[sqlmap-users] Fwd: Ms09-004 on W2K3SP2
From: Luis R. <lui...@gm...> - 2013-12-03 19:57:12
Hello List, Miroslav,

Did you have any chance to further look into this?

thx
Luis

---------- Forwarded message ----------
From: Luis Rocha <lui...@gm...>
Date: Sun, Dec 1, 2013 at 10:47 PM
Subject: Re: [sqlmap-users] Ms09-004 on W2K3SP2
To: Miroslav Stampar <mir...@gm...>

Thank you for your time Miroslav!

With the latest version: sqlmap/1.0-dev-59d667d ... when running with --banner --os-bof, it produces the same output as before:

---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
(..)
[16:43:53] [CRITICAL] sqlmap can not exploit the stored procedure buffer overflow because it does not have a valid return code for the underlying operating system (Windows 2003 Service Pack 0)
[16:43:53] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times

[*] shutting down at 16:43:53

Exception AttributeError: "'NoneType' object has no attribute 'error'" in <bound method Popen.__del__ of <lib.core.subprocessng.Popen object at 0xa1c0bcc>> ignored

On Sun, Dec 1, 2013 at 10:25 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Please retry it now.
>
> Bye
>
>
> On Sun, Dec 1, 2013 at 9:54 PM, Luis Rocha <lui...@gm...> wrote:
>
>> Here you have:
>>
>> [15:52:47] [INFO] the back-end DBMS is Microsoft SQL Server
>> [15:52:47] [INFO] fetching banner
>> [15:52:47] [INFO] resumed: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 \n\tCopyright (c) 1988-2005 Microsoft Corporation\n\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n
>>
>> [15:52:47] [CRITICAL] unhandled exception in sqlmap/1.0-dev-663b1e7, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>> sqlmap version: 1.0-dev-663b1e7
>> Python version: 2.6.5
>> Operating system: posix
>>
>> (..)
>>
>> Technique: BOOLEAN
>> Back-end DBMS: Microsoft SQL Server (fingerprinted)
>> Traceback (most recent call last):
>>   File "./sqlmap.py", line 95, in main
>>     start()
>>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 582, in start
>>     action()
>>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 32, in action
>>     setHandler()
>>   File "/pentest/database/sqlmap-dev/lib/controller/handler.py", line 100, in setHandler
>>     if handler.checkDbms():
>>   File "/pentest/database/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py", line 73, in checkDbms
>>     self.getBanner()
>>   File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py", line 59, in getBanner
>>     bannerParser(kb.data.banner)
>>   File "/pentest/database/sqlmap-dev/lib/parse/banner.py", line 114, in bannerParser
>>     parseXmlFile(paths.GENERIC_XML, handler)
>>   File "/pentest/database/sqlmap-dev/lib/core/common.py", line 1655, in parseXmlFile
>>     parse(stream, handler)
>>   File "/usr/lib/python2.6/xml/sax/__init__.py", line 33, in parse
>>     parser.parse(source)
>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 107, in parse
>>     xmlreader.IncrementalParser.parse(self, source)
>>   File "/usr/lib/python2.6/xml/sax/xmlreader.py", line 123, in parse
>>     self.feed(buffer)
>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 207, in feed
>>     self._parser.Parse(data, isFinal)
>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 301, in start_element
>>     self._cont_handler.startElement(name, AttributesImpl(attrs))
>>   File "/pentest/database/sqlmap-dev/lib/parse/handler.py", line 73, in startElement
>>     self._feedInfo("sp", "Service Pack %s" % self._match.group(int(self._sp)))
>> IndexError: no such group
>>
>> [*] shutting down at 15:52:47
>>
>> thx
>> Luis
>>
>>
>> On Sun, Dec 1, 2013 at 9:33 PM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi.
>>>
>>> Can you please update to the latest revision and include --banner together with --os-bof?
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>>
>>> On Sun, Dec 1, 2013 at 9:09 PM, Luis Rocha <lui...@gm...> wrote:
>>>
>>>> Yes, it's the following:
>>>>
>>>> ---
>>>> Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
>>>> Oct 14 2005 00:33:37
>>>> Copyright (c) 1988-2005 Microsoft Corporation
>>>> Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
>>>> ---
>>>>
>>>> Thank you,
>>>> Luis
>>>>
>>>>
>>>> On Sun, Dec 1, 2013 at 8:46 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>>> Hi.
>>>>>
>>>>> It seems that sqlmap was not able to parse "service pack" information from retrieved banner.
>>>>>
>>>>> Can you please write back what you get for --banner?
>>>>>
>>>>> Kind regards,
>>>>> Miroslav Stampar
>>>>>
>>>>>
>>>>> On Sat, Nov 30, 2013 at 8:07 PM, Luis Rocha <lui...@gm...> wrote:
>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> Since this is my first post I want to make sure that I write that sqlmap is a brilliant tool and congratulations to the devteam!
>>>>>>
>>>>>> I have a question that you might know. I am using sqlmap version 1.0-dev-cda27ec.
>>>>>>
>>>>>> Consider a victim system running Windows 2003 SP2 English version with HAL version: 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) with MSSQL2005 on VMware Workstation.
>>>>>>
>>>>>> From the attacker I am trying to take advantage of the MS09-004 and when I try to execute the ./sqlmap.py -u 'http://vulnerable/page.aspx' --data=`cat data` --prefix="1', 1);" --suffix="--" --fresh-queries --os-bof it generates an error:
>>>>>>
>>>>>> [13:17:51] [CRITICAL] sqlmap can not exploit the stored procedure buffer overflow because it does not have a valid return code for the underlying operating system (Windows 2003 Service Pack 0)
>>>>>>
>>>>>> I took a look at the file /plugins/dbms/mssqlserver/takeover.py and saw the following lines commented out:
>>>>>>
>>>>>> 2003 Service Pack 2 updated at 12/2008 (....)
>>>>>>
>>>>>> 2003 Service Pack 2 updated at 09/2009 (....)
>>>>>>
>>>>>> I removed the comment but still the same problem. ...the tool seems to determine that the OS does not contain any SP when in fact it has SP2...
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Luis
>>>>>>
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
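The traceback in the thread ends in a banner parser asking a regex match for a group number the pattern does not contain ("IndexError: no such group"), which is why the host was reported as "Service Pack 0" although the banner plainly says "Service Pack 2". The Python below is an added example written for this page, not sqlmap's own code: it parses the Windows build and service pack out of a SQL Server @@version banner using a named, optional group, so a banner with no "Service Pack" fragment yields 0 instead of an exception, and it accepts both the escaped "\n\t" form sqlmap printed in its "resumed:" line and the real multi-line form --banner prints. The same parsing is what a defender needs for patch-level inventory of database hosts. The first banner is the one quoted in the thread; the RTM variant, the function names and the fragile index-based helper (kept only to show the failure mode) are assumptions.

```python
import re

# Constructed sample input: the banner quoted in the thread, with the literal
# "\n\t" separators exactly as sqlmap's "resumed:" line printed them.
BANNER_W2K3_SP2 = (
    r"Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 "
    r"\n\tCopyright (c) 1988-2005 Microsoft Corporation\n\tExpress Edition on "
    r"Windows NT 5.2 (Build 3790: Service Pack 2)\n"
)

# Constructed sample input: the same banner as --banner prints it, with real newlines.
BANNER_W2K3_SP2_MULTILINE = (
    "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n"
    "\tOct 14 2005 00:33:37\n"
    "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
    "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n"
)

# Constructed sample input (assumed, not from the thread): a host without any
# service pack, so the build clause carries no "Service Pack N" fragment.
BANNER_W2K3_RTM = (
    "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n"
    "\tOct 14 2005 00:33:37\n"
    "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
    "\tStandard Edition on Windows NT 5.2 (Build 3790: )\n"
)

# Named groups, with the service-pack part optional: when the fragment is absent
# the match still succeeds and m.group("sp") is None, instead of a numeric index
# pointing past the last group and raising "IndexError: no such group".
OS_RE = re.compile(
    r"Windows NT (?P<major>\d+)\.(?P<minor>\d+) "
    r"\(Build (?P<build>\d+):\s*(?:Service Pack (?P<sp>\d+))?\s*\)"
)

# NT kernel version -> product name, limited to what this example needs.
NT_TO_PRODUCT = {(5, 0): "Windows 2000", (5, 1): "Windows XP", (5, 2): "Windows 2003"}

# The shape of pattern that fails when its group count and the configured
# index disagree (three groups here; asking for group 4 raises IndexError).
FRAGILE_RE = r"Windows NT (\d+\.\d+) \(Build (\d+): Service Pack (\d+)\)"


def normalise(banner):
    """Turn both literal "\\n\\t" escapes and real whitespace into single spaces
    so one regex serves every transport form of the banner."""
    text = banner.replace("\\n", " ").replace("\\t", " ")
    return re.sub(r"\s+", " ", text).strip()


def parse_os_from_banner(banner):
    """Return (product, build, service_pack) or None if no Windows build clause is present."""
    m = OS_RE.search(normalise(banner))
    if m is None:
        return None
    major, minor = int(m.group("major")), int(m.group("minor"))
    product = NT_TO_PRODUCT.get((major, minor), f"Windows NT {major}.{minor}")
    sp = m.group("sp")  # None when the optional group did not take part in the match
    return product, int(m.group("build")), 0 if sp is None else int(sp)


def os_label(banner):
    """Render the label in the form sqlmap printed it, e.g. 'Windows 2003 Service Pack 2'."""
    parsed = parse_os_from_banner(banner)
    if parsed is None:
        return None
    product, _build, sp = parsed
    return f"{product} Service Pack {sp}"


def service_pack_by_index(banner, pattern, group_index):
    """The index-driven lookup that failed in the thread, with the IndexError
    handled: a group number beyond the pattern's groups means the pattern and
    its configuration disagree, which is reported as 'unknown' (None), not a crash."""
    m = re.search(pattern, normalise(banner))
    if m is None:
        return None
    try:
        return m.group(group_index)
    except IndexError:  # "no such group"
        return None


if __name__ == "__main__":
    for name, banner in [("escaped", BANNER_W2K3_SP2),
                         ("multiline", BANNER_W2K3_SP2_MULTILINE),
                         ("rtm", BANNER_W2K3_RTM)]:
        print(f"{name:9s} -> {os_label(banner)}")
    print("group 3:", service_pack_by_index(BANNER_W2K3_SP2, FRAGILE_RE, 3))
    print("group 4:", service_pack_by_index(BANNER_W2K3_SP2, FRAGILE_RE, 4))
```

Normalising whitespace before matching matters here: the thread shows the same banner arriving once with escaped separators and once with real line breaks, and a pattern anchored on one form silently misses the other.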