sqlmap-users Mailing List for sqlmap (Page 139)
From: Alexander H. <ah...@pr...> - 2009-04-29 16:32:36
Hi Bernardo,

just tested RC2 and it came up with the following error:

URL: http://xx.xx/blah/default.rad?AppID=SC_EIDA&WSID=Login_Welcome&pLID=EIDA_SC_Login&OCat=%271/

Error:

[20:13:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server
[20:13:55] [INFO] fetching database users password hashes
[20:13:55] [INFO] fetching database users
[20:13:55] [ERROR] unhandled exception in sqlmap/0.7rc2, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc2
Python version: 2.6.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/xaitax/security/tools/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/xaitax/security/tools/sqlmap/lib/controller/action.py", line 101, in action
    conf.dbmsHandler.getPasswordHashes(), "password hash")
  File "/home/xaitax/security/tools/sqlmap/plugins/generic/enumeration.py", line 277, in getPasswordHashes
    users = self.getUsers()
  File "/home/xaitax/security/tools/sqlmap/plugins/generic/enumeration.py", line 176, in getUsers
    condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) )
IndexError: list index out of range

[*] shutting down at: 20:13:55

Best regards,
Alex

--
Alexander Hagenah
Dubai, UAE.
phone: +971 (0)50 1576446
email: ah...@pr...
jabber: roo...@ja...
gpg-id: 0x354C0DDB

From: Christian E. E. <c_e...@ya...> - 2009-04-29 07:06:13
Hmm! It's likely those scripts aren't tested before submitting. Bernardo, if you need some help, maybe it's the time to grant svn write access to some developers, what do you think?

Cheers.

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher / Business Developer / Enterprise Software Architect
mobile (IT): +39 3408580513

________________________________
From: Patrick Webster <pa...@au...>
To: sql...@li...
Sent: Wednesday 29 April 2009, 8:29:45
Subject: [sqlmap-users] more bugs... sorry :)

[16:28:33] [ERROR] unhandled exception in sqlmap/0.7rc2, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc2
Python version: 2.4.3
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/patrick/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/patrick/sqlmap/lib/controller/action.py", line 111, in action
    dumper.dbTables(conf.dbmsHandler.getTables())
  File "/home/patrick/sqlmap/lib/core/dump.py", line 146, in dbTables
    tables.sort(key=lambda x: x.lower())
AttributeError: 'str' object has no attribute 'sort'

From: Patrick W. <pa...@au...> - 2009-04-29 06:30:15
[16:28:33] [ERROR] unhandled exception in sqlmap/0.7rc2, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc2
Python version: 2.4.3
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/patrick/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/patrick/sqlmap/lib/controller/action.py", line 111, in action
    dumper.dbTables(conf.dbmsHandler.getTables())
  File "/home/patrick/sqlmap/lib/core/dump.py", line 146, in dbTables
    tables.sort(key=lambda x: x.lower())
AttributeError: 'str' object has no attribute 'sort'

From: Nicolas K. <kr...@an...> - 2009-04-29 01:59:44
Bernardo, thank you for the changes, we keep in mind that trunk is not stable.

As you wrote earlier --os-shell option needs to be fixed as it's still not operating in the latest revision (744). It's a very useful option for pen-testing and making the client believe that there is a problem with their website, it gives the ability to demonstrate, easy and fast, the flaws in the web/database structure of the application.

Regards,
Nicolas

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-28 11:05:44
Hi Nicolas,

Fixed and committed.

On Tue, Apr 28, 2009 at 01:09, Nicolas Krassas <kr...@an...> wrote:
> Hi again, thanks for the quick fix, there seems to be though another issue
> with --os-shell
>
> the command executed is just sqlmap.py -u "host" --os-shell , the output of
> the command follows:
>
> sqlmap version: 0.7rc2
> Python version: 2.5.4
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/home/dreamer/sqlmap/lib/controller/controller.py", line 263, in start
>     action()
>   File "/home/dreamer/sqlmap/lib/controller/action.py", line 140, in action
>     conf.dbmsHandler.osShell()
>   File "/home/dreamer/sqlmap/plugins/generic/takeover.py", line 260, in osShell
>     self.__webBackdoorOsShell()
>   File "/home/dreamer/sqlmap/plugins/generic/takeover.py", line 100, in __webBackdoorOsShell
>     kb.docRoot = getDocRoot()
>   File "/home/dreamer/sqlmap/lib/core/common.py", line 245, in getDocRoot
>     index = absFilePath.index(conf.path)
> ValueError: substring not found

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-28 08:18:40
The --os-shell/--os-cmd functionality via web backdoor upload is OUTDATED. The code is DEPRECATED. I will fix it in the short term.

On Tue, Apr 28, 2009 at 07:04, Patrick Webster <pa...@au...> wrote:
> [15:54:24] [ERROR] unhandled exception in sqlmap/0.7rc2, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.7rc2
> Python version: 2.4.3
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/home/patrick/sqlmap/lib/controller/controller.py", line 263, in start
>     action()
>   File "/home/patrick/sqlmap/lib/controller/action.py", line 140, in action
>     conf.dbmsHandler.osShell()
>   File "/home/patrick/sqlmap/plugins/generic/takeover.py", line 260, in osShell
>     self.__webBackdoorOsShell()
>   File "/home/patrick/sqlmap/plugins/generic/takeover.py", line 100, in __webBackdoorOsShell
>     kb.docRoot = getDocRoot()
>   File "/home/patrick/sqlmap/lib/core/common.py", line 245, in getDocRoot
>     index = absFilePath.index(conf.path)
> ValueError: substring not found

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Patrick W. <pa...@au...> - 2009-04-28 06:33:41
[15:54:24] [ERROR] unhandled exception in sqlmap/0.7rc2, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc2
Python version: 2.4.3
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/patrick/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/patrick/sqlmap/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/home/patrick/sqlmap/plugins/generic/takeover.py", line 260, in osShell
    self.__webBackdoorOsShell()
  File "/home/patrick/sqlmap/plugins/generic/takeover.py", line 100, in __webBackdoorOsShell
    kb.docRoot = getDocRoot()
  File "/home/patrick/sqlmap/lib/core/common.py", line 245, in getDocRoot
    index = absFilePath.index(conf.path)
ValueError: substring not found

From: Nicolas K. <kr...@an...> - 2009-04-28 00:09:59
Hi again, thanks for the quick fix, there seems to be though another issue with --os-shell

the command executed is just sqlmap.py -u "host" --os-shell , the output of the command follows:

sqlmap version: 0.7rc2
Python version: 2.5.4
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/home/dreamer/sqlmap/lib/controller/controller.py", line 263, in start
    action()
  File "/home/dreamer/sqlmap/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/home/dreamer/sqlmap/plugins/generic/takeover.py", line 260, in osShell
    self.__webBackdoorOsShell()
  File "/home/dreamer/sqlmap/plugins/generic/takeover.py", line 100, in __webBackdoorOsShell
    kb.docRoot = getDocRoot()
  File "/home/dreamer/sqlmap/lib/core/common.py", line 245, in getDocRoot
    index = absFilePath.index(conf.path)
ValueError: substring not found

Regards,
Nicolas

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-27 23:11:09
I can't reproduce this bug. Please, get the latest sqlmap version from svn and try again.

Cheers,
Bernardo

On Sun, Apr 26, 2009 at 18:20, Authorisation <aut...@gm...> wrote:
> Hi,
>
> It appears that the update function is broken as well.
>
> ./sqlmap.py --update
>
> sqlmap/0.7rc1
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 18:16:49
>
> [18:16:49] [INFO] updating sqlmap
> [18:16:50] [INFO] you are already running sqlmap latest stable version
> [18:16:50] [INFO] updating Microsoft SQL Server XML versions file
> [18:17:23] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
> [18:17:24] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.7rc1
> Python version: 2.5.1
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 78, in main
>     init(cmdLineOptions)
>   File "/opt/web/sqlmap/lib/core/option.py", line 964, in init
>     update()
>   File "/opt/web/sqlmap/lib/core/update.py", line 340, in update
>     __updateMSSQLXML()
>   File "/opt/web/sqlmap/lib/core/update.py", line 57, in __updateMSSQLXML
>     mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
>   File "/opt/web/sqlmap/lib/request/connect.py", line 213, in getPage
>     return Connect.__getPageProxy(get=get, post=post, cookie=cookie, ua=ua, direct=direct, multipart=multipart)
>   File "/opt/web/sqlmap/lib/request/connect.py", line 54, in __getPageProxy
>     return Connect.getPage(**kwargs)
>   File "/opt/web/sqlmap/lib/request/connect.py", line 67, in getPage
>     url = kwargs.get('url', conf.url).replace(" ", "%20")
> AttributeError: 'NoneType' object has no attribute 'replace'

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-27 23:08:43
Hi "authorisation",

On Sat, Apr 25, 2009 at 08:12, Authorisation <aut...@gm...> wrote:
> ...
>   File "/opt/pentest/web/sqlmap/plugins/dbms/oracle.py", line 259, in osShell
>     raise sqlmapUnsupportedFeatureException, errMsg
> NameError: global name 'sqlmapUnsupportedFeatureException' is not defined

Fixed and committed on svn. Thanks for reporting.

PS: what an email address.. does it look only to me like it is used for phishing attacks?

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Nicolas K. <kr...@an...> - 2009-04-27 03:54:58
Hi,

I notice that somebody had the same problem, so here is the solution:

change the following lines at plugins/generic/takeover.py around line number 28, from

.....
import re
from lib.core.common import getDirectories
.....

to

....
import re
from lib.core.agent import agent
from lib.core.common import fileToStr
from lib.core.common import getDirectories
.....

That will be just adding the missing function definitions.

Regards,
Dinos

From: Authorisation <aut...@gm...> - 2009-04-26 17:21:11
Hi,

It appears that the update function is broken as well.

./sqlmap.py --update

sqlmap/0.7rc1
by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 18:16:49

[18:16:49] [INFO] updating sqlmap
[18:16:50] [INFO] you are already running sqlmap latest stable version
[18:16:50] [INFO] updating Microsoft SQL Server XML versions file
[18:17:23] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[18:17:24] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc1
Python version: 2.5.1
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 78, in main
    init(cmdLineOptions)
  File "/opt/web/sqlmap/lib/core/option.py", line 964, in init
    update()
  File "/opt/web/sqlmap/lib/core/update.py", line 340, in update
    __updateMSSQLXML()
  File "/opt/web/sqlmap/lib/core/update.py", line 57, in __updateMSSQLXML
    mssqlVersionsHtmlString, _ = Request.getPage(url=MSSQL_VERSIONS_URL, direct=True)
  File "/opt/web/sqlmap/lib/request/connect.py", line 213, in getPage
    return Connect.__getPageProxy(get=get, post=post, cookie=cookie, ua=ua, direct=direct, multipart=multipart)
  File "/opt/web/sqlmap/lib/request/connect.py", line 54, in __getPageProxy
    return Connect.getPage(**kwargs)
  File "/opt/web/sqlmap/lib/request/connect.py", line 67, in getPage
    url = kwargs.get('url', conf.url).replace(" ", "%20")
AttributeError: 'NoneType' object has no attribute 'replace'

From: Christian E. E. <c_e...@ya...> - 2009-04-26 14:59:42
Hello,

sqlmap seems to have serious issue with the --os-shell option. I have the same problem,

[02:36:31] [INFO] testing for parenthesis on injectable parameter
[02:36:34] [INFO] the injectable parameter requires 0 parenthesis
[02:36:34] [INFO] testing MySQL
[02:36:36] [INFO] confirming MySQL
[02:36:37] [INFO] retrieved: 0
[02:36:54] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.63, PHP 5.2..5
back-end DBMS: MySQL >= 5.0.0
[02:36:54] [INFO] testing stacked queries support on parameter 'noticiaID'
[02:36:54] [INFO] detecting back-end DBMS version from its banner
[02:36:54] [INFO] retrieved: 5.0.67
[02:38:36] [WARNING] the web application does not support stacked queries on parameter 'noticiaID'
[02:38:36] [INFO] going to upload a web page backdoor for command execution
[02:38:36] [INFO] retrieving web application directories
[02:38:36] [WARNING] unable to retrieve the injectable file absolute system path
[02:38:36] [WARNING] unable to retrieve the remote web server document root
please provide the web server document root [/var/www]:
please provide a list of directories absolute path comma separated that you want sqlmap to try to upload the agent [/var/www/test]:
[02:38:51] [INFO] trying to upload the uploader agent
[02:38:51] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the command line and the following text and send by e-mail to sqlmap-users@lists..sourceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.7rc1
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/home/ulises2k/programas/sqlmap-svn/lib/controller/controller.py", line 265, in start
    action()
  File "/home/ulises2k/programas/sqlmap-svn/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/home/ulises2k/programas/sqlmap-svn/plugins/generic/takeover.py", line 286, in osShell
    self.__webBackdoorOsShell()
  File "/home/ulises2k/programas/sqlmap-svn/plugins/generic/takeover.py", line 145, in __webBackdoorOsShell
    uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
NameError: global name 'fileToStr' is not defined

[*] shutting down at: 02:38:51

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher / Business Developer / Enterprise Software Architect
mobile (IT): +39 3408580513

----- Original message -----
> From: Nicolas Krassas <kr...@an...>
> To: sql...@li...
> Sent: Sunday 26 April 2009, 8:22:00
> Subject: [sqlmap-users] testing --os-shell
>
> Hi,
> Trying some test on --os-shell I'm getting the following error.
>
> sqlmap version: 0.7rc2
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 84, in main
>     start()
>   File "/root/sqlmap/lib/controller/controller.py", line 265, in start
>     action()
>   File "/root/sqlmap/lib/controller/action.py", line 140, in action
>     conf.dbmsHandler.osShell()
>   File "/root/sqlmap/plugins/generic/takeover.py", line 286, in osShell
>     self.__webBackdoorOsShell()
>   File "/root/sqlmap/plugins/generic/takeover.py", line 145, in __webBackdoorOsShell
>     uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
> NameError: global name 'fileToStr' is not defined

From: Nicolas K. <kr...@an...> - 2009-04-26 06:49:02
Hi,

Trying some test on --os-shell I'm getting the following error.

sqlmap version: 0.7rc2
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 84, in main
    start()
  File "/root/sqlmap/lib/controller/controller.py", line 265, in start
    action()
  File "/root/sqlmap/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/root/sqlmap/plugins/generic/takeover.py", line 286, in osShell
    self.__webBackdoorOsShell()
  File "/root/sqlmap/plugins/generic/takeover.py", line 145, in __webBackdoorOsShell
    uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
NameError: global name 'fileToStr' is not defined

From: Authorisation <aut...@gm...> - 2009-04-25 07:12:54
Hi Guys,

I get the following error when trying -os-cmd & -os-shell options:

My OS is 'Fedora 8'.

$sqlmap.py -u "http://XXXXXXXXXX/XXXXXXXXXX?record=42" --eta -v1 --os-shell

[08:07:42] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc1
Python version: 2.5.1
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/opt/pentest/web/sqlmap/lib/controller/controller.py", line 265, in start
    action()
  File "/opt/pentest/web/sqlmap/lib/controller/action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "/opt/pentest/web/sqlmap/plugins/dbms/oracle.py", line 259, in osShell
    raise sqlmapUnsupportedFeatureException, errMsg
NameError: global name 'sqlmapUnsupportedFeatureException' is not defined

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-23 20:43:49
Hi Gabriel,

On Thu, Apr 23, 2009 at 20:33, Gabriel "Pato" Lima <pa...@bu...> wrote:
> ...
> [16:20:42] [INFO] creation in progress .. quit unexpectedly by signal 1
> [16:20:44] [ERROR] failed to create the shellcode
>
> [*] shutting down at: 16:20:44
>
> I tried other encoding types too, and with shell payload.
> There's no error, but there is a "unexpectedly quit" .. Is this a bug\error
> in code, or the server is really patched?

First of all, be sure that you're running sqlmap by providing Metasploit 3.2 or updated trunk SVN working directory.

Then svn update your sqlmap working copy, I just committed a minor update that will display also the reason why the shellcode creation failed. Please, come back with this message.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Gabriel \Pato\ L. <pa...@bu...> - 2009-04-23 19:33:23
Hi again.

I was testing --os-bof in a box with xp_cmdshell and ... :

[16:20:10] [INFO] checking if xp_cmdshell extended procedure is available, wait..
[16:20:18] [INFO] xp_cmdshell extended procedure is available
[16:20:29] [INFO] creating Metasploit Framework 3 multi-stage shellcode for the exploit
which connection type do you want to use?
[1] Bind TCP (default)
[2] Bind TCP (No NX)
[3] Reverse TCP
[4] Reverse TCP (No NX)
> 1
which is the back-end DBMS address? [200.169.132.219]
which remote port numer do you want to use? [26333] 7777
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> 11
[16:20:42] [INFO] creation in progress .. quit unexpectedly by signal 1
[16:20:44] [ERROR] failed to create the shellcode

[*] shutting down at: 16:20:44

I tried other encoding types too, and with shell payload.
There's no error, but there is a "unexpectedly quit" .. Is this a bug\error in code, or the server is really patched?

Thanks a lot,
Best Regards,
Gabriel.

--
Gabriel Lima

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-23 08:43:28
Hi Gabriel,

On Thu, Apr 23, 2009 at 06:51, Gabriel "Pato" Lima <pa...@bu...> wrote:
> ...
> When I try to turn xp_cmdshell on, this is what happens:
> ...
>   File "/home/gabriel/sqlmap/lib/takeover/xp_cmdshell.py", line 106, in __xpCmdshellConfigure
>     if kb.dbmsVersion[0] in ( "2005", "2008" ):
> IndexError: list index out of range

Thanks for reporting this bug. Fixed and committed on subversion repository.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Gabriel \Pato\ L. <pa...@bu...> - 2009-04-23 05:51:48
Hey guys!

First... uau! sqlmap 7 is amazing! Thanks a lot, Bernardo!

When I try to turn xp_cmdshell on, this is what happens:

[02:49:04] [WARNING] the functionality requested might not work because the session user is not a database administrator
[02:49:04] [INFO] checking if xp_cmdshell extended procedure is available, wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] Y
[02:49:10] [ERROR] unhandled exception in sqlmap/0.7rc1, please copy the command line and the following text and send by e-mail to sql...@li.... The developer will fix it as soon as possible:
sqlmap version: 0.7rc1
Python version: 2.6.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/home/gabriel/sqlmap/lib/controller/controller.py", line 265, in start
    action()
  File "/home/gabriel/sqlmap/lib/controller/action.py", line 143, in action
    conf.dbmsHandler.osPwn()
  File "/home/gabriel/sqlmap/plugins/generic/takeover.py", line 298, in osPwn
    self.initEnv()
  File "/home/gabriel/sqlmap/lib/takeover/abstraction.py", line 167, in initEnv
    self.xpCmdshellInit(mandatory)
  File "/home/gabriel/sqlmap/lib/takeover/xp_cmdshell.py", line 181, in xpCmdshellInit
    self.__xpCmdshellConfigure(1)
  File "/home/gabriel/sqlmap/lib/takeover/xp_cmdshell.py", line 106, in __xpCmdshellConfigure
    if kb.dbmsVersion[0] in ( "2005", "2008" ):
IndexError: list index out of range

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-22 14:17:34
Hi,

I am glad to release sqlmap version 0.7rc1.

WARNING: This release is a candidate, it only works on Linux so please do not complain that it does not work on your Windows or Mac OS X systems.

Thanks to anyone of you that contributed with really appreciated and useful feedback.

Changes
=======

Some of the new features include:

* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;
* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
* Added support for out-of-band connection via Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;
* Added support for out-of-band connection via SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit;
* Added support to read and write (upload) both text and binary files on the database server underlying file system for MySQL, PostgreSQL and Microsoft SQL Server;
* Added database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable;
* Speed up the inference algorithm by providing the minimum required charset for the query output;
* Major bug fix in the comparison algorithm to correctly handle also the case that the url is stable and the False response changes the page content very little;
* Many minor bug fixes, minor enhancements and layout adjustments.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in two formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.tar.gz
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.zip

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* "Advanced SQL injection to operating system full control" whitepaper[1] and slides[2] presented at Black Hat Europe 2009 in Amsterdam (The Netherlands) on April 16, 2009

[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides

Happy hacking!

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-21 11:39:22
Hi,

sqlmap does not support the http://uid:pw...@do...d syntax to authenticate to a site. Instead use the --auth-type and --auth-cred options to provide authentication type and credentials. Please refer to the user's manual for further information.

Regards,
Bernardo

On Tue, Apr 21, 2009 at 11:39, <al...@gm...> wrote:
> C:\Programme\sqlmap-0.6.4_exe>sqlmap.exe -u http://uid:pw...@do...d -f
>
> sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
> and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 12:35:27
>
> [12:35:27] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command
> line and the following text and send by e-mail to sql...@li...urceforge
> .net. The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.5.4
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 81, in main
>   File "lib\controller\controller.pyc", line 142, in start
>   File "lib\core\target.pyc", line 216, in initTargetEnv
>   File "lib\core\common.pyc", line 566, in parseTargetUrl
> ValueError: invalid literal for int() with base 10: 'sch...@te...m
> sung.de'
>
> [*] shutting down at: 12:35:27
> ...

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

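An added example, not sqlmap's code and written for Python 3 rather than the Python 2 of this thread: `naive_host_port` is an assumed reconstruction of a parser that splits the URL authority on ':' and so fails the way the quoted traceback does, with the userinfo text ending up in the exception message. `parse_target` and `redact` are hypothetical helpers that split credentials out of the URL and keep them out of logs and crash reports; all URLs below are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_host_port(url):
    """Assumed shape of the failing logic: split the authority on the first ':'."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    if ":" in authority:
        host, port = authority.split(":", 1)
        # With "uid:pw@host" the "port" is "pw@host"; int() then puts that
        # text, password included, into the ValueError message.
        return host, int(port)
    return authority, 80


def parse_target(url):
    """Return (clean_url, host, port, credentials) with userinfo split out."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported URL scheme")
    if not parts.hostname:
        raise ValueError("target URL has no host")
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        # Do not echo the offending text: it may contain credentials.
        raise ValueError("target URL has an invalid port") from None

    credentials = None
    if parts.username is not None:
        credentials = (unquote(parts.username), unquote(parts.password or ""))

    # Rebuild the authority without userinfo; re-bracket IPv6 literals.
    host = parts.hostname
    netloc = "[%s]" % host if ":" in host else host
    if port is not None:
        netloc += ":%d" % port
    clean_url = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment))

    effective_port = port if port is not None else DEFAULT_PORTS[parts.scheme]
    return clean_url, host, effective_port, credentials


def redact(url):
    """URL form that is safe to print in logs and crash reports."""
    try:
        return parse_target(url)[0]
    except ValueError:
        return "<unparseable target URL>"


if __name__ == "__main__":
    sample = "http://uid:s3cret@example.test/login?id=1"  # constructed
    try:
        naive_host_port(sample)
    except ValueError as exc:
        print("naive parser leaks:", exc)
    print("robust parser:", parse_target(sample))
    print("log-safe form:", redact(sample))
```
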
From: <al...@gm...> - 2009-04-21 10:39:46
C:\Programme\sqlmap-0.6.4_exe>sqlmap.exe -u http://uid:pw...@do...d -f

sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 12:35:27

[12:35:27] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command
line and the following text and send by e-mail to sql...@li...urceforge
.net. The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.5.4
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 81, in main
  File "lib\controller\controller.pyc", line 142, in start
  File "lib\core\target.pyc", line 216, in initTargetEnv
  File "lib\core\common.pyc", line 566, in parseTargetUrl
ValueError: invalid literal for int() with base 10: 'sch...@te...m
sung.de'

[*] shutting down at: 12:35:27

C:\Programme\sqlmap-0.6.4_exe>

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-20 14:01:22
Hi,

On Sat, Apr 18, 2009 at 13:22, Newslettersucks <New...@gm...> wrote:
> ...
> i tried the following command:
>
> C:\sqlmap-0.6.4_exe\sqlmap-0.6.4_exe>sqlmap.exe -u "
> http://www.xyz.com/index.php?page=bday.php&ID=11297" --string "jams
> Paolletoi" -p "ID" -v 2
> ...
> [14:02:37] [INFO] testing if GET parameter 'ID' is dynamic
> [14:02:47] [WARNING] GET parameter 'ID' is not dynamic
> ...
> So what can i do?
> ...

It looks like the string that you provided is on both True and False response pages. Try to avoid providing it.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Bernardo D. A. G. <ber...@gm...> - 2009-04-20 13:45:31
Hi,

In the last days I've got 3,282 new unique visitors coming from this heise.de article, sweet!

Cheers,
Bernardo

On Fri, Apr 17, 2009 at 21:32, Philippe A. R. Schaeffer <sc...@co...> wrote:
> There's also an english version now:
>
> http://www.h-online.com/security/SQL-injection-reloaded-access-to-the-operating-system--/news/113095

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

From: Newslettersucks <New...@gm...> - 2009-04-18 12:22:14
Hi,

I tried the following command:

C:\sqlmap-0.6.4_exe\sqlmap-0.6.4_exe>sqlmap.exe -u "
http://www.xyz.com/index.php?page=bday.php&ID=11297" --string "jams
Paolletoi" -p "ID" -v 2

this is my output:

[*] starting at: 14:02:00

[14:02:00] [DEBUG] initializing the configuration
[14:02:00] [DEBUG] initializing the knowledge base
[14:02:00] [DEBUG] cleaning up configuration parameters
[14:02:00] [DEBUG] setting the HTTP method to GET
[14:02:00] [DEBUG] creating HTTP requests opener object
[14:02:00] [DEBUG] parsing XML queries file
[14:02:00] [INFO] testing connection to the target url
[14:02:14] [WARNING] unable to connect to the target url or proxy, sqlmap is goi
ng to retry the request
[14:02:29] [INFO] testing if the provided string is within the target URL page c
ontent
[14:02:37] [WARNING] the testable parameter 'ID' you provided is not into the Co
okie
[14:02:37] [INFO] testing if GET parameter 'ID' is dynamic
[14:02:47] [WARNING] GET parameter 'ID' is not dynamic

[*] shutting down at: 14:02:47

Unfortunately it's not working :(
The parameter 'ID' is vulnerable, cause if I change it to ID=' I can see SQL-errors...

So what can I do?

Greetings
ns