO] going to upload a web page backdoor for command execution
[17:37:20] [INFO] fingerprinting the back-end DBMS operating system
[17:37:20] [INFO] retrieved: c
[17:37:20] [INFO] the back-end DBMS operating system is Windows
[17:37:20] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/Inetpub/wwwroot/]:
C:/wamp/www/
[17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
please provide any additional web server full path to try to upload the
agent [C
:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
[17:37:51] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP
[2] PHP (default)
[3] JSP
> 2
[17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the
command li
ne and the following text and send by e-mail to
sql...@li...urceforge.n
et. The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
File "sqlmap.py", line 84, in main
File "lib\controller\controller.pyc", line 263, in start
File "lib\controller\action.pyc", line 140, in action
File "plugins\generic\takeover.pyc", line 295, in osShell
File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
File "lib\request\connect.pyc", line 131, in getPage
File "urllib2.pyc", line 124, in urlopen
File "urllib2.pyc", line 383, in open
File "urllib2.pyc", line 401, in _open
File "urllib2.pyc", line 361, in _call_chain
File "urllib2.pyc", line 1130, in http_open
File "urllib2.pyc", line 1087, in do_open
File "httplib.pyc", line 656, in __init__
File "httplib.pyc", line 668, in _set_hostport
InvalidURL: nonnumeric port: '80\test'
[*] shutting down at: 17:37:53
|
