Re: [sqlmap-users] Direct connection to Oracle supported?
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Direct connection to Oracle supported?
|
From: <in...@ex...> - 2013-10-21 22:15:56
|
<html><body><span style="font-family:Verdana; color:#000000; font-size:10pt;"><div> I wish it were so easy. I tried with and without quotes and also specifying --dbms=Oracle</div> <div>I'll clone the github version and try that in case the Kali version is somehow screwed up.</div> <div> </div> <BLOCKQUOTE style="BORDER-LEFT: blue 2px solid; PADDING-LEFT: 8px; FONT-FAMILY: verdana; COLOR: black; MARGIN-LEFT: 8px; FONT-SIZE: 10pt" id=replyBlockquote webmail="1"> <DIV id=wmQuoteWrapper> <DIV dir=ltr>Maybe you forgot the quotes ? <DIV><BR></DIV> <DIV><PRE style="BORDER-BOTTOM: rgb(221,221,221) 1px solid; BORDER-LEFT: rgb(221,221,221) 1px solid; PADDING-BOTTOM: 6px; LINE-HEIGHT: 19px; BACKGROUND-COLOR: rgb(248,248,248); MARGIN-TOP: 15px; PADDING-LEFT: 10px; PADDING-RIGHT: 10px; FONT-FAMILY: Consolas,'Liberation Mono',Courier,monospace; MARGIN-BOTTOM: 15px; COLOR: rgb(51,51,51); FONT-SIZE: 13px; OVERFLOW: auto; BORDER-TOP: rgb(221,221,221) 1px solid; BORDER-RIGHT: rgb(221,221,221) 1px solid; PADDING-TOP: 6px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px"> <CODE style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0px; BACKGROUND-COLOR: transparent; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; FONT-FAMILY: Consolas,'Liberation Mono',Courier,monospace; WORD-WRAP: normal; FONT-SIZE: 12px; BORDER-TOP: medium none; BORDER-RIGHT: medium none; PADDING-TOP: 0px; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px">python <a href="http://sqlmap.py">sqlmap.py</a> -d "mysql://<A href="http://admin:admin@192.168.21.17:3306/testdb" target=_blank>admin:admin@192.168.21.17:3306/testdb</A>" -f --banner --dbs --users</CODE></PRE></DIV> <DIV class=gmail_extra><BR><BR> <DIV class=gmail_quote>On Mon, Oct 21, 2013 at 8:17 PM, Miroslav Stampar <SPAN dir=ltr><<A href="mailto:mir...@gm..." target=_blank>mir...@gm...</A>></SPAN> wrote:<BR> <BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote> <DIV dir=ltr>Hi. <DIV><BR></DIV> <DIV>sqlmap supports it. Sample console output:</DIV> <DIV><BR></DIV> <DIV> <DIV>$ python <a href="http://sqlmap.py">sqlmap.py</a> -d "oracle://<A href="http://SYSTEM:testpass@192.168.5.27:1521/testdb" target=_blank>SYSTEM:testpass@192.168.5.27:1521/testdb</A>" -v 5 --banner</DIV> <DIV><BR></DIV> <DIV> sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover tool</DIV> <DIV> <A href="http://sqlmap.org/" target=_blank>http://sqlmap.org</A></DIV> <DIV><BR></DIV> <DIV>[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program</DIV> <DIV><BR></DIV> <DIV>[*] starting at 20:15:37</DIV> <DIV><BR></DIV> <DIV>[20:15:37] [DEBUG] cleaning up configuration parameters</DIV> <DIV>[20:15:37] [DEBUG] forcing timeout to 10 seconds</DIV> <DIV>[20:15:37] [INFO] connection to oracle server <A href="http://192.168.5.27:1521/" target=_blank>192.168.5.27:1521</A> established</DIV> <DIV>[20:15:37] [INFO] the back-end DBMS is Oracle</DIV> <DIV>[20:15:37] [INFO] fetching banner</DIV> <DIV>[20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM v$version WHERE ROWNUM=1</DIV> <DIV>back-end DBMS: Oracle</DIV> <DIV>banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'</DIV> <DIV>[20:15:37] [INFO] connection to oracle server <A href="http://192.168.5.27:1521/" target=_blank>192.168.5.27:1521</A> closed</DIV> <DIV><BR></DIV> <DIV>[*] shutting down at 20:15:37</DIV></DIV> <DIV><BR></DIV> <DIV>Could you please check that you run the latest revision from the Github repository and try to run it with -v 5? Strange thing with your case is "sqlmap was not able to fingerprint..." while there is no fingerprinting in sqlmap's direct mode (at least in HEAD revision).</DIV> <DIV><BR></DIV> <DIV>Kind regards,</DIV> <DIV>Miroslav Stampar</DIV></DIV> <DIV class=gmail_extra> <DIV> <DIV class=h5><BR><BR> <DIV class=gmail_quote>On Mon, Oct 21, 2013 at 7:24 PM, Brian Milliron <SPAN dir=ltr><<A href="mailto:Br...@ec..." target=_blank>Br...@ec...</A>></SPAN> wrote:<BR> <BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>Using sqlmap on a recently updated Kali installation, I tried to connect<BR>to an Oracle db using this command:<BR>sqlmap -d Oracle://<A href="http://user:pass@10.10.10.10:1521/SID" target=_blank>user:pass@10.10.10.10:1521/SID</A><BR>I get the error message "[CRITICAL] sqlmap was not able to fingerprint<BR>the back-end database management system. Support for this DBMS will be<BR>implemented at some point.<BR><BR>The wiki on github states that Oracle is supported for direct<BR>connections, so there is some confusion here. Wireshark confirms no<BR>attempt to connect to the server is made at all and the syntax of the<BR>command appears correct. Can you confirm whether sqlmap currently<BR>supports direct connections to Oracle databases or if there is some<BR>other problem?<BR><BR><BR>--<BR>Brian Milliron, CEO<BR>ECR Security<BR><A href="http://www.ecrsecurity.com/" target=_blank>http://www.ECRSecurity.com</A><BR><A href="tel:512-422-5408" target=_blank value="+15124225408">512-422-5408</A><BR><BR>------------------------------------------------------------------------------<BR>October Webinars: Code for Performance<BR>Free Intel webinars can help you accelerate application performance.<BR>Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from<BR>the latest Intel processors and coprocessors. See abstracts and register ><BR><A href="http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk" target=_blank>http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk</A><BR>_______________________________________________<BR>sqlmap-users mailing list<BR><A href="mailto:sql...@li..." target=_blank>sql...@li...</A><BR><A href="https://lists.sourceforge.net/lists/listinfo/sqlmap-users" target=_blank>https://lists.sourceforge.net/lists/listinfo/sqlmap-users</A><BR></BLOCKQUOTE></DIV><BR><BR clear=all> <DIV><BR></DIV></DIV></DIV><SPAN class=HOEnZb><FONT color=#888888>-- <BR>Miroslav Stampar<BR><A href="http://about.me/stamparm" target=_blank>http://about.me/stamparm</A> </FONT></SPAN></DIV><BR>------------------------------------------------------------------------------<BR>October Webinars: Code for Performance<BR>Free Intel webinars can help you accelerate application performance.<BR>Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from<BR>the latest Intel processors and coprocessors. See abstracts and register ><BR><A href="http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk" target=_blank>http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk</A><BR>_______________________________________________<BR>sqlmap-users mailing list<BR><A href="mailto:sql...@li..." target=_blank>sql...@li...</A><BR><A href="https://lists.sourceforge.net/lists/listinfo/sqlmap-users" target=_blank>https://lists.sourceforge.net/lists/listinfo/sqlmap-users</A><BR><BR></BLOCKQUOTE></DIV><BR><BR clear=all> <DIV><BR></DIV>-- <BR> <DIV dir=ltr> <DIV><B><FONT color=#444444>Yoan AGOSTINI</FONT></B></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE></span></body></html> |
