sqlmap-users Mailing List for sqlmap (Page 131)
From: Miroslav S. <mir...@gm...> - 2010-03-10 14:18:13

Hi.

Thank you for your report. After some researching we've found two serious bugs in sqlmap threading, and we've fixed them accordingly. One of them was related to non-thread-safe usage of difflib, as could be suspected from your report.

Please update your sqlmap to the latest development version.

Kind regards,
Miroslav Stampar

On Sat, Mar 6, 2010 at 3:54 PM, Kasper Føns <th...@ma...> wrote:
> Hello sqlmap users.
>
> I am using your software on Windows 7.
>
> I just tried fetching column definitions from a table using --threads=30.
>
> It found the first column name, but afterwards this happened:
> [15:51:20] [INFO] retrieving the length of query output
> [15:51:20] [INFO] retrieved: 7
> [15:51:23] [INFO] starting 7 threads
> [15:51:23] [INFO] retrieved: [15:51:24] [ERROR] thread 7: unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "lib\techniques\blind\inference.pyc", line 157, in downloadThread
>   File "lib\techniques\blind\inference.pyc", line 106, in getChar
>   File "lib\request\connect.pyc", line 279, in queryPage
>   File "lib\request\comparison.pyc", line 72, in comparison
>   File "difflib.pyc", line 660, in ratio
>   File "difflib.pyc", line 494, in get_matching_blocks
>   File "difflib.pyc", line 439, in find_longest_match
> IndexError: string index out of range
> [15:51:27] [INFO] partially retrieved: wwtwww
> [15:51:27] [ERROR] something unexpected happen into the threads
>
> [*] shutting down at: 15:51:27
>
> The value that it should find was "int<10>".
>
> Should I provide more information?
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
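The traceback in the report above dies inside difflib while several inference threads are comparing pages. The following added example (not sqlmap's code, and not necessarily the fix the developers applied) shows one thread-safe arrangement of the same comparison step: the reference page is cached once per thread in a thread-local SequenceMatcher, and each thread only ever touches its own instance. The response bodies are constructed.

```python
import difflib
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed response bodies (not from the original report): the page a tool
# would record as its reference, plus the variants a TRUE / FALSE inference
# probe might produce.
BASELINE = "<html><body><h1>Store</h1><p>3 items found</p></body></html>"
VARIANTS = [
    "<html><body><h1>Store</h1><p>3 items found</p></body></html>",  # identical
    "<html><body><h1>Store</h1><p>0 items found</p></body></html>",  # one char off
    "<html><body><h1>Error</h1><p>Bad request</p></body></html>",    # very different
]

# difflib.SequenceMatcher caches an index of its second sequence and a list of
# matching blocks; neither is protected by a lock. One instance shared by many
# threads (set_seq1() from thread A while thread B is inside ratio()) is the
# kind of misuse that surfaces as an IndexError deep inside find_longest_match.
# Giving every thread its own instance removes the shared state entirely.
_local = threading.local()


def _thread_matcher():
    matcher = getattr(_local, "matcher", None)
    if matcher is None:
        # seq2 is the cached side, so the reference page goes there once.
        matcher = difflib.SequenceMatcher(None, "", BASELINE)
        _local.matcher = matcher
    return matcher


def page_ratio(page):
    """Similarity of one response to the reference page, in [0.0, 1.0]."""
    matcher = _thread_matcher()
    matcher.set_seq1(page)  # only this thread's matcher is modified
    return matcher.ratio()


def compare_concurrently(pages, workers=8):
    """Score many pages from a thread pool; result order matches the input."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(page_ratio, pages))


def compare_sequentially(pages):
    """Reference implementation: a fresh matcher per call, no shared state."""
    return [difflib.SequenceMatcher(None, p, BASELINE).ratio() for p in pages]


if __name__ == "__main__":
    pages = VARIANTS * 20
    assert compare_concurrently(pages) == compare_sequentially(pages)
    for page, score in zip(VARIANTS, compare_sequentially(VARIANTS)):
        print(f"{score:.3f}  {page[:40]}...")
```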
From: Ignacio H. <nac...@gm...> - 2010-03-09 14:35:19

You can use the "-p param" option to avoid the dynamicity tests. And also I think the detection engine is going to be rewritten to fix some flaws.

Just try "-p searchquery".

Cheers

2010/3/8 Wu, Michael <Mic...@fm...>
> Hi,
> I'm just starting with SQLMap. I have an app that has known SQL injection vulnerabilities. http://www.badstore.net/
>
> Here is the url after the application is installed and configured.
> http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=0&y=0
>
> The searchquery parameter is known to have SQL injection vulnerabilities (confirmed manually as follows),
> http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money%27&action=search&x=0&y=0
> DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Money'' IN (itemnum,sdesc,ldesc)' at line 1 at /usr/local/apache/cgi-bin/badstore.cgi line 207.
>
> but SQL map 0.7 and 0.8-dev consistently report that this parameter is not "dynamic". Could someone help please?
>
> SQL map output
> GET http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
> do you want to test this url? [Y/n/q]
> > Y
> [17:33:16] [INFO] testing url http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
> [17:33:16] [INFO] testing connection to the target url
> [17:33:16] [INFO] testing if the url is stable, wait a few seconds
> [17:33:18] [INFO] url is stable
> ...
> [17:33:21] [INFO] testing if GET parameter 'x' is dynamic
> [17:33:21] [WARNING] GET parameter 'x' is not dynamic
> [17:33:21] [INFO] testing if GET parameter 'searchquery' is dynamic
> [17:33:21] [WARNING] GET parameter 'searchquery' is not dynamic
> [17:33:21] [INFO] testing if GET parameter 'y' is dynamic
> [17:33:21] [WARNING] GET parameter 'y' is not dynamic
>
> Regards
>
> Michael
From: Wu, M. <Mic...@FM...> - 2010-03-08 23:16:53

Hi,
I'm just starting with SQLMap. I have an app that has known SQL injection vulnerabilities. http://www.badstore.net/

Here is the url after the application is installed and configured.
http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=0&y=0

The searchquery parameter is known to have SQL injection vulnerabilities (confirmed manually as follows),
http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money%27&action=search&x=0&y=0
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Money'' IN (itemnum,sdesc,ldesc)' at line 1 at /usr/local/apache/cgi-bin/badstore.cgi line 207.

but SQL map 0.7 and 0.8-dev consistently report that this parameter is not "dynamic". Could someone help please?

SQL map output
GET http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
do you want to test this url? [Y/n/q]
> Y
[17:33:16] [INFO] testing url http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
[17:33:16] [INFO] testing connection to the target url
[17:33:16] [INFO] testing if the url is stable, wait a few seconds
[17:33:18] [INFO] url is stable
...
[17:33:21] [INFO] testing if GET parameter 'x' is dynamic
[17:33:21] [WARNING] GET parameter 'x' is not dynamic
[17:33:21] [INFO] testing if GET parameter 'searchquery' is dynamic
[17:33:21] [WARNING] GET parameter 'searchquery' is not dynamic
[17:33:21] [INFO] testing if GET parameter 'y' is dynamic
[17:33:21] [WARNING] GET parameter 'y' is not dynamic

Regards

Michael
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-06 14:58:00

Multi-threading support might behave unexpectedly, but should not crash. Again, try the sqlmap development version; threading has been tweaked a bit recently. I think 30 is too high a value anyway; usually I try with 3 or 5 at first and see how the application behaves.

Bernardo

On Sat, Mar 6, 2010 at 14:54, Kasper Føns <th...@ma...> wrote:
> Hello sqlmap users.
>
> I am using your software on Windows 7.
>
> I just tried fetching column definitions from a table using --threads=30.
>
> It found the first column name, but afterwards this happened:
> [15:51:20] [INFO] retrieving the length of query output
> [15:51:20] [INFO] retrieved: 7
> [15:51:23] [INFO] starting 7 threads
> [15:51:23] [INFO] retrieved: [15:51:24] [ERROR] thread 7: unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "lib\techniques\blind\inference.pyc", line 157, in downloadThread
>   File "lib\techniques\blind\inference.pyc", line 106, in getChar
>   File "lib\request\connect.pyc", line 279, in queryPage
>   File "lib\request\comparison.pyc", line 72, in comparison
>   File "difflib.pyc", line 660, in ratio
>   File "difflib.pyc", line 494, in get_matching_blocks
>   File "difflib.pyc", line 439, in find_longest_match
> IndexError: string index out of range
> [15:51:27] [INFO] partially retrieved: wwtwww
> [15:51:27] [ERROR] something unexpected happen into the threads
>
> [*] shutting down at: 15:51:27
>
> The value that it should find was "int<10>".
>
> Should I provide more information?

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Kasper F. <th...@ma...> - 2010-03-06 14:55:00

Hello sqlmap users.

I am using your software on Windows 7.

I just tried fetching column definitions from a table using --threads=30.

It found the first column name, but afterwards this happened:
[15:51:20] [INFO] retrieving the length of query output
[15:51:20] [INFO] retrieved: 7
[15:51:23] [INFO] starting 7 threads
[15:51:23] [INFO] retrieved: [15:51:24] [ERROR] thread 7: unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "lib\techniques\blind\inference.pyc", line 157, in downloadThread
  File "lib\techniques\blind\inference.pyc", line 106, in getChar
  File "lib\request\connect.pyc", line 279, in queryPage
  File "lib\request\comparison.pyc", line 72, in comparison
  File "difflib.pyc", line 660, in ratio
  File "difflib.pyc", line 494, in get_matching_blocks
  File "difflib.pyc", line 439, in find_longest_match
IndexError: string index out of range
[15:51:27] [INFO] partially retrieved: wwtwww
[15:51:27] [ERROR] something unexpected happen into the threads

[*] shutting down at: 15:51:27

The value that it should find was "int<10>".

Should I provide more information?
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-06 14:51:37

Fixed months ago in the development version on the subversion repository.

Bernardo

On Sat, Mar 6, 2010 at 12:27, Kasper Føns <th...@ma...> wrote:
> Hello sqlmap users.
>
> I am using your software on Windows 7.
>
> I have not been able to use --os-shell once yet. Every time it is used, I get the following:
>
> [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 84, in main
>   File "lib\controller\controller.pyc", line 263, in start
>   File "lib\controller\action.pyc", line 140, in action
>   File "plugins\generic\takeover.pyc", line 295, in osShell
>   File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
>   File "lib\request\connect.pyc", line 131, in getPage
>   File "urllib2.pyc", line 124, in urlopen
>   File "urllib2.pyc", line 383, in open
>   File "urllib2.pyc", line 401, in _open
>   File "urllib2.pyc", line 361, in _call_chain
>   File "urllib2.pyc", line 1130, in http_open
>   File "urllib2.pyc", line 1087, in do_open
>   File "httplib.pyc", line 656, in __init__
>   File "httplib.pyc", line 668, in _set_hostport
> InvalidURL: nonnumeric port: '80\var\www'
>
> It seems that the port is given, but in addition the upload path is also given - which is strange.
>
> Should I provide more information?

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Kasper F. <th...@ma...> - 2010-03-06 12:27:50

Hello sqlmap users.

I am using your software on Windows 7.

I have not been able to use --os-shell once yet. Every time it is used, I get the following:

[ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 84, in main
  File "lib\controller\controller.pyc", line 263, in start
  File "lib\controller\action.pyc", line 140, in action
  File "plugins\generic\takeover.pyc", line 295, in osShell
  File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
  File "lib\request\connect.pyc", line 131, in getPage
  File "urllib2.pyc", line 124, in urlopen
  File "urllib2.pyc", line 383, in open
  File "urllib2.pyc", line 401, in _open
  File "urllib2.pyc", line 361, in _call_chain
  File "urllib2.pyc", line 1130, in http_open
  File "urllib2.pyc", line 1087, in do_open
  File "httplib.pyc", line 656, in __init__
  File "httplib.pyc", line 668, in _set_hostport
InvalidURL: nonnumeric port: '80\var\www'

It seems that the port is given, but in addition the upload path is also given - which is strange.

Should I provide more information?
From: Miroslav S. <mir...@gm...> - 2010-03-05 15:20:08

Dear Kasper.

We can consider this as a bug, but... Python has serious problems around proper usage of special (unicode) characters. Let's say that it's possible to implement this, but it will require more than just a few lines of code to be modified ;)

We'll put this on a wish list and try to fix it, but can't promise you that it will be tomorrow.

Kind regards,
Miroslav Stampar

On Fri, Mar 5, 2010 at 3:56 PM, Kasper Føns <th...@ma...> wrote:
> Hello sqlmap users.
>
> I am using your software on Windows 7, and I have a path with a ø in it.
>
> The problem is that sqlmap does not like these special paths, and I would consider this as a bug.
>
> Here is a minimal example showing the problem:
> C:\ø>sqlmap.exe -u www.google.dk
>
>     sqlmap/0.7
>     by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 15:55:08
>
> [15:55:08] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 81, in main
>   File "lib\core\option.pyc", line 1011, in init
>   File "lib\parse\queriesfile.pyc", line 222, in queriesParser
>   File "xml\sax\__init__.pyc", line 33, in parse
>   File "xml\sax\expatreader.pyc", line 107, in parse
>   File "xml\sax\xmlreader.pyc", line 119, in parse
>   File "xml\sax\expatreader.pyc", line 111, in prepareParser
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf8' in position 3: ordinal not in range(128)
>
> [*] shutting down at: 15:55:08
>
>
> C:\ø>
>
> I hope this can be solved.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Kasper F. <th...@ma...> - 2010-03-05 15:12:14

Hello sqlmap users.

I am using your software on Windows 7, and I have a path with a ø in it.

The problem is that sqlmap does not like these special paths, and I would consider this as a bug.

Here is a minimal example showing the problem:
C:\ø>sqlmap.exe -u www.google.dk

    sqlmap/0.7
    by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 15:55:08

[15:55:08] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 81, in main
  File "lib\core\option.pyc", line 1011, in init
  File "lib\parse\queriesfile.pyc", line 222, in queriesParser
  File "xml\sax\__init__.pyc", line 33, in parse
  File "xml\sax\expatreader.pyc", line 107, in parse
  File "xml\sax\xmlreader.pyc", line 119, in parse
  File "xml\sax\expatreader.pyc", line 111, in prepareParser
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf8' in position 3: ordinal not in range(128)

[*] shutting down at: 15:55:08


C:\ø>

I hope this can be solved.
From: Miroslav S. <mir...@gm...> - 2010-03-04 08:49:49

Hi Eric.

This was reported a few weeks ago and (hopefully) fixed. Please try to update to the latest development version and give it a try.
( svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/ )

Kind regards,
Miroslav Stampar

On Thu, Mar 4, 2010 at 2:32 AM, Eric <eri...@gm...> wrote:
>
> [02:26:20] [INFO] testing if the url is stable, wait a few seconds
> [02:26:20] [WARNING] the target url responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or -a, skipping to next url
> [02:26:21] [WARNING] the target url responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or -a, skipping to next url
> [02:26:21] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 84, in main
>   File "lib\controller\controller.pyc", line 178, in start
>   File "lib\controller\checks.pyc", line 304, in checkStability
>   File "lib\core\convert.pyc", line 54, in md5hash
> TypeError: md5() argument 1 must be string or read-only buffer, not None
>
> [*] shutting down at: 02:26:21
>
> KEEP UP THE GOOD WORK!!!!

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Eric <eri...@gm...> - 2010-03-04 01:32:44

[02:26:20] [INFO] testing if the url is stable, wait a few seconds
[02:26:20] [WARNING] the target url responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or -a, skipping to next url
[02:26:21] [WARNING] the target url responded with an unknown HTTP status code, try to force the HTTP User-Agent header with option --user-agent or -a, skipping to next url
[02:26:21] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 84, in main
  File "lib\controller\controller.pyc", line 178, in start
  File "lib\controller\checks.pyc", line 304, in checkStability
  File "lib\core\convert.pyc", line 54, in md5hash
TypeError: md5() argument 1 must be string or read-only buffer, not None

[*] shutting down at: 02:26:21

KEEP UP THE GOOD WORK!!!!
From: Miroslav S. <mir...@gm...> - 2010-03-01 10:53:28

Hi Daniel.

Thank you for reporting this issue. We've found it inside the code and fixed it. Now there shouldn't be crashes like this anymore, and we've also improved (hope so) the MSSQL version parsing and recognition routine.

Kind regards,
Miroslav Stampar

On 28.2.2010 10:23, Daniel Hückmann wrote:
> Running SVN revision 1347 (latest) and using the most up to date XML versions file. System environment is as follows:
>
> Python 2.6.4 (r264:75706, Dec 7 2009, 18:45:15) [GCC 4.4.1] on linux2
> Ubuntu 9.10 (Karmic - x86/32bit) 2.6.31-19-generic
>
> The initial enumeration without banner grabbing returns and then confirms that the DBMS is Microsoft SQL server (expected behaviour). However, running any subsequent operations (including -f and/or -b) returns:
>
> [00:35:51] [ERROR] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented if you ask, just drop us an email
>
> If I erase the output folder for that scan, it works once again, but only for the first scan. However, if I erase the output folder and then try to banner grab, the following happens:
>
> sbit@hati:/opt/sqlmap$ ./sqlmap.py -u "http://www.[REDACTED].com/[REDACTED].asp?[REDACTED]=[REDACTED]" -f --banner
>
>     sqlmap/0.8-rc7 - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [*] starting at: 00:40:16
>
> [00:40:16] [INFO] using '/opt/sqlmap/output/www.[REDACTED].com/session' as session file
> [00:40:16] [INFO] testing connection to the target url
> [00:40:17] [INFO] testing if the url is stable, wait a few seconds
> [00:40:19] [INFO] url is stable
> [00:40:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [00:40:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [00:40:20] [INFO] testing if Cookie parameter 'ASPSESSIONIDCSCDTATD' is dynamic
> [00:40:21] [WARNING] Cookie parameter 'ASPSESSIONIDCSCDTATD' is not dynamic
> [00:40:21] [INFO] testing if GET parameter '[REDACTED]' is dynamic
> [00:40:21] [INFO] confirming that GET parameter '[REDACTED]' is dynamic
> [00:40:22] [INFO] GET parameter '[REDACTED]' is dynamic
> [00:40:22] [INFO] testing sql injection on GET parameter '[REDACTED]' with 0 parenthesis
> [00:40:22] [INFO] testing unescaped numeric injection on GET parameter '[REDACTED]'
> [00:40:22] [INFO] GET parameter '[REDACTED]' is not unescaped numeric injectable
> [00:40:22] [INFO] testing single quoted string injection on GET parameter '[REDACTED]'
> [00:40:23] [INFO] confirming single quoted string injection on GET parameter '[REDACTED]'
> [00:40:24] [INFO] GET parameter '[REDACTED]' is single quoted string injectable with 0 parenthesis
> [00:40:24] [INFO] testing for parenthesis on injectable parameter
> [00:40:28] [INFO] the injectable parameter requires 0 parenthesis
> [00:40:28] [INFO] testing MySQL
> [00:40:28] [WARNING] the back-end DMBS is not MySQL
> [00:40:28] [INFO] testing Oracle
> [00:40:28] [WARNING] the back-end DMBS is not Oracle
> [00:40:28] [INFO] testing PostgreSQL
> [00:40:28] [WARNING] the back-end DMBS is not PostgreSQL
> [00:40:28] [INFO] testing Microsoft SQL Server
> [00:40:29] [INFO] confirming Microsoft SQL Server
> [00:40:34] [INFO] the back-end DBMS is Microsoft SQL Server
> [00:40:34] [INFO] fetching banner
> [00:40:34] [INFO] retrieved: Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64)
>     Mar 29 2009 10:11:52
>     Copyright (c) 1988-2008 Microsoft Corporation
>     Web Edition (64-bit) on Windows NT 6.0 <X64> (Build 6001: Service Pack 1) (VM)
>
> [00:59:32] [INFO] the back-end DBMS operating system is Windows 2003 Service Pack 1
> [00:59:32] [ERROR] unhandled exception in sqlmap/0.8-rc7 - automatic SQL injection and database takeover tool, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.8-rc7
> Python version: 2.6.4
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 77, in main
>     start()
>   File "/opt/sqlmap/lib/controller/controller.py", line 257, in start
>     action()
>   File "/opt/sqlmap/lib/controller/action.py", line 68, in action
>     print "%s\n" % conf.dbmsHandler.getFingerprint()
>   File "/opt/sqlmap/plugins/dbms/mssqlserver.py", line 152, in getFingerprint
>     release = kb.bannerFp["dbmsRelease"]
> KeyError: 'dbmsRelease'
>
> [*] shutting down at: 00:59:32
>
>
> Daniel Hückmann - Sophsec Intrusion Labs - Silicon Forest (PDX)
> --------------------------------------------------------------------------
> http://www.google.com/profiles/sanitybit
> http://twitter.com/sanitybit

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Daniel H. <san...@gm...> - 2010-02-28 09:24:13

Running SVN revision 1347 (latest) and using the most up to date XML versions file. System environment is as follows:

Python 2.6.4 (r264:75706, Dec 7 2009, 18:45:15) [GCC 4.4.1] on linux2
Ubuntu 9.10 (Karmic - x86/32bit) 2.6.31-19-generic

The initial enumeration without banner grabbing returns and then confirms that the DBMS is Microsoft SQL server (expected behaviour). However, running any subsequent operations (including -f and/or -b) returns:

[00:35:51] [ERROR] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented if you ask, just drop us an email

If I erase the output folder for that scan, it works once again, but only for the first scan. However, if I erase the output folder and then try to banner grab, the following happens:

sbit@hati:/opt/sqlmap$ ./sqlmap.py -u "http://www.[REDACTED].com/[REDACTED].asp?[REDACTED]=[REDACTED]" -f --banner

    sqlmap/0.8-rc7 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:40:16

[00:40:16] [INFO] using '/opt/sqlmap/output/www.[REDACTED].com/session' as session file
[00:40:16] [INFO] testing connection to the target url
[00:40:17] [INFO] testing if the url is stable, wait a few seconds
[00:40:19] [INFO] url is stable
[00:40:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[00:40:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[00:40:20] [INFO] testing if Cookie parameter 'ASPSESSIONIDCSCDTATD' is dynamic
[00:40:21] [WARNING] Cookie parameter 'ASPSESSIONIDCSCDTATD' is not dynamic
[00:40:21] [INFO] testing if GET parameter '[REDACTED]' is dynamic
[00:40:21] [INFO] confirming that GET parameter '[REDACTED]' is dynamic
[00:40:22] [INFO] GET parameter '[REDACTED]' is dynamic
[00:40:22] [INFO] testing sql injection on GET parameter '[REDACTED]' with 0 parenthesis
[00:40:22] [INFO] testing unescaped numeric injection on GET parameter '[REDACTED]'
[00:40:22] [INFO] GET parameter '[REDACTED]' is not unescaped numeric injectable
[00:40:22] [INFO] testing single quoted string injection on GET parameter '[REDACTED]'
[00:40:23] [INFO] confirming single quoted string injection on GET parameter '[REDACTED]'
[00:40:24] [INFO] GET parameter '[REDACTED]' is single quoted string injectable with 0 parenthesis
[00:40:24] [INFO] testing for parenthesis on injectable parameter
[00:40:28] [INFO] the injectable parameter requires 0 parenthesis
[00:40:28] [INFO] testing MySQL
[00:40:28] [WARNING] the back-end DMBS is not MySQL
[00:40:28] [INFO] testing Oracle
[00:40:28] [WARNING] the back-end DMBS is not Oracle
[00:40:28] [INFO] testing PostgreSQL
[00:40:28] [WARNING] the back-end DMBS is not PostgreSQL
[00:40:28] [INFO] testing Microsoft SQL Server
[00:40:29] [INFO] confirming Microsoft SQL Server
[00:40:34] [INFO] the back-end DBMS is Microsoft SQL Server
[00:40:34] [INFO] fetching banner
[00:40:34] [INFO] retrieved: Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64)
    Mar 29 2009 10:11:52
    Copyright (c) 1988-2008 Microsoft Corporation
    Web Edition (64-bit) on Windows NT 6.0 <X64> (Build 6001: Service Pack 1) (VM)

[00:59:32] [INFO] the back-end DBMS operating system is Windows 2003 Service Pack 1
[00:59:32] [ERROR] unhandled exception in sqlmap/0.8-rc7 - automatic SQL injection and database takeover tool, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8-rc7
Python version: 2.6.4
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 77, in main
    start()
  File "/opt/sqlmap/lib/controller/controller.py", line 257, in start
    action()
  File "/opt/sqlmap/lib/controller/action.py", line 68, in action
    print "%s\n" % conf.dbmsHandler.getFingerprint()
  File "/opt/sqlmap/plugins/dbms/mssqlserver.py", line 152, in getFingerprint
    release = kb.bannerFp["dbmsRelease"]
KeyError: 'dbmsRelease'

[*] shutting down at: 00:59:32


Daniel Hückmann - Sophsec Intrusion Labs - Silicon Forest (PDX)
--------------------------------------------------------------------------
http://www.google.com/profiles/sanitybit
http://twitter.com/sanitybit
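The crash above is a KeyError on kb.bannerFp["dbmsRelease"]: the banner parser filled in nothing for that key and the caller indexed it unconditionally. As an added example (not sqlmap's code), the parser below reads the banner format quoted in the report and always returns every field, None where the banner lacks it, so a caller tests "recognized" instead of crashing. Only the key name dbmsRelease comes from the trace; the other field names, the regexes and the NT version table are my own, and the sample banner is re-typed from the report as test input.

```python
import re

# Re-typed from the banner quoted in the report above, used here as test input.
SAMPLE_BANNER = (
    "Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64)\n"
    "\tMar 29 2009 10:11:52\n"
    "\tCopyright (c) 1988-2008 Microsoft Corporation\n"
    "\tWeb Edition (64-bit) on Windows NT 6.0 <X64> (Build 6001: Service Pack 1) (VM)\n"
)

# First line: product release year, optional service-pack tag, dotted build.
_RELEASE_RE = re.compile(
    r"Microsoft SQL Server\s+(?P<release>\d{4}(?:\s*R2)?)"
    r"(?:\s*\((?P<sp>SP\d+|RTM)\))?\s*-\s*"
    r"(?P<version>\d+(?:\.\d+){1,3})",
    re.IGNORECASE,
)

# Last line: edition, host kernel version, optional build and OS service pack.
_OS_RE = re.compile(
    r"^\s*(?P<edition>.*?\bEdition\b(?:\s*\([^)\n]*\))?)\s+on\s+"
    r"(?P<os>Windows NT\s+\d+\.\d+)(?:\s*<[^>\n]*>)?"
    r"(?:\s*\(Build\s+(?P<build>\d+)(?::\s*(?P<ossp>Service Pack \d+))?\))?",
    re.IGNORECASE | re.MULTILINE,
)

# NT kernel version -> product names (client and server share the number).
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003 / XP x64",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
}

FIELDS = (
    "dbmsRelease", "servicePack", "dbmsVersion",
    "edition", "osVersion", "osBuild", "osServicePack",
)


def parse_mssql_banner(banner):
    """Parse a @@VERSION-style banner into a dict carrying every key in FIELDS.

    Keys the banner does not supply are None rather than missing, so a caller
    that indexes result["dbmsRelease"] cannot raise KeyError; "recognized"
    reports whether the product line matched at all.
    """
    result = dict.fromkeys(FIELDS)
    result["recognized"] = False

    m = _RELEASE_RE.search(banner or "")
    if m:
        result["recognized"] = True
        result["dbmsRelease"] = m.group("release")
        result["servicePack"] = m.group("sp")
        result["dbmsVersion"] = m.group("version")

    o = _OS_RE.search(banner or "")
    if o:
        result["edition"] = o.group("edition").strip()
        result["osVersion"] = o.group("os")
        result["osBuild"] = o.group("build")
        result["osServicePack"] = o.group("ossp")
    return result


def windows_name(os_version):
    """Map 'Windows NT 6.0' to its product names; None when unknown or absent."""
    if not os_version:
        return None
    m = re.search(r"(\d+\.\d+)", os_version)
    return NT_VERSIONS.get(m.group(1)) if m else None


if __name__ == "__main__":
    fp = parse_mssql_banner(SAMPLE_BANNER)
    for key in ("recognized",) + FIELDS:
        print(f"{key:>14}: {fp[key]}")
    print(f"{'host OS':>14}: {windows_name(fp['osVersion'])}")
    # A banner the parser does not recognize degrades to None fields, no KeyError.
    print(parse_mssql_banner("something unexpected")["dbmsRelease"])
```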
From: Miroslav S. <mir...@gm...> - 2010-02-23 11:14:28

Hi.

We'll take into consideration the implementation of a program option which could do this automatically - in case of inference tests, usage of the BETWEEN program structure instead of the standard lesser/greater - or maybe use it as a primary concept.

Kind regards.

On Tue, Feb 23, 2010 at 10:59 AM, velky brat <vel...@gm...> wrote:
> Ok, I have resolved the problem. Just brief info for other users:
> If characters like '<' or '>' are filtered, it is possible to modify the query like this:
>
> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>
> vb
>
> On Sat, Feb 20, 2010 at 6:38 PM, velky brat <vel...@gm...> wrote:
>> Hello,
>> I have found blind SQL injection in the GET parameter of an audited MySQL application (also sqlmap is able to identify the injection), but it is not possible to dump any data (like --current-user or --current-db). The only option which is working is --fingerprint (gives the correct result of MySQL 5 version); all other options gave the same result as "None".
>> Because it looked strange to me, I made some basic tests manually with the following results:
>>
>> http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
>> http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
>>
>> http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
>> http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
>>
>> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
>> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
>>
>> As you can see from these results, it looks like the characters "<" and ">" are filtered within the application.
>>
>> However, the injection is still working. I suppose that sqlmap uses these characters ("<", ">") really often during dumping of data from the database. So I have changed the following line in the mysql section of the queries.xml file:
>>
>> original line:
>> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
>>
>> updated line:
>> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>>
>> Unfortunately, the result was the same (None). What else should be modified?
>>
>> Is it possible to use the BETWEEN statement instead of ">" in the current version of sqlmap?
>> Is it already supported somehow in sqlmap or would it appear in future versions?
>>
>> Thank you in advance
>>
>> vb
>>
>

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: velky b. <vel...@gm...> - 2010-02-23 10:30:48

Ok, I have resolved the problem. Just brief info for other users:
If characters like '<' or '>' are filtered, it is possible to modify the query like this:

<inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>

vb

On Sat, Feb 20, 2010 at 6:38 PM, velky brat <vel...@gm...> wrote:
> Hello,
> I have found a blind SQL injection in the GET parameter of an audited MySQL
> application (also sqlmap is able to identify the injection), but it is not
> possible to dump any data (like --current-user or --current-db). The only
> option which is working is --fingerprint (gives the correct result of MySQL 5
> version); all other options gave the same result as "None".
> Because it looked strange to me, I made some basic tests manually with the
> following results:
>
> http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
> http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)
>
> http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
> http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)
>
> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
> http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE
>
> As you can see from these results, it looks like the characters "<" and ">"
> are filtered within the application.
>
> However, the injection is still working. I suppose that sqlmap uses these
> characters ("<", ">") really often during dumping of data from the database.
> So I have changed the following line in the mysql section of the queries.xml file:
>
> original line:
> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
>
> updated line:
> <inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>
>
> Unfortunately, the result was the same (None). What else should be modified?
>
> Is it possible to use the BETWEEN statement instead of ">" in the current
> version of sqlmap?
> Is it already supported somehow in sqlmap or would it appear in future
> versions?
>
> Thank you in advance
>
> vb
From: Bernardo D. A. G. <ber...@gm...> - 2010-02-23 09:31:56

Ryan,

if sqlmap can't detect the SQL injection after you give a try to the latest development version, then try to exploit it yourself manually, identify the SQL payload and provide sqlmap with --prefix, --postfix and, if needed, --string. Refer to the user's manual for details and examples.

Bernardo

On Tue, Feb 23, 2010 at 00:33, Ryan Dewhurst <rya...@gm...> wrote:
> Ok, the cookies now seem to be being sent; however sqlmap is still
> reporting that it is uninjectable. The working command is:
>
> #./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1"
> --cookie="security=low; PHPSESSID=25e295bd67654538970df074f7083d2d" -p
> id -v 3
>
> I have checked and double checked the cookie values.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2010-02-23 09:12:46

Hi.

There was a bug in sqlmap when a proxy was set (http_proxy environment variable on lnx) and sqlmap was run against the 127.0.0.1/localhost addresses. The same thing was happening to me too. Maybe this is not the same, but I would recommend you to get the latest development version from the official pages (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/) and take a shot.

Kind regards.

On Tue, Feb 23, 2010 at 1:33 AM, Ryan Dewhurst <rya...@gm...> wrote:
> Ok, the cookies now seem to be being sent; however sqlmap is still
> reporting that it is uninjectable. The working command is:
>
> #./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1"
> --cookie="security=low; PHPSESSID=25e295bd67654538970df074f7083d2d" -p
> id -v 3
>
> I have checked and double checked the cookie values.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Ryan D. <rya...@gm...> - 2010-02-23 01:30:31

When I add the -p flag I get the following error:

bash: -p: command not found

Because it is interpreting the flag as a separate command, it must be my cookie syntax which is incorrect. It is possibly ending the sqlmap command after the ;

Does anyone know if I am using the correct syntax for the cookies?

Thanks again!

On 23 February 2010 00:12, Patrick Webster <pa...@au...> wrote:
> try adding
>
> -p id
>
> to force it to test id
>
> -Patrick

--
Ryan Dewhurst

http://www.ethicalhack3r.co.uk
http://www.dvwa.co.uk
http://www.twitter.com/ethicalhack3r
From: Ryan D. <rya...@gm...> - 2010-02-23 01:28:38

I removed the ; from the command and it seemed to test the id parameter; however it is saying it is not injectable when it clearly is.

I am running MySQL5, the one pre-installed in Backtrack 4 Final by default.

Thank you.

On 23 February 2010 00:17, Ryan Dewhurst <rya...@gm...> wrote:
> When I add the -p flag I get the following error:
>
> bash: -p: command not found
>
> Because it is interpreting the flag as a separate command, it must be
> my cookie syntax which is incorrect. It is possibly ending the sqlmap
> command after the ;
>
> Does anyone know if I am using the correct syntax for the cookies?
>
> Thanks again!

--
Ryan Dewhurst

http://www.ethicalhack3r.co.uk
http://www.dvwa.co.uk
http://www.twitter.com/ethicalhack3r
From: Patrick W. <pa...@au...> - 2010-02-23 01:13:41

try adding

-p id

to force it to test id

-Patrick

On Tue, Feb 23, 2010 at 11:09 AM, Ryan Dewhurst <rya...@gm...> wrote:
> Hi,
> Trying to get sqlmap to run against DVWA's SQL injection page. DVWA
> has a normal PHP login form which, when logged in, sets the following
> cookies:
>
> Cookies: security=low; PHPSESSID=25e295bd67654538970df074f7083d2d
>
> Here is the command and the error I am receiving; any help appreciated.
>
> ------------------------------------------------------------------------------------------------------
> #./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1" --cookie=security=low; PHPSESSID=25e295bd67654538970df074f7083d2d
>
> sqlmap/0.8-rc4
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 00:03:28
>
> [00:03:28] [INFO] using '/pentest/database/sqlmap/output/127.0.0.1/session' as session file
> [00:03:28] [INFO] resuming match ratio '0.998' from session file
> [00:03:28] [INFO] testing connection to the target url
> you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
> [00:03:41] [INFO] testing if the url is stable, wait a few seconds
> [00:03:42] [INFO] url is stable
> [00:03:42] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [00:03:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [00:03:42] [INFO] testing if Cookie parameter 'security' is dynamic
> [00:03:42] [WARNING] Cookie parameter 'security' is not dynamic
> [00:03:42] [INFO] testing if GET parameter 'id' is dynamic
> [00:03:43] [WARNING] GET parameter 'id' is not dynamic
>
> [*] shutting down at: 00:03:43
> ---------------------------------------------------------------------------------------------------------------------
>
> Thank you,
> Ryan
From: Ryan D. <rya...@gm...> - 2010-02-23 00:42:26

Ok, the cookies now seem to be being sent; however sqlmap is still reporting that it is uninjectable. The working command is:

#./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1" --cookie="security=low; PHPSESSID=25e295bd67654538970df074f7083d2d" -p id -v 3

I have checked and double checked the cookie values.

On 23 February 2010 00:21, Ryan Dewhurst <rya...@gm...> wrote:
> I removed the ; from the command and it seemed to test the id
> parameter; however it is saying it is not injectable when it clearly
> is.
>
> I am running MySQL5, the one pre-installed in Backtrack 4 Final by default.
>
> Thank you.

--
Ryan Dewhurst

http://www.ethicalhack3r.co.uk
http://www.dvwa.co.uk
http://www.twitter.com/ethicalhack3r
From: Ryan D. <rya...@gm...> - 2010-02-23 00:09:57

Hi,
Trying to get sqlmap to run against DVWA's SQL injection page. DVWA has a normal PHP login form which, when logged in, sets the following cookies:

Cookies: security=low; PHPSESSID=25e295bd67654538970df074f7083d2d

Here is the command and the error I am receiving; any help appreciated.

------------------------------------------------------------------------------------------------------
#./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1" --cookie=security=low; PHPSESSID=25e295bd67654538970df074f7083d2d

sqlmap/0.8-rc4
by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 00:03:28

[00:03:28] [INFO] using '/pentest/database/sqlmap/output/127.0.0.1/session' as session file
[00:03:28] [INFO] resuming match ratio '0.998' from session file
[00:03:28] [INFO] testing connection to the target url
you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] y
[00:03:41] [INFO] testing if the url is stable, wait a few seconds
[00:03:42] [INFO] url is stable
[00:03:42] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[00:03:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[00:03:42] [INFO] testing if Cookie parameter 'security' is dynamic
[00:03:42] [WARNING] Cookie parameter 'security' is not dynamic
[00:03:42] [INFO] testing if GET parameter 'id' is dynamic
[00:03:43] [WARNING] GET parameter 'id' is not dynamic

[*] shutting down at: 00:03:43
---------------------------------------------------------------------------------------------------------------------

Thank you,
Ryan

--
Ryan Dewhurst

http://www.ethicalhack3r.co.uk
http://www.dvwa.co.uk
http://www.twitter.com/ethicalhack3r
From: velky b. <vel...@gm...> - 2010-02-20 17:38:26

Hello,
I have found a blind SQL injection in the GET parameter of an audited MySQL application (also sqlmap is able to identify the injection), but it is not possible to dump any data (like --current-user or --current-db). The only option which is working is --fingerprint (gives the correct result of MySQL 5 version); all other options gave the same result as "None".
Because it looked strange to me, I made some basic tests manually with the following results:

http://localhost/index.php?id=9 AND 1 = 1 ---> TRUE (should be TRUE)
http://localhost/index.php?id=9 AND 1 = 0 ---> FALSE (should be FALSE)

http://localhost/index.php?id=9 AND 6 > 5 ---> FALSE (should be TRUE)
http://localhost/index.php?id=9 AND 6 < 5 ---> FALSE (should be FALSE)

http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 5 ---> FALSE
http://localhost/index.php?id=9 AND 6 BETWEEN 0 and 10 ---> TRUE

As you can see from these results, it looks like the characters "<" and ">" are filtered within the application.

However, the injection is still working. I suppose that sqlmap uses these characters ("<", ">") really often during dumping of data from the database.
So I have changed the following line in the mysql section of the queries.xml file:

original line:
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>

updated line:
<inference query="AND ORD(MID((%s), %d, 1)) BETWEEN 0 AND %d"/>

Unfortunately, the result was the same (None). What else should be modified?

Is it possible to use the BETWEEN statement instead of ">" in the current version of sqlmap?
Is it already supported somehow in sqlmap or would it appear in future versions?

Thank you in advance

vb
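The application in this thread strips '<' and '>' yet leaves the BETWEEN form of the same inference untouched, which is the defender's lesson here: a character blacklist neither stops nor reliably reveals these probes, so detection has to key on the query structure. The following is an added example, not sqlmap's code and not from any poster, of a small access-log scanner that flags both inference shapes quoted above (the '>' form and the BETWEEN form) and reports which ones would survive such a filter; the log lines, the `(SELECT 1)` subquery and the assumption that the filter silently drops the brackets rather than rejecting the request are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The two inference shapes discussed in the thread (sqlmap's queries.xml
# placeholders %s/%d as they would appear filled in on the wire):
#   AND ORD(MID((subquery), pos, 1)) > N
#   AND ORD(MID((subquery), pos, 1)) BETWEEN 0 AND N
INFERENCE_RE = re.compile(
    r"\bORD\s*\(\s*MID\s*\(\s*\(.*?\)\s*,\s*\d+\s*,\s*1\s*\)\s*\)\s*"
    r"(?P<op>[<>]=?|BETWEEN\s+\d+\s+AND)\s*\d+\b",
    re.IGNORECASE | re.DOTALL,
)

# Request part of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(?P<target>\S+)\s+HTTP/')


def strip_angle_brackets(text):
    """Model (an assumption, not observed code) of the application-side filter
    from the thread: it silently removes '<' and '>' instead of rejecting the
    request, which is consistent with '6 > 5' evaluating as FALSE there."""
    return text.replace("<", "").replace(">", "")


def classify_query(query_string):
    """Return 'comparison', 'between' or None for a percent-encoded query string."""
    decoded = unquote_plus(query_string)
    match = INFERENCE_RE.search(decoded)
    if match is None:
        return None
    return "between" if match.group("op").upper().startswith("BETWEEN") else "comparison"


def survives_angle_bracket_filter(query_string):
    """True if the probe is still a complete inference after the filter ran.

    The '>' form collapses to 'ORD(...)) 64', a syntax error that always
    yields FALSE, while the BETWEEN form is left intact."""
    filtered = strip_angle_brackets(unquote_plus(query_string))
    return INFERENCE_RE.search(filtered) is not None


def scan_log(lines):
    """Return (line_no, kind, survives_filter) for every flagged request."""
    flagged = []
    for line_no, line in enumerate(lines, start=1):
        request = REQUEST_RE.search(line)
        if request is None:
            continue
        query = urlsplit(request.group("target")).query
        kind = classify_query(query)
        if kind is not None:
            flagged.append((line_no, kind, survives_angle_bracket_filter(query)))
    return flagged


# Constructed sample log: a normal request, the two sqlmap-style probes, and
# one of the poster's manual tautology tests. The last one is deliberately not
# matched: INFERENCE_RE is narrow on purpose so that it stays precise.
SAMPLE_LOG = [
    '127.0.0.1 - - [20/Feb/2010:18:38:00 +0100] "GET /index.php?id=9 HTTP/1.1" 200 512',
    '127.0.0.1 - - [20/Feb/2010:18:38:01 +0100] "GET /index.php?id=9%20AND%20ORD(MID((SELECT%201),%201,%201))%20%3E%2064 HTTP/1.1" 200 512',
    '127.0.0.1 - - [20/Feb/2010:18:38:02 +0100] "GET /index.php?id=9%20AND%20ORD(MID((SELECT%201),%201,%201))%20BETWEEN%200%20AND%2064 HTTP/1.1" 200 512',
    '127.0.0.1 - - [20/Feb/2010:18:38:03 +0100] "GET /index.php?id=9%20AND%206%20BETWEEN%200%20AND%2010 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, kind, survives in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} probe, survives '<>' filter: {survives}")
```

Running it flags lines 2 and 3 and shows that only the BETWEEN probe would pass the bracket filter, which is why the filter is a poor substitute for parameterised queries and for logging on the query structure.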
From: Bernardo D. A. G. <ber...@gm...> - 2010-02-16 11:17:33

Sam,

On Wed, Feb 10, 2010 at 22:32, Sam Elliot <dr...@bu...> wrote:
> I have manually confirmed a simple 'waitfor%20delay'0:0:20'- sql
> injection vector in a site test, but when I try to replicate this with
> SQLMap using the '--time-test' option it does not even perform any 'wait
> for delay' type vectors as shown in the usage options.
> ...

By (weak) design, sqlmap tries the specified --stacked-test, --time-test and --union-test only if beforehand it detected a boolean-based blind SQL injection. This is wrong and will be fixed starting from March.

Regards,

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-02-16 11:07:12
Brian,

On Mon, Feb 15, 2010 at 22:41, <Bri...@gm...> wrote:
> ...
> I tried to dump some info from tables using the optional options --start and --stop, but it always gives me the first entry till the last of the table and not, as specified, starting from the 2nd till the 4th.
>
> The vulnerable site is using MySQL >= 5.0.0 so there shouldn't be a problem with using information_schema.
>
> ...\sqlmap-0.7_exe\sqlmap.exe" -u "http://www.xxxxx.php?userid=x" --dump -T TABLES -D information_schema --start 2 --stop 4

This has been fixed for a few weeks in the development version; you can grab a copy from the subversion repository.

> I tried it also with other options like this one:
>
> ...\sqlmap-0.7_exe\sqlmap.exe" -u "http://www.xxxxx.php?userid=x" --tables -D information_schema --start 2 --stop 4

--start and --stop work only in conjunction with --dump and --dump-all at the moment; this is by design.

> or with the syntax from the pdf README:
> --start=
> --stop=
> ...

Both syntaxes work the same way.

> or this one:
> sqlmap-0.7_exe\sqlmap.exe" -u http://www.xxxxx.php?userid=x --dump -T TABLE_NAME --start=58 --stop=98
>
> [00:52:38] [INFO] fetching number of columns for table 'TABLE_NAME' on database 'xxx'
> [00:52:38] [INFO] retrieved: 0
> [00:52:55] [ERROR] unable to retrieve the number of columns for table 'TABLE_NAME' on database 'xxx'

Is the DB user privileged enough to access the 'information_schema' database? If so, give the sqlmap development version a try.

> ...
> Another question I have is about the option --passwords
>
> for example it gives me this error message
> when I tried the option --passwords together with the -U option:
>
> "[ERROR] unable to retrieve the password hashes for the database users"

Are you sure that the provided user (-U) exists? Check with --users. Are you sure that the DB user is privileged enough to access the 'mysql' database?

> Why does the program try to dump it from the database "users"? I never specified it to search on this database; does the program use it as the standard DBS for the --password option, and can I change it?

It uses 'mysql.user' or 'information_schema' depending on the MySQL version; see for yourself the SQL queries used in the xml/queries.xml file.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
