sqlmap-users Mailing List for sqlmap (Page 140)
From: Philippe A. R. S. <sc...@co...> - 2009-04-17 20:32:58

There's also an English version now: http://www.h-online.com/security/SQL-injection-reloaded-access-to-the-operating-system--/news/113095
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-17 14:39:59

Hi Philippe,

On Fri, Apr 17, 2009 at 14:00, Philippe A. R. Schaeffer <sc...@co...> wrote:
> Nice article:
> http://www.heise.de/newsticker/SQL-Injection-reloaded-Zugriff-auf-das-Betriebssystem--/meldung/136340
>
> It may show up in English on http://www.h-online.com/

Thanks for notifying about it!

Regards,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: Philippe A. R. S. <sc...@co...> - 2009-04-17 13:30:08

Nice article: http://www.heise.de/newsticker/SQL-Injection-reloaded-Zugriff-auf-das-Betriebssystem--/meldung/136340

It may show up in English on http://www.h-online.com/

Keep up the good work!

Cheers,
Philippe
From: Pragmatk <pra...@gm...> - 2009-04-16 16:27:01

li...@li... wrote:
> Well, I can see this thread is going nowhere and reeks of sarcasm
> rather than a discussion of the differences found using sqlmap in
> proxy mode.

While my first message was indeed sarcastic, the one previous to this one was 100% serious.

The problem with using a "proxy" like Burp is that the

    GET http://endhost:endport/enduri HTTP/1.1

is required in order for the HTTP proxy to work. In most cases you would use the (in my opinion) superior SOCKS protocol, which allows raw traffic to be passed on in a much nicer way. Had sqlmap been using Burp as a SOCKS proxy, you would not have had your issue.

I do not, however, see the problem in establishing the initial session in FF / Burp and modifying the requests to match those of sqlmap?

> The session tokens work fine not using sqlmap in proxy mode.

Hmm, that could indicate that you'll have to send proper GETs. Consider using another logging tool than Burp or patching sqlmap's urllib objects to use a SOCKS proxy when establishing connections.

--
Joe / "Pragmatk"
[ 6426 C563 2592 0BB8 5193 797E 1A09 9E97 323C 7837 ]
[ gpg --recv-keys --keyserver pgp.mit.edu 0x323C7837 ]
From: <li...@li...> - 2009-04-16 15:53:10

Well, I can see this thread is going nowhere and reeks of sarcasm rather than a discussion of the differences found using sqlmap in proxy mode.

The session tokens work fine not using sqlmap in proxy mode.

On Thu, Apr 16, 2009 at 05:34:55PM +0100, Pragmatk wrote:
> li...@li... wrote:
> > I was noting a difference between how sqlmap works in proxy
> > vs non-proxy mode to the point where obtained session tokens
> > will not work. I am inquiring if there is a way to make
> > sqlmap work differently, regardless of protocol.
> The proxy feature works perfectly well. It is your proxy - or rather:
> your use of it - that is incorrect. That being said, I'm guessing Burp
> probably has some sort of feature capable of rewriting requests. If not, I
> suggest you write one.
>
> > Session credentials are obtained using firefox to burp suite.
> > Running sqlmap through burp using the same obtained session
> > token does not work because sqlmap uses different requests
> > than the obtained token.
> Err, I lost you there. I thought your issue was sqlmap's
> http://host:port/requesturi requests that screwed your sessions? How are
> the session tokens passed? Are you supplying them correctly to sqlmap?
>
> --
> Joe / "Pragmatk"
> [ 6426 C563 2592 0BB8 5193 797E 1A09 9E97 323C 7837 ]
> [ gpg --recv-keys --keyserver pgp.mit.edu 0x323C7837 ]
From: Pragmatk <pra...@gm...> - 2009-04-16 15:39:25

li...@li... wrote:
> I was noting a difference between how sqlmap works in proxy
> vs non-proxy mode to the point where obtained session tokens
> will not work. I am inquiring if there is a way to make
> sqlmap work differently, regardless of protocol.

The proxy feature works perfectly well. It is your proxy - or rather: your use of it - that is incorrect. That being said, I'm guessing Burp probably has some sort of feature capable of rewriting requests. If not, I suggest you write one.

> Session credentials are obtained using firefox to burp suite.
> Running sqlmap through burp using the same obtained session
> token does not work because sqlmap uses different requests
> than the obtained token.

Err, I lost you there. I thought your issue was sqlmap's http://host:port/requesturi requests that screwed your sessions? How are the session tokens passed? Are you supplying them correctly to sqlmap?

--
Joe / "Pragmatk"
[ 6426 C563 2592 0BB8 5193 797E 1A09 9E97 323C 7837 ]
[ gpg --recv-keys --keyserver pgp.mit.edu 0x323C7837 ]
From: <li...@li...> - 2009-04-16 15:33:53

All I care about is getting sqlmap to funnel all requests through a proxy that I control to log the results (i.e. Burp). I was noting a difference between how sqlmap works in proxy vs non-proxy mode, to the point where obtained session tokens will not work. I am inquiring if there is a way to make sqlmap work differently, regardless of protocol.

Session credentials are obtained using Firefox to Burp Suite. Running sqlmap through Burp using the same obtained session token does not work because sqlmap uses different requests than the obtained token.

On Thu, Apr 16, 2009 at 04:00:40PM +0100, Pragmatk wrote:
> li...@li... wrote:
> > I'm currently conducting a pen-test where I am successfully able to
> > enumerate data from a database using sqlmap (blind sql injection).
> Since you're pentesting web applications, and because you decided to
> read --help before posting, surely you know how a HTTP proxy works.
>
> > My session cookies will work when not using the proxy in sqlmap.
> > Using the proxy setting will not work (proxy through burp suite).
> > When not using the proxy, sqlmap will use a GET request without the
> > host:port information and just use the /url.
> Based on the facts that you
> 1) Have read --help
> and 2) Are pentesting web applications
> and 3) (Based on (2)) Know how a HTTP proxy works
>
> I conclude that you're inquiring about the possibility of having sqlmap
> go take a shit on the HTTP proxy protocol and break its built-in proxy
> support. What I fail to understand is what you're looking to gain by
> doing so.
>
> --
> Joe / "Pragmatk"
> [ 6426 C563 2592 0BB8 5193 797E 1A09 9E97 323C 7837 ]
> [ gpg --recv-keys --keyserver pgp.mit.edu 0x323C7837 ]
From: Pragmatk <pra...@gm...> - 2009-04-16 14:05:23

li...@li... wrote:
> I'm currently conducting a pen-test where I am successfully able to
> enumerate data from a database using sqlmap (blind sql injection).

Since you're pentesting web applications, and because you decided to read --help before posting, surely you know how a HTTP proxy works.

> My session cookies will work when not using the proxy in sqlmap.
> Using the proxy setting will not work (proxy through burp suite).
> When not using the proxy, sqlmap will use a GET request without the
> host:port information and just use the /url.

Based on the facts that you
1) Have read --help
and 2) Are pentesting web applications
and 3) (Based on (2)) Know how a HTTP proxy works

I conclude that you're inquiring about the possibility of having sqlmap go take a shit on the HTTP proxy protocol and break its built-in proxy support. What I fail to understand is what you're looking to gain by doing so.

--
Joe / "Pragmatk"
[ 6426 C563 2592 0BB8 5193 797E 1A09 9E97 323C 7837 ]
[ gpg --recv-keys --keyserver pgp.mit.edu 0x323C7837 ]
From: <li...@li...> - 2009-04-16 13:00:00

I'm currently conducting a pen-test where I am successfully able to enumerate data from a database using sqlmap (blind sql injection). However, I've noticed that sqlmap acts differently using a proxy vs not using a proxy.

My session cookies will work when not using the proxy in sqlmap. Using the proxy setting will not work (proxy through Burp Suite).

When not using the proxy, sqlmap will use a GET request without the host:port information and just use the /url. When using a proxy, sqlmap will use http://hostname:port/url instead. Because of the differences, my session state will not work the same.

Is there a way in sqlmap to have the proxy usage be the same as the non-proxy usage so that I can use the session credentials obtained using Burp Suite?
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-05 12:06:32

Hi Kyprianos,

On Sat, Apr 4, 2009 at 16:36, Kyprianos Vassilopoulos <kyp...@gm...> wrote:
> Hi,
> I have a MacBook Pro and I tried to run sqlmap as normal user and not
> superuser (root). I got this unhandled exception. I tried exactly the same
> query with root account and everything works fine but I felt you should know
> about this issue.
> ...

It seems to me it is a user permission problem to create the output/ subfolder. I tried on a MacBook Pro with Python 2.6 as a normal user within his /Users directory and it worked. Check the permissions in your /Users/pentest/Desktop/sqlmap-0.6.4/ folder, it needs to be rwx for the user 'pentest'.

Cheers,
--
Bernardo Damele A. G.
From: Kyprianos V. <kyp...@gm...> - 2009-04-04 15:37:02

Hi,

I have a MacBook Pro and I tried to run sqlmap as normal user and not superuser (root). I got this unhandled exception. I tried exactly the same query with root account and everything works fine but I felt you should know about this issue.

[06:27:03] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.5.1
Operating system: darwin
Traceback (most recent call last):
  File "sqlmap.py", line 81, in main
    start()
  File "/Users/pentest/Desktop/sqlmap-0.6.4/lib/controller/controller.py", line 254, in start
    createTargetDirs()
  File "/Users/pentest/Desktop/sqlmap-0.6.4/lib/core/target.py", line 232, in createTargetDirs
    os.makedirs(conf.outputPath, 0755)
  File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/os.py", line 172, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/Users/pentest/Desktop/sqlmap-0.6.4/output/www.website.gr'

[*] shutting down at: 06:27:03

Kyprianos Vasilopoulos
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 22:20:28

Hi Kristian,

On Fri, Apr 3, 2009 at 23:16, Kristian Erik Hermansen <kri...@gm...> wrote:
> Congrats Bernardo!

Thanks!

> As the only monetarily donating user to the sqlmap project (am I
> still?), I must advise that you hook up with Anthony Lineberry when
> you get there. He's from LA too and I caught his talk when I was
> speaking at the Southern California Linux Expo (SCALE) last month.
> Awesome stuff and a chill dude...

Thanks for this tip and yes, you're still the only monetarily donating user, other than OWASP during the Spring of Code back in 2007 ;)

> http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Lineberry
> http://scale7x.socallinuxexpo.org/conference-info/speakers/anthony-lineberry
> http://scale7x.socallinuxexpo.org/conference-info/speakers/kristian-erik-hermansen-0

Cheers,
--
Bernardo Damele A. G.
From: Kristian E. H. <kri...@gm...> - 2009-04-03 22:16:54

Congrats Bernardo!

As the only monetarily donating user to the sqlmap project (am I still?), I must advise that you hook up with Anthony Lineberry when you get there. He's from LA too and I caught his talk when I was speaking at the Southern California Linux Expo (SCALE) last month. Awesome stuff and a chill dude...

http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Lineberry
http://scale7x.socallinuxexpo.org/conference-info/speakers/anthony-lineberry
http://scale7x.socallinuxexpo.org/conference-info/speakers/kristian-erik-hermansen-0

Good luck with your talk :-D

Cheers,

On Fri, Apr 3, 2009 at 2:56 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> I have been selected as a speaker[1] for Black Hat Europe 2009
> Briefings[2]! I am scheduled[3] to talk on April 16 at 12:00.
>
> My presentation is titled "Advanced SQL Injection exploitation to
> operating system full control" and the abstract is as follows:
>
> --8<--
> Over ten years have passed since a famous hacker coined the term "SQL
> injection" and it is still considered one of the major web application
> threats, affecting over 70% of web application on the Net. A lot has
> been said on this specific vulnerability, but not all of the aspects
> and implications have been uncovered, yet.
>
> It's time to explore new ways to get complete control over the
> database management system's underlying operating system through a SQL
> injection vulnerability in those over-looked and theoretically not
> exploitable scenarios: From the command execution on MySQL and
> PostgreSQL to a stored procedure's buffer overflow exploitation on
> Microsoft SQL Server. These and much more will be unveiled and
> demonstrated with my own tool's [sqlmap] new version that I will
> release at the Conference.
> --8<--
>
> The Conference will take place on April 14 - 17, 2009 at Moevenpick
> Hotel City Centre in Amsterdam (The Netherlands), don't miss it if you
> can!
>
> [1] http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele
> [2] http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
> [3] http://www.blackhat.com/html/bh-europe-09/bh-eu-09-schedule.html
>
> Cheers,
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +447788962949 (UK), +393493821385 (IT)
> PGP Key ID: 0x05F5A30F
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Kristian Erik Hermansen
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 21:56:37

Hi,

I have been selected as a speaker[1] for Black Hat Europe 2009 Briefings[2]! I am scheduled[3] to talk on April 16 at 12:00.

My presentation is titled "Advanced SQL Injection exploitation to operating system full control" and the abstract is as follows:

--8<--
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.

It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's [sqlmap] new version that I will release at the Conference.
--8<--

The Conference will take place on April 14 - 17, 2009 at Moevenpick Hotel City Centre in Amsterdam (The Netherlands), don't miss it if you can!

[1] http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele
[2] http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
[3] http://www.blackhat.com/html/bh-europe-09/bh-eu-09-schedule.html

Cheers,
--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 14:59:18

Hi Joe,

On Wed, Mar 25, 2009 at 16:40, Pragmatk <pra...@gm...> wrote:
> When you cancel a running attack against a host (and you have specified
> a session file), sqlmap will resume where it left. Unfortunately it will
> miss the last character (the one it was in the process of reading).

It "misses" the last character because it is still processing it: if you stop sqlmap while the bisection algorithm is detecting its value, it obviously can not be saved to the session file. sqlmap saves to the session file in real time only enumerated data whose value it is sure about, character by character.

> This
> has caused me quite some irritation due to an unstable wifi. I was using
> threads, so I was missing 10 characters for each time I got kicked off
> the wifi.
> It would be awesome if someone could look over it and fix.

A slightly different principle applies when you're running sqlmap with multithreading: the tool only outputs the enumerated data to the session file when all the threads for the SQL statement in exam are done. The number of threads corresponds to max(num_threads_from_user, statement_value_length_precalculated).

Hope this clarifies a bit how it works.

Cheers,
--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 14:43:43

Hi Michael,

we already discussed this problem here, http://sourceforge.net/mailarchive/forum.php?thread_name=D62CD87C87854C359E43DF1D04DE7377%40naru&forum_name=sqlmap-users

Cheers,
Bernardo

On Thu, Mar 19, 2009 at 20:46, Michael O'Brady <hac...@gm...> wrote:
> [20:43:42] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command
> line and the following text and send by e-mail to sql...@li...urceforge.net. The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.5.4
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 78, in main
>   File "lib\core\option.pyc", line 771, in init
>   File "lib\parse\queriesfile.pyc", line 219, in queriesParser
>   File "xml\sax\__init__.pyc", line 33, in parse
>   File "xml\sax\expatreader.pyc", line 107, in parse
>   File "xml\sax\xmlreader.pyc", line 119, in parse
>   File "xml\sax\expatreader.pyc", line 111, in prepareParser
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xf6' in position 37: ordinal not in range(128)
>
> [*] shutting down at: 20:43:42
>
> Were using sqlmap --url=http://www.site.com?click.php?id=12345

--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 14:34:03

Hi Joe,

On Thu, Mar 26, 2009 at 13:36, Pragmatk <pra...@gm...> wrote:
> ...
> Depending on the charset of the schema, you can on some of the more exotic
> multi-byte charset ones. From my personal cheatsheet:
> ...

This is very uncommon, but it is well detailed on Chris Shiflett's blog and the sla.ckers.org forum.

> Also interesting, I'll keep that in mind. Do you have any examples / links
> to posts about that?

sla.ckers.org forum and OWASP double encoding attack page.

>> If the parameter is an integer so not between single quote you can
>> bypass magic_quotes_gpc by casting to CHAR(), or similar dbms
>> function, all the 'strings' in your injected SQL statement: sqlmap
>> does it automatically.
>
> I normally use hex notation as that takes up less bytes.
> ie 0x4142434445 == 'ABCDE'

This does not work on the majority of database software, good to mention thus.

Regards,
--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 14:29:55

Hi,

On Wed, Apr 1, 2009 at 11:19, jebe8668 <jeb...@gm...> wrote:
> ...
> [ERROR] sqlmap was not able to fingerprint the back-end database
> management system. Support for this DBMS will be implemented if you ask,
> just drop us an email
> ...

This happens because, for some reason, it looks like the dbms user is not allowed to call CONNECTION_ID(), which I use in sqlmap to fingerprint MySQL at first try. I've the very same test environment, among others, and it works smoothly.

> if I add option --dbms MySQL I get

As a work-around run sqlmap with --dbms "MySQL 5": it won't perform any fingerprint request.

Regards,
--
Bernardo Damele A. G.
From: Bernardo D. A. G. <ber...@gm...> - 2009-04-03 14:27:15

Hi Simon,

On Fri, Apr 3, 2009 at 14:11, Simon Orr <Sim...@te...> wrote:
> ...
> I've tried both the windows executable and (in case it was an issue with the
> EXE build, using python). I've included the EXE command and output below...
> In this case I'm using a Login form on my local PC with a SQL backend which
> I've left vulnerable to SQL injection to allow me to test sqlmap. When
> running under Python 3.0.1 it errored. When running under 2.6 I get the same
> output as below with a couple of warnings about the hash function being
> deprecated.

Ignore the deprecation warning, it's because a native Python library has been deprecated from Python 2.6, but it still works. Do not use it under Python 3.0, I never tested it on that version yet.

> ...
> If it _is_ trying to use the proxy settings detected on my PC, it should
> find one that is ignored for addresses inside the LAN. If not, it would need
> to authenticate against the proxy using NTLM.
> ...

Regarding your connection issue, it is probably relying on your global/local proxy variable. Check your environment variable settings and remove the proxy one, then give it a try. If you still have this problem, pass me the output of sqlmap run with the -v 5 option and, in case, a traffic dump in pcap format, but this should not be required since it is clearly a network problem, not directly related to the tool.

Regards,
--
Bernardo Damele A. G.
From: Simon O. <Sim...@Te...> - 2009-04-03 13:40:23

Hi All,

Firstly, let me say I'm new to sqlmap and this mailing list, so Hi everyone - Hopefully I'll be here for a while.

We have some applications which are being penetration tested by an external auditor and some issues have been found. I'd like to add testing with sqlmap to our release procedure (alongside improved testing and implementing best practice). Hopefully this will act as a final safeguard. (NB: I've yet to see it working so I'm not sure how suitable it will be)

The issue I'm having is that sqlmap seems to be unable to connect to any machines from my PC (including loopback). We do have a proxy which requires authentication for connections leaving the local network, however since both my PC and the servers I'll be testing are on the same LAN, the proxy shouldn't be an issue (although I may need to play with it to make Auto-update work).

I've tried both the windows executable and (in case it was an issue with the EXE build) using python. I've included the EXE command and output below... In this case I'm using a Login form on my local PC with a SQL backend which I've left vulnerable to SQL injection to allow me to test sqlmap. When running under Python 3.0.1 it errored. When running under 2.6 I get the same output as below with a couple of warnings about the hash function being deprecated.

If it _is_ trying to use the proxy settings detected on my PC, it should find one that is ignored for addresses inside the LAN. If not, it would need to authenticate against the proxy using NTLM.

To confirm, I can browse to the URL in IE/FF and if I telnet directly to port 80 and send the correct headers, I get an HTTP 200 and the correct page contents back - so my machine is capable of connecting directly without a proxy.

I'm not sure what other information would be useful for debugging - please let me know.

Any help greatly appreciated.

Regards,
Simon

------------------------------------------------------------------------

C:\sqlmap>sqlmap -u "http://localhost:81/Logintest.asp?Login=1&Password=1" -v 2 --eta

    sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
                     and Daniele Bellucci <dan...@gm...>

[*] starting at: 13:48:15

[13:48:16] [INFO] testing connection to the target url
[13:48:31] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[13:48:47] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[13:49:03] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[13:49:19] [ERROR] unable to connect to the target url or proxy

[*] shutting down at: 13:49:19

Simon Orr
Senior Analyst/Programmer
Teleperformance
Office: +44 (0) 117 916 5000
DL: +44 (0) 117 916 8140
E-mail: Sim...@Te...
Web: www.Teleperformance.co.uk
From: jebe8668 <jeb...@gm...> - 2009-04-01 10:20:22

Hi all,

testing sqlmap-0.64 on an Ubuntu box, with:

apache 2 2.2.4-3ubuntu0.2
mysql 5.0.45-Debian_1ubuntu3.4-log
php5.2.3-1ubuntu6.5

exploitable php:

$query = "SELECT c2 FROM cms WHERE c1=".$_GET['id'];

I can do union inj by hand, but sqlmap returns:

GET parameter 'id' is unescaped numeric injectable with 0 parenthesis

but dies on error:

[ERROR] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented if you ask, just drop us an email

if I add option --dbms MySQL I get

[12:19:06] [INFO] testing MySQL
[12:19:06] [WARNING] the back-end DMBS is not MySQL
[12:19:06] [ERROR] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented if you ask, just drop us an email

what's going on?

Note that I have successfully used sqlmap against an oracle10 dbms with php5 in front...

cheers
From: Pragmatk <pra...@gm...> - 2009-03-26 11:40:27

Bernardo Damele A. G. wrote:
> Hi Alfonso,
>
> If the parameter where you are trying to inject is a string (e.g.
> url.com/page.php?parameter=value, value is a string) you basically can
> not on MySQL/PostgreSQL, but I found and documented on my blog

Depending on the charset of the schema, you can on some of the more exotic multi-byte charset ones. From my personal cheatsheet:

    big5   [A1-F9]
    sjis   [81-9F], [E0-FC]
    gbk    [81-FE]
    cp932  [81-9F], [E0-FC]
    ^-- vulnerable charsets for addslashes & others.
    ie big5: %a1%5c

> (bernardodamele.blogspot.com) a technique to do that on Oracle and
> MSSQL.

Interesting! Thank you for the link!

> There are a few techniques to do that by double-encoding or utf-7
> encoding the single quote, but they often do not do the trick.

Also interesting, I'll keep that in mind. Do you have any examples / links to posts about that?

> If the parameter is an integer so not between single quote you can
> bypass magic_quotes_gpc by casting to CHAR(), or similar dbms
> function, all the 'strings' in your injected SQL statement: sqlmap
> does it automatically.

I normally use hex notation as that takes up less bytes.
ie 0x4142434445 == 'ABCDE'

It also has the bonus that it's castable to int columns.

Joe "Pragmatk"
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-26 00:47:49
|
Hi Patrick,

for the moment sqlmap only supports testing for time delay with --time-test. Full support for the time-based blind SQL injection technique will come in the long run.

Cheers,
Bernardo

On Thu, Mar 5, 2009 at 04:39, Patrick Webster <pa...@au...> wrote:
> I can't remember if it has been implemented in sqlmap, but timedelay should
> work.
>
> -Patrick
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-26 00:41:18
|
Hi Alfonso,

Please, provide sqlmap with the --string option. Read the user's manual for details.

Cheers,
Bernardo

On Sun, Mar 8, 2009 at 17:02, alfonso caponi <alf...@gm...> wrote:
> Hi list,
>
> I'm using sqlmap with a website created ad-hoc (Apache/2.2.9 (Ubuntu)
> PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch, mysql Ver 14.12 Distrib 5.0.67,
> for debian-linux-gnu (i486) using readline 5.2).
>
> The simple and insecure php code:
>
> ...
> ...
> $query = "SELECT id from $db_table where username = '$username'";
> $result = mysql_query($query);
>
> while ($row = mysql_fetch_array($result)){
>     print "$row[0]<br>";
> }
> ...
> ...
>
> the MySQL table:
>
> mysql> show columns from tbl_test;
> +----------+-------------+------+-----+---------+----------------+
> | Field    | Type        | Null | Key | Default | Extra          |
> +----------+-------------+------+-----+---------+----------------+
> | id       | int(10)     | NO   | PRI | NULL    | auto_increment |
> | username | varchar(20) | NO   |     | NULL    |                |
> | password | varchar(20) | NO   |     | NULL    |                |
> +----------+-------------+------+-----+---------+----------------+
>
> get_magic_quotes_gpc = Off
>
> Now, I can do sql injection attack with ' or 1=1-'
>
> http://127.0.0.1/test/test_sql.php?username=username1%27%20or%201=1-%27
>
> but with sqlmap...
>
> ...
> ...
> [17:58:58] [WARNING] GET parameter 'username' is not injectable
>
> I've also tried with --prefix "'" --postfix "'OR 1=1--'" etc... but nothing.
>
> Any hints?
>
> Thank you,
> AL
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-26 00:39:22
|
Hi Alfonso,

If the parameter where you are trying to inject is a string (e.g. url.com/page.php?parameter=value, value is a string) you basically can not on MySQL/PostgreSQL, but I found and documented on my blog (bernardodamele.blogspot.com) a technique to do that on Oracle and MSSQL.

There are a few techniques to do that by double-encoding or utf-7 encoding the single quote, but they often do not do the trick.

If the parameter is an integer so not between single quote you can bypass magic_quotes_gpc by casting to CHAR(), or similar dbms function, all the 'strings' in your injected SQL statement: sqlmap does it automatically.

Cheers,
Bernardo

On Fri, Mar 6, 2009 at 11:15, alfonso caponi <alf...@gm...> wrote:
> Hi,
>
> I'm trying sqlmap against a website (Apache/2.2.8 (Ubuntu)
> PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g + mysql
> 14.12) vulnerable, written ad-hoc to test sql scanners. Sqlmap works very
> fine (with magic_quotes_gpc off), but I've a question: how can I use it (or
> other techniques) to bypass the magic_quotes_gpc check? I read on the Internet
> (slides, docs, http://www.securityfocus.com/bid/32673/info etc.) that
> magic_quotes is deprecated and not very safe... but I am not able to bypass
> it with encoded strings etc.
>
> Have you any hints or idea?
>
> Thank you very much for your time,
> AL
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F |
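An added example, not code from this thread or from sqlmap, that ties Joe's multi-byte charset cheatsheet above to the magic_quotes_gpc question in this message: byte-wise escaping in the style of PHP's addslashes() is applied to a value whose big5 lead byte absorbs the inserted backslash, and a decode-first, charset-aware escape is shown beside it as the contrast. The function names and the sample byte strings are constructed for the example; parameterised queries remain the actual fix.

```python
import re

# Byte-wise escaping in the style of PHP's addslashes()/magic_quotes_gpc:
# a backslash is put in front of ' " \ and NUL with no notion of charset.
def addslashes(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the backslash byte
        out.append(b)
    return bytes(out)

# Interpret the escaped bytes the way a DBMS using this schema/connection
# charset would, and report whether a bare (unescaped) quote is left over.
def quote_survives(escaped: bytes, charset: str) -> bool:
    text = escaped.decode(charset, errors="replace")
    return re.search(r"(?<!\\)'", text) is not None

# Charset-aware alternative (constructed for this example): decode to text
# first, which rejects a lead byte followed by a non-trail byte, escape at
# the character level, then re-encode. A prepared statement avoids all this.
def escape_as_text(data: bytes, charset: str) -> bytes:
    text = data.decode(charset)  # strict: raises UnicodeDecodeError on junk
    for raw, esc in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'), ("\x00", "\\0")):
        text = text.replace(raw, esc)
    return text.encode(charset)

# Constructed sample: a big5 lead byte (0xA1) directly followed by a quote.
SAMPLE = b"\xa1'"

def demo() -> dict:
    results = {
        # 0xA1 0x5C is one valid big5 character, so the quote is bare again
        "big5_addslashes_bypassed": quote_survives(addslashes(SAMPLE), "big5"),
        # in a single-byte charset every byte stays separate: still escaped
        "latin1_addslashes_bypassed": quote_survives(addslashes(SAMPLE), "latin-1"),
    }
    try:
        escape_as_text(SAMPLE, "big5")
        results["big5_text_escape_rejected"] = False
    except UnicodeDecodeError:
        results["big5_text_escape_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```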