sqlmap-users Mailing List for sqlmap (Page 104)
Brought to you by: inquisb
From: Miroslav S. <mir...@gm...> - 2011-02-24 07:20:59
hi. we are planning OOB features for v1.0, especially DNS based like the one you've mentioned.

kr

On Thu, Feb 24, 2011 at 12:27 AM, <bu...@gm...> wrote:
> Hi,
>
> will sqlmap support DNS exfiltration for dbms that have such a feature? e.g. oracle:
> UTL_INADDR.get_host_address()
> UTL_HTTP.REQUEST()
>
> for such a feature new options would be needed:
> --domain  Domain used for exfiltrating results.
> --port    Port on which sqlmap should listen for incoming DNS requests. Default 53.
> The latter could be useful if root redirects traffic from 53 to a high port, where also a non-root user could open a listener. This way sqlmap wouldn't have to run as root.
>
> let me know what you think about it.
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: <bu...@gm...> - 2011-02-23 22:30:00
Hi,

will sqlmap support DNS exfiltration for dbms that have such a feature? e.g. oracle:
UTL_INADDR.get_host_address()
UTL_HTTP.REQUEST()

for such a feature new options would be needed:
--domain  Domain used for exfiltrating results.
--port    Port on which sqlmap should listen for incoming DNS requests. Default 53.
The latter could be useful if root redirects traffic from 53 to a high port, where also a non-root user could open a listener. This way sqlmap wouldn't have to run as root.

let me know what you think about it.
From: <bu...@gm...> - 2011-02-23 18:59:22
On 02/22/2011 12:34 PM, Miroslav Stampar wrote:
> in the latest commit (r3356) we've fixed some issues related to non-HTML documents.
>
> please give it a try again and report observations.

Thank you for implementing that feature so fast. Unfortunately I was not able to test it yet.
From: Miroslav S. <mir...@gm...> - 2011-02-22 17:23:31
just to confirm that this should work now. we've made some image based testing pages and it works ok now.

kr

On Tue, Feb 22, 2011 at 12:34 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi again.
>
> in the latest commit (r3356) we've fixed some issues related to non-HTML documents.
>
> please give it a try again and report observations.
>
> kr
>
> On Tue, Feb 22, 2011 at 9:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>> just a quick info.
>>
>> right now we handle it like all data, except we don't unencode it - plain byte array (string in python).
>>
>> also, we do a "quick_ratio" on it (like for all pages), so no MD5 whatsoever.
>>
>> this all means that this should work out of the box (since r3122), at least I've expected it to work.
>>
>> kr
>>
>> On Tue, Feb 22, 2011 at 9:52 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> hi again.
>>>
>>> it seems that i've mixed some pears and apples.
>>>
>>> "How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>>>
>>> thanks! (using r3351)"
>>>
>>> right now we've done some initial support but we haven't tested it thoroughly. this is the first voice saying that since that "initial" implementation it doesn't work.
>>>
>>> we'll do some test pages and fix accordingly.
>>>
>>> kr
>>>
>>> On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> hi all.
>>>>
>>>> "response" is not just a response.
>>>>
>>>> response is usually a HTML document with links included toward other documents and/or images.
>>>>
>>>> so, for us to be able to "ratio" this we would need to do lots more requests/responses than we do right now.
>>>>
>>>> it would require N times more traffic and nobody wants that by default.
>>>>
>>>> we could consider doing some extra switch which would download all embedded data, but just imagine how much traffic/slowdown that would result in some normal case. i am aware that this would help here and there but i am just waiting for some "smart pants" to NAG how this and this is slow.
>>>>
>>>> kr
>>>>
>>>> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
>>>>> Bernardo,
>>>>>
>>>>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>>>>> At the moment it has no support for these responses. It is in our todo though.
>>>>>
>>>>> What's the limitation? Why not handle all answers (regardless of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>>>>
>>>>>> Bernardo Damele A. G.
>>>>>>
>>>>>> This message was sent from a smartphone
>>>>>>
>>>>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and their hash (e.g. MD5) does.
>>>>>>>
>>>>>>> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>>>>>>>
>>>>>>> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>>>>>>>
>>>>>>> thanks! (using r3351)
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Director of Web Security at Rapid7 LLC
>>>>> Founder at Bonsai Information Security
>>>>> Project Leader at w3af

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-22 11:34:23
hi again.

in the latest commit (r3356) we've fixed some issues related to non-HTML documents.

please give it a try again and report observations.

kr

On Tue, Feb 22, 2011 at 9:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> just a quick info.
>
> right now we handle it like all data, except we don't unencode it - plain byte array (string in python).
>
> also, we do a "quick_ratio" on it (like for all pages), so no MD5 whatsoever.
>
> this all means that this should work out of the box (since r3122), at least I've expected it to work.
>
> kr
>
> On Tue, Feb 22, 2011 at 9:52 AM, Miroslav Stampar <mir...@gm...> wrote:
>> hi again.
>>
>> it seems that i've mixed some pears and apples.
>>
>> "How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>>
>> thanks! (using r3351)"
>>
>> right now we've done some initial support but we haven't tested it thoroughly. this is the first voice saying that since that "initial" implementation it doesn't work.
>>
>> we'll do some test pages and fix accordingly.
>>
>> kr
>>
>> On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> hi all.
>>>
>>> "response" is not just a response.
>>>
>>> response is usually a HTML document with links included toward other documents and/or images.
>>>
>>> so, for us to be able to "ratio" this we would need to do lots more requests/responses than we do right now.
>>>
>>> it would require N times more traffic and nobody wants that by default.
>>>
>>> we could consider doing some extra switch which would download all embedded data, but just imagine how much traffic/slowdown that would result in some normal case. i am aware that this would help here and there but i am just waiting for some "smart pants" to NAG how this and this is slow.
>>>
>>> kr
>>>
>>> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
>>>> Bernardo,
>>>>
>>>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>>>> At the moment it has no support for these responses. It is in our todo though.
>>>>
>>>> What's the limitation? Why not handle all answers (regardless of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>>>
>>>>> Bernardo Damele A. G.
>>>>>
>>>>> This message was sent from a smartphone
>>>>>
>>>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and their hash (e.g. MD5) does.
>>>>>>
>>>>>> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>>>>>>
>>>>>> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>>>>>>
>>>>>> thanks! (using r3351)

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:59:51
just a quick info.

right now we handle it like all data, except we don't unencode it - plain byte array (string in python).

also, we do a "quick_ratio" on it (like for all pages), so no MD5 whatsoever.

this all means that this should work out of the box (since r3122), at least I've expected it to work.

kr

On Tue, Feb 22, 2011 at 9:52 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi again.
>
> it seems that i've mixed some pears and apples.
>
> "How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>
> thanks! (using r3351)"
>
> right now we've done some initial support but we haven't tested it thoroughly. this is the first voice saying that since that "initial" implementation it doesn't work.
>
> we'll do some test pages and fix accordingly.
>
> kr
>
> On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar <mir...@gm...> wrote:
>> hi all.
>>
>> "response" is not just a response.
>>
>> response is usually a HTML document with links included toward other documents and/or images.
>>
>> so, for us to be able to "ratio" this we would need to do lots more requests/responses than we do right now.
>>
>> it would require N times more traffic and nobody wants that by default.
>>
>> we could consider doing some extra switch which would download all embedded data, but just imagine how much traffic/slowdown that would result in some normal case. i am aware that this would help here and there but i am just waiting for some "smart pants" to NAG how this and this is slow.
>>
>> kr
>>
>> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
>>> Bernardo,
>>>
>>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>>> At the moment it has no support for these responses. It is in our todo though.
>>>
>>> What's the limitation? Why not handle all answers (regardless of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>>
>>>> Bernardo Damele A. G.
>>>>
>>>> This message was sent from a smartphone
>>>>
>>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and their hash (e.g. MD5) does.
>>>>>
>>>>> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>>>>>
>>>>> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>>>>>
>>>>> thanks! (using r3351)

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
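The message above states the mechanism at issue in this thread: the raw response bytes are compared with difflib's quick_ratio, not hashed. The following stand-alone Python example is added here and is not sqlmap's code; it builds constructed PNG-like bodies of identical size and shows both why a ratio separates the reporter's true/false images and the caveat that quick_ratio only compares byte histograms, so a body that merely reorders the same bytes scores 1.0 while the order-aware ratio() and an MD5 still tell them apart. The 0.98 "looks identical" threshold is an assumed value.

```python
"""Compare same-size binary HTTP responses by similarity ratio, as a blind
injection detector must, and show where quick_ratio is blind.

Added example, not sqlmap code. The PNG-like bodies are constructed and the
0.98 threshold is an assumed value.
"""
import difflib
import hashlib

# Constructed: a PNG-looking prefix so every body shares the same header.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
FAKE_IHDR = b"IHDR" + (64).to_bytes(4, "big") + (64).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"

# Assumed threshold: ratios above it are treated as "same response".
UPPER_RATIO_BOUND = 0.98


def fake_png(pixels: bytes) -> bytes:
    """Build a constructed image-like response body with a fixed header."""
    return PNG_SIGNATURE + FAKE_IHDR + pixels


def quick_ratio(a: bytes, b: bytes) -> float:
    """Upper bound on similarity: compares byte counts only, never order."""
    return difflib.SequenceMatcher(None, a, b).quick_ratio()


def full_ratio(a: bytes, b: bytes) -> float:
    """Order-aware similarity from difflib's longest-matching-block search."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def same_by_hash(a: bytes, b: bytes) -> bool:
    """Exact comparison the reporter had in mind (MD5 of the whole body)."""
    return hashlib.md5(a).digest() == hashlib.md5(b).digest()


def looks_identical(a: bytes, b: bytes) -> bool:
    """Ratio-based verdict: True when the two bodies count as 'the same page'."""
    return quick_ratio(a, b) > UPPER_RATIO_BOUND


# Constructed sample bodies, all 1049 bytes: the "true" image, a "false"
# image of equal size with different content, and a third image that only
# reverses the order of the true image's pixel bytes.
TRUE_PIXELS = bytes(range(256)) * 4
TRUE_IMAGE = fake_png(TRUE_PIXELS)
FALSE_IMAGE = fake_png(b"\x00" * len(TRUE_PIXELS))
SHUFFLED_IMAGE = fake_png(bytes(reversed(TRUE_PIXELS)))


def demo() -> dict:
    """Collect the three comparisons so a caller can inspect every verdict."""
    return {
        # Different content, same size: the ratio is tiny, so true != false.
        "true_vs_false_quick": quick_ratio(TRUE_IMAGE, FALSE_IMAGE),
        "true_vs_false_distinguishable": not looks_identical(TRUE_IMAGE, FALSE_IMAGE),
        # Same bytes in a different order: quick_ratio cannot see it ...
        "true_vs_shuffled_quick": quick_ratio(TRUE_IMAGE, SHUFFLED_IMAGE),
        # ... but the order-aware ratio and the hash both can.
        "true_vs_shuffled_full": full_ratio(TRUE_IMAGE, SHUFFLED_IMAGE),
        "true_vs_shuffled_hash_equal": same_by_hash(TRUE_IMAGE, SHUFFLED_IMAGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading for a detector: a quick_ratio near 1.0 is only an upper bound and should be confirmed with ratio() (or a hash) before two binary responses are declared equal.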
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:52:27
hi again.

it seems that i've mixed some pears and apples.

"How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?

thanks! (using r3351)"

right now we've done some initial support but we haven't tested it thoroughly. this is the first voice saying that since that "initial" implementation it doesn't work.

we'll do some test pages and fix accordingly.

kr

On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi all.
>
> "response" is not just a response.
>
> response is usually a HTML document with links included toward other documents and/or images.
>
> so, for us to be able to "ratio" this we would need to do lots more requests/responses than we do right now.
>
> it would require N times more traffic and nobody wants that by default.
>
> we could consider doing some extra switch which would download all embedded data, but just imagine how much traffic/slowdown that would result in some normal case. i am aware that this would help here and there but i am just waiting for some "smart pants" to NAG how this and this is slow.
>
> kr
>
> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
>> Bernardo,
>>
>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>> At the moment it has no support for these responses. It is in our todo though.
>>
>> What's the limitation? Why not handle all answers (regardless of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>
>>> Bernardo Damele A. G.
>>>
>>> This message was sent from a smartphone
>>>
>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and their hash (e.g. MD5) does.
>>>>
>>>> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>>>>
>>>> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html?
>>>>
>>>> thanks! (using r3351)

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:50:21
hi David.

our internal decision is no. that (S)kip current test does a good job now and more detailed than that would just "inject" more confusion.

kr

On Tue, Feb 15, 2011 at 10:41 PM, Miroslav Stampar <mir...@gm...> wrote:
> aha, sorry, Bernardo pointed it out to me.
>
> you've mentioned this here:
> "so, with this option, there is some chance that another payload with less or more brackets or quotation marks, could succeed."
>
> we'll discuss internally.
>
> kr
>
> On Tue, Feb 15, 2011 at 10:37 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi David.
>>
>> Could you please explain a bit?
>>
>> What's the difference between the current (S)kip test and your proposed (o)ther test?
>>
>> Skip test should skip to the next test in the list. Maybe we should rename it to the (S)kip current test.
>>
>> kr
>>
>> On Tue, Feb 15, 2011 at 10:32 PM, David Guimaraes <sk...@gm...> wrote:
>>> Hello, can I suggest a new feature? Why not put in an option to advance to the next test inside the detection phase?
>>>
>>> Hypothetical example:
>>>
>>> [18:32:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>>> [18:32:52] [PAYLOAD] 1499) AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND (3656=3656
>>> ^C[18:32:52] [WARNING] Ctrl+C detected in detection phase
>>> How do you want to proceed? [(o)ther payload test/(S)kip test/(e)nd detection phase/(n)ext parameter/(q)uit] o
>>> [18:32:54] [PAYLOAD] 1499' AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND '3656'='3656
>>> [18:32:54] [PAYLOAD] 1499 AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND 3656=3656
>>>
>>> Why? Because there are some cases where the actual testing query hangs the server (as i am suffering this right now with the first payload query) and the detection phase can't continue (trying to reconnect or increasing the read-timeout doesn't work)... so, with this option, there is some chance that another payload with less or more brackets or quotation marks could succeed.
>>>
>>> Just a suggestion =)
>>>
>>> David
>>>
>>> ------------------------------------------------------------------------------
>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:46:19
|
hi all.

"response" is not just a response. response is usually an HTML document with links included toward other documents and/or images. so, for us to be able to "ratio" this we would need to do lots more requests/responses than we do right now. it would require N times more traffic and nobody wants that by default. we could consider doing some extra switch which would download all embedded data, but just imagine how much traffic/slowdown that would cause in some normal case.

i am aware that this would help here and there but i am just waiting for some "smart pants" to NAG about how this and this is slow.

kr

On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
> Bernardo,
>
> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>> At the moment it has no support for these responses. It is in our todo though.
>
> What's the limitation? Why not handle all answers (regardless of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>
>> Bernardo Damele A. G.
>>
>> This message was sent from a smartphone
>>
>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>
>>> Hi,
>>>
>>> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and its hash (e.g. MD5) does.
>>>
>>> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>>>
>>> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at the response size if the reply is not text/html?
>>>
>>> thanks! (using r3351)
>
> --
> Andrés Riancho

--
Miroslav Stampar
|
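An added example, not sqlmap's code and not from anyone in this thread, showing why the comparison question here matters: difflib.quick_ratio, the call Andres proposes, only compares the multiset of characters, so two equal-size binary bodies with the same byte histogram score 1.0 even though their content differs, while a hash comparison tells them apart. The sample HTML bodies, the two PNG-like byte strings, the content-type rule and the 0.98 threshold are all constructed for this demo, not values taken from sqlmap.

```python
"""Compare two HTTP response bodies the way a boolean-blind detector has to.

Added example, not sqlmap code. Sample bodies are constructed; the 0.98
threshold is an assumption for this demo, not a value taken from sqlmap.
"""
import difflib
import hashlib

# Constructed responses for a parameter that selects a product (text/html).
TRUE_HTML = b"<html><body><h1>Product 7</h1><p>In stock</p></body></html>"
FALSE_HTML = b"<html><body><h1>Product not found</h1></body></html>"

# Constructed "images": same length, same byte histogram, different content.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMG_TRUE = PNG_MAGIC + bytes(range(64))
IMG_FALSE = PNG_MAGIC + bytes(reversed(range(64)))

TEXT_THRESHOLD = 0.98  # assumed similarity bound; at or above it two pages count as "same"


def quick_ratio(a, b) -> float:
    """difflib's cheap similarity: an upper bound computed from the multiset of
    elements only, so it cannot tell reordered content apart."""
    return difflib.SequenceMatcher(None, a, b).quick_ratio()


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def compare(ref_body: bytes, ref_ctype: str, body: bytes, ctype: str) -> str:
    """Return "same" or "different" for a candidate response against a reference.

    text/* bodies are compared by similarity ratio (tolerates minor page noise);
    everything else is compared byte-exactly through a hash, because a ratio over
    binary data says little (see IMG_TRUE vs IMG_FALSE).
    """
    if ctype.split(";")[0].strip() != ref_ctype.split(";")[0].strip():
        return "different"
    if ref_ctype.startswith("text/"):
        r = quick_ratio(ref_body.decode("utf-8", "replace"), body.decode("utf-8", "replace"))
        return "same" if r >= TEXT_THRESHOLD else "different"
    return "same" if digest(ref_body) == digest(body) else "different"


if __name__ == "__main__":
    print("html:", compare(TRUE_HTML, "text/html", FALSE_HTML, "text/html"))
    print("png quick_ratio:", quick_ratio(IMG_TRUE, IMG_FALSE))   # 1.0 despite different pixels
    print("png:", compare(IMG_TRUE, "image/png", IMG_FALSE, "image/png"))
```

The content-type split is the design point: a ratio is the right tool for markup that carries small per-request noise, a digest is the right tool for an image whose bytes must match exactly; applying the ratio to both is what leaves the PNG case in this thread undetected.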
From: Andres R. <and...@gm...> - 2011-02-22 02:25:16
|
Bernardo,

On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> At the moment it has no support for these responses. It is in our todo though.

What's the limitation? Why not handle all answers (regardless of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :)

> Bernardo Damele A. G.
>
> This message was sent from a smartphone
>
> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>
>> Hi,
>>
>> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and its hash (e.g. MD5) does.
>>
>> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>>
>> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at the response size if the reply is not text/html?
>>
>> thanks! (using r3351)

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-02-21 22:44:50
|
Bernardo Damele A. G.

This message was sent from a smartphone

Begin forwarded message:

*From:* "Bernardo Damele A. G." <ber...@gm...>
*Date:* 21 February 2011 22:41:04 GMT
*To:* m4l1c3 <mal...@gm...>
*Subject:* *Re: [sqlmap-users] Can sqlmap do this?*

Bernardo Damele A. G.

This message was sent from a smartphone

On 21 Feb 2011, at 19:19, m4l1c3 <mal...@gm...> wrote:

> Is it possible to have sqlmap dump info from its session into csv?

No.

> Sometimes that would be useful when sqlmap crashes during a phase.

Check the log file.

> Also, can you dump the session into a csv without being able to connect to the host?

No. CSV files are created only at the end of a successful --dump, one for each table dumped.

> Many thanks.
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-02-21 22:44:18
|
At the moment it has no support for these responses. It is in our todo though.

Bernardo Damele A. G.

This message was sent from a smartphone

On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:

> Hi,
>
> I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and its hash (e.g. MD5) does.
>
> It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.
>
> How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at the response size if the reply is not text/html?
>
> thanks! (using r3351)
|
From: <bu...@gm...> - 2011-02-21 21:55:51
|
Hi,

I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending on whether true or false. The size of the picture in terms of bytes and resolution does not change. The content and its hash (e.g. MD5) does.

It seems that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5.

How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at the response size if the reply is not text/html?

thanks! (using r3351)
|
From: m4l1c3 <mal...@gm...> - 2011-02-21 19:19:13
|
Is it possible to have sqlmap dump info from its session into csv? Sometimes that would be useful when sqlmap crashes during a phase.

Also, can you dump the session into a csv without being able to connect to the host?

Many thanks.
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-02-15 21:56:48
|
Hi,

In the upcoming couple of days I will be doing some maintenance on the server hosting the Subversion repository, so be aware that it might be down for some time.

Cheers,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Miroslav S. <mir...@gm...> - 2011-02-15 21:41:24
|
aha, sorry, Bernardo pointed it out to me. you've mentioned this here: "so, with this option, there is some chance that another payload with less or more brackets or quotation marks, could succeed."

we'll discuss internally.

kr

On Tue, Feb 15, 2011 at 10:37 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi David.
>
> Could you please explain a bit?
>
> What's the difference between the current (S)kip test and your proposed (o)ther test?
>
> Skip test should skip to the next test in the list. Maybe we should rename it to (S)kip current test.
>
> kr
>
> On Tue, Feb 15, 2011 at 10:32 PM, David Guimaraes <sk...@gm...> wrote:
>> Hello, can I suggest a new feature? Why not put an option to advance to the next test inside the detection phase?
>>
>> Hypothetical example:
>>
>> [18:32:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [18:32:52] [PAYLOAD] 1499) AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND (3656=3656
>> ^C[18:32:52] [WARNING] Ctrl+C detected in detection phase
>> How do you want to proceed? [(o)ther payload test/(S)kip test/(e)nd detection phase/(n)ext parameter/(q)uit] o
>> [18:32:54] [PAYLOAD] 1499' AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND '3656'='3656
>> [18:32:54] [PAYLOAD] 1499 AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND 3656=3656
>>
>> Why? Because there are some cases where the actual testing query hangs the server (as i am suffering this right now with the first payload query) and the detection phase can't continue (trying to reconnect or increasing the read-timeout doesn't work)... so, with this option, there is some chance that another payload with less or more brackets or quotation marks could succeed.
>>
>> Just a suggestion =)
>>
>> David

--
Miroslav Stampar
|
From: Miroslav S. <mir...@gm...> - 2011-02-15 21:37:48
|
Hi David.

Could you please explain a bit?

What's the difference between the current (S)kip test and your proposed (o)ther test?

Skip test should skip to the next test in the list. Maybe we should rename it to (S)kip current test.

kr

On Tue, Feb 15, 2011 at 10:32 PM, David Guimaraes <sk...@gm...> wrote:
> Hello, can I suggest a new feature? Why not put an option to advance to the next test inside the detection phase?
>
> Hypothetical example:
>
> [18:32:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
> [18:32:52] [PAYLOAD] 1499) AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND (3656=3656
> ^C[18:32:52] [WARNING] Ctrl+C detected in detection phase
> How do you want to proceed? [(o)ther payload test/(S)kip test/(e)nd detection phase/(n)ext parameter/(q)uit] o
> [18:32:54] [PAYLOAD] 1499' AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND '3656'='3656
> [18:32:54] [PAYLOAD] 1499 AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND 3656=3656
>
> Why? Because there are some cases where the actual testing query hangs the server (as i am suffering this right now with the first payload query) and the detection phase can't continue (trying to reconnect or increasing the read-timeout doesn't work)... so, with this option, there is some chance that another payload with less or more brackets or quotation marks could succeed.
>
> Just a suggestion =)
>
> David

--
Miroslav Stampar
|
From: David G. <sk...@gm...> - 2011-02-15 21:32:35
|
Hello, can I suggest a new feature? Why not put an option to advance to the next test inside the detection phase?

Hypothetical example:

[18:32:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[18:32:52] [PAYLOAD] 1499) AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND (3656=3656
^C[18:32:52] [WARNING] Ctrl+C detected in detection phase
How do you want to proceed? [(o)ther payload test/(S)kip test/(e)nd detection phase/(n)ext parameter/(q)uit] o
[18:32:54] [PAYLOAD] 1499' AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND '3656'='3656
[18:32:54] [PAYLOAD] 1499 AND 1366=CONVERT(INT,(CHAR(58)+CHAR(117)+CHAR(117)+CHAR(117)+CHAR(58)+(SELECT (CASE WHEN (1366=1366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(103)+CHAR(109)+CHAR(58))) AND 3656=3656

Why? Because there are some cases where the actual testing query hangs the server (as i am suffering this right now with the first payload query) and the detection phase can't continue (trying to reconnect or increasing the read-timeout doesn't work)... so, with this option, there is some chance that another payload with less or more brackets or quotation marks could succeed.

Just a suggestion =)

David
|
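The prompt David sketches is a small state machine around an interruptible request. The loop below is an added illustration of it, not sqlmap's implementation: it accepts the same five answers and decides where the detection phase continues. send() and choose() are stand-ins: the simulated target raises KeyboardInterrupt for a hanging variant, which is exactly what a real Ctrl+C does to a blocking socket read in CPython's main thread, and the scripted chooser replaces the interactive prompt so the loop can be exercised without a terminal. The second test title and the boundary labels ("paren", "quote", "bare") are constructed.

```python
"""Interruptible detection loop driving the (o)ther/(S)kip/(e)nd/(n)ext/(q)uit prompt.
Added example, not sqlmap's implementation."""
from typing import Callable, Dict, Iterable, List, Tuple

Finding = Tuple[str, str]          # (test title, boundary label)

PROMPT = ("How do you want to proceed? [(o)ther payload test/(S)kip test/"
          "(e)nd detection phase/(n)ext parameter/(q)uit] ")


def run_detection(tests: Dict[str, List[str]],
                  send: Callable[[str, str], bool],
                  choose: Callable[[str, str], str]) -> Tuple[List[Finding], str]:
    """Run every test over its boundary variants for one parameter.

    send(title, boundary) returns True when the response looks injectable, False
    otherwise, and raises KeyboardInterrupt when the operator hits Ctrl+C while the
    request is stuck (what CPython does to a blocking read in the main thread).
    choose(title, boundary) answers the prompt with 'o', 'S', 'e', 'n' or 'q';
    anything else counts as the default 'S'.
    Returns the findings and why the loop stopped: 'done', 'end', 'next' or 'quit'.
    """
    findings: List[Finding] = []
    for title, boundaries in tests.items():
        i = 0
        while i < len(boundaries):
            boundary = boundaries[i]
            try:
                if send(title, boundary):
                    findings.append((title, boundary))
                    break                      # test succeeded, move on to the next test
                i += 1                         # clean negative, try the next boundary
            except KeyboardInterrupt:
                answer = choose(title, boundary)
                if answer == "o":              # other payload: next boundary, same test
                    i += 1
                elif answer == "e":
                    return findings, "end"
                elif answer == "n":
                    return findings, "next"
                elif answer == "q":
                    return findings, "quit"
                else:                          # 'S' (default): abandon this test
                    break
    return findings, "done"


def simulated_target(hanging: Iterable[Finding], vulnerable: Iterable[Finding]):
    """Constructed stand-in for the HTTP layer: some variants hang (and the operator
    interrupts them), one variant answers like an injectable parameter."""
    hanging, vulnerable = set(hanging), set(vulnerable)

    def send(title: str, boundary: str) -> bool:
        if (title, boundary) in hanging:
            raise KeyboardInterrupt          # the operator's Ctrl+C during the hung read
        return (title, boundary) in vulnerable
    return send


def scripted(answers: Iterable[str]) -> Callable[[str, str], str]:
    """Replace the interactive prompt with a fixed list of answers ('S' once exhausted)."""
    it = iter(answers)
    return lambda _title, _boundary: next(it, "S")


def interactive(title: str, boundary: str) -> str:
    """The real prompt, for running the loop by hand."""
    print(f"\n[WARNING] Ctrl+C detected in detection phase ({title}, {boundary} boundary)")
    return input(PROMPT).strip() or "S"


# Constructed test list: the first title is the one from the thread, the second is made up;
# boundary labels stand in for the parenthesis/quote/bare variants of a payload.
TESTS = {
    "Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause": ["paren", "quote", "bare"],
    "constructed second test": ["paren", "quote", "bare"],
}

if __name__ == "__main__":
    first = list(TESTS)[0]
    target = simulated_target(hanging=[(first, "paren")], vulnerable=[(first, "quote")])
    print(run_detection(TESTS, target, scripted(["o"])))
```

The point of the design is that the answer only moves an index: "other payload" advances within the same test's variants, "skip" leaves the test, and the three remaining answers return immediately with a reason the caller can act on (move to the next parameter, or stop).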
From: Miroslav S. <mir...@gm...> - 2011-02-15 21:20:32
|
hi yonny.

this is strange. there are two possible reasons and one not so possible:

1) you have updated only some files, not the whole project, or
2) that sqlmap (alias? batch?) you run somehow screws up the environment, or
3) something else is screwed :)

could you please try to update to the latest revision and try to run with python sqlmap.py? i've updated to the latest revision and i've run with the same switches without any problems.

kr

On Tue, Feb 15, 2011 at 6:50 PM, yonny mutai <yo...@go...> wrote:
> /pentest/database/sqlmap$ sqlmap --level 5 --risk 3 --parse-errors --msf-path /pentest/exploits/framework3 --text-only --threads 1 --timeout 139 --data="psw=1212&uname=112" -u "http://192.168.1.132/index.php" -v1 --dbms mysql
> Traceback (most recent call last):
>   File "/pentest/database/sqlmap/sqlmap.py", line 26, in <module>
>     from lib.controller.controller import start
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 12, in <module>
>     from lib.controller.action import action
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 10, in <module>
>     from lib.controller.handler import setHandler
>   File "/pentest/database/sqlmap/lib/controller/handler.py", line 27, in <module>
>     from plugins.dbms.mssqlserver import MSSQLServerMap
>   File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/__init__.py", line 14, in <module>
>     from plugins.dbms.mssqlserver.enumeration import Enumeration
>   File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/enumeration.py", line 25, in <module>
>     from plugins.generic.enumeration import Enumeration as GenericEnumeration
>   File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 48, in <module>
>     from lib.core.settings import CONCAT_ROW_DELIMITER
> ImportError: cannot import name CONCAT_ROW_DELIMITER

--
Miroslav Stampar
|
From: yonny m. <yo...@go...> - 2011-02-15 17:50:25
|
/pentest/database/sqlmap$ sqlmap --level 5 --risk 3 --parse-errors --msf-path /pentest/exploits/framework3 --text-only --threads 1 --timeout 139 --data="psw=1212&uname=112" -u "http://192.168.1.132/index.php" -v1 --dbms mysql
Traceback (most recent call last):
  File "/pentest/database/sqlmap/sqlmap.py", line 26, in <module>
    from lib.controller.controller import start
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 12, in <module>
    from lib.controller.action import action
  File "/pentest/database/sqlmap/lib/controller/action.py", line 10, in <module>
    from lib.controller.handler import setHandler
  File "/pentest/database/sqlmap/lib/controller/handler.py", line 27, in <module>
    from plugins.dbms.mssqlserver import MSSQLServerMap
  File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/__init__.py", line 14, in <module>
    from plugins.dbms.mssqlserver.enumeration import Enumeration
  File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/enumeration.py", line 25, in <module>
    from plugins.generic.enumeration import Enumeration as GenericEnumeration
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 48, in <module>
    from lib.core.settings import CONCAT_ROW_DELIMITER
ImportError: cannot import name CONCAT_ROW_DELIMITER
|
From: Miroslav S. <mir...@gm...> - 2011-02-15 00:28:48
|
Hi all.

With r3320 we've implemented the switch --group-concat for the GROUP_CONCAT technique of dumping for the MySQL DBMS. Also, you can turn it on implicitly with the -o switch.

For now it's limited only to the error-based technique.

Please report any problems.

KR

p.s. it's fast

--
Miroslav Stampar
|
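What the GROUP_CONCAT technique buys: one aggregate query returns every row packed into a single string, instead of a COUNT plus one LIMIT/OFFSET query per row. The added example below is my code, not sqlmap's dumper; it runs against an in-memory SQLite table because SQLite's group_concat(X, separator) takes the same two arguments as MySQL's (the || concatenation is SQLite syntax, MySQL would use CONCAT()). Each value is HEX()-encoded before packing, so the constructed row and column delimiters can never collide with the data, and the client splits and decodes the result back into rows. ROW_DELIM and COL_DELIM are constructed values, not sqlmap's CONCAT_ROW_DELIMITER, and the users table is made up.

```python
"""Row packing with GROUP_CONCAT: one aggregate query instead of one query per row.
Added example against SQLite; not sqlmap's dumper."""
import re
import sqlite3
from typing import List, Optional, Sequence, Tuple

ROW_DELIM = "|"    # constructed separators; sqlmap keeps its own in lib.core.settings
COL_DELIM = ","
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

Row = Tuple[str, ...]


def _ident(name: str) -> str:
    """Identifiers are spliced into SQL text, so accept only plain names."""
    if not _IDENT.match(name):
        raise ValueError(f"bad identifier: {name!r}")
    return name


def sample_db() -> sqlite3.Connection:
    """Constructed table whose values contain both delimiters and an empty string."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, note TEXT);
        INSERT INTO users VALUES (1, 'alice', 'ok');
        INSERT INTO users VALUES (2, 'bob|carol', 'contains,row,and|col delimiters');
        INSERT INTO users VALUES (3, 'dave', '');
    """)
    return conn


def dump_row_by_row(conn, table: str, columns: Sequence[str]) -> Tuple[List[Row], int]:
    """Baseline: COUNT(*) then one LIMIT 1 OFFSET n query per row (N+1 round trips)."""
    table, cols = _ident(table), ", ".join(_ident(c) for c in columns)
    (count,) = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()
    rows = []
    for offset in range(count):
        row = conn.execute(f"SELECT {cols} FROM {table} LIMIT 1 OFFSET ?", (offset,)).fetchone()
        rows.append(tuple(str(v) for v in row))
    return sorted(rows), count + 1


def group_concat_query(table: str, columns: Sequence[str]) -> str:
    """Every value is hex-encoded (MySQL and SQLite both have hex()), so the
    separators can never occur inside the data they separate."""
    table = _ident(table)
    packed_row = f" || '{COL_DELIM}' || ".join(f"hex(CAST({_ident(c)} AS TEXT))" for c in columns)
    return f"SELECT group_concat({packed_row}, '{ROW_DELIM}') FROM {table}"


def unpack(packed: Optional[str]) -> List[Row]:
    """Split the packed string back into rows and hex-decode each value."""
    if not packed:                       # NULL for an empty table
        return []
    rows = []
    for row in packed.split(ROW_DELIM):
        rows.append(tuple(bytes.fromhex(h).decode("utf-8") for h in row.split(COL_DELIM)))
    return sorted(rows)


def dump_group_concat(conn, table: str, columns: Sequence[str]) -> Tuple[List[Row], int]:
    """One round trip for the whole table."""
    (packed,) = conn.execute(group_concat_query(table, columns)).fetchone()
    return unpack(packed), 1


if __name__ == "__main__":
    db = sample_db()
    cols = ["id", "name", "note"]
    slow, n_slow = dump_row_by_row(db, "users", cols)
    fast, n_fast = dump_group_concat(db, "users", cols)
    print(slow == fast, n_slow, n_fast)      # True 4 1
```

Two caveats a dumper built this way has to handle: MySQL silently truncates a GROUP_CONCAT result at group_concat_max_len (1024 bytes by default), so large tables must be fetched in chunks or the session variable raised, and the error-based channel the switch is limited to has its own message-length ceiling, which is another reason the packed string has to be split across requests.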
From: Miroslav S. <mir...@gm...> - 2011-02-14 13:58:03
|
i am pretty sure that this is a false positive. all symptoms are here. if you could send me the URI privately just to see what's going on myself it would be great.

kr

On Mon, Feb 14, 2011 at 2:35 PM, Johnny Venter <Joh...@zo...> wrote:
> Thanks for the info, I used the first option (a) and it still found an injection point.
> However, in one iteration it identified the back-end server as MySQL and then as MS SQL 2008.
> I can connect via --sql-shell, but no information is returned. I get output similar to "?~t|r8p?@?~?xx?n?zt".
> Could this happen when the db server and web server are on two separate systems?
> Any help/input is greatly appreciated.
> Miro, I am working on the "--string" option (b) and will report the results.
>
> Thanks, J
>
> On Feb 12, 2011, at 2:31 AM, Miroslav Stampar wrote:
>
>> hi.
>>
>> this is either some case of false positive or dynamicity problem.
>>
>> to resolve this either:
>>
>> a) try --flush-session --text-only
>> or
>> b) --flush-session --string ....
>> please, find one string that is characteristic only to the TRUE page and use it with the --string parameter
>>
>> if a) and b) fail to find any injection then the problem is most definitely a false positive. in that case please report with more details.
>>
>> kr
>>
>> On Sat, Feb 12, 2011 at 1:27 AM, Johnny Venter <Joh...@zo...> wrote:
>>> Here is a sample of output I receive when I request "--current-user":
>>>
>>> ?~t|r8p?@?~?xx?n?zt
>>>
>>> I am using version 0.9-dev.
>>>
>>> Boolean based blind is the type of injection that was found.
>>>
>>> On Feb 11, 2011, at 5:41 PM, Miroslav Stampar wrote:
>>>
>>>> hi Johnny.
>>>>
>>>> it's not normal behavior :)
>>>>
>>>> you haven't told which version you are using?
>>>>
>>>> kr
>>>>
>>>> On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
>>>>> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>>>>>
>>>>> I am using SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>>>>>
>>>>> Thanks, J

--
Miroslav Stampar
|
From: Johnny V. <Joh...@zo...> - 2011-02-14 13:35:35
|
Thanks for the info, I used the first option (a) and it still found an injection point.
However, in one iteration it identified the back-end server as MySQL and then as MS SQL 2008.
I can connect via --sql-shell, but no information is returned. I get output similar to "?~t|r8p?@?~?xx?n?zt".
Could this happen when the db server and web server are on two separate systems?
Any help/input is greatly appreciated.
Miro, I am working on the "--string" option (b) and will report the results.

Thanks, J

On Feb 12, 2011, at 2:31 AM, Miroslav Stampar wrote:

> hi.
>
> this is either some case of false positive or dynamicity problem.
>
> to resolve this either:
>
> a) try --flush-session --text-only
> or
> b) --flush-session --string ....
> please, find one string that is characteristic only to the TRUE page and use it with the --string parameter
>
> if a) and b) fail to find any injection then the problem is most definitely a false positive. in that case please report with more details.
>
> kr
>
> On Sat, Feb 12, 2011 at 1:27 AM, Johnny Venter <Joh...@zo...> wrote:
>> Here is a sample of output I receive when I request "--current-user":
>>
>> ?~t|r8p?@?~?xx?n?zt
>>
>> I am using version 0.9-dev.
>>
>> Boolean based blind is the type of injection that was found.
>>
>> On Feb 11, 2011, at 5:41 PM, Miroslav Stampar wrote:
>>
>>> hi Johnny.
>>>
>>> it's not normal behavior :)
>>>
>>> you haven't told which version you are using?
>>>
>>> kr
>>>
>>> On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
>>>> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>>>>
>>>> I am using SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>>>>
>>>> Thanks, J
|
From: Miroslav S. <mir...@gm...> - 2011-02-12 19:49:08
|
hi all.

as of r3311 we've removed the --method option by a request from buawig. from now on usage of --data will imply that the method is POST.

kr

On Tue, Feb 1, 2011 at 11:30 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> On 1 February 2011 22:16, <bu...@gm...> wrote:
>> ...
>> If --data= is used it seems always to result in POST requests regardless of the --method switch
>> "--data=DATA Data string to be sent through POST"
>
> Yes, this is as per design choice.
>
>> this raises the question: What do you need --method for if the absence of --data results in a GET request and the presence of --data results in POST requests.
>
> In fact we do not.
>
>> I would propose the following behaviour:
>>
>> - remove the --method switch and make the method depend on whether the --data switch was used or not
>
> I think that I agree on this.
>
> Cheers,
> --
> Bernardo Damele A. G.

--
Miroslav Stampar
|
From: Miroslav S. <mir...@gm...> - 2011-02-12 07:32:08
|
hi.

this is either some case of false positive or dynamicity problem.

to resolve this either:

a) try --flush-session --text-only
or
b) --flush-session --string ....
please, find one string that is characteristic only to the TRUE page and use it with the --string parameter

if a) and b) fail to find any injection then the problem is most definitely a false positive. in that case please report with more details.

kr

On Sat, Feb 12, 2011 at 1:27 AM, Johnny Venter <Joh...@zo...> wrote:
> Here is a sample of output I receive when I request "--current-user":
>
> ?~t|r8p?@?~?xx?n?zt
>
> I am using version 0.9-dev.
>
> Boolean based blind is the type of injection that was found.
>
> On Feb 11, 2011, at 5:41 PM, Miroslav Stampar wrote:
>
>> hi Johnny.
>>
>> it's not normal behavior :)
>>
>> you haven't told which version you are using?
>>
>> kr
>>
>> On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
>>> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>>>
>>> I am using SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>>>
>>> Thanks, J

--
Miroslav Stampar
|
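An added example (not sqlmap code) for the two failure modes Miroslav names in this thread and in his Feb 14 follow-up, false positive and dynamic content: two fetches of the same page differ in a CSRF token and a render time, so a raw similarity ratio never reaches 1.0; a boolean-blind comparison built on it then turns into a coin flip per bit, which is how garbage such as Johnny's "?~t|r8p?@?~?xx?n?zt" comes out of an extraction. Diffing two baseline fetches isolates the dynamic spans so they can be stripped before any comparison (the dynamicity fix), and the --string approach keys on a substring only the TRUE page carries. The pages, the 8-character context width and the 0.98 threshold are constructed for the demo.

```python
"""Dynamic-content handling for boolean-blind page comparison.
Added example, not sqlmap code; all pages are constructed."""
import difflib
import re
from typing import List, Tuple

# Two fetches of the same page: only the CSRF token and the render time change.
BASE_1 = ("<html><body><input name='csrf' value='aaaa1111'><p>Rendered in 17 ms</p>"
          "<div id='msg'>Welcome back, admin</div></body></html>")
BASE_2 = ("<html><body><input name='csrf' value='bbbb2222'><p>Rendered in 23 ms</p>"
          "<div id='msg'>Welcome back, admin</div></body></html>")
# The FALSE page: same noise, different message.
FALSE_PAGE = ("<html><body><input name='csrf' value='cccc3333'><p>Rendered in 41 ms</p>"
              "<div id='msg'>Unknown user</div></body></html>")
THRESHOLD = 0.98  # assumed similarity bound for "same page"

Marker = Tuple[str, str]  # (static prefix, static suffix) around a dynamic span


def ratio(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b, autojunk=False).quick_ratio()


def dynamic_markers(a: str, b: str, ctx: int = 8) -> List[Marker]:
    """Diff two fetches of the *same* page; every non-equal opcode is dynamic
    content. Return the static context that brackets each such span."""
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    markers = []
    for tag, i1, i2, _j1, _j2 in sm.get_opcodes():
        if tag != "equal":
            markers.append((a[max(0, i1 - ctx):i1], a[i2:i2 + ctx]))
    return markers


def strip_dynamic(page: str, markers: List[Marker]) -> str:
    """Remove whatever sits between each (prefix, suffix) pair, keeping the pair,
    so that two fetches of one logical page become byte-identical."""
    for prefix, suffix in markers:
        pattern = re.escape(prefix) + r".*?" + re.escape(suffix)
        page = re.sub(pattern, lambda _m: prefix + suffix, page, count=1, flags=re.DOTALL)
    return page


def same_page(reference: str, candidate: str, markers: List[Marker]) -> bool:
    """Ratio comparison after the dynamic spans have been removed from both sides."""
    return ratio(strip_dynamic(reference, markers), strip_dynamic(candidate, markers)) >= THRESHOLD


def true_by_string(page: str, marker: str) -> bool:
    """The --string approach: a fixed substring that only the TRUE page carries."""
    return marker in page


if __name__ == "__main__":
    markers = dynamic_markers(BASE_1, BASE_2)
    print("raw ratio of two identical fetches:", round(ratio(BASE_1, BASE_2), 3))
    print("dynamic spans found:", markers)
    print("stripped fetches equal:", same_page(BASE_1, BASE_2, markers))
    print("stripped TRUE vs FALSE equal:", same_page(BASE_1, FALSE_PAGE, markers))
    print("--string on FALSE page:", true_by_string(FALSE_PAGE, "Welcome back"))
```

Both remedies need the operator to confirm the target before trusting any inferred data: if two untouched fetches already disagree, the comparison is unreliable until the dynamic spans are removed, and a --string marker only works when it is chosen from content that is truly absent from the FALSE page.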