sqlmap-users Mailing List for sqlmap (Page 142)
Brought to you by: inquisb
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-01 10:02:20

Hi Joe,

Joe wrote:
> I'm having problems with sqlmap. I've confirmed the bug manually with
> union all select, but sqlmap is still reporting it as a blind hole.

Did you check manually for the UNION query SQL injection using only NULL chars, or did you really confirm it by injecting a string or number in one/some of the NULLs?

> Additionally: I get this message:
> ...
> File "lib\techniques\blind\inference.pyc", line 233, in bisection
> File "lib\techniques\blind\inference.pyc", line 102, in getChar

Try with the latest development release from the subversion repository and let us know. By the way, in this latest release you can also choose the technique to detect the UNION injection, with option --union-tech; please refer to the updated user's manual for details.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Joe <jo...@sh...> - 2009-01-31 17:08:32

I'm having problems with sqlmap. I've confirmed the bug manually with union all select, but sqlmap is still reporting it as a blind hole.

Additionally: I get this message:

[17:39:46] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table 'roller_fantasy' columns
[17:39:46] [INFO] fetching current database
[17:39:46] [INFO] query: UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CONCAT(CHAR(79,114,82,88,78,80),IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32)),CHAR(117,108,90,77,81,80)), NULL, NULL# %23
[17:39:46] [WARNING] for some reasons it was not possible to retrieve the query output through inband SQL injection technique, sqlmap is going blind
[17:39:46] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
[17:39:46] [INFO] retrieved:
[17:39:46] [ERROR] unhandled exception in sqlmap/0.6.3, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.3
Python version: 2.5.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 81, in main
  File "lib\controller\controller.pyc", line 267, in start
  File "lib\controller\action.pyc", line 111, in action
  File "plugins\generic\enumeration.pyc", line 734, in getColumns
  File "plugins\generic\enumeration.pyc", line 114, in getCurrentDb
  File "lib\request\inject.pyc", line 329, in getValue
  File "lib\request\inject.pyc", line 265, in __goInferenceProxy
  File "lib\request\inject.pyc", line 88, in __goInferenceFields
  File "lib\request\inject.pyc", line 60, in __goInference
  File "lib\techniques\blind\inference.pyc", line 233, in bisection
  File "lib\techniques\blind\inference.pyc", line 102, in getChar
ValueError: incomplete format

[*] shutting down at: 17:39:46

I hope it helps.

-Joe
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-31 00:07:50

Hi Roman,

Roman Medina-Heigl Hernandez wrote:
> ...
> The page in question is a user/password form, sent via POST method, where
> only the user parameter (called "txtUsuario") is injectable. I manually
> checked it and:
> - if an arbitrary user is entered, I get a 200 response with "Incorrect
> user" message.
> - if I enter a "'" char, I get a 500 response and an error message from the
> database :)
> - if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get
> a 200 response, this time with "Incorrect password" (so user test is
> passed!!!).

The comparison and dynamicity test is done based on page content, not on response codes. However, it has been strongly improved for the next release.

> Former tests show that it is clearly vulnerable to (blind) sql injection,
> but I didn't get it to exploit with sqlmap....
> ...

Use the latest version available from the sqlmap subversion repository, or wait until I release it as stable in a few days.

> ...
> I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=9378&txtPwd=a&Submit=aceptar
>
> I guess the first requests are tests for stability (that's ok), and the
> last one is for "dynamic"-test. Since both "a" and "9378" values return the
> same response (code 200, with string "Incorrect user"), it believes the
> parameter is not dynamic (I guess). But this logic is nonsense: why is
> sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to
> disable this "dynamic test"?

Try to call sqlmap providing as txtUsuario a valid username rather than 'a'. By the way, sqlmap does not yet implement automatic login bypasses, but you can do that manually using the latest development version by combining options --prefix and --postfix. I went through this topic already on this mailing list; check the online archives.

Regards,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-31 00:00:47

Hi Konrads,

Konrads Smelkovs wrote:
> ...
> And so it goes on, without retrieving anything. --tables switch fails
> equally.
>
> However, doing a simple select name from sysobjects works.
> ...

Fixed and committed on svn. Thanks for reporting.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-29 11:16:14

Hi George,

On Thu, Jan 29, 2009 at 11:03, George Gray <squ...@go...> wrote:
> ...
> File "/usr/share/sqlmap/lib/techniques/blind/inference.py", line 102, in getChar
> forgedPayload = payload % (expressionUnescaped, idx, limit)
> TypeError: not enough arguments for format string

This should be already fixed in sqlmap version 0.6.4-rcX that you can get from sqlmap subversion repository.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: George G. <squ...@go...> - 2009-01-29 11:03:14

[11:00:15] [INFO] testing for parenthesis on injectable parameter
[11:00:20] [INFO] the injectable parameter requires 0 parenthesis
[11:00:20] [INFO] testing MySQL
[11:00:20] [INFO] query: CONCAT(CHAR(57), CHAR(57))
[11:00:20] [INFO] retrieved:
[11:00:20] [ERROR] unhandled exception in sqlmap/0.6.3, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.3
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 81, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 267, in start
    action()
  File "/usr/share/sqlmap/lib/controller/action.py", line 49, in action
    conf.dbmsHandler = setHandler()
  File "/usr/share/sqlmap/lib/controller/handler.py", line 65, in setHandler
    if dbmsHandler.checkDbms():
  File "/usr/share/sqlmap/plugins/dbms/mysql.py", line 254, in checkDbms
    if inject.getValue(query) == (randInt * 2):
  File "/usr/share/sqlmap/lib/request/inject.py", line 329, in getValue
    value = __goInferenceProxy(expression, fromUser, expected)
  File "/usr/share/sqlmap/lib/request/inject.py", line 270, in __goInferenceProxy
    returnValue = __goInference(payload, expression)
  File "/usr/share/sqlmap/lib/request/inject.py", line 60, in __goInference
    count, value = bisection(payload, expression, length=length)
  File "/usr/share/sqlmap/lib/techniques/blind/inference.py", line 233, in bisection
    val = getChar(index)
  File "/usr/share/sqlmap/lib/techniques/blind/inference.py", line 102, in getChar
    forgedPayload = payload % (expressionUnescaped, idx, limit)
TypeError: not enough arguments for format string

[*] shutting down at: 11:00:20

--
A man goes to the doctor. Says he's depressed. He says life seems harsh and cruel. Says he feels all alone in a threatening world where what lies ahead is vague and uncertain. The doctor says "The treatment is simple. The great clown Pagliacci is in town tonight. Go and see him, that should pick you up." The man bursts into tears. He says "But doctor... I am Pagliacci."
From: Roman Medina-H. H. <ro...@rs...> - 2009-01-28 19:23:05

Please, Bernardo, some comments about this? Thank you.

-r

Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> I'm trying sqlmap (latest windows exe) against a vulnerable site and I
> always get sqlmap telling that the parameter is not dynamic (then sqlmap is
> terminated). Could you explain how this logic (the dynamic test) works?
>
> The page in question is a user/password form, sent via POST method, where
> only the user parameter (called "txtUsuario") is injectable. I manually
> checked it and:
> - if an arbitrary user is entered, I get a 200 response with "Incorrect
> user" message.
> - if I enter a "'" char, I get a 500 response and an error message from the
> database :)
> - if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get
> a 200 response, this time with "Incorrect password" (so user test is
> passed!!!).
>
> Former tests show that it is clearly vulnerable to (blind) sql injection,
> but I didn't get it to exploit with sqlmap....
>
> This is what I'm using and the faulty results:
>
> C:\SQLMAP~1.3_E>sqlmap -v 2 -u "https://www.victim.com:443/LoginAction.do" --method POST --data "txtUsuario=a&txtPwd=a&Submit=aceptar" -p "txtUsuario"
>
> sqlmap/0.6.3 coded by Bernardo Damele A. G. <ber...@gm...>
> and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 16:20:16
>
> [16:20:16] [DEBUG] initializing the configuration
> [16:20:16] [DEBUG] initializing the knowledge base
> [16:20:16] [DEBUG] cleaning up configuration parameters
> [16:20:16] [DEBUG] setting the HTTP method to POST
> [16:20:16] [DEBUG] creating HTTP requests opener object
> [16:20:16] [DEBUG] parsing XML queries file
> [16:20:16] [INFO] testing connection to the target url
> [16:20:18] [WARNING] the testable parameter 'txtUsuario' you provided is not into the Cookie
> [16:20:18] [INFO] testing if the url is stable, wait a few seconds
> [16:20:23] [INFO] url is stable
> [16:20:23] [INFO] testing if POST parameter 'txtUsuario' is dynamic
> [16:20:24] [WARNING] POST parameter 'txtUsuario' is not dynamic
>
> [*] shutting down at: 16:20:24
>
> C:\SQLMAP~1.3_E>
>
> I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=9378&txtPwd=a&Submit=aceptar
>
> I guess the first requests are tests for stability (that's ok), and the
> last one is for "dynamic"-test. Since both "a" and "9378" values return the
> same response (code 200, with string "Incorrect user"), it believes the
> parameter is not dynamic (I guess). But this logic is nonsense: why is
> sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to
> disable this "dynamic test"?
>
> I also tried with --string, with no luck. Could you help me, please? Which
> exact command line would you enter in my scenario?
>
> Thank you.
>
> Cheers,
> -Roman

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
From: Konrads S. <ko...@sm...> - 2009-01-28 15:33:40

You are welcome. I didn't think that my patch was perfect ;) I wanted to say that sqlmap is a great tool. I hope I will be able to contribute some more.

--
Konrads Smelkovs
Applied IT sorcery.

On Wed, Jan 28, 2009 at 4:54 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Konrads,
>
> On Wed, Jan 28, 2009 at 12:42, Konrads Smelkovs <ko...@sm...> wrote:
> > ...
> > untilOrderChar = countedExpression.index(" ORDER BY ")
> > ValueError: substring not found
>
> Fixed and committed on svn repository.
> Thanks for notifying.
>
> PS: your patch could do the trick but there was another way to do it
> properly in the lib/core/common.py library file.
>
> Cheers,
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
> PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-28 14:55:18

Hi Konrads,

On Wed, Jan 28, 2009 at 12:42, Konrads Smelkovs <ko...@sm...> wrote:
> ...
> untilOrderChar = countedExpression.index(" ORDER BY ")
> ValueError: substring not found

Fixed and committed on svn repository.
Thanks for notifying.

PS: your patch could do the trick but there was another way to do it properly in the lib/core/common.py library file.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Konrads S. <ko...@sm...> - 2009-01-28 13:56:02

Perhaps this diff solves it:

Index: lib/core/agent.py
===================================================================
--- lib/core/agent.py (revision 330)
+++ lib/core/agent.py (working copy)
@@ -458,7 +458,7 @@
         elif kb.dbms == "Oracle":
             if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
-                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
+                limitedQuery = limitedQuery[:limitedQuery.lower().index(" ORDER BY ")]
             if query.startswith("SELECT "):
                 limitedQuery = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
@@ -469,7 +469,7 @@
         elif kb.dbms == "Microsoft SQL Server":
             if " ORDER BY " in limitedQuery:
-                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
+                limitedQuery = limitedQuery[:limitedQuery.lower().index(" ORDER BY ")]
             if not limitedQuery.startswith("SELECT TOP ") and not limitedQuery.startswith("TOP "):
                 limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
Index: lib/request/inject.py
===================================================================
--- lib/request/inject.py (revision 330)
+++ lib/request/inject.py (working copy)
@@ -205,7 +205,7 @@
         countedExpression = expression.replace(expressionFields, countFirstField, 1)
         if re.search(" ORDER BY ", expression, re.I):
-            untilOrderChar = countedExpression.index(" ORDER BY ")
+            untilOrderChar = countedExpression.lower().index(" ORDER BY ")
             countedExpression = countedExpression[:untilOrderChar]
         count = resume(countedExpression, payload)
@@ -342,7 +342,7 @@
     if inband and conf.unionUse and kb.dbms:
         if kb.dbms == "Oracle" and " ORDER BY " in expression:
-            expression = expression[:expression.index(" ORDER BY ")]
+            expression = expression[:expression.lower().index(" ORDER BY ")]
         value = __goInband(expression, expected)
Index: lib/techniques/inband/union/use.py
===================================================================
--- lib/techniques/inband/union/use.py (revision 330)
+++ lib/techniques/inband/union/use.py (working copy)
@@ -231,7 +231,7 @@
         countedExpression = origExpr.replace(expressionFields, countFirstField, 1)
         if re.search(" ORDER BY ", expression, re.I):
-            untilOrderChar = countedExpression.index(" ORDER BY ")
+            untilOrderChar = countedExpression.lower().index(" ORDER BY ")
             countedExpression = countedExpression[:untilOrderChar]
         count = resume(countedExpression, None)

--
Konrads Smelkovs
Applied IT sorcery.

On Wed, Jan 28, 2009 at 2:42 PM, Konrads Smelkovs <ko...@sm...> wrote:
> [14:39:38] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or
> 'q' and press ENTER
> sql> select name from sysobjects ORDER by xtype DESC
> [14:39:43] [INFO] fetching SQL SELECT statement query output: 'select name
> from sysobjects ORDER by xtype DESC'
> [14:39:43] [INPUT] can the SQL query provided return multiple entries?
> [Y/n]
> [14:39:44] [ERROR] unhandled exception in sqlmap/0.6.4-rc4, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developers will fix it as soon as
> possible:
> sqlmap version: 0.6.4-rc4
> Python version: 2.5.2
> Operating system: linux2
> Traceback (most recent call last):
> File "./sqlmap.py", line 81, in main
> start()
> File "/home/konrads/sqlmap/lib/controller/controller.py", line 255, in
> start
> action()
> File "/home/konrads/sqlmap/lib/controller/action.py", line 126, in action
> conf.dbmsHandler.sqlShell()
> File "/home/konrads/sqlmap/plugins/generic/enumeration.py", line 1117, in
> sqlShell
> output = self.sqlQuery(query)
> File "/home/konrads/sqlmap/plugins/generic/enumeration.py", line 1061, in
> sqlQuery
> output = inject.getValue(query, fromUser=True)
> File "/home/konrads/sqlmap/lib/request/inject.py", line 358, in getValue
> value = __goInferenceProxy(expression, fromUser, expected)
> File "/home/konrads/sqlmap/lib/request/inject.py", line 208, in
> __goInferenceProxy
> untilOrderChar = countedExpression.index(" ORDER BY ")
> ValueError: substring not found
>
> [*] shutting down at: 14:39:44
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
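Review bot: in both lib/core/agent.py hunks (@@ -458 and @@ -469) the replacement `limitedQuery.lower().index(" ORDER BY ")` can never succeed: once the haystack is lower-cased it contains " order by ", so searching it for the upper-case literal raises ValueError even for the all-upper-case queries that worked before the patch. Either lower-case the needle as well, or locate the clause with `re.search(" ORDER BY ", limitedQuery, re.I)` and slice at `m.start()`. Note also that the guards on the unchanged context lines (`if " ORDER BY " in limitedQuery`) remain case-sensitive, so a mixed-case "ORDER by" never reaches the rewritten line in these two hunks anyway.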
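Review bot: the lib/request/inject.py @@ -205 hunk is the code path in the reported traceback (`__goInferenceProxy`, line 208), and the change still raises: the guard `re.search(" ORDER BY ", expression, re.I)` accepts "ORDER by", but `countedExpression.lower().index(" ORDER BY ")` looks for an upper-case literal in a lower-cased string, which cannot match. Keep the regex and use its match position, e.g. `m = re.search(" ORDER BY ", countedExpression, re.I)` followed by `countedExpression = countedExpression[:m.start()]`. The guard tests `expression` while the slice is taken on `countedExpression`; searching the same string in both places avoids a second mismatch.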
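Review bot: the lib/request/inject.py @@ -342 hunk has the same lower()/upper-case mismatch, and here the condition on the context line, `kb.dbms == "Oracle" and " ORDER BY " in expression`, is still case-sensitive, so a mixed-case ORDER BY skips the branch entirely and is passed intact to `__goInband`. The guard and the slice should share one case-insensitive test.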
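Review bot: the lib/techniques/inband/union/use.py @@ -231 hunk duplicates the inject.py @@ -205 hunk line for line, including the broken `lower().index(" ORDER BY ")`. Since this count rewrite now lives in two files, a single shared helper that strips ORDER BY case-insensitively would fix both call sites and keep them from drifting apart again.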
From: Konrads S. <ko...@sm...> - 2009-01-28 12:49:02

Hello,

While pentesting a client's solution, I discovered that sqlmap fails to retrieve multiple entries (e.g. tables).

sql> select name from client
[14:32:40] [INFO] fetching SQL SELECT statement query output: 'select name from client'
[14:32:40] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:32:41] [INFO] query: SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM client
[14:32:41] [INFO] retrieved: 14
[14:32:49] [INFO] performed 20 queries in 7 seconds
[14:32:49] [INPUT] the SQL query provided can return up to 14 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice: a
[14:32:51] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM client WHERE name NOT IN (SELECT TOP 0 name FROM client)
[14:32:51] [INFO] retrieved: ValidResponse1
[14:33:17] [INFO] performed 69 queries in 26 seconds
[14:33:17] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM client WHERE name NOT IN (SELECT TOP 1 name FROM client)
[14:33:17] [INFO] retrieved: ValidResponse2
...
[14:35:05] [INFO] retrieved: Restor^C
[14:35:24] [ERROR] user aborted

[*] shutting down at: 14:35:24

So far, works!

konrads@talon:~/sqlmap$ ./sqlmap.py --method="POST" --data="${DATA}" -p z4 -u "http://${IP}/${URL};jsessionid=${JSESSIONID}" --proxy="http://localhost:8080" --string="${STRING}" -s somesession --sql-shell

sqlmap/0.6.4-rc4 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 14:35:25

[14:35:25] [INFO] resuming ....
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, JSP
back-end DBMS: Microsoft SQL Server 2000

[14:35:26] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql>
sql> select name from sysobjects where xtype='U'
[14:36:11] [INFO] fetching SQL SELECT statement query output: 'select name from sysobjects where xtype='U''
[14:36:11] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:36:12] [INFO] query: SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85)
[14:36:12] [INFO] retrieved: 28
[14:36:19] [INFO] performed 20 queries in 7 seconds
[14:36:19] [INPUT] the SQL query provided can return up to 28 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice: a
[14:36:21] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 0 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:21] [INFO] retrieved:
[14:36:24] [INFO] performed 6 queries in 2 seconds
[14:36:24] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 1 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:24] [INFO] retrieved:
[14:36:26] [INFO] performed 6 queries in 2 seconds
[14:36:26] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 2 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:26] [INFO] retrieved:
[14:36:29] [INFO] performed 6 queries in 2 seconds
[14:36:29] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 3 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:29] [INFO] retrieved:
[14:36:31] [INFO] performed 6 queries in 2 seconds
[14:36:31] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 4 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:31] [INFO] retrieved: ^C
[14:36:32] [ERROR] user aborted

[*] shutting down at: 14:36:32

And so it goes on, without retrieving anything. --tables switch fails equally.

However, doing a simple select name from sysobjects works.

[14:39:52] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql> select name from sysobjects
[14:39:56] [INFO] fetching SQL SELECT statement query output: 'select name from sysobjects '
[14:39:56] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:39:57] [INFO] query: SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM sysobjects
[14:39:57] [INFO] retrieved: 86
[14:40:04] [INFO] performed 20 queries in 7 seconds
[14:40:04] [INPUT] the SQL query provided can return up to 86 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice:
[14:40:06] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE name NOT IN (SELECT TOP 0 name FROM sysobjects )
[14:40:06] [INFO] retrieved: Tbl1
[14:40:22] [INFO] performed 41 queries in 15 seconds
[14:40:22] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE name NOT IN (SELECT TOP 1 name FROM sysobjects )
[14:40:22] [INFO] retrieved: Tbl2
...

--
Konrads Smelkovs
Applied IT sorcery.
From: Konrads S. <ko...@sm...> - 2009-01-28 12:42:52

[14:39:38] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql> select name from sysobjects ORDER by xtype DESC
[14:39:43] [INFO] fetching SQL SELECT statement query output: 'select name from sysobjects ORDER by xtype DESC'
[14:39:43] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:39:44] [ERROR] unhandled exception in sqlmap/0.6.4-rc4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4-rc4
Python version: 2.5.2
Operating system: linux2
Traceback (most recent call last):
  File "./sqlmap.py", line 81, in main
    start()
  File "/home/konrads/sqlmap/lib/controller/controller.py", line 255, in start
    action()
  File "/home/konrads/sqlmap/lib/controller/action.py", line 126, in action
    conf.dbmsHandler.sqlShell()
  File "/home/konrads/sqlmap/plugins/generic/enumeration.py", line 1117, in sqlShell
    output = self.sqlQuery(query)
  File "/home/konrads/sqlmap/plugins/generic/enumeration.py", line 1061, in sqlQuery
    output = inject.getValue(query, fromUser=True)
  File "/home/konrads/sqlmap/lib/request/inject.py", line 358, in getValue
    value = __goInferenceProxy(expression, fromUser, expected)
  File "/home/konrads/sqlmap/lib/request/inject.py", line 208, in __goInferenceProxy
    untilOrderChar = countedExpression.index(" ORDER BY ")
ValueError: substring not found

[*] shutting down at: 14:39:44

--
Konrads Smelkovs
Applied IT sorcery.
From: Roman Medina-H. H. <ro...@rs...> - 2009-01-22 15:44:24

Hello,

I'm trying sqlmap (latest windows exe) against a vulnerable site and I always get sqlmap telling that the parameter is not dynamic (then sqlmap is terminated). Could you explain how this logic (the dynamic test) works?

The page in question is a user/password form, sent via POST method, where only the user parameter (called "txtUsuario") is injectable. I manually checked it and:
- if an arbitrary user is entered, I get a 200 response with "Incorrect user" message.
- if I enter a "'" char, I get a 500 response and an error message from the database :)
- if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get a 200 response, this time with "Incorrect password" (so user test is passed!!!).

Former tests show that it is clearly vulnerable to (blind) sql injection, but I didn't get it to exploit with sqlmap....

This is what I'm using and the faulty results:

C:\SQLMAP~1.3_E>sqlmap -v 2 -u "https://www.victim.com:443/LoginAction.do" --method POST --data "txtUsuario=a&txtPwd=a&Submit=aceptar" -p "txtUsuario"

sqlmap/0.6.3 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 16:20:16

[16:20:16] [DEBUG] initializing the configuration
[16:20:16] [DEBUG] initializing the knowledge base
[16:20:16] [DEBUG] cleaning up configuration parameters
[16:20:16] [DEBUG] setting the HTTP method to POST
[16:20:16] [DEBUG] creating HTTP requests opener object
[16:20:16] [DEBUG] parsing XML queries file
[16:20:16] [INFO] testing connection to the target url
[16:20:18] [WARNING] the testable parameter 'txtUsuario' you provided is not into the Cookie
[16:20:18] [INFO] testing if the url is stable, wait a few seconds
[16:20:23] [INFO] url is stable
[16:20:23] [INFO] testing if POST parameter 'txtUsuario' is dynamic
[16:20:24] [WARNING] POST parameter 'txtUsuario' is not dynamic

[*] shutting down at: 16:20:24

C:\SQLMAP~1.3_E>

I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=a&txtPwd=a&Submit=aceptar
txtUsuario=9378&txtPwd=a&Submit=aceptar

I guess the first requests are tests for stability (that's ok), and the last one is for "dynamic"-test. Since both "a" and "9378" values return the same response (code 200, with string "Incorrect user"), it believes the parameter is not dynamic (I guess). But this logic is nonsense: why is sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to disable this "dynamic test"?

I also tried with --string, with no luck. Could you help me, please? Which exact command line would you enter in my scenario?

Thank you.

Cheers,
-Roman
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-22 14:54:24

Hi Ümit,

On Thu, Jan 22, 2009 at 14:05, Ümit Seren <uem...@gm...> wrote:
> ...
> /Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/core/convert.py:27:
> DeprecationWarning: the md5 module is deprecated; use hashlib instead
> import md5
> /Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/core/convert.py:28:
> DeprecationWarning: the sha module is deprecated; use the hashlib
> module instead
> import sha

I will deal with this Python warning message soon.

> sqlmap version: 0.6.3
> Python version: 2.6.1
> Operating system: darwin
> Traceback (most recent call last):
> File "sqlmap.py", line 81, in main
> start()
> File "/Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/controller/controller.py", line 267, in start
> action()
> File "/Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/controller/action.py", line 134, in action
> conf.dbmsHandler.osShell()
> File "/Users/uemit/Documents/Downloads/sqlmap-0.6.3/plugins/dbms/mysql.py", line 473, in osShell
> page, _ = Request.getPage(url=uploaderUrl, multipart=multipartParams)
> ValueError: too many values to unpack

This has been fixed weeks ago in the sqlmap subversion trunk version. Feel free to svn checkout and give a try to the upcoming 0.6.4 version. However, I am going to release the new version very soon, stay tuned!

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Ümit S. <uem...@gm...> - 2009-01-22 14:05:49

uemitlaptop:~/Documents/Downloads/sqlmap-0.6.3 uemit$ python sqlmap.py -u "192.168.1.39/testAPPs/news.php?datum=2007-01-01" --string='Willkommen' --union-use --os-shell
/Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/core/convert.py:27: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5
/Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/core/convert.py:28: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha
sqlmap version: 0.6.3
Python version: 2.6.1
Operating system: darwin
Traceback (most recent call last):
  File "sqlmap.py", line 81, in main
    start()
  File "/Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/controller/controller.py", line 267, in start
    action()
  File "/Users/uemit/Documents/Downloads/sqlmap-0.6.3/lib/controller/action.py", line 134, in action
    conf.dbmsHandler.osShell()
  File "/Users/uemit/Documents/Downloads/sqlmap-0.6.3/plugins/dbms/mysql.py", line 473, in osShell
    page, _ = Request.getPage(url=uploaderUrl, multipart=multipartParams)
ValueError: too many values to unpack
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-21 09:40:48

That has nothing to do with it. Again, it might be caused by the page content dynamicity, based on the information you provided.

On Wed, Jan 21, 2009 at 09:39, fuzion <ad...@nu...> wrote:
> Interesting idea, but sqlmap is running on the same machine hosting apache :)
>
> On Wed, Jan 21, 2009 at 3:24 AM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>> Hi,
>>
>> On Wed, Jan 21, 2009 at 01:45, fuzion <ad...@nu...> wrote:
>>> ...
>>> [19:40:46] [INFO] testing for parenthesis on injectable parameter
>>> [19:40:46] [INFO] the injectable parameter requires 3 parenthesis
>>> [19:40:46] [INFO] testing MySQL
>>> [19:40:46] [INFO] confirming MySQL
>>> [19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
>>> [19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
>>> [19:40:52] [ERROR] user aborted
>>
>> It looks like the site is extremely unstable in its HTTP response
>> contents. Try to provide a --string or a --regexp to match on. Refer
>> to sqlmap user's manual (doc/README.pdf) 'Page comparison' paragraph
>> for details.
>>
>> Regards,
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
>> PGP Key ID: 0x05F5A30F
>>
>
> --
> http://www.nukeit.org

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: fuzion <ad...@nu...> - 2009-01-21 09:39:07

Interesting idea, but sqlmap is running on the same machine hosting apache :)

On Wed, Jan 21, 2009 at 3:24 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> On Wed, Jan 21, 2009 at 01:45, fuzion <ad...@nu...> wrote:
>> ...
>> [19:40:46] [INFO] testing for parenthesis on injectable parameter
>> [19:40:46] [INFO] the injectable parameter requires 3 parenthesis
>> [19:40:46] [INFO] testing MySQL
>> [19:40:46] [INFO] confirming MySQL
>> [19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
>> [19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
>> [19:40:52] [ERROR] user aborted
>
> It looks like the site is extremely unstable in its HTTP response
> contents. Try to provide a --string or a --regexp to match on. Refer
> to the sqlmap user's manual (doc/README.pdf), 'Page comparison' paragraph,
> for details.
>
> Regards,
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
> PGP Key ID: 0x05F5A30F
>

--
http://www.nukeit.org
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-21 09:24:07

Hi,

On Wed, Jan 21, 2009 at 01:45, fuzion <ad...@nu...> wrote:
> ...
> [19:40:46] [INFO] testing for parenthesis on injectable parameter
> [19:40:46] [INFO] the injectable parameter requires 3 parenthesis
> [19:40:46] [INFO] testing MySQL
> [19:40:46] [INFO] confirming MySQL
> [19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
> [19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
> [19:40:52] [ERROR] user aborted

It looks like the site is extremely unstable in its HTTP response contents. Try to provide a --string or a --regexp to match on. Refer to the sqlmap user's manual (doc/README.pdf), 'Page comparison' paragraph, for details.

Regards,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: fuzion <ad...@nu...> - 2009-01-21 01:53:38

I was testing a script with the latest svn r346 (and a few revisions prior) and I keep getting garbled output:

[19:40:39] [INPUT] there were multiple injection points, please select the one to use to go ahead:
[0] place: POST, parameter: email, type: stringdouble (default)
[1] place: User-Agent, parameter: User-Agent, type: numeric
[q] Quit
Choice: 0
[19:40:46] [INFO] testing for parenthesis on injectable parameter
[19:40:46] [INFO] the injectable parameter requires 3 parenthesis
[19:40:46] [INFO] testing MySQL
[19:40:46] [INFO] confirming MySQL
[19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
[19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
[19:40:52] [ERROR] user aborted

Here's the command I used:

sqlmap.py -u "http://site/forgot.php" --method=POST --data="email=1&location=%2Fforgot%2Ephp" --dbms=mysql

Any idea what's causing this? It's the same DB I've always used for testing...

--
http://www.nukeit.org
From: fuzion <ad...@nu...> - 2009-01-21 01:53:37

Addendum: I just noticed that my -u was "http://serverip:80/forgot.php". When I remove the port :80 it doesn't even show that it's injectable...

--
http://www.nukeit.org
From: Bedirhan U. <bed...@gm...> - 2009-01-12 16:55:37

Hi Bernardo,

An internal conference, sounds good. I've looked at the slides; you should have mentioned sqlibench <http://code.google.com/p/sqlibench> and given a small amount of info on how sqlmap performs against other injectors...

cheers,
bedirhan

2009/1/10 Bernardo Damele A. G. <ber...@gm...>
> Hi,
>
> yesterday I gave a presentation titled "SQL injection exploitation
> internals: How do I exploit this web application injection point?" to my
> colleagues at my company's third internal conference.
>
> The presentation has a preamble on the definition of SQL injection, sqlmap and
> its features; then I presented common and uncommon problems and
> respective solutions, with examples, that a penetration tester or a SQL
> injection tool developer faces when he wants to take complete advantage
> of any kind of web application SQL injection flaw on real world web
> applications.
>
> I think it is worth a read for others too, so I put the slides
> online on SlideShare at
>
> http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation
>
> Cheers,
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
> PGP Key ID: 0x05F5A30F
>
> ------------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It is the best place to buy or sell services for
> just about anything Open Source.
> http://p.sf.net/sfu/Xq1LFB
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bedirhan Urgun
http://www.webguvenligi.org
http://www.owasp.org/index.php/Turkey

To subscribe to the Turkish Web Application Security mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-turkey
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-10 19:25:55

Hi,

yesterday I gave a presentation titled "SQL injection exploitation internals: How do I exploit this web application injection point?" to my colleagues at my company's third internal conference.

The presentation has a preamble on the definition of SQL injection, sqlmap and its features; then I presented common and uncommon problems and respective solutions, with examples, that a penetration tester or a SQL injection tool developer faces when he wants to take complete advantage of any kind of web application SQL injection flaw on real world web applications.

I think it is worth a read for others too, so I put the slides online on SlideShare at

http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2009-01-08 09:47:23

Hi,

On Wed, Jan 7, 2009 at 00:26, Darkness. MKD <dar...@gm...> wrote:
> ...
> sqlmap version: 0.6.3
> Python version: 2.5.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 78, in main
>   File "lib\core\option.pyc", line 746, in init
>   File "lib\core\update.pyc", line 344, in update
>   File "lib\core\update.pyc", line 56, in __updateMSSQLXML
>   File "lib\request\connect.pyc", line 209, in getPage
>   File "lib\request\connect.pyc", line 56, in __getPageProxy
>   File "lib\request\connect.pyc", line 69, in getPage
> AttributeError: 'NoneType' object has no attribute 'replace'

It looks like the MSSQL_VERSIONS_URL variable has been changed/removed in lib/core/settings.py. Restore it and run again; note, however, that at the moment 0.6.3 is the latest stable release. I plan to release 0.6.4 in a week or so.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F
From: Darkness.MKD <dar...@gm...> - 2009-01-07 00:26:35

On Windows XP SP3

Command: sqlmap.exe --update

sqlmap version: 0.6.3
Python version: 2.5.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 78, in main
  File "lib\core\option.pyc", line 746, in init
  File "lib\core\update.pyc", line 344, in update
  File "lib\core\update.pyc", line 56, in __updateMSSQLXML
  File "lib\request\connect.pyc", line 209, in getPage
  File "lib\request\connect.pyc", line 56, in __getPageProxy
  File "lib\request\connect.pyc", line 69, in getPage
AttributeError: 'NoneType' object has no attribute 'replace'

[*] shutting down at: 01:23:10
From: Bernardo D. A. G. <ber...@gm...> - 2008-12-31 10:07:06

Hi Alessandro,

On Wed, Dec 31, 2008 at 02:45, Alessandro Di Giuseppe <a.d...@gm...> wrote:
> ...
> [21:42:06] [ERROR] unhandled exception in sqlmap/0.6.3, please copy the
> command line and the following text and send by e-mail to
> sql...@li...urceforge.net. The developers will fix it as soon as possible:
> sqlmap version: 0.6.3
> Python version: 2.5.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 81, in main
>   File "lib\controller\controller.pyc", line 178, in start
>   File "lib\controller\checks.pyc", line 300, in checkStability
>   File "lib\request\connect.pyc", line 267, in queryPage
> TypeError: 'NoneType' object is not iterable

This bug should have been fixed 13 days ago in the sqlmap subversion repository, as of commit 271. If you want, give the sqlmap development version a try and let us know.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F