[sqlmap-users] sqlmap with Sybase
From: les p. <rw8...@gm...> - 2014-03-25 18:15:33
Hi all,

I'm running into trouble with sqlmap against a Sybase db. Here's the fingerprint:

    Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010

The technique I'm using is error-based through a POST to a vulnerable .aspx page. I am able to enumerate the master db, but not the user tables, which are what I want.

    $ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah" --dbms=sybase --threads=8 --batch --technique=E -D master --tables

This produces 58 tables, mostly sys* and some mon* which seem standard. I can dump the sysobjects table using -D and -T, etc.

The web app is querying a database we'll call "ENERGY". If I try to "-D ENERGY --tables", I get "No tables found, try using --hex or --no-cast blahblah" (which don't work).

I used -v4 to look closely at the requests, and see sqlmap is prefixing the table names with "ENERGY.dbo." or sometimes just "ENERGY..", which after experimenting I found doesn't work, so I wrote a small tamper script to strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names from the user tables (type='U'), but I'm still not able to get at the actual data/rows in the tables. I know it must be possible because the web app is definitely querying the tables to validate a login (this is a sqli vuln in a login form, heh).

I'm not even sure this is really a bug in sqlmap - maybe something odd in the way the database is built or something. I just thought I'd ask in case anyone has had success using sqlmap against a similar Sybase db and has some tips or suggestions.

Thanks for reading - I can provide more information if anyone's interested.