Re: [sqlmap-users] hmm
From: <ja...@ev...> - 2010-05-20 11:41:02
Hi,

Sorry if this is a duplicate, I clicked "getting started" in Firefox by accident while sending this email.

Yeah, I know PHP/MSSQL should support stacked queries but it appears to be disabled. Judging from the rest of this pen test it just simply cannot be on purpose. I'm thinking maybe a false negative. However, diagnosing is a little tricky. The webserver just returns a blank page instead of an error (grrr). I will do some more checking if possible. There's also no UNION ability ;(

A general note to SQLMap users / developers: I've been using sqlmap pretty much since 0.6 or something and I've noted time and time again it misses simple vulns (on stable pages) for stuff like

http://microsoft.com/windowsucks.aspx?id=31337';waitfor delay '00:00:15'--

It's also quite terrible at detecting POST vulns. The POST vulns I've been testing are mostly shitty login.asp scripts. Bert told me I should be using SQLNinja so I tried it out and voilà, it exploits the vulns; however SQLNinja is more of a database takeover tool and I need data from the DBs as proof for the job.

Just wondering if anyone has noted this and possibly maybe we can send Bernardo some example sites (IN PRIVATE) where SQLNinja was able to succeed and SQLMap failed detection. Let's all submit some URLs -- IN PRIVATE -- where SQLmap wasn't able to detect a POST or GET vuln that sqlninja was able to detect? Please? Let's make sqlmap awesomer.

Also, it'd be nice if SQLMap supported uploading debug.exe .scr's and converting them to .exe's on the DB box.

AND...

[07:29:27] [INFO] retrieved: sqlmap got a 302 redirect to /index.php - What target address do you want to use from now on? http://www.fbi.gov:80/search/score.php (default) or provide another target address based also on the redirection got from the application

I think? SQLmap is supposed to log that to the session file and use it every time; however it does indeed ask me every time on the same page, same DB, same dump params. If it isn't set up that way...
It'd be nice or maybe a cmd arg that is something along the lines of --static-url

What do you guys think?

James

P.S. All URLs have been censored to protect the idiots who pay me.

On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G." <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>> ...
>> I'm currently attempting to attack an interesting setup.. A RedHat(Apache)
>> box with a PHP front end linked to a MS SQL db.
>
> It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl)
> with back-end MSSQL or MySQL recently.
>
>> Since it's Apache+Linux it
>> doesn't support stacked queries..
>
> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>
>> It's also slow as dog crap going up a hill
>> with the blind injection. Does anyone know of a way to use the OPENROWSET
>> type attack without stacked queries?
>
> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>
>> Or basically have any ideas how I can
>> get enough proof of data from this box relatively quick?
>
> If it is affected by an error-based SQL injection also, something like
> AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL
> injection can help, if vulnerable.
>
> Cheers,
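A defender-side counterpart to the probes discussed in this thread, added here as an example (not code from the thread, from sqlmap or from sqlninja): it scans Apache access-log lines for the stacked WAITFOR DELAY, UNION ... OPENROWSET and AND 1=(SELECT ...) shapes after URL decoding, and uses the logged request duration to confirm a delay probe that a blank page or a 302 would otherwise hide. The log format (combined plus %D) and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format with %D (request duration in microseconds) appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Payload shapes discussed in the thread, matched after URL decoding.
SIGNATURES = {
    "stacked-time-delay": re.compile(r";\s*waitfor\s+delay\s+'", re.I),
    "union-openrowset": re.compile(r"\bunion\s+(all\s+)?select\b.*\bopenrowset\s*\(", re.I | re.S),
    "error-based-subselect": re.compile(r"\band\s+1\s*=\s*\(\s*select\b", re.I),
}

# A blind time-based probe only shows up as a slow request when the app answers
# with a blank page or a redirect instead of an error (as in this thread).
SLOW_THRESHOLD_US = 10_000_000  # 10 seconds

def decode_url(url):
    """URL-decode twice so double-encoded payloads (%2527) still match."""
    return unquote_plus(unquote_plus(url))

def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_url(m["url"])
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    slow = int(m["usec"]) >= SLOW_THRESHOLD_US
    if "stacked-time-delay" in hits and slow:
        hits.append("delay-executed")  # the server really paused: injection confirmed
    if not hits:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "slow": slow, "hits": hits}

def scan(log_text):
    """Classify every line of an access log and return the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample log (not real traffic); hosts and payloads are made up
# to mirror the ones in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2010:07:29:27 +0100] "GET /search/score.php?id=31337 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 118234
203.0.113.5 - - [20/May/2010:07:29:31 +0100] "GET /search/score.php?id=31337%27%3Bwaitfor+delay+%2700%3A00%3A15%27-- HTTP/1.1" 200 0 "-" "Mozilla/5.0" 15104211
203.0.113.5 - - [20/May/2010:07:29:50 +0100] "GET /search/score.php?id=31337%27+UNION+ALL+SELECT+%27foobar%27+FROM+OPENROWSET%28%27x%27%29-- HTTP/1.1" 302 0 "-" "Mozilla/5.0" 90021
198.51.100.9 - - [20/May/2010:07:30:02 +0100] "GET /search/score.php?id=42+AND+1%3D%28SELECT+1%29 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 87321
"""
```

Run `scan(SAMPLE_LOG)` to see the three findings; the first one carries both the signature hit and the duration confirmation, which is the signal the blank-page server in the thread would otherwise deny you.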