sqlmap-users Mailing List for sqlmap (Page 141)
From: Pragmatk <pra...@gm...> - 2009-03-25 14:44:25

When you cancel a running attack against a host (and you have specified a session file), sqlmap will resume where it left off. Unfortunately it will miss the last character (the one it was in the process of reading). This has caused me quite some irritation due to an unstable wifi. I was using threads, so I was missing 10 characters each time I got kicked off the wifi. It would be awesome if someone could look over it and fix it.

Thanks in advance,
Joe
From: Michael O'B. <hac...@gm...> - 2009-03-19 19:46:48

[20:43:42] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li...urceforge .net. The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.5.4
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 78, in main
  File "lib\core\option.pyc", line 771, in init
  File "lib\parse\queriesfile.pyc", line 219, in queriesParser
  File "xml\sax\__init__.pyc", line 33, in parse
  File "xml\sax\expatreader.pyc", line 107, in parse
  File "xml\sax\xmlreader.pyc", line 119, in parse
  File "xml\sax\expatreader.pyc", line 111, in prepareParser
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf6' in position 37: ordinal not in range(128)

[*] shutting down at: 20:43:42

Were using sqlmap --url=http://www.site.com?click.php?id=12345
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-18 20:44:24

Hi,

I recently presented at three conferences; for those of you interested, the presentation slides are available online on my SlideShare page [1]. Some of the arguments discussed are SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, bypass of column numbers, SQL syntax detection, extensive back-end DBMS fingerprint, sqlmap key features and specific web application technologies IDS bypasses.

I look forward to feedback from you!

[1] http://www.slideshare.net/inquis

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: alfonso c. <alf...@gm...> - 2009-03-08 17:02:37

Hi list,

I'm using sqlmap with a website created ad hoc (Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch, mysql Ver 14.12 Distrib 5.0.67, for debian-linux-gnu (i486) using readline 5.2).

The simple and insecure php code:

...
...
$query = "SELECT id from $db_table where username = '$username'";
$result = mysql_query($query);
while ($row = mysql_fetch_array($result)){
    print "$row[0]<br>";
}
...
...

the MySQL table:

mysql> show columns from tbl_test;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(10)     | NO   | PRI | NULL    | auto_increment |
| username | varchar(20) | NO   |     | NULL    |                |
| password | varchar(20) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+

get_magic_quotes_gpc = Off

Now, I can do a SQL injection attack with ' or 1=1-'

http://127.0.0.1/test/test_sql.php?username=username1%27%20or%201=1-%27

but with sqlmap...

...
...
[17:58:58] [WARNING] GET parameter 'username' is not injectable

I've also tried with --prefix "'" --postfix "'OR 1=1--'" etc... but nothing.

Any hints?

Thank you,
AL
From: Konrads S. <ko...@sm...> - 2009-03-05 08:17:09

So, if you input valid data, then it shows a page and if not (expression evaluates to false) then blank? Sounds like a typical blind injection. I wonder if you can match a string against a header, so content-len:0 would work.

On 3/4/09, nein wanwan <nei...@gm...> wrote:
> Ahoy. Having a problem here, couldn't think of any other place to ask for help so here I am.
>
> A couple days ago I was using sqlmap to verify a potential injection I had found earlier and was able to do some of the different enumerations successfully (current-user, current-db, etc).
>
> Anyway, the developers of said application came back in a day and said all the problems on the site were fixed (mmhmmm). Turns out all they did was remove the custom error page and instead now return a completely blank page with a Content-Length of zero. There are obviously no strings to match since there is no content...
>
> Basically is there a way to do regex/str matching on the response headers? Drawing a blank... maybe there are some other options that would fulfill my needs that I'm not seeing?
>
> Thanks.
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Konrads Smelkovs
Applied IT sorcery.
From: Patrick W. <pa...@au...> - 2009-03-05 05:04:24

I can't remember if it has been implemented in sqlmap, but timedelay should work.

-Patrick
From: nein w. <nei...@gm...> - 2009-03-04 21:50:29

Ahoy. Having a problem here, couldn't think of any other place to ask for help so here I am.

A couple days ago I was using sqlmap to verify a potential injection I had found earlier and was able to do some of the different enumerations successfully (current-user, current-db, etc).

Anyway, the developers of said application came back in a day and said all the problems on the site were fixed (mmhmmm). Turns out all they did was remove the custom error page and instead now return a completely blank page with a Content-Length of zero. There are obviously no strings to match since there is no content...

Basically is there a way to do regex/str matching on the response headers? Drawing a blank... maybe there are some other options that would fulfill my needs that I'm not seeing?

Thanks.
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-03 09:24:05

Hi,

On Tue, Mar 3, 2009 at 05:58, Волк <v0l...@gm...> wrote:
> [04:03:08] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.4.1
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 81, in main
>     start()
>   File "/usr/share/.pizdec/sqlmap/lib/controller/controller.py", line 255, in start
>     action()
>   File "/usr/share/.pizdec/sqlmap/lib/controller/action.py", line 137, in action
>     conf.dbmsHandler.osShell()
>   File "/usr/share/.pizdec/sqlmap/plugins/dbms/mysql.py", line 448, in osShell
>     page, _ = Request.getPage(url=uploaderUrl, direct=True)
>   File "/usr/share/.pizdec/sqlmap/lib/request/connect.py", line 128, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.4/urllib2.py", line 130, in urlopen
>     return _opener.open(url, data)
>   File "/usr/lib/python2.4/urllib2.py", line 358, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.4/urllib2.py", line 376, in _open
>     '_open', req)
>   File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.4/urllib2.py", line 1021, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.4/urllib2.py", line 980, in do_open
>     h = http_class(host) # will parse host:port
>   File "/usr/lib/python2.4/httplib.py", line 582, in __init__
>     self._set_hostport(host, port)
>   File "/usr/lib/python2.4/httplib.py", line 594, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: '80themes'

It seems that you have a typo in your -u argument ('url' option if you're using the configuration file option -c). Maybe you accidentally typed the url like 'www.yoursite.tld:80theses..' without the slash.

Otherwise, if you can confirm that this is not the case, maybe there is an issue in the web backdoor upload functionality that I missed when I tested on Python 2.5 and Python 2.6. Could you please give it a try with a more recent Python version and let me know if the issue persists?

Thanks in advance.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: Волк <v0l...@gm...> - 2009-03-03 03:05:15

[04:03:08] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.4.1
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/usr/share/.pizdec/sqlmap/lib/controller/controller.py", line 255, in start
    action()
  File "/usr/share/.pizdec/sqlmap/lib/controller/action.py", line 137, in action
    conf.dbmsHandler.osShell()
  File "/usr/share/.pizdec/sqlmap/plugins/dbms/mysql.py", line 448, in osShell
    page, _ = Request.getPage(url=uploaderUrl, direct=True)
  File "/usr/share/.pizdec/sqlmap/lib/request/connect.py", line 128, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.4/urllib2.py", line 130, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.4/urllib2.py", line 1021, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.4/urllib2.py", line 980, in do_open
    h = http_class(host) # will parse host:port
  File "/usr/lib/python2.4/httplib.py", line 582, in __init__
    self._set_hostport(host, port)
  File "/usr/lib/python2.4/httplib.py", line 594, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: '80themes'

[*] shutting down at: 04:03:08
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-25 20:11:49

Hi,

On Mon, Feb 23, 2009 at 00:48, RoMeO <rom...@gm...> wrote:
> ...
>   File "/usr/share/sqlmap/plugins/generic/enumeration.py", line 1043, in dumpAll
>     self.cachedTables = self.getTables()
>   File "/usr/share/sqlmap/plugins/dbms/mssqlserver.py", line 279, in getTables
>     for index in range(int(count)):
> ValueError: invalid literal for int():

Exception handled and committed to the svn repository. Thanks for reporting.

Cheers,
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-24 12:38:27

Hi Uran,

It looks to me that you have some non-UTF-8 compliant character in your file system path name, or you accidentally modified some of the files with a binary char.

Cheers,
Bernardo

On Fri, Feb 13, 2009 at 11:56, Uran Thaçi <ura...@ku...> wrote:
> Hello,
>
> I'm contacting you because, regarding the application, you are the founder, and I wanted to notify you about an error I just received.
>
> While executing sqlmap.exe -u sometarget, it gives the following error:
>
> sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
> and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 12:53:32
>
> [12:53:32] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li...urceforge .net. The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.5.4
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 78, in main
>   File "lib\core\option.pyc", line 771, in init
>   File "lib\parse\queriesfile.pyc", line 219, in queriesParser
>   File "xml\sax\__init__.pyc", line 33, in parse
>   File "xml\sax\expatreader.pyc", line 107, in parse
>   File "xml\sax\xmlreader.pyc", line 119, in parse
>   File "xml\sax\expatreader.pyc", line 111, in prepareParser
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 28: ordinal not in range(128)
>
> [*] shutting down at: 12:53:32
>
> Uran Thaqi, NOC
> Network System Administrator
>
> Kujtesa Internet Services
> Tel: +381 (0)38 542 170; 542 171;
> Fax: +381 (0)38 549 761
> www.kujtesa.com
> e-mail: ura...@ku...

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-23 09:25:54

Hi Roman,

"power users" as you said know the importance of reading the manual too before complaining: all of the parameters in the 'Injection' paragraph allow the user to specify exactly how to deal with the target. In your example, as I wrote already, you can use:

    --prefix=PREFIX     Injection payload prefix string
    --postfix=POSTFIX   Injection payload postfix string

If you think that this still does not work, which could happen, then constructive feedback and bug reports are more than welcome, but still the effort has also been put in the "forcing the user to understand how and why it works" direction.

Cheers,
Bernardo

On Thu, Feb 19, 2009 at 13:53, Roman Medina-Heigl Hernandez <ro...@rs...> wrote:
> I noted a similar problem, as described in:
> http://sourceforge.net/mailarchive/message.php?msg_name=49789446.2000802%40rs-labs.com
>
> In fact, many tools suffer from it. I don't know why people try to enhance a tool, adding more complex tasks, trying to build a "for-dummies" tool (with auto-* features) while basic needs are not covered in the first place. A tool should be basic but flexible at the first development stage, allowing the user to manually define all needed parameters, forcing the user to understand how and why it works (let's remember that hackers and pen-testers are not "normal" users but some kind of power users...).
>
> Cheers,
> -r
>
> Stiefenhofer, Marek wrote:
>> Dear all,
>>
>> I was working with sqlmap during the last 6 months in several penetration test projects. It's a really powerful tool and saved me sometimes a lot of hard work in exploiting SQL injection problems found in a large variety of web apps.
>>
>> Although I'm really excited about the features of sqlmap I consistently notice some limitations that might be easily worked around and would make a great improvement of the tool's value.
>>
>> In some cases I'm not sure if I just misunderstood something and the problems can already be worked around with correct usage of the tool. So here comes a summary of my problems and suggestions. Feel free to comment or point me to possible solutions.
>>
>> 1.) Dynamic parameter test
>>
>> I do understand that this test is needed to distinguish between potential injectable parameters and non-injectable ones. But when I tell the injectable parameter with -p this test should be omitted. There're lots of vulnerable apps where parameters that are injectable can't be confirmed with the current "dynamic tests".
>>
>> 2.) The dogma of the three different state results: non-injected, true-injected, false-injected
>>
>> The tool assumes that these three states result in different pages. That's not the case for many apps, i.e. most login-forms. Consider the following example PHP code, without error output to the client:
>>
>> $sql = "SELECT * FROM accounts WHERE username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";
>> $result = DB_query($dbconn, $sql) or die( 'Could not execute sql query' );
>> if ($data = DB_fetch_array($result)) {
>>     echo "Welcome you're logged in";
>> }
>> else {
>>     echo "Login failed";
>> }
>>
>> I know this one does not need blind sql injection. There are lots of other ways to misuse it, but it's just an example that I need to use for demonstrating some blind SQL injection issues. Let's see: To my knowledge you can't exploit the above example easily with sqlmap, because non-injected pages (with wrong login data) and false injected pages produce the same result. Even --string won't help here (anyway a more flexible way to tell the tool how to distinguish between the three states would be great).
>>
>> Furthermore you need to guess a correct username to make any use of sqlmap, because you need to prefix the above statement with:
>>
>> existingusername'
>>
>> ...and an according postfix. This leads to the next problem:
>>
>> 3.) all statements are constructed with AND
>>
>> If sqlmap would also deal with OR statements, the above injection could be found (and hopefully exploited) without constructing correct prefix and suffix, example:
>>
>> True injection: username=' OR '1'='1
>> False injection: username=' OR '1'='0
>>
>> I'm not sure about this last point, but I've found lots of examples in the real world, where AND statements won't work at all. Does it make sense to include OR statements in the injection checker or am I just misunderstanding something?
>>
>> Again - I really appreciate the work that led to this tool. I'm looking forward to any comment/clarification/or acknowledgement from any user or developer.
>>
>> --Marek

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: RoMeO <rom...@gm...> - 2009-02-23 00:48:14

[19:46:40] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.4.3
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 81, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 255, in start
    action()
  File "/usr/share/sqlmap/lib/controller/action.py", line 120, in action
    conf.dbmsHandler.dumpAll()
  File "/usr/share/sqlmap/plugins/generic/enumeration.py", line 1043, in dumpAll
    self.cachedTables = self.getTables()
  File "/usr/share/sqlmap/plugins/dbms/mssqlserver.py", line 279, in getTables
    for index in range(int(count)):
ValueError: invalid literal for int():
From: Roman Medina-H. H. <ro...@rs...> - 2009-02-19 13:53:58

I noted a similar problem, as described in:
http://sourceforge.net/mailarchive/message.php?msg_name=49789446.2000802%40rs-labs.com

In fact, many tools suffer from it. I don't know why people try to enhance a tool, adding more complex tasks, trying to build a "for-dummies" tool (with auto-* features) while basic needs are not covered in the first place. A tool should be basic but flexible at the first development stage, allowing the user to manually define all needed parameters, forcing the user to understand how and why it works (let's remember that hackers and pen-testers are not "normal" users but some kind of power users...).

Cheers,
-r

Stiefenhofer, Marek wrote:
> Dear all,
>
> I was working with sqlmap during the last 6 months in several penetration test projects. It's a really powerful tool and saved me sometimes a lot of hard work in exploiting SQL injection problems found in a large variety of web apps.
>
> Although I'm really excited about the features of sqlmap I consistently notice some limitations that might be easily worked around and would make a great improvement of the tool's value.
>
> In some cases I'm not sure if I just misunderstood something and the problems can already be worked around with correct usage of the tool. So here comes a summary of my problems and suggestions. Feel free to comment or point me to possible solutions.
>
> 1.) Dynamic parameter test
>
> I do understand that this test is needed to distinguish between potential injectable parameters and non-injectable ones. But when I tell the injectable parameter with -p this test should be omitted. There're lots of vulnerable apps where parameters that are injectable can't be confirmed with the current "dynamic tests".
>
> 2.) The dogma of the three different state results: non-injected, true-injected, false-injected
>
> The tool assumes that these three states result in different pages. That's not the case for many apps, i.e. most login-forms. Consider the following example PHP code, without error output to the client:
>
> $sql = "SELECT * FROM accounts WHERE username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";
> $result = DB_query($dbconn, $sql) or die( 'Could not execute sql query' );
> if ($data = DB_fetch_array($result)) {
>     echo "Welcome you're logged in";
> }
> else {
>     echo "Login failed";
> }
>
> I know this one does not need blind sql injection. There are lots of other ways to misuse it, but it's just an example that I need to use for demonstrating some blind SQL injection issues. Let's see: To my knowledge you can't exploit the above example easily with sqlmap, because non-injected pages (with wrong login data) and false injected pages produce the same result. Even --string won't help here (anyway a more flexible way to tell the tool how to distinguish between the three states would be great).
>
> Furthermore you need to guess a correct username to make any use of sqlmap, because you need to prefix the above statement with:
>
> existingusername'
>
> ...and an according postfix. This leads to the next problem:
>
> 3.) all statements are constructed with AND
>
> If sqlmap would also deal with OR statements, the above injection could be found (and hopefully exploited) without constructing correct prefix and suffix, example:
>
> True injection: username=' OR '1'='1
> False injection: username=' OR '1'='0
>
> I'm not sure about this last point, but I've found lots of examples in the real world, where AND statements won't work at all. Does it make sense to include OR statements in the injection checker or am I just misunderstanding something?
>
> Again - I really appreciate the work that led to this tool. I'm looking forward to any comment/clarification/or acknowledgement from any user or developer.
>
> --Marek
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-19 10:49:34

For the ones interested in this thread, my reply is on the sqlmap-devel mailing list.

On Thu, Feb 19, 2009 at 09:42, Stiefenhofer, Marek <M.S...@r-...> wrote:
> Dear all,
>
> I was working with sqlmap during the last 6 months in several penetration test projects. It's a really powerful tool and saved me sometimes a lot of hard work in exploiting SQL injection problems found in a large variety of web apps.
>
> Although I'm really excited about the features of sqlmap I consistently notice some limitations that might be easily worked around and would make a great improvement of the tool's value.
>
> In some cases I'm not sure if I just misunderstood something and the problems can already be worked around with correct usage of the tool. So here comes a summary of my problems and suggestions. Feel free to comment or point me to possible solutions.
>
> 1.) Dynamic parameter test
>
> I do understand that this test is needed to distinguish between potential injectable parameters and non-injectable ones. But when I tell the injectable parameter with -p this test should be omitted. There're lots of vulnerable apps where parameters that are injectable can't be confirmed with the current "dynamic tests".
>
> 2.) The dogma of the three different state results: non-injected, true-injected, false-injected
>
> The tool assumes that these three states result in different pages. That's not the case for many apps, i.e. most login-forms. Consider the following example PHP code, without error output to the client:
>
> $sql = "SELECT * FROM accounts WHERE username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";
> $result = DB_query($dbconn, $sql) or die( 'Could not execute sql query' );
> if ($data = DB_fetch_array($result)) {
>     echo "Welcome you're logged in";
> }
> else {
>     echo "Login failed";
> }
>
> I know this one does not need blind sql injection. There are lots of other ways to misuse it, but it's just an example that I need to use for demonstrating some blind SQL injection issues. Let's see: To my knowledge you can't exploit the above example easily with sqlmap, because non-injected pages (with wrong login data) and false injected pages produce the same result. Even --string won't help here (anyway a more flexible way to tell the tool how to distinguish between the three states would be great).
>
> Furthermore you need to guess a correct username to make any use of sqlmap, because you need to prefix the above statement with:
>
> existingusername'
>
> ...and an according postfix. This leads to the next problem:
>
> 3.) all statements are constructed with AND
>
> If sqlmap would also deal with OR statements, the above injection could be found (and hopefully exploited) without constructing correct prefix and suffix, example:
>
> True injection: username=' OR '1'='1
> False injection: username=' OR '1'='0
>
> I'm not sure about this last point, but I've found lots of examples in the real world, where AND statements won't work at all. Does it make sense to include OR statements in the injection checker or am I just misunderstanding something?
>
> Again - I really appreciate the work that led to this tool. I'm looking forward to any comment/clarification/or acknowledgement from any user or developer.
>
> --Marek

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
From: Stiefenhofer, M. <M.S...@r-...> - 2009-02-19 10:11:56

Dear all,

I was working with sqlmap during the last 6 months in several penetration test projects. It's a really powerful tool and saved me sometimes a lot of hard work in exploiting SQL injection problems found in a large variety of web apps.

Although I'm really excited about the features of sqlmap I consistently notice some limitations that might be easily worked around and would make a great improvement of the tool's value.

In some cases I'm not sure if I just misunderstood something and the problems can already be worked around with correct usage of the tool. So here comes a summary of my problems and suggestions. Feel free to comment or point me to possible solutions.

1.) Dynamic parameter test

I do understand that this test is needed to distinguish between potential injectable parameters and non-injectable ones. But when I tell the injectable parameter with -p this test should be omitted. There're lots of vulnerable apps where parameters that are injectable can't be confirmed with the current "dynamic tests".

2.) The dogma of the three different state results: non-injected, true-injected, false-injected

The tool assumes that these three states result in different pages. That's not the case for many apps, i.e. most login-forms. Consider the following example PHP code, without error output to the client:

$sql = "SELECT * FROM accounts WHERE username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";
$result = DB_query($dbconn, $sql) or die( 'Could not execute sql query' );
if ($data = DB_fetch_array($result)) {
    echo "Welcome you're logged in";
}
else {
    echo "Login failed";
}

I know this one does not need blind sql injection. There are lots of other ways to misuse it, but it's just an example that I need to use for demonstrating some blind SQL injection issues. Let's see: To my knowledge you can't exploit the above example easily with sqlmap, because non-injected pages (with wrong login data) and false injected pages produce the same result. Even --string won't help here (anyway a more flexible way to tell the tool how to distinguish between the three states would be great).

Furthermore you need to guess a correct username to make any use of sqlmap, because you need to prefix the above statement with:

existingusername'

...and an according postfix. This leads to the next problem:

3.) all statements are constructed with AND

If sqlmap would also deal with OR statements, the above injection could be found (and hopefully exploited) without constructing correct prefix and suffix, example:

True injection: username=' OR '1'='1
False injection: username=' OR '1'='0

I'm not sure about this last point, but I've found lots of examples in the real world, where AND statements won't work at all. Does it make sense to include OR statements in the injection checker or am I just misunderstanding something?

Again - I really appreciate the work that led to this tool. I'm looking forward to any comment/clarification/or acknowledgement from any user or developer.

--Marek
From: Uran T. <ura...@ku...> - 2009-02-13 13:32:31
|
Hello,

I'm contacting you because, according to the application, you are the founder, and I wanted to notify you about an error I just received. While executing sqlmap.exe -u sometarget, it gives the following error:

sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
                  and Daniele Bellucci <dan...@gm...>

[*] starting at: 12:53:32

[12:53:32] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li...urceforge .net. The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.5.4
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 78, in main
  File "lib\core\option.pyc", line 771, in init
  File "lib\parse\queriesfile.pyc", line 219, in queriesParser
  File "xml\sax\__init__.pyc", line 33, in parse
  File "xml\sax\expatreader.pyc", line 107, in parse
  File "xml\sax\xmlreader.pyc", line 119, in parse
  File "xml\sax\expatreader.pyc", line 111, in prepareParser
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 28: ordinal not in range(128)

[*] shutting down at: 12:53:32

Uran Thaqi, NOC Network System Administrator
Kujtesa Internet Services
Tel: +381 (0)38 542 170; 542 171; Fax: +381 (0)38 549 761
www.kujtesa.com
e-mail: ura...@ku... |
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-11 14:46:23
|
Hi Rick,

sqlmap has full support for:

* Boolean based blind SQL injection, also called inferential blind SQL injection
* UNION query SQL injection, also called inband SQL injection, either full or single entry (partial)
* Stacked query SQL injection

It does not support time based blind SQL injection yet, I will work on it in the long run.

Regards,
Bernardo

On Wed, Feb 11, 2009 at 14:41, Rick Tortorella <rt...@gm...> wrote:
> I read the docs and they state that sqlmap can perform blind sqli. But, it
> can't. I've tested this using an application that is only susceptible to time
> based blind sqli (which, in point of fact, is the only type of blind IMO...
> if you get varying responses back from the server that's not really blind,
> it's more of a limited error response or better yet, varied response sqli).
> sqlmap cannot initialize when used against an application that only has time
> based blind sqli. Are there any plans to update sqlmap to work against these
> types of applications?

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F |
From: Delledera, A. (aad4a) <aa...@es...> - 2009-02-05 17:13:26
|
sqlmap version: 0.6.4
Python version: 2.5.1
Operating system: win32
Traceback (most recent call last):
  File "C:\Documents and Settings\aad4a\My Documents\Unzipped\sqlmap-0.6.4\sqlmap-0.6.4\sqlmap.py", line 81, in main
    start()
  File "C:\Documents and Settings\aad4a\My Documents\Unzipped\sqlmap-0.6.4\sqlmap-0.6.4\lib\controller\controller.py", line 189, in start
    if not checkDynParam(place, parameter, value):
  File "C:\Documents and Settings\aad4a\My Documents\Unzipped\sqlmap-0.6.4\sqlmap-0.6.4\lib\controller\checks.py", line 263, in checkDynParam
    dynResult1 = Request.queryPage(payload, place)
  File "C:\Documents and Settings\aad4a\My Documents\Unzipped\sqlmap-0.6.4\sqlmap-0.6.4\lib\request\connect.py", line 273, in queryPage
    return comparison(page, headers, getSeqMatcher)
  File "C:\Documents and Settings\aad4a\My Documents\Unzipped\sqlmap-0.6.4\sqlmap-0.6.4\lib\request\comparison.py", line 77, in comparison
    elif round(conf.seqMatcher.ratio(), 3) >= MATCH_RATIO:
  File "C:\Python25\lib\difflib.py", line 656, in ratio
    self.get_matching_blocks(), 0)
  File "C:\Python25\lib\difflib.py", line 478, in get_matching_blocks
    la, lb = len(self.a), len(self.b)
TypeError: object of type 'NoneType' has no len()

[*] shutting down at: 11:52:41

-- 
al |
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-04 17:01:43
|
Hi,

I am glad to release sqlmap version 0.6.4. Thanks to all of you who contributed with really appreciated and useful feedback.

Changes
=======

Some of the new features include:

* Major enhancement to make the comparison algorithm work properly, automatically, also on URLs that are not stable, by using the difflib Sequence Matcher object.
* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc. from the user in SQL query and SQL shell if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.4-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4_exe.zip

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/

Happy hacking!

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F |
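The page comparison that the 0.6.4 changelog describes (a difflib SequenceMatcher ratio checked against a match threshold), written as an added example that is not sqlmap's own code: it refuses a None page instead of crashing the way the "object of type 'NoneType' has no len()" traceback on this page does, and it reports which of the three states Marek lists (non-injected, true-injected, false-injected) actually differ, including the login-form case where the untouched page already equals the false-injected one. The MATCH_RATIO value, the function names and the sample responses are constructed assumptions, not values taken from sqlmap.

```python
import difflib

# Constructed threshold standing in for sqlmap's MATCH_RATIO (the real
# constant is not quoted on this page): two bodies whose similarity ratio
# rounds to at least this value count as the same page.
MATCH_RATIO = 0.98

def same_page(page_a, page_b, ratio=MATCH_RATIO):
    """True when two response bodies are similar enough to be one state.

    A failed request yields None; refusing it here, instead of handing it
    to SequenceMatcher, avoids the "'NoneType' has no len()" crash.
    """
    if page_a is None or page_b is None:
        return False
    matcher = difflib.SequenceMatcher(None, page_a, page_b)
    return round(matcher.ratio(), 3) >= ratio

def classify_oracle(original, true_page, false_page):
    """Report how the non-injected, true-injected and false-injected
    responses relate, i.e. whether a boolean oracle exists and which kind.

    "and-style": true-injected matches the untouched page, false differs
                 (the pattern an AND-based check expects).
    "or-style":  the untouched page already matches the false-injected
                 one and only true-injected differs (the login-form case).
    "none":      all three look alike, so inference cannot work.
    "unstable":  both injected pages differ from the untouched one, so
                 the untouched page gives no baseline (dynamic content).
    """
    true_same = same_page(original, true_page)
    false_same = same_page(original, false_page)
    if true_same and not false_same:
        return "and-style"
    if false_same and not true_same:
        return "or-style"
    if true_same and false_same:
        return "none"
    return "unstable"

# Constructed responses for the PHP login example quoted on this page.
LOGIN_FAILED = "<html><body>Login failed</body></html>"
LOGGED_IN = "<html><body>Welcome you're logged in</body></html>"

if __name__ == "__main__":
    # Wrong credentials and a false injection both say "Login failed";
    # only a true injection differs, so the oracle is OR-style.
    print(classify_oracle(LOGIN_FAILED, LOGGED_IN, LOGIN_FAILED))
```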
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-02 23:45:47
|
Hi Konrads,

On Mon, Feb 2, 2009 at 19:38, Konrads Smelkovs <ko...@sm...> wrote:
> sql> select TOP 3 distinct oooo from XXXXXX WHERE aaa <123456
> ...

Fixed and committed on svn repository. Thanks for reporting this bug.

Regards,

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F |
From: Konrads S. <ko...@sm...> - 2009-02-02 19:38:17
|
sql> select TOP 3 distinct oooo from XXXXXX WHERE aaa <123456
[21:35:52] [INFO] fetching SQL SELECT statement query output: 'select TOP 3 distinct abspin from client_acc WHERE abspin<009532'
[21:35:52] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[21:35:53] [INFO] query: SELECT TOP 3 ISNULL(CAST(COUNT(distinct ffff) AS VARCHAR(8000)), CHAR(32)) FROM dfd_sdf WHERE ggggg <009532
[21:35:53] [INFO] retrieved: 14
[21:36:01] [INFO] performed 20 queries in 7 seconds
[21:36:01] [INPUT] the SQL query provided can return up to 14 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice:
[21:36:12] [ERROR] unhandled exception in sqlmap/0.6.4-rc5, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4-rc5
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/home/konrads/sqlmap/lib/controller/controller.py", line 255, in start
    action()
  File "/home/konrads/sqlmap/lib/controller/action.py", line 126, in action
    conf.dbmsHandler.sqlShell()
  File "/home/konrads/sqlmap/plugins/generic/enumeration.py", line 1134, in sqlShell
    output = self.sqlQuery(query)
  File "/home/konrads/sqlmap/plugins/generic/enumeration.py", line 1078, in sqlQuery
    output = inject.getValue(query, fromUser=True)
  File "/home/konrads/sqlmap/lib/request/inject.py", line 358, in getValue
    value = __goInferenceProxy(expression, fromUser, expected)
  File "/home/konrads/sqlmap/lib/request/inject.py", line 283, in __goInferenceProxy
    output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num)
  File "/home/konrads/sqlmap/lib/request/inject.py", line 85, in __goInferenceFields
    expression = agent.limitQuery(num, expression, field)
  File "/home/konrads/sqlmap/lib/core/agent.py", line 486, in limitQuery
    topNums = re.search("TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
AttributeError: 'NoneType' object has no attribute 'groups'

-- 
Konrads Smelkovs
Applied IT sorcery. |
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-02 10:33:16
|
Hi Ignacio,

On Mon, Feb 2, 2009 at 03:46, Ignacio Hernández <nac...@gm...> wrote:
> cmd-line: ./sqlmap.py --update
>
> sqlmap version: 0.6.4-rc5
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
>   File "./sqlmap.py", line 78, in main
>     init(cmdLineOptions)
>   File "/home/nacho/sqlmap/lib/core/option.py", line 770, in init
>     update()
>   File "/home/nacho/sqlmap/lib/core/update.py", line 339, in update
>     __updateSqlmap()
>   File "/home/nacho/sqlmap/lib/core/update.py", line 230, in __updateSqlmap
>     sqlmapNewestVersion, _ = Request.getPage(url=SQLMAP_VERSION_URL, direct=True)
>   File "/home/nacho/sqlmap/lib/request/connect.py", line 210, in getPage
>     return Connect.__getPageProxy(get=get, post=post, cookie=cookie, ua=ua, direct=direct, multipart=multipart)
>   File "/home/nacho/sqlmap/lib/request/connect.py", line 55, in __getPageProxy
>     return Connect.getPage(**kwargs)
>   File "/home/nacho/sqlmap/lib/request/connect.py", line 68, in getPage
>     url = kwargs.get('url', conf.url).replace(" ", "%20")
> AttributeError: 'NoneType' object has no attribute 'replace'

It looks like you modified the lib/core/settings.py file. Try to run an svn update on your sqlmap working copy. However, since you're running the development version from the svn repository, it makes no sense to update it with the --update option, since it updates from the sourceforge file list and is, as a matter of fact, a downgrade to the stable release 0.6.3.

> Hi Bernardo,
> I was using sqlmap and suddenly it stopped working. I tried to update it and
> I got this error. When I try to scan an url it shows this message almost
> immediately without waiting for the timeout (about this, in rc5 you say it has
> been increased to 30 seconds but in my case it is still 15 seconds by
> default)
> ...

I double-checked and the timeout is set to 30 seconds by default; anyway you can overwrite it with the --timeout option.

Cheers,

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F |
From: Ignacio H. <nac...@gm...> - 2009-02-02 03:46:34
|
cmd-line: ./sqlmap.py --update

sqlmap version: 0.6.4-rc5
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 78, in main
    init(cmdLineOptions)
  File "/home/nacho/sqlmap/lib/core/option.py", line 770, in init
    update()
  File "/home/nacho/sqlmap/lib/core/update.py", line 339, in update
    __updateSqlmap()
  File "/home/nacho/sqlmap/lib/core/update.py", line 230, in __updateSqlmap
    sqlmapNewestVersion, _ = Request.getPage(url=SQLMAP_VERSION_URL, direct=True)
  File "/home/nacho/sqlmap/lib/request/connect.py", line 210, in getPage
    return Connect.__getPageProxy(get=get, post=post, cookie=cookie, ua=ua, direct=direct, multipart=multipart)
  File "/home/nacho/sqlmap/lib/request/connect.py", line 55, in __getPageProxy
    return Connect.getPage(**kwargs)
  File "/home/nacho/sqlmap/lib/request/connect.py", line 68, in getPage
    url = kwargs.get('url', conf.url).replace(" ", "%20")
AttributeError: 'NoneType' object has no attribute 'replace'

Hi Bernardo,
I was using sqlmap and suddenly it stopped working. I tried to update it and I got this error. When I try to scan an url it shows this message almost immediately without waiting for the timeout (about this, in rc5 you say it has been increased to 30 seconds but in my case it is still 15 seconds by default):

[04:30:43] [INFO] testing connection to the target url
[04:30:43] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[04:30:44] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[04:30:45] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[04:30:46] [ERROR] unable to connect to the target url or proxy

Internet works ok so that's not the problem.

Regards!,
Nacho. |
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-01 10:17:29
|
Hi Joe,

Joe wrote:
> Bernardo Damele A. G. wrote:
>> Did you check manually for the UNION query SQL injection using only NULL
>> chars or did you really confirm it by injecting a string or number in
>> one/some of the NULLs?
> Yup. But again, the app only uses the first returned row. I did both
> and 2=1 union all select null,null,null,etc
> and
> and 2=1 union all select 1,2,3,etc
> And both worked fine.

Support for partial UNION query SQL injection has been added already in sqlmap 0.6.3, but not exactly in this way. I will implement also this way to exploit partial UNION. Thanks for the idea.

> I will. This user manual ... is it in the svn?

Yes, in all versions, it's the doc/README.pdf file, but you can read it also online from the homepage link.

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F |