sqlmap-users Mailing List for sqlmap (Page 117)
From: Miroslav S. <mir...@gm...> - 2010-11-04 21:51:24
|
hi Ulises.

i am glad to see that someone has started using sqlmap against Access databases :)

we've done necessary patches to prevent sqlmap crash in this kind of situations, but still, we don't have implemented dumping of tables for MS Access (due to non existent way for column enumeration - if someone has some idea non-brute force related, please say and we'll try to implement it).

also, support for this DBMS is still in (early) development phase and we hope that we'll finish it in some reasonable time.

kr

On Thu, Nov 4, 2010 at 8:05 PM, Ulises2k <uli...@gm...> wrote:
> [15:30:49] [INFO] using '/root/sqlmap-dev/output/xxxx/session' as session file
> [15:30:49] [INFO] resuming injection point 'GET' from session file
> [15:30:49] [INFO] resuming injection parameter 'Id' from session file
> [15:30:49] [INFO] resuming injection type 'numeric' from session file
> [15:30:49] [INFO] resuming match ratio '0.9' from session file
> [15:30:49] [INFO] resuming 0 number of parenthesis from session file
> [15:30:49] [INFO] resuming back-end DBMS 'microsoft access' from session file
> [15:30:49] [INFO] testing connection to the target url
> [15:30:50] [INFO] testing for parenthesis on injectable parameter
> [15:30:50] [INFO] the back-end DBMS is Microsoft Access
> web server operating system: Windows 2008
> web application technology: ASP.NET, Microsoft IIS 7.5, ASP
> back-end DBMS: Microsoft Access
> [15:30:50] [ERROR] cannot retrieve table names, back-end DBMS is Access
> do you want to use common table existance check? [Y/n/q]Y
> [15:30:52] [INFO] checking tables existence using items from '/root/sqlmap-dev/txt/common-tables.txt'
> [15:32:06] [INFO] retrieved:
> notas
> [15:57:55] [INFO] tried: 1780/1780 items (100%)
>
> [15:57:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r2265)
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 79, in main
>     start()
>   File "/root/sqlmap-dev/lib/controller/controller.py", line 298, in start
>     action()
>   File "/root/sqlmap-dev/lib/controller/action.py", line 117, in action
>     conf.dbmsHandler.dumpAll()
>   File "/root/sqlmap-dev/plugins/generic/enumeration.py", line 1263, in dumpAll
>     for db, tables in kb.data.cachedTables.items():
> AttributeError: 'list' object has no attribute 'items'

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Ulises2k <uli...@gm...> - 2010-11-04 19:06:07
|
[15:30:49] [INFO] using '/root/sqlmap-dev/output/xxxx/session' as session file
[15:30:49] [INFO] resuming injection point 'GET' from session file
[15:30:49] [INFO] resuming injection parameter 'Id' from session file
[15:30:49] [INFO] resuming injection type 'numeric' from session file
[15:30:49] [INFO] resuming match ratio '0.9' from session file
[15:30:49] [INFO] resuming 0 number of parenthesis from session file
[15:30:49] [INFO] resuming back-end DBMS 'microsoft access' from session file
[15:30:49] [INFO] testing connection to the target url
[15:30:50] [INFO] testing for parenthesis on injectable parameter
[15:30:50] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
[15:30:50] [ERROR] cannot retrieve table names, back-end DBMS is Access
do you want to use common table existance check? [Y/n/q]Y
[15:30:52] [INFO] checking tables existence using items from '/root/sqlmap-dev/txt/common-tables.txt'
[15:32:06] [INFO] retrieved:
notas
[15:57:55] [INFO] tried: 1780/1780 items (100%)

[15:57:55] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2265)
Python version: 2.5.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 79, in main
    start()
  File "/root/sqlmap-dev/lib/controller/controller.py", line 298, in start
    action()
  File "/root/sqlmap-dev/lib/controller/action.py", line 117, in action
    conf.dbmsHandler.dumpAll()
  File "/root/sqlmap-dev/plugins/generic/enumeration.py", line 1263, in dumpAll
    for db, tables in kb.data.cachedTables.items():
AttributeError: 'list' object has no attribute 'items'
From: Miroslav S. <mir...@gm...> - 2010-11-04 17:19:05
|
Hi.

Just to inform you all that there was a huge nasty bug in detection engine ("stable" pages affected) leading to false negatives (on rough estimate, every 10th target was affected). We've found it thanks to ToR's (ss...@em...) help. Plz update to have it fixed.

Kind regards.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-11-02 18:01:49
|
Hi ToR.

Thank you for your report. Update to the latest development revision (r2240) to have it fixed.

Kind regards.

On Tue, Nov 2, 2010 at 5:31 PM, ToR <ss...@em...> wrote:
> [17:16:23] [WARNING] unknown charset 'utf-8, text/html'. Please report by e-mail to sql...@li....

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: ToR <ss...@em...> - 2010-11-02 16:31:26
|
[17:16:23] [WARNING] unknown charset 'utf-8, text/html'. Please report by e-mail to sql...@li.... |
From: Bernardo D. A. G. <ber...@gm...> - 2010-10-25 23:39:32
|
Fixed and committed. Thanks for reporting. Bernardo On Tue, Oct 19, 2010 at 13:53, Anton Mogilin <aza...@ya...> wrote: >> Can you please provide us with your patch against the root of the svn working copy? 'svn diff . > union.patch will work. > Hi, of course, here it is: > > (though I don't know if this is a proper solution. There were > "if isinstance(kb.unionPosition, int):" checks in > lib/techniques/inband/union/test.py) > > Index: plugins/dbms/oracle/enumeration.py > =================================================================== > --- plugins/dbms/oracle/enumeration.py (revision 2074) > +++ plugins/dbms/oracle/enumeration.py (working copy) > @@ -36,7 +36,7 @@ > # Set containing the list of DBMS administrators > areAdmins = set() > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if query2: > query = rootQuery["inband"]["query2"] > condition = rootQuery["inband"]["condition2"] > @@ -196,7 +196,7 @@ > colQuery = colQuery % column > > for db in dbs.keys(): > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > query += colQuery > values = inject.getValue(query, blind=False) > Index: plugins/dbms/mssqlserver/filesystem.py > =================================================================== > --- plugins/dbms/mssqlserver/filesystem.py (revision 2074) > +++ plugins/dbms/mssqlserver/filesystem.py (working copy) 
> @@ -92,7 +92,7 @@ > binToHexQuery = urlencode(binToHexQuery, convall=True) > inject.goStacked(binToHexQuery) > > - if kb.unionPosition: > + if kb.unionPosition != None: > result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False) > > if not result: > Index: plugins/dbms/mssqlserver/enumeration.py > =================================================================== > --- plugins/dbms/mssqlserver/enumeration.py (revision 2074) > +++ plugins/dbms/mssqlserver/enumeration.py (working copy) > @@ -48,7 +48,7 @@ > else: > dbs = [conf.db] > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > for db in dbs: > if conf.excludeSysDbs and db in self.excludeDbsList: > infoMsg = "skipping system database '%s'" % db > @@ -138,7 +138,7 @@ > > continue > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] % db > query += tblQuery > values = inject.getValue(query, blind=False) > @@ -223,7 +223,7 @@ > > continue > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] % (db, db, db, db, db) > query += " AND %s" % colQuery.replace("[DB]", db) > values = inject.getValue(query, blind=False) > Index: plugins/generic/enumeration.py > =================================================================== > --- plugins/generic/enumeration.py (revision 2082) > +++ plugins/generic/enumeration.py (working copy) > @@ -138,7 +138,7 @@ > condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) ) > condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema ) > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if condition: > query = rootQuery["inband"]["query2"] > else: 
> @@ -195,7 +195,7 @@ > > logger.info(infoMsg) > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): > query = rootQuery["inband"]["query2"] > else: > @@ -392,7 +392,7 @@ > "E": "EXECUTE" > } > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "MySQL" and not kb.data.has_information_schema: > query = rootQuery["inband"]["query2"] > condition = rootQuery["inband"]["condition2"] > @@ -638,7 +638,7 @@ > > rootQuery = queries[kb.dbms].dbs > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "MySQL" and not kb.data.has_information_schema: > query = rootQuery["inband"]["query2"] > else: > @@ -705,7 +705,7 @@ > > rootQuery = queries[kb.dbms].tables > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > condition = rootQuery["inband"]["condition"] > > @@ -901,7 +901,7 @@ > infoMsg += "on database '%s'" % conf.db > logger.info(infoMsg) > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms in ( "MySQL", "PostgreSQL" ): > query = rootQuery["inband"]["query"] % (conf.tbl, conf.db) > query += condQuery > @@ -1080,7 +1080,7 @@ > > entriesCount = 0 > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "Oracle": > query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper()) > elif kb.dbms == "SQLite": > @@ -1338,7 +1338,7 @@ > dbQuery = "%s%s" % (dbCond, dbCondParam) > dbQuery = dbQuery % db > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "MySQL" and not kb.data.has_information_schema: > query = rootQuery["inband"]["query2"] > else: 
> @@ -1426,7 +1426,7 @@ > tblQuery = "%s%s" % (tblCond, tblCondParam) > tblQuery = tblQuery % tbl > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > query += tblQuery > query += exclDbsQuery > @@ -1547,7 +1547,7 @@ > colQuery = "%s%s" % (colCond, colCondParam) > colQuery = colQuery % column > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > query += colQuery > query += exclDbsQuery > Index: lib/controller/action.py > =================================================================== > --- lib/controller/action.py (revision 2074) > +++ lib/controller/action.py (working copy) > @@ -60,7 +60,7 @@ > if conf.timeTest: > conf.dumper.technic("time based blind sql injection payload", timeTest()) > > - if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition: > + if ( conf.unionUse or conf.unionTest ) and kb.unionPosition == None: > conf.dumper.technic("valid union", unionTest()) > > # Enumeration options > Index: lib/core/agent.py > =================================================================== > --- lib/core/agent.py (revision 2074) > +++ lib/core/agent.py (working copy) > @@ -452,7 +452,7 @@ > query = query[len("TOP %s " % topNum):] > inbandQuery += "TOP %s " % topNum > > - if not exprPosition: > + if exprPosition == None: > exprPosition = kb.unionPosition > > intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I) > Index: lib/core/session.py > =================================================================== > --- lib/core/session.py (revision 2074) > +++ lib/core/session.py (working copy) 
> @@ -223,7 +223,7 @@ > kb.unionComment = comment > kb.unionCount = count > > - if position: > + if position != None: > condition = ( > not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and > ( not kb.resumedQueries[conf.url].has_key("Union position") > Index: lib/request/inject.py > =================================================================== > --- lib/request/inject.py (revision 2074) > +++ lib/request/inject.py (working copy) > @@ -347,7 +347,7 @@ > > expression = expression.replace("DISTINCT ", "") > > - if inband and kb.unionPosition: > + if inband and kb.unionPosition != None: > value = __goInband(expression, expected, sort, resumeValue, unpack, dump) > > if not value: > > > > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
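Review bot: The comparisons introduced throughout the patch, for example `if kb.unionPosition != None or conf.direct:` in plugins/dbms/oracle/enumeration.py and `if exprPosition == None:` in lib/core/agent.py, should test identity with `is not None` / `is None` rather than `!=` / `==`. Equality against None goes through the operand's comparison methods, while the identity test states exactly what these hunks mean: "a position has been found, even if it is 0". The submitter also points out that lib/techniques/inband/union/test.py already uses `isinstance(kb.unionPosition, int)` for the same question, so it is worth settling on one spelling across the tree.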
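Review bot: The same condition, `kb.unionPosition != None or conf.direct`, is edited by hand ten times in plugins/generic/enumeration.py alone and again in the Oracle and MSSQL plugins, which is how the original truthiness test ended up copied everywhere. Consider moving it into one small helper (or a property on `kb`) and calling that from each site, so the next change to what counts as "inband is available" is made in a single place. No test accompanies the patch; a case that resumes a session with union position 0 would pin the behaviour that lib/core/session.py's `if position != None:` is meant to restore.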
From: Miroslav S. <mir...@gm...> - 2010-10-25 15:54:32
|
...also, if you have any great idea, but need a help with implementation, give us a hint and we'll try to help you as much as we can.

kind regards.

On Mon, Oct 25, 2010 at 5:53 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> We've implemented IDS detection testing with switch '--check-payload'. It uses PHPIDS set of rules for detection purposes and only warns a user (not changing anything in the program's workflow).
>
> Now, as you all know there is also --tamper switch, and couple of tampering modules in "./tamper" directory.
>
> Right now we are calling talented security experts/programmers/hackers who will implement tamper script(s) passing --check-payload. Use any method you like and consult other tampering scripts for sample of implementation. If you succeed (no need to be DBMS independent) you'll get a HUGE thanks in doc/THANKS and will help other users as well.
>
> Kind regards.
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-10-25 15:53:11
|
Hi.

We've implemented IDS detection testing with switch '--check-payload'. It uses PHPIDS set of rules for detection purposes and only warns a user (not changing anything in the program's workflow).

Now, as you all know there is also --tamper switch, and couple of tampering modules in "./tamper" directory.

Right now we are calling talented security experts/programmers/hackers who will implement tamper script(s) passing --check-payload. Use any method you like and consult other tampering scripts for sample of implementation. If you succeed (no need to be DBMS independent) you'll get a HUGE thanks in doc/THANKS and will help other users as well.

Kind regards.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Bernardo D. A. G. <ber...@gm...> - 2010-10-25 11:38:00
|
We have experienced this behaviour before. On Windows XP as a target, the dbms process user is not able to launch the payload stager (or any other portable executable). However, on W2k3 it works.

Bernardo

2010/10/23 Christophe Clémence <cl...@ya...>:
> Hi,
> It works fine ... but it can't launch the remote exe file, I think it's a security of windows xp or mysql ...
> Thanks ;)
> ________________________________
> From: Miroslav Stampar <mir...@gm...>
> To: Christophe Clémence <cl...@ya...>
> Cc: sql...@li...
> Sent: Sat 23 October 2010, 8h 46min 17s
> Subject: Re: [sqlmap-users] Error on takeover
>
> Hi Christophe.
>
> It seems that you are using too old version (it's official but right now it's too old :) ). In the latest 0.9-dev this is fixed.
>
> Please checkout the latest development version from our SVN repository by doing this:
>
> svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
>
> Kind regards.
>
> 2010/10/23 Christophe Clémence <cl...@ya...>:
>> Hi, I'm trying sqlmap, it works good but when I want to take over the server, sqlmap crashes !
>> Here is the command line I used : sqlmap -u http://192.168.1.5/sql.php?id=1 --os-pwn --msf-path /opt/metasploit3 -v 1
>> It asks me for the languages supported by the server and the root directory (I wrote "C:/Program Files/wamp/www/")
>> It asks for the directory to upload the agent, I wrote the same path ...
>> And then ... error ! It didn't give me the filename of the agent :(
>> I noticed that the file agent has been uploaded (I own the target server) but the first line begins with the first line of the sql table I created for this tests (???)
>> And the agent works good (files are uploaded without problems)
>> Here is the trace of the error :
>> [00:22:13] [ERROR] unhandled exception in sqlmap/0.8, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
>> sqlmap version: 0.8
>> Python version: 2.5.2
>> Operating system: linux2
>> Traceback (most recent call last):
>>   File "/usr/bin/sqlmap", line 77, in main
>>     start()
>>   File "/usr/share/sqlmap/lib/controller/controller.py", line 259, in start
>>     action()
>>   File "/usr/share/sqlmap/lib/controller/action.py", line 144, in action
>>     conf.dbmsHandler.osPwn()
>>   File "/usr/share/sqlmap/plugins/generic/takeover.py", line 169, in osPwn
>>     self.initEnv(web=web)
>>   File "/usr/share/sqlmap/lib/takeover/abstraction.py", line 155, in initEnv
>>     self.webInit()
>>   File "/usr/share/sqlmap/lib/takeover/web.py", line 189, in webInit
>>     uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
>>   File "/usr/share/sqlmap/lib/request/connect.py", line 126, in getPage
>>     conn = urllib2.urlopen(req)
>>   File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
>>     return _opener.open(url, data)
>>   File "/usr/lib/python2.5/urllib2.py", line 381, in open
>>     response = self._open(req, data)
>>   File "/usr/lib/python2.5/urllib2.py", line 399, in _open
>>     '_open', req)
>>   File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
>>     result = func(*args)
>>   File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
>>     return self.do_open(httplib.HTTPConnection, req)
>>   File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
>>     h = http_class(host) # will parse host:port
>>   File "/usr/lib/python2.5/httplib.py", line 639, in __init__
>>     self._set_hostport(host, port)
>>   File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
>>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
>> InvalidURL: nonnumeric port: ''
>> [*] shutting down at: 00:22:13
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Ulisses C. <uss...@gm...> - 2010-10-25 04:20:11
|
Like Bernardo said here in this list a couple mails later...

"
Get sqlmap from svn. Use asterisk to mark the injection point. Eg:
www.site.tld/path/category_123*/getItem.do

Bernardo Damele A. G.
"

Maybe helps.

Cheers,
Ulisses Castro

On Mon, Oct 25, 2010 at 1:15 AM, Ryan Fabella <ry...@gm...> wrote:
> Dear List,
>
> i have problem how to use sqlmap to test within mod_rewrite
>
> example
>
> http://victime.com/news/2010/1
>
> i found SQLi on 2010
>
> it's blind SQLi
>
> http://victime.com/news/2010 and 1=1/1
>
> http://victime.com/news/2010 and 1=0/1
>
> how to use with sqlmap.
>
> Thank you
From: Ryan F. <ry...@gm...> - 2010-10-25 03:15:22
|
Dear List,

i have problem how to use sqlmap to test within mod_rewrite

example

http://victime.com/news/2010/1

i found SQLi on 2010

it's blind SQLi

http://victime.com/news/2010 and 1=1/1

http://victime.com/news/2010 and 1=0/1

how to use with sqlmap.

Thank you
From: Miroslav S. <mir...@gm...> - 2010-10-24 22:06:40
|
Hi Anton.

First of all thank you for your most useful report. We've done necessary changes in code regarding your observations and tested against MySQL v5 (all working fine).

Also, we already have a "similar" ticket for this kind of things -> versioning of queries. That means that we'll soon add support for different queries depending on different DBMS versions (like in your case MySQL < v4.1 and after that).

Kind regards.

On Sat, Oct 23, 2010 at 5:35 PM, Anton Mogilin <aza...@ya...> wrote:
> Hi.
>
> I tried to use sqlmap with MySQL 4.0.15 and found some incompatibilities.
>
> Once there was an error
>> 1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '(10000)),42' at line 1
> Here is a line from xml/queries.xml:
> <cast query="CAST(%s AS CHAR(10000))"/>
> According to http://dev.mysql.com/doc/refman/4.1/en/cast-functions.html#function_convert the possibility to set max length of string is not available prior 4.1.1.
> Replaced that line with
> <cast query="CAST(%s AS CHAR)"/>
> and the error disappeared. Looks like everything is OK with new MySQL versions too. Though limiting length of resulting string can be useful...
>
> And one more:
> <banner query="SELECT VERSION()"/>
> Error is:
>> 1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'select version()),42' at line 1
> From http://dev.mysql.com/doc/refman/4.1/en/subqueries.html :
>> Starting with MySQL 4.1, all subquery forms and operations that the SQL standard requires are supported, as well as a few features that are MySQL-specific.
>> With MySQL versions prior to 4.1, it was necessary to work around or avoid the use of subqueries.
> But with
> <banner query="VERSION()"/>
> there is no error. And if I'm not wrong there should not be troubles with newer versions of MySQL.
> Also similar thing with "SELECT CURRENT_USER()" and "SELECT DATABASE()".
>
> Maybe these things could be fixed? I guess there will be troubles with another functions with such old software but at least functions above can be done working.
>
> And I'd like to say thanks for keeping enhancing and fixing sqlmap...

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Bernardo D. A. G. <ber...@gm...> - 2010-10-24 09:47:25
|
Get sqlmap from svn. Use asterisk to mark the injection point. Eg:
www.site.tld/path/category_123*/getItem.do

Bernardo Damele A. G.

On 24/Oct/2010, at 09:12, Thomas Schreiber <ts...@go...> wrote:
> Hi,
>
> I have discovered an SQL-Injection where the app extracts the parameter for the SQL query from the URL like this:
>
> www.site.tld/path/category_123/getItem.do
>
> 123 is the parameter. Changing this to www.site.tld/path/category_'/getItem.do leads to an SQL syntax error.
>
> As far as I can see, sqlmap does not support addressing the data in the path itself. Any ideas?
>
> Thank you
> Thomas
From: Thomas S. <ts...@go...> - 2010-10-24 08:11:26
|
Hi,

I have discovered an SQL-Injection where the app extracts the parameter for the SQL query from the URL like this:

www.site.tld/path/category_123/getItem.do

123 is the parameter. Changing this to www.site.tld/path/category_'/getItem.do leads to an SQL syntax error.

As far as I can see, sqlmap does not support addressing the data in the path itself. Any ideas?

Thank you
Thomas
From: Anton M. <aza...@ya...> - 2010-10-23 15:35:58
|
Hi.

I tried to use sqlmap with MySQL 4.0.15 and found some incompatibilities.

Once there was an error
> 1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '(10000)),42' at line 1
Here is a line from xml/queries.xml:
<cast query="CAST(%s AS CHAR(10000))"/>
According to http://dev.mysql.com/doc/refman/4.1/en/cast-functions.html#function_convert the possibility to set max length of string is not available prior 4.1.1.
Replaced that line with
<cast query="CAST(%s AS CHAR)"/>
and the error disappeared. Looks like everything is OK with new MySQL versions too. Though limiting length of resulting string can be useful...

And one more:
<banner query="SELECT VERSION()"/>
Error is:
> 1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'select version()),42' at line 1
From http://dev.mysql.com/doc/refman/4.1/en/subqueries.html :
> Starting with MySQL 4.1, all subquery forms and operations that the SQL standard requires are supported, as well as a few features that are MySQL-specific.
> With MySQL versions prior to 4.1, it was necessary to work around or avoid the use of subqueries.
But with
<banner query="VERSION()"/>
there is no error. And if I'm not wrong there should not be troubles with newer versions of MySQL.
Also similar thing with "SELECT CURRENT_USER()" and "SELECT DATABASE()".

Maybe these things could be fixed? I guess there will be troubles with another functions with such old software but at least functions above can be done working.

And I'd like to say thanks for keeping enhancing and fixing sqlmap...
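The version split described in this thread (the CAST length argument from MySQL 4.1.1, subqueries from 4.1, and the "versioning of queries" mentioned in the reply) can be written as a version-gated template lookup. This is an added example, not code from the messages or from sqlmap: `MYSQL_QUERIES`, `parse_version` and `select_query` are hypothetical names, and the bare `CURRENT_USER()` / `DATABASE()` forms are assumed by analogy with the `VERSION()` change reported above.

```python
import re

# Query templates keyed by name. Each entry lists (minimum server version,
# template) pairs. The cast and banner strings are the ones quoted in the
# thread; the table layout and every name here are assumptions for this
# example, not sqlmap's real data structures.
MYSQL_QUERIES = {
    "cast": [
        ((4, 1, 1), "CAST(%s AS CHAR(10000))"),  # length argument: 4.1.1+
        ((0, 0, 0), "CAST(%s AS CHAR)"),         # reported to work on 4.0.15
    ],
    "banner": [
        ((4, 1, 0), "SELECT VERSION()"),         # subquery form: 4.1+
        ((0, 0, 0), "VERSION()"),
    ],
    # Assumed by analogy with the banner fix described in the report.
    "current_user": [
        ((4, 1, 0), "SELECT CURRENT_USER()"),
        ((0, 0, 0), "CURRENT_USER()"),
    ],
    "current_db": [
        ((4, 1, 0), "SELECT DATABASE()"),
        ((0, 0, 0), "DATABASE()"),
    ],
}

# Leading "major.minor[.patch]"; anything after it (-log, -alpha, distro
# suffixes) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Turn a banner such as '5.1.41-3ubuntu12.6' into (5, 1, 41)."""
    match = _VERSION_RE.match(banner or "")
    if not match:
        raise ValueError("unrecognised version banner: %r" % (banner,))
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def select_query(name, banner=None, queries=MYSQL_QUERIES):
    """Return the newest template the given server version supports.

    When the banner is missing or unparsable, fall back to the variant
    with the lowest requirement, which per the report also runs on newer
    servers.
    """
    variants = sorted(queries[name], reverse=True)  # highest minimum first
    try:
        version = parse_version(banner)
    except ValueError:
        return variants[-1][1]
    for minimum, template in variants:
        if version >= minimum:
            return template
    raise LookupError("no %r variant for version %r" % (name, version))


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("4.0.15-log", "4.1.1-alpha", "5.1.41-3ubuntu12.6", None):
        print(sample, "->", select_query("cast", sample),
              "|", select_query("banner", sample))
```

Comparing version tuples rather than strings is what keeps "4.10" from sorting below "4.9".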
From: Christophe C. <cl...@ya...> - 2010-10-23 11:43:11
|
Hi,

It works fine ... but it can't launch the remote exe file, I think it's a security of windows xp or mysql ...

Thanks ;)

________________________________
From: Miroslav Stampar <mir...@gm...>
To: Christophe Clémence <cl...@ya...>
Cc: sql...@li...
Sent: Sat 23 October 2010, 8:46:17
Subject: Re: [sqlmap-users] Error on takeover

Hi Christophe.

It seems that you are using too old version (it's official but right now it's too old :) ). In the latest 0.9-dev this is fixed. Please checkout the latest development version from our SVN repository by doing this:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Kind regards.

2010/10/23 Christophe Clémence <cl...@ya...>:
> Hi, I'm trying sqlmap, it works good but when I want to take over the
> server, sqlmap crashes !
> Here is the command line I used : sqlmap -u http://192.168.1.5/sql.php?id=1
> --os-pwn --msf-path /opt/metasploit3 -v 1
> It asks me for the languages supported by the server and the root directory
> (I wrote "C:/Program Files/wamp/www/")
> It asks for the directory to upload the agent, I wrote the same path ...
> And then ... error ! It didn't give me the filename of the agent :(
> I noticed that the file agent has been uploaded (I own the target
> server) but the first line begins with the first line of the sql table I
> created for these tests (???)
> And the agent works good (files are uploaded without problems)
> Here is the trace of the error :
> [00:22:13] [ERROR] unhandled exception in sqlmap/0.8, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.8
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "/usr/bin/sqlmap", line 77, in main
>     start()
>   File "/usr/share/sqlmap/lib/controller/controller.py", line 259, in start
>     action()
>   File "/usr/share/sqlmap/lib/controller/action.py", line 144, in action
>     conf.dbmsHandler.osPwn()
>   File "/usr/share/sqlmap/plugins/generic/takeover.py", line 169, in osPwn
>     self.initEnv(web=web)
>   File "/usr/share/sqlmap/lib/takeover/abstraction.py", line 155, in initEnv
>     self.webInit()
>   File "/usr/share/sqlmap/lib/takeover/web.py", line 189, in webInit
>     uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True,
> raise404=False)
>   File "/usr/share/sqlmap/lib/request/connect.py", line 126, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
>     return _opener.open(url, data)
>   File "/usr/lib/python2.5/urllib2.py", line 381, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.5/urllib2.py", line 399, in _open
>     '_open', req)
>   File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
>     h = http_class(host) # will parse host:port
>   File "/usr/lib/python2.5/httplib.py", line 639, in __init__
>     self._set_hostport(host, port)
>   File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: ''
> [*] shutting down at: 00:22:13

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Miroslav S. <mir...@gm...> - 2010-10-23 06:46:24
|
Hi Christophe.

It seems that you are using too old version (it's official but right now it's too old :) ). In the latest 0.9-dev this is fixed. Please checkout the latest development version from our SVN repository by doing this:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Kind regards.

2010/10/23 Christophe Clémence <cl...@ya...>:
> Hi, I'm trying sqlmap, it works good but when I want to take over the
> server, sqlmap crashes !
> Here is the command line I used : sqlmap -u http://192.168.1.5/sql.php?id=1
> --os-pwn --msf-path /opt/metasploit3 -v 1
> It asks me for the languages supported by the server and the root directory
> (I wrote "C:/Program Files/wamp/www/")
> It asks for the directory to upload the agent, I wrote the same path ...
> And then ... error ! It didn't give me the filename of the agent :(
> I noticed that the file agent has been uploaded (I own the target
> server) but the first line begins with the first line of the sql table I
> created for these tests (???)
> And the agent works good (files are uploaded without problems)
> Here is the trace of the error :
> [00:22:13] [ERROR] unhandled exception in sqlmap/0.8, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.8
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "/usr/bin/sqlmap", line 77, in main
>     start()
>   File "/usr/share/sqlmap/lib/controller/controller.py", line 259, in start
>     action()
>   File "/usr/share/sqlmap/lib/controller/action.py", line 144, in action
>     conf.dbmsHandler.osPwn()
>   File "/usr/share/sqlmap/plugins/generic/takeover.py", line 169, in osPwn
>     self.initEnv(web=web)
>   File "/usr/share/sqlmap/lib/takeover/abstraction.py", line 155, in initEnv
>     self.webInit()
>   File "/usr/share/sqlmap/lib/takeover/web.py", line 189, in webInit
>     uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True,
> raise404=False)
>   File "/usr/share/sqlmap/lib/request/connect.py", line 126, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
>     return _opener.open(url, data)
>   File "/usr/lib/python2.5/urllib2.py", line 381, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.5/urllib2.py", line 399, in _open
>     '_open', req)
>   File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
>     h = http_class(host) # will parse host:port
>   File "/usr/lib/python2.5/httplib.py", line 639, in __init__
>     self._set_hostport(host, port)
>   File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: ''
> [*] shutting down at: 00:22:13

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Miroslav S. <mir...@gm...> - 2010-10-23 06:43:02
|
Hi Anton.

Thank you for your report. Now it should be fixed in the latest revision.

Kind regards.

On Sat, Oct 23, 2010 at 1:55 AM, Anton Mogilin <aza...@ya...> wrote:
> Got this for couple of URLs:
>
> $ ./sqlmap.py -u http://example.org/test.php?id=1 -p id --current-user
>
> <skipped>
>
> [03:47:19] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9-dev (r2123)
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 79, in main
>     start()
>   File "/path/to/sqlmap-dev/lib/controller/controller.py", line 294, in start
>     action()
>   File "/path/to/sqlmap-dev/lib/controller/action.py", line 75, in action
>     conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())
>   File "/path/to/sqlmap-dev/plugins/generic/enumeration.py", line 100, in getCurrentUser
>     query = queries[kb.dbms].currentUser.query
>   File "/path/to/sqlmap-dev/extra/xmlobject/xmlobject.py", line 351, in __getattr__
>     raise AttributeError(attr)
> AttributeError: currentUser
>
> Seems this trouble was introduced in revision 2122. Switched to rev 2121 and it
> works, switched to rev 2122 and got this error. Though I'm not sure because of
> some authentication issues:
> $ svn update -r 2121
> U plugins/dbms/oracle/enumeration.py
> U plugins/dbms/mssqlserver/enumeration.py
> U plugins/generic/misc.py
> U plugins/generic/enumeration.py
> U extra/xmlobject/xmlobject.py
> U lib/utils/resume.py
> U lib/core/common.py
> U lib/core/agent.py
> U lib/core/option.py
> U lib/request/inject.py
> U lib/techniques/blind/inference.py
> U lib/techniques/error/use.py
> U lib/techniques/error/test.py
> U lib/techniques/inband/union/use.py
> U lib/techniques/inband/union/test.py
> A lib/parse/queriesfile.py
> Authentication realm: <https://svn.sqlmap.org:443> Authentication required
> Password for 'user':
> Authentication realm: <https://svn.sqlmap.org:443> Authentication required
> Username:
> Password for '':
> Authentication realm: <https://svn.sqlmap.org:443> Authentication required
> Username:
> Password for '':
> svn: OPTIONS of 'https://svn.sqlmap.org/sqlmap': authorization failed: Could not authenticate to server: rejected Digest challenge (https://svn.sqlmap.org)

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Anton M. <aza...@ya...> - 2010-10-22 23:55:33
|
Got this for couple of URLs:

$ ./sqlmap.py -u http://example.org/test.php?id=1 -p id --current-user

<skipped>

[03:47:19] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the command line, the following text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9-dev (r2123)
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 79, in main
    start()
  File "/path/to/sqlmap-dev/lib/controller/controller.py", line 294, in start
    action()
  File "/path/to/sqlmap-dev/lib/controller/action.py", line 75, in action
    conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())
  File "/path/to/sqlmap-dev/plugins/generic/enumeration.py", line 100, in getCurrentUser
    query = queries[kb.dbms].currentUser.query
  File "/path/to/sqlmap-dev/extra/xmlobject/xmlobject.py", line 351, in __getattr__
    raise AttributeError(attr)
AttributeError: currentUser

Seems this trouble was introduced in revision 2122. Switched to rev 2121 and it works, switched to rev 2122 and got this error. Though I'm not sure because of some authentication issues:

$ svn update -r 2121
U plugins/dbms/oracle/enumeration.py
U plugins/dbms/mssqlserver/enumeration.py
U plugins/generic/misc.py
U plugins/generic/enumeration.py
U extra/xmlobject/xmlobject.py
U lib/utils/resume.py
U lib/core/common.py
U lib/core/agent.py
U lib/core/option.py
U lib/request/inject.py
U lib/techniques/blind/inference.py
U lib/techniques/error/use.py
U lib/techniques/error/test.py
U lib/techniques/inband/union/use.py
U lib/techniques/inband/union/test.py
A lib/parse/queriesfile.py
Authentication realm: <https://svn.sqlmap.org:443> Authentication required
Password for 'user':
Authentication realm: <https://svn.sqlmap.org:443> Authentication required
Username:
Password for '':
Authentication realm: <https://svn.sqlmap.org:443> Authentication required
Username:
Password for '':
svn: OPTIONS of 'https://svn.sqlmap.org/sqlmap': authorization failed: Could not authenticate to server: rejected Digest challenge (https://svn.sqlmap.org)
|
From: Christophe C. <cl...@ya...> - 2010-10-22 22:37:44
|
Hi, I'm trying sqlmap, it works good but when I want to take over the server, sqlmap crashes !

Here is the command line I used :

sqlmap -u http://192.168.1.5/sql.php?id=1 --os-pwn --msf-path /opt/metasploit3 -v 1

It asks me for the languages supported by the server and the root directory (I wrote "C:/Program Files/wamp/www/")
It asks for the directory to upload the agent, I wrote the same path ...
And then ... error ! It didn't give me the filename of the agent :(
I noticed that the file agent has been uploaded (I own the target server) but the first line begins with the first line of the sql table I created for these tests (???)
And the agent works good (files are uploaded without problems)

Here is the trace of the error :

[00:22:13] [ERROR] unhandled exception in sqlmap/0.8, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 77, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/usr/share/sqlmap/lib/controller/action.py", line 144, in action
    conf.dbmsHandler.osPwn()
  File "/usr/share/sqlmap/plugins/generic/takeover.py", line 169, in osPwn
    self.initEnv(web=web)
  File "/usr/share/sqlmap/lib/takeover/abstraction.py", line 155, in initEnv
    self.webInit()
  File "/usr/share/sqlmap/lib/takeover/web.py", line 189, in webInit
    uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
  File "/usr/share/sqlmap/lib/request/connect.py", line 126, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.5/urllib2.py", line 381, in open
    response = self._open(req, data)
  File "/usr/lib/python2.5/urllib2.py", line 399, in _open
    '_open', req)
  File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
    h = http_class(host) # will parse host:port
  File "/usr/lib/python2.5/httplib.py", line 639, in __init__
    self._set_hostport(host, port)
  File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: ''
[*] shutting down at: 00:22:13
|
From: Miroslav S. <mir...@gm...> - 2010-10-19 18:36:23
|
Hi all.

Beta --error-test switch (it's currently hidden in help listing) in latest revision check is ready to be used/tested. If passed, sqlmap will use error based injection. We've implemented error based injection for 4 major DBMSes (MySQL, MsSQL, PostgreSQL and Oracle) and we are constantly doing upgrades.

One comment: it's blazing fast :).

Looking forward to error reports.

Kind regards.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Anton M. <aza...@ya...> - 2010-10-19 12:54:01
|
> Can you please provide us with your patch against the root of the svn working copy? 'svn diff . > union.patch will work. Hi, of course, here it is: (though I don't know if this is a proper solution. There were "if isinstance(kb.unionPosition, int):" checks in lib/techniques/inband/union/test.py) Index: plugins/dbms/oracle/enumeration.py =================================================================== --- plugins/dbms/oracle/enumeration.py (revision 2074) +++ plugins/dbms/oracle/enumeration.py (working copy) @@ -36,7 +36,7 @@ # Set containing the list of DBMS administrators areAdmins = set() - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if query2: query = rootQuery["inband"]["query2"] condition = rootQuery["inband"]["condition2"] @@ -196,7 +196,7 @@ colQuery = colQuery % column for db in dbs.keys(): - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: query = rootQuery["inband"]["query"] query += colQuery values = inject.getValue(query, blind=False) Index: plugins/dbms/mssqlserver/filesystem.py =================================================================== --- plugins/dbms/mssqlserver/filesystem.py (revision 2074) +++ plugins/dbms/mssqlserver/filesystem.py (working copy) @@ -92,7 +92,7 @@ binToHexQuery = urlencode(binToHexQuery, convall=True) inject.goStacked(binToHexQuery) - if kb.unionPosition: + if kb.unionPosition != None: result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False) if not result: Index: plugins/dbms/mssqlserver/enumeration.py =================================================================== --- plugins/dbms/mssqlserver/enumeration.py (revision 2074) +++ plugins/dbms/mssqlserver/enumeration.py (working copy) 
@@ -48,7 +48,7 @@ else: dbs = [conf.db] - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: for db in dbs: if conf.excludeSysDbs and db in self.excludeDbsList: infoMsg = "skipping system database '%s'" % db @@ -138,7 +138,7 @@ continue - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: query = rootQuery["inband"]["query"] % db query += tblQuery values = inject.getValue(query, blind=False) @@ -223,7 +223,7 @@ continue - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: query = rootQuery["inband"]["query"] % (db, db, db, db, db) query += " AND %s" % colQuery.replace("[DB]", db) values = inject.getValue(query, blind=False) Index: plugins/generic/enumeration.py =================================================================== --- plugins/generic/enumeration.py (revision 2082) +++ plugins/generic/enumeration.py (working copy) @@ -138,7 +138,7 @@ condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) ) condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema ) - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if condition: query = rootQuery["inband"]["query2"] else: @@ -195,7 +195,7 @@ logger.info(infoMsg) - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): query = rootQuery["inband"]["query2"] else: @@ -392,7 +392,7 @@ "E": "EXECUTE" } - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: query = rootQuery["inband"]["query2"] condition = rootQuery["inband"]["condition2"] 
@@ -638,7 +638,7 @@ rootQuery = queries[kb.dbms].dbs - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: query = rootQuery["inband"]["query2"] else: @@ -705,7 +705,7 @@ rootQuery = queries[kb.dbms].tables - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: query = rootQuery["inband"]["query"] condition = rootQuery["inband"]["condition"] @@ -901,7 +901,7 @@ infoMsg += "on database '%s'" % conf.db logger.info(infoMsg) - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if kb.dbms in ( "MySQL", "PostgreSQL" ): query = rootQuery["inband"]["query"] % (conf.tbl, conf.db) query += condQuery @@ -1080,7 +1080,7 @@ entriesCount = 0 - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if kb.dbms == "Oracle": query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper()) elif kb.dbms == "SQLite": @@ -1338,7 +1338,7 @@ dbQuery = "%s%s" % (dbCond, dbCondParam) dbQuery = dbQuery % db - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: query = rootQuery["inband"]["query2"] else: @@ -1426,7 +1426,7 @@ tblQuery = "%s%s" % (tblCond, tblCondParam) tblQuery = tblQuery % tbl - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: query = rootQuery["inband"]["query"] query += tblQuery query += exclDbsQuery @@ -1547,7 +1547,7 @@ colQuery = "%s%s" % (colCond, colCondParam) colQuery = colQuery % column - if kb.unionPosition or conf.direct: + if kb.unionPosition != None or conf.direct: query = rootQuery["inband"]["query"] query += colQuery query += exclDbsQuery Index: lib/controller/action.py =================================================================== --- lib/controller/action.py (revision 2074) +++ lib/controller/action.py (working copy) 
@@ -60,7 +60,7 @@ if conf.timeTest: conf.dumper.technic("time based blind sql injection payload", timeTest()) - if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition: + if ( conf.unionUse or conf.unionTest ) and kb.unionPosition == None: conf.dumper.technic("valid union", unionTest()) # Enumeration options Index: lib/core/agent.py =================================================================== --- lib/core/agent.py (revision 2074) +++ lib/core/agent.py (working copy) @@ -452,7 +452,7 @@ query = query[len("TOP %s " % topNum):] inbandQuery += "TOP %s " % topNum - if not exprPosition: + if exprPosition == None: exprPosition = kb.unionPosition intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I) Index: lib/core/session.py =================================================================== --- lib/core/session.py (revision 2074) +++ lib/core/session.py (working copy) @@ -223,7 +223,7 @@ kb.unionComment = comment kb.unionCount = count - if position: + if position != None: condition = ( not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and ( not kb.resumedQueries[conf.url].has_key("Union position") Index: lib/request/inject.py =================================================================== --- lib/request/inject.py (revision 2074) +++ lib/request/inject.py (working copy) @@ -347,7 +347,7 @@ expression = expression.replace("DISTINCT ", "") - if inband and kb.unionPosition: + if inband and kb.unionPosition != None: value = __goInband(expression, expected, sort, resumeValue, unpack, dump) if not value: |
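Review bot: the new conditions compare against None with "!=" and "==" (for example "if kb.unionPosition != None or conf.direct:" in plugins/generic/enumeration.py and "if exprPosition == None:" in lib/core/agent.py); use the identity tests "is not None" and "is None" instead, which is the idiomatic Python form and does not depend on how the compared object implements equality. The result for the reported case stays the same: position 0 is accepted and None is rejected.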
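Review bot: plugins/generic/enumeration.py is diffed against revision 2082 while every other file in this patch is diffed against revision 2074, so the working copy was at mixed revisions when "svn diff" ran. Please run "svn update" on the whole working copy and regenerate the patch, so that all hunk offsets refer to one revision and the reviewer can apply it in one step.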
From: Miroslav S. <mir...@gm...> - 2010-10-19 08:06:43
|
hi.

please checkout the latest version from our repository. it seems that you are using 0.9-dev version, but with too old revision.

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

kind regards.

p.s. you could instead try to use sqlmap's update mechanism, but as there were some branch mergings you could get some errors regarding permissions.

On Mon, Oct 18, 2010 at 4:28 AM, <leg...@sa...> wrote:
> ->
>
> [03:25:38] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy
> the command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon
> as possible:
> sqlmap version: 0.9-dev
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 89, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line
> 268, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 117,
> in action
>     conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>   File "/pentest/database/sqlmap/lib/core/dump.py", line 329, in dbTableValues
>     self.__write("| %s%s" % (value, blank), n=False)
>   File "/pentest/database/sqlmap/lib/core/dump.py", line 50, in __write
>     print data,
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xe3' in
> position 4: ordinal not in range(128)
>
> [*] shutting down at: 03:25:38

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-10-19 06:53:13
|
Hi Anton,

Good spot! Can you please provide us with your patch against the root of the svn working copy? 'svn diff . > union.patch' will work. I will review it and merge.

Bernardo Damele A. G.

On 19 Oct 2010, at 00:32, Anton Mogilin <aza...@ya...> wrote:
> Hello.
>
> One web application has union query injection. But only zero-th column is printed at the page.
> Like this:
>
> <?php
> if (isset($_GET['name']))
> {
>     mysql_connect('localhost', 'user', 'TopSecret');
>     mysql_select_db('sqlmap_test');
>     $result = mysql_query("SELECT * FROM `data` WHERE `name` = '{$_GET['name']}'");
>     $row = mysql_fetch_row($result);
>     echo $row[0];
> }
> else
> {
>     echo '<a href="?name=item_1">Click me</a>';
> }
> ?>
>
> Data in DBMS should be like this:
> mysql> CREATE DATABASE `sqlmap_test`;
> mysql> USE `sqlmap_test`;
> mysql> CREATE TABLE `data` (`name` VARCHAR(255), `value` VARCHAR(255));
> mysql> INSERT INTO `data` VALUES ('item_1', 'foo');
>
> sqlmap can't determine this injection. And after changing "echo $row[0];" to "echo $row[1];" everything is OK.
> In fact it finds, but set "kb.unionPosition" to 0 and after that check if injection was found with code similar to "if kb.unionPosition:".
> As I understand, expected that kb.unionPosition will be None if nothing is found and 1,2,3... if something is found. And so sqlmap interprets 0-th position as it wasn't found ability to use UNION (because 0 in "if kb.unionPosition:" is interpreted as False).
>
> I did rogue patch basically changing
> if kb.unionPosition:
> to
> if kb.unionPosition != None:
> and similar things. Didn't test carefully and I'm definitely not knowledgeable enough to ensure that everything is done properly, but in my particular case it helped.
>
> diff -ur sqlmap-dev/lib/controller/action.py sqlmap-dev-edited/lib/controller/action.py > --- sqlmap-dev/lib/controller/action.py 2010-10-19 01:50:39.241344594 +0400 > +++ sqlmap-dev-edited/lib/controller/action.py 2010-10-19 02:54:13.465340951 +0400
> @@ -60,7 +60,7 @@ > if conf.timeTest: > conf.dumper.technic("time based blind sql injection payload", timeTest()) > > - if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition: > + if ( conf.unionUse or conf.unionTest ) and kb.unionPosition == None: > conf.dumper.technic("valid union", unionTest()) > > # Enumeration options > diff -ur sqlmap-dev/lib/core/agent.py sqlmap-dev-edited/lib/core/agent.py > --- sqlmap-dev/lib/core/agent.py 2010-10-19 01:50:39.484343548 +0400 > +++ sqlmap-dev-edited/lib/core/agent.py 2010-10-19 02:55:54.672339497 +0400 > @@ -452,7 +452,7 @@ > query = query[len("TOP %s " % topNum):] > inbandQuery += "TOP %s " % topNum > > - if not exprPosition: > + if exprPosition == None: > exprPosition = kb.unionPosition > > intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I) > diff -ur sqlmap-dev/lib/core/session.py sqlmap-dev-edited/lib/core/session.py > --- sqlmap-dev/lib/core/session.py 2010-10-19 01:50:39.501342465 +0400 > +++ sqlmap-dev-edited/lib/core/session.py 2010-10-19 02:52:27.288339918 +0400 > @@ -223,7 +223,7 @@ > kb.unionComment = comment > kb.unionCount = count > > - if position: > + if position != None: > condition = ( > not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and > ( not kb.resumedQueries[conf.url].has_key("Union position") > diff -ur sqlmap-dev/lib/request/inject.py sqlmap-dev-edited/lib/request/inject.py > --- sqlmap-dev/lib/request/inject.py 2010-10-19 01:50:39.600342306 +0400 > +++ sqlmap-dev-edited/lib/request/inject.py 2010-10-19 02:51:28.344340250 +0400 
> @@ -347,7 +347,7 @@ > > expression = expression.replace("DISTINCT ", "") > > - if inband and kb.unionPosition: > + if inband and kb.unionPosition != None: > value = __goInband(expression, expected, sort, resumeValue, unpack, dump) > > if not value: > diff -ur sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py sqlmap-dev-edited/plugins/dbms/mssqlserver/enumeration.py > --- sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py 2010-10-19 01:50:33.629342785 +0400 > +++ sqlmap-dev-edited/plugins/dbms/mssqlserver/enumeration.py 2010-10-19 03:00:52.724338261 +0400 > @@ -48,7 +48,7 @@ > else: > dbs = [conf.db] > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > for db in dbs: > if conf.excludeSysDbs and db in self.excludeDbsList: > infoMsg = "skipping system database '%s'" % db > @@ -138,7 +138,7 @@ > > continue > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] % db > query += tblQuery > values = inject.getValue(query, blind=False) > @@ -223,7 +223,7 @@ > > continue > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] % (db, db, db, db, db) > query += " AND %s" % colQuery.replace("[DB]", db) > values = inject.getValue(query, blind=False) > diff -ur sqlmap-dev/plugins/dbms/mssqlserver/filesystem.py sqlmap-dev-edited/plugins/dbms/mssqlserver/filesystem.py > --- sqlmap-dev/plugins/dbms/mssqlserver/filesystem.py 2010-10-19 01:50:33.625342874 +0400 > +++ sqlmap-dev-edited/plugins/dbms/mssqlserver/filesystem.py 2010-10-19 03:00:15.052341781 +0400 
> @@ -92,7 +92,7 @@ > binToHexQuery = urlencode(binToHexQuery, convall=True) > inject.goStacked(binToHexQuery) > > - if kb.unionPosition: > + if kb.unionPosition != None: > result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False) > > if not result: > diff -ur sqlmap-dev/plugins/dbms/oracle/enumeration.py sqlmap-dev-edited/plugins/dbms/oracle/enumeration.py > --- sqlmap-dev/plugins/dbms/oracle/enumeration.py 2010-10-19 01:50:33.577342360 +0400 > +++ sqlmap-dev-edited/plugins/dbms/oracle/enumeration.py 2010-10-19 03:01:11.381340862 +0400 > @@ -36,7 +36,7 @@ > # Set containing the list of DBMS administrators > areAdmins = set() > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if query2: > query = rootQuery["inband"]["query2"] > condition = rootQuery["inband"]["condition2"] > @@ -196,7 +196,7 @@ > colQuery = colQuery % column > > for db in dbs.keys(): > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > query += colQuery > values = inject.getValue(query, blind=False) > diff -ur sqlmap-dev/plugins/generic/enumeration.py sqlmap-dev-edited/plugins/generic/enumeration.py > --- sqlmap-dev/plugins/generic/enumeration.py 2010-10-19 01:50:33.817345961 +0400 > +++ sqlmap-dev-edited/plugins/generic/enumeration.py 2010-10-19 02:50:44.488340196 +0400 > @@ -136,7 +136,7 @@ > condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) ) > condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema ) > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if condition: > query = rootQuery["inband"]["query2"] > else: 
> @@ -193,7 +193,7 @@ > > logger.info(infoMsg) > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): > query = rootQuery["inband"]["query2"] > else: > @@ -390,7 +390,7 @@ > "E": "EXECUTE" > } > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "MySQL" and not kb.data.has_information_schema: > query = rootQuery["inband"]["query2"] > condition = rootQuery["inband"]["condition2"] > @@ -636,7 +636,7 @@ > > rootQuery = queries[kb.dbms].dbs > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "MySQL" and not kb.data.has_information_schema: > query = rootQuery["inband"]["query2"] > else: > @@ -703,7 +703,7 @@ > > rootQuery = queries[kb.dbms].tables > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > condition = rootQuery["inband"]["condition"] > > @@ -899,7 +899,7 @@ > infoMsg += "on database '%s'" % conf.db > logger.info(infoMsg) > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms in ( "MySQL", "PostgreSQL" ): > query = rootQuery["inband"]["query"] % (conf.tbl, conf.db) > query += condQuery > @@ -1078,7 +1078,7 @@ > > entriesCount = 0 > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "Oracle": > query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper()) > elif kb.dbms == "SQLite": > @@ -1336,7 +1336,7 @@ > dbQuery = "%s%s" % (dbCond, dbCondParam) > dbQuery = dbQuery % db > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > if kb.dbms == "MySQL" and not kb.data.has_information_schema: > query = rootQuery["inband"]["query2"] > else: 
> @@ -1424,7 +1424,7 @@ > tblQuery = "%s%s" % (tblCond, tblCondParam) > tblQuery = tblQuery % tbl > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > query += tblQuery > query += exclDbsQuery > @@ -1545,7 +1545,7 @@ > colQuery = "%s%s" % (colCond, colCondParam) > colQuery = colQuery % column > > - if kb.unionPosition or conf.direct: > + if kb.unionPosition != None or conf.direct: > query = rootQuery["inband"]["query"] > query += colQuery > query += exclDbsQuery > > And thanks very much for such helpful program! > > > > > ------------------------------------------------------------------------------ > Download new Adobe(R) Flash(R) Builder(TM) 4 > The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly > Flex(R) Builder(TM)) enable the development of rich applications that run > across multiple browsers and platforms. Download your free trials today! > http://p.sf.net/sfu/adobe-dev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
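Review bot: In the `@@ -347,7 +347,7 @@` hunk and every hunk after it, `kb.unionPosition != None` should be written `kb.unionPosition is not None`. `None` is a singleton and PEP 8 asks for an identity test; `!=` goes through `__ne__` and can be overridden by the operand's type. The only values for which the old and new tests differ are falsy non-None ones such as 0, so a one-line comment at the first site saying which value is being let through would explain the change to the next reader.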
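Review bot: The condition `kb.unionPosition != None or conf.direct` is hand-edited at each site in plugins/generic/enumeration.py and in the mssqlserver and oracle plugins, so any site the patch missed, or any added later, silently keeps the old truthiness test. Suggest moving the test into one helper (the name is up to the maintainers) and calling it from every site. The plugins/dbms/mssqlserver/filesystem.py hunk is the one plugin site that tests `kb.unionPosition` without `or conf.direct`; please confirm that difference is intended before folding it into a shared helper.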
From: Miroslav S. <mir...@gm...> - 2010-10-19 06:53:02
|
...also, you can try to run sqlmap with -v 5 in your case and read through response messages to get the big picture. if you'll need help with interpretation you can send console output of -v 5 to me privately and I'll try to help you.

bye

On Tue, Oct 19, 2010 at 8:45 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi Ryan.
>
> maybe you don't have enough permissions for accessing table mysql.user.
>
> key query is: SELECT user, password FROM mysql.user
>
> if you could somehow try to access it manually (...AND EXISTS(SELECT
> user, password FROM mysql.user)) and confirm that.
>
> kr
>
> On Tue, Oct 19, 2010 at 5:20 AM, Ryan Fabella <ry...@gm...> wrote:
>> Dear List,
>>
>> i use sqlmap-0.9-dev which is built in on backtrack 4 Rc1
>> my target is using mysql 5.1.30really5.0.75-0ubuntu10.3
>>
>> but i always cannot grab the hash password.
>>
>> [WARNING] unable to retrieve the number of password hashes for user
>>
>> i can get --dbs , --users
>>
>> need your help.
>>
>> Thank You

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
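The reply above attributes the failed hash retrieval to missing permissions on `mysql.user`. As an added example (not from the thread or the sqlmap project), this query lets a database administrator list which accounts can read that table at any grant level; it assumes MySQL 5.0 or later and an administrative session.

```sql
-- Added example: audit which accounts can SELECT from mysql.user.
-- Run as an administrative account; an unprivileged account only sees
-- its own rows in the information_schema privilege tables.

-- Global grants (ON *.*) cover every table, including mysql.user.
SELECT 'global' AS grant_level,
       grantee,
       '*.*' AS scope
FROM information_schema.user_privileges
WHERE privilege_type = 'SELECT'

UNION ALL

-- Database-level grants. table_schema can hold a wildcard pattern
-- (for example '%'), so match the literal name against it with LIKE.
SELECT 'database',
       grantee,
       CONCAT(table_schema, '.*')
FROM information_schema.schema_privileges
WHERE privilege_type = 'SELECT'
  AND 'mysql' LIKE table_schema

UNION ALL

-- Table-level grants on mysql.user itself.
SELECT 'table',
       grantee,
       CONCAT(table_schema, '.', table_name)
FROM information_schema.table_privileges
WHERE privilege_type = 'SELECT'
  AND table_schema = 'mysql'
  AND table_name = 'user'

UNION ALL

-- Column-level grants on individual columns of mysql.user.
SELECT 'column',
       grantee,
       CONCAT(table_schema, '.', table_name, '.', column_name)
FROM information_schema.column_privileges
WHERE privilege_type = 'SELECT'
  AND table_schema = 'mysql'
  AND table_name = 'user'

ORDER BY grant_level, grantee;
```

The account a web application connects with should appear in none of these rows; if it does, an injection in that application can reach the stored password hashes.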