sqlmap-users Mailing List for sqlmap (Page 109)
Brought to you by: inquisb
From: black z. <tim...@gm...> - 2011-01-27 13:57:03
sqlmap version: 0.9-dev (r3117)
Python version: 2.6.6
Operating system: posix
Traceback (most recent call last):
  File "sqlmap.py", line 83, in main
    start()
  File "/home/john/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/home/john/sqlmap-dev/lib/controller/action.py", line 109, in action
    conf.dbmsHandler.search()
  File "/home/john/sqlmap-dev/plugins/generic/enumeration.py", line 1914, in search
    self.searchColumn()
  File "/home/john/sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py", line 214, in searchColumn
    dbs[db] = {}
TypeError: unhashable type: 'list'
From: Miroslav S. <mir...@gm...> - 2011-01-27 13:10:58
union based data retrieving has some serious problems. maybe this could illustrate:

in generic/enumeration.py (getPasswordHashes):

    if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
        ...
        value = inject.getValue(query, blind=False)

        if value:
            import pdb
            pdb.set_trace()

            for user, password in value:
                if not user or user == " ":
                    continue

at that import pdb value variable has the value of:

'__START__sa__DEL__0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a__STOP__'

do you know if there is any possibility that getValue returns this kind of data?

kr

On Thu, Jan 27, 2011 at 3:04 AM, m4l1c3 <mal...@gm...> wrote:
> ./sqlmap.py -u "http://DOMAIN:80/LANG/DIR/PARAM.php?xxx=999" --passwords
>
> sqlmap version: 0.9-dev (r3115)
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 77, in action
>     conf.dbmsHandler.getPasswordHashes(), "password hash")
>   File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py", line 238, in getPasswordHashes
>     for user, password in value:
> ValueError: need more than 1 value to unpack
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
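The failure the two messages above describe is a shape mismatch: the caller expects a list of (user, password) pairs, but the retrieval hands back one delimited string, so `for user, password in value` dies with "need more than 1 value to unpack". The following is an added example, not sqlmap's code and not posted by anyone in this thread. It takes the marker names (`__START__`, `__DEL__`, `__STOP__`) from the value Miroslav printed; the parsing rules, the function names (`parse_marked_rows`, `normalise_value`, `password_hashes`) and the sample value are assumptions, and the hash in the sample is a placeholder rather than a real credential.

```python
"""Added example: tolerate both shapes a UNION-style retrieval may return.

Marker names come from the value quoted in the thread; everything else here
(function names, parsing rules, sample data) is an assumption for this example
and is not sqlmap's implementation.
"""

START, DELIM, STOP = "__START__", "__DEL__", "__STOP__"

# Constructed sample in the shape the thread reports. The hash is a
# placeholder, not a real password hash.
SAMPLE_VALUE = ("__START__sa__DEL__0xPLACEHOLDERHASH__STOP__"
                "__START__ __DEL__0xIGNORED__STOP__"
                "__START__broken__STOP__")


def parse_marked_rows(raw, expected_fields=2):
    """Parse '__START__a__DEL__b__STOP__...' into a list of tuples.

    Returns (rows, bad): rows have exactly `expected_fields` elements; rows
    with another field count, or an unterminated row, are collected in `bad`
    instead of raised, so one malformed row does not abort the whole loop.
    """
    rows, bad = [], []
    pos = 0
    while True:
        start = raw.find(START, pos)
        if start == -1:
            break
        stop = raw.find(STOP, start + len(START))
        if stop == -1:
            bad.append(raw[start:])  # unterminated row: keep it for inspection
            break
        body = raw[start + len(START):stop]
        fields = tuple(body.split(DELIM))
        if len(fields) == expected_fields:
            rows.append(fields)
        else:
            bad.append(body)
        pos = stop + len(STOP)
    return rows, bad


def normalise_value(value, expected_fields=2):
    """Return (rows, bad) for either shape a getValue-like call may produce.

    None or empty -> no rows; a marked string -> parsed; an existing list of
    sequences -> kept, with wrong-arity rows set aside in `bad`.
    """
    if not value:
        return [], []
    if isinstance(value, str):
        return parse_marked_rows(value, expected_fields)
    rows, bad = [], []
    for row in value:
        if isinstance(row, (list, tuple)) and len(row) == expected_fields:
            rows.append(tuple(row))
        else:
            bad.append(row)
    return rows, bad


def password_hashes(value):
    """Same loop as in the thread (skip blank users), but it cannot crash on
    a string result. Returns ({user: [hashes]}, bad_rows)."""
    rows, bad = normalise_value(value, 2)
    result = {}
    for user, password in rows:
        if not user or user == " ":
            continue
        result.setdefault(user, []).append(password)
    return result, bad


if __name__ == "__main__":
    hashes, bad = password_hashes(SAMPLE_VALUE)
    print("parsed:", hashes)
    print("rejected rows:", bad)
```

The point of separating `bad` from `rows` is that the user sees which rows were discarded, instead of a traceback that hides whether the injection worked at all.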
From: m4l1c3 <mal...@gm...> - 2011-01-27 02:04:18
./sqlmap.py -u "http://DOMAIN:80/LANG/DIR/PARAM.php?xxx=999" --passwords

sqlmap version: 0.9-dev (r3115)
Python version: 2.5.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 77, in action
    conf.dbmsHandler.getPasswordHashes(), "password hash")
  File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py", line 238, in getPasswordHashes
    for user, password in value:
ValueError: need more than 1 value to unpack
From: black z. <tim...@gm...> - 2011-01-26 23:04:06
why mssql sa pass dumping error?

sqlmap version: 0.9-dev (r3115)
Python version: 2.6.6
Operating system: posix
Traceback (most recent call last):
  File "sqlmap.py", line 83, in main
    start()
  File "/home/john/sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "/home/john/sqlmap-dev/lib/controller/action.py", line 77, in action
    conf.dbmsHandler.getPasswordHashes(), "password hash")
  File "/home/john/sqlmap-dev/plugins/generic/enumeration.py", line 270, in getPasswordHashes
    if user in retrievedUsers:
TypeError: unhashable type: 'list'

[*] shutting down at: 01:01:22

thanks
From: Miroslav S. <mir...@gm...> - 2011-01-25 22:24:41
Thank you for your report. I've never stumbled upon this one, but I think that we've patched it in the latest commit (this moment).

KR

On Tue, Jan 25, 2011 at 8:25 PM, yonny mutai <yo...@go...> wrote:
> Hi guys..
> Bumped into this after todays update....
>
> [22:22:23] [WARNING] url is not stable, sqlmap will base the page comparison
> on a sequence matcher. If no dynamic nor injectable parameters are detected,
> or in case of junk results, refer to user's manual paragraph 'Page
> comparison' and provide a string or regular expression to match on
> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
> [22:22:34] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the command line, the following text and
> any information needed to reproduce the bug. The developers will try to
> reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r3113)
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 292, in start
>     checkStability()
>   File "/pentest/database/sqlmap/lib/controller/checks.py", line 691, in checkStability
>     checkDynamicContent(firstPage, secondPage)
>   File "/pentest/database/sqlmap/lib/controller/checks.py", line 581, in checkDynamicContent
>     if seqMatcher.quick_ratio() <= UPPER_RATIO_BOUND:
>   File "/usr/lib/python2.6/difflib.py", line 682, in quick_ratio
>     for elt in self.a:
> TypeError: iteration over non-sequence

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: yonny m. <yo...@go...> - 2011-01-25 19:25:48
Hi guys..
Bumped into this after todays update....

[22:22:23] [WARNING] url is not stable, sqlmap will base the page comparison
on a sequence matcher. If no dynamic nor injectable parameters are detected,
or in case of junk results, refer to user's manual paragraph 'Page
comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[22:22:34] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
with the latest development version from the Subversion repository. If the
exception persists, please send by e-mail to
sql...@li... the command line, the following text and
any information needed to reproduce the bug. The developers will try to
reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r3113)
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 292, in start
    checkStability()
  File "/pentest/database/sqlmap/lib/controller/checks.py", line 691, in checkStability
    checkDynamicContent(firstPage, secondPage)
  File "/pentest/database/sqlmap/lib/controller/checks.py", line 581, in checkDynamicContent
    if seqMatcher.quick_ratio() <= UPPER_RATIO_BOUND:
  File "/usr/lib/python2.6/difflib.py", line 682, in quick_ratio
    for elt in self.a:
TypeError: iteration over non-sequence
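The warning quoted above spells out the fallback order sqlmap uses when a URL is not stable: compare two fetches with a sequence matcher, and if that is not good enough, let the user supply a string or regular expression to match on. The traceback shows the weak spot of that path: difflib's `quick_ratio()` is handed a page that was never fetched (None) and fails with "iteration over non-sequence". The block below is an added example, not sqlmap's code and not from anyone in this thread. It reuses the name `UPPER_RATIO_BOUND` from the traceback but its value (0.95), the function name `compare_pages`, the precedence of string/regexp over the ratio, and the two sample pages are all assumptions made for this example.

```python
"""Added example: page comparison with an explicit missing-page failure mode.

Modelled on the fallback order described in the quoted warning (sequence
matcher ratio, or a user-supplied string/regexp). UPPER_RATIO_BOUND's value,
the function name and the sample pages are assumptions, not sqlmap's own.
"""
import difflib
import re

UPPER_RATIO_BOUND = 0.95  # assumed threshold; sqlmap's real constant may differ

# Constructed sample: two fetches of one page that differ only in a timestamp.
PAGE_A = "<html><body>Welcome<p>Served at 12:00:01</p></body></html>"
PAGE_B = "<html><body>Welcome<p>Served at 12:00:02</p></body></html>"


def compare_pages(first, second, string=None, regexp=None):
    """Decide whether `second` counts as the same response as `first`.

    Returns (decision, reason). decision is True/False, or None when no
    decision is possible because a page was not fetched. An explicit
    --string or --regexp wins over the ratio heuristic, mirroring the
    choices offered in the warning prompt.
    """
    if second is None:
        return None, "page not fetched"
    if string is not None:
        return string in second, "string"
    if regexp is not None:
        return re.search(regexp, second) is not None, "regexp"
    if first is None:
        # This is the case the traceback hit: difflib would iterate over None.
        return None, "baseline page not fetched"
    ratio = difflib.SequenceMatcher(None, first, second).quick_ratio()
    return ratio > UPPER_RATIO_BOUND, "ratio=%.3f" % ratio


if __name__ == "__main__":
    print(compare_pages(PAGE_A, PAGE_B))                      # stable enough
    print(compare_pages(PAGE_A, None))                        # cannot decide
    print(compare_pages(PAGE_A, PAGE_B, string="Welcome"))    # explicit match
```

`quick_ratio()` is only an upper bound on the real similarity (it compares character multisets, not positions), which is why it is cheap enough to run on every response but also why a string or regexp match is the more reliable choice once the user knows what a "true" page looks like.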
From: Miroslav S. <mir...@gm...> - 2011-01-25 16:07:41
Hi all.

Just to drop a quick warning message. Currently there is a major problem going on code named "Generic UNION/SQLite". All of you who think that you've stumbled upon a Generic UNION/SQLite injection you've probably had a "visit" by a FALSE positive. We'll try to fix this ASAP together with other UNION based detection issues.

KR
From: Miroslav S. <mir...@gm...> - 2011-01-25 12:19:33
thx Andres for suggestion. i'll make a script for doing this automatically.

pylint is cool, but not omnipotent. in this case it didn't detect the issue :)) i just tried before and after.

kr

On Tue, Jan 25, 2011 at 1:02 PM, Andres Riancho <and...@gm...> wrote:
> Miroslav,
>
> I recommend running "pylint -e" before each commit. That would avoid
> these simple bugs! Learned the hard way!
>
> Regards,
> --
> Andres Riancho
>
> On Jan 25, 2011 8:01 a.m., "Miroslav Stampar" <mir...@gm...> wrote:
>> hi Kazim.
>>
>> thank you for your report. find it fixed in the latest commit
>>
>> kr
>>
>> 2011/1/25 Kazım Buğra Tombul <mha...@gm...>:
>>> [12:44:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>>> with the latest de...

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Andres R. <and...@gm...> - 2011-01-25 12:02:47
Miroslav,

I recommend running "pylint -e" before each commit. That would avoid these simple bugs! Learned the hard way!

Regards,
--
Andres Riancho

On Jan 25, 2011 8:01 a.m., "Miroslav Stampar" <mir...@gm...> wrote:
> hi Kazim.
>
> thank you for your report. find it fixed in the latest commit
>
> kr
>
> 2011/1/25 Kazım Buğra Tombul <mha...@gm...>:
>> [12:44:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>> with the latest de...
From: Miroslav S. <mir...@gm...> - 2011-01-25 11:00:17
hi Kazim.

thank you for your report. find it fixed in the latest commit

kr

2011/1/25 Kazım Buğra Tombul <mha...@gm...>:
> [12:44:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the command line, the following text and
> any information needed to reproduce the bug. The developers will try to
> reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r3107)
> Python version: 2.5.4
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/Users/my_user_name/sqlmap-dev/lib/controller/controller.py", line 336, in start
>     elif not checkDynParam(place, parameter, value):
>   File "/Users/my_user_name/sqlmap-dev/lib/controller/checks.py", line 551, in checkDynParam
>     dynResult = Request.queryPage(payload, place, raise404=False)
>   File "/Users/my_user_name/sqlmap-dev/lib/request/connect.py", line 462, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "/Users/my_user_name/sqlmap-dev/lib/request/connect.py", line 262, in getPage
>     warnMsg += "to get error page information (%d)" % code
> UnboundLocalError: local variable 'code' referenced before assignment
> [*] shutting down at: 12:44:46
>
> Kazım Buğra Tombul
> Senior @ Metu Computer Engineering
> Software Developer @ Speeddate.com, Inc.
> System Administrator @ Metu Computer Club
> Supervisory Board Member @ Metu Computer Club

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Kazım B. T. <mha...@gm...> - 2011-01-25 10:51:15
[12:44:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
with the latest development version from the Subversion repository. If the
exception persists, please send by e-mail to
sql...@li... the command line, the following text and
any information needed to reproduce the bug. The developers will try to
reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r3107)
Python version: 2.5.4
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/Users/my_user_name/sqlmap-dev/lib/controller/controller.py", line 336, in start
    elif not checkDynParam(place, parameter, value):
  File "/Users/my_user_name/sqlmap-dev/lib/controller/checks.py", line 551, in checkDynParam
    dynResult = Request.queryPage(payload, place, raise404=False)
  File "/Users/my_user_name/sqlmap-dev/lib/request/connect.py", line 462, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/Users/my_user_name/sqlmap-dev/lib/request/connect.py", line 262, in getPage
    warnMsg += "to get error page information (%d)" % code
UnboundLocalError: local variable 'code' referenced before assignment
[*] shutting down at: 12:44:46

Kazım Buğra Tombul
Senior @ Metu Computer Engineering
Software Developer @ Speeddate.com, Inc.
System Administrator @ Metu Computer Club
Supervisory Board Member @ Metu Computer Club
From: Miroslav S. <mir...@gm...> - 2011-01-24 14:50:48
hi buawig.

thank you for your report. we've done some basic checking to prevent this kind of behavior in the latest commit.

kr

On Sun, Jan 23, 2011 at 2:15 PM, <bu...@gm...> wrote:
> Hi,
>
> don't know if this should be called a bug or just user stupidity but I
> report it anyway.
> The following occurred after providing 'use insecure' as new url
> (redirect question) because I thought I was already on the sql-shell> prompt
>
> sqlmap version: 0.9-dev (r3077)
> Python version: 2.6.4
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "sqlmap-dev/lib/controller/controller.py", line 414, in start
>     action()
>   File "sqlmap-dev/lib/controller/action.py", line 115, in action
>     conf.dbmsHandler.sqlShell()
>   File "sqlmap-dev/plugins/generic/enumeration.py", line 1999, in sqlShell
>     output = self.sqlQuery(query)
>   File "sqlmap-dev/plugins/generic/enumeration.py", line 1945, in sqlQuery
>     output = inject.getValue(query, fromUser=True)
>   File "sqlmap-dev/lib/request/inject.py", line 463, in getValue
>     value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
>   File "sqlmap-dev/lib/request/inject.py", line 315, in __goInferenceProxy
>     outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
>   File "sqlmap-dev/lib/request/inject.py", line 99, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
>   File "sqlmap-dev/lib/request/inject.py", line 64, in __goInference
>     count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
>   File "sqlmap-dev/lib/techniques/blind/inference.py", line 483, in bisection
>     val = getChar(index, asciiTbl)
>   File "sqlmap-dev/lib/techniques/blind/inference.py", line 189, in getChar
>     result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
>   File "sqlmap-dev/lib/request/connect.py", line 431, in queryPage
>     Connect.queryPage(content=True)
>   File "sqlmap-dev/lib/request/connect.py", line 457, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "sqlmap-dev/lib/request/connect.py", line 195, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib64/python2.6/urllib2.py", line 124, in urlopen
>     return _opener.open(url, data, timeout)
>   File "/usr/lib64/python2.6/urllib2.py", line 381, in open
>     protocol = req.get_type()
>   File "/usr/lib64/python2.6/urllib2.py", line 242, in get_type
>     raise ValueError, "unknown url type: %s" % self.__original
> ValueError: unknown url type: use%20insecure

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-23 20:48:09
Hi all.

There has been a major "revisit" of methods used in --os-shell. We'll try to do some more inspection of those, but all in all now it works far better than before. Just to warn that this doesn't mean that it will work always, as permissions are most problematic in this case, but should do in cases when previous one failed to do so while it could/should.

KR

On Sun, Jan 23, 2011 at 7:38 PM, yonny mutai <yo...@go...> wrote:
> Cool n thanks
>
> On Sun, Jan 23, 2011 at 9:28 PM, Miroslav Stampar <mir...@gm...> wrote:
>> currently i am rewriting that all logic.
>>
>> will report
>>
>> kr
>>
>> On Sun, Jan 23, 2011 at 6:28 PM, yonny mutai <yo...@go...> wrote:
>>> Hi Miroslav,
>>> I found out it was apparmour which was hindering mysql from writing the
>>> file.. It now writes the file but the script fails with the message "unable
>>> to upload the file stager on '/var/www/'.. although the file exists in the
>>> directory and when the script does a GET on the file it gets it .
>>> which web application language does the web server support?
>>> [1] ASP
>>> [2] ASPX
>>> [3] PHP (default)
>>> [4] JSP
>>> [20:23:35] [WARNING] unable to retrieve the web server document root
>>> please provide the web server document root [/var/www/]:
>>> [20:23:35] [WARNING] unable to retrieve any web server path
>>> please provide any additional web server full path to try to upload the agent [/var/www/]:
>>> [20:23:36] [WARNING] unable to upload the file stager on '/var/www/'
>>> [20:23:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/127.0.0.1'
>>>
>>> 127.0.0.1 - - [23/Jan/2011:20:23:34 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
>>> 127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5983 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
>>> 127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "GET /tmpubtee.php HTTP/1.1" 200 241 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
>>> sylar@Sylar:/pentest/database/sqlmap$ ls -lhtr /var/www/
>>> total 324K
>>> drwxrwxrwx  4 mysql mysql 4.0K 2010-06-16 08:37 mutillidae
>>> drwxrwxrwx 15 mysql mysql 4.0K 2010-11-02 12:15 3G_data_promo
>>> -rwxrwxrwx  1 mysql mysql 6.9K 2010-12-21 16:47 41.js
>>> -rwxrwxrwx  1 mysql mysql  13K 2010-12-21 16:48 index.html
>>> drwxrwxrwx  8 mysql mysql 4.0K 2011-01-08 11:40 vux
>>> -rwxrwxrwx  1 mysql mysql  39K 2011-01-16 22:41 mutillidae1.5.zip
>>> -rw-r--r--  1 mysql mysql 1.3K 2011-01-19 12:24 ppx.php
>>> -rw-rw-rw-  1 mysql mysql 1.3K 2011-01-23 20:23 tmpubtee.php
>>>
>>> On Thu, Jan 20, 2011 at 1:15 AM, yonny mutai <yo...@go...> wrote:
>>>> I have tried both --os-pwn and --os-shell.I have set my metasploit path
>>>> in my sqlmap.conf.. I'm running this on Linux.The application connects to
>>>> the db as root.I have also tried --read-file and its also not
>>>> suceessful.Maybe its the mysql version... I logged in as root to the db and
>>>> tried to run select hex(load_file("__PATH__")) and it also returns null...
>>>> I'll try installing a lower version to see how it behaves..
>>>>
>>>> On Thu, Jan 20, 2011 at 1:00 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>> hi again.
>>>>>
>>>>> i wrongly mixed --os-shell and --os-pwn. for --os-pwn you need metasploit.
>>>>>
>>>>> are you using sqlmap on windows or on linux? where is your metasploit
>>>>> located (you haven't use the --msf-path=MSFPATH option)?
>>>>>
>>>>> if on linux then there would be a critical message "unable to locate
>>>>> Metasploit Framework 3 installation...." if no --msf-path specified
>>>>> (except proper environment variable is set), while on windows that
>>>>> message is in form of warning (we should change it to critical abort
>>>>> too) which says "[22:50:05] [WARNING] some sqlmap takeover
>>>>> functionalities are not yet supported on Windows. Please use Linux in a
>>>>> virtual machine for out-of-band features. sqlmap will now carry on
>>>>> ignoring out-of-band switches"
>>>>>
>>>>> kr
>>>>>
>>>>> On Wed, Jan 19, 2011 at 10:37 PM, yonny mutai <yo...@go...> wrote:
>>>>>> Thanks for your response Miroslav,
>>>>>> I have tried setting the permissions for the directories do that they
>>>>>> are owned by the apache process ... but still it doesnt seem to work.Here
>>>>>> are the access logs:
>>>>>> 127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>>>>>> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>>>>>> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>>>>>> 127.0.0.1 - - [20/Jan/2011:00:30:49 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>>>>>> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>>>>>> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "GET /tmpucqwh.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>>>>>> and the permissions
>>>>>> sylar@Sylar:/pentest/database/sqlmap$ ls -lht /var/www/
>>>>>> drwxrwxrwx 8 www-data www-data 4.0K 2011-01-08 11:40 vux
>>>>>> -rwxrwxrwx 1 www-data www-data 102K 2010-12-21 17:24 fc4.js
>>>>>> -rwxrwxrwx 1 www-data www-data 6.9K 2010-12-21 16:47 41.js
>>>>>> drwxrwxrwx 4 www-data www-data 4.0K 2010-06-16 08:37 mutillidae
>>>>>> ...
>>>>>> and I have the most latest state of the code from svn
>>>>>>
>>>>>> On Thu, Jan 20, 2011 at 12:24 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>> hi yonny.
>>>>>>>
>>>>>>> few questions.
>>>>>>>
>>>>>>> do you have write permissions "for all" at the "target" directory (for
>>>>>>> example: /var/www/Multidae)? at which directory does Multidae reside
>>>>>>> at your debian machine? what have you entered as "target directory"
>>>>>>> when sqlmap asked you?
>>>>>>>
>>>>>>> as you can guess, most occuring problem with "stager" are the write
>>>>>>> permissions for the web servers process.
>>>>>>>
>>>>>>> KR
>>>>>>>
>>>>>>> On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
>>>>>>>> Hi,
>>>>>>>> Wonderful tool.... Seems like the stager uploader has ceased to work...
>>>>>>>> anyone to help with this please..
>>>>>>>> To add more info that might help in troubleshooting :
>>>>>>>> DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
>>>>>>>> App: The vulnerable Multidae app
>>>>>>>> Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>>>>>>>>
>>>>>>>> Rgds
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Protect Your Site and Customers from Malware Attacks
>>>>>>>> Learn about various malware tactics and how to avoid them. Understand
>>>>>>>> malware threats, the impact they can have on your business, and how you
>>>>>>>> can protect your company and customers by using code signing.
>>>>>>>> http://p.sf.net/sfu/oracle-sfdevnl
>>>>>>>> _______________________________________________
>>>>>>>> sqlmap-users mailing list
>>>>>>>> sql...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Regards
>>>>>> Yonny Mutai
>>>>
>>>> --
>>>> Regards
>>>> Yonny Mutai
>>>
>>> --
>>> Regards
>>> Yonny Mutai
>
> --
> Regards
> Yonny Mutai

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-23 18:28:50
|
currently i am rewriting all that logic. will report

kr

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: yonny m. <yo...@go...> - 2011-01-23 17:29:19
|
Hi Miroslav,
I found out it was AppArmor which was hindering mysql from writing the file.. It now writes the file but the script fails with the message "unable to upload the file stager on '/var/www/'".. although the file exists in the directory and when the script does a GET on the file it gets it.

which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[20:23:35] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[20:23:35] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [/var/www/]:
[20:23:36] [WARNING] unable to upload the file stager on '/var/www/'
[20:23:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/127.0.0.1'

127.0.0.1 - - [23/Jan/2011:20:23:34 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5983 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "GET /tmpubtee.php HTTP/1.1" 200 241 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"

sylar@Sylar:/pentest/database/sqlmap$ ls -lhtr /var/www/
total 324K
drwxrwxrwx  4 mysql mysql 4.0K 2010-06-16 08:37 mutillidae
drwxrwxrwx 15 mysql mysql 4.0K 2010-11-02 12:15 3G_data_promo
-rwxrwxrwx  1 mysql mysql 6.9K 2010-12-21 16:47 41.js
-rwxrwxrwx  1 mysql mysql  13K 2010-12-21 16:48 index.html
drwxrwxrwx  8 mysql mysql 4.0K 2011-01-08 11:40 vux
-rwxrwxrwx  1 mysql mysql  39K 2011-01-16 22:41 mutillidae1.5.zip
-rw-r--r--  1 mysql mysql 1.3K 2011-01-19 12:24 ppx.php
-rw-rw-rw-  1 mysql mysql 1.3K 2011-01-23 20:23 tmpubtee.php

On Thu, Jan 20, 2011 at 1:15 AM, yonny mutai <yo...@go...> wrote:
> I have tried both --os-pwn and --os-shell. I have set my metasploit path in my sqlmap.conf.. I'm running this on Linux. The application connects to the db as root. I have also tried --read-file and it's also not successful. Maybe it's the mysql version... I logged in as root to the db and tried to run select hex(load_file("__PATH__")) and it also returns null... I'll try installing a lower version to see how it behaves..
>
> On Thu, Jan 20, 2011 at 1:00 AM, Miroslav Stampar <mir...@gm...> wrote:
>> hi again.
>>
>> i wrongly mixed --os-shell and --os-pwn. for --os-pwn you need metasploit.
>>
>> are you using sqlmap on windows or on linux? where is your metasploit located (you haven't used the --msf-path=MSFPATH option)?
>>
>> if on linux then there would be a critical message "unable to locate Metasploit Framework 3 installation...." if no --msf-path specified (except proper environment variable is set), while on windows that message is in form of warning (we should change it to critical abort too) which says "[22:50:05] [WARNING] some sqlmap takeover functionalities are not yet supported on Windows. Please use Linux in a virtual machine for out-of-band features. sqlmap will now carry on ignoring out-of-band switches"
>>
>> kr
>>
>> On Wed, Jan 19, 2011 at 10:37 PM, yonny mutai <yo...@go...> wrote:
>>> Thanks for your response Miroslav,
>>> I have tried setting the permissions for the directories so that they are owned by the apache process ... but still it doesn't seem to work. Here are the access logs:
>>> 127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>>> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>>> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>>> 127.0.0.1 - - [20/Jan/2011:00:30:49 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>>> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>>> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "GET /tmpucqwh.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>>> and the permissions
>>> sylar@Sylar:/pentest/database/sqlmap$ ls -lht /var/www/
>>> drwxrwxrwx 8 www-data www-data 4.0K 2011-01-08 11:40 vux
>>> -rwxrwxrwx 1 www-data www-data 102K 2010-12-21 17:24 fc4.js
>>> -rwxrwxrwx 1 www-data www-data 6.9K 2010-12-21 16:47 41.js
>>> drwxrwxrwx 4 www-data www-data 4.0K 2010-06-16 08:37 mutillidae
>>> ... and I have the latest state of the code from svn
>>>
>>> On Thu, Jan 20, 2011 at 12:24 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> hi yonny.
>>>>
>>>> few questions.
>>>>
>>>> do you have write permissions "for all" at the "target" directory (for example: /var/www/Mutillidae)? at which directory does Mutillidae reside at your debian machine? what have you entered as "target directory" when sqlmap asked you?
>>>>
>>>> as you can guess, the most common problem with "stager" is the write permissions for the web server's process.
>>>>
>>>> KR
>>>>
>>>> On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
>>>>> Hi,
>>>>> Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..
>>>>> To add more info that might help in troubleshooting:
>>>>> DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
>>>>> App: The vulnerable Mutillidae app
>>>>> Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>>>>>
>>>>> Rgds

--
Regards
Yonny Mutai |
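The access-log lines yonny pastes above are a useful artefact on the defending side: each stager-upload attempt shows up as a POST to the injectable page followed, from the same client within seconds, by a GET for a short random-named PHP file directly under the document root, answered with 404 (the upload failed) or 200 (the stager is reachable). The following is an added example, not sqlmap's or the list's own code, that runs that correlation over constructed log lines modelled on the ones in the thread; the filename pattern, the 10-second window and the severity labels are my assumptions and should be tuned per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the Apache access-log excerpts quoted in this thread.
SAMPLE_LOG = """\
127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0"
127.0.0.1 - - [23/Jan/2011:20:23:34 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Opera/9.62"
127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "GET /tmpubtee.php HTTP/1.1" 200 241 "-" "Opera/9.62"
10.0.0.7 - - [23/Jan/2011:20:25:00 +0300] "GET /tmpabcde.php HTTP/1.1" 404 488 "-" "curl/7.19"
"""

# Common/combined log format: client, identd, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the web-root stager seen in the thread is named tmp + five lowercase letters + .php.
STAGER_RE = re.compile(r'^/tmp[a-z]{5}\.php$')
WINDOW = timedelta(seconds=10)  # assumption: how long after a POST a stager GET still counts as correlated


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path').split('?', 1)[0],
        'status': int(m.group('status')),
    }


def detect_stager_activity(lines):
    """Correlate, per client IP, a POST followed within WINDOW by a GET for a stager-looking file.

    Returns (ip, path, status, severity) tuples. A 200 on the stager means the upload
    worked and the file is reachable (high); a 404 means an attempt that failed (medium).
    A lone GET with no preceding POST from the same client is left out to keep noise down.
    """
    last_post = {}
    findings = []
    for entry in map(parse_line, lines):
        if entry is None:
            continue
        if entry['method'] == 'POST':
            last_post[entry['ip']] = entry['ts']
        elif entry['method'] == 'GET' and STAGER_RE.match(entry['path']):
            prior = last_post.get(entry['ip'])
            if prior is not None and timedelta(0) <= entry['ts'] - prior <= WINDOW:
                severity = 'high' if entry['status'] == 200 else 'medium'
                findings.append((entry['ip'], entry['path'], entry['status'], severity))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stager_activity(SAMPLE_LOG.splitlines())


if __name__ == '__main__':
    for ip, path, status, severity in run_sample():
        print('%s %s -> %d [%s]' % (ip, path, status, severity))
```

Both attempts from 127.0.0.1 are reported; the 10.0.0.7 request is dropped because no POST from that client preceded it. In a real deployment the stager name pattern is the weakest part of the rule (it is trivially changed), so the POST-then-new-PHP-file correlation and, better, an inventory check for unexpected files in the web root are the parts worth keeping.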
From: <bu...@gm...> - 2011-01-23 17:09:29
|
On 01/23/2011 04:58 PM, Bernardo Damele A. G. wrote:
> I will add this feature request to the TODO list

Great, thank you! |
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-23 16:59:34
|
No, it is not. I will add this feature request to the TODO list, but cannot guarantee that it will make it for the 0.9 release.

Bernardo Damele A. G.
This message was sent from a smartphone

On 23 Jan 2011, at 16:18, "bu...@gm..." <bu...@gm...> wrote:
> Hi,
>
> is it possible to tell sqlmap the following:
>
> send your requests to .../post.php but look at/fetch .../index.php after
> you submitted to ../post.php for detection/exploitation?
>
> I guess --safe-url is not what I mean..
> --safe-url=SAFURL Url address to visit frequently during testing |
From: <bu...@gm...> - 2011-01-23 16:18:05
|
Hi,

is it possible to tell sqlmap the following:

send your requests to .../post.php but look at/fetch .../index.php after you submitted to ../post.php for detection/exploitation?

I guess --safe-url is not what I mean..
--safe-url=SAFURL    Url address to visit frequently during testing |
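What this asks for is usually called second-order (stored) injection: the value submitted to post.php is written safely, and the unsafe query only runs when index.php later reads it back. The toy below is an added example, not sqlmap's or the poster's code; it uses an in-memory SQLite database, and the table and function names are my own. It shows why a test that only watches the response of post.php sees nothing, and what the fixed sink looks like.

```python
import sqlite3


def setup():
    """Constructed schema for the demonstration: a users table and a per-user profile table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)')
    conn.execute('CREATE TABLE profiles (name TEXT, bio TEXT)')
    return conn


def register(conn, name, email):
    """The post.php side: both writes are parameterised, so this endpoint on its own is not injectable."""
    conn.execute('INSERT INTO users (name, email) VALUES (?, ?)', (name, email))
    conn.execute('INSERT INTO profiles (name, bio) VALUES (?, ?)', (name, ''))
    conn.commit()


def show_profile_vulnerable(conn, name):
    """The index.php side as too often written: the first lookup is parameterised, but the
    value read back from the database is treated as trusted and spliced into the second query."""
    row = conn.execute('SELECT name FROM users WHERE name = ?', (name,)).fetchone()
    if row is None:
        return None
    stored_name = row[0]
    # BUG: stored_name came from a user at registration time; it is still attacker-controlled.
    return conn.execute("SELECT bio FROM profiles WHERE name = '%s'" % stored_name).fetchone()


def show_profile_hardened(conn, name):
    """Same page with the sink fixed: data is bound as a parameter whether it came
    from the request or from the database."""
    row = conn.execute('SELECT name FROM users WHERE name = ?', (name,)).fetchone()
    if row is None:
        return None
    stored_name = row[0]
    return conn.execute('SELECT bio FROM profiles WHERE name = ?', (stored_name,)).fetchone()


def demo(name="O'Brien"):
    """Register a name containing a quote, then read it back through both versions of the page.

    For the default input this returns ('error', ('',)): the vulnerable sink breaks on the
    stored quote (a syntax error here, an injection point for a less benign value), the
    hardened one returns the profile row.
    """
    conn = setup()
    register(conn, name, 'user@example.invalid')
    try:
        show_profile_vulnerable(conn, name)
        vulnerable_outcome = 'no error'
    except sqlite3.OperationalError:
        vulnerable_outcome = 'error'
    return vulnerable_outcome, show_profile_hardened(conn, name)


if __name__ == '__main__':
    print(demo())
```

Note where the error surfaces: the registration request returns normally, and the failure only appears in a later request for the profile page. That is the gap the question above is about, and it is also why "never build SQL from data you read out of your own database" belongs in a code-review checklist next to "never build SQL from request parameters".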
From: <bu...@gm...> - 2011-01-23 13:16:02
|
Hi,

don't know if this should be called a bug or just user stupidity but I report it anyway. The following occurred after providing 'use insecure' as new url (redirect question) because I thought I was already on the sql-shell> prompt

sqlmap version: 0.9-dev (r3077)
Python version: 2.6.4
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "sqlmap-dev/lib/controller/controller.py", line 414, in start
    action()
  File "sqlmap-dev/lib/controller/action.py", line 115, in action
    conf.dbmsHandler.sqlShell()
  File "sqlmap-dev/plugins/generic/enumeration.py", line 1999, in sqlShell
    output = self.sqlQuery(query)
  File "sqlmap-dev/plugins/generic/enumeration.py", line 1945, in sqlQuery
    output = inject.getValue(query, fromUser=True)
  File "sqlmap-dev/lib/request/inject.py", line 463, in getValue
    value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "sqlmap-dev/lib/request/inject.py", line 315, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
  File "sqlmap-dev/lib/request/inject.py", line 99, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
  File "sqlmap-dev/lib/request/inject.py", line 64, in __goInference
    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
  File "sqlmap-dev/lib/techniques/blind/inference.py", line 483, in bisection
    val = getChar(index, asciiTbl)
  File "sqlmap-dev/lib/techniques/blind/inference.py", line 189, in getChar
    result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
  File "sqlmap-dev/lib/request/connect.py", line 431, in queryPage
    Connect.queryPage(content=True)
  File "sqlmap-dev/lib/request/connect.py", line 457, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "sqlmap-dev/lib/request/connect.py", line 195, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib64/python2.6/urllib2.py", line 124, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python2.6/urllib2.py", line 381, in open
    protocol = req.get_type()
  File "/usr/lib64/python2.6/urllib2.py", line 242, in get_type
    raise ValueError, "unknown url type: %s" % self.__original
ValueError: unknown url type: use%20insecure |
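The crash above is missing input validation at an interactive prompt: the answer 'use insecure' was handed straight to urllib2.urlopen, which rejects anything without a URL scheme. The check below is an added example, not sqlmap's code, written for Python 3's urllib.parse (the report is from Python 2.6, where the same parsing lives in the urlparse module); the function names and the allowed-scheme list are my choices. It turns a bad answer into a clean error at the prompt instead of a traceback deep in the request layer.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = ('http', 'https')  # assumption: only web targets are meaningful here


class InvalidTargetUrl(ValueError):
    """Raised when an operator-supplied string is not an absolute http(s) URL."""


def validate_target_url(raw):
    """Return a normalised absolute URL or raise InvalidTargetUrl.

    Rejects free-text answers such as 'use insecure' before they reach the HTTP layer:
    no whitespace, an explicit http/https scheme, and a host are required.
    """
    candidate = raw.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        raise InvalidTargetUrl('URL must be a single token without whitespace: %r' % raw)
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidTargetUrl('unsupported or missing scheme in %r' % raw)
    if not parts.hostname:
        raise InvalidTargetUrl('missing host in %r' % raw)
    # Drop the fragment (never sent to the server) and give a bare host a root path.
    return urlunsplit((parts.scheme.lower(), parts.netloc, parts.path or '/', parts.query, ''))


def is_valid_target_url(raw):
    """Boolean convenience wrapper around validate_target_url."""
    try:
        validate_target_url(raw)
        return True
    except InvalidTargetUrl:
        return False


def ask_redirect_target(answer, fallback):
    """Model of a 'follow redirect to which URL?' prompt.

    Returns (url, accepted): a valid answer replaces the target, anything else keeps
    the fallback so the session continues instead of aborting with a traceback.
    """
    try:
        return validate_target_url(answer), True
    except InvalidTargetUrl:
        return fallback, False


if __name__ == '__main__':
    print(ask_redirect_target('use insecure', 'http://127.0.0.1/mutillidae/index.php?page=login.php'))
    print(ask_redirect_target('http://127.0.0.1/other.php', 'http://127.0.0.1/'))
```

The same validator belongs in front of every place a URL enters the tool, including -u on the command line and values parsed out of log files, so that a malformed entry fails at parse time with a message naming the offending string.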
From: <bu...@gm...> - 2011-01-20 18:15:57
|
On 01/18/2011 11:12 PM, Bernardo Damele A. G. wrote:
> Issue closed. Now all technique support --sql-query and --sql-shell
> packing/unpacking/retrieval of output.

sql-shell> select id from content
select id from content [3]:
[*] 1
[*] 2
[*] 3

sql-shell> select count(*) from content
[INFO] fetching SQL SELECT statement query output: 'select count(*) from content'
[WARNING] the SQL query used does not return any output

should the latter statement work too? (r3050) |
From: Miroslav S. <mir...@gm...> - 2011-01-20 16:16:30
|
...nevertheless you can use -r to load them individually (e.g. ./sqlmap.py -r "./logdirectory/conversations/10-request")

kr

On Thu, Jan 20, 2011 at 4:57 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi.
>
> with last commit you can find support for WebScarab log files. if you find any "problems" related please report.
>
> only one warning: you won't be able to process POST requests as WebScarab "smartly" stores their bodies in separate files.
>
> kr
>
> On Thu, Jan 20, 2011 at 12:32 PM, Miroslav Stampar <mir...@gm...> wrote:
>> hi Antonios.
>>
>> no worry. gonna fix it probably today.
>>
>> kr
>>
>> On Thu, Jan 20, 2011 at 12:22 PM, Antonios Atlasis <ant...@gm...> wrote:
>>> Thanks for your reply.
>>>
>>> The problem is that the free version of Burpsuite does not allow to save the spidering results; this is why I rely on webscarab.
>>>
>>> Thanks again
>>>
>>> Antonios
>>>
>>> 2011/1/20 Miroslav Stampar <mir...@gm...>
>>>> LOL
>>>>
>>>> we've stated that we support WebScarab logs, while we don't :)
>>>>
>>>> thx for reporting.
>>>>
>>>> we'll see what we can do. in the mean time you can try to use Burp which logs we should support most definitely.
>>>>
>>>> kr
>>>>
>>>> On Wed, Jan 19, 2011 at 10:19 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>> Downloading right now. Will report back.
>>>>>
>>>>> KR
>>>>>
>>>>> On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>>>> Hi Miroslav and thanks for your answer,
>>>>>>
>>>>>> I did reproduce the results a couple of times and you can easily do so.
>>>>>>
>>>>>> My target is the ctf6 lampsec security (you can download it from http://sourceforge.net/projects/lampsecurity/).
>>>>>>
>>>>>> After a very fast browsing, I crawled the rest of the site using Webscarab.
>>>>>>
>>>>>> I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>>>>>>
>>>>>> sqlmap failed to find any sqli.
>>>>>>
>>>>>> Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the vulnerable urls) and it does find the sqli vulnerability.
>>>>>>
>>>>>> please let me know if you want me to send you any logs.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Antonios
>>>>>>
>>>>>> 2011/1/18 Miroslav Stampar <mir...@gm...>
>>>>>>> Hi Antonios.
>>>>>>>
>>>>>>> main question is: are you able to reproduce this kind of behavior again?
>>>>>>>
>>>>>>> if yes, then sqlmap really has some "bug" and it would be great if you could (maybe privately) provide us with further details from used logs.
>>>>>>>
>>>>>>> if no, thing that comes to my mind and that can screw things up is "dynamicity". we've worked hard to make a good comparison/detection engine together with dynamicity removal, but still, pages with lots of garbaged styles/tags/scripts... can screw things up, especially when only a small part of the page is affected by injection itself. hence there are switches like --string and --text-only (removes all tags/scripts/styles and retrieves only pure text) that can do miracles in those kind of cases.
>>>>>>>
>>>>>>> KR
>>>>>>>
>>>>>>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>>>>>> Hello to the list,
>>>>>>>>
>>>>>>>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its conversations directory to sqlmap using the -l option. sqlmap didn't find any SQLi vulnerability.
>>>>>>>>
>>>>>>>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was also included in the webscarab conversations and it had also been tested before with sqlmap), and sqlmap did find this time the specific SQLi vulnerability.
>>>>>>>>
>>>>>>>> Has anyone else observed a problem using Webscarab conversations? Is there any tip or trick that I can use in order to solve this problem?
>>>>>>>>
>>>>>>>> Thanks in advance
>>>>>>>>
>>>>>>>> Antonios

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
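Miroslav's -r suggestion above loads one conversation file as a raw HTTP request, and the warning in his quoted message is that WebScarab keeps POST bodies in separate files, so such a file can announce a Content-Length with no body behind it. The parser below is an added example, not sqlmap's own -r implementation; the two sample requests are constructed, the dictionary layout is mine, and the scheme is assumed to be http because a raw request line does not record it. It extracts the parameters a tester or a log reviewer would want and flags the separated-body case instead of silently treating the request as parameterless.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the shape of a raw HTTP request file (what a -r style loader expects).
SAMPLE_REQUEST = (
    "POST /index.php?page=login.php HTTP/1.1\r\n"
    "Host: 192.168.163.128\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "user_name=txv&password=txv\r\n"
)

# The same request as a proxy might store it with the body kept in a separate file:
# the headers still announce 26 bytes, but nothing follows the blank line.
SAMPLE_REQUEST_NO_BODY = SAMPLE_REQUEST.split("\r\n\r\n", 1)[0] + "\r\n\r\n"


def parse_raw_request(text):
    """Parse a raw HTTP/1.x request into method, URL, headers and parameters.

    'body_missing' is True when Content-Length announces more bytes than the file holds,
    which is what a conversation file with an externally stored body looks like.
    """
    head, sep, body = text.partition('\r\n\r\n')
    if not sep:  # tolerate files saved with bare LF line endings
        head, sep, body = text.partition('\n\n')
    lines = head.splitlines()
    if not lines or len(lines[0].split(' ')) != 3:
        raise ValueError('missing or malformed request line')
    method, target, version = lines[0].split(' ')
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(':')
        if not colon:
            raise ValueError('malformed header line: %r' % line)
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    host = headers.get('host')
    url = 'http://%s%s' % (host, parts.path) if host else parts.path  # assumption: plain http
    body = body.rstrip('\r\n')
    declared = int(headers.get('content-length', '0') or '0')
    params = {'GET': dict(parse_qsl(parts.query, keep_blank_values=True))}
    if body and headers.get('content-type', '').startswith('application/x-www-form-urlencoded'):
        params['POST'] = dict(parse_qsl(body, keep_blank_values=True))
    return {
        'method': method,
        'version': version,
        'url': url,
        'headers': headers,
        'params': params,
        'body_missing': declared > len(body.encode('utf-8')),
    }


if __name__ == '__main__':
    for sample in (SAMPLE_REQUEST, SAMPLE_REQUEST_NO_BODY):
        req = parse_raw_request(sample)
        print(req['method'], req['url'], req['params'], 'body missing:', req['body_missing'])
```

A loader built on this can warn per file ("Content-Length 26 declared, body absent") rather than quietly testing only the query-string parameters, which is the silent failure the quoted warning describes.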
From: Miroslav S. <mir...@gm...> - 2011-01-20 15:58:04
|
hi.

with last commit you can find support for WebScarab log files. if you find any "problems" related please report.

only one warning: you won't be able to process POST requests as WebScarab "smartly" stores their bodies in separate files.

kr

On Thu, Jan 20, 2011 at 12:32 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi Antonios.
>
> no worry. gonna fix it probably today.
>
> kr
>
> On Thu, Jan 20, 2011 at 12:22 PM, Antonios Atlasis <ant...@gm...> wrote:
>> Thanks for your reply.
>>
>> The problem is that the free version of Burpsuite does not allow to save the
>> spidering results; this is why I rely on webscarab.
>>
>> Thanks again
>>
>> Antonios
>>
>> 2011/1/20 Miroslav Stampar <mir...@gm...>
>>> LOL
>>>
>>> we've stated that we support WebScarab logs, while we don't :)
>>>
>>> thx for reporting.
>>>
>>> we'll see what we can do. in the meantime you can try to use Burp,
>>> whose logs we should support most definitely.
>>>
>>> kr
>>>
>>> On Wed, Jan 19, 2011 at 10:19 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>> Downloading right now. Will report back.
>>>>
>>>> KR
>>>>
>>>> On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>>> Hi Miroslav and thanks for your answer,
>>>>>
>>>>> I did reproduce the results a couple of times and you can easily do so.
>>>>>
>>>>> My target is the ctf6 lampsec security (you can download it from
>>>>> http://sourceforge.net/projects/lampsecurity/).
>>>>>
>>>>> After a very fast browsing, I crawled the rest of the site using Webscarab.
>>>>>
>>>>> I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>>>>>
>>>>> sqlmap failed to find any sqli.
>>>>>
>>>>> Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the
>>>>> vulnerable urls) and it does find the sqli vulnerability.
>>>>>
>>>>> please let me know if you want me to send you any logs.
>>>>>
>>>>> Regards
>>>>>
>>>>> Antonios
>>>>>
>>>>> 2011/1/18 Miroslav Stampar <mir...@gm...>
>>>>>> Hi Antonios.
>>>>>>
>>>>>> main question is: are you able to reproduce this kind of behavior again?
>>>>>>
>>>>>> if yes, then sqlmap really has some "bug" and it would be great if you
>>>>>> could (maybe privately) provide us with further details from used logs.
>>>>>>
>>>>>> if no, the thing that comes to my mind and that can screw things up is
>>>>>> "dynamicity". we've worked hard to make a good comparison/detection
>>>>>> engine together with dynamicity removal, but still, pages with lots of
>>>>>> garbaged styles/tags/scripts... can screw things up, especially when
>>>>>> only a small part of the page is affected by injection itself. hence
>>>>>> there are switches like --string and --text-only (removes all
>>>>>> tags/scripts/styles and retrieves only pure text) that can do miracles
>>>>>> in those kinds of cases.
>>>>>>
>>>>>> KR
>>>>>>
>>>>>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>>>>> Hello to the list,
>>>>>>>
>>>>>>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its
>>>>>>> conversations directory to sqlmap using the -l option.
>>>>>>> sqlmap didn't find any SQLi vulnerability.
>>>>>>>
>>>>>>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was
>>>>>>> also included in the webscarab conversations and it had also been tested
>>>>>>> before with sqlmap), and sqlmap did find this time the specific SQLi
>>>>>>> vulnerability.
>>>>>>>
>>>>>>> Has anyone else observed a problem using Webscarab conversations? Is there
>>>>>>> any tip or trick that I can use in order to solve this problem?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>>
>>>>>>> Antonios
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Protect Your Site and Customers from Malware Attacks
>>>>>>> Learn about various malware tactics and how to avoid them. Understand
>>>>>>> malware threats, the impact they can have on your business, and how you
>>>>>>> can protect your company and customers by using code signing.
>>>>>>> http://p.sf.net/sfu/oracle-sfdevnl
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sql...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
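The "dynamicity" problem Miroslav describes in the quoted Jan 18 reply is that two fetches of the same URL are rarely byte-identical (timestamps in scripts, server-node comments, session tokens), so any engine that diffs responses sees noise that can drown out a small content change. The Python below is an added example, not sqlmap code and not the comparison logic sqlmap actually uses; it models the idea behind --text-only with three constructed page captures and a plain difflib ratio, and all names and sample pages in it are illustrative.

```python
import difflib
import html
import re

# Constructed sample captures (not real traffic): the same page fetched
# twice, differing only in a script-embedded timestamp and an HTML comment.
PAGE_A = """<html><head><title>News</title>
<script>var rendered = 1295524560;</script>
<style>.hot { color: red }</style></head>
<body><!-- served by node-03 --><div id="main">
<h1>Article 4</h1><p>Lorem ipsum dolor sit amet.</p></div></body></html>"""

PAGE_B = PAGE_A.replace("1295524560", "1295524601").replace("node-03", "node-17")

# A third capture where the visible content genuinely changed (one sentence
# gone): the kind of difference a comparison must still notice after
# dynamic noise has been stripped.
PAGE_C = PAGE_B.replace("<p>Lorem ipsum dolor sit amet.</p>", "<p></p>")

_BLOCK_RE = re.compile(r"<(script|style)\b[^>]*>.*?</\1\s*>", re.I | re.S)
_COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
_TAG_RE = re.compile(r"<[^>]+>")


def text_only(page: str) -> str:
    """Reduce a page to its visible text: drop script/style blocks, comments
    and tags, unescape entities and collapse whitespace (the --text-only idea)."""
    stripped = _BLOCK_RE.sub(" ", page)
    stripped = _COMMENT_RE.sub(" ", stripped)
    stripped = _TAG_RE.sub(" ", stripped)
    return " ".join(html.unescape(stripped).split())


def similarity(a: str, b: str, strip: bool = False) -> float:
    """Sequence similarity in [0, 1]; with strip=True both pages are reduced
    to visible text first. autojunk is disabled so identical inputs score 1.0."""
    if strip:
        a, b = text_only(a), text_only(b)
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


if __name__ == "__main__":
    print("raw A vs B      :", round(similarity(PAGE_A, PAGE_B), 3))        # < 1.0: noise
    print("text-only A vs B:", similarity(PAGE_A, PAGE_B, strip=True))      # 1.0: same page
    print("text-only B vs C:", round(similarity(PAGE_B, PAGE_C, strip=True), 3))  # < 1.0: real change
```

The raw ratio between A and B is below 1.0 even though nothing a user would see has changed, while the text-only ratio is exactly 1.0; B versus C still scores below 1.0 after stripping, which is the property the comparison needs. The same normalisation is useful on the defending side, for example when diffing responses in regression tests for input validation or WAF rules.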
From: Miroslav S. <mir...@gm...> - 2011-01-20 11:32:34
hi Antonios.

no worry. gonna fix it probably today.

kr

On Thu, Jan 20, 2011 at 12:22 PM, Antonios Atlasis <ant...@gm...> wrote:
> Thanks for your reply.
>
> The problem is that the free version of Burpsuite does not allow to save the
> spidering results; this is why I rely on webscarab.
>
> Thanks again
>
> Antonios
>
> 2011/1/20 Miroslav Stampar <mir...@gm...>
>> LOL
>>
>> we've stated that we support WebScarab logs, while we don't :)
>>
>> thx for reporting.
>>
>> we'll see what we can do. in the meantime you can try to use Burp,
>> whose logs we should support most definitely.
>>
>> kr
>>
>> On Wed, Jan 19, 2011 at 10:19 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> Downloading right now. Will report back.
>>>
>>> KR
>>>
>>> On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>> Hi Miroslav and thanks for your answer,
>>>>
>>>> I did reproduce the results a couple of times and you can easily do so.
>>>>
>>>> My target is the ctf6 lampsec security (you can download it from
>>>> http://sourceforge.net/projects/lampsecurity/).
>>>>
>>>> After a very fast browsing, I crawled the rest of the site using Webscarab.
>>>>
>>>> I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>>>>
>>>> sqlmap failed to find any sqli.
>>>>
>>>> Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the
>>>> vulnerable urls) and it does find the sqli vulnerability.
>>>>
>>>> please let me know if you want me to send you any logs.
>>>>
>>>> Regards
>>>>
>>>> Antonios
>>>>
>>>> 2011/1/18 Miroslav Stampar <mir...@gm...>
>>>>> Hi Antonios.
>>>>>
>>>>> main question is: are you able to reproduce this kind of behavior again?
>>>>>
>>>>> if yes, then sqlmap really has some "bug" and it would be great if you
>>>>> could (maybe privately) provide us with further details from used logs.
>>>>>
>>>>> if no, the thing that comes to my mind and that can screw things up is
>>>>> "dynamicity". we've worked hard to make a good comparison/detection
>>>>> engine together with dynamicity removal, but still, pages with lots of
>>>>> garbaged styles/tags/scripts... can screw things up, especially when
>>>>> only a small part of the page is affected by injection itself. hence
>>>>> there are switches like --string and --text-only (removes all
>>>>> tags/scripts/styles and retrieves only pure text) that can do miracles
>>>>> in those kinds of cases.
>>>>>
>>>>> KR
>>>>>
>>>>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>>>> Hello to the list,
>>>>>>
>>>>>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its
>>>>>> conversations directory to sqlmap using the -l option.
>>>>>> sqlmap didn't find any SQLi vulnerability.
>>>>>>
>>>>>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was
>>>>>> also included in the webscarab conversations and it had also been tested
>>>>>> before with sqlmap), and sqlmap did find this time the specific SQLi
>>>>>> vulnerability.
>>>>>>
>>>>>> Has anyone else observed a problem using Webscarab conversations? Is there
>>>>>> any tip or trick that I can use in order to solve this problem?
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Antonios

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-20 11:30:47
i am sending you all an update regarding this field together with some screenshots.

for example:

"latin for latin blind" means: blind inference used, for retrieving of latin data via latin (and latin connection to the backend DBMS) page
"latin for utf8 error" means: error approach used, for retrieving of utf8 data via latin (and latin connection to the backend DBMS) page
"utf8 for latin error" means: error approach used, for retrieving of latin data via utf8 (and utf8 connection to the backend DBMS) page
...

all data that you see with '???' are lost irreversibly in cases when utf8 data was retrieved via latin connection/pages, and they are inherently incompatible (we can't do a shit in those cases as connection charset is hard coded in the web pages code - like "mysql_set_charset("latin1", $link)").

so, all in all sqlmap is doing a great job right now in this field :)

p.s. there was a "really nasty" problem when -o switch was used (--null-connection part) and page encoding was just reset to 'utf8' which potentially led to messy results. fixed in last commit.

On Tue, Jan 18, 2011 at 12:11 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi mitchell.
>
> thank you for your answer. i thought that nobody would :)
>
> we've done some serious work these days in this field and would like
> to have it "stabilized". plz report any "strange" behavior in this
> field if you encounter it.
>
> kr
>
> On Tue, Jan 18, 2011 at 12:01 PM, mitchell <mit...@tu...> wrote:
>> Hi Miroslav,
>>
>> In say 80% of the cases I dealt with Bulgarian sites, the data in the
>> database used the same encoding as the encoding announced on the webpage,
>> usually CP-1251. The rest use UTF.
>>
>> # mitchell
>>
>> On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> wrote:
>>> Hi all.
>>>
>>> I have a general question to all those pentesters that are retrieving data
>>> from sites with "funny" charset encodings (...russian, chinese...).
>>>
>>> What should be the general "consensus" for data retrieval:
>>>
>>> A) assume that the backend DBMS uses the "utf8" charset encoding
>>> or
>>> B) treat data retrieved with the same encoding as used in the page
>>> or
>>> C) find out the proper collation used and use that one? (i am not a fan of
>>> this one :)
>>> or
>>> D) don't care (some people tend to use mixed collations which is quite
>>> romantic)
>>>
>>> Also, I would like to ask you all to try out the latest revision with cases
>>> that could be problematic and report impressions.
>>>
>>> Kind regards

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
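The '???' loss described in this message can be reproduced without a database by modelling the two conversions that happen on the way from a column to a retrieved string: the server transcodes column data to the connection charset (characters the target charset cannot hold become '?'), and the client decodes the page bytes with the page's declared charset. The Python below is an added example, not sqlmap code and not anything posted in this thread; the sample strings, charset pairings and function names are constructed for illustration. It also separates the case the message does not spell out: bytes that are intact but served under the wrong charset label give mojibake that can be reversed, unlike the '?' replacement, which cannot.

```python
# Added example (not sqlmap code): models how a column value survives, or
# does not survive, a connection charset and a page charset. All sample
# values are constructed for illustration.


def dbms_to_connection(value: str, connection_charset: str) -> bytes:
    """Model the DBMS converting column data to the connection charset.

    MySQL substitutes '?' for characters the target charset cannot hold;
    Python's errors='replace' on encode produces the same '?', which is why
    utf8 data fetched over a latin1 connection shows up as '???'.
    """
    return value.encode(connection_charset, errors="replace")


def page_to_client(raw: bytes, page_charset: str) -> str:
    """Model the client decoding the page body with its declared charset."""
    return raw.decode(page_charset, errors="replace")


def retrieve(value: str, connection_charset: str, page_charset: str) -> str:
    """End to end: column value -> connection bytes -> decoded page text."""
    return page_to_client(dbms_to_connection(value, connection_charset), page_charset)


def is_lossy(value: str, connection_charset: str) -> bool:
    """True when at least one character cannot survive the connection charset."""
    try:
        value.encode(connection_charset)
        return False
    except UnicodeEncodeError:
        return True


def repair_mojibake(text: str, declared_charset: str, actual_charset: str):
    """Undo a wrong page label: re-encode with the charset the client used,
    then decode with the charset the bytes were really in. Returns None when
    the bytes cannot be reinterpreted that way."""
    try:
        return text.encode(declared_charset).decode(actual_charset)
    except UnicodeError:
        return None


if __name__ == "__main__":
    # Constructed samples: Cyrillic text (outside latin1) and a latin1-safe word.
    cyrillic, latin = "Привет", "café"
    # "utf8 for latin": the latin1 hop drops every Cyrillic letter for good.
    print(retrieve(cyrillic, "latin-1", "latin-1"))    # ??????
    # "latin for utf8": latin1 data is a subset of what utf8 can carry.
    print(retrieve(latin, "utf-8", "utf-8"))           # café
    # Same single-byte charset on both hops (mitchell's CP-1251 sites).
    print(retrieve(cyrillic, "cp1251", "cp1251"))      # Привет
    # Intact utf8 bytes under a latin1 page label: mojibake, but reversible.
    garbled = retrieve(latin, "utf-8", "latin-1")      # cafÃ©
    print(garbled, "->", repair_mojibake(garbled, "latin-1", "utf-8"))
    # The '?' case cannot be repaired: the information left the server already.
    print(repair_mojibake("??????", "latin-1", "utf-8"))  # ??????
```

The practical distinction is the one the message makes: a mismatch between page label and actual bytes is recoverable client-side, whereas a lossy connection charset (hard-coded in the application, as in the mysql_set_charset("latin1", $link) example) destroys the data before it reaches the page, so no client-side trick brings it back. is_lossy() is the check to run on a value before trusting a retrieval path.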
From: Antonios A. <ant...@gm...> - 2011-01-20 11:22:25
Thanks for your reply.

The problem is that the free version of Burpsuite does not allow to save the spidering results; this is why I rely on webscarab.

Thanks again

Antonios

2011/1/20 Miroslav Stampar <mir...@gm...>
> LOL
>
> we've stated that we support WebScarab logs, while we don't :)
>
> thx for reporting.
>
> we'll see what we can do. in the meantime you can try to use Burp,
> whose logs we should support most definitely.
>
> kr
>
> On Wed, Jan 19, 2011 at 10:19 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Downloading right now. Will report back.
>>
>> KR
>>
>> On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
>>> Hi Miroslav and thanks for your answer,
>>>
>>> I did reproduce the results a couple of times and you can easily do so.
>>>
>>> My target is the ctf6 lampsec security (you can download it from
>>> http://sourceforge.net/projects/lampsecurity/).
>>>
>>> After a very fast browsing, I crawled the rest of the site using Webscarab.
>>>
>>> I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>>>
>>> sqlmap failed to find any sqli.
>>>
>>> Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the
>>> vulnerable urls) and it does find the sqli vulnerability.
>>>
>>> please let me know if you want me to send you any logs.
>>>
>>> Regards
>>>
>>> Antonios
>>>
>>> 2011/1/18 Miroslav Stampar <mir...@gm...>
>>>> Hi Antonios.
>>>>
>>>> main question is: are you able to reproduce this kind of behavior again?
>>>>
>>>> if yes, then sqlmap really has some "bug" and it would be great if you
>>>> could (maybe privately) provide us with further details from used logs.
>>>>
>>>> if no, the thing that comes to my mind and that can screw things up is
>>>> "dynamicity". we've worked hard to make a good comparison/detection
>>>> engine together with dynamicity removal, but still, pages with lots of
>>>> garbaged styles/tags/scripts... can screw things up, especially when
>>>> only a small part of the page is affected by injection itself. hence
>>>> there are switches like --string and --text-only (removes all
>>>> tags/scripts/styles and retrieves only pure text) that can do miracles
>>>> in those kinds of cases.
>>>>
>>>> KR
>>>>
>>>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>>> Hello to the list,
>>>>>
>>>>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its
>>>>> conversations directory to sqlmap using the -l option.
>>>>> sqlmap didn't find any SQLi vulnerability.
>>>>>
>>>>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was
>>>>> also included in the webscarab conversations and it had also been tested
>>>>> before with sqlmap), and sqlmap did find this time the specific SQLi
>>>>> vulnerability.
>>>>>
>>>>> Has anyone else observed a problem using Webscarab conversations? Is there
>>>>> any tip or trick that I can use in order to solve this problem?
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Antonios