sqlmap-users Mailing List for sqlmap (Page 8)
Brought to you by: inquisb
From: Miroslav S. <mir...@gm...> - 2015-09-15 11:54:48

Hi.

A) As I see this "hybrid", you are proposing it as a way to do the "UNION" based file write (INTO DUMPFILE).

B) Incorporating this "hybrid" technique into the standard tests would be uberkill (from my perspective). I have a feeling that at least the "time-based" injection would be detected in this kind of case, so making the "UNION" tests carry the SLEEP would just detect the same thing (but with usage of the UNION technique), but with more requests.

So, to go back to A). sqlmap already tries to use the "INTO OUTFILE ... LINES TERMINATED" in non-UNION cases. Making post-detection tests for the number of columns is doable in the "file-write" phase, but I am not convinced that it would do more good than the number of requests required (as ORDER BY is expected to be unusable, we would need to pick the number of columns incrementally).

Thoughts?

Kind regards

On Fri, Sep 11, 2015 at 8:43 PM, Brandon Perry <bpe...@gm...> wrote:
> I have had this idea for a while, and I finally came across an injection that this was useful for me.
>
> Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.
>
> However, a payload of:
>
> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>
> does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.
>
> This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time based payloads did work as well).
>
> This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.
>
> Thoughts?
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
From: risataim c. <ris...@gm...> - 2015-09-14 14:28:40

Use waf of sqlmap? Example: --tamper="netscaler.py" error
From: Brandon P. <bpe...@gm...> - 2015-09-14 01:37:20

> On Sep 13, 2015, at 8:35 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hoo...@gm...> wrote:
>>
>> Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind...
>>
>> Is the sleep function being used within or as a vulnerable column value in your example, or is it merely appended to the union injection and before the suffix/delimiter value (unsure because the example has a comma before the sleep(5) call)?
>
> The sleep can be used in any of the columns, it only works when the columns have been balanced on both sides of the UNION. This way, sqlmap could have one extra injection point to support attempting to write a file with.
>
>> Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T, does it work to identify the time based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?
>
> This was by hand.

Oh, I should have read the question more clearly. I didn’t try this, but then sqlmap wouldn’t realize it is a union then.

>> On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bpe...@gm...> wrote:
>> I have had this idea for a while, and I finally came across an injection that this was useful for me.
>>
>> Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.
>>
>> However, a payload of:
>>
>> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>>
>> does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.
>>
>> This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time based payloads did work as well).
>>
>> This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.
>>
>> Thoughts?
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2015-09-14 01:35:12

> On Sep 13, 2015, at 8:30 PM, Johnathon Doe <hoo...@gm...> wrote:
>
> Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind...
>
> Is the sleep function being used within or as a vulnerable column value in your example, or is it merely appended to the union injection and before the suffix/delimiter value (unsure because the example has a comma before the sleep(5) call)?

The sleep can be used in any of the columns, it only works when the columns have been balanced on both sides of the UNION. This way, sqlmap could have one extra injection point to support attempting to write a file with.

> Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T, does it work to identify the time based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?

This was by hand.

> On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bpe...@gm...> wrote:
> I have had this idea for a while, and I finally came across an injection that this was useful for me.
>
> Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.
>
> However, a payload of:
>
> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>
> does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.
>
> This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time based payloads did work as well).
>
> This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.
>
> Thoughts?
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
From: Johnathon D. <hoo...@gm...> - 2015-09-14 01:30:37

Sounds cool, but kind of an edge case. I'm just interested to understand more if you don't mind...

Is the sleep function being used within or as a vulnerable column value in your example, or is it merely appended to the union injection and before the suffix/delimiter value (unsure because the example has a comma before the sleep(5) call)?

Are you leveraging the sleep() location for a time based injection entry point? If you frame the --url --data strings to include the union base and mark the sleep() location with '*' and --technique=T, does it work to identify the time based injection (i.e. ./sqlmap.py --url http://somesite.com/ --data 'bar=foo"+union+select+null,null,null,null*' --technique=T --banner)?

On Fri, Sep 11, 2015 at 1:43 PM, Brandon Perry <bpe...@gm...> wrote:
> I have had this idea for a while, and I finally came across an injection that this was useful for me.
>
> Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.
>
> However, a payload of:
>
> blah=foo"+union+select+null,null,null,null,sleep(5)--%20
>
> does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.
>
> This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time based payloads did work as well).
>
> This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.
>
> Thoughts?
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2015-09-11 18:43:24

I have had this idea for a while, and I finally came across an injection that this was useful for me.

Due to logic in the application, a generic UNION tacked on the end of the query doesn't work.

However, a payload of:

blah=foo"+union+select+null,null,null,null,sleep(5)--%20

does result in a response coming back 5 seconds later than the baseline. Removing or adding a column to the union results in the baseline request time.

This was very useful for me, because I was able to use this 'blind union' in order to write a file to the web root and achieve RCE, even though the union in and of itself would not let me pull data out en masse (the other time based payloads did work as well).

This might be a useful check for sqlmap to implement. Currently, there are heuristics that sqlmap has to determine whether an injection point is union-able, but not exploitable with generic NULL/union char payloads. I think this is determined by the HTTP response data though, not the temporal aspect of the HTTP response.

Thoughts?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
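The time-delayed UNION payload discussed in this thread lands verbatim in ordinary web server access logs, and its defining side effect is a response that is seconds slower than its neighbours on the same path. The Python below is an added example for defenders, not code from the thread and not sqlmap's own detection logic: it flags both signals, a signature match for UNION SELECT combined with a delay function in the decoded query string, and a latency outlier against the per-path median, and reports the requests where the two coincide. The log format (combined format with a trailing response-time field in milliseconds), the sample lines and the 3-second threshold are all constructed assumptions.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed sample: combined log format with one extra trailing field,
# the response time in milliseconds (assumption; e.g. nginx $request_time*1000).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2015:18:40:01 +0000] "GET /item?blah=foo HTTP/1.1" 200 512 120
10.0.0.5 - - [11/Sep/2015:18:40:02 +0000] "GET /item?blah=foo%22+union+select+null,null,null,null,sleep(5)--%20 HTTP/1.1" 200 512 5130
10.0.0.5 - - [11/Sep/2015:18:40:08 +0000] "GET /item?blah=foo%22+union+select+null,null,null,sleep(5)--%20 HTTP/1.1" 500 87 118
10.0.0.9 - - [11/Sep/2015:18:40:09 +0000] "GET /item?blah=bar HTTP/1.1" 200 530 131
10.0.0.9 - - [11/Sep/2015:18:40:10 +0000] "GET /login HTTP/1.1" 200 1024 95
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# UNION [ALL] SELECT followed, anywhere later in the decoded query, by a delay primitive.
UNION_DELAY_RE = re.compile(
    r'union\s+(?:all\s+)?select\b.*\b(?:sleep|benchmark|pg_sleep)\s*\(',
    re.IGNORECASE | re.DOTALL,
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    # Decode %XX and '+' so "union+select" and "%22" are visible to the regex.
    rec["query"] = unquote_plus(query)
    return rec


def payload_hits(records):
    """Signature signal: decoded query string carries UNION SELECT plus a delay call."""
    return [r for r in records if UNION_DELAY_RE.search(r["query"])]


def latency_outliers(records, min_delta_ms=3000):
    """Timing signal: response slower than the per-path median by min_delta_ms or more.

    The median, not the mean, is the baseline so one slow request cannot mask
    itself by dragging the average up. min_delta_ms is an assumed threshold."""
    by_path = {}
    for r in records:
        by_path.setdefault(r["path"], []).append(r["ms"])
    baseline = {p: statistics.median(v) for p, v in by_path.items()}
    return [r for r in records if r["ms"] - baseline[r["path"]] >= min_delta_ms]


def analyse(log_text):
    """Return signature hits, timing outliers, and the intersection of the two."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    sig = payload_hits(records)
    timing = latency_outliers(records)
    # Both signals at once is the strongest evidence: the payload was present and
    # the server actually paused, which is what a correctly balanced UNION produces.
    confirmed = [r for r in sig if r in timing]
    return {"signature": sig, "timing": timing, "confirmed": confirmed}


if __name__ == "__main__":
    for kind, recs in analyse(SAMPLE_LOG).items():
        for r in recs:
            print(f"{kind:9} {r['ip']} {r['path']} {r['ms']}ms {r['query'][:60]!r}")
```

On the sample, the second line matches both signals (payload present and a 5-second stall), while the third line matches the signature only: the column count did not line up, so the server answered at baseline speed. That asymmetry is the point of correlating the two signals rather than alerting on either alone.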
From: Miroslav S. <mir...@gm...> - 2015-08-26 13:34:26

Done with https://github.com/sqlmapproject/sqlmap/issues/1360. Thank you for your report :)

Bye

On Sun, Aug 23, 2015 at 11:34 PM, Johnathon Doe <hoo...@gm...> wrote:
> Thank you for the --sql-file update, it does exactly what I wanted! I think the default original format was only friendly if/when stacked queries are supported.
>
> Also as an FYI, the length restriction on xpath functions (extractvalue/updatexml) is limited to 26 chars due to the fact that it is expecting a floating point result and thus the value is trimmed to 26 chars as this is the limit on the default precision value returned for floating point values. Maybe just add a check to which method is used and reduce the chunk size from 50 to 26 when using either of these methods. I will try to dive into source later and see if I can't provide some code snippets to help out a bit more...
>
> Always appreciate your quick responses and updates!
>
> Thanks,
> HR
>
> On Sun, Aug 23, 2015 at 3:54 PM, Miroslav Stampar <mir...@gm...> wrote:
>> p.s. with the latest commit you can use --sql-file with the content you presented (one query per line)
>>
>> On Sun, Aug 23, 2015 at 10:34 PM, Miroslav Stampar <mir...@gm...> wrote:
>>> Hi.
>>>
>>> Currently sqlmap "chunks" error-based query results into 50-char parts. This work(ed) pretty well (in FLOOR(RAND) case).
>>>
>>> Now you say that same "chunk" limit in your case goes way down.
>>>
>>> I've tested your claim this moment and it happens that you were right. Limit for EXTRACTVALUE is lower than used 50.
>>>
>>> Will think about it and do necessary "patching". Will let you know.
>>>
>>> Bye
>>>
>>> p.s. I really don't like the idea of one new switch. I'll patch this one and you won't need one (new switch).
>>>
>>> On Sat, Aug 22, 2015 at 6:59 PM, Johnathon Doe <hoo...@gm...> wrote:
>>>> I was trying to leverage sqlmap for an error based injection which requires using the extractvalue technique. Seems to work fine for basic info, however there is a character limitation to the results with these xpath methods, typically limiting the result to 26 chars due to the nature of the floating point values it expects or something. Anyways, when dumping the password column, which is MD5 (32 char hex), SQLMAP fails to get the full values. Now this can easily be accomplished manually via checking the length of the result prior to the query, then leveraging mid() to extract the chunks of the result.
>>>>
>>>> like so:
>>>> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
>>>> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>>>>
>>>> I can do this from the --sql-shell or via --sql-query, but it's taking forever as I have a number of rows to fetch (150+). Any chance you could look into adding some length checking to extractvalue attacks and leveraging mid or substr where needed to get full results?
>>>>
>>>> Additionally, it would be great if I could load a file with one query per line to run embedded. I thought the --sql-file option might accomplish this task but it seems to be looking for a full .sql file to load and run. I can't find anything in the docs or on the wiki on how to use this option. Any chance you could shed some light on this option? How should I format this .sql file for the attack payload to be used?
>>>>
>>>> Can you look into adding a simpler option like a --sql-query-file=FILE to load one query per line from FILE to embed and run, similar to the --sql-query option that exists, just allowing for more bulk queries to be run in sequential order from file instead of typing them all in manually for these weird edge case scenarios.
>>>>
>>>> i.e. cat queries.txt
>>>> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
>>>> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>>>> sElEct mid(user_pass, 1,26) from adm_users limit 1,1
>>>> sElEct mid(user_pass, 27,32) from adm_users limit 1,1
>>>> sElEct mid(user_pass, 1,26) from adm_users limit 2,1
>>>> sElEct mid(user_pass, 27,32) from adm_users limit 2,1
>>>> ...
>>>> sElEct mid(user_pass, 1,26) from adm_users limit 150,1
>>>> sElEct mid(user_pass, 27,32) from adm_users limit 150,1
>>>>
>>>> Thoughts?
>>>>
>>>> Thanks,
>>>> HR
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Johnathon D. <hoo...@gm...> - 2015-08-23 21:34:49

Thank you for the --sql-file update, it does exactly what I wanted! I think the default original format was only friendly if/when stacked queries are supported.

Also as an FYI, the length restriction on xpath functions (extractvalue/updatexml) is limited to 26 chars due to the fact that it is expecting a floating point result and thus the value is trimmed to 26 chars as this is the limit on the default precision value returned for floating point values. Maybe just add a check to which method is used and reduce the chunk size from 50 to 26 when using either of these methods. I will try to dive into source later and see if I can't provide some code snippets to help out a bit more...

Always appreciate your quick responses and updates!

Thanks,
HR

On Sun, Aug 23, 2015 at 3:54 PM, Miroslav Stampar <mir...@gm...> wrote:
> p.s. with the latest commit you can use --sql-file with the content you presented (one query per line)
>
> On Sun, Aug 23, 2015 at 10:34 PM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi.
>>
>> Currently sqlmap "chunks" error-based query results into 50-char parts. This work(ed) pretty well (in FLOOR(RAND) case).
>>
>> Now you say that same "chunk" limit in your case goes way down.
>>
>> I've tested your claim this moment and it happens that you were right. Limit for EXTRACTVALUE is lower than used 50.
>>
>> Will think about it and do necessary "patching". Will let you know.
>>
>> Bye
>>
>> p.s. I really don't like the idea of one new switch. I'll patch this one and you won't need one (new switch).
>>
>> On Sat, Aug 22, 2015 at 6:59 PM, Johnathon Doe <hoo...@gm...> wrote:
>>> I was trying to leverage sqlmap for an error based injection which requires using the extractvalue technique. Seems to work fine for basic info, however there is a character limitation to the results with these xpath methods, typically limiting the result to 26 chars due to the nature of the floating point values it expects or something. Anyways, when dumping the password column, which is MD5 (32 char hex), SQLMAP fails to get the full values. Now this can easily be accomplished manually via checking the length of the result prior to the query, then leveraging mid() to extract the chunks of the result.
>>>
>>> like so:
>>> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
>>> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>>>
>>> I can do this from the --sql-shell or via --sql-query, but it's taking forever as I have a number of rows to fetch (150+). Any chance you could look into adding some length checking to extractvalue attacks and leveraging mid or substr where needed to get full results?
>>>
>>> Additionally, it would be great if I could load a file with one query per line to run embedded. I thought the --sql-file option might accomplish this task but it seems to be looking for a full .sql file to load and run. I can't find anything in the docs or on the wiki on how to use this option. Any chance you could shed some light on this option? How should I format this .sql file for the attack payload to be used?
>>>
>>> Can you look into adding a simpler option like a --sql-query-file=FILE to load one query per line from FILE to embed and run, similar to the --sql-query option that exists, just allowing for more bulk queries to be run in sequential order from file instead of typing them all in manually for these weird edge case scenarios.
>>>
>>> i.e. cat queries.txt
>>> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
>>> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>>> sElEct mid(user_pass, 1,26) from adm_users limit 1,1
>>> sElEct mid(user_pass, 27,32) from adm_users limit 1,1
>>> sElEct mid(user_pass, 1,26) from adm_users limit 2,1
>>> sElEct mid(user_pass, 27,32) from adm_users limit 2,1
>>> ...
>>> sElEct mid(user_pass, 1,26) from adm_users limit 150,1
>>> sElEct mid(user_pass, 27,32) from adm_users limit 150,1
>>>
>>> Thoughts?
>>>
>>> Thanks,
>>> HR
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-08-23 20:54:58

p.s. with the latest commit you can use --sql-file with the content you presented (one query per line)

On Sun, Aug 23, 2015 at 10:34 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Currently sqlmap "chunks" error-based query results into 50-char parts. This work(ed) pretty well (in FLOOR(RAND) case).
>
> Now you say that same "chunk" limit in your case goes way down.
>
> I've tested your claim this moment and it happens that you were right. Limit for EXTRACTVALUE is lower than used 50.
>
> Will think about it and do necessary "patching". Will let you know.
>
> Bye
>
> p.s. I really don't like the idea of one new switch. I'll patch this one and you won't need one (new switch).
>
> On Sat, Aug 22, 2015 at 6:59 PM, Johnathon Doe <hoo...@gm...> wrote:
>> I was trying to leverage sqlmap for an error based injection which requires using the extractvalue technique. Seems to work fine for basic info, however there is a character limitation to the results with these xpath methods, typically limiting the result to 26 chars due to the nature of the floating point values it expects or something. Anyways, when dumping the password column, which is MD5 (32 char hex), SQLMAP fails to get the full values. Now this can easily be accomplished manually via checking the length of the result prior to the query, then leveraging mid() to extract the chunks of the result.
>>
>> like so:
>> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
>> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>>
>> I can do this from the --sql-shell or via --sql-query, but it's taking forever as I have a number of rows to fetch (150+). Any chance you could look into adding some length checking to extractvalue attacks and leveraging mid or substr where needed to get full results?
>>
>> Additionally, it would be great if I could load a file with one query per line to run embedded. I thought the --sql-file option might accomplish this task but it seems to be looking for a full .sql file to load and run. I can't find anything in the docs or on the wiki on how to use this option. Any chance you could shed some light on this option? How should I format this .sql file for the attack payload to be used?
>>
>> Can you look into adding a simpler option like a --sql-query-file=FILE to load one query per line from FILE to embed and run, similar to the --sql-query option that exists, just allowing for more bulk queries to be run in sequential order from file instead of typing them all in manually for these weird edge case scenarios.
>>
>> i.e. cat queries.txt
>> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
>> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>> sElEct mid(user_pass, 1,26) from adm_users limit 1,1
>> sElEct mid(user_pass, 27,32) from adm_users limit 1,1
>> sElEct mid(user_pass, 1,26) from adm_users limit 2,1
>> sElEct mid(user_pass, 27,32) from adm_users limit 2,1
>> ...
>> sElEct mid(user_pass, 1,26) from adm_users limit 150,1
>> sElEct mid(user_pass, 27,32) from adm_users limit 150,1
>>
>> Thoughts?
>>
>> Thanks,
>> HR
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-08-23 20:34:55

Hi.

Currently sqlmap "chunks" error-based query results into 50-char parts. This work(ed) pretty well (in FLOOR(RAND) case).

Now you say that same "chunk" limit in your case goes way down.

I've tested your claim this moment and it happens that you were right. Limit for EXTRACTVALUE is lower than used 50.

Will think about it and do necessary "patching". Will let you know.

Bye

p.s. I really don't like the idea of one new switch. I'll patch this one and you won't need one (new switch).

On Sat, Aug 22, 2015 at 6:59 PM, Johnathon Doe <hoo...@gm...> wrote:
> I was trying to leverage sqlmap for an error based injection which requires using the extractvalue technique. Seems to work fine for basic info, however there is a character limitation to the results with these xpath methods, typically limiting the result to 26 chars due to the nature of the floating point values it expects or something. Anyways, when dumping the password column, which is MD5 (32 char hex), SQLMAP fails to get the full values. Now this can easily be accomplished manually via checking the length of the result prior to the query, then leveraging mid() to extract the chunks of the result.
>
> like so:
> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
>
> I can do this from the --sql-shell or via --sql-query, but it's taking forever as I have a number of rows to fetch (150+). Any chance you could look into adding some length checking to extractvalue attacks and leveraging mid or substr where needed to get full results?
>
> Additionally, it would be great if I could load a file with one query per line to run embedded. I thought the --sql-file option might accomplish this task but it seems to be looking for a full .sql file to load and run. I can't find anything in the docs or on the wiki on how to use this option. Any chance you could shed some light on this option? How should I format this .sql file for the attack payload to be used?
>
> Can you look into adding a simpler option like a --sql-query-file=FILE to load one query per line from FILE to embed and run, similar to the --sql-query option that exists, just allowing for more bulk queries to be run in sequential order from file instead of typing them all in manually for these weird edge case scenarios.
>
> i.e. cat queries.txt
> sElEct mid(user_pass, 1,26) from adm_users limit 0,1
> sElEct mid(user_pass, 27,32) from adm_users limit 0,1
> sElEct mid(user_pass, 1,26) from adm_users limit 1,1
> sElEct mid(user_pass, 27,32) from adm_users limit 1,1
> sElEct mid(user_pass, 1,26) from adm_users limit 2,1
> sElEct mid(user_pass, 27,32) from adm_users limit 2,1
> ...
> sElEct mid(user_pass, 1,26) from adm_users limit 150,1
> sElEct mid(user_pass, 27,32) from adm_users limit 150,1
>
> Thoughts?
>
> Thanks,
> HR

--
Miroslav Stampar
http://about.me/stamparm
From: Johnathon D. <hoo...@gm...> - 2015-08-22 16:59:14

I was trying to leverage sqlmap for an error based injection which requires using the extractvalue technique. Seems to work fine for basic info, however there is a character limitation to the results with these xpath methods, typically limiting the result to 26 chars due to the nature of the floating point values it expects or something. Anyways, when dumping the password column, which is MD5 (32 char hex), SQLMAP fails to get the full values. Now this can easily be accomplished manually via checking the length of the result prior to the query, then leveraging mid() to extract the chunks of the result.

like so:
sElEct mid(user_pass, 1,26) from adm_users limit 0,1
sElEct mid(user_pass, 27,32) from adm_users limit 0,1

I can do this from the --sql-shell or via --sql-query, but it's taking forever as I have a number of rows to fetch (150+). Any chance you could look into adding some length checking to extractvalue attacks and leveraging mid or substr where needed to get full results?

Additionally, it would be great if I could load a file with one query per line to run embedded. I thought the --sql-file option might accomplish this task but it seems to be looking for a full .sql file to load and run. I can't find anything in the docs or on the wiki on how to use this option. Any chance you could shed some light on this option? How should I format this .sql file for the attack payload to be used?

Can you look into adding a simpler option like a --sql-query-file=FILE to load one query per line from FILE to embed and run, similar to the --sql-query option that exists, just allowing for more bulk queries to be run in sequential order from file instead of typing them all in manually for these weird edge case scenarios.

i.e. cat queries.txt
sElEct mid(user_pass, 1,26) from adm_users limit 0,1
sElEct mid(user_pass, 27,32) from adm_users limit 0,1
sElEct mid(user_pass, 1,26) from adm_users limit 1,1
sElEct mid(user_pass, 27,32) from adm_users limit 1,1
sElEct mid(user_pass, 1,26) from adm_users limit 2,1
sElEct mid(user_pass, 27,32) from adm_users limit 2,1
...
sElEct mid(user_pass, 1,26) from adm_users limit 150,1
sElEct mid(user_pass, 27,32) from adm_users limit 150,1

Thoughts?

Thanks,
HR
From: Christopher D. <chr...@ch...> - 2015-08-20 19:38:48

Jonathan,

Sorry for the late reply. I actually waited overnight and retried. With ( --threads=2 ) instead of --threads=5 it started working fine. Slow! But all good. Maybe the interface was tortured or something.

Thanks!
Chris.

On Sat, Aug 15, 2015 at 12:05 AM, Johnathon Doe <hoo...@gm...> wrote:
> if you use a simple sleep command within the --eval argument, does that help any better than the builtin --delay function? set it maybe to 'import time, random; time.sleep(random.randrange(1,8))' to cause a random sleep on each request before processing. Haven't tested, just another idea worth trying. Also have you tried working with the --second-order option if the results are indeed being output on a second page/request?
>
> On Fri, Aug 14, 2015 at 9:47 AM, Christopher Downs <chr...@ch...> wrote:
>> Bummer, doesn't work. I'm getting the same errors on 5 and 10 sec delay intervals.
>> [14:45:11] [ERROR] unable to retrieve the table names for any database
>>
>> The other idea I was thinking about (I'm not sure if it's even possible) is like a reverse tamper. Where the data retrieval is set to some other response technique the app server would respond to?
>>
>> Much appreciated!
>> Chris.
>>
>> On Fri, Aug 14, 2015 at 9:38 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> Try option --delay
>>>
>>> Bye
>>> On Aug 14, 2015 4:30 PM, "Christopher Downs" <chr...@ch...> wrote:
>>>> Yeah, exactly. I'm wondering if you can do that, maybe the strict servers would not just barf out on retrieval? I've seen others with this issue and it seems pretty obvious. But I'm trying to see if there is anything else I should try before I know it's not worth it.
>>>>
>>>> Thanks!
>>>> Chris.
>>>>
>>>> On Fri, Aug 14, 2015 at 9:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>> Throttle like? You mean like slower data retrieval?
>>>>>
>>>>> Bye
>>>>> On Aug 14, 2015 4:11 PM, "Christopher Downs" <chr...@ch...> wrote:
>>>>>> Good Morning Gents,
>>>>>> Is there a way to throttle or manipulate data retrieval through app servers that are puking with strict permissions, or am I just out of luck? I can see this happening in v6 debug mode. I thought I may email the list and ask.
>>>>>>
>>>>>> Maybe you guys have some thoughts?
>>>>>>
>>>>>> sql-shell> select name from Customer LIMIT 10;
>>>>>> [13:16:51] [INFO] fetching SQL SELECT statement query output: 'select name from Customer LIMIT 10'
>>>>>> [13:16:51] [INFO] retrieving the length of query output
>>>>>> [13:16:51] [INFO] retrieved:
>>>>>> [13:16:52] [INFO] retrieved:
>>>>>> [13:16:52] [INFO] retrieving the length of query output
>>>>>> ------ snip for brevity ------
>>>>>> [13:16:54] [INFO] retrieved:
>>>>>> [13:16:54] [INFO] retrieving the length of query output
>>>>>> [13:16:55] [INFO] retrieved:
>>>>>> [13:16:55] [INFO] retrieved:
>>>>>> select name from Customer LIMIT 10; [10]:
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>> [*]
>>>>>>
>>>>>> sql-shell> x
>>>>>>
>>>>>> As a note I am running last night's latest git repo release.
>>>>>> 1.0-dev-2c1cde0
>>>>>>
>>>>>> Thanks in Advance.
>>>>>> Chris.
From: Guilherme S. <gui...@gm...> - 2015-08-19 19:04:56
Thanks Brandon and Miroslav. Worked! =]

On Wed, Aug 19, 2015 at 4:01 PM, Miroslav Stampar <mir...@gm...> wrote:
> With the latest commit you'll be warned:
>
> $ python sqlmap.py -u='http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S' -p pg --level=5 --risk=3 --dbms=oracle --dbs
> [!] potentially miswritten (illegal '=') short option detected ('-u=http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S')
> ...
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-08-19 19:01:25
With the latest commit you'll be warned:

$ python sqlmap.py -u='http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S' -p pg --level=5 --risk=3 --dbms=oracle --dbs
[!] potentially miswritten (illegal '=') short option detected ('-u=http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S')
...

Bye

On Wed, Aug 19, 2015 at 8:45 PM, Miroslav Stampar <mir...@gm...> wrote:
> Brandon said ok. You had to enclose the problematic url with single quotes.
>
> After that remove that = sign from option -u.
>
> I'll just copy paste the related part from the help listing:
>
> -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
>
> Bye
>
> p.s. at the end this is valid: python sqlmap.py -u 'http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S' -p pg --level=5 --risk=3 --dbms=oracle --dbs

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-08-19 18:45:19
Brandon said ok. You had to enclose the problematic url with single quotes.

After that remove that = sign from option -u.

I'll just copy paste the related part from the help listing:

-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")

Bye

p.s. at the end this is valid: python sqlmap.py -u 'http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S' -p pg --level=5 --risk=3 --dbms=oracle --dbs

On Wed, Aug 19, 2015 at 8:24 PM, Brandon Perry <bpe...@gm...> wrote:
> That might be a bug, not sure.

--
Miroslav Stampar
http://about.me/stamparm
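The two fixes Miroslav describes (single quotes around the URL so bash does not history-expand the "!", and `-u URL` rather than `-u=URL`) are easiest to make stick from a small wrapper. The block below is an added example for this thread, not code from the thread or from sqlmap: it passes sqlmap an argv list, so no shell is involved and the "!" needs no quoting at all, and it uses `shlex.quote` only when a pasteable command line is wanted. `check_short_option` is my own approximation of the warning sqlmap printed, not sqlmap's implementation; `site.com` is the thread's placeholder host. It is Python 3 (the sqlmap of 2015 ran under Python 2, which does not change the quoting).

```python
import re
import shlex
import subprocess

# URL from the thread; "site.com" is the poster's placeholder, not a real host.
URL = "http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S"

# A one-letter option glued to its value with "=" ("-u=http://...") makes the
# option parser see the value "=http://...", which then fails the URL check.
# This regex is my own, modelled on the warning quoted in the thread; it is
# not sqlmap's code.
MISWRITTEN_SHORT_OPTION = re.compile(r"\A-[A-Za-z]=")


def check_short_option(arg):
    """True if arg looks like '-x=value', the form the thread tripped over."""
    return bool(MISWRITTEN_SHORT_OPTION.match(arg))


def build_sqlmap_argv(url, *extra):
    """argv for sqlmap with the URL as its own element right after -u.

    Any '-x=value' element is rejected up front, so the mistake is caught
    before sqlmap is even started.
    """
    args = ["-u", url, *extra]
    bad = [a for a in args if check_short_option(a)]
    if bad:
        raise ValueError("miswritten short option(s): %s" % ", ".join(bad))
    return ["python", "sqlmap.py", *args]


def shell_line(argv):
    """Render argv as one line that is safe to paste into bash.

    shlex.quote wraps anything containing shell-special characters in single
    quotes, which stop history expansion of '!' as well as globbing and
    variable expansion; plain words such as --level=5 are left untouched.
    """
    return " ".join(shlex.quote(a) for a in argv)


def run_sqlmap(argv):
    """Run sqlmap without a shell: a list argv goes straight to execve, so
    bash never sees the '!' and no quoting is needed."""
    return subprocess.run(argv, check=False)


if __name__ == "__main__":
    argv = build_sqlmap_argv(URL, "-p", "pg", "--level=5", "--risk=3",
                             "--dbms=oracle", "--dbs")
    print(shell_line(argv))
```

When the command is typed by hand instead, `set +H` turns history expansion off for the current bash session, which is the other way to make a literal "!" survive inside double quotes; non-interactive scripts never expand history, which is why a wrapper script does not see the problem at all.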
From: Brandon P. <bpe...@gm...> - 2015-08-19 18:24:41
That might be a bug, not sure.

On Wed, Aug 19, 2015 at 1:04 PM, Guilherme Scombatti <gui...@gm...> wrote:
> Same result: [18:03:21] [CRITICAL] invalid target URL

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Guilherme S. <gui...@gm...> - 2015-08-19 18:05:10
Same result: [18:03:21] [CRITICAL] invalid target URL

On Wed, Aug 19, 2015 at 3:00 PM, Brandon Perry <bpe...@gm...> wrote:
> Yes, \!
From: Brandon P. <bpe...@gm...> - 2015-08-19 18:01:07
Yes, \!

On Wed, Aug 19, 2015 at 12:58 PM, Guilherme Scombatti <gui...@gm...> wrote:
> with single quotes the result is:
> [17:54:41] [CRITICAL] invalid target URL
>
> how do I escape? \ ?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Guilherme S. <gui...@gm...> - 2015-08-19 17:59:22
with single quotes the result is:
[17:54:41] [CRITICAL] invalid target URL

how do I escape? \ ?

On Wed, Aug 19, 2015 at 2:55 PM, Brandon Perry <bpe...@gm...> wrote:
> Yeah, use single quotes, not double quotes, or escape the !.
From: Brandon P. <bpe...@gm...> - 2015-08-19 17:55:31
Yeah, use single quotes, not double quotes, or escape the !.

On Wed, Aug 19, 2015 at 12:53 PM, Guilherme Scombatti <gui...@gm...> wrote:
> my command:
>
> [ec2-user@ip sqlmap-master]$ python sqlmap.py -u="http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S" -p pg --level=5 --risk=3 --dbms=oracle --dbs
> -bash: !PKG_ZP?pg=1: event not found
> [ec2-user@ip sqlmap-master]$

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Guilherme S. <gui...@gm...> - 2015-08-19 17:54:22
my command:

[ec2-user@ip sqlmap-master]$ python sqlmap.py -u="http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S" -p pg --level=5 --risk=3 --dbms=oracle --dbs
-bash: !PKG_ZP?pg=1: event not found
[ec2-user@ip sqlmap-master]$

On Wed, Aug 19, 2015 at 2:47 PM, Brandon Perry <bpe...@gm...> wrote:
> Use single quotes or escape it.
From: Brandon P. <bpe...@gm...> - 2015-08-19 17:47:18
Use single quotes or escape it.

On Wed, Aug 19, 2015 at 12:42 PM, Guilherme Scombatti <gui...@gm...> wrote:
> Hi,
>
> I'm having a problem. I have this url: http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S
>
> When I execute sqlmap in this url the return is:
> -bash: !PKG_ZP?pg=1: event not found
>
> The problem is with character "!"...how can I resolve this? The url just executes with this character.
>
> Guilherme

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Guilherme S. <gui...@gm...> - 2015-08-19 17:43:25
Hi,

I'm having a problem. I have this url: http://site.com:8081/evsys/!PKG_ZP?pg=1&pi=S

When I execute sqlmap in this url the return is:
-bash: !PKG_ZP?pg=1: event not found

The problem is with character "!"...how can I resolve this? The url just executes with this character.

Guilherme
From: Johnathon D. <hoo...@gm...> - 2015-08-15 05:05:32
if you use a simple sleep command within the --eval argument does that help any better than the builtin --delay function? set it maybe to 'import time, random; time.sleep(random.randrange(1,8))' to cause a random sleep on each request before processing. Haven't tested, just another idea worth trying. Also have you tried working with the --second-order option if the results are indeed being output on a second page/request?

On Fri, Aug 14, 2015 at 9:47 AM, Christopher Downs <chr...@ch...> wrote:
> Bummer doesn't work. I'm getting the same errors on 5 and 10 sec delay intervals.
> [14:45:11] [ERROR] unable to retrieve the table names for any database
>
> The other idea I was thinking about ( I'm not sure if it's even possible ) is like a reverse tamper. Where the data retrieval is set to some other response technique the app server would respond to?
>
> Much appreciated!
> Chris.
>
> On Fri, Aug 14, 2015 at 9:38 AM, Miroslav Stampar <mir...@gm...> wrote:
>> Try option --delay
>>
>> Bye
>> On Aug 14, 2015 4:30 PM, "Christopher Downs" <chr...@ch...> wrote:
>>> Yeah exactly. I'm wondering if you can do that maybe the strict servers would not just barf out on retrieval? I've seen others with this issue and it seems pretty obvious. But I'm trying to see if there is anything else I should try before I know it's not worth it.
>>>
>>> Thanks!
>>> Chris.
>>>
>>> On Fri, Aug 14, 2015 at 9:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> Throttle like? You mean like slower data retrieval?
>>>>
>>>> Bye
>>>> On Aug 14, 2015 4:11 PM, "Christopher Downs" <chr...@ch...> wrote:
>>>>> Good Morning Gents,
>>>>> Is there a way to throttle or manipulate data retrieval through app servers that are puking with strict permissions or am I just out of luck? I can see this happening in v6 debug mode. I thought I may email the list and ask.
>>>>>
>>>>> Maybe you guys have some thoughts?
>>>>>
>>>>> sql-shell> select name from Customer LIMIT 10;
>>>>> [13:16:51] [INFO] fetching SQL SELECT statement query output: 'select name from Customer LIMIT 10'
>>>>> [13:16:51] [INFO] retrieving the length of query output
>>>>> [13:16:51] [INFO] retrieved:
>>>>> [13:16:52] [INFO] retrieved:
>>>>> [13:16:52] [INFO] retrieving the length of query output
>>>>> ------ snip for brevity ------
>>>>> [13:16:54] [INFO] retrieved:
>>>>> [13:16:54] [INFO] retrieving the length of query output
>>>>> [13:16:55] [INFO] retrieved:
>>>>> [13:16:55] [INFO] retrieved:
>>>>> select name from Customer LIMIT 10; [10]:
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>> [*]
>>>>>
>>>>> sql-shell> x
>>>>>
>>>>> As a note I am running last night's latest git repo release.
>>>>> 1.0-dev-2c1cde0
>>>>>
>>>>> Thanks in Advance.
>>>>> Chris.
From: Johnathon D. <hoo...@gm...> - 2015-08-15 05:01:21
Here is my project which also leverages the sqlmap API server, the client file might be of interest. I didn't find much documentation outside of Brandon's site so the source is fairly documented if you need another reference to help lend a hand in understanding how it works.

https://github.com/Hood3dRob1n/SQLMAP-Web-GUI
https://github.com/Hood3dRob1n/SQLMAP-Web-GUI/blob/master/sqlmap/inc/SQLMAPClientAPI.class.php #of most interest to you

On Fri, Aug 14, 2015 at 4:31 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> With the latest revision you have a special variable "lastPage" for --eval purposes.
>
> For example: python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --eval="print lastPage"
>
> Bye
>
> p.s. for REST API quick reference go to the http://volatile-minds.blogspot.com/2013/04/unofficial-sqlmap-restful-api.html as Brandon already suggested
>
> On Thu, Aug 13, 2015 at 12:11 PM, Vojtěch Polášek <kr...@gm...> wrote:
>> Thank you very much, this will certainly help in automating Sqlmap.
>> But I think it doesn't solve my problem.
>> I will try to explain it once more and suggest some possible solution, which came to my mind:
>> I am trying to find an SQL injection flaw in an HTTP request which deletes an object.
>> Before every request I need to:
>> 1. send a POST request to create an object - every object gets a new ID
>> 2. receive response and get new object ID
>> 3. send the deletion request which tests for SQL injection flaw.
>> As far as I thought about it, the REST API won't help me here.
>> The --eval argument seems like the best approach for me. From the usage page I can see, that I can change parameter values in the request through --eval. That's good. But is it also possible to access information sent in the last response? That's all I need I think. If I could access information from last response within the --eval, I could modify original request for deletion to delete the right object.
>> I guess that there is some name space which can be accessed by my custom script in the context of --eval, right?
>> What do you think about it? Do you understand it or should I provide more information?
>> And one more question - in which class should I look to get list of all implemented methods for REST API? I took a brief look at lib/utils/api.py, but I can't seem to find the right class. I have never worked with Bottle framework before.
>> Thanks a lot for your help, I really appreciate it.
>> Best regards,
>> Vojtěch Polášek
>
> --
> Miroslav Stampar
> http://about.me/stamparm
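Vojtěch's create-then-delete loop and Miroslav's `lastPage` variable come down to one step: read the new object's id out of a response body and write it into the parameter that the tested request carries. The block below is an added example for this thread, not code from the thread or from sqlmap: it implements that step as plain functions so it can be run and tested outside sqlmap, and handles the failure case where no id is found (the request is left untouched and flagged rather than sent against a stale id). The JSON and HTML response shapes are constructed assumptions; the format of the application Vojtěch was testing is not on the page.

```python
import json
import re

# Constructed sample of what a "create object" endpoint might answer. The
# application from the thread is not on the page, so this shape is assumed.
SAMPLE_CREATE_RESPONSE = '{"status": "ok", "object": {"id": 4711, "name": "tmp"}}'

# Fallbacks for non-JSON responses: a hidden form field, or the id echoed
# in a link. Both patterns are assumptions about how an id might appear.
HTML_ID_PATTERNS = (
    re.compile(r'name="id"\s+value="(\d+)"'),
    re.compile(r'[?&]id=(\d+)'),
)


def _find_key(obj, key):
    """Depth-first search for `key` in the nested dicts/lists json.loads returns."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _find_key(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


def extract_object_id(last_page, key="id"):
    """Return the created object's id from the previous response body, or None."""
    try:
        value = _find_key(json.loads(last_page), key)
        if value is not None:
            return str(value)
    except ValueError:  # not JSON (json.JSONDecodeError is a ValueError)
        pass
    for pattern in HTML_ID_PATTERNS:
        m = pattern.search(last_page)
        if m:
            return m.group(1)
    return None


def rewrite_delete_request(params, last_page, id_param="id"):
    """Mimic what an --eval snippet would do for the create-then-delete case.

    sqlmap exposes each request parameter as a variable and, per Miroslav's
    reply, the previous response body as `lastPage`; assigning to a
    parameter's variable changes what is sent. Here the same logic runs over
    a plain dict. Returns (new_params, found): when no id can be extracted
    the parameters are returned unchanged and `found` is False, so the caller
    can stop instead of issuing a delete against the wrong object.
    """
    object_id = extract_object_id(last_page)
    if object_id is None:
        return dict(params), False
    new_params = dict(params)
    new_params[id_param] = object_id
    return new_params, True
```

Inside sqlmap the same parsing collapses to a one-line `--eval` assignment to the parameter's variable (the variable name must match the parameter name in the request). Whether the id is taken from `lastPage` or from the body of a creation POST that the snippet itself issues before each test request, the extraction and the failure check above are the part worth getting right.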