sqlmap-users Mailing List for sqlmap (Page 126)
Brought to you by:
inquisb
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 12:51:41

James,

On Thu, May 20, 2010 at 12:30, <ja...@ev...> wrote:
> ...
> Have you noted that SQLMap misses a lot of vulns? Simple ones like
>
> windowsistrash.asp?id=1';waitfor delay '00:00:15'
>
> And also more complex POST vulns? I've been using SQLNinja on the advice
> of my friend Bert and it appears to pwn windoze better than SQLmap...
> ...

As I said several times, sqlmap can detect only boolean-based blind SQL injection at first. If and once it identifies this type of injection, it can be used to test and exploit UNION query and stacked queries. This is a design flaw which will be fixed in the upcoming months.

sqlninja is not able to detect the injection; you have to instruct it where it is and how to exploit it in the sqlninja.conf file. It uses only waitfor delay (time-based blind SQL injection) to enumerate very little data, the only data needed to take it over. This is why it "pwn windoze better".

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Ignacio H. <nac...@gm...> - 2010-05-20 11:49:07

It's a known flaw on sqlmap, the false negatives, and they are working on it. It is a complex task, as some pages output the URL you are using to inject into the output page. For example, if sqlmap is checking if injection works and tries "vuln.php?id=1 and 1=1", on the output page it can be echoed as something like:

<a href="http://www.site.com/vuln.php?id=1 and 1=1&otherparam=2">

and that can mess up the detection engine... I tried to make an approach to solve this but definitively my Python (and general programming) knowledge was not enough to work on a project like sqlmap. :)

To get data faster from slow sites you can try a semi-blind technique I discovered some time ago (well, I think it was already discovered by someone else but I hadn't noticed). It is some kind of semi-blind injection using arithmetic-based injection. For example, if you are trying to inject on the news app of a web site, they can sometimes echo to the response page something like "This is the X news posted here", where X is the news id selected. The URL could be something like:

site.com?newsid=6

You can inject something like this to get one char for each query you make:

vuln.php?newsid=128-(ascii(mid((select version()),1,1)))

So if it's echoed "This is the 51 news posted here" you know the char is "M" (128-51=77, 77=M). You can make a script to automatize this. I made one but I can't find it right now.

I hope it helps,
Regards.

2010/5/20 <ja...@ev...>
>
> Yeah, that's the weird thing. Stacked SHOULD be enabled. Also no UNION
> ability. I guess I'm boned. :) The injection doesn't respond to any errors..
> That's actually how I found it. Feeding "'" to an arg gave me a blank page
> which is usually good. I suppose it could be a false negative. I will
> inspect further. Also;
>
> A general message to the SQLmap users:
>
> Have you noted that SQLMap misses a lot of vulns? Simple ones like
> windowsistrash.asp?id=1';waitfor delay '00:00:15'
> And also more complex POST vulns? I've been using SQLNinja on the advice
> of my friend Bert and it appears to pwn windoze better than SQLmap...
>
> Bernardo -- Any clue on this? I can provide a few examples of sites in
> private where SQLNinja succeeded and SQLMap failed to detect the GET or POST
> vuln.
> I'm always using SVN too, btw.
>
> If anyone else has noticed this.. please reply.. let's squash this bug...
>
> James @ EV6.net
>
>
> On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G."
> <ber...@gm...> wrote:
>> James,
>>
>> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>>> ...
>>> I'm currently attempting to attack an interesting setup.. A
>>> RedHat(Apache) box with a PHP front end linked to a MS SQL db.
>>
>> It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl)
>> with back-end MSSQL or MySQL recently.
>>
>>> Since it's Apache+Linux it doesn't support stacked queries..
>>
>> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
>> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>>
>>> It's also slow as dog crap going up a hill with the blind injection.
>>> Does anyone know of a way to use the OPENROWSET type attack without
>>> stacked queries?
>>
>> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>>
>>> Or basically have any ideas how I can get enough proof of data from
>>> this box relatively quick?
>>
>> If it is affected by an error-based SQL injection also, something like
>> AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL
>> injection can help, if vulnerable.
>>
>> Cheers,
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
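Seen from the defending side, the payload shapes that come up in this thread (waitfor delay, the arithmetic "128-(ascii(mid(...)))" trick, UNION ALL SELECT NULL probes, AND n=n tautologies) are easy to pick out of an access log. The scanner below is an added example, not code from the thread or from sqlmap; the log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the thread); the request paths
# reuse the payload shapes discussed in the messages above.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2010:11:49:07 +0000] "GET /vuln.php?newsid=128-(ascii(mid((select%20version()),1,1))) HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2010:11:50:12 +0000] "GET /windowsistrash.asp?id=1';waitfor%20delay%20'00:00:15' HTTP/1.1" 200 40
10.0.0.7 - - [20/May/2010:11:51:30 +0000] "GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1" 200 2048
10.0.0.7 - - [20/May/2010:11:52:01 +0000] "GET /vuln.php?id=1%20and%201=1 HTTP/1.1" 200 2048
10.0.0.9 - - [20/May/2010:11:53:44 +0000] "GET /news.php?newsid=6 HTTP/1.1" 200 2048
"""

# Each rule: (technique label, regex applied to the URL-decoded, lower-cased
# query string). Labels are this example's own names for the techniques.
RULES = [
    ("time-based (waitfor delay)",
     re.compile(r"waitfor\s+delay\s+'\d{1,2}:\d{2}:\d{2}'")),
    ("arithmetic semi-blind",
     re.compile(r"\d+\s*-\s*\(\s*ascii\s*\(\s*(mid|substr(ing)?)\s*\(")),
    ("union null bruteforce",
     re.compile(r"union\s+all\s+select\s+null(\s*,\s*null)*")),
    ("boolean-based (tautology)",
     re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b")),
]

# Pulls the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/\d\.\d"')

def classify_query(query: str):
    """Return the list of technique labels whose pattern matches the
    decoded query string (empty list for a benign request)."""
    decoded = unquote_plus(query).lower()
    return [label for label, rx in RULES if rx.search(decoded)]

def scan_log(text: str):
    """Return [(request_path, [labels...])] for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        query = path.partition("?")[2]
        labels = classify_query(query)
        if labels:
            hits.append((path, labels))
    return hits

if __name__ == "__main__":
    for path, labels in scan_log(SAMPLE_LOG):
        print(", ".join(labels), "<-", path)
```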
From: <ja...@ev...> - 2010-05-20 11:41:02

Hi,

Sorry if this is duplicate, I clicked "getting started" in firefox by accident while sending this email..

Yeah I know PHP/MSSQL should support stacked queries but it appears to be disabled.. Judging from the rest of this pen test it just simply cannot be on purpose. I'm thinking maybe a false negative.. However, diagnosing is a little tricky. The webserver just returns a blank page instead of an error (grrr). I will do some more checking if possible. There's also no UNION ability ;(

A general note to SQLMap users / Developers:

I've been using sqlmap pretty much since 0.6 or something and I've noted time and time again it misses simple vulns (on stable pages) for stuff like

http://microsoft.com/windowsucks.aspx?id=31337';waitfor delay '00:00:15'--

It's also quite terrible at detecting POST vulns. The POST vulns I've been testing are mostly shitty login.asp scripts. Bert told me I should be using SQLNinja so I tried it out and voilà, it exploits the vulns; however SQLNinja is more of a database takeover tool and I need data from the dbs as proof for the job.

Just wondering if anyone has noted this and possibly maybe we can send Bernardo some example sites (IN PRIVATE) where SQLNinja was able to succeed and SQLMap failed detection. Let's all submit some urls -- IN PRIVATE -- where SQLmap wasn't able to detect a POST or GET vuln that sqlninja was able to detect? Please? Let's make sqlmap awesomer.

Also, it'd be nice if SQLMap supported uploading debug.exe .scr's and converting them to .exe's on the db box.

AND...

[07:29:27] [INFO] retrieved: sqlmap got a 302 redirect to /index.php - What target address do you want to use from now on? http://www.fbi.gov:80/search/score.php (default) or provide another target address based also on the redirection got from the application

I think? SQLmap is supposed to log that to the session file and use it every time; however it does indeed ask me every time on the same page, same db, same dump params. If it isn't set up that way... it'd be nice, or maybe a cmd arg that is something along the lines of --static-url

What do you guys think?

James

P.S. All URLs have been censored to protect the idiots who pay me.

On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G." <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>> ...
>> I'm currently attempting to attack an interesting setup.. A
>> RedHat(Apache) box with a PHP front end linked to a MS SQL db.
>
> It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl)
> with back-end MSSQL or MySQL recently.
>
>> Since it's Apache+Linux it doesn't support stacked queries..
>
> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>
>> It's also slow as dog crap going up a hill with the blind injection.
>> Does anyone know of a way to use the OPENROWSET type attack without
>> stacked queries?
>
> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>
>> Or basically have any ideas how I can get enough proof of data from
>> this box relatively quick?
>
> If it is affected by an error-based SQL injection also, something like
> AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL
> injection can help, if vulnerable.
>
> Cheers,
From: <ja...@ev...> - 2010-05-20 11:30:10

Yeah, that's the weird thing. Stacked SHOULD be enabled. Also no UNION ability. I guess I'm boned. :) The injection doesn't respond to any errors.. That's actually how I found it. Feeding "'" to an arg gave me a blank page which is usually good. I suppose it could be a false negative. I will inspect further. Also;

A general message to the SQLmap users:

Have you noted that SQLMap misses a lot of vulns? Simple ones like

windowsistrash.asp?id=1';waitfor delay '00:00:15'

And also more complex POST vulns? I've been using SQLNinja on the advice of my friend Bert and it appears to pwn windoze better than SQLmap...

Bernardo -- Any clue on this? I can provide a few examples of sites in private where SQLNinja succeeded and SQLMap failed to detect the GET or POST vuln. I'm always using SVN too, btw.

If anyone else has noticed this.. please reply.. let's squash this bug...

James @ EV6.net

On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G." <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>> ...
>> I'm currently attempting to attack an interesting setup.. A
>> RedHat(Apache) box with a PHP front end linked to a MS SQL db.
>
> It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl)
> with back-end MSSQL or MySQL recently.
>
>> Since it's Apache+Linux it doesn't support stacked queries..
>
> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>
>> It's also slow as dog crap going up a hill with the blind injection.
>> Does anyone know of a way to use the OPENROWSET type attack without
>> stacked queries?
>
> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>
>> Or basically have any ideas how I can get enough proof of data from
>> this box relatively quick?
>
> If it is affected by an error-based SQL injection also, something like
> AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL
> injection can help, if vulnerable.
>
> Cheers,
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 11:19:52

James,

On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
> ...
> I'm currently attempting to attack an interesting setup.. A RedHat(Apache)
> box with a PHP front end linked to a MS SQL db.

It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl) with back-end MSSQL or MySQL recently.

> Since it's Apache+Linux it doesn't support stacked queries..

Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--

> It's also slow as dog crap going up a hill with the blind injection.
> Does anyone know of a way to use the OPENROWSET type attack without
> stacked queries?

You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...

> Or basically have any ideas how I can get enough proof of data from
> this box relatively quick?

If it is affected by an error-based SQL injection also, something like AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL injection can help, if vulnerable.

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 09:04:16

UNION query SQL injection by its nature "appends" your injected query output to the original SELECT statement. It might occur that this (--union-test / --union-use) changes the HTTP responses a lot, so sqlmap is not able to distinguish anymore if the test succeeds or not. This is yet another problem in the detection engine and once again, it will be fixed (hopefully) when we rewrite the detection engine from scratch.

All, in the meanwhile check the SQL injection yourself manually via browser, maybe passing via a proxy (Burp is my choice) so you can easily repeat requests, compare responses, etc. Then spot a string (or regexp) to be used afterwards in sqlmap (--string or --regexp) and, as you've seen David, this solves the problem.

Bernardo

On Mon, May 10, 2010 at 17:55, David Guimaraes <sk...@gm...> wrote:
> Hmm.. seems to work through --string parameter...
>
> So I have to pass the --string parameter whenever I use the union
> technique for sqlmap to identify it correctly!?!
>
>
> On Mon, May 10, 2010 at 11:09 AM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>> For me it works with no problems against SQL injection on SELECT with
>> more than a column.
>> Try to provide sqlmap with --string or --regex. Also, try with
>> --union-tech orderby.
>>
>> Bernardo
>>
>>
>> On Sun, May 9, 2010 at 21:33, David Guimaraes <sk...@gm...> wrote:
>>> I noticed that this has already been happening for some time, sqlmap
>>> fails to properly detect UNION inband sql injection .. even in cases
>>> where the detection is quite simple as shown below:
>>>
>>> http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all
>>> select 1,2,3,4,5,6 (mysql)
>>>
>>> I am currently editing the sessions file directly to use the UNION
>>> technique with sqlmap.
>>>
>>> By using the --union-test and verbose level 2, it was possible to
>>> identify that sqlmap does not completely test the technique of NULL
>>> bruteforcing UNION. It tests only a single column, and reports that
>>> it has found the flaw.. as shown below:
>>>
>>> [16:58:09] [INFO] testing inband sql injection on parameter 'id' with
>>> NULL bruteforcing technique
>>> [16:58:09] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
>>> [16:58:10] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073 HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:10] [WARNING] the target url is not affected by an exploitable
>>> full inband sql injection vulnerability
>>> [16:58:10] [INFO] confirming partial (single entry) inband sql
>>> injection on parameter 'id' by appending a false condition after the
>>> parameter value
>>> [16:58:11] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194 HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:11] [WARNING] the target url is not affected by an exploitable
>>> partial (single entry) inband sql injection vulnerability
>>> [16:58:11] [INFO] confirming partial (single entry) inband sql
>>> injection on parameter 'id' with negative parameter value
>>> [16:58:11] [TRAFFIC OUT] HTTP request:
>>> GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970 HTTP/1.1
>>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>> Host: www.vulnsite.com
>>> Accept-language: en-us,en;q=0.5
>>> Cookie:
>>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>>> Connection: close
>>>
>>> [16:58:12] [WARNING] the target url is not affected by an exploitable
>>> partial (single entry) inband sql injection vulnerability
>>> valid union: None
>>>
>>> Sqlmap documentation says: "By default sqlmap uses the NULL
>>> bruteforcing technique to detect the number of columns within the
>>> original SELECT statement."
>>>
>>> I think the correct use of the brute force technique would be to test
>>> several columns until it finds the correct number. Right?
>>>
>>> --
>>> David Gomes Guimarães
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: 0x05F5A30F
>
> --
> David Gomes Guimarães

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
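Two messages in this thread touch the same detection-engine problem: Ignacio's note that a page echoing the request URL makes a boolean-based test look like a failure, and Bernardo's advice above to hand sqlmap a --string so it compares on a known phrase instead of the whole page. The simulation below is an added example, not sqlmap's code: the "site" is a constructed stand-in that echoes the id parameter into a link, and the three comparators are my own names for the naive, reflection-stripping and --string style approaches.

```python
import re

def render_page(id_value: str, rows_found: bool) -> str:
    """Constructed stand-in for a vulnerable vuln.php (no real site): it
    echoes the request URL into a link, as Ignacio describes, and prints the
    record only when the WHERE clause matched a row."""
    link = f'<a href="http://www.site.com/vuln.php?id={id_value}&otherparam=2">link</a>'
    body = "<p>This is the 6 news posted here</p>" if rows_found else "<p>No news found</p>"
    return f"<html>{link}{body}</html>"

def boolean_blind_check(same) -> bool:
    """Generic boolean-based test: the TRUE payload must look like the
    original page and the FALSE payload must look different. 'same(a, b)'
    is the page comparator under test; the result is whether the test
    would report the injection at all."""
    base = render_page("6", True)
    page_true = render_page("6 and 1=1", True)    # same rows as base
    page_false = render_page("6 and 1=2", False)  # WHERE never matches
    return same(base, page_true) and not same(base, page_false)

def naive_same(a: str, b: str) -> bool:
    """Whole-page equality: gives a false negative here because the
    injected value is reflected into the page."""
    return a == b

def strip_reflection(page: str, param: str) -> str:
    """Drop the echoed query parameter (name and value) before comparing.
    Simplification for the example: a real engine removes the decoded
    payload value wherever it appears rather than matching 'param='."""
    return re.sub(re.escape(param) + r'=[^&"]*', "", page)

def reflection_aware_same(a: str, b: str) -> bool:
    return strip_reflection(a, "id") == strip_reflection(b, "id")

def string_same(needle: str):
    """--string style comparator: two pages agree when the needle is
    present in both or absent from both. A needle that appears on every
    page (e.g. '<html>') makes the test useless, as the test shows."""
    return lambda a, b: (needle in a) == (needle in b)

if __name__ == "__main__":
    print("naive:", boolean_blind_check(naive_same))
    print("reflection-aware:", boolean_blind_check(reflection_aware_same))
    print("--string:", boolean_blind_check(string_same("news posted here")))
```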
From: <ja...@ev...> - 2010-05-20 05:14:33

Hello,

I'm currently attempting to attack an interesting setup.. A RedHat(Apache) box with a PHP front end linked to a MS SQL db. Since it's Apache+Linux it doesn't support stacked queries.. It's also slow as dog crap going up a hill with the blind injection. Does anyone know of a way to use the OPENROWSET type attack without stacked queries? Or basically have any ideas how I can get enough proof of data from this box relatively quick?

Thanks
James
From: <ja...@ev...> - 2010-05-18 23:47:55

[19:10:35] [INFO] resuming back-end DBMS 'microsoft sql server 2000' from session file
[19:10:35] [INFO] resuming union comment '--' from session file
[19:10:35] [INFO] resuming union count 3 from session file
[19:10:35] [INFO] testing connection to the target url
[19:10:36] [INFO] testing for parenthesis on injectable parameter
[19:10:36] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000

do you want to retrieve the SQL statement output? [Y/n] y
[19:10:38] [INFO] fetching SQL query output: ''SELECT OptIn,FirstName,LastName,HomePhone,Zip,Email,DateCreated FROM Customer WHERE DateCreated LIKE '%2009%''
[19:10:38] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
can the SQL query provided return multiple entries? [Y/n] y
[19:10:39] [INFO] retrieving the length of query output
[19:10:39] [ERROR] Unenclosed ' in 'LTRIM(STR(LEN(COUNT('SELECT OptIn))))'

[*] shutting down at: 19:10:39

sqlmap/0.9-dev -- latest svn

also, does --threads work when executing a --sql-query or anything in a --sql-shell?

thx
From: Miroslav S. <mir...@gm...> - 2010-05-15 20:46:06

Hi.

Thank you for your report. This was "patched" weeks ago. Please use the latest development version from the SVN repository to have it fixed (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev).

Kind regards.

On Sat, May 15, 2010 at 9:50 PM, Tiago Natel de Moura <tia...@gm...> wrote:
> Error when executing this command-line: python sqlmap.py -v5 -u
> http://[meu-host]/vuln.asp?id=1 --os-cmd=dir
>
> Stack:
>
> [16:47:08] [INFO] retrieved: [16:47:43] [ERROR] unhandled exception in
> sqlmap/0.8, please copy the command line and the following text and
> send by e-mail to sql...@li.... The developer
> will fix it as soon as possible:
> sqlmap version: 0.8
> Python version: 2.6.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "sqlmap.py", line 77, in main
>     start()
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/controller/controller.py", line 259, in start
>     action()
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/controller/action.py", line 138, in action
>     conf.dbmsHandler.osCmd()
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/plugins/generic/takeover.py", line 78, in osCmd
>     self.runCmd(conf.osCmd)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/takeover/abstraction.py", line 90, in runCmd
>     output = self.evalCmd(cmd)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/takeover/abstraction.py", line 72, in evalCmd
>     return self.xpCmdshellEvalCmd(cmd, first, last)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/takeover/xp_cmdshell.py", line 138, in xpCmdshellEvalCmd
>     output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 373, in getValue
>     value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 303, in __goInferenceProxy
>     outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 95, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 55, in __goInference
>     count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/techniques/blind/inference.py", line 281, in bisection
>     val = getChar(index, asciiTbl)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/techniques/blind/inference.py", line 125, in getChar
>     result = Request.queryPage(forgedPayload)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/connect.py", line 282, in queryPage
>     page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)
>   File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/connect.py", line 179, in getPage
>     page = e.read()
>   File "/usr/lib/python2.6/socket.py", line 327, in read
>     data = self._sock.recv(rbufsize)
>   File "/usr/lib/python2.6/httplib.py", line 537, in read
>     s = self.fp.read(amt)
>   File "/usr/lib/python2.6/socket.py", line 351, in read
>     data = self._sock.recv(left)
> timeout: timed out

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Tiago N. de M. <tia...@gm...> - 2010-05-15 19:51:12

Error when executing this command-line: python sqlmap.py -v5 -u http://[meu-host]/vuln.asp?id=1 --os-cmd=dir

Stack:

[16:47:08] [INFO] retrieved: [16:47:43] [ERROR] unhandled exception in sqlmap/0.8, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8
Python version: 2.6.2
Operating system: linux2
Traceback (most recent call last):
  File "sqlmap.py", line 77, in main
    start()
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/controller/action.py", line 138, in action
    conf.dbmsHandler.osCmd()
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/plugins/generic/takeover.py", line 78, in osCmd
    self.runCmd(conf.osCmd)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/takeover/abstraction.py", line 90, in runCmd
    output = self.evalCmd(cmd)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/takeover/abstraction.py", line 72, in evalCmd
    return self.xpCmdshellEvalCmd(cmd, first, last)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/takeover/xp_cmdshell.py", line 138, in xpCmdshellEvalCmd
    output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 373, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 303, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 95, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/inject.py", line 55, in __goInference
    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/techniques/blind/inference.py", line 281, in bisection
    val = getChar(index, asciiTbl)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/techniques/blind/inference.py", line 125, in getChar
    result = Request.queryPage(forgedPayload)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/connect.py", line 282, in queryPage
    page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)
  File "/home/i4k/programacao/hacking/SQL_Injection/sqlmap/lib/request/connect.py", line 179, in getPage
    page = e.read()
  File "/usr/lib/python2.6/socket.py", line 327, in read
    data = self._sock.recv(rbufsize)
  File "/usr/lib/python2.6/httplib.py", line 537, in read
    s = self.fp.read(amt)
  File "/usr/lib/python2.6/socket.py", line 351, in read
    data = self._sock.recv(left)
timeout: timed out
From: Miroslav S. <mir...@gm...> - 2010-05-13 14:15:57

Hi all.

After the initial Kasper's "complaint", preliminary testing and some researching we've come to this: http://ted.onflash.org/2005/06/python-cpu-tuning.php

The problem seems to be really in the "Python internal C FrameLoop" - or in plain speak, python runs the program as fast as it can without any real rest stops. Research results show that if we put a small time delay in the page retrieval method, which is the main backbone function of sqlmap, CPU intensity dramatically decreases.

Sample command used:

time python sqlmap.py -u "http://xxx.xxx.xxx.xxx/somedir/get_int.php?id=1" --ignore-proxy --threads=2 --read-file /etc/shells --flush-session

1) With time.sleep(.001) (or in plain speak 1/1000 of a second) at the end of the getPage method in the lib/request/connect module:

5.368u 1.100s 0:14.01 46.1% 0+0k 0+48io 0pf+0w

2) Without:

9.160u 1.932s 0:10.94 101.3% 0+0k 0+48io 0pf+0w

You can spot the difference quite easily. So, the real question now is whether to put it as a default value there or leave the choice to the user. You can see that there is a slow down of 3 seconds after all, but you have to keep in mind that this was a test done on a local VM, while there shouldn't be such a difference in a real life case. Also, benefits are more than obvious (cca. 100% drops to less than 50%).

Kind regards.

On Mon, Mar 15, 2010 at 2:24 PM, Kasper Føns <th...@ma...> wrote:
> Dear Miroslav
>
> That was not the point I was trying to make. It would of course be nice to
> utilize the 100% of my computer when a program wants to, but I can see that
> python is crippled in the matter. But what I was asking about was:
> I think it is strange that sqlmap uses 50% of my cpu - What operations
> could require that much cpu? It seems that if a connection to a target is
> slow, sqlmap still uses 50% of the cpu. Is it busy-waiting for the thread
> that is doing the I/O operation to complete?
>
> I'll try again:
> I would see sqlmap's main bottleneck as the internet connection. I can't
> find anything to justify to use my CPU as much as it does. Therefore I think
> some thread is busy-waiting, which really cripples the system (especially if
> I only had 1 CPU). So my question is, is it busy-waiting?
>
> PS: Thanks for the nice link. Was interesting reading.
>
> /Kasper
>
>
> On 15-03-2010 13:17, Miroslav Stampar wrote:
>> Dear Kasper.
>>
>> Python has a "technical" issue dealing with multithreading programs.
>> In part that it can't run threads on multiple cores, it has a really
>> nasty "GIL" problem which is discussed here:
>> http://www.snaplogic.com/blog/?p=94. Threading of sqlmap really speeds
>> it up, but the side effect is that CPU-throttling you are talking
>> about, especially in a high number of threads used.
>>
>> Kind regards.
>>
>> On Mon, Mar 15, 2010 at 12:55 PM, Kasper Føns <th...@ma...> wrote:
>>> Hello sqlmap users.
>>>
>>> I have a question about how sqlmap utilizes the cpu. On my computer the
>>> CPU being utilized is nearly always 50%, and since I have two cores I
>>> suspect some thread to be in deadlock or maybe doing busy-waiting.
>>> If using busy-waiting, I would suggest using an event-based approach
>>> instead.
>>>
>>> /Kasper

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Kasper F. <th...@ma...> - 2010-05-11 13:54:45
Hi Miroslav

That did a great thing! Length output is fetched amazingly fast now, and not much time is spent reading the session file.

Great job! Nicely done.

On 11-05-2010 15:42, Miroslav Stampar wrote:
> Hi.
>
> Bug is fixed, and those speed optimizations are implemented :)
>
> Thank you for your report(s) Kasper and keep up the good work.
>
> Bye.
>
> On Tue, May 11, 2010 at 11:53 AM, Kasper Føns <th...@ma...> wrote:
>> Hello Sqlmap.
>>
>> Bug:
>> When using sqlmap with --threads option, sqlmap first fetches the length of the thing to fetch, and afterwards starts some threads to fetch it. Let's say it found a length 5 output, then it will write:
>>
>> _ _ _ _ _
>>
>> Then, when sqlmap finds the first of these, it will write this:
>>
>> - - - - - (1/5 20%)
>>
>> But, notice that it DID NOT write the letter it found. When the next letter is found it will write
>>
>> x _ _ _ _ (2/5 40%)
>>
>> It seems that it is "one-character behind" in displaying it to the user.
>>
>> Optimization 1:
>> As just mentioned, when using --threads sqlmap first fetches the length of the output. It seems to me that no special fetching method is used for this, just one thread that fetches the number like any other output. But we know it is a number, and therefore we should be able to decrease the binary-searching to only search in the range of these numbers. A smart way to implement this might be to first check if the character we are trying to find is larger or equal to 0, and then check if it is smaller than or equal to 9. This should decrease the range, but still be able to find non-number outputs.
>>
>> Optimization 2:
>> I have noticed that when having a rather large session file, sqlmap is crunching on this for a very long time - I don't know what it is doing, but my guess is that it is building some data structure over the file. If I have a 4MB session file, sqlmap will use 100% of the CPU for about ½-1 minute. I have no concrete idea to decrease this time, but I feel that it is an awfully long time, especially if a connection is lost, and I have to restart multiple times.
>>
>> /Kasper
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2010-05-11 13:42:26
Hi.

Bug is fixed, and those speed optimizations are implemented :)

Thank you for your report(s) Kasper and keep up the good work.

Bye.

On Tue, May 11, 2010 at 11:53 AM, Kasper Føns <th...@ma...> wrote:
> Hello Sqlmap.
>
> Bug:
> When using sqlmap with --threads option, sqlmap first fetches the length of the thing to fetch, and afterwards starts some threads to fetch it. Let's say it found a length 5 output, then it will write:
>
> _ _ _ _ _
>
> Then, when sqlmap finds the first of these, it will write this:
>
> - - - - - (1/5 20%)
>
> But, notice that it DID NOT write the letter it found. When the next letter is found it will write
>
> x _ _ _ _ (2/5 40%)
>
> It seems that it is "one-character behind" in displaying it to the user.
>
> Optimization 1:
> As just mentioned, when using --threads sqlmap first fetches the length of the output. It seems to me that no special fetching method is used for this, just one thread that fetches the number like any other output. But we know it is a number, and therefore we should be able to decrease the binary-searching to only search in the range of these numbers. A smart way to implement this might be to first check if the character we are trying to find is larger or equal to 0, and then check if it is smaller than or equal to 9. This should decrease the range, but still be able to find non-number outputs.
>
> Optimization 2:
> I have noticed that when having a rather large session file, sqlmap is crunching on this for a very long time - I don't know what it is doing, but my guess is that it is building some data structure over the file. If I have a 4MB session file, sqlmap will use 100% of the CPU for about ½-1 minute. I have no concrete idea to decrease this time, but I feel that it is an awfully long time, especially if a connection is lost, and I have to restart multiple times.
>
> /Kasper

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2010-05-11 11:07:11
Hi.

You can check out the latest development version from the SVN repository and have that bug fixed. We will check out those optimization suggestions you've proposed and let you know afterwards.

Kind regards.

On Tue, May 11, 2010 at 11:53 AM, Kasper Føns <th...@ma...> wrote:
> Hello Sqlmap.
>
> Bug:
> When using sqlmap with --threads option, sqlmap first fetches the length of the thing to fetch, and afterwards starts some threads to fetch it. Let's say it found a length 5 output, then it will write:
>
> _ _ _ _ _
>
> Then, when sqlmap finds the first of these, it will write this:
>
> - - - - - (1/5 20%)
>
> But, notice that it DID NOT write the letter it found. When the next letter is found it will write
>
> x _ _ _ _ (2/5 40%)
>
> It seems that it is "one-character behind" in displaying it to the user.
>
> Optimization 1:
> As just mentioned, when using --threads sqlmap first fetches the length of the output. It seems to me that no special fetching method is used for this, just one thread that fetches the number like any other output. But we know it is a number, and therefore we should be able to decrease the binary-searching to only search in the range of these numbers. A smart way to implement this might be to first check if the character we are trying to find is larger or equal to 0, and then check if it is smaller than or equal to 9. This should decrease the range, but still be able to find non-number outputs.
>
> Optimization 2:
> I have noticed that when having a rather large session file, sqlmap is crunching on this for a very long time - I don't know what it is doing, but my guess is that it is building some data structure over the file. If I have a 4MB session file, sqlmap will use 100% of the CPU for about ½-1 minute. I have no concrete idea to decrease this time, but I feel that it is an awfully long time, especially if a connection is lost, and I have to restart multiple times.
>
> /Kasper

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Kasper F. <th...@ma...> - 2010-05-11 09:53:24
Hello Sqlmap.

Bug:
When using sqlmap with --threads option, sqlmap first fetches the length of the thing to fetch, and afterwards starts some threads to fetch it. Let's say it found a length 5 output, then it will write:

_ _ _ _ _

Then, when sqlmap finds the first of these, it will write this:

- - - - - (1/5 20%)

But, notice that it DID NOT write the letter it found. When the next letter is found it will write

x _ _ _ _ (2/5 40%)

It seems that it is "one-character behind" in displaying it to the user.

Optimization 1:
As just mentioned, when using --threads sqlmap first fetches the length of the output. It seems to me that no special fetching method is used for this, just one thread that fetches the number like any other output. But we know it is a number, and therefore we should be able to decrease the binary-searching to only search in the range of these numbers. A smart way to implement this might be to first check if the character we are trying to find is larger or equal to 0, and then check if it is smaller than or equal to 9. This should decrease the range, but still be able to find non-number outputs.

Optimization 2:
I have noticed that when having a rather large session file, sqlmap is crunching on this for a very long time - I don't know what it is doing, but my guess is that it is building some data structure over the file. If I have a 4MB session file, sqlmap will use 100% of the CPU for about ½-1 minute. I have no concrete idea to decrease this time, but I feel that it is an awfully long time, especially if a connection is lost, and I have to restart multiple times.

/Kasper
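The digit-range narrowing proposed under Optimization 1, as an added example that is not sqlmap's inference code: a stub oracle over a constructed secret answers "greater than" questions and counts them, since in a blind retrieval every such question costs one request, so plain bisection and the narrowed version can be compared on the same value. The names (StubOracle, fetch_expecting_digits) are mine; the same count is what a defender sees in server logs as a long run of near-identical requests per character.

```python
"""Bisection of one character at a time through a true/false oracle, with
and without the digit-range narrowing from the report above.
Added example, not sqlmap's code; the oracle is a local stub."""


class StubOracle:
    """Answers 'is the code point at position i greater than v?' over a
    constructed secret, counting every question asked (one request each)."""

    def __init__(self, secret):
        self.secret = secret  # constructed sample; only the oracle reads it
        self.queries = 0

    def greater_than(self, index, value):
        self.queries += 1
        return ord(self.secret[index]) > value

    def length(self):
        return len(self.secret)


def bisect_code_point(oracle, index, low, high):
    """Narrow the inclusive range [low, high] down to one code point."""
    while low < high:
        mid = (low + high) // 2
        if oracle.greater_than(index, mid):
            low = mid + 1
        else:
            high = mid
    return low


def fetch_plain(oracle, low=0, high=127):
    """Baseline: bisect every character over the whole 7-bit range,
    which is exactly 7 questions per character."""
    return "".join(chr(bisect_code_point(oracle, i, low, high))
                   for i in range(oracle.length()))


def fetch_expecting_digits(oracle, low=0, high=127):
    """Optimization 1: first ask whether the character is at or above '0',
    then whether it is above '9'. Digits are then bisected within '0'..'9'
    only; anything else falls back to the remaining range, so non-numeric
    output is still recovered correctly."""
    chars = []
    for i in range(oracle.length()):
        if not oracle.greater_than(i, ord("0") - 1):      # below '0'
            code = bisect_code_point(oracle, i, low, ord("0") - 1)
        elif oracle.greater_than(i, ord("9")):             # above '9'
            code = bisect_code_point(oracle, i, ord("9") + 1, high)
        else:                                              # a digit
            code = bisect_code_point(oracle, i, ord("0"), ord("9"))
        chars.append(chr(code))
    return "".join(chars)


def compare(secret):
    """Return (plain_value, digits_value, plain_queries, digits_queries)."""
    plain, digits = StubOracle(secret), StubOracle(secret)
    a = fetch_plain(plain)
    b = fetch_expecting_digits(digits)
    return a, b, plain.queries, digits.queries


if __name__ == "__main__":
    for secret in ("12345", "ab"):
        print(secret, compare(secret))
```

For a five-digit length such as "12345" the narrowed search needs 27 questions against 35 for plain bisection; for the non-numeric "ab" both recover the value, the narrowed one paying two extra questions per character.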
From: David G. <sk...@gm...> - 2010-05-10 16:56:13
Hmm.. seems to work through the --string parameter... So I have to pass the --string parameter whenever I use the union technique for sqlmap to identify it correctly!?!

On Mon, May 10, 2010 at 11:09 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> For me it works with no problems against SQL injection on SELECT with more than a column.
> Try to provide sqlmap with --string or --regex. Also, try with --union-tech orderby.
>
> Bernardo
>
> On Sun, May 9, 2010 at 21:33, David Guimaraes <sk...@gm...> wrote:
>> I noticed that this has already been happening for some time now: sqlmap fails to properly detect UNION inband sql injection .. even in cases where the detection is quite simple as shown below:
>>
>> http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all select 1,2,3,4,5,6 (mysql)
>>
>> I am currently editing the sessions file directly to use the UNION technique with sqlmap.
>>
>> By using the --union-test and verbose level 2, it was possible to identify that sqlmap does not completely test the technique of NULL bruteforcing UNION. It tests only a single column, and reports that it has found the flaw.. as shown below:
>>
>> [16:58:09] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing technique
>> [16:58:09] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
>> [16:58:10] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073 HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:10] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
>> [16:58:10] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' by appending a false condition after the parameter value
>> [16:58:11] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194 HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:11] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
>> [16:58:11] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' with negative parameter value
>> [16:58:11] [TRAFFIC OUT] HTTP request:
>> GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970 HTTP/1.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: www.vulnsite.com
>> Accept-language: en-us,en;q=0.5
>> Cookie:
>> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
>> Connection: close
>>
>> [16:58:12] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
>> valid union: None
>>
>> Sqlmap documentation says: "By default sqlmap uses the NULL bruteforcing technique to detect the number of columns within the original SELECT statement."
>>
>> I think the correct use of the brute force technique would be to test several columns until it finds the correct number. Right?
>>
>> --
>> David Gomes Guimarães
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F

--
David Gomes Guimarães
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-10 14:09:13
For me it works with no problems against SQL injection on SELECT with more than a column.
Try to provide sqlmap with --string or --regex. Also, try with --union-tech orderby.

Bernardo

On Sun, May 9, 2010 at 21:33, David Guimaraes <sk...@gm...> wrote:
> I noticed that this has already been happening for some time now: sqlmap fails to properly detect UNION inband sql injection .. even in cases where the detection is quite simple as shown below:
>
> http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all select 1,2,3,4,5,6 (mysql)
>
> I am currently editing the sessions file directly to use the UNION technique with sqlmap.
>
> By using the --union-test and verbose level 2, it was possible to identify that sqlmap does not completely test the technique of NULL bruteforcing UNION. It tests only a single column, and reports that it has found the flaw.. as shown below:
>
> [16:58:09] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing technique
> [16:58:09] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
> [16:58:10] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:10] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
> [16:58:10] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' by appending a false condition after the parameter value
> [16:58:11] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:11] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
> [16:58:11] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' with negative parameter value
> [16:58:11] [TRAFFIC OUT] HTTP request:
> GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970 HTTP/1.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: www.vulnsite.com
> Accept-language: en-us,en;q=0.5
> Cookie:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
> Connection: close
>
> [16:58:12] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
> valid union: None
>
> Sqlmap documentation says: "By default sqlmap uses the NULL bruteforcing technique to detect the number of columns within the original SELECT statement."
>
> I think the correct use of the brute force technique would be to test several columns until it finds the correct number. Right?
>
> --
> David Gomes Guimarães

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Alessandro T. <ale...@lo...> - 2010-05-10 11:34:06
2010/5/10 Puja Giri <pg...@cy...>:
> I want to use your sql map tool for the Web application testing for SQL injection flaws. Just wanted to ask, will it work for Web applications?

It's sqlmap. It's SQL injections. You have at least to read and understand http://sqlmap.sourceforge.net/ before any silly question.

> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment."
> www.cybage.com

Oh yeah? This is a confidential mail sent to a public mailing list?

--
Alessandro `jekil` Tanasi
Email: ale...@ta...
MSN: ale...@lo...
From: Puja G. <pg...@cy...> - 2010-05-10 06:18:30
Hello Sir,

I want to use your sql map tool for the Web application testing for SQL injection flaws. Just wanted to ask, will it work for Web applications?

Regards,
Puja Giri, QA Engineer
Cybage Software Pvt. Ltd.
(An SEI-CMMI Level 5 assessed & ISO 27001 Company)
Pune, India
Phone(O): 91-20-66041700, Ext: 7013
Fax: 91-20-66041701

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment."
www.cybage.com
From: David G. <sk...@gm...> - 2010-05-09 20:33:55
I noticed that this has already been happening for some time now: sqlmap fails to properly detect UNION inband sql injection .. even in cases where the detection is quite simple as shown below:

http://www.vulnsite.com/vulnscript.php?id=42 and 1 = 0 union all select 1,2,3,4,5,6 (mysql)

I am currently editing the sessions file directly to use the UNION technique with sqlmap.

By using the --union-test and verbose level 2, it was possible to identify that sqlmap does not completely test the technique of NULL bruteforcing UNION. It tests only a single column, and reports that it has found the flaw.. as shown below:

[16:58:09] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing technique
[16:58:09] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%203967=3967 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:10] [INFO] confirming full inband sql injection on parameter 'id'
[16:58:10] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204073=4073 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:10] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
[16:58:10] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' by appending a false condition after the parameter value
[16:58:11] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=42%20AND%206261=6262%20UNION%20ALL%20SELECT%20NULL%23%20AND%206194=6194 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:11] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
[16:58:11] [INFO] confirming partial (single entry) inband sql injection on parameter 'id' with negative parameter value
[16:58:11] [TRAFFIC OUT] HTTP request:
GET /vulnscript.php?id=-42%20UNION%20ALL%20SELECT%20NULL%23%20AND%204970=4970 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.vulnsite.com
Accept-language: en-us,en;q=0.5
Cookie:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.9-dev (http://sqlmap.sourceforge.net)
Connection: close

[16:58:12] [WARNING] the target url is not affected by an exploitable partial (single entry) inband sql injection vulnerability
valid union: None

Sqlmap documentation says: "By default sqlmap uses the NULL bruteforcing technique to detect the number of columns within the original SELECT statement."

I think the correct use of the brute force technique would be to test several columns until it finds the correct number. Right?

--
David Gomes Guimarães
From: Miroslav S. <mir...@gm...> - 2010-05-04 08:03:29
Hi.

Thank you for your report. The block is properly sanitized and checked into the latest SVN revision. Please check out the latest development version to have it fixed.

Kind regards.

On Tue, May 4, 2010 at 9:37 AM, Thierry Zoller <Th...@zo...> wrote:
> [01:21:15] [INFO] retrieved: IM[01:22:53] [ERROR] unhandled exception in sqlmap/0.8-rc4, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.8-rc4
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 80, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 259, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 108, in action
>     dumper.dbTables(conf.dbmsHandler.getTables())
>   File "/pentest/database/sqlmap/plugins/dbms/mssqlserver.py", line 379, in getTables
>     table = inject.getValue(query, inband=False)
>   File "/pentest/database/sqlmap/lib/request/inject.py", line 373, in getValue
>     value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
>   File "/pentest/database/sqlmap/lib/request/inject.py", line 303, in __goInferenceProxy
>     outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
>   File "/pentest/database/sqlmap/lib/request/inject.py", line 95, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
>   File "/pentest/database/sqlmap/lib/request/inject.py", line 55, in __goInference
>     count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
>   File "/pentest/database/sqlmap/lib/techniques/blind/inference.py", line 239, in bisection
>     val = getChar(index, asciiTbl)
>   File "/pentest/database/sqlmap/lib/techniques/blind/inference.py", line 121, in getChar
>     result = Request.queryPage(forgedPayload)
>   File "/pentest/database/sqlmap/lib/request/connect.py", line 279, in queryPage
>     page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)
>   File "/pentest/database/sqlmap/lib/request/connect.py", line 176, in getPage
>     page = e.read()
>   File "/usr/lib/python2.5/socket.py", line 304, in read
>     data = self._sock.recv(rbufsize)
>   File "/usr/lib/python2.5/httplib.py", line 509, in read
>     return self._read_chunked(amt)
>   File "/usr/lib/python2.5/httplib.py", line 563, in _read_chunked
>     value += self._safe_read(chunk_left)
>   File "/usr/lib/python2.5/httplib.py", line 602, in _safe_read
>     chunk = self.fp.read(min(amt, MAXAMOUNT))
>   File "/usr/lib/python2.5/socket.py", line 328, in read
>     data = self._sock.recv(left)
> timeout: timed out
>
> [*] shutting down at: 01:22:53

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Thierry Z. <Th...@Zo...> - 2010-05-04 07:37:59
[01:21:15] [INFO] retrieved: IM[01:22:53] [ERROR] unhandled exception in sqlmap/0.8-rc4, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8-rc4
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 80, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 108, in action
    dumper.dbTables(conf.dbmsHandler.getTables())
  File "/pentest/database/sqlmap/plugins/dbms/mssqlserver.py", line 379, in getTables
    table = inject.getValue(query, inband=False)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 373, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 303, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 95, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 55, in __goInference
    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/techniques/blind/inference.py", line 239, in bisection
    val = getChar(index, asciiTbl)
  File "/pentest/database/sqlmap/lib/techniques/blind/inference.py", line 121, in getChar
    result = Request.queryPage(forgedPayload)
  File "/pentest/database/sqlmap/lib/request/connect.py", line 279, in queryPage
    page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)
  File "/pentest/database/sqlmap/lib/request/connect.py", line 176, in getPage
    page = e.read()
  File "/usr/lib/python2.5/socket.py", line 304, in read
    data = self._sock.recv(rbufsize)
  File "/usr/lib/python2.5/httplib.py", line 509, in read
    return self._read_chunked(amt)
  File "/usr/lib/python2.5/httplib.py", line 563, in _read_chunked
    value += self._safe_read(chunk_left)
  File "/usr/lib/python2.5/httplib.py", line 602, in _safe_read
    chunk = self.fp.read(min(amt, MAXAMOUNT))
  File "/usr/lib/python2.5/socket.py", line 328, in read
    data = self._sock.recv(left)
timeout: timed out

[*] shutting down at: 01:22:53
From: shaohua p. <pa...@kn...> - 2010-05-03 15:46:33
Sometimes I do use sqlmap for auto-check work, and it would help if the output path could be set to a special path which is not within sqlmap.

Regards,
pan
From: Ole R. <ol...@gm...> - 2010-05-03 14:54:24
The following works in SqlMap:

select name from users

The following does NOT work in SqlMap:

select NOW(), name from users

Both should work as they do in the MySql console.

Regards,
Ole
From: Thierry Z. <Th...@Zo...> - 2010-05-03 13:07:51
[08:15:55] [INFO] retrieved: BESMg[08:19:54] [ERROR] unhandled exception in sqlmap/0.8-rc4, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8-rc4
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 80, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 108, in action
    dumper.dbTables(conf.dbmsHandler.getTables())
  File "/pentest/database/sqlmap/plugins/dbms/mssqlserver.py", line 331, in getTables
    dbs = self.getDbs()
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 674, in getDbs
    db = inject.getValue(query, inband=False)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 373, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 303, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 95, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 55, in __goInference
    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/techniques/blind/inference.py", line 239, in bisection
    val = getChar(index, asciiTbl)
  File "/pentest/database/sqlmap/lib/techniques/blind/inference.py", line 121, in getChar
    result = Request.queryPage(forgedPayload)
  File "/pentest/database/sqlmap/lib/request/connect.py", line 279, in queryPage
    page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)
  File "/pentest/database/sqlmap/lib/request/connect.py", line 176, in getPage
    page = e.read()
  File "/usr/lib/python2.5/socket.py", line 304, in read
    data = self._sock.recv(rbufsize)
  File "/usr/lib/python2.5/httplib.py", line 509, in read
    return self._read_chunked(amt)
  File "/usr/lib/python2.5/httplib.py", line 563, in _read_chunked
    value += self._safe_read(chunk_left)
  File "/usr/lib/python2.5/httplib.py", line 602, in _safe_read
    chunk = self.fp.read(min(amt, MAXAMOUNT))
  File "/usr/lib/python2.5/socket.py", line 328, in read
    data = self._sock.recv(left)
timeout: timed out

[*] shutting down at: 08:19:54