sqlmap-users Mailing List for sqlmap (Page 110)
Brought to you by:
inquisb
From: Miroslav S. <mir...@gm...> - 2011-01-19 23:59:22
LOL we've stated that we support WebScarab logs, while we don't :) thx for reporting. we'll see what we can do. in the meantime you can try to use Burp, whose logs we should support most definitely.

kr

On Wed, Jan 19, 2011 at 10:19 PM, Miroslav Stampar <mir...@gm...> wrote:
> Downloading right now. Will report back.
>
> KR
>
> On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
>> Hi Miroslav and thanks for your answer,
>>
>> I did reproduce the results a couple of times and you can easily do so.
>>
>> My target is the ctf6 lampsec security (you can download it from http://sourceforge.net/projects/lampsecurity/).
>>
>> After a very fast browsing, I crawled the rest of the site using Webscarab.
>>
>> I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>>
>> sqlmap failed to find any sqli.
>>
>> Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the vulnerable urls) and it does find the sqli vulnerability.
>>
>> please let me know if you want me to send you any logs.
>>
>> Regards
>>
>> Antonios
>>
>> 2011/1/18 Miroslav Stampar <mir...@gm...>
>>> Hi Antonios.
>>>
>>> main question is: are you able to reproduce this kind of behavior again?
>>>
>>> if yes, then sqlmap really has some "bug" and it would be great if you could (maybe privately) provide us with further details from the used logs.
>>>
>>> if no, the thing that comes to my mind and that can screw things up is "dynamicity". we've worked hard to make a good comparison/detection engine together with dynamicity removal, but still, pages with lots of garbaged styles/tags/scripts... can screw things up, especially when only a small part of the page is affected by the injection itself. hence there are switches like --string and --text-only (removes all tags/scripts/styles and retrieves only pure text) that can do miracles in those kinds of cases.
>>>
>>> KR
>>>
>>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>>>> Hello to the list,
>>>>
>>>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its conversations directory to sqlmap using the -l option. sqlmap didn't find any SQLi vulnerability.
>>>>
>>>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was also included in the webscarab conversations and it had also been tested before with sqlmap), and sqlmap did find this time the specific SQLi vulnerability.
>>>>
>>>> Has anyone else observed a problem using Webscarab conversations? Is there any tip or trick that I can use in order to solve this problem?
>>>>
>>>> Thanks in advance
>>>>
>>>> Antonios
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Protect Your Site and Customers from Malware Attacks
>>>> Learn about various malware tactics and how to avoid them. Understand malware threats, the impact they can have on your business, and how you can protect your company and customers by using code signing.
>>>> http://p.sf.net/sfu/oracle-sfdevnl
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-19 23:17:59
Hi Ahmed.

I am very interested into this bug as it's the first SQLite related one. Could you please update to the latest revision and try it again. Which techniques were used for data retrieval (probably blind or union)?

Now, as this bug is hard to detect (because that error message from 're' is not so informative) it would be a great help if you could just put inside the common.py:

print type(value)
print value

before:

for match in re.finditer(getCompiledRegex(r"(\w+) ([A-Z]+)[,\r\n]"), value):

KR

On Wed, Jan 19, 2011 at 8:13 PM, Ahmed Shawky <ah...@is...> wrote:
> ./sqlmap.py -u "http://site" --columns -T tbl_name -D SQLite_masterdb
>
> sqlmap version: 0.9-dev (r3034)
> Python version: 2.6.4
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 414, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 96, in action
>     conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())
>   File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 997, in getColumns
>     parseSqliteTableSchema(value)
>   File "/pentest/database/sqlmap/lib/core/common.py", line 1941, in parseSqliteTableSchema
>     for match in re.finditer(getCompiledRegex(r"(\w+) ([A-Z]+)[,\r\n]"), value):
>   File "/usr/lib/python2.6/re.py", line 186, in finditer
>     return _compile(pattern, flags).finditer(string)
> TypeError: expected string or buffer
>
> --
> Ahmed Shawky El-Antry
> Pen-tester, Programmer and System administrator
> lnxg33k owner "http://lnxg33k.wordpress.com"
> Isecur1ty team "http://www.isecur1ty.org"
> Twitter @lnxg33k

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
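The traceback above shows the regex being applied to `value` without any type check, so an empty retrieval (`None`) crashes inside `re.finditer()`. The following is an added example, not sqlmap's code: a guarded parser for the CREATE TABLE text that the `sql` column of `sqlite_master` returns, next to `legacy_parse`, which applies the page's regex unguarded to reproduce the reported TypeError. The sample schema is constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Regex quoted in the traceback on this page (sqlmap r3034, lib/core/common.py,
# parseSqliteTableSchema). It is run over the CREATE TABLE text that the
# "sql" column of sqlite_master holds for a table.
LEGACY_COLUMN_RE = re.compile(r"(\w+) ([A-Z]+)[,\r\n]")

# A declared type with optional parenthesised arguments, e.g. TEXT or DECIMAL(10, 2).
TYPE_RE = re.compile(r"^\s*([A-Za-z]+(?:\s*\([^)]*\))?)")

# Table-level constraints that start a definition item but are not columns.
CONSTRAINT_KEYWORDS = ("PRIMARY", "UNIQUE", "CHECK", "FOREIGN", "CONSTRAINT")

# Constructed sample of what sqlite_master.sql returns for a hypothetical table.
SAMPLE_SCHEMA = (
    'CREATE TABLE "users" (\n'
    "  id INTEGER PRIMARY KEY,\n"
    "  name TEXT,\n"
    "  email VARCHAR(255) NOT NULL,\n"
    "  balance DECIMAL(10, 2) DEFAULT 0,\n"
    "  created REAL,\n"
    "  UNIQUE (email)\n"
    ")"
)


def legacy_parse(value) -> Dict[str, str]:
    """The page's regex applied exactly as in the traceback: no type guard, so a
    None value (nothing retrieved for the table) reaches finditer() and raises
    TypeError. It also mis-tags 'PRIMARY KEY' and 'NOT NULL' as column/type
    pairs and misses any column whose type is followed by a constraint."""
    return {m.group(1): m.group(2) for m in LEGACY_COLUMN_RE.finditer(value)}


def legacy_parse_crashes(value) -> bool:
    """True when the unguarded path raises the TypeError reported on this page."""
    try:
        legacy_parse(value)
    except TypeError:
        return True
    return False


def split_top_level(body: str) -> List[str]:
    """Split a column list on commas that are not inside parentheses, so that
    DECIMAL(10, 2) is kept whole."""
    parts, current, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_sqlite_table_schema(value) -> Optional[Dict[str, str]]:
    """Return {column: declared type} for a CREATE TABLE statement.

    None (nothing retrieved) yields None instead of a crash; bytes are decoded;
    anything else is rejected with a clear message rather than the opaque
    'expected string or buffer' from the regex engine."""
    if value is None:
        return None
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    if not isinstance(value, str):
        raise TypeError("schema must be str, bytes or None, got %s" % type(value).__name__)
    inner = re.search(r"\((.*)\)", value, re.S)  # greedy: first '(' to last ')'
    if not inner:
        return {}
    columns: Dict[str, str] = {}
    for item in split_top_level(inner.group(1)):
        tokens = item.split()
        if not tokens or tokens[0].upper() in CONSTRAINT_KEYWORDS:
            continue
        name = tokens[0].strip("\"'`[]")
        type_match = TYPE_RE.match(item[len(tokens[0]):])
        # SQLite allows typeless columns, so an empty type is a valid result.
        columns[name] = type_match.group(1).upper() if type_match else ""
    return columns


if __name__ == "__main__":
    print(parse_sqlite_table_schema(SAMPLE_SCHEMA))
    print(legacy_parse(SAMPLE_SCHEMA))
    print("legacy path crashes on None:", legacy_parse_crashes(None))
```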
From: yonny m. <yo...@go...> - 2011-01-19 22:15:48
I have tried both --os-pwn and --os-shell. I have set my metasploit path in my sqlmap.conf. I'm running this on Linux. The application connects to the db as root. I have also tried --read-file and it's also not successful. Maybe it's the mysql version... I logged in as root to the db and tried to run select hex(load_file("__PATH__")) and it also returns null... I'll try installing a lower version to see how it behaves..

On Thu, Jan 20, 2011 at 1:00 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi again.
>
> i wrongly mixed --os-shell and --os-pwn. for --os-pwn you need metasploit.
>
> are you using sqlmap on windows or on linux? where is your metasploit located (you haven't used the --msf-path=MSFPATH option)?
>
> if on linux then there would be a critical message "unable to locate Metasploit Framework 3 installation...." if no --msf-path specified (except proper environment variable is set), while on windows that message is in form of warning (we should change it to critical abort too) which says "[22:50:05] [WARNING] some sqlmap takeover functionalities are not yet supported on Windows. Please use Linux in a virtual machine for out-of-band features. sqlmap will now carry on ignoring out-of-band switches"
>
> kr
>
> On Wed, Jan 19, 2011 at 10:37 PM, yonny mutai <yo...@go...> wrote:
>> Thanks for your response Miroslav,
>> I have tried setting the permissions for the directories so that they are owned by the apache process ... but still it doesn't seem to work. Here are the access logs:
>> 127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>> 127.0.0.1 - - [20/Jan/2011:00:30:49 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "GET /tmpucqwh.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>> and the permissions
>> sylar@Sylar:/pentest/database/sqlmap$ ls -lht /var/www/
>> drwxrwxrwx 8 www-data www-data 4.0K 2011-01-08 11:40 vux
>> -rwxrwxrwx 1 www-data www-data 102K 2010-12-21 17:24 fc4.js
>> -rwxrwxrwx 1 www-data www-data 6.9K 2010-12-21 16:47 41.js
>> drwxrwxrwx 4 www-data www-data 4.0K 2010-06-16 08:37 mutillidae
>> ... and I have the latest state of the code from svn
>>
>> On Thu, Jan 20, 2011 at 12:24 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> hi yonny.
>>>
>>> few questions.
>>>
>>> do you have write permissions "for all" at the "target" directory (for example: /var/www/Multidae)? at which directory does Multidae reside at your debian machine? what have you entered as "target directory" when sqlmap asked you?
>>>
>>> as you can guess, the most occurring problem with the "stager" are the write permissions for the web server's process.
>>>
>>> KR
>>>
>>> On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
>>>> Hi,
>>>> Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..
>>>> To add more info that might help in troubleshooting :
>>>> DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
>>>> App: The vulnerable Multidae app
>>>> Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>>>>
>>>> Rgds
>>>
>>> --
>>> Miroslav Stampar
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>
>> --
>> Regards
>> Yonny Mutai
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Regards
Yonny Mutai
From: Miroslav S. <mir...@gm...> - 2011-01-19 22:00:42
hi again.

i wrongly mixed --os-shell and --os-pwn. for --os-pwn you need metasploit.

are you using sqlmap on windows or on linux? where is your metasploit located (you haven't used the --msf-path=MSFPATH option)?

if on linux then there would be a critical message "unable to locate Metasploit Framework 3 installation...." if no --msf-path specified (except proper environment variable is set), while on windows that message is in form of warning (we should change it to critical abort too) which says "[22:50:05] [WARNING] some sqlmap takeover functionalities are not yet supported on Windows. Please use Linux in a virtual machine for out-of-band features. sqlmap will now carry on ignoring out-of-band switches"

kr

On Wed, Jan 19, 2011 at 10:37 PM, yonny mutai <yo...@go...> wrote:
> Thanks for your response Miroslav,
> I have tried setting the permissions for the directories so that they are owned by the apache process ... but still it doesn't seem to work. Here are the access logs:
> 127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
> 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
> 127.0.0.1 - - [20/Jan/2011:00:30:49 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
> 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "GET /tmpucqwh.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
> and the permissions
> sylar@Sylar:/pentest/database/sqlmap$ ls -lht /var/www/
> drwxrwxrwx 8 www-data www-data 4.0K 2011-01-08 11:40 vux
> -rwxrwxrwx 1 www-data www-data 102K 2010-12-21 17:24 fc4.js
> -rwxrwxrwx 1 www-data www-data 6.9K 2010-12-21 16:47 41.js
> drwxrwxrwx 4 www-data www-data 4.0K 2010-06-16 08:37 mutillidae
> ... and I have the latest state of the code from svn
>
> On Thu, Jan 20, 2011 at 12:24 AM, Miroslav Stampar <mir...@gm...> wrote:
>> hi yonny.
>>
>> few questions.
>>
>> do you have write permissions "for all" at the "target" directory (for example: /var/www/Multidae)? at which directory does Multidae reside at your debian machine? what have you entered as "target directory" when sqlmap asked you?
>>
>> as you can guess, the most occurring problem with the "stager" are the write permissions for the web server's process.
>>
>> KR
>>
>> On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
>>> Hi,
>>> Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..
>>> To add more info that might help in troubleshooting :
>>> DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
>>> App: The vulnerable Multidae app
>>> Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>>>
>>> Rgds
>>
>> --
>> Miroslav Stampar
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>
> --
> Regards
> Yonny Mutai

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: yonny m. <yo...@go...> - 2011-01-19 21:38:46
Thanks for your response Miroslav,

I have tried setting the permissions for the directories so that they are owned by the apache process ... but still it doesn't seem to work. Here are the access logs:

127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
127.0.0.1 - - [20/Jan/2011:00:30:49 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "GET /tmpucqwh.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"

and the permissions

sylar@Sylar:/pentest/database/sqlmap$ ls -lht /var/www/
drwxrwxrwx 8 www-data www-data 4.0K 2011-01-08 11:40 vux
-rwxrwxrwx 1 www-data www-data 102K 2010-12-21 17:24 fc4.js
-rwxrwxrwx 1 www-data www-data 6.9K 2010-12-21 16:47 41.js
drwxrwxrwx 4 www-data www-data 4.0K 2010-06-16 08:37 mutillidae

... and I have the latest state of the code from svn

On Thu, Jan 20, 2011 at 12:24 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi yonny.
>
> few questions.
>
> do you have write permissions "for all" at the "target" directory (for example: /var/www/Multidae)? at which directory does Multidae reside at your debian machine? what have you entered as "target directory" when sqlmap asked you?
>
> as you can guess, the most occurring problem with the "stager" are the write permissions for the web server's process.
>
> KR
>
> On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
>> Hi,
>> Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..
>> To add more info that might help in troubleshooting :
>> DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
>> App: The vulnerable Multidae app
>> Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>>
>> Rgds
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Regards
Yonny Mutai
From: Miroslav S. <mir...@gm...> - 2011-01-19 21:25:02
hi yonny.

few questions.

do you have write permissions "for all" at the "target" directory (for example: /var/www/Multidae)? at which directory does Multidae reside at your debian machine? what have you entered as "target directory" when sqlmap asked you?

as you can guess, the most occurring problem with the "stager" are the write permissions for the web server's process.

KR

On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
> Hi,
> Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..
> To add more info that might help in troubleshooting :
> DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
> App: The vulnerable Multidae app
> Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>
> Rgds

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-19 21:20:07
Downloading right now. Will report back.

KR

On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
> Hi Miroslav and thanks for your answer,
>
> I did reproduce the results a couple of times and you can easily do so.
>
> My target is the ctf6 lampsec security (you can download it from http://sourceforge.net/projects/lampsecurity/).
>
> After a very fast browsing, I crawled the rest of the site using Webscarab.
>
> I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>
> sqlmap failed to find any sqli.
>
> Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the vulnerable urls) and it does find the sqli vulnerability.
>
> please let me know if you want me to send you any logs.
>
> Regards
>
> Antonios
>
> 2011/1/18 Miroslav Stampar <mir...@gm...>
>> Hi Antonios.
>>
>> main question is: are you able to reproduce this kind of behavior again?
>>
>> if yes, then sqlmap really has some "bug" and it would be great if you could (maybe privately) provide us with further details from the used logs.
>>
>> if no, the thing that comes to my mind and that can screw things up is "dynamicity". we've worked hard to make a good comparison/detection engine together with dynamicity removal, but still, pages with lots of garbaged styles/tags/scripts... can screw things up, especially when only a small part of the page is affected by the injection itself. hence there are switches like --string and --text-only (removes all tags/scripts/styles and retrieves only pure text) that can do miracles in those kinds of cases.
>>
>> KR
>>
>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>>> Hello to the list,
>>>
>>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its conversations directory to sqlmap using the -l option. sqlmap didn't find any SQLi vulnerability.
>>>
>>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was also included in the webscarab conversations and it had also been tested before with sqlmap), and sqlmap did find this time the specific SQLi vulnerability.
>>>
>>> Has anyone else observed a problem using Webscarab conversations? Is there any tip or trick that I can use in order to solve this problem?
>>>
>>> Thanks in advance
>>>
>>> Antonios
>>
>> --
>> Miroslav Stampar
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Antonios A. <ant...@gm...> - 2011-01-19 20:28:22
Hi Miroslav and thanks for your answer,

I did reproduce the results a couple of times and you can easily do so.

My target is the ctf6 lampsec security (you can download it from http://sourceforge.net/projects/lampsecurity/).

After a very fast browsing, I crawled the rest of the site using Webscarab.

I ran the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/

sqlmap failed to find any sqli.

Then I ran sqlmap -u http://192.168.163.128/index.php?id=4 (one of the vulnerable urls) and it does find the sqli vulnerability.

please let me know if you want me to send you any logs.

Regards

Antonios

2011/1/18 Miroslav Stampar <mir...@gm...>
> Hi Antonios.
>
> main question is: are you able to reproduce this kind of behavior again?
>
> if yes, then sqlmap really has some "bug" and it would be great if you could (maybe privately) provide us with further details from the used logs.
>
> if no, the thing that comes to my mind and that can screw things up is "dynamicity". we've worked hard to make a good comparison/detection engine together with dynamicity removal, but still, pages with lots of garbaged styles/tags/scripts... can screw things up, especially when only a small part of the page is affected by the injection itself. hence there are switches like --string and --text-only (removes all tags/scripts/styles and retrieves only pure text) that can do miracles in those kinds of cases.
>
> KR
>
> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>> Hello to the list,
>>
>> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its conversations directory to sqlmap using the -l option. sqlmap didn't find any SQLi vulnerability.
>>
>> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was also included in the webscarab conversations and it had also been tested before with sqlmap), and sqlmap did find this time the specific SQLi vulnerability.
>>
>> Has anyone else observed a problem using Webscarab conversations? Is there any tip or trick that I can use in order to solve this problem?
>>
>> Thanks in advance
>>
>> Antonios
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
From: Ahmed S. <ah...@is...> - 2011-01-19 19:36:15
./sqlmap.py -u "http://site" --columns -T tbl_name -D SQLite_masterdb

sqlmap version: 0.9-dev (r3034)
Python version: 2.6.4
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 414, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 96, in action
    conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 997, in getColumns
    parseSqliteTableSchema(value)
  File "/pentest/database/sqlmap/lib/core/common.py", line 1941, in parseSqliteTableSchema
    for match in re.finditer(getCompiledRegex(r"(\w+) ([A-Z]+)[,\r\n]"), value):
  File "/usr/lib/python2.6/re.py", line 186, in finditer
    return _compile(pattern, flags).finditer(string)
TypeError: expected string or buffer

--
Ahmed Shawky El-Antry
Pen-tester, Programmer and System administrator
lnxg33k owner "http://lnxg33k.wordpress.com"
Isecur1ty team "http://www.isecur1ty.org"
Twitter @lnxg33k
From: yonny m. <yo...@go...> - 2011-01-19 19:06:51
Hi,

Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..

To add more info that might help in troubleshooting :
DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
App: The vulnerable Multidae app
Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"

Rgds
From: Miroslav S. <mir...@gm...> - 2011-01-19 15:33:28
|
update regarding the current status of sqlmap in this field: 1) if you are going to use ERROR or UNION based injections you'll be presented with the results retrieved from the given page with usage of its encoding. if you are going to dump tables which have a different collation/encoding than the page's you will most probably get here and there '???', but that's because the web server's connection to the backend DBMS is trying to convert the retrieved data's charset to the web page's one -> in case those two charsets are incompatible the web server will most probably fall back to something like replacing it with a character like '?' or similar. sqlmap can't do a squirt in this field because we can't (in normal cases) just change the web server's connection charset/encoding (e.g. mysql_set_charset("latin1", $link)). 2) in other "blind" cases (BOOLEAN, TIMED, STACKED) where characters are retrieved bit by bit, starting with the last commit, the web server's "encoding" is used for proper decoding of the inferred integer. last tests show great improvement in this field. best regards. On Wed, Jan 19, 2011 at 3:30 PM, Miroslav Stampar <mir...@gm...> wrote: > addendum: most simple explanation for the "priority among all charsets > is the encoding of the web page" is that, as we need to choose one, > let it be the most obvious one :))) > > On Wed, Jan 19, 2011 at 3:25 PM, Miroslav Stampar > <mir...@gm...> wrote: >> hi all. 
>> >> as i was really interested in this issue i had to set up a testing >> environment to find out what's going on :))) >> >> i chose the simplest (disposable) testing environment: XAMPP >> >> two tables: users_utf8 & users_latin >> two vulnerable GET pages: get_int_utf8.php & get_int_latin.php >> >> well, conclusion and my answer to the given question: "What should >> be the general "consensus" for data retrieval": >> >> priority among all charsets is the encoding of the web page, and >> that's for three reasons: >> >> 1) connection from the web server to the backend DBMS will be most >> certainly set to some "compatible" charset with the one at the page >> itself - that means that all the data from DBMS to the web server will >> be automatically converted to the connection's charset >> 2) once the web server has replied with the data, in case that the >> data is not compatible with its current character set it will in most >> cases just do a simple replacement with '?' for problematic characters >> (like in case from latin1 -> utf8) - which means a big screw up for >> our data in "error" and "union" techniques as the data is irreversibly >> lost >> 3) finding out "proper" collation is futile in a sense that in MySQL >> for example you can put collation to everything (column, table, >> connection, user, ...), and there is no "magic" bullet to know the >> final collation of the retrieved data in a "time constrained" manner. 
>> >> interesting thing that should be pointed out is that you'll most >> probably have problems with character sets of retrieved data here and >> there for one obvious reason: >> web page's connection to the backend DBMS dictates character set used >> for retrieved data, we "violently" use it in sql injection attacks for >> different tables with different character sets/collations which were >> most probably not "meant" to be "compatible" with web page itself, >> hence you'll lose information irreversibly during the conversion >> process. >> >> kr >> >> On Tue, Jan 18, 2011 at 12:13 PM, mitchell <mit...@tu...> wrote: >>> Will do :) >>> >>> # mitchell >>> >>> On 18 Jan 2011 13:11, "Miroslav Stampar" <mir...@gm...> wrote: >>>> hi mitchell. >>>> >>>> thank you for your answer. i thought that nobody would :) >>>> >>>> we've done some serious work these days in this field and would like >>>> to have it "stabilized". plz report any "strange" behavior in this >>>> field if you encounter it. >>>> >>>> kr >>>> >>>> On Tue, Jan 18, 2011 at 12:01 PM, mitchell <mit...@tu...> wrote: >>>>> Hi Miroslav, >>>>> >>>>> In say 80% of the cases I delt with Bulgarian sites, the data in the >>>>> database used the same encoding as the encoding announced on the webpage, >>>>> usually CP-1251. The rest use UTF. >>>>> >>>>> # mitchell >>>>> >>>>> On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> >>>>> wrote: >>>>>> Hi all. >>>>>> >>>>>> I have a general question to all those pentesters that are retrieving >>>>>> data >>>>>> from sites with "funny" charset encodings (...russian, chinese...). >>>>>> >>>>>> What's should be the general "consensus" for data retrieval: >>>>>> >>>>>> A) assume that the backend DBMS uses the "utf8" charset encoding >>>>>> or >>>>>> B) treat data retrieved with the same encoding as used in the page >>>>>> or >>>>>> C) find out the proper collation used and use that one? 
(i am not a fan >>>>>> of >>>>>> this one :) >>>>>> or >>>>>> D) don't care (some people tend to use mixed collations which is quite >>>>>> romantic) >>>>>> >>>>>> Also, I would like to ask you all to try out the latest revision with >>>>>> cases >>>>>> that could be problematic and report impressions. >>>>>> >>>>>> Kind regards >>>>> >>>> >>>> >>>> >>>> -- >>>> Miroslav Stampar >>>> >>>> E-mail / Jabber: miroslav.stampar (at) gmail.com >>>> Mobile: +385921010204 (HR 0921010204) >>>> PGP Key ID: 0xB5397B1B >>>> Location: Zagreb, Croatia >>> >> >> >> >> -- >> Miroslav Stampar >> >> E-mail / Jabber: miroslav.stampar (at) gmail.com >> Mobile: +385921010204 (HR 0921010204) >> PGP Key ID: 0xB5397B1B >> Location: Zagreb, Croatia >> > > > > -- > Miroslav Stampar > > E-mail / Jabber: miroslav.stampar (at) gmail.com > Mobile: +385921010204 (HR 0921010204) > PGP Key ID: 0xB5397B1B > Location: Zagreb, Croatia > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
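Added example (editor's note; the code is neither sqlmap's nor from the thread) modelling the two retrieval paths Miroslav describes above. On the error/UNION path the value travels through the web server's DBMS connection charset and is rendered in the page's encoding, so characters that do not fit are replaced before the attacker sees anything. On the blind path each character is inferred as an integer from ORD() and the attacker turns that integer back into text with the page's encoding. One assumption is used: MySQL's ORD() on a multi-byte character returns its constituent bytes concatenated big-endian, so ORD('é') on a utf8 column is 0xC3A9 = 50089. The sample value and the charsets are constructed.

```python
"""Charset handling on the two sqlmap retrieval paths (added example, not sqlmap code).

Assumed: MySQL ORD() on a multi-byte character returns its bytes concatenated
big-endian. Sample values and charsets below are constructed.
"""


def union_path(value, connection_charset, page_charset):
    """Value as it appears in an error/UNION-based response.

    Step 1 is the DBMS->web server hop: the connection charset decides what
    survives and everything else becomes '?' (Python's "replace" handler does
    the same). Step 2 is the page being emitted in page_charset.
    """
    through_connection = value.encode(connection_charset, errors="replace").decode(connection_charset)
    return through_connection.encode(page_charset, errors="replace").decode(page_charset)


def mysql_ord(char, table_charset):
    """Model of MySQL ORD(): the character's bytes in the column charset, big-endian."""
    return int.from_bytes(char.encode(table_charset), "big")


def inferred_codes(value, table_charset):
    """What a blind injection hands back: one integer per character, no text at all."""
    return [mysql_ord(ch, table_charset) for ch in value]


def decode_inferred(codes, page_encoding):
    """Client-side step: integer -> raw bytes -> text in the page's encoding."""
    chars = []
    for code in codes:
        raw = code.to_bytes(max(1, (code.bit_length() + 7) // 8), "big")
        chars.append(raw.decode(page_encoding, errors="replace"))
    return "".join(chars)


def demo():
    """Cyrillic row in a utf8 table, served through a latin1 DB connection on a utf-8 page."""
    secret = "Привет"
    union = union_path(secret, connection_charset="latin-1", page_charset="utf-8")
    codes = inferred_codes(secret, "utf-8")
    blind_ok = decode_inferred(codes, "utf-8")
    # Wrong guess of the page encoding: mojibake, but the bytes are still intact
    # inside `codes`, so the text can be re-decoded later. The UNION result cannot.
    blind_wrong_guess = decode_inferred(codes, "latin-1")
    return union, codes, blind_ok, blind_wrong_guess


if __name__ == "__main__":
    print(demo())
```

The two return values make the point of the message: on the UNION path the '?' substitution happens on the web server, so no client-side decoding can bring the characters back; on the blind path the attacker holds the original byte values, so picking the page's charset is a workable default and a wrong pick is repairable offline.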
From: Miroslav S. <mir...@gm...> - 2011-01-19 14:30:47
|
addendum: the simplest explanation for the "priority among all charsets is the encoding of the web page" is that, as we need to choose one, let it be the most obvious one :))) On Wed, Jan 19, 2011 at 3:25 PM, Miroslav Stampar <mir...@gm...> wrote: > hi all. > > as i was really interested in this issue i had to set up a testing > environment to find out what's going on :))) > > i chose the simplest (disposable) testing environment: XAMPP > > two tables: users_utf8 & users_latin > two vulnerable GET pages: get_int_utf8.php & get_int_latin.php > > well, conclusion and my answer to the given question: "What should > be the general "consensus" for data retrieval": > > priority among all charsets is the encoding of the web page, and > that's for three reasons: > > 1) connection from the web server to the backend DBMS will be most > certainly set to some "compatible" charset with the one at the page > itself - that means that all the data from DBMS to the web server will > be automatically converted to the connection's charset > 2) once the web server has replied with the data, in case that the > data is not compatible with its current character set it will in most > cases just do a simple replacement with '?' for problematic characters > (like in case from latin1 -> utf8) - which means a big screw up for > our data in "error" and "union" techniques as the data is irreversibly > lost > 3) finding out "proper" collation is futile in a sense that in MySQL > for example you can put collation to everything (column, table, > connection, user, ...), and there is no "magic" bullet to know the > final collation of the retrieved data in a "time constrained" manner. 
> > interesting thing that should be pointed out is that you'll most > probably have problems with character sets of retrieved data here and > there for one obvious reason: > web page's connection to the backend DBMS dictates character set used > for retrieved data, we "violently" use it in sql injection attacks for > different tables with different character sets/collations which were > most probably not "meant" to be "compatible" with web page itself, > hence you'll lose information irreversibly during the conversion > process. > > kr > > On Tue, Jan 18, 2011 at 12:13 PM, mitchell <mit...@tu...> wrote: >> Will do :) >> >> # mitchell >> >> On 18 Jan 2011 13:11, "Miroslav Stampar" <mir...@gm...> wrote: >>> hi mitchell. >>> >>> thank you for your answer. i thought that nobody would :) >>> >>> we've done some serious work these days in this field and would like >>> to have it "stabilized". plz report any "strange" behavior in this >>> field if you encounter it. >>> >>> kr >>> >>> On Tue, Jan 18, 2011 at 12:01 PM, mitchell <mit...@tu...> wrote: >>>> Hi Miroslav, >>>> >>>> In say 80% of the cases I delt with Bulgarian sites, the data in the >>>> database used the same encoding as the encoding announced on the webpage, >>>> usually CP-1251. The rest use UTF. >>>> >>>> # mitchell >>>> >>>> On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> >>>> wrote: >>>>> Hi all. >>>>> >>>>> I have a general question to all those pentesters that are retrieving >>>>> data >>>>> from sites with "funny" charset encodings (...russian, chinese...). >>>>> >>>>> What's should be the general "consensus" for data retrieval: >>>>> >>>>> A) assume that the backend DBMS uses the "utf8" charset encoding >>>>> or >>>>> B) treat data retrieved with the same encoding as used in the page >>>>> or >>>>> C) find out the proper collation used and use that one? 
(i am not a fan >>>>> of >>>>> this one :) >>>>> or >>>>> D) don't care (some people tend to use mixed collations which is quite >>>>> romantic) >>>>> >>>>> Also, I would like to ask you all to try out the latest revision with >>>>> cases >>>>> that could be problematic and report impressions. >>>>> >>>>> Kind regards >>>> >>> >>> >>> >>> -- >>> Miroslav Stampar >>> >>> E-mail / Jabber: miroslav.stampar (at) gmail.com >>> Mobile: +385921010204 (HR 0921010204) >>> PGP Key ID: 0xB5397B1B >>> Location: Zagreb, Croatia >> > > > > -- > Miroslav Stampar > > E-mail / Jabber: miroslav.stampar (at) gmail.com > Mobile: +385921010204 (HR 0921010204) > PGP Key ID: 0xB5397B1B > Location: Zagreb, Croatia > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
From: Miroslav S. <mir...@gm...> - 2011-01-19 14:26:00
|
hi all. as i was really interested in this issue i had to set up a testing environment to find out what's going on :))) i chose the simplest (disposable) testing environment: XAMPP

two tables: users_utf8 & users_latin
two vulnerable GET pages: get_int_utf8.php & get_int_latin.php

well, conclusion and my answer to the given question: "What should be the general "consensus" for data retrieval": priority among all charsets is the encoding of the web page, and that's for three reasons:

1) connection from the web server to the backend DBMS will be most certainly set to some "compatible" charset with the one at the page itself - that means that all the data from DBMS to the web server will be automatically converted to the connection's charset
2) once the web server has replied with the data, in case that the data is not compatible with its current character set it will in most cases just do a simple replacement with '?' for problematic characters (like in case from latin1 -> utf8) - which means a big screw up for our data in "error" and "union" techniques as the data is irreversibly lost
3) finding out "proper" collation is futile in a sense that in MySQL for example you can put collation to everything (column, table, connection, user, ...), and there is no "magic" bullet to know the final collation of the retrieved data in a "time constrained" manner.

interesting thing that should be pointed out is that you'll most probably have problems with character sets of retrieved data here and there for one obvious reason: the web page's connection to the backend DBMS dictates the character set used for retrieved data, we "violently" use it in sql injection attacks for different tables with different character sets/collations which were most probably not "meant" to be "compatible" with the web page itself, hence you'll lose information irreversibly during the conversion process. 
kr On Tue, Jan 18, 2011 at 12:13 PM, mitchell <mit...@tu...> wrote: > Will do :) > > # mitchell > > On 18 Jan 2011 13:11, "Miroslav Stampar" <mir...@gm...> wrote: >> hi mitchell. >> >> thank you for your answer. i thought that nobody would :) >> >> we've done some serious work these days in this field and would like >> to have it "stabilized". plz report any "strange" behavior in this >> field if you encounter it. >> >> kr >> >> On Tue, Jan 18, 2011 at 12:01 PM, mitchell <mit...@tu...> wrote: >>> Hi Miroslav, >>> >>> In, say, 80% of the cases I dealt with on Bulgarian sites, the data in the >>> database used the same encoding as the encoding announced on the webpage, >>> usually CP-1251. The rest use UTF. >>> >>> # mitchell >>> >>> On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> >>> wrote: >>>> Hi all. >>>> >>>> I have a general question to all those pentesters that are retrieving >>>> data >>>> from sites with "funny" charset encodings (...russian, chinese...). >>>> >>>> What should be the general "consensus" for data retrieval: >>>> >>>> A) assume that the backend DBMS uses the "utf8" charset encoding >>>> or >>>> B) treat data retrieved with the same encoding as used in the page >>>> or >>>> C) find out the proper collation used and use that one? (i am not a fan >>>> of >>>> this one :) >>>> or >>>> D) don't care (some people tend to use mixed collations which is quite >>>> romantic) >>>> >>>> Also, I would like to ask you all to try out the latest revision with >>>> cases >>>> that could be problematic and report impressions. >>>> >>>> Kind regards >>> >> >> >> >> -- >> Miroslav Stampar >> >> E-mail / Jabber: miroslav.stampar (at) gmail.com >> Mobile: +385921010204 (HR 0921010204) >> PGP Key ID: 0xB5397B1B >> Location: Zagreb, Croatia > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
From: Chris O. <chr...@gm...> - 2011-01-19 14:21:28
|
Thank you Bernardo! On 19 January 2011 14:15, Bernardo Damele A. G. <ber...@gm...> wrote: > If you use it each time, yes. It does not necessarily have to be in > output/. Any path where you have rw access is ok. > > > Bernardo Damele A. G. > > This message was sent from a smartphone > > On 19 Jan 2011, at 14:13, Chris Oakley <chr...@gm...> > wrote: > > So if I use it like this: > > -s output/dir/filename > > Each time I use the command it will avoid this issue? > > Chris > > On 19 January 2011 14:08, Bernardo Damele A. G. <ber...@gm...> wrote: > >> Chris, >> >> Sqlmap constantly writes the session file during a run so it is not >> supposed to be run concurrently twice or more times against the same URL. If >> you really need to, specify a different session file to use with switch -s. >> >> Bernardo Damele A. G. >> >> This message was sent from a smartphone >> >> On 19 Jan 2011, at 13:58, Chris Oakley <chr...@gm...> wrote: >> >> I've been running two simultaneous tests on the same domain, but >> different pages. Previously, when I've completed a test, the session is >> saved in such a way that when the test ends it will jump straight to the >> injection points if it found any when I execute the same or similar >> commands. Now, if I execute the exact same command again, it seems to start >> testing right over from the beginning - and this takes ages. >> >> I am scanning www.example.com/blah/?foo=bar and www.example.com/foo/bar at the same time, and the output directory only >> has www.example.com with >> a single session file that just looks like >> >> [11:20:37 01/19/11] >> >> [13:41:41 01/19/11] >> >> and a log file that contains the 4 injection points but nothing else. The >> other scan has also found some injection points but none of these feature in >> either of these two files. >> >> Is this because I'm running two tests on the same domain or is it >> something that's broken in the latest dev version? Or is it something >> else? I've tried this with the last few revisions and the latest revision >> on Windows and Linux boxes - same result. >> >> Regards >> >> Chris >> >> > |
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-19 14:16:05
|
If you use it each time, yes. It does not necessarily have to be in output/. Any path where you have rw access is ok. Bernardo Damele A. G. This message was sent from a smartphone On 19 Jan 2011, at 14:13, Chris Oakley <chr...@gm...> wrote: So if I use it like this: -s output/dir/filename Each time I use the command it will avoid this issue? Chris On 19 January 2011 14:08, Bernardo Damele A. G. <ber...@gm...>wrote: > Chris, > > Sqlmap constantly write the session file during a run so it is not supposed > to be run concurrently twice or more times against the same URL. If you > really need so specify a different session file to use with switch -s. > > Bernardo Damele A. G. > > This message was sent from a smartphone > > On 19 Jan 2011, at 13:58, Chris Oakley <chr...@gm...> > wrote: > > I've been runnning two simultaneous tests on the same domain, but different > pages. Previously, when I've completed a test, the session is saved in such > a way that when the test ends it will jump straight to the injection points > if it found any when I execute the same or similar commands. Now, if I > execute the exact same command again, it seems to start testing right over > from the beginning - and this takes ages. > > I am scanning <http://www.example.com/blah/?foo=bar> > www.example.com/blah/?foo=bar and <http://www.example.com/foo/bar> > www.example.com/foo/bar at the same time, and the output directory only > has <http://www.example.com>www.example.com with a single session file > that just looks like > > [11:20:37 01/19/11] > > [13:41:41 01/19/11] > > and a log file that contains the 4 injection points but nothing else. The > other scan has also found some injection points but none of these feature in > either of these two files. > > Is this because I'm running two tests on the same domain or is it something > that's broken in the latest dev version? Or is it something else? 
I've > tried this with the last few revisions and the latest revision on Windows > and Linux boxes - same result. > > Regards > > Chris > > > ------------------------------------------------------------------------------ > Protect Your Site and Customers from Malware Attacks > Learn about various malware tactics and how to avoid them. Understand > malware threats, the impact they can have on your business, and how you > can protect your company and customers by using code signing. > http://p.sf.net/sfu/oracle-sfdevnl > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
From: Chris O. <chr...@gm...> - 2011-01-19 14:13:34
|
So if I use it like this: -s output/dir/filename Each time I use the command it will avoid this issue? Chris On 19 January 2011 14:08, Bernardo Damele A. G. <ber...@gm...>wrote: > Chris, > > Sqlmap constantly write the session file during a run so it is not supposed > to be run concurrently twice or more times against the same URL. If you > really need so specify a different session file to use with switch -s. > > Bernardo Damele A. G. > > This message was sent from a smartphone > > On 19 Jan 2011, at 13:58, Chris Oakley <chr...@gm...> > wrote: > > I've been runnning two simultaneous tests on the same domain, but different > pages. Previously, when I've completed a test, the session is saved in such > a way that when the test ends it will jump straight to the injection points > if it found any when I execute the same or similar commands. Now, if I > execute the exact same command again, it seems to start testing right over > from the beginning - and this takes ages. > > I am scanning <http://www.example.com/blah/?foo=bar> > www.example.com/blah/?foo=bar and <http://www.example.com/foo/bar> > www.example.com/foo/bar at the same time, and the output directory only > has <http://www.example.com>www.example.com with a single session file > that just looks like > > [11:20:37 01/19/11] > > [13:41:41 01/19/11] > > and a log file that contains the 4 injection points but nothing else. The > other scan has also found some injection points but none of these feature in > either of these two files. > > Is this because I'm running two tests on the same domain or is it something > that's broken in the latest dev version? Or is it something else? I've > tried this with the last few revisions and the latest revision on Windows > and Linux boxes - same result. > > Regards > > Chris > > > ------------------------------------------------------------------------------ > Protect Your Site and Customers from Malware Attacks > Learn about various malware tactics and how to avoid them. 
Understand > malware threats, the impact they can have on your business, and how you > can protect your company and customers by using code signing. > http://p.sf.net/sfu/oracle-sfdevnl > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-19 14:09:10
|
Chris, Sqlmap constantly writes the session file during a run so it is not supposed to be run concurrently twice or more times against the same URL. If you really need to, specify a different session file to use with switch -s. Bernardo Damele A. G. This message was sent from a smartphone On 19 Jan 2011, at 13:58, Chris Oakley <chr...@gm...> wrote: I've been running two simultaneous tests on the same domain, but different pages. Previously, when I've completed a test, the session is saved in such a way that when the test ends it will jump straight to the injection points if it found any when I execute the same or similar commands. Now, if I execute the exact same command again, it seems to start testing right over from the beginning - and this takes ages. I am scanning www.example.com/blah/?foo=bar and www.example.com/foo/bar at the same time, and the output directory only has www.example.com with a single session file that just looks like [11:20:37 01/19/11] [13:41:41 01/19/11] and a log file that contains the 4 injection points but nothing else. The other scan has also found some injection points but none of these feature in either of these two files. Is this because I'm running two tests on the same domain or is it something that's broken in the latest dev version? Or is it something else? I've tried this with the last few revisions and the latest revision on Windows and Linux boxes - same result. Regards Chris |
From: Chris O. <chr...@gm...> - 2011-01-19 13:58:00
|
I've been running two simultaneous tests on the same domain, but different pages. Previously, when I've completed a test, the session is saved in such a way that when the test ends it will jump straight to the injection points if it found any when I execute the same or similar commands. Now, if I execute the exact same command again, it seems to start testing right over from the beginning - and this takes ages. I am scanning www.example.com/blah/?foo=bar and www.example.com/foo/bar at the same time, and the output directory only has www.example.com with a single session file that just looks like [11:20:37 01/19/11] [13:41:41 01/19/11] and a log file that contains the 4 injection points but nothing else. The other scan has also found some injection points but none of these feature in either of these two files. Is this because I'm running two tests on the same domain or is it something that's broken in the latest dev version? Or is it something else? I've tried this with the last few revisions and the latest revision on Windows and Linux boxes - same result. Regards Chris |
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-19 12:39:46
|
Please send me the command line and the output of -v6, anonymized if you want. Thank you. Bernardo Bernardo Damele A. G. This message was sent from a smartphone On 19 Jan 2011, at 11:43, "Andreas Constantinides (MegaHz)" <me...@me...> wrote: > Hi, > > got this error, > > can u help? > > thanks > > -- Andreas > > > >
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: GalleryID
> Type: UNION query
> Title: Generic NULL UNION query - 1 to 3 columns
> Payload: pageimage=10&page=1&GalleryID=101 UNION ALL SELECT 'oJsf'--
> ---
>
> [13:09:51] [INFO] testing MySQL
> [13:09:52] [WARNING] the back-end DBMS is not MySQL
> [13:09:52] [INFO] testing Oracle
> [13:09:52] [WARNING] the back-end DBMS is not Oracle
> [13:09:52] [INFO] testing PostgreSQL
> [13:09:53] [WARNING] the back-end DBMS is not PostgreSQL
> [13:09:53] [INFO] testing Microsoft SQL Server
> [13:09:54] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [13:09:54] [INFO] testing SQLite
> [13:09:54] [WARNING] the back-end DBMS is not SQLite
> [13:09:54] [INFO] testing Microsoft Access
> [13:09:55] [WARNING] the back-end DBMS is not Microsoft Access
> [13:09:55] [INFO] testing Firebird
> [13:09:55] [WARNING] the back-end DBMS is not Firebird
> [13:09:55] [INFO] testing SAP MaxDB
> [13:09:56] [WARNING] the back-end DBMS is not SAP MaxDB
> [13:09:56] [INFO] testing Sybase
> [13:09:56] [WARNING] the back-end DBMS is not Sybase
> [13:09:56] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you
> [13:09:56] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 9 times |
From: Andreas C. (MegaHz) <me...@me...> - 2011-01-19 11:43:07
|
Hi, got this error, can u help? thanks -- Andreas

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: GalleryID
Type: UNION query
Title: Generic NULL UNION query - 1 to 3 columns
Payload: pageimage=10&page=1&GalleryID=101 UNION ALL SELECT 'oJsf'--
---

[13:09:51] [INFO] testing MySQL
[13:09:52] [WARNING] the back-end DBMS is not MySQL
[13:09:52] [INFO] testing Oracle
[13:09:52] [WARNING] the back-end DBMS is not Oracle
[13:09:52] [INFO] testing PostgreSQL
[13:09:53] [WARNING] the back-end DBMS is not PostgreSQL
[13:09:53] [INFO] testing Microsoft SQL Server
[13:09:54] [WARNING] the back-end DBMS is not Microsoft SQL Server
[13:09:54] [INFO] testing SQLite
[13:09:54] [WARNING] the back-end DBMS is not SQLite
[13:09:54] [INFO] testing Microsoft Access
[13:09:55] [WARNING] the back-end DBMS is not Microsoft Access
[13:09:55] [INFO] testing Firebird
[13:09:55] [WARNING] the back-end DBMS is not Firebird
[13:09:55] [INFO] testing SAP MaxDB
[13:09:56] [WARNING] the back-end DBMS is not SAP MaxDB
[13:09:56] [INFO] testing Sybase
[13:09:56] [WARNING] the back-end DBMS is not Sybase
[13:09:56] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you
[13:09:56] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 9 times |
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-18 23:12:07
|
Issue closed. Now all techniques support --sql-query and --sql-shell packing/unpacking/retrieval of output. Thanks for reporting. Bernardo On 17 January 2011 00:29, <bu...@gm...> wrote: > On 01/17/2011 12:25 AM, Miroslav Stampar wrote: >> hi buawig. >> >> we've done some heavy development in other parts and haven't updated >> --sql-shell accordingly. i can only say that we'll try to do our best and >> update it in a couple of weeks (not a trivial one as now it's only supported >> by the part of sqlmap with blind based injections). > > OK. > Thank you for your fast reply and committing r3004. > > > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
From: Miroslav S. <mir...@gm...> - 2011-01-18 21:21:13
|
Hi Antonios.

main question is: are you able to reproduce this kind of behavior again?

if yes, then sqlmap really has some "bug" and it would be great if you could (maybe privately) provide us with further details from the used logs.

if no, the thing that comes to my mind and that can screw things up is "dynamicity". we've worked hard to make a good comparison/detection engine together with dynamicity removal, but still, pages with lots of garbaged styles/tags/scripts... can screw things up, especially when only a small part of the page is affected by the injection itself. hence there are switches like --string and --text-only (removes all tags/scripts/styles and retrieves only pure text) that can do miracles in those kinds of cases.

KR

On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
> Hello to the list,
>
> after spidering a site that is vulnerable to SQLi with Webscarab, I fed its
> conversations directory to sqlmap using the -l option.
> sqlmap didn't find any SQLi vulnerability.
>
> Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was
> also included in the webscarab conversations and it had also been tested
> before with sqlmap), and sqlmap did find this time the specific SQLi
> vulnerability.
>
> Has anyone else observed a problem using Webscarab conversations? Is there
> any tip or trick that I can use in order to solve this problem?
>
> Thanks in advance
>
> Antonios

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
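An added illustration of the "dynamicity" point in Miroslav's reply (example code written for this archive page, not sqlmap's own engine): a plain similarity ratio over raw HTML lets a small change drown in a big static style/script blob, while stripping tags/scripts/styles the way --text-only does, and cutting out the parts that differ between two fetches of the same page, makes the change visible again. The pages, the visitor counter and all function names are constructed for the example.

```python
import re
from difflib import SequenceMatcher
# Constructed responses (not captured traffic): a large static style/script blob,
# a per-request visitor counter and a small article region that actually changes.
BLOB = ("<style>" + ".c{margin:0;padding:0;color:#333}" * 40 + "</style>"
        "<script>" + "window.x=function(){return 1;};" * 40 + "</script>")

def page(counter: str, article: str) -> str:
    return (f"<html><head>{BLOB}</head><body><h1>Article 4</h1><p>{article}</p>"
            f"<footer>Visitors: {counter} | Contact</footer></body></html>")

TRUE_A = page("1047", "Hello Antonios")   # original page, first fetch
TRUE_B = page("2358", "Hello Antonios")   # original page, second fetch
FALSE_P = page("3619", "")                # same page when the article row is absent

def ratio(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b, autojunk=False).ratio()

def same_page(base: str, probe: str, threshold: float = 0.98) -> bool:
    # Naive comparison on raw HTML: a 14-character change drowns in the blob.
    return ratio(base, probe) >= threshold

def text_only(html: str) -> str:
    """What --text-only does: drop scripts, styles and tags, keep visible text."""
    s = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    s = re.sub(r"(?s)<[^>]+>", " ", s)
    return re.sub(r"\s+", " ", s).strip()

def dynamic_markers(a: str, b: str, n: int = 8):
    """Two fetches of one page: stable text around each differing block becomes
    a (prefix, suffix) pair that marks a dynamic region."""
    blocks = SequenceMatcher(None, a, b, autojunk=False).get_matching_blocks()
    markers = []
    for (i1, _, n1), (i2, _, _) in zip(blocks, blocks[1:]):
        if i2 > i1 + n1:                      # gap in `a` between two matches
            markers.append((a[max(0, i1 + n1 - n):i1 + n1], a[i2:i2 + n]))
    return markers

def remove_dynamic(text: str, markers) -> str:
    """Cut whatever sits between each marker pair (counters, timestamps...)."""
    for pre, suf in markers:
        pattern = re.escape(pre) + r".*?" + re.escape(suf)
        text = re.sub(pattern, lambda _m: pre + suf, text, flags=re.S)
    return text

def compare_text_only(base_a: str, base_b: str, probe: str) -> float:
    """Text-only comparison with dynamic content removed before the ratio."""
    ta, tb, tp = map(text_only, (base_a, base_b, probe))
    markers = dynamic_markers(ta, tb)
    return ratio(remove_dynamic(ta, markers), remove_dynamic(tp, markers))
```

With the raw pages, `same_page(TRUE_A, FALSE_P)` is still True (a missed difference); after text-only extraction and dynamic-content removal the ratio drops to 0.8, well below the 0.98 threshold.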
From: Antonios A. <ant...@gm...> - 2011-01-18 21:04:36
Hello to the list,

after spidering a site that is vulnerable to SQLi with Webscarab, I fed its conversations directory to sqlmap using the -l option. sqlmap didn't find any SQLi vulnerability.

Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was also included in the webscarab conversations and it had also been tested before with sqlmap), and sqlmap did find this time the specific SQLi vulnerability.

Has anyone else observed a problem using Webscarab conversations? Is there any tip or trick that I can use in order to solve this problem?

Thanks in advance

Antonios
From: mitchell <mit...@tu...> - 2011-01-18 11:27:57
Hi Miroslav,

In say 80% of the cases I dealt with Bulgarian sites, the data in the database used the same encoding as the encoding announced on the webpage, usually CP-1251. The rest use UTF.

# mitchell

On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> wrote:
> Hi all.
>
> I have a general question to all those pentesters that are retrieving data
> from sites with "funny" charset encodings (...russian, chinese...).
>
> What should be the general "consensus" for data retrieval:
>
> A) assume that the backend DBMS uses the "utf8" charset encoding
> or
> B) treat data retrieved with the same encoding as used in the page
> or
> C) find out the proper collation used and use that one? (i am not a fan of
> this one :)
> or
> D) don't care (some people tend to use mixed collations which is quite
> romantic)
>
> Also, I would like to ask you all to try out the latest revision with cases
> that could be problematic and report impressions.
>
> Kind regards
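An added example of options A and B from Miroslav's question, plus a try-UTF-8-first fallback that covers mitchell's CP-1251 case (example code for this page, not sqlmap's own decoding logic); the Bulgarian sample string, the Content-Type value and the function names are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample (not data from the thread): a Bulgarian string as a
# CP-1251 database stores it, served by a page that announces that charset.
SAMPLE_TEXT = "Здравей, свят"
CP1251_BYTES = SAMPLE_TEXT.encode("cp1251")
CONTENT_TYPE = "text/html; charset=windows-1251"

def declared_charset(content_type: str, body: bytes) -> Optional[str]:
    """Charset the page announces: Content-Type header first, then a <meta> tag."""
    m = re.search(r"charset=([\w-]+)", content_type or "", re.I)
    if m:
        return m.group(1).lower()
    m = re.search(rb'<meta[^>]+charset=["\']?([\w-]+)', body[:2048], re.I)
    return m.group(1).decode("ascii").lower() if m else None

def decode_retrieved(raw: bytes, content_type: str, body: bytes, policy: str) -> str:
    """policy 'utf8' is option A from the thread (assume the DBMS uses UTF-8);
    policy 'page' is option B (reuse the encoding the page itself announces)."""
    if policy == "utf8":
        return raw.decode("utf-8", errors="replace")
    charset = declared_charset(content_type, body) or "utf-8"
    return raw.decode(charset, errors="replace")

def decode_with_fallback(raw: bytes, content_type: str, body: bytes) -> str:
    """Strict UTF-8 first, page charset only when that fails. Caveat: some
    single-byte sequences happen to be valid UTF-8, so this stays a heuristic."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        charset = declared_charset(content_type, body) or "latin-1"
        return raw.decode(charset, errors="replace")

def mojibake_count(text: str) -> int:
    """Replacement characters left behind by a wrong decoding assumption."""
    return text.count("\ufffd")
```

Option A turns every Cyrillic byte of the CP-1251 sample into U+FFFD, while option B and the fallback recover the original string; when the database and the page really do disagree (the other 20% of cases mentioned above), no automatic choice is safe and the retrieved bytes should be kept for manual re-decoding.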
From: mitchell <mit...@tu...> - 2011-01-18 11:20:09
Will do :)

# mitchell

On 18 Jan 2011 13:11, "Miroslav Stampar" <mir...@gm...> wrote:
> hi mitchell.
>
> thank you for your answer. i thought that nobody would :)
>
> we've done some serious work these days in this field and would like
> to have it "stabilized". plz report any "strange" behavior in this
> field if you encounter it.
>
> kr
>
> On Tue, Jan 18, 2011 at 12:01 PM, mitchell <mit...@tu...> wrote:
>> Hi Miroslav,
>>
>> In say 80% of the cases I dealt with Bulgarian sites, the data in the
>> database used the same encoding as the encoding announced on the webpage,
>> usually CP-1251. The rest use UTF.
>>
>> # mitchell
>>
>> On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> wrote:
>>> Hi all.
>>>
>>> I have a general question to all those pentesters that are retrieving data
>>> from sites with "funny" charset encodings (...russian, chinese...).
>>>
>>> What should be the general "consensus" for data retrieval:
>>>
>>> A) assume that the backend DBMS uses the "utf8" charset encoding
>>> or
>>> B) treat data retrieved with the same encoding as used in the page
>>> or
>>> C) find out the proper collation used and use that one? (i am not a fan of
>>> this one :)
>>> or
>>> D) don't care (some people tend to use mixed collations which is quite
>>> romantic)
>>>
>>> Also, I would like to ask you all to try out the latest revision with
>>> cases that could be problematic and report impressions.
>>>
>>> Kind regards
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
