sqlmap-users Mailing List for sqlmap (Page 4)
Brought to you by: inquisb
From: Indra Z. <net...@gm...> - 2016-04-22 04:56:31
Hi all, I was just wondering: when I tried to do --os-pwn on sqlmap in my "DVWA Windows machine" I got an error:

    [WARNING] unable to upload the file through the web file stager to '/tmp'

I wonder, is it only available for Linux OS? Thanks, Indra Z

--
--from the net with zero space--

From: Indra Z. <net...@gm...> - 2016-04-08 07:22:33
It works. Thanks bro.

From: Miroslav S. <mir...@gm...> - 2016-04-08 07:15:14
You should use queries in --sql-query. sp_helptext is a T-SQL procedure to display the definition (-> can't be used in queries).

For your case you could take a look into something like: http://stackoverflow.com/a/26884231 (<- OBJECT_DEFINITION)

Bye

--
Miroslav Stampar
http://about.me/stamparm

From: Indra Z. <net...@gm...> - 2016-04-07 19:33:48
Hi all, I was just wondering how do I display a stored procedure with sqlmap's help? Can I do that with --query sp_helptext?

Thanks, Net

--
--from the net with zero space--

From: Miroslav S. <mir...@gm...> - 2016-03-14 16:26:53
Hardly will sqlmap give all the correct payloads right away. Though, to recreate sessions you could take a look into the:

    --safe-url=SAFEURL    URL address to visit frequently during testing
    --safe-post=SAFE..    POST data to send to a safe URL
    --safe-req=SAFER..    Load safe HTTP request from a file
    --safe-freq=SAFE..    Test requests between two visits to a given safe URL

With the "safe URL" mechanism you could visit the "session recreation" page every <freq> times. sqlmap should take the new session cookie at every visit.

Bye

--
Miroslav Stampar
http://about.me/stamparm

From: Marcell F. <fod...@gm...> - 2016-03-14 16:10:32
Hi,

I have an application where the injection is pretty straightforward:

    ?asd= (case when(123=123 *) then 1 else 2 end)

The problem is, when sqlmap tries the injection point, it sends a query which results in incorrect syntax on the server side and crashes the session. I can make it work with Burp Macros, recreating the session prior to all sqlmap test requests, and sqlmap will find the injection point working after a few tries.

Is there a more elegant way to do this?

From: Yonatan <ris...@gm...> - 2016-03-06 19:40:07
As enabling xp_cmdshell with sqlmap?

From: Miroslav S. <mir...@gm...> - 2016-02-22 16:43:06
sqlmap says that integer casting is probable, hence do not expect SQLi findings. Integer casting is a usual way to fight SQLi.

Bye

From: aurel l. <lab...@ya...> - 2016-02-22 15:40:15
Hi,

I'm trying to run nmap on the Blind SQL challenge from the DVWA website (lvl low), and I get this error that I don't understand:

    [ERROR] possible integer casting detected (e.g. "$id=intval($_REQUEST['id'])") at the back-end web application

Cheers

N.B: I'm running nmap on Kali 2.0 on a virtual machine and Metasploitable (where DVWA is installed) also on a virtual machine on the same computer.

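What the "possible integer casting" message is reacting to, as an added example that is not part of this thread, of DVWA or of sqlmap's code: three lookups run the same parameter against a constructed SQLite table. One splices the raw value into the SQL text, one passes it through an intval()-style cast like the `$id=intval($_REQUEST['id'])` line sqlmap quotes, and one binds it as a parameter. The `intval` helper is a re-implementation that assumes PHP's leading-digits behaviour, the table contents are constructed, and `casting_probable` is only a rough analogue of sqlmap's heuristic (same response for the bare value and for the value with SQL appended), not its actual check.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an application users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "gordonb"), (3, "1337")])
    return conn


def intval(value):
    """Approximation of PHP intval() on a string (assumed behaviour): an optional
    sign and the leading digits are parsed, anything else yields 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def lookup_vulnerable(conn, raw_id):
    """The request parameter is spliced into the SQL text unchanged."""
    sql = f"SELECT first_name FROM users WHERE user_id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_cast(conn, raw_id):
    """$id = intval($_REQUEST['id']) style: only an integer ever reaches the query,
    so whatever SQL was appended to the value is discarded before the query exists."""
    sql = f"SELECT first_name FROM users WHERE user_id = {intval(raw_id)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, raw_id):
    """Parameter binding: the value is data, never SQL text."""
    sql = "SELECT first_name FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def response(conn, lookup, value):
    """A database error is just another distinguishable response."""
    try:
        return lookup(conn, value)
    except sqlite3.Error as exc:
        return f"error: {exc}"


def casting_probable(conn, lookup, base="1"):
    """Rough analogue of the heuristic behind sqlmap's message: when a value with
    SQL appended behaves exactly like the bare value, the back end is most likely
    casting the parameter to an integer before it reaches the query."""
    return response(conn, lookup, base) == response(conn, lookup, base + " OR 1=1")


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", lookup_vulnerable), ("intval", lookup_cast),
                     ("parameterized", lookup_param)]:
        print(name, response(db, fn, "1"), response(db, fn, "1 OR 1=1"),
              "casting probable:", casting_probable(db, fn))
```

The cast variant is what the heuristic flags: it is not injectable, but only because the parameter is numeric. Binding the value as a parameter also returns a different response for the appended text (the literal string matches no row), which is why sqlmap does not report casting there; it is the general fix, since it covers string parameters as well.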
From: Miroslav S. <mir...@gm...> - 2016-01-26 06:33:32
Please update to the latest revision and retry. It should be fixed now.

Bye

--
Miroslav Stampar
http://about.me/stamparm

From: David M. <dav...@gm...> - 2016-01-25 15:22:13
Hello,

Exploiting the machine CsharpVulnJson from vulnhub: https://www.vulnhub.com/entry/csharp-vulnjson,134

I found an error when sqlmap fingerprints PostgreSQL. sqlmap always detects 9.1 when the real version is 9.3.9. This causes that when sqlmap creates the sys_eval, sys_exec functions the server answers with the error: incompatible library "/tmp/libsxqfo.so": version mismatch

If I copy the udf lib from the 9.3 directory to 9.1 it works fine.

I tried to modify fingerprint.py adding the 9.3 version's new function array_remove like this:

    if inject.checkBooleanExpression("ARRAY[1]=array_remove(ARRAY[1,2], 2)"):
        Backend.setVersion(">= 9.3.0")
    elif inject.checkBooleanExpression("REVERSE('sqlmap')='pamlqs'"):
        Backend.setVersionList([">= 9.1.0", "< 9.3.0"])

But no luck. If I erase the line that checks 9.1, when creating the sys_exec function it also takes the 9.1 udf lib.

I don't know how to proceed.

Best regards.

From: Mithun V. <mit...@ow...> - 2016-01-20 14:02:02
Hi Miroslav,

The situation is that I can't rerun or hit the system again for a couple of days due to a business issue. In the meanwhile, I need to extract all payloads injected from the scan that I already ran today. If I cannot see payloads from the exploit phase, can you please point me to the logic in the code where these payloads are generated? I saw a few xml files under the payloads folder, and along with these xml files and the code, I can try to reverse engineer and probably regenerate those payloads again. I am assuming that the same payloads are generated in every scan for a given database type (say Oracle)?

Thanks,
Mithun

From: Mithun V. <mit...@ow...> - 2016-01-20 13:47:46
Great. Thanks so much. I'll take a look and let you know.

Also, let us say I scan the same URL in front of an Oracle DB twice, then the payloads for both scans should be exactly the same, right? Since it is the same URL/DB?

Thanks,
Mithun

From: Miroslav S. <mir...@gm...> - 2016-01-20 13:39:57
You can take a look into xml/payloads/*.xml and xml/boundaries.xml for testing phase payloads.
You can take a look into lib/controller/checks.py for testing phase generation of payloads.

You can take a look into xml/boundaries.xml and xml/queries.xml for exploitation phase payloads.
You can take a look into plugins/*.py and lib/core/agent.py for exploitation phase payloads.

Bye

p.s. each DBMS has its own payloads. Practically, two same MySQL platforms (with the same vulnerability) should generate pretty similar payloads. But, if one MySQL platform is vulnerable to boolean SQLi and the other to UNION SQLi you can't expect the same payloads.

--
Miroslav Stampar
http://about.me/stamparm

From: Mithun V. <mit...@ow...> - 2016-01-20 13:33:19
Hi Miroslav,

The situation is that I can't rerun or hit the system again for a couple of days due to a business issue. In the meanwhile, I need to extract all payloads injected from the scan that I already ran today. If I cannot see payloads from the exploit phase, can you please point me to the logic in the code where these payloads are generated? I saw a few xml files under the payloads folder, and along with these xml files and the code, I can try to reverse engineer and probably regenerate those payloads again. I am assuming that the same payloads are generated in every scan for a given database type (say Oracle)?

Thanks,
Mithun

From: Miroslav S. <mir...@gm...> - 2016-01-20 12:49:22
You can see all testing payloads by rerunning with -v 3.

You can't see payloads that sqlmap generated during the exploitation phase. Results of those payloads are stored inside the appropriate session.sqlite, but with hashed queries/payloads. Without doing this, session files would explode in case of huge table dumps.

Bye

--
Miroslav Stampar
http://about.me/stamparm

From: Mithun V. <mit...@ow...> - 2016-01-20 12:30:48
Hello Everyone,

I need to retrieve all payloads inserted by SQLMap into vulnerable parameters. Is it possible?

Right now, in my output directory, I can see a log file with only one payload example. Does the tool store all payloads that it injects? How can I pull out this information?

Thanks,
Mithun

From: Miroslav S. <mir...@gm...> - 2015-12-06 22:13:08
Hi.

My 2 cents:

"sqlmap - security development in Python"
http://www.slideshare.net/stamparm/euro-python-2011miroslavstamparsqlmapsecuritydevelopmentinpython

"DNS exfiltration using sqlmap"
http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281

"sqlmap - Under the Hood"
http://www.slideshare.net/stamparm/ph-days-2013miroslavstamparsqlmapunderthehood

"Heuristic methods used in sqlmap"
http://www.slideshare.net/stamparm/f-sec-2013miroslavstamparheuristicmethodsusedinsqlmap

"sqlmap - why (not how) it works?"
http://www.slideshare.net/stamparm/sqlmap-why-not-how-it-works-53947145

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

From: Jacek W. <d3...@gm...> - 2015-12-06 15:47:40
Hello,

I just found that sqlmap doesn't have a Wikipedia article. I could cook up some small stub, but I could use some references so that it doesn't get removed because of no proven article notability. Could you provide me with links to presentations, papers and other proofs of sqlmap notability that I could put on Wikipedia?

Cheers,
d33tah

From: Brandon P. <bpe...@gm...> - 2015-11-16 19:01:05
Ah, that's great to know. I will have to look at this more deeply. Thanks for the quick response.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From: Miroslav S. <mir...@gm...> - 2015-11-16 18:59:08
Also, please don't run with -o to see what sqlmap does, as I know that you like to use that switch. -o turns on character prediction, which statistically predicts which could be the current character based on previous responses. In those cases sqlmap compares to the most likely chars at the beginning, while using binary search in case of a miss.

Bye

From: Miroslav S. <mir...@gm...> - 2015-11-16 18:54:07
Please run with -v 3 to see what sqlmap does. It doesn't iterate serially for all characters. It uses binary search. On average it requires cca. 5-6 requests per char.

Bye

From: Brandon P. <bpe...@gm...> - 2015-11-16 18:41:09
Also, obviously password hashes and the like are not English, so this would mostly be useful potentially for table/column name enumeration.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From: Brandon P. <bpe...@gm...> - 2015-11-16 18:28:21
The other night, I was performing a boolean-based attack. I realised that iterating from a-zA-Z0-9 as bytes to compare on the SQL server could be optimized, but only for Latin/English languages, so not sure how useful this would be.

During boolean-based blind attacks, would it be useful to use a character frequency map as opposed to iterating over each potential char serially?

For instance:

https://en.wikipedia.org/wiki/Letter_frequency#Relative_frequencies_of_letters_in_the_English_language

Note that the top 5 letters in the English language are e, t, a, o, and i. Statistically speaking, bruteforcing in the order of the character frequency could greatly decrease the number of HTTP requests required to determine a given character.

However, this might be too complex/out of scope for sqlmap. Was just a thought I had. Thoughts?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

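The request-count comparison behind this thread (Brandon's frequency-ordering idea, Miroslav's "binary search, cca. 5-6 requests per char" and the -o prediction mode), as an added example that is not part of the thread or of sqlmap's code: a local stand-in oracle answers one boolean question per call and counts the calls, while four strategies recover the same constructed secret. The alphabet, the English frequency order (constructed from the order in the Wikipedia table Brandon links) and the secret "users" are constructed inputs; `predicted` only sketches the -o idea with a fixed first guess, whereas sqlmap's real prediction adapts to previous responses. Over the full 0..127 code range, bisection costs exactly 7 questions per character; sqlmap narrows the range further, which is where the 5-6 figure comes from.

```python
import string

# Constructed inputs for the simulation (not sqlmap's own tables).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits   # a-zA-Z0-9
FREQ_ORDER = "etaoinshrdlcumwfgypbvkjxqz"   # English letters, most to least frequent


class Oracle:
    """Stand-in for the boolean condition a blind injection evaluates server-side.
    Every question costs one request, which is the quantity being compared here."""

    def __init__(self, secret):
        self.secret = secret
        self.requests = 0

    def equals(self, pos, code):          # "ASCII(SUBSTRING(x, pos, 1)) = code"-style question
        self.requests += 1
        return ord(self.secret[pos]) == code

    def greater_than(self, pos, code):    # "ASCII(SUBSTRING(x, pos, 1)) > code"-style question
        self.requests += 1
        return ord(self.secret[pos]) > code


def serial(oracle, pos):
    """Try each candidate in a-zA-Z0-9 order until one matches."""
    for ch in ALPHABET:
        if oracle.equals(pos, ord(ch)):
            return ch
    raise ValueError("character outside the alphabet")


def frequency_serial(oracle, pos):
    """Brandon's proposal: the same linear scan, most frequent English letters first."""
    for ch in FREQ_ORDER:
        if oracle.equals(pos, ord(ch)):
            return ch
    raise ValueError("character outside the alphabet")


def bisect(oracle, pos, lo=0, hi=127):
    """sqlmap's default: halve the remaining code range with '>' questions.
    Invariant: lo <= code <= hi, so the loop ends with lo == hi == code."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.greater_than(pos, mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def predicted(oracle, pos, guesses=1):
    """Sketch of the -o idea: test the likeliest character(s) first, bisect on a miss."""
    for ch in FREQ_ORDER[:guesses]:
        if oracle.equals(pos, ord(ch)):
            return ch
    return bisect(oracle, pos)


def measure(secret, strategy):
    """Recover `secret` one character at a time; return it with the request count."""
    oracle = Oracle(secret)
    recovered = "".join(strategy(oracle, i) for i in range(len(secret)))
    assert recovered == secret
    return recovered, oracle.requests


if __name__ == "__main__":
    for name, strategy in [("serial", serial), ("frequency", frequency_serial),
                           ("bisect", bisect), ("predicted", predicted)]:
        print(name, measure("users", strategy))
```

For "users" the counts come out 82 (serial), 37 (frequency order), 35 (bisection) and 33 (one frequency guess, then bisection): ordering by frequency helps a linear scan a lot, but bisection is the stronger baseline, and prediction only pays off when a hit saves more than the misses cost, which is why it is an option rather than the default. From the log-review side, the per-character cost is the useful number: every recovered character is a burst of near-identical requests that differ only in a comparison value.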
From: Rodrigo Z. S. <rod...@gm...> - 2015-11-14 20:41:18
I finally discovered why the program wasn't working. I was trying to use it on a table and it uses the default:

    where column_name > (char string)

So the program gets the next element by testing if it is bigger than the previous one. So it gets the name: JOAO

To get the next, sqlmap creates:

    WHERE CONVERT(NVARCHAR(4000),tablename)>CHAR(74)+CHAR(79)+CHAR(65)+CHAR(79))

So the next it gets is: JOĂO

So, this is a problem. I just see now that I need to configure the encoding. But the character it got was Ă (wiki <https://en.wikipedia.org/wiki/%C4%82>), but the real character in the Portuguese language is Ã (wiki <https://en.wikipedia.org/wiki/%C3%83>) and now sqlmap does this:

    WHERE CONVERT(NVARCHAR(4000),tablename)>CHAR(74)+CHAR(79)+NCHAR(258)+CHAR(79)

The problem is it now only gets the JOĂO. It did a wrong encode. Because the program tries to get the next with a "bigger than", if it gets the same result it is obviously an error. So why not ask the user to choose another encoding, or maybe ask if he wants to put the next string to try to get a bigger one than that. The worst thing is getting the same thing all the time. No one wants that.

By the way, I solved the problem by putting --charset=ISO-8859-1
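The mechanics of the stuck enumeration above, as an added example that is not part of the message or of sqlmap's code. Two things on the page are reproducible offline: the single byte 0xC3 is Ã under ISO-8859-1 and Ă under ISO-8859-2, and ord("Ă") is 258, which is exactly the NCHAR(258) the message quotes. The rest is simulated: a fake server holds a constructed table as ISO-8859-1 bytes and answers "smallest row greater than this key"; how it treats a key character that does not exist in its code page is an assumption made here (best-fit to the base letter, so Ă becomes A) chosen to reproduce the symptom, since the real server's collation rules are not on the page. The client-side `walk` adds the check the author asks for: it stops as soon as a fetched value repeats instead of looping.

```python
import unicodedata

# Constructed sample table, stored server-side as ISO-8859-1 bytes.
SERVER_ROWS = sorted(name.encode("iso-8859-1") for name in ["MARIA", "JOÃO", "JOAO", "ANA"])


def best_fit_latin1(text):
    """Assumed server behaviour: convert the Unicode key to the column's code page;
    a character outside ISO-8859-1 (such as Ă) is best-fit mapped to its base letter."""
    out = bytearray()
    for ch in text:
        try:
            out += ch.encode("iso-8859-1")
        except UnicodeEncodeError:
            base = unicodedata.normalize("NFKD", ch)[0]
            out += base.encode("iso-8859-1", "replace")
    return bytes(out)


def server_next_after(key_text):
    """Fake server: the smallest stored row strictly greater than the key,
    compared bytewise after code-page conversion, or None when exhausted."""
    key = best_fit_latin1(key_text)
    for row in SERVER_ROWS:
        if row > key:
            return row
    return None


def walk(charset, max_steps=10):
    """Client-side enumeration in the style the message describes: fetch the row
    greater than the last one, decoding each response with `charset`.
    Returns (values seen, problem description or None); a repeated value is
    reported as a probable charset mismatch rather than fetched forever."""
    seen = []
    last = ""
    for _ in range(max_steps):
        raw = server_next_after(last)
        if raw is None:
            return seen, None
        value = raw.decode(charset)
        if value == last:
            return seen, (f"no progress after {value!r}: probable charset mismatch, "
                          f"retry with another --charset")
        seen.append(value)
        last = value
    return seen, "step limit reached"


def decode_variants(byte):
    """The same byte under the two charsets in play, with its code point."""
    return {cs: (byte.decode(cs), ord(byte.decode(cs))) for cs in ("iso-8859-1", "iso-8859-2")}


if __name__ == "__main__":
    print(decode_variants(b"\xc3"))
    for cs in ("iso-8859-1", "iso-8859-2"):
        print(cs, walk(cs))
```

With the right charset the walk returns all four rows and stops cleanly; with ISO-8859-2 the third row decodes as JOĂO, the key built from it lands back on the same row, and the walk stops with a diagnostic on the very next fetch. A repeated value in a strictly increasing cursor is never legitimate, so it is a cheap and reliable place to surface the encoding question to the user.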