sqlmap-users Mailing List for sqlmap (Page 128)
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users — sqlmap users mailing list
You can subscribe to this list here.
| 2008 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(4) |
Oct
(11) |
Nov
(24) |
Dec
(13) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009 |
Jan
(23) |
Feb
(17) |
Mar
(13) |
Apr
(48) |
May
(22) |
Jun
(18) |
Jul
(22) |
Aug
(13) |
Sep
(23) |
Oct
(6) |
Nov
(11) |
Dec
(25) |
| 2010 |
Jan
(21) |
Feb
(33) |
Mar
(61) |
Apr
(47) |
May
(48) |
Jun
(30) |
Jul
(24) |
Aug
(37) |
Sep
(52) |
Oct
(59) |
Nov
(32) |
Dec
(57) |
| 2011 |
Jan
(166) |
Feb
(93) |
Mar
(65) |
Apr
(117) |
May
(87) |
Jun
(124) |
Jul
(102) |
Aug
(78) |
Sep
(65) |
Oct
(22) |
Nov
(71) |
Dec
(79) |
| 2012 |
Jan
(93) |
Feb
(55) |
Mar
(45) |
Apr
(49) |
May
(56) |
Jun
(93) |
Jul
(95) |
Aug
(42) |
Sep
(26) |
Oct
(36) |
Nov
(32) |
Dec
(46) |
| 2013 |
Jan
(36) |
Feb
(78) |
Mar
(38) |
Apr
(57) |
May
(35) |
Jun
(39) |
Jul
(23) |
Aug
(33) |
Sep
(28) |
Oct
(38) |
Nov
(22) |
Dec
(16) |
| 2014 |
Jan
(33) |
Feb
(23) |
Mar
(41) |
Apr
(29) |
May
(12) |
Jun
(20) |
Jul
(21) |
Aug
(23) |
Sep
(18) |
Oct
(34) |
Nov
(12) |
Dec
(39) |
| 2015 |
Jan
(2) |
Feb
(51) |
Mar
(10) |
Apr
(28) |
May
(9) |
Jun
(22) |
Jul
(32) |
Aug
(35) |
Sep
(29) |
Oct
(50) |
Nov
(8) |
Dec
(2) |
| 2016 |
Jan
(8) |
Feb
(2) |
Mar
(3) |
Apr
(14) |
May
|
Jun
|
Jul
|
Aug
(12) |
Sep
|
Oct
|
Nov
(1) |
Dec
(19) |
| 2017 |
Jan
|
Feb
(18) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
(2) |
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
(1) |
Apr
(1) |
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
(3) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Ethan R. <eth...@gm...> - 2010-04-20 07:20:21
|
[root]# ./sqlmap.py -u http://192.168.1.7/insecure.php --method=POST
--data="name=bobby&submit=Search" -p name --os-pwn
sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 02:10:57
[02:10:57] [WARNING] you did not provide the local path where Metasploit
Framework 3 is installed
[02:10:57] [WARNING] sqlmap is going to look for Metasploit Framework 3
installation into the environment paths
[02:10:57] [INFO] Metasploit Framework 3 has been found installed in the
'/usr/local/bin' path
[02:10:57] [INFO] using '/home/ethan/installs/sqlmap/output/
192.168.1.7/session' as session file
[02:10:57] [INFO] testing connection to the target url
[02:10:58] [INFO] testing if the url is stable, wait a few seconds
[02:10:59] [INFO] url is stable
[02:10:59] [INFO] testing sql injection on POST parameter 'name' with 0
parenthesis
[02:11:00] [INFO] testing unescaped numeric injection on POST parameter
'name'
[02:11:00] [INFO] POST parameter 'name' is not unescaped numeric injectable
[02:11:00] [INFO] testing single quoted string injection on POST parameter
'name'
[02:11:00] [INFO] confirming single quoted string injection on POST
parameter 'name'
[02:11:00] [INFO] POST parameter 'name' is single quoted string injectable
with 0 parenthesis
[02:11:00] [INFO] testing for parenthesis on injectable parameter
[02:11:01] [INFO] the injectable parameter requires 0 parenthesis
[02:11:01] [INFO] testing MySQL
[02:11:01] [INFO] confirming MySQL
[02:11:02] [INFO] retrieved: 4
[02:11:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[02:11:03] [INFO] testing stacked queries support on parameter 'name'
[02:11:03] [INFO] detecting back-end DBMS version from its banner
[02:11:03] [INFO] retrieved: 5.1.41
[02:11:15] [WARNING] the web application does not support stacked queries on
parameter 'name'
[02:11:15] [INFO] going to use a web backdoor to execute the payload stager
[02:11:15] [INFO] fingerprinting the back-end DBMS operating system
[02:11:15] [INFO] retrieved: \
[02:11:18] [INFO] the back-end DBMS operating system is Windows
[02:11:18] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP (default)
[2] PHP
[3] JSP
> 2
[02:11:21] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[02:11:22] [INFO] retrieved web server full paths:
'C:\xampp\htdocs\insecure.php'
please provide any additional web server full path to try to upload the
agent [C:/xampp/htdocs/]:
[02:11:23] [ERROR] unhandled exception in sqlmap/0.8, please copy the
command line and the following text and send by e-mail to
sql...@li.... The developer will fix it as soon as
possible:
sqlmap version: 0.8
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
File "./sqlmap.py", line 77, in main
start()
File "/home/ethan/installs/sqlmap/lib/controller/controller.py", line 259,
in start
action()
File "/home/ethan/installs/sqlmap/lib/controller/action.py", line 144, in
action
conf.dbmsHandler.osPwn()
File "/home/ethan/installs/sqlmap/plugins/generic/takeover.py", line 169,
in osPwn
self.initEnv(web=web)
File "/home/ethan/installs/sqlmap/lib/takeover/abstraction.py", line 155,
in initEnv
self.webInit()
File "/home/ethan/installs/sqlmap/lib/takeover/web.py", line 189, in
webInit
uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True,
raise404=False)
File "/home/ethan/installs/sqlmap/lib/request/connect.py", line 126, in
getPage
conn = urllib2.urlopen(req)
File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
return _opener.open(url, data)
File "/usr/lib/python2.5/urllib2.py", line 381, in open
response = self._open(req, data)
File "/usr/lib/python2.5/urllib2.py", line 399, in _open
'_open', req)
File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
result = func(*args)
File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
return self.do_open(httplib.HTTPConnection, req)
File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
h = http_class(host) # will parse host:port
File "/usr/lib/python2.5/httplib.py", line 639, in __init__
self._set_hostport(host, port)
File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: ''
[*] shutting down at: 02:11:23
|
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-19 11:52:04
|
Hi Vitaly, sqlmap does not support error-based SQL injection yet: This will come in the upcoming months with the new design and rewrite from scratch of the detection engine. Support to exploit injection points in Oracle Application Server is another task, not planned at the moment though. If you are happy to help, feel free to provide us with patch files to support OAP. Cheers, Bernardo On Sun, Apr 18, 2010 at 17:45, <d...@ds...> wrote: > > First, Sorry for my bad English I'm from Romania > > > > I use sqlmap to test web app+oracle db. > > Maybe will be done to use for oracle blind injetion technique like this > > > > http://example.com/app.jsp?id=21 and(1)=(select > > upper(XMLType(chr(60)||chr(58)||chr(58)||(select > > replace(banner,chr(32),chr(58)) from sys.v_$version where > > rownum=1)||chr(62))) from dual)-- > > > > it work only if print error is on, but technique will be useful i think. > > if need i cant post a real link with example. > > I write a small tool in python to use this technique but use a lot of > > utilities are not comfortable really want to see this technique in sqlmap > > :) > > if you need some form of assistance with this task would be happy to assist > > you > > > > two, Implement support of Oracle Application server to sqlmap :) > > Sqlmap dont know how to work with it, but exist more than one technique to > > exploit sql injection for Oracle Application Server > > > > if you're busy with other matters I would take to embed this technique in > > sqlmap with your help :) > > > > > > ____________________________________________________________________________________________________________________________________________________ > > Vitaly Turenko aka DSU (d[at]dsu.com.ua) > > My Oracle security blog http://dsu.com.ua/ > > > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: <d...@ds...> - 2010-04-18 17:12:43
|
First, Sorry for my bad English I'm from Romania I use sqlmap to test web app+oracle db. Maybe will be done to use for oracle blind injetion technique like this http://example.com/app.jsp?id=21 and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)-- it work only if print error is on, but technique will be useful i think. if need i cant post a real link with example. I write a small tool in python to use this technique but use a lot of utilities are not comfortable really want to see this technique in sqlmap :) if you need some form of assistance with this task would be happy to assist you two, Implement support of Oracle Application server to sqlmap :) Sqlmap dont know how to work with it, but exist more than one technique to exploit sql injection for Oracle Application Server if you're busy with other matters I would take to embed this technique in sqlmap with your help :) ____________________________________________________________________________________________________________________________________________________ Vitaly Turenko aka DSU (d[at]dsu.com.ua) My Oracle security blog http://dsu.com.ua/ |
|
From: Miroslav S. <mir...@gm...> - 2010-04-15 09:36:53
|
Hi. Implemented by your request :). Try the latest SVN version. Kind regards. On Thu, Apr 15, 2010 at 12:07 AM, Ole Rasmussen <ol...@gm...> wrote: > Many DBs are often designed such that table/db names are coherent. > Something often seen is that every table name is prefixed with some > string describing somewhat the relations in the table. An example: > > DB table1: > data_catalogs > data_catalogs_log > data_catalyst > data_emails > data_emails_old > > I don't know if SqlMap takes proximity of the last found table names > into account when enumerating - if it doesn't that could greatly speed > up enumerating table names like in the above example. > When SqlMap acquires the name 'data_catalogs' it could start the next > query by checking if the first letter is 'd' (which it is in the above > example), circumventing the need to do the binary relation search. If > the letter isn't 'd' then all we lost is adding a single query, but we > save a lot of queries if it is. Next time (if the letter was 'd') it > would check if the letter was 'a', then 't' and so on. > This would of course only work if the data is fetched in sorted order, > but I haven't encountered a case where it isn't yet - I guess it must > be sorted in INFORMATION tables in MySql? If it is then I think this > only underlines why you should implement the suggested proximity > queries. It might also be advantageous to exploit that the information > is sorted even without proximity queries; if we just received a table > name starting with 'd' then we know the next table name starts with at > least 'd' as well - I'm not sure if SqlMap already exploits this? > > Regards, > Ole > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |
|
From: Ole R. <ol...@gm...> - 2010-04-14 22:07:51
|
Many DBs are often designed such that table/db names are coherent. Something often seen is that every table name is prefixed with some string describing somewhat the relations in the table. An example: DB table1: data_catalogs data_catalogs_log data_catalyst data_emails data_emails_old I don't know if SqlMap takes proximity of the last found table names into account when enumerating - if it doesn't that could greatly speed up enumerating table names like in the above example. When SqlMap acquires the name 'data_catalogs' it could start the next query by checking if the first letter is 'd' (which it is in the above example), circumventing the need to do the binary relation search. If the letter isn't 'd' then all we lost is adding a single query, but we save a lot of queries if it is. Next time (if the letter was 'd') it would check if the letter was 'a', then 't' and so on. This would of course only work if the data is fetched in sorted order, but I haven't encountered a case where it isn't yet - I guess it must be sorted in INFORMATION tables in MySql? If it is then I think this only underlines why you should implement the suggested proximity queries. It might also be advantageous to exploit that the information is sorted even without proximity queries; if we just received a table name starting with 'd' then we know the next table name starts with at least 'd' as well - I'm not sure if SqlMap already exploits this? Regards, Ole |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-14 08:15:31
|
Get the latest version from subversion. We committed recently an early support for Access. Bernardo On Wed, Apr 14, 2010 at 01:39, Pagera <pag...@gm...> wrote: > hello > is there any access support in sqlmap > > cuz it show this message: > Support for this DBMS will be implemented if you ask, just drop us an email > > thankx > > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Pagera <pag...@gm...> - 2010-04-13 23:35:40
|
hello is there any access support in sqlmap cuz it show this message: Support for this DBMS will be implemented if you ask, just drop us an email thankx |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-09 15:51:26
|
Fixed wherever possible and committed. Thanks for reporting. Bernardo On Fri, Apr 2, 2010 at 09:36, Daliev Ilya <da...@ya...> wrote: > Hello SQLMAP users. > > Version: sqlmap/0.8-rc7 > When using partial (single row) inband sql injection with mssql sqlmap uses > construction like this > > field1=field1_value union all select top 1 some_field from some_table where > some_field not in (select top N some_field from some_table) > > Microsoft says that unordered result set with top clause are nondeterministic. > Even more, results obtained with different N are the same. May be it's better > to use skip/limit clause or something like this > > field1=field1_value union all select top 1 some_field from some_table where > some_field not in (select top N some_field from some_table order by 1) and > some_field in (select top N+1 some_field from some_table order by 1) > > > Regards, Daliev Ilya > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Miroslav S. <mir...@gm...> - 2010-04-09 10:40:27
|
Thank you for another report :) Fixed and committed. Kind regards. On Fri, Apr 9, 2010 at 12:24 PM, shi...@gm... <shi...@gm...> wrote: > [12:22:23] [INFO] testing for parenthesis on injectable parameter > [12:22:23] [INFO] testing Microsoft SQL Server > [12:22:28] [INFO] confirming Microsoft SQL Server > [12:22:40] [INFO] the back-end DBMS is Microsoft SQL Server > > [12:22:40] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible: > sqlmap version: 0.9-dev > Python version: 2.6.1 > Operating system: darwin > Traceback (most recent call last): > File "./sqlmap.py", line 78, in main > start() > File "/Users/hagbart/source/sqlmap_svn/lib/controller/controller.py", line 267, in start > action() > File "/Users/hagbart/source/sqlmap_svn/lib/controller/action.py", line 68, in action > print "%s\n" % conf.dbmsHandler.getFingerprint() > File "/Users/hagbart/source/sqlmap_svn/plugins/dbms/mssqlserver/fingerprint.py", line 58, in getFingerprint > actVer = formatDBMSfp() > File "/Users/hagbart/source/sqlmap_svn/lib/core/common.py", line 139, in formatDBMSfp > if ( not versions or versions == [None] ) and kb.dbmsVersion[0] != "Unknown": > TypeError: 'NoneType' object is unsubscriptable > > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |
|
From: <shi...@gm...> - 2010-04-09 10:25:06
|
[12:22:23] [INFO] testing for parenthesis on injectable parameter
[12:22:23] [INFO] testing Microsoft SQL Server
[12:22:28] [INFO] confirming Microsoft SQL Server
[12:22:40] [INFO] the back-end DBMS is Microsoft SQL Server
[12:22:40] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.6.1
Operating system: darwin
Traceback (most recent call last):
File "./sqlmap.py", line 78, in main
start()
File "/Users/hagbart/source/sqlmap_svn/lib/controller/controller.py", line 267, in start
action()
File "/Users/hagbart/source/sqlmap_svn/lib/controller/action.py", line 68, in action
print "%s\n" % conf.dbmsHandler.getFingerprint()
File "/Users/hagbart/source/sqlmap_svn/plugins/dbms/mssqlserver/fingerprint.py", line 58, in getFingerprint
actVer = formatDBMSfp()
File "/Users/hagbart/source/sqlmap_svn/lib/core/common.py", line 139, in formatDBMSfp
if ( not versions or versions == [None] ) and kb.dbmsVersion[0] != "Unknown":
TypeError: 'NoneType' object is unsubscriptable
|
|
From: Miroslav S. <mir...@gm...> - 2010-04-09 10:16:48
|
Thank you for your report. Now it should be fixed and committed. Kind regards. On Fri, Apr 9, 2010 at 11:52 AM, shi...@gm... <shi...@gm...> wrote: > xxxxxx01:sqlmap_svn xxxxxxxt$ python sqlmap.py --update > > sqlmap/0.9-dev - automatic SQL injection and database takeover tool > http://sqlmap.sourceforge.net > > [*] starting at: 11:50:46 > > [11:50:46] [INFO] updating sqlmap to latest development version from the subversion repository > [11:50:46] [INFO] update in progress . done > [11:50:47] [INFO] updated to the latest revision 1550 > [11:50:47] [INFO] updating Microsoft SQL Server XML versions file > > [11:50:50] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible: > sqlmap version: 0.9-dev > Python version: 2.6.1 > Operating system: darwin > Traceback (most recent call last): > File "sqlmap.py", line 77, in main > init(cmdLineOptions) > File "/Users/hagbart/source/sqlmap_svn/lib/core/option.py", line 1074, in init > update() > File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 261, in update > __updateMSSQLXML() > File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 57, in __updateMSSQLXML > mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True) > File "/Users/hagbart/source/sqlmap_svn/lib/request/connect.py", line 161, in getPage > for _, cookie in enumerate(conf.cj): > TypeError: 'NoneType' object is not iterable > > [*] shutting down at: 11:50:51 > > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |
|
From: <shi...@gm...> - 2010-04-09 09:52:51
|
xxxxxx01:sqlmap_svn xxxxxxxt$ python sqlmap.py --update
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 11:50:46
[11:50:46] [INFO] updating sqlmap to latest development version from the subversion repository
[11:50:46] [INFO] update in progress . done
[11:50:47] [INFO] updated to the latest revision 1550
[11:50:47] [INFO] updating Microsoft SQL Server XML versions file
[11:50:50] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.6.1
Operating system: darwin
Traceback (most recent call last):
File "sqlmap.py", line 77, in main
init(cmdLineOptions)
File "/Users/hagbart/source/sqlmap_svn/lib/core/option.py", line 1074, in init
update()
File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 261, in update
__updateMSSQLXML()
File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 57, in __updateMSSQLXML
mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
File "/Users/hagbart/source/sqlmap_svn/lib/request/connect.py", line 161, in getPage
for _, cookie in enumerate(conf.cj):
TypeError: 'NoneType' object is not iterable
[*] shutting down at: 11:50:51
|
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-07 09:16:52
|
Steve, We do not plan to release any new version in the short term. I suggest you to use the latest development version from subversion repository. Bernardo On Wed, Apr 7, 2010 at 03:18, Steve Pinkham <ste...@gm...> wrote: > There seem to be a number of bugfixes since the last release version. > Is there a bugfix release planned for the near future, or should I > include the SVN version of sqlmap in the next version of our Web > Security Dojo project? > > Steve > -- > | Steven Pinkham, Security Researcher | > | http://www.mavensecurity.com | > | GPG public key ID CD31CAFB | > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Steve P. <ste...@gm...> - 2010-04-07 02:18:13
|
There seem to be a number of bugfixes since the last release version. Is there a bugfix release planned for the near future, or should I include the SVN version of sqlmap in the next version of our Web Security Dojo project? Steve -- | Steven Pinkham, Security Researcher | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB | |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 11:26:55
|
James, If the web server returns a HTTP return code 301 or 302, sqlmap (as of 0.9-dev) asks the user if he wants to follow the redirection or not (assuming the web server sent a Location or URI header in the HTTP response). In your case it does. "page not found" error message is displayed only when the HTTP return code is 404 so the redirected page might return such code. Can you please provide us with the -v 5 output and/or a pcap of the traffic? If it's a sensible site, do so privately please. Regards, Bernardo On Mon, Apr 5, 2010 at 22:22, <ja...@ev...> wrote: > > Hello, > > I'm exploiting a redirection script.. > http://site.com/redirect.asp?sid=7321. > > When i feed it a ' at the end of the URL i get.. > > Microsoft OLE DB Provider for SQL Server error '80040e14' > > Unclosed quotation mark after the character string ''. > > /redirect.asp, line 23 > > Looks good, right? No. > > [jl@rashid-abdul-abmerhenijan sqlmap-dev]$ ./sqlmap -u > "http://site/redirect.asp?sid=7321" -v 5 > > sqlmap/0.9-dev - automatic SQL injection and database takeover tool > http://sqlmap.sourceforge.net > > [*] starting at: 17:20:07 > > [17:20:07] [DEBUG] initializing the configuration > [17:20:07] [DEBUG] initializing the knowledge base > [17:20:07] [DEBUG] cleaning up configuration parameters > [17:20:07] [DEBUG] setting the HTTP timeout > [17:20:07] [DEBUG] setting the HTTP method to GET > [17:20:07] [DEBUG] creating HTTP requests opener object > [17:20:07] [DEBUG] parsing XML queries file > [17:20:07] [INFO] using '/home/jl/sqlmap-dev/output/site/session' as > session file > [17:20:07] [INFO] testing connection to the target url > [17:20:07] [ERROR] page not found > > [*] shutting down at: 17:20:07 > > Is there some way to get SQLmap to exploit this? > > Here is the raw output > > Escape character is '^]'. > GET /redirect.asp?sid=7321 HTTP/1.0 > > HTTP/1.1 302 Object moved > Connection: close > Date: Mon, 05 Apr 2010 21:18:52 GMT > Server: Microsoft-IIS/6.0 > X-Powered-By: ASP.NET > Location: censored_url.com/whatever_data > Content-Length: 175 > Content-Type: text/html > Set-Cookie: source=; path=/ > Set-Cookie: sid=220216217218; path=/ > Cache-control: private > > <head><title>Object moved</title></head> > <body><h1>Object Moved</h1>This object may be found <a HREF="censored for > privacy">here</a>.</body> > Connection closed by foreign host. > > Using latest SQLMap SVN -- Btw, good work on the MS Access support!@! > > -James @ Ev6.NET > > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 11:16:46
|
Hi, If you have ever been the first to report a bug or have suggested a feature that has been implemented or scheduled (when we wrote you so) and your name is not in the contributors file[1] you can report it privately to us[2] and we will adapt accordingly. If, for any reason, you want your name to be removed from the file, you can as well drop us an email. [1] http://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/THANKS [2] http://sqlmap.sourceforge.net/#author Cheers, -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 08:55:14
|
Hi David, On Mon, Apr 5, 2010 at 21:38, David Guimaraes <sk...@gm...> wrote: > ... > I've tried several ways to circumvent this form to gain unauthorized access, > but i not get success in the handling of sql injection. However, nessus > reported that the field is vulnerable to Time-Based Sql Injection by > manipulating the parameter j_username with the following query: > > j_username = ';%20select%20pg_sleep%20(10)-- > > Tested the failure, I noticed that you can only make a time-based blind sql > injection. But even passing the parameter --time-test for the sqlmap, and > setting the option in sqlmap.conf timetest to true, does not make sqlmap > test time-based sql inj. sqlmap at first has to detect a boolean-based blind sql injection to be able to proceed testing for time based blind sql injection (with, --time-test, yes). This is a design flaw of the tool and will be fixed in the next months while we will be working on the refactoring of the detection engine. At the moment you can't use sqlmap to exploit this kind of sql injection. By the way, this is detailed in the user's manual[1]. [1] http://sqlmap.sourceforge.net/doc/README.html#ss5.5 Cheers, -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
|
From: Miroslav S. <mir...@gm...> - 2010-04-05 23:10:16
|
Hi. Fixed and commited. Thank you for your report. Kind regards. On Mon, Apr 5, 2010 at 9:52 PM, David Guimaraes <sk...@gm...> wrote: > The problem happens with any dbms i pass. Oracle, MySQL, Postgre,etc.. > > # ./sqlmap.py -u "http://xxx" --data "xxx" -p xxx -v 2 --time-test --dbms > oracle > > sqlmap/0.9-dev - automatic SQL injection and database takeover tool > http://sqlmap.sourceforge.net > > [*] starting at: 16:49:25 > > [16:49:25] [DEBUG] initializing the configuration > [16:49:25] [DEBUG] initializing the knowledge base > [16:49:25] [DEBUG] cleaning up configuration parameters > [16:49:25] [DEBUG] setting the HTTP timeout > [16:49:25] [DEBUG] setting the HTTP method to GET > [16:49:25] [DEBUG] creating HTTP requests opener object > [16:49:25] [DEBUG] forcing back-end DBMS to user defined value > > [16:49:25] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the > command line and the following text and send by e-mail to > sql...@li.... The developer will fix it as soon as > possible: > sqlmap version: 0.9-dev > Python version: 2.5.2 > Operating system: linux2 > Traceback (most recent call last): > File "./sqlmap.py", line 77, in main > init(cmdLineOptions) > File "/home/skys/sqlmap-dev/lib/core/option.py", line 1074, in init > __setDBMS() > File "/home/skys/sqlmap-dev/lib/core/option.py", line 503, in __setDBMS > "|".join([alias for alias in FIREBIRD_ALIASES])) > TypeError: not all arguments converted during string formatting > > [*] shutting down at: 16:49:25 > > # svn info > Path: . > URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap > Repository Root: https://svn.sqlmap.org/sqlmap > Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb > Revision: 1536 > Node Kind: directory > Schedule: normal > Last Changed Author: stamparm > Last Changed Rev: 1536 > Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010) > > > -- > David Gomes Guimarães > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |
|
From: <ja...@ev...> - 2010-04-05 21:40:13
|
Hello, I'm exploiting a redirection script.. http://site.com/redirect.asp?sid=7321. When i feed it a ' at the end of the URL i get.. Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark after the character string ''. /redirect.asp, line 23 Looks good, right? No. [jl@rashid-abdul-abmerhenijan sqlmap-dev]$ ./sqlmap -u "http://site/redirect.asp?sid=7321" -v 5 sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net [*] starting at: 17:20:07 [17:20:07] [DEBUG] initializing the configuration [17:20:07] [DEBUG] initializing the knowledge base [17:20:07] [DEBUG] cleaning up configuration parameters [17:20:07] [DEBUG] setting the HTTP timeout [17:20:07] [DEBUG] setting the HTTP method to GET [17:20:07] [DEBUG] creating HTTP requests opener object [17:20:07] [DEBUG] parsing XML queries file [17:20:07] [INFO] using '/home/jl/sqlmap-dev/output/site/session' as session file [17:20:07] [INFO] testing connection to the target url [17:20:07] [ERROR] page not found [*] shutting down at: 17:20:07 Is there some way to get SQLmap to exploit this? Here is the raw output Escape character is '^]'. GET /redirect.asp?sid=7321 HTTP/1.0 HTTP/1.1 302 Object moved Connection: close Date: Mon, 05 Apr 2010 21:18:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Location: censored_url.com/whatever_data Content-Length: 175 Content-Type: text/html Set-Cookie: source=; path=/ Set-Cookie: sid=220216217218; path=/ Cache-control: private <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="censored for privacy">here</a>.</body> Connection closed by foreign host. Using latest SQLMap SVN -- Btw, good work on the MS Access support!@! -James @ Ev6.NET |
|
From: David G. <sk...@gm...> - 2010-04-05 20:38:45
|
I have one site in Java which is only vulnerable to this type of technique
(time-based blind sql inj), where all others simply do not work.
Theoretically speaking, I have a login form that receives 2 parameters from
the user via the POST method, which is the login and password.
I've tried several ways to circumvent this form to gain unauthorized access,
but i not get success in the handling of sql injection. However, nessus
reported that the field is vulnerable to Time-Based Sql Injection by
manipulating the parameter j_username with the following query:
j_username = ';%20select%20pg_sleep%20(10)--
Tested the failure, I noticed that you can only make a time-based blind sql
injection. But even passing the parameter --time-test for the sqlmap, and
setting the option in sqlmap.conf timetest to true, does not make sqlmap
test time-based sql inj.
# ./sqlmap.py -u "http:/xxxx/xxxx/j_xx_xxx" --data
"action=Login&j_password=&j_username=" -p j_username -v 2 --time-test
--time-sec 4 --dbms postgresql
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 17:34:40
[17:34:40] [DEBUG] initializing the configuration
[17:34:40] [DEBUG] initializing the knowledge base
[17:34:40] [DEBUG] cleaning up configuration parameters
[17:34:40] [DEBUG] setting the HTTP timeout
[17:34:40] [DEBUG] setting the HTTP method to GET
[17:34:40] [DEBUG] creating HTTP requests opener object
[17:34:40] [DEBUG] forcing back-end DBMS to user defined value
[17:34:40] [DEBUG] parsing XML queries file
[17:34:40] [INFO] using '/home/skys/sqlmap-dev/output/xxx/session' as
session file
[17:34:40] [INFO] testing connection to the target url
sqlmap got a 302 redirect to
http://xxx/xxx/index.html;jsessionid=8EF344E0CF2864CF8DCDF23F730E0F57 - What
target address do you want to use from now on?
http://xxx:80/xxx/j_xxx_xxx(default) or provide another target address
based also on the redirection
got from the application
>
[17:34:41] [WARNING] the testable parameter 'j_username' you provided is not
into the Cookie
[17:34:41] [INFO] testing if the url is stable, wait a few seconds
[17:34:42] [INFO] url is stable
[17:34:42] [INFO] testing sql injection on POST parameter 'j_username' with
0 parenthesis
[17:34:42] [INFO] testing unescaped numeric injection on POST parameter
'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not unescaped numeric
injectable
[17:34:42] [INFO] testing single quoted string injection on POST parameter
'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not single quoted string
injectable
[17:34:42] [INFO] testing LIKE single quoted string injection on POST
parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not LIKE single quoted
string injectable
[17:34:42] [INFO] testing double quoted string injection on POST parameter
'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not double quoted string
injectable
[17:34:42] [INFO] testing LIKE double quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted
string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 0
parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with
1 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric
injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string
injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted
string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string
injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted
string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 1
parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with
2 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric
injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string
injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted
string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string
injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted
string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 2
parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with
3 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric
injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string
injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted
string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter
'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string
injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST
parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted
string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 3
parenthesis
[17:34:43] [WARNING] POST parameter 'j_username' is not injectable
[17:34:43] [ERROR] all parameters are not injectable
[*] shutting down at: 17:34:43
# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1536
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1536
Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)
--
David Gomes Guimarães
|
|
From: David G. <sk...@gm...> - 2010-04-05 19:53:29
|
The problem happens with any dbms i pass. Oracle, MySQL, Postgre,etc..
# ./sqlmap.py -u "http://xxx" --data "xxx" -p xxx -v 2 --time-test --dbms
oracle
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 16:49:25
[16:49:25] [DEBUG] initializing the configuration
[16:49:25] [DEBUG] initializing the knowledge base
[16:49:25] [DEBUG] cleaning up configuration parameters
[16:49:25] [DEBUG] setting the HTTP timeout
[16:49:25] [DEBUG] setting the HTTP method to GET
[16:49:25] [DEBUG] creating HTTP requests opener object
[16:49:25] [DEBUG] forcing back-end DBMS to user defined value
[16:49:25] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the
command line and the following text and send by e-mail to
sql...@li.... The developer will fix it as soon as
possible:
sqlmap version: 0.9-dev
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
File "./sqlmap.py", line 77, in main
init(cmdLineOptions)
File "/home/skys/sqlmap-dev/lib/core/option.py", line 1074, in init
__setDBMS()
File "/home/skys/sqlmap-dev/lib/core/option.py", line 503, in __setDBMS
"|".join([alias for alias in FIREBIRD_ALIASES]))
TypeError: not all arguments converted during string formatting
[*] shutting down at: 16:49:25
# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1536
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1536
Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)
--
David Gomes Guimarães
|
|
From: Miroslav S. <mir...@gm...> - 2010-04-05 11:33:55
|
Fixed and commited
On Fri, Apr 2, 2010 at 6:16 PM, Ole Rasmussen <ol...@gm...> wrote:
> I believe there's a bug when executing the following via sql-shell:
> "SELECT REPLACE('something', 's', 'b')"
> The result is:
> [INFO] the SQL query provided has more than a field. sqlmap will now
> unpack it into distinct queries to be able to retrieve the output even if we are
> going blind
>
> and then it returns nothing. This is clearly incorrect - looks like
> SqlMap thinks it's a list of fields.
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
|
|
From: Miroslav S. <mir...@gm...> - 2010-04-04 14:40:04
|
Hi Kasper. Thank you for spotting and reporting the bug. Now it should be fixed and commited. Kind regards, Miroslav Stampar On Sun, Apr 4, 2010 at 10:11 AM, Kasper Føns <th...@ma...> wrote: > Hello Sqlmap. > > It seems that when using sqlmap with the -g option, sqlmap wants to > collect cookie parameters. > The problem is that when switching from one target to another, any > previous cookie parameters are still kept - thought invalid for the new > target. > > /Kasper > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |
|
From: Kasper F. <th...@ma...> - 2010-04-04 08:11:45
|
Hello Sqlmap. It seems that when using sqlmap with the -g option, sqlmap wants to collect cookie parameters. The problem is that when switching from one target to another, any previous cookie parameters are still kept - thought invalid for the new target. /Kasper |
|
From: Ole R. <ol...@gm...> - 2010-04-02 16:16:47
|
I believe there's a bug when executing the following via sql-shell:
"SELECT REPLACE('something', 's', 'b')"
The result is:
[INFO] the SQL query provided has more than a field. sqlmap will now
unpack it into distinct queries to be able to retrieve the output even if we are
going blind
and then it returns nothing. This is clearly incorrect - looks like
SqlMap thinks it's a list of fields.
|
48 messages has been excluded from this view by a project administrator.
