sqlmap-users Mailing List for sqlmap (Page 32)
From: Brandon P. <bpe...@gm...> - 2013-08-20 14:20:34
|
Or binary md5

Sent from a computer

On Aug 20, 2013, at 7:56, Douglas Brancaglion <dou...@gm...> wrote:

> Hello guys, I have researched a lot about my case even more could not get an answer that resolves my problem.
>
> In some tests I came across a possible "hash" that is within a table in a microsoft sql server that is coming with the hash sooo weird, I personally have never seen.
>
> I've tried to convert it in several encodes, however no success.
>
> Does anyone of you have seen similar case?
>
> Below is an example of this "hash"
>
> \ \ x8cĐ \ \ x14Z \ \ xa8 \ \ xd7 # | ż \ \ x04YŚ \ \ xfa? \ \ x82Ę \ \ x18] Š \ \ x02E \ \ x8A \ \ xdf \ \ x80Ĺ \ \ x08P \ \ x9eă
>
> --
> Douglas Brancaglion
> Security Analist
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
From: Brandon P. <bpe...@gm...> - 2013-08-20 14:16:02
|
Sha-1 hash stored as binary?

Sent from a computer

On Aug 20, 2013, at 7:56, Douglas Brancaglion <dou...@gm...> wrote:

> Hello guys, I have researched a lot about my case even more could not get an answer that resolves my problem.
>
> In some tests I came across a possible "hash" that is within a table in a microsoft sql server that is coming with the hash sooo weird, I personally have never seen.
>
> I've tried to convert it in several encodes, however no success.
>
> Does anyone of you have seen similar case?
>
> Below is an example of this "hash"
>
> \ \ x8cĐ \ \ x14Z \ \ xa8 \ \ xd7 # | ż \ \ x04YŚ \ \ xfa? \ \ x82Ę \ \ x18] Š \ \ x02E \ \ x8A \ \ xdf \ \ x80Ĺ \ \ x08P \ \ x9eă
>
> --
> Douglas Brancaglion
> Security Analist |
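The two replies above suggest a SHA-1 or MD5 digest stored as raw binary; whether that fits can be checked from the byte length, and the "weird" look comes from printing those bytes through a text codec. The following is an added example, not code from the thread or from sqlmap; the cp1250 codec and the sample digests are assumptions constructed for illustration.

```python
import hashlib

# Digest size in bytes -> common algorithms producing that size.
# Length only narrows the candidates; it never proves the algorithm.
DIGEST_SIZES = {
    16: ["MD5"],
    20: ["SHA-1"],
    32: ["SHA-256"],
    64: ["SHA-512"],
}


def candidates(raw):
    """Return the algorithms whose digest size matches len(raw)."""
    return DIGEST_SIZES.get(len(raw), [])


def to_hex(raw):
    """Render bytes as a 0x-prefixed hex literal (SQL Server binary constant form)."""
    return "0x" + raw.hex().upper()


def render_as_text(raw, codec="cp1250"):
    """Show what a client prints when it decodes a binary column as text.

    Bytes the codec cannot map become U+FFFD, so information is lost.
    The codec is an assumption; use the one the client actually applied.
    """
    return raw.decode(codec, errors="replace")


def survives_text_round_trip(raw, codec="cp1250"):
    """True if decoding to text and encoding back yields the same bytes.

    When this is False, the original digest cannot be recovered from the
    printed text and the column has to be read again as binary/hex.
    """
    text = raw.decode(codec, errors="replace")
    return text.encode(codec, errors="replace") == raw


def describe(raw, codec="cp1250"):
    """Summarise one binary value: length, candidates, hex and text forms."""
    return {
        "length": len(raw),
        "candidates": candidates(raw),
        "hex": to_hex(raw),
        "as_text": render_as_text(raw, codec),
        "recoverable_from_text": survives_text_round_trip(raw, codec),
    }


if __name__ == "__main__":
    # Constructed sample values, not data from the thread.
    samples = {
        "sha1": hashlib.sha1(b"constructed sample").digest(),
        "md5": hashlib.md5(b"constructed sample").digest(),
        "short": bytes([0x8C, 0xD0, 0x81]),  # 0x81 is unmapped in cp1250
    }
    for name, raw in samples.items():
        info = describe(raw)
        print(name, info["length"], info["candidates"], info["hex"])
        print("  shown as text:", repr(info["as_text"]))
        print("  recoverable from text:", info["recoverable_from_text"])
```
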
From: Sebastian N. <seb...@sy...> - 2013-08-20 13:39:20
|
Hi,

is there a way to access the value of elements in eval-code, if custom injection markers are used?

Why am I asking?

==
$ ~/Downloads/sqlmap/sqlmap.py -u "http://localhost/test.php?argl=1*&foo=2" --eval="print dir()"
[..]
[*] starting at 15:37:51
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q]
[15:37:52] [INFO] testing connection to the target URL
['__builtins__']
[15:37:52] [INFO] heuristics detected web page charset 'ascii'
[..]
==

Is there a way to access the parameters?

Thanks!
Sebastian |
From: Douglas B. <dou...@gm...> - 2013-08-20 12:56:24
|
Hello guys, I have researched a lot about my case even more could not get an answer that resolves my problem.

In some tests I came across a possible "hash" that is within a table in a microsoft sql server that is coming with the hash sooo weird, I personally have never seen.

I've tried to convert it in several encodes, however no success.

Does anyone of you have seen similar case?

Below is an example of this "hash"

\ \ x8cĐ \ \ x14Z \ \ xa8 \ \ xd7 # | ż \ \ x04YŚ \ \ xfa? \ \ x82Ę \ \ x18] Š \ \ x02E \ \ x8A \ \ xdf \ \ x80Ĺ \ \ x08P \ \ x9eă

--
Douglas Brancaglion
Security Analist |
From: Douglas B. <dou...@gm...> - 2013-08-20 12:46:49
|
Hello guys, I have researched a lot about my case even more could not get an answer that resolves my problem.

In some tests I came across a possible "hash" that is within a table in a microsoft sql server that is coming with the hash sooo weird, I personally have never seen.

I've tried to convert it in several encodes, however no success.

Does anyone of you have seen similar case?

Below is an example of this "hash"

\ \ x8cĐ \ \ x14Z \ \ xa8 \ \ xd7 # | ż \ \ x04YŚ \ \ xfa? \ \ x82Ę \ \ x18] Š \ \ x02E \ \ x8A \ \ xdf \ \ x80Ĺ \ \ x08P \ \ x9eă

--
Douglas Brancaglion
Security Analist |
From: Tobias G. <tgl...@te...> - 2013-08-14 10:34:58
|
List, SQLmap has been chosen to be part of the Open Source Security Showcase @OWASP AppSec Research in Hamburg, Germany NEXT WEEK. We're happy Miroslav will be there and give a deep insight in SQLmap. We also got the folks from ws-attacker, BeEF, WAHH, Zed Attack Proxy, OWASP Top10, DOMinator, Minion and Mallodroid. Of course we have great talks and trainings as well. No Ticket? Don't worry, we still got space for you (more than 400 attendees registered already). Check out https://appsec.eu/ for all Details. Tickets are really affordable as the conference is a non-profit OWASP Project. <500 EUR for two days including conference dinner on Thursday is really worth it. Miroslav, I'm really looking forward meeting you in person again. Thanks for coming to OWASP AppSec Research. Folks, see you all in Hamburg next week. Cheers Tobias Glemser OWASP German Chapter Lead Orga Team OWASP AppSec Research 2013 |
From: Sebastian N. <seb...@sy...> - 2013-08-13 13:39:58
|
Hi,

On 13.08.2013 15:15, Den wrote:
> Thank you!
>
> I set up "--cookie" parameter and got access.

If you are running a webproxy (e.g. webscarab or Burp Suite) between your browser and the server or if you have some development add-ons installed, you could also make a copy of a complete HTTP-REQUEST sent to the server and load it using "-l file-containing-the-request".

It helps when doing complex queries (e.g. with referer- and agent-checks, multiple cookies, long POST-bodies or file-attachments). It can also help with avoiding encoding-problems and/or quoting-issues (e.g. $ or ! in an url with a linux shell)

All the best,
Sebastian |
From: Den <wor...@gm...> - 2013-08-13 13:16:00
|
Thank you!

I set up "--cookie" parameter and got access.

> If you just want to exploit that section, capture a cookie with your
> favorite proxy tool and set it in sqlmap
>
> On Tue, Aug 13, 2013 at 8:43 AM, Den <wor...@gm...> wrote:
>> Hello everybody!
>>
>> Please give me a clue.
>> I've a web site and I should be authorized to enter to a admin area
>> (http://example.com/Login.aspx)
>> I have user/password for this. How can I pass this credentials to sqlmap
>> and test the admin area such as
>> http://example.com/admin/UserEdit.aspx?id=117 ?
>>
>> Thank you in advance. |
From: Andres R. <and...@gm...> - 2013-08-13 11:47:46
|
If you just want to exploit that section, capture a cookie with your favorite proxy tool and set it in sqlmap

On Tue, Aug 13, 2013 at 8:43 AM, Den <wor...@gm...> wrote:
> Hello everybody!
>
> Please give me a clue.
> I've a web site and I should be authorized to enter to a admin area
> (http://example.com/Login.aspx)
> I have user/password for this. How can I pass this credentials to sqlmap
> and test the admin area such as
> http://example.com/admin/UserEdit.aspx?id=117 ?
>
> Thank you in advance.

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3 |
From: Den <wor...@gm...> - 2013-08-13 11:43:37
|
Hello everybody! Please give me a clue. I've a web site and I should be authorized to enter to a admin area (http://example.com/Login.aspx) I have user/password for this. How can I pass this credentials to sqlmap and test the admin area such as http://example.com/admin/UserEdit.aspx?id=117 ? Thank you in advance. |
From: Bola A. <man...@gm...> - 2013-08-12 22:27:47
|
C:\Python26>python c:\xd\sqlmap.py -h [00:25:06] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the GitHub repository. If the exception per sists, please send by e-mail to 'sql...@li...' or open a n ew issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the follow ing text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you. sqlmap version: 1.0-dev Python version: 2.6 Operating system: nt Command line: c:\xd\sqlmap.py -h Technique: None Back-end DBMS: None (identified) ←[41m←[37mTraceback (most recent call last): File "c:\xd\sqlmap.py", line 71, in main cmdLineOptions.update(cmdLineParser().__dict__) File "c:\xd\lib\parse\cmdline.py", line 767, in cmdLineParser (args, _) = parser.parse_args(args) File "C:\Python26\lib\optparse.py", line 1378, in parse_args stop = self._process_args(largs, rargs, values) File "C:\Python26\lib\optparse.py", line 1422, in _process_args self._process_short_opts(rargs, values) File "C:\Python26\lib\optparse.py", line 1529, in _process_short_opts option.process(opt, value, values, self) File "C:\Python26\lib\optparse.py", line 782, in process self.action, self.dest, opt, value, values, parser) File "C:\Python26\lib\optparse.py", line 804, in take_action parser.print_help() File "C:\Python26\lib\optparse.py", line 1648, in print_help file.write(self.format_help().encode(encoding, "replace")) LookupError: unknown encoding: cp720 ←[0m [*] shutting down at 00:25:06 btw am using win7 64x and python26 Thanks in advance |
From: Miroslav S. <mir...@gm...> - 2013-08-12 12:22:07
|
Hi.

This is a general error when (user's) Oracle environment is not properly being set. I'll make a minor patch to warn an user about it (avoiding this kind of crashes). Maybe you can find some interesting info at: [1], [2], [3].

Kind regards,
Miroslav Stampar

[1] http://comments.gmane.org/gmane.comp.python.db.cx-oracle/2357
[2] https://forums.oracle.com/thread/1111594
[3] http://stackoverflow.com/questions/13589683/interfaceerror-unable-to-acquire-oracle-environment-handle-oracle-home-is-corr

On Fri, Aug 9, 2013 at 8:45 PM, rkas solutions <rka...@gm...>wrote:
> Hi
>
> I am using SQLMAP recent build
> sqlmap version: 1.0-dev
> Python version: 2.7.5
>
> --dbms=Oracle and --dbs works fine. It retrieves all schemas/ databases
> from Oracle. But, -D, -T, -C and related database data retrieval commands
> are not producing results.
>
> [14:25:29] [WARNING] the SQL query provided does not return any output
> [14:25:29] [WARNING] in case of continuous data retrieval problems you are
> advis
> ed to try a switch '--no-cast' or switch '--hex'
> [14:25:29] [ERROR] unable to retrieve the table names for any database
> do you want to use common table existence check? [y/N/q] y
> [14:25:55] [INFO] checking table existence using items from
> 'C:\sqlmap\txt\commo
> n-tables.txt'
> [14:25:55] [INFO] adding words used on web page to the check list
> please enter number of threads? [Enter for 1 (current)] 10
> [14:26:01] [INFO] starting 10 threads
> [14:26:10] [WARNING] no table(s) found
> No tables found
> [14:26:10] [INFO] fetched data logged to text files under
> 'C:\sqlmap\output\localhost'
>
> Is there anything I need to setup to make these commands work. Also,
> python sqlmap.py -d "oracle://user:pasword@IP:port/DB" does not work. No
> results and it throws below error.
>
> Technique: DIRECT
> Back-end DBMS: Oracle (identified)
> Traceback (most recent call last):
> File "sqlmap.py", line 95, in main
> start()
> File "C:\sqlmap\lib\controller\controller.py", line 248, in start
> action()
> File "C:\sqlmap\lib\controller\action.py", line 32, in action
> setHandler()
> File "C:\sqlmap\lib\controller\handler.py", line 96, in setHandler
> conf.dbmsConnector.connect()
> File "C:\sqlmap\plugins\dbms\oracle\connector.py", line 43, in connect
> self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user,
> password=
> self.password, mode=cx_Oracle.SYSDBA)
> InterfaceError: Unable to acquire Oracle environment handle

--
Miroslav Stampar
http://about.me/stamparm |
From: rkas s. <rka...@gm...> - 2013-08-09 18:45:45
|
Hi I am using SQLMAP recent build sqlmap version: 1.0-dev Python version: 2.7.5 --dbms=Oracle and --dbs works fine. It retrieves all schemas/ databases from Oracle. But, -D, -T, -C and related database data retrieval commands are not producing results. [14:25:29] [WARNING] the SQL query provided does not return any output [14:25:29] [WARNING] in case of continuous data retrieval problems you are advis ed to try a switch '--no-cast' or switch '--hex' [14:25:29] [ERROR] unable to retrieve the table names for any database do you want to use common table existence check? [y/N/q] y [14:25:55] [INFO] checking table existence using items from 'C:\sqlmap\txt\commo n-tables.txt' [14:25:55] [INFO] adding words used on web page to the check list please enter number of threads? [Enter for 1 (current)] 10 [14:26:01] [INFO] starting 10 threads [14:26:10] [WARNING] no table(s) found No tables found [14:26:10] [INFO] fetched data logged to text files under 'C:\sqlmap\output\localhost' Is there anything I need to setup to make these commands work. Also, python sqlmap.py -d "oracle://user:pasword@IP:port/DB" does not work. No results and it throws below error. Technique: DIRECT Back-end DBMS: Oracle (identified) Traceback (most recent call last): File "sqlmap.py", line 95, in main start() File "C:\sqlmap\lib\controller\controller.py", line 248, in start action() File "C:\sqlmap\lib\controller\action.py", line 32, in action setHandler() File "C:\sqlmap\lib\controller\handler.py", line 96, in setHandler conf.dbmsConnector.connect() File "C:\sqlmap\plugins\dbms\oracle\connector.py", line 43, in connect self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password= self.password, mode=cx_Oracle.SYSDBA) InterfaceError: Unable to acquire Oracle environment handle |
From: Miroslav S. <mir...@gm...> - 2013-08-06 21:54:30
|
Hi. This was fixed with [1]. Kind regards, Miroslav Stampar [1] https://github.com/sqlmapproject/sqlmap/issues/497 On Wed, Jul 31, 2013 at 9:40 PM, John Doe <Joh...@gm...>wrote: > ./sqlmap.py --proxy=http://127.0.0.1:8118 --random-agent --technique=BSU > --url=' > https://target.host/www/Buggy.aspx?1stParam=329057&2ndParam=1692468&3rdParam=10037 > ' > --threads=4 --dbms=mssql --os=windows -p1stParam,2ndParam,3rdParam > > sqlmap/1.0-dev-6b826ef - automatic SQL injection and database > takeover tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > prior mutual consent is illegal. It is the end user's responsibility to > obey all applicable local, state and federal laws. Developers assume no > liability and are not responsible for any misuse or damage caused by > this program > > [*] starting at 02:51:21 > > [02:51:21] [INFO] fetched random HTTP User-Agent header from file > '/root/sqlmap-git/txt/user-agents.txt': Opera/9.52 (X11; Linux i686; U; fr) > [02:51:21] [INFO] testing connection to the target URL > [02:51:24] [INFO] testing if the target URL is stable. This can take a > couple of seconds > [02:51:27] [WARNING] target URL is not stable. sqlmap will base the page > comparison on a sequence matcher. If no dynamic nor injectable > parameters are detected, or in case of junk results, refer to user's > manual paragraph 'Page comparison' and provide a string or regular > expression to match on > how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] > sqlmap got a 302 redirect to 'http://www.target.host/www/Error.html'. Do > you want to follow? 
[Y/n] > [02:51:33] [INFO] heuristics detected web page charset 'UTF-8' > [02:51:33] [WARNING] heuristic (basic) test shows that GET parameter > '1stParam' might not be injectable > [02:51:33] [INFO] testing for SQL injection on GET parameter '1stParam' > [02:51:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING > clause' > [02:52:08] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries' > [02:52:08] [WARNING] time-based comparison needs larger statistical > model. Making a few dummy requests, please wait.. > [02:52:21] [CRITICAL] there is considerable lagging in connection > response(s). Please use as high value for option '--time-sec' as > possible (e.g. 10 or more) > [02:52:24] [WARNING] HTTP error codes detected during run: > 403 (Forbidden) - 10 times > > [02:52:24] [CRITICAL] unhandled exception in sqlmap/1.0-dev-6b826ef, > retry your run with the latest development version from the GitHub > repository. If the exception persists, please send by e-mail to > 'sql...@li...' or open a new issue at > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. The developers > will try to reproduce the bug, fix it accordingly and get back to you. 
> sqlmap version: 1.0-dev-6b826ef > Python version: 2.7.4 > Operating system: posix > Command line: ./sqlmap.py --proxy=********************* --random-agent > --technique=BSU > > --url=********************************************************************************************************************** > --threads=4 --dbms=mssql --os=windows -p1stParam,2ndParam,3rdParam > Technique: None > Back-end DBMS: Microsoft SQL Server (identified) > Traceback (most recent call last): > File "./sqlmap.py", line 95, in main > start() > File "/root/sqlmap-git/lib/controller/controller.py", line 481, in start > injection = checkSqlInjection(place, parameter, value) > File "/root/sqlmap-git/lib/controller/checks.py", line 438, in > checkSqlInjection > trueResult = Request.queryPage(reqPayload, place, > timeBasedCompare=True, raise404=False) > File "/root/sqlmap-git/lib/request/connect.py", line 857, in queryPage > page, headers, code = Connect.getPage(url=uri, get=get, post=post, > cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, > method=method, auxHeaders=auxHeaders, response=response, > raise404=raise404, ignoreTimeout=timeBasedCompare) > File "/root/sqlmap-git/lib/request/connect.py", line 373, in getPage > conn = urllib2.urlopen(req) > File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen > return _opener.open(url, data, timeout) > File "/usr/lib/python2.7/urllib2.py", line 410, in open > response = meth(req, response) > File "/usr/lib/python2.7/urllib2.py", line 523, in http_response > 'http', request, response, code, msg, hdrs) > File "/usr/lib/python2.7/urllib2.py", line 442, in error > result = self._call_chain(*args) > File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain > result = func(*args) > File "/root/sqlmap-git/lib/request/redirecthandler.py", line 115, in > http_error_302 > req.headers[HTTP_HEADER.COOKIE] = > headers[HTTP_HEADER.SET_COOKIE].split(conf.cDel or > DEFAULT_COOKIE_DELIMITER)[0] > NameErrorr: global name 'conf' is not 
defined > > [*] shutting down at 02:52:24 > > # Adding --risk=3 --level=5 --dop-set-cookie results the same at the > following step (crash occurs on a constant basis): > [03:04:47] [INFO] setting file for logging HTTP traffic > [03:04:47] [INFO] fetched random HTTP User-Agent header from file > '/root/sqlmap-git/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux > x86_64; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.222.1 > Safari/532.2 > [03:04:47] [INFO] testing connection to the target URL > [03:04:51] [INFO] testing if the target URL is stable. This can take a > couple of seconds > [03:04:57] [WARNING] target URL is not stable. sqlmap will base the page > comparison on a sequence matcher. If no dynamic nor injectable > parameters are detected, or in case of junk results, refer to user's > manual paragraph 'Page comparison' and provide a string or regular > expression to match on > how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] > sqlmap got a 302 redirect to 'http://www.target.host/www/Error.html'. Do > you want to follow? 
[Y/n] > > [03:05:04] [CRITICAL] Ka-boom > > Last traffic log request/response: > > > ############################################################################ > > HTTP request [#3]: > GET > > /www/Buggy.aspx?i1stParam=329057%5B%22%2C%2C%5B.%22%5B%27%2C&2ndParam=1692468&3rdParam=10037 > HTTP/1.1 > Accept-language: en-us,en;q=0.5 > Accept-encoding: gzip,deflate > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) > AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.3.154.9 Safari/525.19 > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 > Host: www.target.host > Pragma: no-cache > Cache-control: no-cache,no-store > Connection: close > > HTTP redirect [#3] (302 Redirect): > Content-length: 149 > X-aspnet-version: 2.0.50727 > Content-encoding: gzip > Set-cookie: ISS-Targ=TesteAB=B; domain=target.host; path=/ > X-powered-by: ASP.NET > Vary: Accept-Encoding, User-Agent > Server: Microsoft-IIS/7.0 > Connection: Keep-Alive > X-server: DALLAS011 > Location: http://www.target.host/www/Error.html > Cache-control: private > Date: Wed, 31 Jul 2013 19:01:57 GMT > Content-type: text/html; charset=UTF-8 > > <head><title>Document Moved</title></head> > <body><h1>Object Moved</h1>This document may be found <a > HREF="http://www.target.host/www/Error.html">here</a></body> > > > ############################################################################ > > EOF > -- Miroslav Stampar http://about.me/stamparm |
From: Sebastian N. <seb...@sy...> - 2013-08-06 11:14:05
|
Hi,

--second-order=S.. Resulting page URL searched for second-order response

should be what you need :)

Kind regards,
Sebastian Nerz

On 06.08.2013 13:04, Marcell Fodor wrote:
> Hi,
>
> With manual testing, I have a working blind injection in post request. To
> see if the result true/false sqlmap should check for a string at a
> different page. In other words sqlmap should inject to A.php and check for
> a string in B.php
>
> Can this be done?
>
> M

--
Sebastian Nerz
Dipl.-Inform.
IT-Security Consultant
mailto:seb...@sy...
___________________________________________________________
SySS GmbH
Wohlboldstraße 8
72072 Tübingen
Germany
Voice: +49 7071 407856-31
Fax: +49 7071 407856-19
WWW: http://www.syss.de
PGP FP: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2
Managing Director: Sebastian Schreiber
Court of registration: Amtsgericht Stuttgart / HRB 382420
Tax number: 86118 / 55809 |
From: Marcell F. <fod...@gm...> - 2013-08-06 11:04:41
|
Hi, With manual testing, I have a working blind injection in post request. To see if the result true/false sqlmap should check for a string at a different page. In other words sqlmap should inject to A.php and check for a string in B.php Can this be done? M |
From: Miroslav S. <mir...@gm...> - 2013-08-02 17:23:13
|
Hi.

We are continuously testing sqlmap in similar conditions and haven't noticed similar issue(s). What technique is involved (in first case)? Are you able to retrieve any data with it? What does "SQL_INJECTION_UNION_CONDITION" means?? Can you please send a content of a traffic files for both cases (-t traffic.txt)? If it's an union technique involved (I guess that from that SQL_INJECTION_UNION_CONDITION) I'll be able to tell you exactly what is going on from traffic files.

Kind regards,
Miroslav Stampar

On Fri, Aug 2, 2013 at 4:35 PM, rkas solutions <rka...@gm...>wrote:
> Hello Team,
>
> Below test works fine and produces the expected results in SQLMAP output -
> Test Passed and performs SQL Injection
> python sqlmap.py -u "
> http://unix_server:8000/absolute_uri_path_from_burp&where=&addwhere=&criterion=SQL_INJECTION_UNION_CONDITION"
> --cookie=JSESSIONID=values --dbms=Oracle --dbs -p "criterion"
>
> But the below test which is same as above but the only change is the
> server location, now pointed to localhost -- Test failed and did not
> perform SQL Injection
> python sqlmap.py -u "
> http://localhost:8888/absolute_uri_path_from_burp&where=&addwhere=&criterion=SQL_INJECTION_UNION_CONDITION"
> --cookie=JSESSIONID=values --dbms=Oracle --dbs -p "criterion"
>
> Only difference is, when attempting to inject via localhost, DB is still
> the same which is located in the UNIX server so the connection time is more
> through the localhost. Increased SQLMAP --timeout and also tried --time-sec
> options, but not successful. Any suggestions.
>
> Thanks
>
> Ram

--
Miroslav Stampar
http://about.me/stamparm |
From: rkas s. <rka...@gm...> - 2013-08-02 14:35:47
|
Hello Team, Below test works fine and produces the expected results in SQLMAP output - Test Passed and performs SQL Injection python sqlmap.py -u " http://unix_server:8000/absolute_uri_path_from_burp&where=&addwhere=&criterion=SQL_INJECTION_UNION_CONDITION" --cookie=JSESSIONID=values --dbms=Oracle --dbs -p "criterion" But the below test which is same as above but the only change is the server location, now pointed to localhost -- Test failed and did not perform SQL Injection python sqlmap.py -u " http://localhost:8888/absolute_uri_path_from_burp&where=&addwhere=&criterion=SQL_INJECTION_UNION_CONDITION" --cookie=JSESSIONID=values --dbms=Oracle --dbs -p "criterion" Only difference is, when attempting to inject via localhost, DB is still the same which is located in the UNIX server so the connection time is more through the localhost. Increased SQLMAP --timeout and also tried --time-sec options, but not successful. Any suggestions. Thanks Ram |
From: Sebastian N. <seb...@sy...> - 2013-08-02 13:40:50
|
On 02.08.2013 15:05, Andres Riancho wrote:
> foo@bar:~/$ echo "!"
> bash: !: event not found
> foo@bar:~/$ echo '!'
> !

Or write the request to a file and use sqlmap's "-l" option.

All the best,
Sebastian |
From: Andres R. <and...@gm...> - 2013-08-02 13:06:09
|
foo@bar:~/$ echo "!"
bash: !: event not found
foo@bar:~/$ echo '!'
!

On Fri, Aug 2, 2013 at 10:02 AM, Nico Hulkenberg <nic...@in...> wrote:
> Team
>
> #sqlmap -u http://domain.com:80/
> --cookie="JSESSIONID=DLDSQpvPb33G9mrTW2hYQlLNn!-485805556!-490732187;"
> --data="abc&def" --dbs is what i tried,
>
> I got the error msg stating
>
> bash: !-485805556: event not found
>
> then i tried
>
> #sqlmap -u http://domain.com:80/
> --cookie="JSESSIONID=DLDSQpvPb33G9mrTW2hYQlLNn\!-485805556\!-490732187;"
> --data="abc&def" --dbs
>
> now also i am getting \!-485805556\!-490732187;: command not found
>
> how to handle this ! symbol at cookies?
>
> --Nico

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3 |
From: Nico H. <nic...@in...> - 2013-08-02 13:02:27
|
Team

#sqlmap -u http://domain.com:80/ --cookie="JSESSIONID=DLDSQpvPb33G9mrTW2hYQlLNn!-485805556!-490732187;" --data="abc&def" --dbs is what i tried,

I got the error msg stating

bash: !-485805556: event not found

then i tried

#sqlmap -u http://domain.com:80/ --cookie="JSESSIONID=DLDSQpvPb33G9mrTW2hYQlLNn\!-485805556\!-490732187;" --data="abc&def" --dbs

now also i am getting \!-485805556\!-490732187;: command not found

how to handle this ! symbol at cookies?

--Nico
|
From: rkas s. <rka...@gm...> - 2013-08-01 14:19:09
|
SQLMap works fine and performs a SQL Injection when the target URL comes from a hosted application server in UNIX.

But, SQLMap throws HTTP error code 403 when a similar script is tested against localhost running OC4J standalone connecting to the same database.

Any suggestion would be good.

Thanks
rkas
|
From: John D. <Joh...@gm...> - 2013-07-31 19:40:59
|
./sqlmap.py --proxy=http://127.0.0.1:8118 --random-agent --technique=BSU --url='https://target.host/www/Buggy.aspx?1stParam=329057&2ndParam=1692468&3rdParam=10037' --threads=4 --dbms=mssql --os=windows -p1stParam,2ndParam,3rdParam

sqlmap/1.0-dev-6b826ef - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:51:21

[02:51:21] [INFO] fetched random HTTP User-Agent header from file '/root/sqlmap-git/txt/user-agents.txt': Opera/9.52 (X11; Linux i686; U; fr)
[02:51:21] [INFO] testing connection to the target URL
[02:51:24] [INFO] testing if the target URL is stable. This can take a couple of seconds
[02:51:27] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
sqlmap got a 302 redirect to 'http://www.target.host/www/Error.html'. Do you want to follow? [Y/n]
[02:51:33] [INFO] heuristics detected web page charset 'UTF-8'
[02:51:33] [WARNING] heuristic (basic) test shows that GET parameter '1stParam' might not be injectable
[02:51:33] [INFO] testing for SQL injection on GET parameter '1stParam'
[02:51:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:52:08] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[02:52:08] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[02:52:21] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[02:52:24] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 10 times
[02:52:24] [CRITICAL] unhandled exception in sqlmap/1.0-dev-6b826ef, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev-6b826ef
Python version: 2.7.4
Operating system: posix
Command line: ./sqlmap.py --proxy=********************* --random-agent --technique=BSU --url=********************************************************************************************************************** --threads=4 --dbms=mssql --os=windows -p1stParam,2ndParam,3rdParam
Technique: None
Back-end DBMS: Microsoft SQL Server (identified)
Traceback (most recent call last):
  File "./sqlmap.py", line 95, in main
    start()
  File "/root/sqlmap-git/lib/controller/controller.py", line 481, in start
    injection = checkSqlInjection(place, parameter, value)
  File "/root/sqlmap-git/lib/controller/checks.py", line 438, in checkSqlInjection
    trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
  File "/root/sqlmap-git/lib/request/connect.py", line 857, in queryPage
    page, headers, code = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/root/sqlmap-git/lib/request/connect.py", line 373, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 442, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/root/sqlmap-git/lib/request/redirecthandler.py", line 115, in http_error_302
    req.headers[HTTP_HEADER.COOKIE] = headers[HTTP_HEADER.SET_COOKIE].split(conf.cDel or DEFAULT_COOKIE_DELIMITER)[0]
NameErrorr: global name 'conf' is not defined

[*] shutting down at 02:52:24

# Adding --risk=3 --level=5 --drop-set-cookie results the same at the following step (crash occurs on a constant basis):

[03:04:47] [INFO] setting file for logging HTTP traffic
[03:04:47] [INFO] fetched random HTTP User-Agent header from file '/root/sqlmap-git/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.222.1 Safari/532.2
[03:04:47] [INFO] testing connection to the target URL
[03:04:51] [INFO] testing if the target URL is stable. This can take a couple of seconds
[03:04:57] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
sqlmap got a 302 redirect to 'http://www.target.host/www/Error.html'. Do you want to follow? [Y/n]
[03:05:04] [CRITICAL] Ka-boom

Last traffic log request/response:

############################################################################
HTTP request [#3]:
GET /www/Buggy.aspx?i1stParam=329057%5B%22%2C%2C%5B.%22%5B%27%2C&2ndParam=1692468&3rdParam=10037 HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.3.154.9 Safari/525.19
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.target.host
Pragma: no-cache
Cache-control: no-cache,no-store
Connection: close

HTTP redirect [#3] (302 Redirect):
Content-length: 149
X-aspnet-version: 2.0.50727
Content-encoding: gzip
Set-cookie: ISS-Targ=TesteAB=B; domain=target.host; path=/
X-powered-by: ASP.NET
Vary: Accept-Encoding, User-Agent
Server: Microsoft-IIS/7.0
Connection: Keep-Alive
X-server: DALLAS011
Location: http://www.target.host/www/Error.html
Cache-control: private
Date: Wed, 31 Jul 2013 19:01:57 GMT
Content-type: text/html; charset=UTF-8

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.target.host/www/Error.html">here</a></body>
############################################################################
EOF
|
From: Miroslav S. <mir...@gm...> - 2013-07-31 18:42:33
|
Hi.

Please update to the latest revision and try to use --cookie-del=" "

Kind regards

On Jul 31, 2013 5:49 PM, "Sebastian Nerz" <seb...@sy...> wrote:
> Hi,
>
> thanks! If multiple cookies are now listed with spaces separating them,
> eval will fail with an indent-error:
>
> diff --git a/lib/request/connect.py b/lib/request/connect.py > index 9056121..92d04e3 100644 > --- a/lib/request/connect.py > +++ b/lib/request/connect.py > @@ -755,6 +755,7 @@ class Connect(object): > for part in cookie.split(conf.pDel or > DEFAULT_COOKIE_DELIMITER): > if '=' in part: > name, value = part.split('=', 1) > + name = name.strip() > value = urldecode(value, convall=True) > evaluateCode("%s=%s" % (name, repr(value)), > variables)
>
> No promises, but it works here ;)
>
> All the best,
>
> Sebastian
>
> On 31.07.2013 17:30, Miroslav Stampar wrote:
> > Hi.
> >
> > It should be supported now :) [1]
> >
> > Kind regards,
> > Miroslav Stampar
> >
> > [1]
> > https://github.com/sqlmapproject/sqlmap/commit/ca44b23d2064d02833093cc8a1d0a75e446ec86a
> >
> > On Wed, Jul 31, 2013 at 12:40 PM, Sebastian Nerz <seb...@sy...> wrote:
> >
> >> Hi,
> >>
> >> is there a way to access (read/write) Cookie values in custom defined
> >> Python code (--eval)?
> >>
> >> Thanks :)
> >>
> >> All the best,
> >>
> >> Sebastian Nerz
|
From: Sebastian N. <seb...@sy...> - 2013-07-31 15:49:30
|
Hi,

thanks! If multiple cookies are now listed with spaces separating them, eval will fail with an indent-error:

diff --git a/lib/request/connect.py b/lib/request/connect.py index 9056121..92d04e3 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -755,6 +755,7 @@ class Connect(object): for part in cookie.split(conf.pDel or DEFAULT_COOKIE_DELIMITER): if '=' in part: name, value = part.split('=', 1) + name = name.strip() value = urldecode(value, convall=True) evaluateCode("%s=%s" % (name, repr(value)), variables)

No promises, but it works here ;)

All the best,

Sebastian

On 31.07.2013 17:30, Miroslav Stampar wrote:
> Hi.
>
> It should be supported now :) [1]
>
> Kind regards,
> Miroslav Stampar
>
> [1]
> https://github.com/sqlmapproject/sqlmap/commit/ca44b23d2064d02833093cc8a1d0a75e446ec86a
>
> On Wed, Jul 31, 2013 at 12:40 PM, Sebastian Nerz <seb...@sy...> wrote:
>
>> Hi,
>>
>> is there a way to access (read/write) Cookie values in custom defined
>> Python code (--eval)?
>>
>> Thanks :)
>>
>> All the best,
>>
>> Sebastian Nerz
|
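Review bot: after the added `name = name.strip()` line, `name` is still interpolated unquoted into the string handed to `evaluateCode("%s=%s" % (name, repr(value)), variables)`, so stripping only covers surrounding whitespace. A cookie name that is not a valid Python identifier (one containing `-` or `.`, for example) will still fail at that call, and whatever else the name contains is evaluated as code. Consider skipping any part whose name is not a plain identifier before calling `evaluateCode`. Separately, the context line splits the cookie on `conf.pDel or DEFAULT_COOKIE_DELIMITER`; if `pDel` is the parameter delimiter, a cookie-specific delimiter option looks like the intended one there.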