sqlmap-users Mailing List for sqlmap (Page 113)
Brought to you by:
inquisb
From: <nig...@em...> - 2011-01-08 06:18:05

hi
I know it's my fault, but a message with the file is locked or not ready looks better ;)

sqlmap -u "http://xxxxxxx.xxx/retrievePhoto.php?fid=236" --auth-type=basic --auth-cred=xxxx:xxxx -a C:\pentest\sqlmap.0.9\txt\user-agents.txt --level 5 --risk 3 --dump -D xxxx -T xxxxx --threads=3

[01:08:43] [INFO] read from file 'C:\pentest\sqlmap.0.9-1\output\xxxxx.xxx\session':
[01:08:44] [WARNING] Ctrl+C detected in dumping phase

[01:08:44] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: nt
Traceback (most recent call last):
  File "C:\pentest\sqlmap.0.9-1\sqlmap.py", line 83, in main
    start()
  File "C:\pentest\sqlmap.0.9-1\lib\controller\controller.py", line 404, in start
    action()
  File "C:\pentest\sqlmap.0.9-1\lib\controller\action.py", line 107, in action
    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "C:\pentest\sqlmap.0.9-1\lib\core\dump.py", line 262, in dbTableValues
    dumpFP = codecs.open(dumpFileName, "wb", conf.dataEncoding)
  File "C:\Python26\lib\codecs.py", line 870, in open
    file = __builtin__.open(filename, mode, buffering)
IOError: [Errno 13] Permission denied: u'C:\\pentest\\sqlmap.0.9-1\\output\\xxxxx.xxx\\dump\\xxxx\\xxxxx.csv'

[*] shutting down at: 01:08:44

From: Miroslav S. <mir...@gm...> - 2011-01-06 15:52:29

hi lorenzo.

you are using quite outdated version of sqlmap. please update to the latest development version 0.9/dev from our SVN repository to have that (and other potential) problems fixed:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

kind regards

On Thu, Jan 6, 2011 at 4:47 PM, Lorenzo Mainardi <lor...@gm...> wrote:

> sqlmap version: 0.6.4
> Python version: 2.6.6
> Operating system: linux2
> Traceback (most recent call last):
>   File "/usr/bin/sqlmap", line 78, in main
>     init(cmdLineOptions)
>   File "/usr/share/sqlmap/lib/core/option.py", line 770, in init
>     update()
>   File "/usr/share/sqlmap/lib/core/update.py", line 349, in update
>     __updateSqlmap()
>   File "/usr/share/sqlmap/lib/core/update.py", line 246, in __updateSqlmap
>     logger.errMsg(errMsg)
> AttributeError: Logger instance has no attribute 'errMsg'
>
> --
> LORENZO MAINARDI
> http://blog.mainardi.me
> Linux Registered User: 461615
> Key Fingerprint: 76BB 8A70 C275 09F4 613F 3FB7 9DE2 F367 E6F2 3F33
>
>
> ------------------------------------------------------------------------------
> Learn how Oracle Real Application Clusters (RAC) One Node allows customers
> to consolidate database storage, standardize their database environment,
> and,
> should the need arise, upgrade to a full multi-node Oracle RAC database
> without downtime or disruption
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: Lorenzo M. <lor...@gm...> - 2011-01-06 15:47:34

sqlmap version: 0.6.4
Python version: 2.6.6
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 78, in main
    init(cmdLineOptions)
  File "/usr/share/sqlmap/lib/core/option.py", line 770, in init
    update()
  File "/usr/share/sqlmap/lib/core/update.py", line 349, in update
    __updateSqlmap()
  File "/usr/share/sqlmap/lib/core/update.py", line 246, in __updateSqlmap
    logger.errMsg(errMsg)
AttributeError: Logger instance has no attribute 'errMsg'

--
LORENZO MAINARDI
http://blog.mainardi.me
Linux Registered User: 461615
Key Fingerprint: 76BB 8A70 C275 09F4 613F 3FB7 9DE2 F367 E6F2 3F33

From: Miroslav S. <mir...@gm...> - 2011-01-06 10:03:43

thx :)

Bernardo and I worked really hard on this one and hope that 0.9 final will be the best version till now.

kr

On Thu, Jan 6, 2011 at 11:00 AM, Chris Oakley <chr...@gm...> wrote:

> Hi Miroslav
>
> The dev version is even better, 0.9 is looking really promising. I used
> higher risk and level settings and it worked absolutely perfectly; found
> every sql injection point I knew existed on the page!
>
> Many thanks
>
> Chris
>
>
> On 6 January 2011 09:26, Chris Oakley <chr...@gm...> wrote:
>
>> Hi Miroslav
>>
>> I'll grab the svn version and take a look at those other options today and
>> report back. Many thanks for the assistance.
>>
>> Chris
>>
>>
>> On 6 January 2011 08:10, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> ...also, try to use higher --level and --risk for this kind of situations
>>> (login pages)
>>>
>>> kr
>>>
>>>
>>> On Thu, Jan 6, 2011 at 9:06 AM, Miroslav Stampar <
>>> mir...@gm...> wrote:
>>>
>>>> hi Chris.
>>>>
>>>> have you tried with the latest development version from our SVN
>>>> repository?
>>>>
>>>> kr
>>>>
>>>> On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <
>>>> chr...@gm...> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> I'm playing with sqlmap and it seems to be working quite well for GET
>>>>> based parameters. However, for POST I'm not sure if it's working. To test
>>>>> sqlmap out, I've downloaded and installed Mutillidae (
>>>>> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10)
>>>>> and have been looking at the login page. I know that the password field is
>>>>> vulnerable to SQL injection, and have entered the following command to
>>>>> sqlmap:
>>>>>
>>>>> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php"
>>>>> --method "POST" --
>>>>> data "user_name=foo&password=bar&Submit_button=Submit" --current-user
>>>>> --is-dba --flush-session
>>>>>
>>>>> This results in the following output:
>>>>>
>>>>> sqlmap/0.8 - automatic SQL injection and database takeover tool
>>>>> http://sqlmap.sourceforge.net
>>>>>
>>>>> [*] starting at: 17:01:17
>>>>>
>>>>> [17:01:17] [INFO] using 'C:\Program
>>>>> Files\sqlmap-0.8_exe\output\localhost\session' as session file
>>>>> [17:01:17] [INFO] flushing session file
>>>>> [17:01:17] [INFO] testing connection to the target url
>>>>> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
>>>>> [17:01:21] [INFO] url is stable
>>>>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>>>>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>>>>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>>>>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>>>>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>>>>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>>>>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is
>>>>> dynamic
>>>>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>>>>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>>>>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>>>>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>>>>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0
>>>>> parenthesis
>>>>> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter
>>>>> 'page'
>>>>> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric
>>>>> injectable
>>>>> [17:01:30] [INFO] testing single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:31] [INFO] GET parameter 'page' is not single quoted string
>>>>> injectable
>>>>> [17:01:31] [INFO] testing LIKE single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>>> injectable
>>>>> [17:01:32] [INFO] testing double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:34] [INFO] GET parameter 'page' is not double quoted string
>>>>> injectable
>>>>> [17:01:34] [INFO] testing LIKE double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>>> injectable
>>>>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0
>>>>> parenthesis
>>>>> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1
>>>>> parenthesis
>>>>> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter
>>>>> 'page'
>>>>> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric
>>>>> injectable
>>>>> [17:01:36] [INFO] testing single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:37] [INFO] GET parameter 'page' is not single quoted string
>>>>> injectable
>>>>> [17:01:37] [INFO] testing LIKE single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>>> injectable
>>>>> [17:01:38] [INFO] testing double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:39] [INFO] GET parameter 'page' is not double quoted string
>>>>> injectable
>>>>> [17:01:39] [INFO] testing LIKE double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>>> injectable
>>>>> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1
>>>>> parenthesis
>>>>> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2
>>>>> parenthesis
>>>>> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter
>>>>> 'page'
>>>>> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric
>>>>> injectable
>>>>> [17:01:41] [INFO] testing single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:42] [INFO] GET parameter 'page' is not single quoted string
>>>>> injectable
>>>>> [17:01:42] [INFO] testing LIKE single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>>> injectable
>>>>> [17:01:43] [INFO] testing double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:44] [INFO] GET parameter 'page' is not double quoted string
>>>>> injectable
>>>>> [17:01:44] [INFO] testing LIKE double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>>> injectable
>>>>> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2
>>>>> parenthesis
>>>>> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3
>>>>> parenthesis
>>>>> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter
>>>>> 'page'
>>>>> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric
>>>>> injectable
>>>>> [17:01:46] [INFO] testing single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:47] [INFO] GET parameter 'page' is not single quoted string
>>>>> injectable
>>>>> [17:01:47] [INFO] testing LIKE single quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>>> injectable
>>>>> [17:01:49] [INFO] testing double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:50] [INFO] GET parameter 'page' is not double quoted string
>>>>> injectable
>>>>> [17:01:50] [INFO] testing LIKE double quoted string injection on GET
>>>>> parameter 'page'
>>>>> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>>> injectable
>>>>> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3
>>>>> parenthesis
>>>>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>>>>
>>>>> [*] shutting down at: 17:01:51
>>>>>
>>>>> I've used this page with an interception proxy and these three POST
>>>>> values are the only ones that are sent.
>>>>>
>>>>> Does anyone have any idea where I'm going wrong with sqlmap with
>>>>> regards to using it with vulnerable POST values? I've managed to enumerate
>>>>> databases with vulnerable ?id=x type GET parameters but not this.
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Learn how Oracle Real Application Clusters (RAC) One Node allows
>>>>> customers
>>>>> to consolidate database storage, standardize their database
>>>>> environment, and,
>>>>> should the need arise, upgrade to a full multi-node Oracle RAC database
>>>>> without downtime or disruption
>>>>> http://p.sf.net/sfu/oracle-sfdevnl
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sql...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>> Mobile: +385921010204 (HR 0921010204)
>>>> PGP Key ID: 0xB5397B1B
>>>> Location: Zagreb, Croatia
>>>>
>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>>
>>
>>
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: Chris O. <chr...@gm...> - 2011-01-06 10:00:33

Hi Miroslav

The dev version is even better, 0.9 is looking really promising. I used higher risk and level settings and it worked absolutely perfectly; found every sql injection point I knew existed on the page!

Many thanks

Chris

On 6 January 2011 09:26, Chris Oakley <chr...@gm...> wrote:

> Hi Miroslav
>
> I'll grab the svn version and take a look at those other options today and
> report back. Many thanks for the assistance.
>
> Chris
>
>
> On 6 January 2011 08:10, Miroslav Stampar <mir...@gm...> wrote:
>
>> ...also, try to use higher --level and --risk for this kind of situations
>> (login pages)
>>
>> kr
>>
>>
>> On Thu, Jan 6, 2011 at 9:06 AM, Miroslav Stampar <
>> mir...@gm...> wrote:
>>
>>> hi Chris.
>>>
>>> have you tried with the latest development version from our SVN
>>> repository?
>>>
>>> kr
>>>
>>> On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <
>>> chr...@gm...> wrote:
>>>
>>>> Hi all
>>>>
>>>> I'm playing with sqlmap and it seems to be working quite well for GET
>>>> based parameters. However, for POST I'm not sure if it's working. To test
>>>> sqlmap out, I've downloaded and installed Mutillidae (
>>>> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10)
>>>> and have been looking at the login page. I know that the password field is
>>>> vulnerable to SQL injection, and have entered the following command to
>>>> sqlmap:
>>>>
>>>> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php"
>>>> --method "POST" --
>>>> data "user_name=foo&password=bar&Submit_button=Submit" --current-user
>>>> --is-dba --flush-session
>>>>
>>>> This results in the following output:
>>>>
>>>> sqlmap/0.8 - automatic SQL injection and database takeover tool
>>>> http://sqlmap.sourceforge.net
>>>>
>>>> [*] starting at: 17:01:17
>>>>
>>>> [17:01:17] [INFO] using 'C:\Program
>>>> Files\sqlmap-0.8_exe\output\localhost\session' as session file
>>>> [17:01:17] [INFO] flushing session file
>>>> [17:01:17] [INFO] testing connection to the target url
>>>> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
>>>> [17:01:21] [INFO] url is stable
>>>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>>>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>>>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>>>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>>>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>>>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>>>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is
>>>> dynamic
>>>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>>>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>>>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>>>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>>>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0
>>>> parenthesis
>>>> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter
>>>> 'page'
>>>> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric
>>>> injectable
>>>> [17:01:30] [INFO] testing single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:31] [INFO] GET parameter 'page' is not single quoted string
>>>> injectable
>>>> [17:01:31] [INFO] testing LIKE single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>> injectable
>>>> [17:01:32] [INFO] testing double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:34] [INFO] GET parameter 'page' is not double quoted string
>>>> injectable
>>>> [17:01:34] [INFO] testing LIKE double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>> injectable
>>>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0
>>>> parenthesis
>>>> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1
>>>> parenthesis
>>>> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter
>>>> 'page'
>>>> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric
>>>> injectable
>>>> [17:01:36] [INFO] testing single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:37] [INFO] GET parameter 'page' is not single quoted string
>>>> injectable
>>>> [17:01:37] [INFO] testing LIKE single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>> injectable
>>>> [17:01:38] [INFO] testing double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:39] [INFO] GET parameter 'page' is not double quoted string
>>>> injectable
>>>> [17:01:39] [INFO] testing LIKE double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>> injectable
>>>> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1
>>>> parenthesis
>>>> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2
>>>> parenthesis
>>>> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter
>>>> 'page'
>>>> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric
>>>> injectable
>>>> [17:01:41] [INFO] testing single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:42] [INFO] GET parameter 'page' is not single quoted string
>>>> injectable
>>>> [17:01:42] [INFO] testing LIKE single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>> injectable
>>>> [17:01:43] [INFO] testing double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:44] [INFO] GET parameter 'page' is not double quoted string
>>>> injectable
>>>> [17:01:44] [INFO] testing LIKE double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>> injectable
>>>> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2
>>>> parenthesis
>>>> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3
>>>> parenthesis
>>>> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter
>>>> 'page'
>>>> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric
>>>> injectable
>>>> [17:01:46] [INFO] testing single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:47] [INFO] GET parameter 'page' is not single quoted string
>>>> injectable
>>>> [17:01:47] [INFO] testing LIKE single quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string
>>>> injectable
>>>> [17:01:49] [INFO] testing double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:50] [INFO] GET parameter 'page' is not double quoted string
>>>> injectable
>>>> [17:01:50] [INFO] testing LIKE double quoted string injection on GET
>>>> parameter 'page'
>>>> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string
>>>> injectable
>>>> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3
>>>> parenthesis
>>>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>>>
>>>> [*] shutting down at: 17:01:51
>>>>
>>>> I've used this page with an interception proxy and these three POST
>>>> values are the only ones that are sent.
>>>>
>>>> Does anyone have any idea where I'm going wrong with sqlmap with regards
>>>> to using it with vulnerable POST values? I've managed to enumerate
>>>> databases with vulnerable ?id=x type GET parameters but not this.
>>>>
>>>> Thanks in advance!
>>>>
>>>> Chris
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Learn how Oracle Real Application Clusters (RAC) One Node allows
>>>> customers
>>>> to consolidate database storage, standardize their database environment,
>>>> and,
>>>> should the need arise, upgrade to a full multi-node Oracle RAC database
>>>> without downtime or disruption
>>>> http://p.sf.net/sfu/oracle-sfdevnl
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>>
>
>

From: Miroslav S. <mir...@gm...> - 2011-01-06 08:10:56

...also, try to use higher --level and --risk for this kind of situations (login pages)

kr

On Thu, Jan 6, 2011 at 9:06 AM, Miroslav Stampar <mir...@gm...> wrote:

> hi Chris.
>
> have you tried with the latest development version from our SVN repository?
>
> kr
>
> On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <chr...@gm...> wrote:
>
>> Hi all
>>
>> I'm playing with sqlmap and it seems to be working quite well for GET
>> based parameters. However, for POST I'm not sure if it's working. To test
>> sqlmap out, I've downloaded and installed Mutillidae (
>> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10)
>> and have been looking at the login page. I know that the password field is
>> vulnerable to SQL injection, and have entered the following command to
>> sqlmap:
>>
>> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method
>> "POST" --
>> data "user_name=foo&password=bar&Submit_button=Submit" --current-user
>> --is-dba --flush-session
>>
>> This results in the following output:
>>
>> sqlmap/0.8 - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 17:01:17
>>
>> [17:01:17] [INFO] using 'C:\Program
>> Files\sqlmap-0.8_exe\output\localhost\session' as session file
>> [17:01:17] [INFO] flushing session file
>> [17:01:17] [INFO] testing connection to the target url
>> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
>> [17:01:21] [INFO] url is stable
>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0
>> parenthesis
>> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter
>> 'page'
>> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:30] [INFO] testing single quoted string injection on GET parameter
>> 'page'
>> [17:01:31] [INFO] GET parameter 'page' is not single quoted string
>> injectable
>> [17:01:31] [INFO] testing LIKE single quoted string injection on GET
>> parameter 'page'
>> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string
>> injectable
>> [17:01:32] [INFO] testing double quoted string injection on GET parameter
>> 'page'
>> [17:01:34] [INFO] GET parameter 'page' is not double quoted string
>> injectable
>> [17:01:34] [INFO] testing LIKE double quoted string injection on GET
>> parameter 'page'
>> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string
>> injectable
>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0
>> parenthesis
>> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1
>> parenthesis
>> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter
>> 'page'
>> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:36] [INFO] testing single quoted string injection on GET parameter
>> 'page'
>> [17:01:37] [INFO] GET parameter 'page' is not single quoted string
>> injectable
>> [17:01:37] [INFO] testing LIKE single quoted string injection on GET
>> parameter 'page'
>> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string
>> injectable
>> [17:01:38] [INFO] testing double quoted string injection on GET parameter
>> 'page'
>> [17:01:39] [INFO] GET parameter 'page' is not double quoted string
>> injectable
>> [17:01:39] [INFO] testing LIKE double quoted string injection on GET
>> parameter 'page'
>> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string
>> injectable
>> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1
>> parenthesis
>> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2
>> parenthesis
>> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter
>> 'page'
>> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:41] [INFO] testing single quoted string injection on GET parameter
>> 'page'
>> [17:01:42] [INFO] GET parameter 'page' is not single quoted string
>> injectable
>> [17:01:42] [INFO] testing LIKE single quoted string injection on GET
>> parameter 'page'
>> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string
>> injectable
>> [17:01:43] [INFO] testing double quoted string injection on GET parameter
>> 'page'
>> [17:01:44] [INFO] GET parameter 'page' is not double quoted string
>> injectable
>> [17:01:44] [INFO] testing LIKE double quoted string injection on GET
>> parameter 'page'
>> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string
>> injectable
>> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2
>> parenthesis
>> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3
>> parenthesis
>> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter
>> 'page'
>> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:46] [INFO] testing single quoted string injection on GET parameter
>> 'page'
>> [17:01:47] [INFO] GET parameter 'page' is not single quoted string
>> injectable
>> [17:01:47] [INFO] testing LIKE single quoted string injection on GET
>> parameter 'page'
>> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string
>> injectable
>> [17:01:49] [INFO] testing double quoted string injection on GET parameter
>> 'page'
>> [17:01:50] [INFO] GET parameter 'page' is not double quoted string
>> injectable
>> [17:01:50] [INFO] testing LIKE double quoted string injection on GET
>> parameter 'page'
>> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string
>> injectable
>> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3
>> parenthesis
>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>
>> [*] shutting down at: 17:01:51
>>
>> I've used this page with an interception proxy and these three POST values
>> are the only ones that are sent.
>>
>> Does anyone have any idea where I'm going wrong with sqlmap with regards
>> to using it with vulnerable POST values? I've managed to enumerate
>> databases with vulnerable ?id=x type GET parameters but not this.
>>
>> Thanks in advance!
>>
>> Chris
>>
>>
>> ------------------------------------------------------------------------------
>> Learn how Oracle Real Application Clusters (RAC) One Node allows customers
>> to consolidate database storage, standardize their database environment,
>> and,
>> should the need arise, upgrade to a full multi-node Oracle RAC database
>> without downtime or disruption
>> http://p.sf.net/sfu/oracle-sfdevnl
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

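Added example (not part of the thread and not sqlmap code): a Python script that reads a log like the one quoted above, undoes the e-mail quoting and hard wraps, and reports which parameters the run actually injection-tested. It recognises only the message forms visible in this thread; the function names are illustrative.

```python
import re

# Records copied (abridged) from the sqlmap 0.8 output quoted in this thread,
# keeping the ">>" e-mail quoting and the hard-wrapped lines as they appear.
SAMPLE_LOG = """\
>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0
>> parenthesis
>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0
>> parenthesis
>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>
>> [*] shutting down at: 17:01:51
>>
>> I've used this page with an interception proxy and these three POST values
>> are the only ones that are sent.
"""

QUOTE = re.compile(r"^[>\s]+")                       # leading "> > " markers
RECORD_START = re.compile(r"^\[(?:\d\d:\d\d:\d\d|\*)\] ")
ENTRY = re.compile(r"^\[\d\d:\d\d:\d\d\] \[[A-Z]+\] (?P<msg>.*)$")
PARAM = r"(?P<place>[\w-]+) parameter '(?P<name>[^']+)'"

# (pattern, field to set, value); patterns are matched from the message start.
EVENTS = [
    (re.compile(PARAM + r" is not dynamic$"), "dynamic", False),
    (re.compile(PARAM + r" is dynamic$"), "dynamic", True),
    (re.compile(r"testing sql injection on " + PARAM), "injection_tested", True),
    (re.compile(PARAM + r" is not injectable$"), "verdict", "not injectable"),
]


def unwrap(text):
    """Strip quote markers and join wrapped continuation lines onto the
    record they belong to; a blank line ends the current record."""
    records, open_record = [], False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).rstrip()
        if not line:
            open_record = False
        elif RECORD_START.match(line):
            records.append(line)
            open_record = True
        elif open_record:
            records[-1] += " " + line
    return records


def summarize(text):
    """Map (place, name) to what the log says happened to that parameter."""
    params = {}
    for record in unwrap(text):
        entry = ENTRY.match(record)
        if not entry:
            continue
        for pattern, field, value in EVENTS:
            hit = pattern.match(entry.group("msg"))
            if hit:
                key = (hit.group("place"), hit.group("name"))
                state = params.setdefault(
                    key,
                    {"dynamic": None, "injection_tested": False, "verdict": None},
                )
                state[field] = value
                break
    return params


def never_tested(text):
    """Parameters that appear in the log but never reached injection tests."""
    return [key for key, s in summarize(text).items() if not s["injection_tested"]]


if __name__ == "__main__":
    for (place, name), s in summarize(SAMPLE_LOG).items():
        print("%-10s %-14s dynamic=%s tested=%s verdict=%s" % (
            place, name, s["dynamic"], s["injection_tested"], s["verdict"]))
    print("never injection-tested:", never_tested(SAMPLE_LOG))
```

Run against the quoted 0.8 output, it lists the three POST fields and the User-Agent header as never injection-tested, so the final "not injectable" warning covers only the GET parameter 'page'.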
From: Miroslav S. <mir...@gm...> - 2011-01-06 08:06:16
|
hi Chris.

have you tried with the latest development version from our SVN repository?

kr

On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <chr...@gm...> wrote:
> Hi all
>
> I'm playing with sqlmap and it seems to be working quite well for GET based parameters. However, for POST I'm not sure if it's working. To test sqlmap out, I've downloaded and installed Mutillidae (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10) and have been looking at the login page. I know that the password field is vulnerable to SQL injection, and have entered the following command to sqlmap:
>
> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session
>
> This results in the following output:
>
> sqlmap/0.8 - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 17:01:17
>
> [17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
> [17:01:17] [INFO] flushing session file
> [17:01:17] [INFO] testing connection to the target url
> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
> [17:01:21] [INFO] url is stable
> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
> [17:01:29] [INFO] GET parameter 'page' is dynamic
> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>
> [*] shutting down at: 17:01:51
>
> I've used this page with an interception proxy and these three POST values are the only ones that are sent.
>
> Does anyone have any idea where I'm going wrong with sqlmap with regards to using it with vulnerable POST values? I've managed to enumerate databases with vulnerable ?id=x type GET parameters but not this.
>
> Thanks in advance!
>
> Chris

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: Miroslav S. <mir...@gm...> - 2011-01-06 08:05:34
|
hi.

thank you for your report :). find the bug fixed in the latest commit.

kr

On Thu, Jan 6, 2011 at 6:18 AM, abc abc <bi...@gm...> wrote:
> hello!
> i found a bug in the latest sqlmap-dev release!
>
> commandline: sqlmap.py -g ABCDEF --batch --is-dba --search --union-test --current-user --current-db --dbs --dump --tables --users --passwords --common-tables --common-columns -x logdatei.txt
>
> error:
>
> [06:13:56] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r2906)
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/opt/sqli/sqlmap/lib/controller/controller.py", line 247, in start
>     setupTargetEnv()
>   File "/opt/sqli/sqlmap/lib/core/target.py", line 302, in setupTargetEnv
>     __createTargetDirs()
>   File "/opt/sqli/sqlmap/lib/core/target.py", line 266, in __createTargetDirs
>     __configureDumper()
>   File "/opt/sqli/sqlmap/lib/core/target.py", line 231, in __configureDumper
>     conf.dumper.setOutputFile()
>   File "/opt/sqli/sqlmap/lib/core/xmldump.py", line 498, in setOutputFile
>     self.__doc.appendChild(self.__root)
>   File "/usr/lib/python2.6/xml/dom/minidom.py", line 1552, in appendChild
>     "two document elements disallowed")
> HierarchyRequestErr: two document elements disallowed
>
> [*] shutting down at: 06:13:56

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: abc a. <bi...@gm...> - 2011-01-06 05:56:30
|
hey! without xml support the program runs fine :-) |
From: abc a. <bi...@gm...> - 2011-01-06 05:19:08
|
hello!
i found a bug in the latest sqlmap-dev release!

commandline: sqlmap.py -g ABCDEF --batch --is-dba --search --union-test --current-user --current-db --dbs --dump --tables --users --passwords --common-tables --common-columns -x logdatei.txt

error:

[06:13:56] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2906)
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/opt/sqli/sqlmap/lib/controller/controller.py", line 247, in start
    setupTargetEnv()
  File "/opt/sqli/sqlmap/lib/core/target.py", line 302, in setupTargetEnv
    __createTargetDirs()
  File "/opt/sqli/sqlmap/lib/core/target.py", line 266, in __createTargetDirs
    __configureDumper()
  File "/opt/sqli/sqlmap/lib/core/target.py", line 231, in __configureDumper
    conf.dumper.setOutputFile()
  File "/opt/sqli/sqlmap/lib/core/xmldump.py", line 498, in setOutputFile
    self.__doc.appendChild(self.__root)
  File "/usr/lib/python2.6/xml/dom/minidom.py", line 1552, in appendChild
    "two document elements disallowed")
HierarchyRequestErr: two document elements disallowed

[*] shutting down at: 06:13:56 |
From: Chris O. <chr...@gm...> - 2011-01-05 17:34:36
|
Hi all

I'm playing with sqlmap and it seems to be working quite well for GET based parameters. However, for POST I'm not sure if it's working. To test sqlmap out, I've downloaded and installed Mutillidae (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10) and have been looking at the login page. I know that the password field is vulnerable to SQL injection, and have entered the following command to sqlmap:

sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session

This results in the following output:

sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:01:17

[17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
[17:01:17] [INFO] flushing session file
[17:01:17] [INFO] testing connection to the target url
[17:01:18] [INFO] testing if the url is stable, wait a few seconds
[17:01:21] [INFO] url is stable
[17:01:21] [INFO] testing if POST parameter 'password' is dynamic
[17:01:22] [WARNING] POST parameter 'password' is not dynamic
[17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
[17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
[17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
[17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
[17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:01:26] [INFO] testing if GET parameter 'page' is dynamic
[17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
[17:01:29] [INFO] GET parameter 'page' is dynamic
[17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
[17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
[17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
[17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
[17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
[17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
[17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
[17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
[17:01:51] [WARNING] GET parameter 'page' is not injectable

[*] shutting down at: 17:01:51

I've used this page with an interception proxy and these three POST values are the only ones that are sent.

Does anyone have any idea where I'm going wrong with sqlmap with regards to using it with vulnerable POST values? I've managed to enumerate databases with vulnerable ?id=x type GET parameters but not this.

Thanks in advance!

Chris |
From: Miroslav S. <mir...@gm...> - 2011-01-05 11:37:44
|
ok. committed the patch. now it should work in multi-threaded mode too.

kr

p.s. it's quite strange that you get 401 in the middle of table dumping, especially that part with --start=47951. have some theories, but they are only conspiracy related.

On Wed, Jan 5, 2011 at 10:19 AM, <nig...@em...> wrote:
> Hi,
>
> the Injection works great for Hours and then this. The only thing i have changed is the start parameter.
>
> sqlmap -u "http://xxxxxxx-xxx/show_thumb_main2.php?id=282334&type=gallery" -a C:\pentest\sqlmap.0.9\txt\user-agents.txt --threads=3 --auth-type=basic --auth-cred=xxxx:xxxxx -p id --suffix=282334 --level 5 --risk 3 --dump -D xxxx -T xxxxxx --start=47951
>
>   File "C:\pentest\sqlmap.0.9\lib\request\basicauthhandler.py", line 33, in http_error_auth_reqed
>     self, auth_header, host, req, headers)
>   File "C:\Python26\lib\urllib2.py", line 833, in http_error_auth_reqed
>     return self.retry_http_basic_auth(host, req, realm)
>   File "C:\Python26\lib\urllib2.py", line 843, in retry_http_basic_auth
>     return self.parent.open(req, timeout=req.timeout)
>   File "C:\Python26\lib\urllib2.py", line 397, in open
>     response = meth(req, response)
>   File "C:\Python26\lib\urllib2.py", line 510, in http_response
>     'http', request, response, code, msg, hdrs)
>   File "C:\Python26\lib\urllib2.py", line 429, in error
>     result = self._call_chain(*args)
>   File "C:\Python26\lib\urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "C:\Python26\lib\urllib2.py", line 855, in http_error_401
>     url, req, headers)
>   File "C:\pentest\sqlmap.0.9\lib\request\basicauthhandler.py", line 33, in http_error_auth_reqed
>     self, auth_header, host, req, headers)
>   File "C:\Python26\lib\urllib2.py", line 833, in http_error_auth_reqed
>     return self.retry_http_basic_auth(host, req, realm)
>   File "C:\Python26\lib\urllib2.py", line 843, in retry_http_basic_auth
>     return self.parent.open(req, timeout=req.timeout)
>   File "C:\Python26\lib\urllib2.py", line 391, in open
>     response = self._open(req, data)
>   File "C:\Python26\lib\urllib2.py", line 409, in _open
>     '_open', req)
>   File "C:\Python26\lib\urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "C:\Python26\lib\urllib2.py", line 1161, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "C:\Python26\lib\urllib2.py", line 1107, in do_open
>     h = http_class(host, timeout=req.timeout) # will parse host:port
> RuntimeError: maximum recursion depth exceeded
>
> [*] shutting down at: 10:12:52

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: Miroslav S. <mir...@gm...> - 2011-01-05 11:31:26
|
hi.

this is a complex Python bug. i've recently found a patch for this kind of behavior, but it seems that the patch only solves the problem with single threaded mode (for those who know python, line 29 in basicauthhandler.py with "if req is not self.retried_req" is problematic for multi threaded mode).

kr

On Wed, Jan 5, 2011 at 10:19 AM, <nig...@em...> wrote:
> Hi,
>
> the Injection works great for Hours and then this. The only thing i have changed is the start parameter.
>
> sqlmap -u "http://xxxxxxx-xxx/show_thumb_main2.php?id=282334&type=gallery" -a C:\pentest\sqlmap.0.9\txt\user-agents.txt --threads=3 --auth-type=basic --auth-cred=xxxx:xxxxx -p id --suffix=282334 --level 5 --risk 3 --dump -D xxxx -T xxxxxx --start=47951
>
>   File "C:\pentest\sqlmap.0.9\lib\request\basicauthhandler.py", line 33, in http_error_auth_reqed
>     self, auth_header, host, req, headers)
>   File "C:\Python26\lib\urllib2.py", line 833, in http_error_auth_reqed
>     return self.retry_http_basic_auth(host, req, realm)
>   File "C:\Python26\lib\urllib2.py", line 843, in retry_http_basic_auth
>     return self.parent.open(req, timeout=req.timeout)
>   File "C:\Python26\lib\urllib2.py", line 397, in open
>     response = meth(req, response)
>   File "C:\Python26\lib\urllib2.py", line 510, in http_response
>     'http', request, response, code, msg, hdrs)
>   File "C:\Python26\lib\urllib2.py", line 429, in error
>     result = self._call_chain(*args)
>   File "C:\Python26\lib\urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "C:\Python26\lib\urllib2.py", line 855, in http_error_401
>     url, req, headers)
>   File "C:\pentest\sqlmap.0.9\lib\request\basicauthhandler.py", line 33, in http_error_auth_reqed
>     self, auth_header, host, req, headers)
>   File "C:\Python26\lib\urllib2.py", line 833, in http_error_auth_reqed
>     return self.retry_http_basic_auth(host, req, realm)
>   File "C:\Python26\lib\urllib2.py", line 843, in retry_http_basic_auth
>     return self.parent.open(req, timeout=req.timeout)
>   File "C:\Python26\lib\urllib2.py", line 391, in open
>     response = self._open(req, data)
>   File "C:\Python26\lib\urllib2.py", line 409, in _open
>     '_open', req)
>   File "C:\Python26\lib\urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "C:\Python26\lib\urllib2.py", line 1161, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "C:\Python26\lib\urllib2.py", line 1107, in do_open
>     h = http_class(host, timeout=req.timeout) # will parse host:port
> RuntimeError: maximum recursion depth exceeded
>
> [*] shutting down at: 10:12:52

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
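The two replies above describe a 401 retry guard that holds in single-threaded mode but not with `--threads`. The sketch below is an added example, not sqlmap's basicauthhandler.py: the class names, the retry limit of 5, and the round-robin scheduler that stands in for interleaved threads are all assumptions made to show why a guard that remembers only the last request never trips when several requests are in flight.

```python
import threading
import weakref


class Request:
    """Stand-in for a urllib request object (constructed for this example)."""

    def __init__(self, url):
        self.url = url


class SingleSlotGuard:
    """Retry guard that remembers only the most recently seen request.

    Assumed shape of a guard built around `if req is not self.retried_req`.
    """

    def __init__(self, limit=5):
        self.limit = limit
        self.retried_req = None
        self.retried = 0

    def allow_retry(self, req):
        if req is not self.retried_req:
            # A different request than last time: start counting from zero.
            self.retried_req = req
            self.retried = 0
        if self.retried >= self.limit:
            return False
        self.retried += 1
        return True


class PerRequestGuard:
    """Retry guard with one counter per request, updated under a lock."""

    def __init__(self, limit=5):
        self.limit = limit
        self._lock = threading.Lock()
        # Weak keys so finished requests do not accumulate in the table.
        self._counts = weakref.WeakKeyDictionary()

    def allow_retry(self, req):
        with self._lock:
            used = self._counts.get(req, 0)
            if used >= self.limit:
                return False
            self._counts[req] = used + 1
            return True


def simulate(guard, requests, max_steps=1000):
    """Drive requests round-robin against a server that always answers 401.

    Each step is one 401 response handed to the guard. max_steps stands in
    for the interpreter's recursion limit. Returns (retries per URL, True if
    the guard eventually gave up on every request).
    """
    retries = {r.url: 0 for r in requests}
    active = list(requests)
    steps = 0
    while active and steps < max_steps:
        for req in list(active):
            steps += 1
            if guard.allow_retry(req):
                retries[req.url] += 1
            else:
                active.remove(req)
    return retries, not active


if __name__ == "__main__":
    # Constructed sample requests; example.invalid never resolves.
    a = Request("http://example.invalid/a")
    b = Request("http://example.invalid/b")
    print("single slot, 1 request :", simulate(SingleSlotGuard(), [a]))
    print("single slot, 2 requests:", simulate(SingleSlotGuard(), [a, b]))
    print("per request, 2 requests:", simulate(PerRequestGuard(), [a, b]))
```
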
From: <nig...@em...> - 2011-01-05 09:19:12
|
Hi,

the Injection works great for Hours and then this. The only thing i have changed is the start parameter.

sqlmap -u "http://xxxxxxx-xxx/show_thumb_main2.php?id=282334&type=gallery" -a C:\pentest\sqlmap.0.9\txt\user-agents.txt --threads=3 --auth-type=basic --auth-cred=xxxx:xxxxx -p id --suffix=282334 --level 5 --risk 3 --dump -D xxxx -T xxxxxx --start=47951

  File "C:\pentest\sqlmap.0.9\lib\request\basicauthhandler.py", line 33, in http_error_auth_reqed
    self, auth_header, host, req, headers)
  File "C:\Python26\lib\urllib2.py", line 833, in http_error_auth_reqed
    return self.retry_http_basic_auth(host, req, realm)
  File "C:\Python26\lib\urllib2.py", line 843, in retry_http_basic_auth
    return self.parent.open(req, timeout=req.timeout)
  File "C:\Python26\lib\urllib2.py", line 397, in open
    response = meth(req, response)
  File "C:\Python26\lib\urllib2.py", line 510, in http_response
    'http', request, response, code, msg, hdrs)
  File "C:\Python26\lib\urllib2.py", line 429, in error
    result = self._call_chain(*args)
  File "C:\Python26\lib\urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "C:\Python26\lib\urllib2.py", line 855, in http_error_401
    url, req, headers)
  File "C:\pentest\sqlmap.0.9\lib\request\basicauthhandler.py", line 33, in http_error_auth_reqed
    self, auth_header, host, req, headers)
  File "C:\Python26\lib\urllib2.py", line 833, in http_error_auth_reqed
    return self.retry_http_basic_auth(host, req, realm)
  File "C:\Python26\lib\urllib2.py", line 843, in retry_http_basic_auth
    return self.parent.open(req, timeout=req.timeout)
  File "C:\Python26\lib\urllib2.py", line 391, in open
    response = self._open(req, data)
  File "C:\Python26\lib\urllib2.py", line 409, in _open
    '_open', req)
  File "C:\Python26\lib\urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "C:\Python26\lib\urllib2.py", line 1161, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "C:\Python26\lib\urllib2.py", line 1107, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
RuntimeError: maximum recursion depth exceeded

[*] shutting down at: 10:12:52 |
From: Miroslav S. <mir...@gm...> - 2011-01-03 23:36:43
|
hi.

thx and find it fixed in the latest commit.

kr

p.s. please, mails with real site urls send privately to me and/or Bernardo

On Mon, Jan 3, 2011 at 11:41 PM, x <dee...@ma...> wrote:
> hi,
> no idea if it's a bug or not, but:
>
> cmd:
>
> sqlmap.py -u "http://www.dutchdesignweek.nl/event.php?id=1472" --dump -T accounts
>
> error:
>
> [23:36:24] [WARNING] Ctrl+C detected in dumping phase
>
> [23:36:24] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r2891)
> Python version: 2.7
> Operating system: nt
> Traceback (most recent call last):
>   File "C:\sqlmap\sqlmap.py", line 83, in main
>     start()
>   File "C:\sqlmap\lib\controller\controller.py", line 404, in start
>     action()
>   File "C:\sqlmap\lib\controller\action.py", line 107, in action
>     conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>   File "C:\sqlmap\plugins\generic\enumeration.py", line 1380, in dumpTable
>     attackDumpedTable()
>   File "C:\sqlmap\lib\utils\hash.py", line 222, in attackDumpedTable
>     value = table[column]['values'][i]
> IndexError: list index out of range
>
> [*] shutting down at: 23:36:24

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: x <dee...@ma...> - 2011-01-03 22:41:59
|
hi,
no idea if it's a bug or not, but:

cmd:

sqlmap.py -u "http://www.dutchdesignweek.nl/event.php?id=1472" --dump -T accounts

error:

[23:36:24] [WARNING] Ctrl+C detected in dumping phase

[23:36:24] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2891)
Python version: 2.7
Operating system: nt
Traceback (most recent call last):
  File "C:\sqlmap\sqlmap.py", line 83, in main
    start()
  File "C:\sqlmap\lib\controller\controller.py", line 404, in start
    action()
  File "C:\sqlmap\lib\controller\action.py", line 107, in action
    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "C:\sqlmap\plugins\generic\enumeration.py", line 1380, in dumpTable
    attackDumpedTable()
  File "C:\sqlmap\lib\utils\hash.py", line 222, in attackDumpedTable
    value = table[column]['values'][i]
IndexError: list index out of range

[*] shutting down at: 23:36:24 |
From: Miroslav S. <mir...@gm...> - 2011-01-03 22:04:42
|
hi x.

thank you for your report. it resulted in a pretty important update.

kind regards.

On Mon, Jan 3, 2011 at 9:27 PM, x <dee...@ma...> wrote:
> cmd:
>
> sqlmap.py -u "http://www.rscomputerhandel.de/index.php?option=com_content&view=section&layout=blog&id=31&Itemid=88&lang=de"
>
> error:
>
> [17:54:17] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 48 times, 500 (Internal Server Error) - 47 times
>
> [17:54:17] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r2888)
> Python version: 2.7
> Operating system: nt
> Traceback (most recent call last):
>   File "C:\sqlmap\sqlmap.py", line 83, in main
>     start()
>   File "C:\sqlmap\lib\controller\controller.py", line 335, in start
>     elif not checkDynParam(place, parameter, value):
>   File "C:\sqlmap\lib\controller\checks.py", line 540, in checkDynParam
>     dynResult = Request.queryPage(payload, place, raise404=False)
>   File "C:\sqlmap\lib\request\connect.py", line 454, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "C:\sqlmap\lib\request\connect.py", line 276, in getPage
>     responseMsg += getUnicode(logHeaders)
> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 69: ordinal not in range(128)
>
> [*] shutting down at: 17:54:17

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
From: x <dee...@ma...> - 2011-01-03 20:27:56
|
cmd:

sqlmap.py -u "http://www.rscomputerhandel.de/index.php?option=com_content&view=section&layout=blog&id=31&Itemid=88&lang=de"

error:

[17:54:17] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 48 times, 500 (Internal Server Error) - 47 times

[17:54:17] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with
the latest development version from the Subversion repository. If the exception
persists, please send by e-mail to sql...@li... the comma
nd line, the following text and any information needed to reproduce the bug. The
developers will try to reproduce the bug, fix it accordingly and get back to yo
u.
sqlmap version: 0.9-dev (r2888)
Python version: 2.7
Operating system: nt
Traceback (most recent call last):
  File "C:\sqlmap\sqlmap.py", line 83, in main
    start()
  File "C:\sqlmap\lib\controller\controller.py", line 335, in star
t
    elif not checkDynParam(place, parameter, value):
  File "C:\sqlmap\lib\controller\checks.py", line 540, in checkDyn
Param
    dynResult = Request.queryPage(payload, place, raise404=False)
  File "C:\sqlmap\lib\request\connect.py", line 454, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie,
ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, r
aise404=raise404, ignoreTimeout=timeBasedCompare)
  File "C:\sqlmap\lib\request\connect.py", line 276, in getPage
    responseMsg += getUnicode(logHeaders)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 69: ordinal
not in range(128)

[*] shutting down at: 17:54:17
From: Miroslav S. <mir...@gm...> - 2011-01-01 12:23:24
|
Hi.

Find it fixed in the latest commit. There is still an issue that we haven't "adjusted" xml structure of the output xml session file with the latest changes. Will do.

KR, and Happy New Year :)

On Fri, Dec 31, 2010 at 7:56 PM, <ra...@jo...> wrote:

> C:\pentest\sqlmap-0.9>sqlmap -u "
> http://xxxxxxxxxxxxxxxxxxxx.xxx/retrievePhoto.php?fid=236"
> --auth-type=basic --auth-cred=xxxx:xxxx -a C:\user-agents.txt --level 5
> --risk 3 -x c:\xxxxx
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 19:40:11
>
> [19:40:12] [INFO] fetched random HTTP User-Agent header from file
> 'C:\user-agents.txt': Opera/9.00 (Wii; U; ; 1038-58; Wii Shop Channel/1.0;
> en)
> [19:40:12] [INFO] using 'C:\pentest\sqlmap-0.9\output\xxxxx.xxxx\session'
> as session file
> [19:40:15] [INFO] resuming injection data from session file
> [19:40:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
> [19:40:15] [INFO] resuming back-end DBMS operating system 'None' from
> session file
> [19:40:15] [INFO] resuming back-end DBMS 'mysql 5' from session file
> [19:40:15] [INFO] resuming back-end DBMS operating system 'None' from
> session file
> [19:40:15] [INFO] resuming back-end DBMS operating system 'None' from
> session file
> [19:40:53] [INFO] testing connection to the target url
> sqlmap identified the following injection points with 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: fid
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE clause
> Payload: fid=236" AND 7994=7994 AND "zBkq"="zBkq
>
> Type: error-based
> Title: MySQL >= 5.0 AND error-based - WHERE clause
> Payload: fid=236" AND (SELECT 1744 FROM(SELECT
> COUNT(*),CONCAT(CHAR(58,101,115,110,58),(SELECT (CASE WHEN (1744=1744) THEN
> 1 ELSE 0 END)),CHAR(58,113,104,110,58),FLOOR(RAND(0)*2))x FROM
> information_schema.tables GROUP BY x)a) AND "EkEX"="EkEX
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 AND time-based blind
> Payload: fid=236" AND SLEEP(5) AND "Ftwr"="Ftwr
> ---
>
>
> [19:40:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the command line, the following text
> and any information needed to reproduce the bug. The developers will try to
> reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev
> Python version: 2.6.6
> Operating system: nt
> Traceback (most recent call last):
> File "C:\pentest\sqlmap-0.9\sqlmap.py", line 80, in main
> start()
> File "C:\pentest\sqlmap-0.9\lib\controller\controller.py",
> line 387, in start
> __showInjections()
> File "C:\pentest\sqlmap-0.9\lib\controller\controller.py",
> line 121, in __showInjections
> dumper.technic(header, data)
> File "C:\pentest\sqlmap-0.9\lib\core\dump.py", line 93, in
> technic
> self.string(header, data)
> File "C:\pentest\sqlmap-0.9\lib\core\dump.py", line 65, in
> string
> self.__write("%s:\n---\n%s\n---\n" % (header, data))
> File "C:\pentest\sqlmap-0.9\lib\core\dump.py", line 38, in
> __write
> self.__outputFP.write(text)
> AttributeError: 'NoneType' object has no attribute 'write'
> C:\pentest\sqlmap-0.9>
>
>
> I wish you all a Happy New Year :)
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: <ra...@jo...> - 2010-12-31 19:11:31
|
C:\pentest\sqlmap-0.9>sqlmap -u "http://xxxxxxxxxxxxxxxxxxxx.xxx/retrievePhoto.php?fid=236" --auth-type=basic --auth-cred=xxxx:xxxx -a C:\user-agents.txt --level 5 --risk 3 -x c:\xxxxx

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 19:40:11

[19:40:12] [INFO] fetched random HTTP User-Agent header from file 'C:\user-agents.txt': Opera/9.00 (Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)
[19:40:12] [INFO] using 'C:\pentest\sqlmap-0.9\output\xxxxx.xxxx\session' as session file
[19:40:15] [INFO] resuming injection data from session file
[19:40:15] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[19:40:15] [INFO] resuming back-end DBMS operating system 'None' from session file
[19:40:15] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:40:15] [INFO] resuming back-end DBMS operating system 'None' from session file
[19:40:15] [INFO] resuming back-end DBMS operating system 'None' from session file
[19:40:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with 0 HTTP(s) requests:
---
Place: GET
Parameter: fid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE clause
Payload: fid=236" AND 7994=7994 AND "zBkq"="zBkq

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE clause
Payload: fid=236" AND (SELECT 1744 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,115,110,58),(SELECT (CASE WHEN (1744=1744) THEN 1 ELSE 0 END)),CHAR(58,113,104,110,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND "EkEX"="EkEX

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: fid=236" AND SLEEP(5) AND "Ftwr"="Ftwr
---

[19:40:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev
Python version: 2.6.6
Operating system: nt
Traceback (most recent call last):
  File "C:\pentest\sqlmap-0.9\sqlmap.py", line 80, in main
    start()
  File "C:\pentest\sqlmap-0.9\lib\controller\controller.py", line 387, in start
    __showInjections()
  File "C:\pentest\sqlmap-0.9\lib\controller\controller.py", line 121, in __showInjections
    dumper.technic(header, data)
  File "C:\pentest\sqlmap-0.9\lib\core\dump.py", line 93, in technic
    self.string(header, data)
  File "C:\pentest\sqlmap-0.9\lib\core\dump.py", line 65, in string
    self.__write("%s:\n---\n%s\n---\n" % (header, data))
  File "C:\pentest\sqlmap-0.9\lib\core\dump.py", line 38, in __write
    self.__outputFP.write(text)
AttributeError: 'NoneType' object has no attribute 'write'
C:\pentest\sqlmap-0.9>

I wish you all a Happy New Year :)
From: Miroslav S. <mir...@gm...> - 2010-12-29 15:24:37
|
...and, I've almost forgotten to tell you that with the latest patch you'll definitely have more positives than before with all sorts of non-ASCII conformant charset pages.

kr

On Wed, Dec 29, 2010 at 4:20 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi all.
>
> I've stumbled upon a page with all Cyrillic chars, high match ratio (lots of
> javascript inside), and in normal situations you would normally use
> --string. But, the problem was that I couldn't type a single Cyrillic
> character into console (they were replaced with ???, and I wouldn't change
> my charset map just to type those in).
>
> In those cases --text-only is highly desirable and it helped a lot. No more
> --string was needed. Also, I've realized that we've left a part in page
> processing where we've filtered out all those "strange" characters and
> replaced them with '?' - which probably led to a harder finding of "blind
> injectable" pages.
>
> So, by this latest fix, you'll be able to use --string method with those
> "strange" chars (if you properly set your console) as in page response there
> is no more replacing with '?'. Also, for all of you 'lazy' ones, use
> --text-only wherever you stumble upon pages with strange charsets and with
> really minor changes in blind response.
>
> Kind regards.
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-12-29 15:20:59
|
Hi all.

I've stumbled upon a page with all Cyrillic chars, high match ratio (lots of javascript inside), and in normal situations you would normally use --string. But, the problem was that I couldn't type a single Cyrillic character into console (they were replaced with ???, and I wouldn't change my charset map just to type those in).

In those cases --text-only is highly desirable and it helped a lot. No more --string was needed. Also, I've realized that we've left a part in page processing where we've filtered out all those "strange" characters and replaced them with '?' - which probably led to a harder finding of "blind injectable" pages.

So, by this latest fix, you'll be able to use --string method with those "strange" chars (if you properly set your console) as in page response there is no more replacing with '?'. Also, for all of you 'lazy' ones, use --text-only wherever you stumble upon pages with strange charsets and with really minor changes in blind response.

Kind regards.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
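The effect described in the message above, as an added example that is not sqlmap's code and not part of the original post: two responses that differ only in a short Cyrillic message look almost identical as full pages, clearly different as text only, and nearly identical again once non-ASCII characters are replaced with '?'. The sample pages, the helper names and the use of `difflib.SequenceMatcher` as the similarity measure are assumptions of this example.

```python
import re
from difflib import SequenceMatcher

# Constructed responses (not from the thread): the same script-heavy markup,
# with only a short Cyrillic message differing between the two pages.
SCRIPT = "<script>" + "var a=1;f(a);" * 40 + "</script>"
PAGE_TRUE = "<html><body>" + SCRIPT + "<p>Товар найден</p></body></html>"
PAGE_FALSE = "<html><body>" + SCRIPT + "<p>Нет данных</p></body></html>"


def lossy_ascii(page):
    """Behaviour the post says was removed: non-ASCII chars become '?'."""
    return page.encode("ascii", "replace").decode("ascii")


def text_only(page):
    """Hypothetical text-only view: drop script blocks, then all tags."""
    page = re.sub(r"(?is)<script.*?</script>", "", page)
    return re.sub(r"(?s)<[^>]+>", "", page).strip()


def ratio(a, b):
    """Similarity in [0, 1]; autojunk is off so repeated script text counts."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def compare_views():
    """Ratios between the two pages under each processing choice."""
    return {
        "full page": ratio(PAGE_TRUE, PAGE_FALSE),
        "text only": ratio(text_only(PAGE_TRUE), text_only(PAGE_FALSE)),
        "text only, '?' replaced": ratio(text_only(lossy_ascii(PAGE_TRUE)),
                                         text_only(lossy_ascii(PAGE_FALSE))),
    }


def string_marker_usable(marker, process=lambda page: page):
    """A marker works only if it is in the true page and not in the false one."""
    return marker in process(PAGE_TRUE) and marker not in process(PAGE_FALSE)


if __name__ == "__main__":
    for view, value in compare_views().items():
        print("%-26s %.3f" % (view, value))
    print("marker on raw pages:  ", string_marker_usable("найден"))
    print("marker on lossy pages:", string_marker_usable("найден", lossy_ascii))
```
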
From: Miroslav S. <mir...@gm...> - 2010-12-29 08:19:49
|
hi.

this was probably fixed a long time ago. update to the latest version from our SVN repository to have it fixed (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev).

kr

p.s. if you are trying to change content of the queries.xml with the non-ASCII conformant characters then please try with the latest version and please report.

On Wed, Dec 29, 2010 at 6:59 AM, Cheng Roger <hm...@gm...> wrote:

>
> sqlmap version: 0.8
> Python version: 2.6.2
> Operating system: win32
> Traceback (most recent call last):
> File "sqlmap.py", line 74, in main
> File "lib\core\option.pyc", line 1141, in init
> File "lib\parse\queriesfile.pyc", line 229, in queriesParser
> File "xml\sax\__init__.pyc", line 33, in parse
> File "xml\sax\expatreader.pyc", line 107, in parse
> File "xml\sax\xmlreader.pyc", line 119, in parse
> File "xml\sax\expatreader.pyc", line 111, in prepareParser
> UnicodeEncodeError: 'ascii' codec can't encode characters in position
> 30-31: ord
> inal not in range(128)
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Cheng R. <hm...@gm...> - 2010-12-29 05:59:33
|
sqlmap version: 0.8
Python version: 2.6.2
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 74, in main
  File "lib\core\option.pyc", line 1141, in init
  File "lib\parse\queriesfile.pyc", line 229, in queriesParser
  File "xml\sax\__init__.pyc", line 33, in parse
  File "xml\sax\expatreader.pyc", line 107, in parse
  File "xml\sax\xmlreader.pyc", line 119, in parse
  File "xml\sax\expatreader.pyc", line 111, in prepareParser
UnicodeEncodeError: 'ascii' codec can't encode characters in position 30-31: ord
inal not in range(128)
From: Miroslav S. <mir...@gm...> - 2010-12-28 14:45:18
|
hi.

After a pair of try/failures with different encode/decode schemes, the conclusion is that urllib2 and ssl in python really have a problem with sending of non-ASCII conformant values. The only solution which I can offer at this time is based on a http://en.wikipedia.org/wiki/Unicode_and_HTML.

So, basically, now all non-ASCII conformant chars used in headers and/or post data are automatically converted to the format described in that article. Please retry and tell me the results.

Also, this was based on an assumption that you've used "tricky" character(s) related to header and/or post. If you've used it somewhere else please tell.

kr

On Tue, Dec 28, 2010 at 2:36 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> First I thought that this was some kind of python problem, but this moment
> I realized that you've probably used non-ASCII compatible cookie and/or
> data. Well, I am not sure that python supports net sending of unicode
> characters at the lowest level. Will research.
>
> KR
>
>
> On Tue, Dec 28, 2010 at 6:39 AM, black zero <tim...@gm...> wrote:
>
>> sqlmap version: 0.9-dev (r2817)
>> Python version: 2.6.5
>> Operating system: posix
>> Traceback (most recent call last):
>> File "sqlmap.py", line 79, in main
>> start()
>> File "/home/z00/sqlmap-dev/lib/controller/controller.py", line 248, in
>> start
>> if not checkConnection(suppressOutput=conf.forms) or not
>> checkString() or not checkRegexp():
>> File "/home/z00/sqlmap-dev/lib/controller/checks.py", line 764, in
>> checkConnection
>> page, _ = Request.queryPage(content=True)
>> File "/home/z00/sqlmap-dev/lib/request/connect.py", line 438, in
>> queryPage
>> page, headers = Connect.getPage(url=uri, get=get, post=post,
>> cookie=cookie, ua=ua, silent=silent, method=method,
>> auxHeaders=auxHeaders, response=response, raise404=raise404,
>> ignoreTimeout=timeBasedCompare)
>> File "/home/z00/sqlmap-dev/lib/request/connect.py", line 189, in getPage
>> conn = urllib2.urlopen(req)
>> File "/usr/lib/python2.6/urllib2.py", line 126, in urlopen
>> return _opener.open(url, data, timeout)
>> File "/usr/lib/python2.6/urllib2.py", line 391, in open
>> response = self._open(req, data)
>> File "/usr/lib/python2.6/urllib2.py", line 409, in _open
>> '_open', req)
>> File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
>> result = func(*args)
>> File "/usr/lib/python2.6/urllib2.py", line 1169, in https_open
>> return self.do_open(httplib.HTTPSConnection, req)
>> File "/usr/lib/python2.6/urllib2.py", line 1133, in do_open
>> h.request(req.get_method(), req.get_selector(), req.data, headers)
>> File "/usr/lib/python2.6/httplib.py", line 910, in request
>> self._send_request(method, url, body, headers)
>> File "/usr/lib/python2.6/httplib.py", line 947, in _send_request
>> self.endheaders()
>> File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
>> self._send_output()
>> File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
>> self.send(msg)
>> File "/usr/lib/python2.6/httplib.py", line 755, in send
>> self.sock.sendall(str)
>> File "/usr/lib/python2.6/ssl.py", line 203, in sendall
>> v = self.send(data[count:])
>> File "/usr/lib/python2.6/ssl.py", line 94, in <lambda>
>> self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
>> File "/usr/lib/python2.6/ssl.py", line 174, in send
>> v = self._sslobj.write(data)
>> UnicodeEncodeError: 'ascii' codec can't encode character u'\u0131' in
>> position 307: ordinal not in range(128)
>>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
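The conversion described in the message above, as an added example that is not sqlmap's code and not part of the original thread: non-ASCII characters are replaced with numeric character references (the format in the linked article) so the outgoing value is pure ASCII. The function names, the constructed sample value and the percent-encoding step for urlencoded bodies are assumptions of this example.

```python
import html
from urllib.parse import parse_qs, quote_plus

# Constructed sample value containing U+0131, the character in the traceback.
SAMPLE = "kullan\u0131c\u0131"


def ascii_encode_fails(value):
    """True if a plain ASCII encode raises, as in the reported traceback."""
    try:
        value.encode("ascii")
        return False
    except UnicodeEncodeError:
        return True


def to_ncr(value):
    """Replace every non-ASCII character with a decimal reference (&#N;).

    The result is ASCII-only, so it can be used as a header value as well.
    """
    return value.encode("ascii", "xmlcharrefreplace").decode("ascii")


def form_body(params):
    """Build an ASCII-only urlencoded body from (name, value) pairs.

    The '&', '#' and ';' of each reference are percent-encoded so they
    cannot be read as parameter separators by the receiver.
    """
    return "&".join("%s=%s" % (quote_plus(k), quote_plus(to_ncr(v)))
                    for k, v in params)


def read_form_body(body):
    """Receiving side: urldecode, then resolve the references."""
    return {k: html.unescape(v[0]) for k, v in parse_qs(body).items()}


def unquoted_body_as_parsed():
    """What a form parser sees if the references are NOT percent-encoded."""
    return parse_qs("user=" + to_ncr(SAMPLE))["user"]


if __name__ == "__main__":
    body = form_body([("user", SAMPLE)])
    print(to_ncr(SAMPLE))             # ASCII-only value with references
    print(body)                       # safe urlencoded body
    print(read_form_body(body))       # original text recovered
    print(unquoted_body_as_parsed())  # value cut at the first '&'
```

A receiver that does not resolve character references sees the literal reference text rather than the original character, so whether the value round-trips depends on the application behind the endpoint.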