Re: [sqlmap-users] A bug and a suggestion
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-30 12:05:47
Hi Stuffe,
On Wed, Jul 29, 2009 at 17:22, Stuffe<stu...@gm...> wrote:
> I just fired up the version of sqlmap, but it couldn't find the web root,
> although it should be simple to do.
> A simple regex could identify all php errors, they all start like <b>Parse
> error</b>:, <b>Notice</b>:, <b>Warning</b>:, <b>Fatal error</b>: etc,
> After that comes some random crap and then comes the url you are looking
> for, inside a <b> tag, eg. <b>C:\wamp\www\index.php</b>.
> Here are some examples:
> <b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line
> <b>12</b>
> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL
> result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
> <b>Parse error</b>: parse error, expecting `'('' in
> <b>C:\wamp\www\index.php</b> on line <b>28</b>
> As you can see, they are not hard to extract with a regex. And they can
> often be generated, if you insert something that breaks the sql query or by
> typecasting a get var as an array
> (like index.php?a[]=now_a_becomes_an_array) or other tricks.
I will improve the HTML parsing function as soon as possible, thanks
for reporting.
> Anyway, when the error message is found, it should be checked whether or
> not the last part of the url is equal to the last part of the internal
> path,
> if they are equal, you know the webroot.
> ...
This is done already. If it does not work, then it's a bug. Let me know.
> Anyway, it also crashed on me when I tried to upload a webshell:
> C:\Documents and Settings\Administrator>"C:\Documents and Settings\Administrator\Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
> [*] starting at: 17:37:18
> [17:37:18] [INFO] testing connection to the target url
> [17:37:18] [INFO] testing if the url is stable, wait a few seconds
> [17:37:19] [INFO] url is stable
> [17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [17:37:20] [INFO] testing if GET parameter 'a' is dynamic
> [17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
> [17:37:20] [INFO] GET parameter 'a' is dynamic
> [17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0 parenthesis
> [17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
> [17:37:20] [INFO] confirming unescaped numeric injection on GET parameter 'a'
> [17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0 parenthesis
> [17:37:20] [INFO] testing for parenthesis on injectable parameter
> [17:37:20] [INFO] the injectable parameter requires 0 parenthesis
> [17:37:20] [INFO] testing MySQL
> [17:37:20] [INFO] confirming MySQL
> [17:37:20] [INFO] retrieved: 9
> [17:37:20] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: Apache 2.0.63, PHP 5.2.9
> back-end DBMS: MySQL >= 5.0.0
> [17:37:20] [INFO] testing stacked queries support on parameter 'a'
> [17:37:20] [INFO] detecting back-end DBMS version from its banner
> [17:37:20] [INFO] retrieved: 5.1.33
> [17:37:20] [WARNING] the web application does not support stacked queries on parameter 'a'
> [17:37:20] [INFO] going to upload a web page backdoor for command execution
> [17:37:20] [INFO] fingerprinting the back-end DBMS operating system
> [17:37:20] [INFO] retrieved: c
> [17:37:20] [INFO] the back-end DBMS operating system is Windows
> [17:37:20] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/Inetpub/wwwroot/]:
> C:/wamp/www/
> [17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
> please provide any additional web server full path to try to upload the agent [C:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
> [17:37:51] [INFO] trying to upload the uploader agent
> which web application language does the web server support?
> [1] ASP
> [2] PHP (default)
> [3] JSP
>> 2
> [17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li....net. The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
> File "sqlmap.py", line 84, in main
> File "lib\controller\controller.pyc", line 263, in start
> File "lib\controller\action.pyc", line 140, in action
> File "plugins\generic\takeover.pyc", line 295, in osShell
> File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
> File "lib\request\connect.pyc", line 131, in getPage
> File "urllib2.pyc", line 124, in urlopen
> File "urllib2.pyc", line 383, in open
> File "urllib2.pyc", line 401, in _open
> File "urllib2.pyc", line 361, in _call_chain
> File "urllib2.pyc", line 1130, in http_open
> File "urllib2.pyc", line 1087, in do_open
> File "httplib.pyc", line 656, in __init__
> File "httplib.pyc", line 668, in _set_hostport
> InvalidURL: nonnumeric port: '80\test'
> [*] shutting down at: 17:37:53
This bug is fixed and committed now. Please, let me know if the web
root works properly in your test environment or if you find any other
bug.
Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
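The web-root heuristic Stuffe describes above (a regex over PHP's HTML-formatted error messages to pull out the disclosed absolute script path, then aligning the tail of that path with the request URL), written out as an added Python example. This is not sqlmap's code and not code from either poster; the regex is an assumption about PHP's default html_errors output format, and the sample response is constructed from the three error lines quoted in the message. It goes a little beyond the "last part equals last part" check: it strips as many trailing components as the URL path has, so scripts in subdirectories resolve too, and it returns None when the URL has no script name at all (as with http://localhost/?a=1 in the transcript), which is exactly the case where the heuristic cannot decide and a prompt for the document root is the right fallback. The same match is what a defender would run over response bodies to flag full-path disclosure.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the three PHP error lines quoted in the message, as
# they would appear in a response body with display_errors enabled.
SAMPLE_RESPONSE = r"""
<br />
<b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line <b>12</b><br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b><br />
<b>Parse error</b>: parse error, expecting `'('' in
<b>C:\wamp\www\index.php</b> on line <b>28</b><br />
"""

# Assumed PHP html_errors format (not taken from sqlmap):
#   <b>Level</b>: message in <b>/abs/path/script.php</b> on line <b>N</b>
PHP_ERROR_RE = re.compile(
    r"<b>(?P<level>Parse error|Notice|Warning|Fatal error)</b>:\s*"
    r"(?P<message>.*?)\s+in\s+<b>(?P<path>[^<]+)</b>\s+on line\s+<b>(?P<line>\d+)</b>",
    re.IGNORECASE | re.DOTALL,
)


def find_path_disclosures(html):
    """Return (level, path, line) for every PHP error that leaks a filesystem path.

    This is the check to run over response bodies when looking for
    full-path disclosure; the web-root heuristic below reuses the same match.
    """
    return [
        (m.group("level"), m.group("path").strip(), int(m.group("line")))
        for m in PHP_ERROR_RE.finditer(html)
    ]


def extract_php_error_paths(html):
    """Distinct disclosed script paths, in order of first appearance."""
    paths = []
    for _level, path, _line in find_path_disclosures(html):
        if path not in paths:
            paths.append(path)
    return paths


def _segments(path):
    # Split on either separator so Windows and POSIX paths are handled alike.
    return [s for s in re.split(r"[\\/]+", path) if s]


def infer_document_root(url, disclosed_path):
    """Align the tail of the disclosed path with the request URL's path.

    Strips as many trailing components as the URL path has, so
    /app/index.php against /var/www/html/app/index.php yields /var/www/html.
    Returns None when the URL carries no script name (e.g. http://host/?a=1)
    or when the two tails do not match.
    """
    url_segs = _segments(urlparse(url).path)
    fs_segs = _segments(disclosed_path)
    if not url_segs or len(fs_segs) <= len(url_segs):
        return None
    # Windows paths are compared case-insensitively; POSIX paths are not.
    windows = "\\" in disclosed_path or bool(re.match(r"[A-Za-z]:", disclosed_path))
    norm = (lambda s: s.lower()) if windows else (lambda s: s)
    tail = fs_segs[-len(url_segs):]
    if [norm(s) for s in tail] != [norm(s) for s in url_segs]:
        return None
    root_segs = fs_segs[:-len(url_segs)]
    if windows:
        return "\\".join(root_segs)
    return "/" + "/".join(root_segs)


def find_web_root(url, html):
    """First document root derivable from the response, or None to fall back to asking."""
    for path in extract_php_error_paths(html):
        root = infer_document_root(url, path)
        if root is not None:
            return root
    return None


if __name__ == "__main__":
    for level, path, line in find_path_disclosures(SAMPLE_RESPONSE):
        print(f"{level}: path disclosed {path} (line {line})")
    print("document root:", find_web_root("http://localhost/index.php?a=1", SAMPLE_RESPONSE))
    print("no script name:", find_web_root("http://localhost/?a=1", SAMPLE_RESPONSE))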