sqlmap-users Mailing List for sqlmap (Page 72)
Brought to you by:
inquisb
From: Brandon P. <bpe...@gm...> - 2011-12-29 17:02:11

[11:00:35] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4638), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4638)
Python version: 2.7.2+
Operating system: posix
Command line: ./sqlmap.py -r /root/blah --level=3 --dbms=mysql --technique=eu -o --dump --threads=10 --batch
Technique: ERROR
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "/root/tools/sqlmap/_sqlmap.py", line 83, in main
    start()
  File "/root/tools/sqlmap/lib/controller/controller.py", line 588, in start
    action()
  File "/root/tools/sqlmap/lib/controller/action.py", line 109, in action
    conf.dbmsHandler.dumpTable()
  File "/root/tools/sqlmap/plugins/generic/enumeration.py", line 1772, in dumpTable
    conf.dumper.dbTableValues(kb.data.dumpedTable)
  File "/root/tools/sqlmap/lib/core/dump.py", line 463, in dbTableValues
    self.__write("| %s%s" % (value, blank), n=False, console=console)
  File "/root/tools/sqlmap/lib/core/dump.py", line 56, in __write
    self.__outputBP.write(text)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u0103' in position 7: ordinal not in range(128)

[*] shutting down at 11:00:35

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Jacco v. T. <jac...@gm...> - 2011-12-29 12:06:33

python sqlmap.py --tor --check-tor -u "http://www.xxxxxxxxx.com/SRVS/CGI-BIN/WEBCGI.EXE/,/?St=458*,E=0000000000330319488*,K=6831*,Sxi=16*,Question4332*=obj%284332*%29:obj%284343*%29,t=startup" --random-agent --schema

[06:53:53] [INFO] testing if URI parameter '#5*' is dynamic
[06:53:53] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4638), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4638)
Python version: 2.6.5
Operating system: posix
Command line: sqlmap.py --tor --check-tor -u ****************************************************************************************************************************************************** --random-agent --schema
Technique: UNION
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "/pentest/database/sqlmap/sqlmap/_sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap/sqlmap/lib/controller/controller.py", line 463, in start
    if not checkDynParam(place, parameter, value):
  File "/pentest/database/sqlmap/sqlmap/lib/controller/checks.py", line 664, in checkDynParam
    dynResult = Request.queryPage(payload, place, raise404=False)
  File "/pentest/database/sqlmap/sqlmap/lib/request/connect.py", line 572, in queryPage
    if place != PLACE.URI or (value and '?' in value and value.find('?') < value.find(payload)):
TypeError: coercing to Unicode: need string or buffer, NoneType found
From: Alexander R. <al...@ri...> - 2011-12-29 01:34:27

Hello,

I got this error recently:

sqlmap version: 1.0-dev (r4638)
Python version: 2.6.6
Operating system: posix
Command line: ./sqlmap.py -u ******************************************************* --columns
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "/home/alex/sqlmap-dev/_sqlmap.py", line 83, in main
    start()
  File "/home/alex/sqlmap-dev/lib/controller/controller.py", line 588, in start
    action()
  File "/home/alex/sqlmap-dev/lib/controller/action.py", line 100, in action
    conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())
  File "/home/alex/sqlmap-dev/plugins/generic/enumeration.py", line 1138, in getColumns
    value = inject.getValue(query, blind=False)
  File "/home/alex/sqlmap-dev/lib/request/inject.py", line 433, in getValue
    value = __goInband(query, expected, unique, resumeValue, unpack, dump)
  File "/home/alex/sqlmap-dev/lib/request/inject.py", line 381, in __goInband
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/home/alex/sqlmap-dev/lib/techniques/union/use.py", line 239, in unionUse
    output = __oneShotUnionUse(countedExpression, unpack)
  File "/home/alex/sqlmap-dev/lib/techniques/union/use.py", line 59, in __oneShotUnionUse
    injExpression = unescaper.unescape(agent.concatQuery(expression, unpack))
  File "/home/alex/sqlmap-dev/lib/core/unescaper.py", line 28, in unescape
    return self[identifiedDbms](expression, quote=quote)
  File "/home/alex/sqlmap-dev/plugins/dbms/mysql/syntax.py", line 25, in unescape
    unescaped = unescaped.replace(item, "0x%s" % binascii.hexlify(item.strip("'")))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe4' in position 1: ordinal not in range(128)

I would assume that the problem is that the table whose columns it was trying to fetch contains an 'ä' (ä in html). This is the last line before the error dump:

[01:43:06] [INFO] fetching columns for table '`källa`' on database ''

The ä is an 'ä' in unicode written to the screen using ISO8859-1.

Hope you have enough info, otherwise I'd be happy to supply you with more :-)

Best regards,
Alexander
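The two tracebacks above (this one in plugins/dbms/mysql/syntax.py and Brandon's in lib/core/dump.py) fail for the same reason: a unicode string is handed to a byte-level operation (binascii.hexlify, a plain file write) and Python 2 silently tries to encode it as ASCII. The following is an added example, not sqlmap's own code, of the literal-to-hex rewriting the MySQL traceback shows, done on encoded bytes so that 'ä' and 'ă' work. The regular expressions, function names and the UTF-8 default are assumptions of this example; the right encoding is whatever character set the target's connection uses, which is why it is a parameter.

```python
import binascii
import re

# Added example, not sqlmap's own code. MySQL string literals are rewritten
# as hexadecimal literals (0x...) so that no quote characters have to be
# sent. Computing the hex over the *encoded bytes* of the text, rather than
# over a unicode string, is what avoids the implicit ASCII encoding that
# raised UnicodeEncodeError above.

# A single-quoted MySQL literal; backslash escapes and doubled quotes may
# appear inside it.
QUOTED_LITERAL = re.compile(r"'((?:[^'\\]|\\.|'')*)'", re.S)
# The two escape forms that can occur between the quotes.
ESCAPE = re.compile(r"\\(.)|''", re.S)


def unescape_body(body):
    """Turn the raw text between the quotes into the string it denotes."""
    return ESCAPE.sub(lambda m: "'" if m.group(1) is None else m.group(1), body)


def mysql_hex_literal(text, encoding="utf-8"):
    """Hexadecimal literal for `text`, computed over its encoded bytes.

    'ä' becomes 0xc3a4 under UTF-8 and 0xe4 under latin1; which one is
    correct depends on the connection character set of the target, so the
    encoding is a parameter rather than a guess (UTF-8 assumed by default).
    """
    data = text.encode(encoding)
    return "0x" + binascii.hexlify(data).decode("ascii")


def mysql_unescape(expression, encoding="utf-8"):
    """Replace every single-quoted literal in `expression` by its 0x form.

    An empty literal stays as '' because 0x followed by nothing is not a
    valid MySQL literal.
    """
    def replace(match):
        value = unescape_body(match.group(1))
        if value == "":
            return "''"
        return mysql_hex_literal(value, encoding)
    return QUOTED_LITERAL.sub(replace, expression)


if __name__ == "__main__":
    # Constructed query, shaped like the column enumeration in the traceback.
    query = ("SELECT column_name FROM information_schema.columns "
             "WHERE table_name='källa' AND table_schema=''")
    print(mysql_unescape(query))
    # -> ... WHERE table_name=0x6bc3a46c6c61 AND table_schema=''
```

Passing `encoding="latin1"` reproduces the ISO8859-1 case Alexander describes (0xe4 for 'ä'); sending that to a connection whose charset is utf8 would make the server see an invalid byte sequence, so the encoding has to match the target, not the attacker's terminal.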
From: Miroslav S. <mir...@gm...> - 2011-12-23 10:46:45

Hi Shane. Thank you for a suggestion. Find it implemented with the latest commit (r4625). Kind regards, Miroslav Stampar On Fri, Dec 23, 2011 at 6:58 AM, Shane Sewell <ss...@gm...> wrote: > I noticed that the most recent version of Tor suggests the use of SOCKS5 > in lieu of an HTTP proxy, and sqlmap is moving to this approach as well. > However, sqlmap attempts to use to use the default SOCKS Tor port of 9050. > > I have updated my local version to allow users to provide a specific SOCKS > port for Tor by providing "--tor-port". Please see the following diffs if > you're interested in adding this functionality to your version: > > Index: lib/core/option.py > =================================================================== > --- lib/core/option.py (revision 4624) > +++ lib/core/option.py (working copy) > @@ -1732,7 +1732,7 @@ > logger.info(infoMsg) > > # Has to be SOCKS5 to prevent DNS leaks ( > http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29) > - socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5 if conf.torType == > PROXYTYPE.SOCKS5 else socks.PROXY_TYPE_SOCKS4, LOCALHOST, > DEFAULT_TOR_SOCKS_PORT) > + socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5 if conf.torType == > PROXYTYPE.SOCKS5 else socks.PROXY_TYPE_SOCKS4, LOCALHOST, > int(DEFAULT_TOR_SOCKS_PORT if conf.torPort is None else conf.torPort)) > socks.wrapmodule(urllib2) > > def __checkTor(): > Index: lib/core/optiondict.py > =================================================================== > --- lib/core/optiondict.py (revision 4624) > +++ lib/core/optiondict.py (working copy) > @@ -174,6 +174,7 @@ > "updateAll": "boolean", > "tor": "boolean", > "torType": "string", > + "torPort": "integer", > }, > > "Miscellaneous": { > Index: lib/parse/cmdline.py > =================================================================== > --- lib/parse/cmdline.py (revision 4624) > +++ lib/parse/cmdline.py (working copy) 
> @@ -536,6 +536,9 @@ > > general.add_option("--tor-type", dest="torType", > help="Set Tor proxy type (HTTP - > default, SOCKS4 or SOCKS5)") > + > + general.add_option("--tor-port", dest="torPort", > + help="Set Tor port when using SOCKS4 or > SOCKS5") > > general.add_option("--update", dest="updateAll", > action="store_true", > > > Cheers, > -Shane > > > ------------------------------------------------------------------------------ > Write once. Port to many. > Get the SDK and tools to simplify cross-platform app development. Create > new or port existing apps to sell to consumers worldwide. Explore the > Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join > http://p.sf.net/sfu/intel-appdev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
From: Shane S. <ss...@gm...> - 2011-12-23 05:58:18

I noticed that the most recent version of Tor suggests the use of SOCKS5 in lieu of an HTTP proxy, and sqlmap is moving to this approach as well. However, sqlmap attempts to use to use the default SOCKS Tor port of 9050. I have updated my local version to allow users to provide a specific SOCKS port for Tor by providing "--tor-port". Please see the following diffs if you're interested in adding this functionality to your version: Index: lib/core/option.py =================================================================== --- lib/core/option.py (revision 4624) +++ lib/core/option.py (working copy) @@ -1732,7 +1732,7 @@ logger.info(infoMsg) # Has to be SOCKS5 to prevent DNS leaks ( http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29) - socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5 if conf.torType == PROXYTYPE.SOCKS5 else socks.PROXY_TYPE_SOCKS4, LOCALHOST, DEFAULT_TOR_SOCKS_PORT) + socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5 if conf.torType == PROXYTYPE.SOCKS5 else socks.PROXY_TYPE_SOCKS4, LOCALHOST, int(DEFAULT_TOR_SOCKS_PORT if conf.torPort is None else conf.torPort)) socks.wrapmodule(urllib2) def __checkTor(): Index: lib/core/optiondict.py =================================================================== --- lib/core/optiondict.py (revision 4624) +++ lib/core/optiondict.py (working copy) @@ -174,6 +174,7 @@ "updateAll": "boolean", "tor": "boolean", "torType": "string", + "torPort": "integer", }, "Miscellaneous": { Index: lib/parse/cmdline.py =================================================================== --- lib/parse/cmdline.py (revision 4624) +++ lib/parse/cmdline.py (working copy) @@ -536,6 +536,9 @@ general.add_option("--tor-type", dest="torType", help="Set Tor proxy type (HTTP - default, SOCKS4 or SOCKS5)") + + general.add_option("--tor-port", dest="torPort", + help="Set Tor port when using SOCKS4 or SOCKS5") general.add_option("--update", dest="updateAll", action="store_true", Cheers, -Shane |
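Review bot: in the lib/core/option.py hunk, `int(DEFAULT_TOR_SOCKS_PORT if conf.torPort is None else conf.torPort)` converts the user's value at the point of use, so a non-numeric `--tor-port` ends in an uncaught ValueError from `int()` and nothing rejects a port outside 1-65535; validate `conf.torPort` once in the option-checking code and fail with a clear message, leaving this line to pass an already-checked integer. The comment above the changed line about needing SOCKS5 to prevent DNS leaks still applies to the new code and should stay next to it.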
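Review bot: the lib/core/optiondict.py hunk registers `"torPort": "integer"`, so a value read from a configuration file is typed as an integer, while the same option given on the command line (the `add_option("--tor-port", dest="torPort", ...)` hunk sets no `type`) arrives as a string; give the command-line option `type="int"` as well so both sources agree and the `int()` cast in option.py is not the only thing reconciling them.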
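Review bot: the lib/parse/cmdline.py hunk's help text, `"Set Tor port when using SOCKS4 or SOCKS5"`, omits the default it overrides (9050, as the message body notes) and leaves it unclear that the value has no effect with the default HTTP proxy type, since the only place the patch reads `conf.torPort` is the SOCKS branch in option.py; state both, for example `help="Set Tor proxy port (default 9050, only used with --tor-type SOCKS4 or SOCKS5)"`.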
From: Bernardo D. A. G. <ber...@gm...> - 2011-12-21 15:31:49

Hi Chris,

On 21 December 2011 14:56, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> I have a time based blind injection on a machine running Windows Server
> 2003, IIS 6 and SQL Server 2000. The user is running as DBA. I should be
> able to enable xp_cmdshell, and indeed:

Indeed.

> ...
> As you can see, no output is returned (is this because of the injection type
> I wonder?).

No, it has nothing to do with the injection type. SQL payloads used by sqlmap have been written and the core has been engineered in a way that regardless of the technique used, sqlmap is able to retrieve the queries' output. The issue is somewhere else.

> I've tried the various out of bounds methods with BT and msf too, but this
> seems to fail at various stages.
>
> Could it be that the database server is separate from the web server and is
> totally isolated from the outside world by egress rules?

This could be, but it looks to me that you're mixing xp_cmdshell/bug with network rules. I think that the issue here is about xp_cmdshell. Could you please relaunch with -v 3 --parse-errors -t traffic.log and send us (privately if you prefer) the whole output and the log file?

Thank you.
Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: Miroslav S. <mir...@gm...> - 2011-12-21 15:24:43

Hi Chris.

Could you please send the traffic file retrieved with -t traffic.txt?

Kind regards,
Miroslav Stampar

On 21.12.2011 15:57, "Chris Oakley" <chr...@gm...> wrote:
> Hi All
>
> I have a time based blind injection on a machine running Windows Server
> 2003, IIS 6 and SQL Server 2000. The user is running as DBA. I should be
> able to enable xp_cmdshell, and indeed:
>
> [13:10:12] [INFO] testing if current user is DBA
> [13:10:12] [INFO] retrieved: 1
> [13:10:29] [INFO] checking if xp_cmdshell extended procedure is available,
> please wait..
> [13:10:40] [INFO] xp_cmdshell extended procedure is available
> [13:10:41] [INFO] going to use xp_cmdshell extended procedure for
> operating system command execution
> [13:10:41] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and
> press ENTER
> os-shell> dir
> do you want to retrieve the command standard output? [Y/n/a]
> [13:10:53] [INFO] retrieved:
> No output
> os-shell> ipconfig
> do you want to retrieve the command standard output? [Y/n/a]
> [13:11:11] [INFO] retrieved:
> No output
> os-shell> exit
> [13:31:24] [INFO] cleaning up the database management system
> [13:31:26] [INFO] Fetched data logged to text files under...
>
> As you can see, no output is returned (is this because of the injection
> type I wonder?).
>
> I've tried the various out of bounds methods with BT and msf too, but this
> seems to fail at various stages.
>
> Could it be that the database server is separate from the web server and
> is totally isolated from the outside world by egress rules?
>
> I'm trying to understand why in this case nothing seems to be working.
>
> Any ideas would be great.
>
> Regards
>
> Chris
From: Chris O. <chr...@gm...> - 2011-12-21 14:56:59

Hi All

I have a time based blind injection on a machine running Windows Server 2003, IIS 6 and SQL Server 2000. The user is running as DBA. I should be able to enable xp_cmdshell, and indeed:

[13:10:12] [INFO] testing if current user is DBA
[13:10:12] [INFO] retrieved: 1
[13:10:29] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[13:10:40] [INFO] xp_cmdshell extended procedure is available
[13:10:41] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[13:10:41] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a]
[13:10:53] [INFO] retrieved:
No output
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a]
[13:11:11] [INFO] retrieved:
No output
os-shell> exit
[13:31:24] [INFO] cleaning up the database management system
[13:31:26] [INFO] Fetched data logged to text files under...

As you can see, no output is returned (is this because of the injection type I wonder?).

I've tried the various out of bounds methods with BT and msf too, but this seems to fail at various stages.

Could it be that the database server is separate from the web server and is totally isolated from the outside world by egress rules?

I'm trying to understand why in this case nothing seems to be working.

Any ideas would be great.

Regards

Chris
From: lnxg33k <ah...@is...> - 2011-12-20 13:37:39

On 12/20/2011 02:43 PM, Chris Oakley wrote:
> Hi
>
> The first table in a DB is called: "dbo. " (with spaces). After
> dumping the table, the following output is received:
>
> [12:40:39] [CRITICAL] there has been a file opening error for filename
> 'C:\Program Files\sqlmap\output\***\dump\***\dbo." ".csv'. Please check
> write permissions on a file and that it's not locked by another process.
>
> I think this is down to the spaces (certainly no permission problems).
>
> Regards
>
> Chris

If it's space related try to edit line 327 in sqlmap/lib/core/dump.py
from:
    dumpFileName = "%s%s%s.csv" % (dumpDbPath, os.sep, table)
to:
    dumpFileName = "%s%s%s.csv" % (dumpDbPath, os.sep, table.rstrip().rstrip('.'))
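The table name in this thread comes from the target database, so it is attacker-influenced by the time it becomes a local file name; trailing spaces and dots are only the case that happened to break here. The following is an added example, not sqlmap's own code, that generalises the one-line suggestion above (`table.rstrip().rstrip('.')`) into a file-name mapping that also neutralises path separators, control characters and Windows device names, keeps two tables from mapping to the same file, and checks that the final path stays inside the output directory. The directory layout passed as `dump_dir` is an assumption of the example, not sqlmap's.

```python
import os
import re

# Added example, not sqlmap's own code. Maps an untrusted table name (it
# came from the target DBMS) to a file name that is usable and safe on the
# local filesystem. The output directory layout is an assumption.

# Characters Windows refuses in a file name, plus NUL and other controls;
# '/' and '\' also cover path traversal on every platform.
_FORBIDDEN = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Device names Windows reserves regardless of extension.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *[f"COM{i}" for i in range(1, 10)],
             *[f"LPT{i}" for i in range(1, 10)]}


def safe_dump_filename(table, ext=".csv", max_len=200, taken=None):
    """Map an untrusted table name to a safe, unique file name.

    `taken` is an optional set of names already used in the same directory;
    passing the same set for every table of a dump makes "dbo. " and "dbo"
    end up in different files instead of one overwriting the other.
    """
    name = _FORBIDDEN.sub("_", table)
    name = name.strip(" .")              # Windows silently drops trailing ' ' and '.'
    if name.split(".")[0].upper() in _RESERVED:
        name = "_" + name                # CON, NUL, COM1... are devices on Windows
    if not name:
        name = "_unnamed_"               # e.g. a table literally named " "
    name = name[:max_len]                # stay well under path length limits
    candidate = name + ext
    if taken is not None:
        n = 2
        while candidate in taken:
            candidate = f"{name}_{n}{ext}"
            n += 1
        taken.add(candidate)
    return candidate


def dump_path(dump_dir, table, taken=None):
    """Full path for the table's dump file, guaranteed to lie under dump_dir."""
    path = os.path.join(dump_dir, safe_dump_filename(table, taken=taken))
    base = os.path.abspath(dump_dir)
    # The mapping above already removes separators; this check is the
    # independent guarantee that no future change to it can write elsewhere.
    if os.path.commonpath([base, os.path.abspath(path)]) != base:
        raise ValueError(f"refusing to write outside {base}: {path!r}")
    return path


if __name__ == "__main__":
    # Constructed table names, including the one from this thread.
    used = set()
    for t in ["dbo. ", "dbo", "users", "../../etc/passwd", "CON", "a:b\\c"]:
        print(repr(t), "->", dump_path("output/target/dump", t, used))
```

The order of the steps matters: separators are replaced before the trailing-dot strip, so a name such as `..` collapses to the placeholder rather than to an empty string, and the reserved-name check looks only at the part before the first dot because Windows treats `con.csv` as the console device too.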
From: Chris O. <chr...@gm...> - 2011-12-20 13:21:00

Hi Miroslav

That, along with the dump-all stop=x fix, works perfectly. Thank you very much for such a prompt fix!

Regards

Chris

On 20 December 2011 13:09, lnxg33k <ah...@is...> wrote:
> On 12/20/2011 02:43 PM, Chris Oakley wrote:
>> Hi
>>
>> The first table in a DB is called: "dbo. " (with spaces). After
>> dumping the table, the following output is received:
>>
>> [12:40:39] [CRITICAL] there has been a file opening error for filename
>> 'C:\Program Files\sqlmap\output\***\dump\***\dbo." ".csv'. Please check
>> write permissions on a file and that it's not locked by another process.
>>
>> I think this is down to the spaces (certainly no permission problems).
>>
>> Regards
>>
>> Chris
>
> If it's space related try to edit line 327 in sqlmap/lib/core/dump.py
> from: dumpFileName = "%s%s%s.csv" % (dumpDbPath, os.sep, table)
> to: dumpFileName = "%s%s%s.csv" % (dumpDbPath, os.sep, table.rstrip().rstrip('.'))
From: Miroslav S. <mir...@gm...> - 2011-12-20 13:04:54

Hi Chris.

This should be fixed now.

Kind regards

On Tue, Dec 20, 2011 at 1:43 PM, Chris Oakley <chr...@gm...> wrote:
> Hi
>
> The first table in a DB is called: "dbo. " (with spaces). After
> dumping the table, the following output is received:
>
> [12:40:39] [CRITICAL] there has been a file opening error for filename
> 'C:\Program Files\sqlmap\output\***\dump\***\dbo." ".csv'. Please check
> write permissions on a file and that it's not locked by another process.
>
> I think this is down to the spaces (certainly no permission problems).
>
> Regards
>
> Chris

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2011-12-20 12:53:10

Hi.

I believe that this should be hopefully fixed with the latest commit (not sure which DBMS you've run sqlmap against).

Kind regards

On Tue, Dec 20, 2011 at 12:58 PM, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> I was under the impression that -D dbname --dump-all --stop=10 would
> retrieve the first 10 rows of each table for the given DB, but it seems to
> be doing a full retrieve. Is there a way to do this without specifying
> each table one at a time?
>
> Regards
>
> Chris

--
Miroslav Stampar
http://about.me/stamparm
From: Chris O. <chr...@gm...> - 2011-12-20 12:43:32

Hi

The first table in a DB is called: "dbo. " (with spaces). After dumping the table, the following output is received:

[12:40:39] [CRITICAL] there has been a file opening error for filename 'C:\Program Files\sqlmap\output\***\dump\***\dbo." ".csv'. Please check write permissions on a file and that it's not locked by another process.

I think this is down to the spaces (certainly no permission problems).

Regards

Chris
From: Miroslav S. <mir...@gm...> - 2011-12-20 12:40:57

Hi Anindya.

With the latest commit (r4598) you should be able to do this (-p host).

Kind regards,
Miroslav Stampar

On Mon, Dec 19, 2011 at 12:29 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Sorry, but you'll have to wait a bit. Thing is that there is no easy
> "patch" solution for it.
>
> Kind regards
>
> On Sun, Dec 18, 2011 at 5:49 PM, A C <ani...@ya...> wrote:
>> I might be able to take a stab at hacking something up - where would I
>> attempt to add this functionality?
>>
>> --Anindya
>>
>> From: Miroslav Stampar <mir...@gm...>
>> To: A C <ani...@ya...>
>> Cc: "sql...@li..." <sql...@li...>
>> Sent: Wednesday, December 14, 2011 11:03 AM
>> Subject: Re: [sqlmap-users] Injection in Host: header
>>
>> Hi.
>>
>> This moment there isn't support for Host header. I won't promise anything
>> but maybe it will be implemented these days.
>>
>> Kind regards
>>
>> On Mon, Dec 12, 2011 at 11:26 PM, A C <ani...@ya...> wrote:
>>
>> Hi sqlmap users,
>>
>> I've successfully used sqlmap to do wonderful things through parameters of
>> web applications but I've recently come across an app which seems to have a
>> possible injection flaw in the Host: header field. In other words, if I put
>> a single quote (or other SQL) in the Host: header with my normal HTTP
>> request, I will get back a MySQL error similar to the following:
>>
>> Error: <br />1064: You have an error in your SQL syntax; check the manual
>> that corresponds to your MySQL server version for the right syntax to use
>> near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1
>>
>> I can't seem to find a way to use sqlmap to perform its normal magic -
>> is there a way to do this?
>>
>> Thanks!
>> --Anindya
>>
>> ------------------------------------------------------------------------------
>> Learn Windows Azure Live! Tuesday, Dec 13, 2011
>> Microsoft is holding a special Learn Windows Azure training event for
>> developers. It will provide a great way to learn Windows Azure and what it
>> provides. You can attend the event by watching it streamed LIVE online.
>> Learn more at http://p.sf.net/sfu/ms-windowsazure
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: Chris O. <chr...@gm...> - 2011-12-20 11:58:30

Hi All

I was under the impression that -D dbname --dump-all --stop=10 would retrieve the first 10 rows of each table for the given DB, but it seems to be doing a full retrieve. Is there a way to do this without specifying each table one at a time?

Regards

Chris
From: Miroslav S. <mir...@gm...> - 2011-12-20 10:22:22

Hi Sherif.

This should be fixed with the latest commit.

Kind regards,
Miroslav Stampar

On Tue, Dec 20, 2011 at 10:20 AM, Sherif El-Deeb <arc...@gm...> wrote:
> The site has Arabic text.
>
> sqlmap version: 1.0-dev (r4595)
> Python version: 2.6.5
> Operating system: posix
> Command line: ./sqlmap.py -u ********************** --crawl 4 --form
> --random-agent --batch
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "/pentest/database/sqlmap/lib/core/threads.py", line 123, in runThreads
>     threadFunction()
>   File "/pentest/database/sqlmap/lib/utils/crawler.py", line 75, in crawlThread
>     soup = BeautifulSoup(content)
>   File "/pentest/database/sqlmap/extra/beautifulsoup/beautifulsoup.py", line 1519, in __init__
>     BeautifulStoneSoup.__init__(self, *args, **kwargs)
>   File "/pentest/database/sqlmap/extra/beautifulsoup/beautifulsoup.py", line 1144, in __init__
>     self._feed(isHTML=isHTML)
>   File "/pentest/database/sqlmap/extra/beautifulsoup/beautifulsoup.py", line 1186, in _feed
>     SGMLParser.feed(self, markup)
>   File "/usr/lib/python2.6/sgmllib.py", line 104, in feed
>     self.goahead(0)
>   File "/usr/lib/python2.6/sgmllib.py", line 143, in goahead
>     k = self.parse_endtag(i)
>   File "/usr/lib/python2.6/sgmllib.py", line 320, in parse_endtag
>     self.finish_endtag(tag)
>   File "/usr/lib/python2.6/sgmllib.py", line 358, in finish_endtag
>     method = getattr(self, 'end_' + tag)
> UnicodeEncodeError: 'ascii' codec can't encode characters in position
> 586-587: ordinal not in range(128)

--
Miroslav Stampar
http://about.me/stamparm
From: Sherif El-D. <arc...@gm...> - 2011-12-20 09:20:58

The site has Arabic text.

sqlmap version: 1.0-dev (r4595)
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py -u ********************** --crawl 4 --form --random-agent --batch
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "/pentest/database/sqlmap/lib/core/threads.py", line 123, in runThreads
    threadFunction()
  File "/pentest/database/sqlmap/lib/utils/crawler.py", line 75, in crawlThread
    soup = BeautifulSoup(content)
  File "/pentest/database/sqlmap/extra/beautifulsoup/beautifulsoup.py", line 1519, in __init__
    BeautifulStoneSoup.__init__(self, *args, **kwargs)
  File "/pentest/database/sqlmap/extra/beautifulsoup/beautifulsoup.py", line 1144, in __init__
    self._feed(isHTML=isHTML)
  File "/pentest/database/sqlmap/extra/beautifulsoup/beautifulsoup.py", line 1186, in _feed
    SGMLParser.feed(self, markup)
  File "/usr/lib/python2.6/sgmllib.py", line 104, in feed
    self.goahead(0)
  File "/usr/lib/python2.6/sgmllib.py", line 143, in goahead
    k = self.parse_endtag(i)
  File "/usr/lib/python2.6/sgmllib.py", line 320, in parse_endtag
    self.finish_endtag(tag)
  File "/usr/lib/python2.6/sgmllib.py", line 358, in finish_endtag
    method = getattr(self, 'end_' + tag)
UnicodeEncodeError: 'ascii' codec can't encode characters in position 586-587: ordinal not in range(128)
From: Miroslav S. <mir...@gm...> - 2011-12-19 11:29:51

Hi.

Sorry, but you'll have to wait a bit. Thing is that there is no easy "patch" solution for it.

Kind regards

On Sun, Dec 18, 2011 at 5:49 PM, A C <ani...@ya...> wrote:
> I might be able to take a stab at hacking something up - where would I
> attempt to add this functionality?
>
> --Anindya
>
> From: Miroslav Stampar <mir...@gm...>
> To: A C <ani...@ya...>
> Cc: "sql...@li..." <sql...@li...>
> Sent: Wednesday, December 14, 2011 11:03 AM
> Subject: Re: [sqlmap-users] Injection in Host: header
>
> Hi.
>
> This moment there isn't support for Host header. I won't promise anything
> but maybe it will be implemented these days.
>
> Kind regards
>
> On Mon, Dec 12, 2011 at 11:26 PM, A C <ani...@ya...> wrote:
>
> Hi sqlmap users,
>
> I've successfully used sqlmap to do wonderful things through parameters of
> web applications but I've recently come across an app which seems to have a
> possible injection flaw in the Host: header field. In other words, if I put
> a single quote (or other SQL) in the Host: header with my normal HTTP
> request, I will get back a MySQL error similar to the following:
>
> Error: <br />1064: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1
>
> I can't seem to find a way to use sqlmap to perform its normal magic -
> is there a way to do this?
>
> Thanks!
> --Anindya
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
From: A C <ani...@ya...> - 2011-12-18 16:49:44

I might be able to take a stab at hacking something up - where would I attempt to add this functionality?

--Anindya

________________________________
From: Miroslav Stampar <mir...@gm...>
To: A C <ani...@ya...>
Cc: "sql...@li..." <sql...@li...>
Sent: Wednesday, December 14, 2011 11:03 AM
Subject: Re: [sqlmap-users] Injection in Host: header

Hi.

This moment there isn't support for Host header. I won't promise anything but maybe it will be implemented these days.

Kind regards

On Mon, Dec 12, 2011 at 11:26 PM, A C <ani...@ya...> wrote:
> Hi sqlmap users,
>
> I've successfully used sqlmap to do wonderful things through parameters of
> web applications but I've recently come across an app which seems to have a
> possible injection flaw in the Host: header field. In other words, if I put
> a single quote (or other SQL) in the Host: header with my normal HTTP
> request, I will get back a MySQL error similar to the following:
>
> Error: <br />1064: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1
>
> I can't seem to find a way to use sqlmap to perform its normal magic -
> is there a way to do this?
>
> Thanks!
> --Anindya

--
Miroslav Stampar
http://about.me/stamparm
From: Chris O. <chr...@gm...> - 2011-12-16 09:46:17

Thanks to all. Definitely a false positive following all your advice and reasoning.

Cheers.

On 15 December 2011 10:14, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> I believe that in your case that "appears to be" caused a little misguidance. With the latest commit that message should be restrained to 1 appearance per target, so there won't be such a large number of those.
>
> "Appears to be" is just a friendly log message. Be sure that sqlmap checks that "appears to be" is really a chance for injecting.
>
> I would say that you should skip this target because of one strong reason:
> - you've received "appears to be" for different boundaries (prefix/suffix combinations) which is impossible for a positive injectable target
>
> Kind regards
>
> On Wed, Dec 14, 2011 at 4:51 PM, Chris Oakley <chr...@gm...> wrote:
>
>> Hi All
>>
>> I'm having problems with an injection that I think is real.
>>
>> It's a standard POST request with one of the parameters of the data sent being vulnerable. This all happens in an unauthenticated area of the application, so there's no need to set the cookie value etc.
>>
>> The injection point was found with Burp Scanner. It has the following to say:
>>
>> *Issue detail*
>> The BLAH parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the BLAH parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be PostgreSQL. The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
>>
>> The server response looks like this:
>>
>> HTTP/1.1 202 Accepted
>> Server: Apache-Coyote/1.1
>> Vary: Accept-Encoding
>> Cache-Control: no-cache
>> Content-Type: text/xml;charset=UTF-8
>> Date: Wed, 14 Dec 2011 12:48:30 GMT
>> Content-Length: 7754
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']; nested exception is org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
>>     at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
>>     at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
>>     at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
>>     at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
>>     at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
>>     at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
>>     at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
>>     at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
>>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
>>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>>     at $Proxy17.load(Unknown Source)
>>     at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
>>     at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>     at java.lang.Thread.run(Thread.java:619)
>> Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
>>     at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
>>     at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
>>     at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
>>     at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
>>     at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
>>     at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
>>     at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
>>     at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
>>     at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
>>     at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
>>     at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
>>     at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
>>     at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
>>     at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
>>     at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
>>     at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
>>     ... 46 more
>> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
>>     at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
>>     at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
>>     at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
>>     at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
>>     at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
>>     at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
>>     at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>>     at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
>>     at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
>>     at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
>>     at org.hibernate.loader.Loader.doQuery(Loader.java:674)
>>     at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
>>     at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
>>     ... 59 more
>> ]]></stack-trace></error></errors>
>>
>> I've worked my way up to the following sqlmap command:
>>
>> C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax" --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql --union-char=1 --tamper=appendnullbyte -f -b
>>
>>     sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
>>     http://www.sqlmap.org
>>
>> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 15:33:52
>>
>> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
>> [15:33:53] [INFO] using '*****\session' as session file
>> [15:33:53] [INFO] testing connection to the target url
>> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
>> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
>> [15:34:03] [INFO] url is stable
>> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
>> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
>> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
>> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
>> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
>> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
>> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
>> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
>> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
>> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
>> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
>> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
>> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
>> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
>> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
>> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
>> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
>> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
>> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
>> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
>> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
>> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 columns'
>> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 columns'
>> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 columns'
>> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 columns'
>> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
>> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
>>
>> [*] shutting down at 15:42:42
>>
>> I didn't start with all of those arguments for sqlmap - I've tried it without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and --tamper=appendnullbyte and got pretty much the same results for each.
>>
>> Maybe it's not injectable, but I'd like people's input before I write it off, since it looks very suspect to me.
>>
>> Thanks
>>
>> Chris
>
> --
> Miroslav Stampar
> http://about.me/stamparm
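Miroslav's false-positive reasoning above, turned into a small offline triage helper as an added example (not part of the thread and not sqlmap code): it counts how many "appears to be UNION injectable" hints each sqlmap test emitted, flags tests that keep emitting it, and separates the PostgreSQL encoding error in the quoted stack trace from a real SQL syntax error such as the MySQL 1064 quoted in the Host header thread. The log excerpt, the two error strings and the `max_hints` threshold are constructed for the demo.

```python
import re
from collections import OrderedDict

# Line shapes taken from the sqlmap output quoted above.
_TESTING = re.compile(r"^\[\d\d:\d\d:\d\d\] \[INFO\] testing '(?P<title>.+)'$")
_APPEARS = re.compile(r"^\[\d\d:\d\d:\d\d\] \[INFO\] target url appears to be "
                      r"UNION injectable with \d+ columns$")

# Constructed excerpt of a run, modelled on the log quoted above.
SAMPLE_LOG = """\
[15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
[15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
[15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
[15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
[15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
""".splitlines()


def count_union_hints(log_lines):
    """Number of 'appears to be UNION injectable' hints printed under each
    'testing ...' title, in log order."""
    counts = OrderedDict()
    current = None
    for line in log_lines:
        m = _TESTING.match(line.strip())
        if m:
            current = m.group("title")
            counts.setdefault(current, 0)
        elif current is not None and _APPEARS.match(line.strip()):
            counts[current] += 1
    return counts


def non_discriminating_tests(log_lines, max_hints=3):
    """The reasoning from the thread: one UNION test tries several boundaries
    (prefix/suffix combinations) and a real injection cannot look positive
    under all of them, so a title that keeps emitting the hint says the
    response is the same whatever is sent. max_hints is a constructed
    threshold, not a sqlmap setting."""
    return [t for t, n in count_union_hints(log_lines).items() if n > max_hints]


# Two error classes that look alike to a scanner keying on "database error".
# PostgreSQL raises the encoding error while validating a text value, which it
# also does for a bound parameter, so on its own it does not show that the
# input was parsed as SQL; a syntax error does.
_ERROR_CLASSES = (
    ("encoding", re.compile(r'invalid byte sequence for encoding "UTF8"')),
    ("syntax", re.compile(r"syntax error at or near|"
                          r"You have an error in your SQL syntax")),
)

# Constructed from the two error texts quoted on this page.
PG_ERROR = 'ERROR: invalid byte sequence for encoding "UTF8": 0x00'
MYSQL_ERROR = ("1064: You have an error in your SQL syntax; check the manual "
               "that corresponds to your MySQL server version")


def classify_db_error(text):
    """'encoding', 'syntax' or 'unknown' for an error message body."""
    for label, pattern in _ERROR_CLASSES:
        if pattern.search(text):
            return label
    return "unknown"
```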
From: Miroslav S. <mir...@gm...> - 2011-12-16 09:39:50

Hi Fernando.

Please check out the latest revision from our SVN repository (v1.0-dev) to have it up to date:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Kind regards,
Miroslav Stampar

On Fri, Dec 16, 2011 at 1:17 AM, Fernando Parodi <fer...@gm...> wrote:

> 21:15:08] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows 2008
> web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.1.2
> back-end DBMS: MySQL 5.0
> [21:15:08] [INFO] fetching database names
>
> [21:15:11] [CRITICAL] unhandled exception in sqlmap/0.9, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 0.9 (r3630)
> Python version: 2.7.2
> Operating system: posix
> Command line: sqlmap.py --url=************************************************************ --level 2 --dbs
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap.py", line 82, in main
>     start()
>   File "/root/soft/sqlmap/sqlmap/lib/controller/controller.py", line 447, in start
>     action()
>   File "/root/soft/sqlmap/sqlmap/lib/controller/action.py", line 88, in action
>     conf.dumper.dbs(conf.dbmsHandler.getDbs())
>   File "/root/soft/sqlmap/sqlmap/plugins/generic/enumeration.py", line 681, in getDbs
>     value = inject.getValue(query, blind=False)
>   File "/root/soft/sqlmap/sqlmap/lib/request/inject.py", line 432, in getValue
>     value = __goInband(query, expected, sort, resumeValue, unpack, dump)
>   File "/root/soft/sqlmap/sqlmap/lib/request/inject.py", line 384, in __goInband
>     output = unionUse(expression, unpack=unpack, dump=dump)
>   File "/root/soft/sqlmap/sqlmap/lib/techniques/inband/union/use.py", line 235, in unionUse
>     for num in xrange(startLimit, stopLimit):
> TypeError: an integer is required

--
Miroslav Stampar
http://about.me/stamparm
From: André S. <and...@gm...> - 2011-12-16 00:29:05

Hi,

Please update to the last commit:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

I think both reported bugs are already fixed.

2011/12/15 Christopher Schwardt <noo...@gm...>

> hi there, i got a traceback for you :)
> didn't try the most recent version from your repo, but maybe you're interested anyway
>
> greetz
> chriz
>
> $ sqlmap --proxy=http://localhost:8080/ -u 'https://encrypted.google.com/search?client=ubuntu&channel=fs&q=sqlmap&ie=utf-8&oe=utf-8'
>
>     sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
>     and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 18:22:34
>
> [18:22:34] [INFO] testing connection to the target url
> [18:22:34] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.7.2+
> Operating system: linux2
> Traceback (most recent call last):
>   File "/usr/bin/sqlmap", line 81, in main
>     start()
>   File "/usr/share/sqlmap/lib/controller/controller.py", line 144, in start
>     if not checkConnection() or not checkString() or not checkRegexp():
>   File "/usr/share/sqlmap/lib/controller/checks.py", line 387, in checkConnection
>     page, _ = Request.getPage()
>   File "/usr/share/sqlmap/lib/request/connect.py", line 128, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
>     return _opener.open(url, data, timeout)
>   File "/usr/lib/python2.7/urllib2.py", line 394, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.7/urllib2.py", line 412, in _open
>     '_open', req)
>   File "/usr/lib/python2.7/urllib2.py", line 372, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.7/urllib2.py", line 1209, in https_open
>     return self.do_open(httplib.HTTPSConnection, req)
>   File "/usr/share/sqlmap/lib/request/proxy.py", line 128, in do_open
>     return urllib2.HTTPSHandler.do_open(self, ProxyHTTPSConnection, req)
>   File "/usr/lib/python2.7/urllib2.py", line 1140, in do_open
>     h = http_class(host, timeout=req.timeout) # will parse host:port
> TypeError: __init__() got an unexpected keyword argument 'timeout'
>
> [*] shutting down at: 18:22:34
From: Fernando P. <fer...@gm...> - 2011-12-16 00:17:48

21:15:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.1.2
back-end DBMS: MySQL 5.0
[21:15:08] [INFO] fetching database names

[21:15:11] [CRITICAL] unhandled exception in sqlmap/0.9, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 0.9 (r3630)
Python version: 2.7.2
Operating system: posix
Command line: sqlmap.py --url=************************************************************ --level 2 --dbs
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "sqlmap.py", line 82, in main
    start()
  File "/root/soft/sqlmap/sqlmap/lib/controller/controller.py", line 447, in start
    action()
  File "/root/soft/sqlmap/sqlmap/lib/controller/action.py", line 88, in action
    conf.dumper.dbs(conf.dbmsHandler.getDbs())
  File "/root/soft/sqlmap/sqlmap/plugins/generic/enumeration.py", line 681, in getDbs
    value = inject.getValue(query, blind=False)
  File "/root/soft/sqlmap/sqlmap/lib/request/inject.py", line 432, in getValue
    value = __goInband(query, expected, sort, resumeValue, unpack, dump)
  File "/root/soft/sqlmap/sqlmap/lib/request/inject.py", line 384, in __goInband
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/root/soft/sqlmap/sqlmap/lib/techniques/inband/union/use.py", line 235, in unionUse
    for num in xrange(startLimit, stopLimit):
TypeError: an integer is required
From: Brandon P. <bpe...@gm...> - 2011-12-15 22:35:30

Sure, I agree. In my mind, a second argument used in conjunction with --batch could be created (say --keep-testing). I will try the patch, thank you.

On Thu, Dec 15, 2011 at 4:33 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Brandon.
>
> If you mean that question that goes like "GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]" find the patch attached.
>
> But, the default behavior of sqlmap won't change. Batch behavior in 99% of cases suits the need of the user to find any injection point and to exploit it as soon as possible.
>
> Kind regards
>
> On Thu, Dec 15, 2011 at 10:05 PM, Brandon Perry <bpe...@gm...> wrote:
>>
>> Hi, I have tried to emulate the ability to run sqlmap via --batch, while allowing the scanner to keep testing after it has found a successful injection point. Is this possible atm? If not, would a patch be appreciated?
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2011-12-15 22:34:02

Hi Brandon.

If you mean that question that goes like "GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]" find the patch attached.

But, the default behavior of sqlmap won't change. Batch behavior in 99% of cases suits the need of the user to find any injection point and to exploit it as soon as possible.

Kind regards

On Thu, Dec 15, 2011 at 10:05 PM, Brandon Perry <bpe...@gm...> wrote:

> Hi, I have tried to emulate the ability to run sqlmap via --batch, while allowing the scanner to keep testing after it has found a successful injection point. Is this possible atm? If not, would a patch be appreciated?
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
Miroslav Stampar
http://about.me/stamparm