sqlmap-users Mailing List for sqlmap (Page 106)
Brought to you by: inquisb
From: yonny m. <yo...@go...> - 2011-02-06 14:45:03

```
[17:38:28] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r3226)
Python version: 2.6.5
Operating system: posix
Command line: /pentest/database/sqlmap/sqlmap.py --level 5 --risk 3 --parse-errors --msf-path /pentest/exploits/framework3 --read-file /etc/passwd --time-sec 10 --method=POST --data=user_name=loan&password=2121 --threads 1 --timeout 39 -u ********************************************** --dbms mysql --flush-session
Technique: ERROR
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "/pentest/database/sqlmap/sqlmap.py", line 82, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 414, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 123, in action
    conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))
  File "/pentest/database/sqlmap/plugins/generic/filesystem.py", line 285, in readFile
    newFileContent += chunk
TypeError: cannot concatenate 'str' and 'NoneType' objects
```
From: Miroslav S. <mir...@gm...> - 2011-02-05 16:57:46

hi Steve.

we have been contacted by an author of wavsep, as he wasn't able to run sqlmap against it. he'll rerun the test when 0.9 stable will go out.

well, I won't tell you the results (of our own run), to not curse them :). you'll see them in time.

kr

On Sat, Feb 5, 2011 at 5:51 PM, Steve Pinkham <ste...@gm...> wrote:
> On 02/05/2011 03:23 AM, Miroslav Stampar wrote:
>> Hi again.
>>
>> I was giving it a thought and the final for now is no. This would break the concept of sqlmap a lot.
>>
>> We are identifying injection points by parameter names (also considering the place where it's located - e.g. GET/id).
>>
>> In case where we would "modify" sqlmap to accept these "cases" we would need not just replace dictionary with list, but to change the whole data model. This moment we have more priority stuff to do.
>
> I would agree. The only thing I've really found HTTP Parameter Pollution useful for so far is XSS filtering workarounds, both for the IE 8 client side filter and WAF type tech. I can't think of too many places where it would be directly useful for SQL injection. Definitely a corner case for that application probably is best handled by a human brain.
>
> The problem with web security in general is the amount of corner cases is huge, and most tools don't even do a good job of hitting the easy cases yet. Sqlmap is definitely ahead of the curve for SQL injection tools.
>
> Speaking of which, have you given sqlmap a try on WAVSEP yet? I've used it a bit for XSS tool vetting and development the past few weeks (and am adding some more test cases), but haven't looked at it for SQL injection yet.
>
> http://code.google.com/p/wavsep/
>
>> Three things I would suggest so you could make a scan "compliant" to sqlmap are:
>> 1) either use URI injection mark * to tell sqlmap where to look for injection (e.g. ./sqlmap.py -u "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1")
>> or
>> 2) concatenate/adjust the URI yourself manually - so, if you see that there are two idA parameters try to manually play around and see what web servers do with those - try to concatenate and/or delete first one
>> or
>> 3) be realistic. there are lots of "junk" URIs in the wild that can be "beautified" by yourself - e.g. ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test
>>
>> kr
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-02-05 16:51:35

On 02/05/2011 03:23 AM, Miroslav Stampar wrote:
> Hi again.
>
> I was giving it a thought and the final for now is no. This would break the concept of sqlmap a lot.
>
> We are identifying injection points by parameter names (also considering the place where it's located - e.g. GET/id).
>
> In case where we would "modify" sqlmap to accept these "cases" we would need not just replace dictionary with list, but to change the whole data model. This moment we have more priority stuff to do.

I would agree. The only thing I've really found HTTP Parameter Pollution useful for so far is XSS filtering workarounds, both for the IE 8 client side filter and WAF type tech. I can't think of too many places where it would be directly useful for SQL injection. Definitely a corner case for that application probably is best handled by a human brain.

The problem with web security in general is the amount of corner cases is huge, and most tools don't even do a good job of hitting the easy cases yet. Sqlmap is definitely ahead of the curve for SQL injection tools.

Speaking of which, have you given sqlmap a try on WAVSEP yet? I've used it a bit for XSS tool vetting and development the past few weeks (and am adding some more test cases), but haven't looked at it for SQL injection yet.

http://code.google.com/p/wavsep/

> Three things I would suggest so you could make a scan "compliant" to sqlmap are:
> 1) either use URI injection mark * to tell sqlmap where to look for injection (e.g. ./sqlmap.py -u "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1")
> or
> 2) concatenate/adjust the URI yourself manually - so, if you see that there are two idA parameters try to manually play around and see what web servers do with those - try to concatenate and/or delete first one
> or
> 3) be realistic. there are lots of "junk" URIs in the wild that can be "beautified" by yourself - e.g. ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test
>
> kr

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-02-05 14:15:47

hi Ahmed.

thank you for your report. at the end we were able to reproduce it.

find the fix in the latest revision (r3226)

kr

On Fri, Feb 4, 2011 at 9:17 PM, Ahmed Shawky <ah...@is...> wrote:
> sqlmap version: 0.9-dev (r3225)
> Python version: 2.7
> Operating system: posix
> Command line: ./sqlmap.py -u ************************************ --method=POST --data=email=test&pass=test&keepcookies=1&login=1 --level=3
> Technique: UNION
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 82, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 356, in start
>     injection = checkSqlInjection(place, parameter, value)
>   File "/pentest/database/sqlmap/lib/controller/checks.py", line 375, in checkSqlInjection
>     reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
>   File "/pentest/database/sqlmap/lib/techniques/inband/union/test.py", line 196, in unionTest
>     validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)
>   File "/pentest/database/sqlmap/lib/techniques/inband/union/test.py", line 170, in __unionTestByCharBruteforce
>     count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)
>   File "/pentest/database/sqlmap/lib/techniques/inband/union/test.py", line 70, in __findUnionCharCount
>     if abs(max_ - min_) < MIN_STATISTICAL_RANGE:
> TypeError: unsupported operand type(s) for -: 'float' and 'NoneType'
>
> [*] shutting down at: 22:11:56
>
> --
> Ahmed Shawky El-Antry
> Pen-tester, Programmer and System administrator
> lnxg33k owner "http://lnxg33k.wordpress.com"
> Isecur1ty team "http://www.isecur1ty.org"
> Twitter @lnxg33k
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Chris O. <chr...@gm...> - 2011-02-05 10:21:53

Hi all

Thanks for the input, really fast as always :)

Very interesting reading on multiple instances of the same parameter; not that I've really seen it "in the wild" but I had assumed that the server would just take the last value of it and overwrite the old - obviously that's not always the case!

Chris

On 5 February 2011 08:33, Miroslav Stampar <mir...@gm...> wrote:
> as said, Steve is the man :)
>
> this was a really interesting article i must say. also, you've proved to me that some web server applications really concatenate those parameters.
>
> for the time being, as said in the last message related to this topic, we'll leave everything as it is.
>
> kr
>
> On Fri, Feb 4, 2011 at 10:09 PM, Steve Pinkham <ste...@gm...> wrote:
>> On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
>>> well, i am 99% sure that one parameter value is just overwritten by the other. in that case it doesn't matter if sqlmap handles parameters as dictionary.
>>>
>>> prove me wrong Pieter with some example :)
>>>
>>> i like people that prove me wrong (Steve was one of those with that newly found mssql server query delay payload)
>>>
>>> kr
>>
>> It's been called HTTP parameter pollution, and different server software responds differently. When faced with multiple inputs, some take the first, some take the last, and some auto-magically turn it into an array or concatenate them with a comma.
>>
>> Sometimes the software will use the first parameter, but the WAF might only sanitise the last, or vice versa.
>>
>> Here was some of the first research into the phenomenon:
>>
>> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>>
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>
> --
> Miroslav Stampar
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-05 08:33:15

as said, Steve is the man :)

this was a really interesting article i must say. also, you've proved to me that some web server applications really concatenate those parameters.

for the time being, as said in the last message related to this topic, we'll leave everything as it is.

kr

On Fri, Feb 4, 2011 at 10:09 PM, Steve Pinkham <ste...@gm...> wrote:
> On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
>> well, i am 99% sure that one parameter value is just overwritten by the other. in that case it doesn't matter if sqlmap handles parameters as dictionary.
>>
>> prove me wrong Pieter with some example :)
>>
>> i like people that prove me wrong (Steve was one of those with that newly found mssql server query delay payload)
>>
>> kr
>
> It's been called HTTP parameter pollution, and different server software responds differently. When faced with multiple inputs, some take the first, some take the last, and some auto-magically turn it into an array or concatenate them with a comma.
>
> Sometimes the software will use the first parameter, but the WAF might only sanitise the last, or vice versa.
>
> Here was some of the first research into the phenomenon:
>
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-05 08:23:31

Hi again.

I was giving it a thought and the final for now is no. This would break the concept of sqlmap a lot.

We are identifying injection points by parameter names (also considering the place where it's located - e.g. GET/id).

In case where we would "modify" sqlmap to accept these "cases" we would need not just replace dictionary with list, but to change the whole data model. This moment we have more priority stuff to do.

Three things I would suggest so you could make a scan "compliant" to sqlmap are:
1) either use URI injection mark * to tell sqlmap where to look for injection (e.g. ./sqlmap.py -u "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1")
or
2) concatenate/adjust the URI yourself manually - so, if you see that there are two idA parameters try to manually play around and see what web servers do with those - try to concatenate and/or delete first one
or
3) be realistic. there are lots of "junk" URIs in the wild that can be "beautified" by yourself - e.g. ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test

kr

On Fri, Feb 4, 2011 at 11:37 PM, Pieter de Boer <pi...@th...> wrote:
> On 02/04/11 20:37, Miroslav Stampar wrote:
>> are you certain that one parameter value is not "overwritten" by the other at the server's side. in server side programming (PHP, ASP) i don't know how to handle such requests out of box.
>>
>> could you please post some examples just to experiment?
>
> Unfortunately I don't have examples, but I've seen such cases 'in the wild'. It can be used for selecting multiple items from a list, for example. It really depends on how the application, language or framework handles the parameters, as Steve mailed earlier.
>
> It may not be very useful to implement as it's rarely used for useful purposes, but if it's not a problem to replace the dict with a list, I suggest considering doing so.
>
> Regards,
> Pieter

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Pieter de B. <pi...@th...> - 2011-02-04 22:37:22

On 02/04/11 20:37, Miroslav Stampar wrote:
> are you certain that one parameter value is not "overwritten" by the other at the server's side. in server side programming (PHP, ASP) i don't know how to handle such requests out of box.
>
> could you please post some examples just to experiment?

Unfortunately I don't have examples, but I've seen such cases 'in the wild'. It can be used for selecting multiple items from a list, for example. It really depends on how the application, language or framework handles the parameters, as Steve mailed earlier.

It may not be very useful to implement as it's rarely used for useful purposes, but if it's not a problem to replace the dict with a list, I suggest considering doing so.

Regards,
Pieter
From: Steve P. <ste...@gm...> - 2011-02-04 21:09:33

On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
> well, i am 99% sure that one parameter value is just overwritten by the other. in that case it doesn't matter if sqlmap handles parameters as dictionary.
>
> prove me wrong Pieter with some example :)
>
> i like people that prove me wrong (Steve was one of those with that newly found mssql server query delay payload)
>
> kr

It's been called HTTP parameter pollution, and different server software responds differently. When faced with multiple inputs, some take the first, some take the last, and some auto-magically turn it into an array or concatenate them with a comma.

Sometimes the software will use the first parameter, but the WAF might only sanitise the last, or vice versa.

Here was some of the first research into the phenomenon:

http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Ahmed S. <ah...@is...> - 2011-02-04 20:44:47

```
sqlmap version: 0.9-dev (r3225)
Python version: 2.7
Operating system: posix
Command line: ./sqlmap.py -u ************************************ --method=POST --data=email=test&pass=test&keepcookies=1&login=1 --level=3
Technique: UNION
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 82, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 356, in start
    injection = checkSqlInjection(place, parameter, value)
  File "/pentest/database/sqlmap/lib/controller/checks.py", line 375, in checkSqlInjection
    reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
  File "/pentest/database/sqlmap/lib/techniques/inband/union/test.py", line 196, in unionTest
    validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)
  File "/pentest/database/sqlmap/lib/techniques/inband/union/test.py", line 170, in __unionTestByCharBruteforce
    count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)
  File "/pentest/database/sqlmap/lib/techniques/inband/union/test.py", line 70, in __findUnionCharCount
    if abs(max_ - min_) < MIN_STATISTICAL_RANGE:
TypeError: unsupported operand type(s) for -: 'float' and 'NoneType'

[*] shutting down at: 22:11:56
```

--
Ahmed Shawky El-Antry
Pen-tester, Programmer and System administrator
lnxg33k owner "http://lnxg33k.wordpress.com"
Isecur1ty team "http://www.isecur1ty.org"
Twitter @lnxg33k
From: Pieter de B. <pi...@th...> - 2011-02-04 19:52:16

On 02/04/11 19:06, Miroslav Stampar wrote:
> From now (r3225) we are storing dictionary keys in the order of appearance (OrderedDict principle).
>
> That means that if you have URL like ?rss=1&back=2&out=3&index=0 their testing order will be the same as their order of appearance (rss, back, out and index at the end).

Hm, how does it handle URLs with the same parameter more than once? While perhaps a bit odd, I have seen such URLs in practice.

--
Pieter
From: Miroslav S. <mir...@gm...> - 2011-02-04 19:45:36

well, i am 99% sure that one parameter value is just overwritten by the other. in that case it doesn't matter if sqlmap handles parameters as dictionary.

prove me wrong Pieter with some example :)

i like people that prove me wrong (Steve was one of those with that newly found mssql server query delay payload)

kr

On Fri, Feb 4, 2011 at 8:37 PM, Miroslav Stampar <mir...@gm...> wrote:
> well, as said, it's a dictionary. that means that it doesn't play well with such "abominations" :)
>
> are you certain that one parameter value is not "overwritten" by the other at the server's side. in server side programming (PHP, ASP) i don't know how to handle such requests out of box.
>
> could you please post some examples just to experiment?
>
> kr
>
> On Fri, Feb 4, 2011 at 8:34 PM, Pieter de Boer <pi...@th...> wrote:
>> On 02/04/11 19:06, Miroslav Stampar wrote:
>>> From now (r3225) we are storing dictionary keys in the order of appearance (OrderedDict principle).
>>>
>>> That means that if you have URL like ?rss=1&back=2&out=3&index=0 their testing order will be the same as their order of appearance (rss, back, out and index at the end).
>>
>> Hm, how does it handle URLs with the same parameter more than once? While perhaps a bit odd, I have seen such URLs in practice.
>>
>> --
>> Pieter
>
> --
> Miroslav Stampar
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-04 19:38:05

well, as said, it's a dictionary. that means that it doesn't play well with such "abominations" :)

are you certain that one parameter value is not "overwritten" by the other at the server's side. in server side programming (PHP, ASP) i don't know how to handle such requests out of box.

could you please post some examples just to experiment?

kr

On Fri, Feb 4, 2011 at 8:34 PM, Pieter de Boer <pi...@th...> wrote:
> On 02/04/11 19:06, Miroslav Stampar wrote:
>> From now (r3225) we are storing dictionary keys in the order of appearance (OrderedDict principle).
>>
>> That means that if you have URL like ?rss=1&back=2&out=3&index=0 their testing order will be the same as their order of appearance (rss, back, out and index at the end).
>
> Hm, how does it handle URLs with the same parameter more than once? While perhaps a bit odd, I have seen such URLs in practice.
>
> --
> Pieter

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-04 18:07:00

Hi again.

Please update to the latest revision to have this "updated".

From now (r3225) we are storing dictionary keys in the order of appearance (OrderedDict principle).

That means that if you have URL like ?rss=1&back=2&out=3&index=0 their testing order will be the same as their order of appearance (rss, back, out and index at the end).

kr

On Fri, Feb 4, 2011 at 6:45 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Chris.
>
> well, it starts with sort, and goes to the end, but the manufacturer_id is indeed being tested:
>
> ...
> [18:42:57] [INFO] confirming that GET parameter 'manufacturer_id' is dynamic
> [18:42:57] [INFO] GET parameter 'manufacturer_id' is dynamic
> ...
>
> problematic part is that we use python dictionary to store parameters, potentially screwing their order of appearance. we can check out what can be done.
>
> in the meantime you can force checking of manufacturer_id by issuing: -p manufacturer_id
>
> kr
>
> On Fri, Feb 4, 2011 at 5:27 PM, Chris Oakley <chr...@gm...> wrote:
>> Hi all
>>
>> I've just issued the following command using the latest revision of sqlmap .9:
>>
>> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://x.x.x.x/index.php?route=product/manufacturer&manufacturer_id=1&sort=pd.name&order=DESC&page=18&script1296664523519=12345" --text-only --proxy "http://127.0.0.1:8085" --level=5 --risk=3 --flush-session
>>
>> Partial output from this command is as follows:
>>
>> [16:22:21] [INFO] flushing session file
>> [16:22:21] [INFO] testing connection to the target url
>> [16:22:21] [INFO] testing if the url is stable, wait a few seconds
>> [16:22:23] [INFO] url is stable
>> [16:22:23] [INFO] testing if GET parameter 'sort' is dynamic
>> [16:22:24] [WARNING] GET parameter 'sort' is not dynamic
>> [16:22:24] [WARNING] heuristic test shows that GET parameter 'sort' might not be injectable
>> [16:22:24] [INFO] testing sql injection on GET parameter 'sort'
>>
>> The parameter I'm specifically looking at as potentially injectable is "manufacturer_id" but sqlmap starts at 'sort' and then moves through to the end of the param list, then ends, totally bypassing the first parameter.
>>
>> For testing purposes if you install a clean version of the latest open cart, you should be able to replicate this.
>>
>> Regards
>>
>> Chris
>
> --
> Miroslav Stampar
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-04 17:46:11

Hi Chris.

well, it starts with sort, and goes to the end, but the manufacturer_id is indeed being tested:

```
...
[18:42:57] [INFO] confirming that GET parameter 'manufacturer_id' is dynamic
[18:42:57] [INFO] GET parameter 'manufacturer_id' is dynamic
...
```

problematic part is that we use python dictionary to store parameters, potentially screwing their order of appearance. we can check out what can be done.

in the meantime you can force checking of manufacturer_id by issuing: -p manufacturer_id

kr

On Fri, Feb 4, 2011 at 5:27 PM, Chris Oakley <chr...@gm...> wrote:
> Hi all
>
> I've just issued the following command using the latest revision of sqlmap .9:
>
> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://x.x.x.x/index.php?route=product/manufacturer&manufacturer_id=1&sort=pd.name&order=DESC&page=18&script1296664523519=12345" --text-only --proxy "http://127.0.0.1:8085" --level=5 --risk=3 --flush-session
>
> Partial output from this command is as follows:
>
> [16:22:21] [INFO] flushing session file
> [16:22:21] [INFO] testing connection to the target url
> [16:22:21] [INFO] testing if the url is stable, wait a few seconds
> [16:22:23] [INFO] url is stable
> [16:22:23] [INFO] testing if GET parameter 'sort' is dynamic
> [16:22:24] [WARNING] GET parameter 'sort' is not dynamic
> [16:22:24] [WARNING] heuristic test shows that GET parameter 'sort' might not be injectable
> [16:22:24] [INFO] testing sql injection on GET parameter 'sort'
>
> The parameter I'm specifically looking at as potentially injectable is "manufacturer_id" but sqlmap starts at 'sort' and then moves through to the end of the param list, then ends, totally bypassing the first parameter.
>
> For testing purposes if you install a clean version of the latest open cart, you should be able to replicate this.
>
> Regards
>
> Chris

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
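Added example, not sqlmap's code and not from any message in this thread: the query-string handling the thread argues about. It shows the order-preserving parse next to the one-value-per-name dictionary Miroslav describes (the r3225 OrderedDict behaviour for test order), the first/last/array/join resolution policies from Steve's HTTP parameter pollution message, and a check for the case he mentions where a filter inspects a different value from the one the application uses. Parameter names are taken from Miroslav's and Chris's messages; the policy names and every function name are my own.

```python
"""Repeated query parameters: ordered parse, dict collapse, and HPP policies."""
from collections import OrderedDict
from urllib.parse import parse_qsl

# Constructed samples: the repeated-parameter URI from Miroslav's message and
# the OpenCart-style query from Chris's report (star marker removed).
HPP_QUERY = "idA=1&idB=2&idA=3&idC=1"
OPENCART_QUERY = ("route=product/manufacturer&manufacturer_id=1&sort=pd.name"
                  "&order=DESC&page=18&script1296664523519=12345")


def parse_ordered(query):
    """Return (name, value) pairs in order of appearance, duplicates kept."""
    return parse_qsl(query, keep_blank_values=True)


def collapse_to_dict(pairs):
    """Store the pairs keyed by name, one value per name, as sqlmap did.
    A repeated name keeps only its last value; the earlier one is lost.
    OrderedDict keeps first-appearance order even on old Python releases."""
    params = OrderedDict()
    for name, value in pairs:
        params[name] = value
    return params


def parameter_test_order(query):
    """Names in order of first appearance: the testing order after r3225."""
    return list(collapse_to_dict(parse_ordered(query)).keys())


def duplicated_names(pairs):
    """Names that occur more than once, in order of first appearance."""
    seen, dupes = set(), []
    for name, _ in pairs:
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


def resolve(pairs, name, policy):
    """Value a back end sees for `name` under one HPP policy:
    'first', 'last', 'array' (every value) or 'join' (comma-concatenated)."""
    values = [v for n, v in pairs if n == name]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "array":
        return values
    if policy == "join":
        return ",".join(values)
    raise ValueError("unknown policy: %s" % policy)


def filter_blind_spots(pairs, waf_policy, app_policy):
    """Names for which a filter using `waf_policy` inspects a different value
    from the one the application resolves with `app_policy`.  Any name here
    is input the filter never saw; the fix is one parsing policy on both
    sides, or rejecting repeated names before either side looks at them."""
    return [name for name in duplicated_names(pairs)
            if resolve(pairs, name, waf_policy) != resolve(pairs, name, app_policy)]


def reject_ambiguous(query):
    """Strict parse: raise on any repeated name, otherwise return the dict."""
    pairs = parse_ordered(query)
    dupes = duplicated_names(pairs)
    if dupes:
        raise ValueError("repeated parameter(s): %s" % ", ".join(dupes))
    return collapse_to_dict(pairs)


if __name__ == "__main__":
    pairs = parse_ordered(HPP_QUERY)
    print("ordered pairs:", pairs)
    print("collapsed:    ", list(collapse_to_dict(pairs).items()))
    for policy in ("first", "last", "array", "join"):
        print("idA under %-5s -> %r" % (policy, resolve(pairs, "idA", policy)))
    print("WAF=last, app=first disagree on:", filter_blind_spots(pairs, "last", "first"))
    print("test order:", parameter_test_order(OPENCART_QUERY))
```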
From: Chris O. <chr...@gm...> - 2011-02-04 16:27:36

Hi all

I've just issued the following command using the latest revision of sqlmap .9:

```
C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://x.x.x.x/index.php?route=product/manufacturer&manufacturer_id=1&sort=pd.name&order=DESC&page=18&script1296664523519=12345" --text-only --proxy "http://127.0.0.1:8085" --level=5 --risk=3 --flush-session
```

Partial output from this command is as follows:

```
[16:22:21] [INFO] flushing session file
[16:22:21] [INFO] testing connection to the target url
[16:22:21] [INFO] testing if the url is stable, wait a few seconds
[16:22:23] [INFO] url is stable
[16:22:23] [INFO] testing if GET parameter 'sort' is dynamic
[16:22:24] [WARNING] GET parameter 'sort' is not dynamic
[16:22:24] [WARNING] heuristic test shows that GET parameter 'sort' might not be injectable
[16:22:24] [INFO] testing sql injection on GET parameter 'sort'
```

The parameter I'm specifically looking at as potentially injectable is "manufacturer_id" but sqlmap starts at 'sort' and then moves through to the end of the param list, then ends, totally bypassing the first parameter.

For testing purposes if you install a clean version of the latest open cart, you should be able to replicate this.

Regards

Chris
From: Miroslav S. <mir...@gm...> - 2011-02-04 14:03:00

Hi Zack.

Fixed and committed. Thank you for your report.

KR

On Fri, Feb 4, 2011 at 10:47 AM, Zack Payton <zac...@ex...> wrote:
> sqlmap version: 0.9-dev (r3206)
> Python version: 2.6.1
> Operating system: posix
> Command line: sqlmap.py --tables --exclude-sysdbs -u ********************************************************************
> Technique: ERROR
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap.py", line 82, in main
>     start()
>   File "/Users/whodatbe/Code/sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "/Users/whodatbe/Code/sqlmap-dev/lib/controller/action.py", line 91, in action
>     conf.dumper.dbTables(conf.dbmsHandler.getTables())
>   File "/Users/whodatbe/Code/sqlmap-dev/lib/core/dump.py", line 151, in dbTables
>     maxlength = max(maxlength, len(table))
> TypeError: object of type 'NoneType' has no len()
>
> [*] shutting down at: 01:44:52
>
> --
> Zachary Payton
> Executive Instruments, Inc.
> Site: http://www.executiveinstruments.com
> Email: zac...@ex...
> Blog: http://executiveinstruments.blogspot.com/
> PGP Key ID: 0x9E74F148
> Phone: 703.350.7069

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-04 10:19:43

Hi all.

There was a really nasty bug going on which "minorized" the true importance of the --text-only switch :)

Also, as there were some related changes going on in the last 12 hours, it's quite possible that you had some "FALSE negatives". Now, with r3208, the bug is "terminated".

KR

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Zack P. <zac...@ex...> - 2011-02-04 10:11:49

sqlmap version: 0.9-dev (r3206)
Python version: 2.6.1
Operating system: posix
Command line: sqlmap.py --tables --exclude-sysdbs -u ********************************************************************
Technique: ERROR
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "sqlmap.py", line 82, in main
    start()
  File "/Users/whodatbe/Code/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/Users/whodatbe/Code/sqlmap-dev/lib/controller/action.py", line 91, in action
    conf.dumper.dbTables(conf.dbmsHandler.getTables())
  File "/Users/whodatbe/Code/sqlmap-dev/lib/core/dump.py", line 151, in dbTables
    maxlength = max(maxlength, len(table))
TypeError: object of type 'NoneType' has no len()

[*] shutting down at: 01:44:52

--
Zachary Payton
Executive Instruments, Inc.
Site: http://www.executiveinstruments.com
Email: zac...@ex...
Blog: http://executiveinstruments.blogspot.com/
PGP Key ID: 0x9E74F148
Phone: 703.350.7069
From: Miroslav S. <mir...@gm...> - 2011-02-03 15:22:00

Hi all.

I just wanted to drop a short message regarding "misuse" of --threads that I've noticed on lots of instances from various users. Well, the best starting point should be the following error message:

"HTTP 403.9 - Access Forbidden: Too many users are connected"

--threads=20, --threads=40 and stuff like that doesn't make any sense. All of you who used it have risked three things:

A) lots of scanning noise
B) potential DoS
C) potential problems which result in a message like the one from the beginning of this mail (leading to scanning results with lots of ????).

Every site has its bandwidth, and using some crazy number for --threads won't help you much in lots of cases. It will just get worse.

We've fixed a potential issue with --keep-alive and --threads (or -o) in the latest commit r3196, but still, to prevent misuse out of "i didn't know that this could cause any problems", the number of threads is now limited to 10. But, if you know what you are doing and don't want this kind of restraining, you can go to lib/core/settings.py and there manually change the maximum number of threads given by the line:

MAX_NUMBER_OF_THREADS = 10

KR

p.s. for plain old users who prefer the -o switch, it has been stabilized with r3196

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-02-02 21:35:26

hi.

you've reported this and we've fixed it 2 days ago :) you are using r3139, fix was made in r3141, while current revision is r3186 :)))

kr

On Wed, Feb 2, 2011 at 9:48 PM, m4l1c3 <mal...@gm...> wrote:
> ./sqlmap.py -u "domain.tld/som.php?xxx=99999" --dump -D database -T this
>
> Enumerates DB, Table, but fails to dump to csv.
>
> [15:33:17] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r3139)
> Python version: 2.5.2
> Operating system: posix
> Technique: ERROR
> Back-end DBMS: MySQL
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 103, in action
>     conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>   File "/pentest/database/sqlmap-dev/lib/core/dump.py", line 366, in dbTableValues
>     self.__write("| %s%s" % (value, blank), n=False)
>   File "/pentest/database/sqlmap-dev/lib/core/dump.py", line 38, in __write
>     dataToStdout(text)
>   File "/pentest/database/sqlmap-dev/lib/core/common.py", line 590, in dataToStdout
>     sys.stdout.write(data.encode(UNICODE_ENCODING, errors="replace"))
> TypeError: encode() takes no keyword arguments

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: m4l1c3 <mal...@gm...> - 2011-02-02 20:48:24

./sqlmap.py -u "domain.tld/som.php?xxx=99999" --dump -D database -T this

Enumerates DB, Table, but fails to dump to csv.

[15:33:17] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r3139)
Python version: 2.5.2
Operating system: posix
Technique: ERROR
Back-end DBMS: MySQL
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 103, in action
    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "/pentest/database/sqlmap-dev/lib/core/dump.py", line 366, in dbTableValues
    self.__write("| %s%s" % (value, blank), n=False)
  File "/pentest/database/sqlmap-dev/lib/core/dump.py", line 38, in __write
    dataToStdout(text)
  File "/pentest/database/sqlmap-dev/lib/core/common.py", line 590, in dataToStdout
    sys.stdout.write(data.encode(UNICODE_ENCODING, errors="replace"))
TypeError: encode() takes no keyword arguments
From: Miroslav S. <mir...@gm...> - 2011-02-02 14:53:17

Hi all.

We've chosen to remove the switch -a, as in most cases it was probably used in conjunction with "./txt/user-agents.txt", and replace it/them with the more usable --random-agent switch.

Before: -a "./txt/user-agents.txt"
Now: --random-agent

Also, quite recently we've updated the user-agents.txt file with the most recent entries, so you don't have to worry about the quality of "randomness" :)

KR

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: David G. <sk...@gm...> - 2011-02-02 11:12:02

Thank u bernardo. =)

On Wed, Feb 2, 2011 at 7:46 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Now also UNION query technique take into account --start and --stop,
> like other techniques.
>
> Bernardo
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F

--
David Gomes Guimarães
From: Bernardo D. A. G. <ber...@gm...> - 2011-02-02 09:47:05

Now also the UNION query technique takes into account --start and --stop, like the other techniques.

Bernardo

On 28 January 2011 15:12, Miroslav Stampar <mir...@gm...> wrote:
> yes, Bernardo warned me about this yesterday night :)
>
> we'll try to find something
>
> kr
>
> On Fri, Jan 28, 2011 at 4:02 PM, David Guimaraes <sk...@gm...> wrote:
>> --start and --stop are not working
>>
>> Sqlmap just ignores these parameters. i think when used with the union injection
>> technique, these parameters are ignored(??). tried with --start 1 and --stop 20.
>>
>> On Thu, Jan 27, 2011 at 6:04 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> in the mean time you can try to use these:
>>>
>>> --start=LIMITSTART   First query output entry to retrieve
>>> --stop=LIMITSTOP     Last query output entry to retrieve
>>>
>>> kr
>>>
>>> On Thu, Jan 27, 2011 at 8:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> > http://mail.python.org/pipermail/mailman-users/2005-October/047436.html
>>> >
>>> > "A MemoryError exception is a built-in Python exception "Raised when an
>>> > operation runs out of memory but the situation may still be rescued
>>> > (by deleting some objects)."
>>> >
>>> > How many members does this list have? According to the FAQ, the largest
>>> > list reported to date has 147,000 members and presumably works.
>>> > Possibly something in the cPanel implementation or your particular
>>> > installation limits this to a greater degree."
>>> >
>>> > now, this messes our concept a bit but we'll try to adapt.
>>> >
>>> > kr
>>> >
>>> > On Thu, Jan 27, 2011 at 8:45 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> >> LOL (50,350 entries in the table and 48 columns)
>>> >>
>>> >> we'll try to make some tests regarding this and report accordingly.
>>> >> haven't planned this kind of "huge" data retrievals :)
>>> >>
>>> >> kr
>>> >>
>>> >> On Thu, Jan 27, 2011 at 8:40 PM, David Guimaraes <sk...@gm...> wrote:
>>> >>> # ./sqlmap.py --method post --cookie "PHPSESSID=7i2j7ou46iu4c62xxx4kemiql6" --data "vulnparam=6" -u "http://www.vulnsite.com/intranet/vulnphp.php" -v 3 -D nomes -T class --dump
>>> >>>
>>> >>>     sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>>> >>>     http://sqlmap.sourceforge.net
>>> >>>
>>> >>> [*] starting at: 16:58:05
>>> >>>
>>> >>> [16:58:05] [DEBUG] cleaning up configuration parameters
>>> >>> [16:58:05] [DEBUG] setting the HTTP timeout
>>> >>> [16:58:05] [DEBUG] setting the HTTP Cookie header
>>> >>> [16:58:05] [DEBUG] setting the HTTP method to POST
>>> >>> [16:58:05] [DEBUG] creating HTTP requests opener object
>>> >>> [16:58:05] [INFO] using '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session' as session file
>>> >>> [16:58:05] [INFO] resuming injection data from session file
>>> >>> [16:58:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
>>> >>> [16:58:05] [INFO] testing connection to the target url
>>> >>> you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n]
>>> >>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>>> >>> ---
>>> >>> Place: POST
>>> >>> Parameter: vulnparam
>>> >>>     Type: boolean-based blind
>>> >>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>> >>>     Payload: vulnparam=6 AND 5647=5647
>>> >>>
>>> >>>     Type: error-based
>>> >>>     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>>> >>>     Payload: vulnparam=6 AND (SELECT 714 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,106,112,58),(SELECT (CASE WHEN (714=714) THEN 1 ELSE 0 END)),CHAR(58,99,99,109,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
>>> >>>
>>> >>>     Type: UNION query
>>> >>>     Title: MySQL UNION query (NULL) - 4 to 7 columns
>>> >>>     Payload: vulnparam=6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,111,106,112,58),IFNULL(CAST(CHAR(101,76,89,111) AS CHAR), CHAR(32)),CHAR(58,99,99,109,58)), NULL, NULL#
>>> >>>
>>> >>>     Type: AND/OR time-based blind
>>> >>>     Title: MySQL > 5.0.11 AND time-based blind
>>> >>>     Payload: vulnparam=6 AND SLEEP(5)
>>> >>> ---
>>> >>>
>>> >>> [16:58:06] [INFO] the back-end DBMS is MySQL
>>> >>>
>>> >>> web application technology: PHP 5.3.2
>>> >>> back-end DBMS: MySQL 5.0
>>> >>> [16:58:06] [INFO] fetching columns for table 'class' on database 'nomes'
>>> >>> [16:58:06] [INFO] read from file '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session': vulncolumns
>>> >>> [16:58:06] [INFO] fetching entries for table 'class' on database 'nomes'
>>> >>> [16:58:06] [PAYLOAD] 6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,101,110,122,58),XXX,CHAR(58,111,115,122,58)), NULL, NULL FROM nomes.class#
>>> >>> [17:00:09] [DEBUG] performed 1 queries in 122 seconds
>>> >>>
>>> >>> [17:00:13] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>>> >>> sqlmap version: 0.9-dev
>>> >>> Python version: 2.6.5
>>> >>> Operating system: posix
>>> >>> Traceback (most recent call last):
>>> >>>   File "./sqlmap.py", line 83, in main
>>> >>>     start()
>>> >>>   File "/home/kkk/sqlmap-dev/lib/controller/controller.py", line 414, in start
>>> >>>     action()
>>> >>>   File "/home/kkk/sqlmap-dev/lib/controller/action.py", line 103, in action
>>> >>>     conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>>> >>>   File "/home/kkk/sqlmap-dev/plugins/generic/enumeration.py", line 1189, in dumpTable
>>> >>>     entries = inject.getValue(query, blind=False, dump=True)
>>> >>>   File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 427, in getValue
>>> >>>     value = __goInband(query, expected, sort, resumeValue, unpack, dump)
>>> >>>   File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
>>> >>>     data = parseUnionPage(output, expression, partial, None, sort)
>>> >>>   File "/home/kkk/sqlmap-dev/lib/core/common.py", line 785, in parseUnionPage
>>> >>>     dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, logOutput))
>>> >>> MemoryError
>>> >>>
>>> >>> [*] shutting down at: 17:00:13
>>> >>>
>>> >>> There are about 50,350 entries in the table and 48 columns. I tested the query manually, and it returned a page with 600k of information. I think that sqlmap did not support the amount of data...?
>>> >>>
>>> >>> David
>>
>> --
>> David Gomes Guimarães

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
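The windowed retrieval behind --start/--stop, as an added example written for this thread rather than sqlmap's own code: a first/last entry range is turned into LIMIT windows and rows are handed to a sink one window at a time, so a 50,350-row table is never assembled as one in-memory string the way the MemoryError run above did. The 1-based inclusive meaning of start/stop, the chunk size, and the fetch callback are assumptions made for the illustration.

```python
"""Added example (not sqlmap code): bounded-memory retrieval in LIMIT windows.

Assumes --start/--stop style semantics: 1-based, inclusive 'first entry' and
'last entry' to retrieve.  The fetch callback and sample table are constructed.
"""
from typing import Callable, Iterator, List, Sequence, Tuple

Row = Tuple[str, ...]


def limit_window(start: int, stop: int) -> Tuple[int, int]:
    """Translate a 1-based inclusive [start, stop] entry range into the
    (offset, count) pair of a MySQL ``LIMIT offset, count`` clause."""
    if start < 1 or stop < start:
        raise ValueError("need 1 <= start <= stop, got %d..%d" % (start, stop))
    return start - 1, stop - start + 1


def limit_clause(start: int, stop: int) -> str:
    offset, count = limit_window(start, stop)
    return "LIMIT %d, %d" % (offset, count)


def windows(start: int, stop: int, chunk: int) -> Iterator[Tuple[int, int]]:
    """Split [start, stop] into consecutive inclusive sub-ranges of at most
    ``chunk`` entries, so every query returns a bounded amount of data."""
    if chunk < 1:
        raise ValueError("chunk must be positive")
    lo = start
    while lo <= stop:
        hi = min(lo + chunk - 1, stop)
        yield lo, hi
        lo = hi + 1


def dump_in_windows(base_query: str, start: int, stop: int, chunk: int,
                    fetch: Callable[[str], Sequence[Row]],
                    sink: Callable[[Row], None]) -> int:
    """Run base_query window by window, passing each row to ``sink`` as it
    arrives instead of accumulating the whole table.  Returns the number of
    rows delivered; stops early when a window comes back short, i.e. the
    table ended before ``stop``."""
    delivered = 0
    for lo, hi in windows(start, stop, chunk):
        rows = fetch("%s %s" % (base_query, limit_clause(lo, hi)))
        for row in rows:
            sink(row)
            delivered += 1
        if len(rows) < hi - lo + 1:
            break
    return delivered


# Constructed sample data so the module runs stand-alone: 25 two-column rows.
SAMPLE_TABLE: List[Row] = [("id%d" % i, "name%d" % i) for i in range(1, 26)]


def fake_fetch(query: str) -> Sequence[Row]:
    """Stand-in for real query execution: parses the LIMIT clause this
    module emits and slices the constructed sample table accordingly."""
    _, limit = query.rsplit("LIMIT", 1)
    offset, count = (int(x) for x in limit.split(","))
    return SAMPLE_TABLE[offset:offset + count]


def demo(start: int = 1, stop: int = 40, chunk: int = 10) -> List[Row]:
    """Collect the rows delivered for a range; a stop past the table's end
    is handled by the short-window check in dump_in_windows."""
    collected: List[Row] = []
    dump_in_windows("SELECT id, name FROM t", start, stop, chunk,
                    fake_fetch, collected.append)
    return collected


if __name__ == "__main__":
    rows = demo()
    print("delivered %d rows, first %s, last %s" % (len(rows), rows[0], rows[-1]))
```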