sqlmap-users Mailing List for sqlmap (Page 73)
From: Brandon P. <bpe...@gm...> - 2011-12-15 22:20:39

Running sqlmap on BadStore (a purposefully insecure web app) (http://www.badstore.net/) results in a POST injection being found. This injection point isn't saved in the results csv, only a GET from the same session is saved.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Brandon P. <bpe...@gm...> - 2011-12-15 21:05:27

Hi,

I have tried to emulate the ability to run sqlmap via --batch, while allowing the scanner to keep testing after it has found a successful injection point. Is this possible atm? If not, would a patch be appreciated?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Christopher S. <noo...@gm...> - 2011-12-15 20:17:07

hi there,

i got a traceback for you :) didn't try the most recent version from your repo, but maybe you're interested anyway

greetz
chriz

$ sqlmap --proxy=http://localhost:8080/ -u 'https://encrypted.google.com/search?client=ubuntu&channel=fs&q=sqlmap&ie=utf-8&oe=utf-8'

    sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
                      and Daniele Bellucci <dan...@gm...>

[*] starting at: 18:22:34

[18:22:34] [INFO] testing connection to the target url
[18:22:34] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.7.2+
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 81, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 144, in start
    if not checkConnection() or not checkString() or not checkRegexp():
  File "/usr/share/sqlmap/lib/controller/checks.py", line 387, in checkConnection
    page, _ = Request.getPage()
  File "/usr/share/sqlmap/lib/request/connect.py", line 128, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 394, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 412, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 372, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1209, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/share/sqlmap/lib/request/proxy.py", line 128, in do_open
    return urllib2.HTTPSHandler.do_open(self, ProxyHTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1140, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
TypeError: __init__() got an unexpected keyword argument 'timeout'

[*] shutting down at: 18:22:34
From: Miroslav S. <mir...@gm...> - 2011-12-15 10:15:04

Hi.

I believe that in your case that "appears to be" caused a little misguidance. With the latest commit that message should be restrained to 1 appearance per target, so there won't be such a large number of those. "Appears to be" is just a friendly log message. Be sure that sqlmap checks that "appears to be" is really a chance for injecting.

I would say that you should skip this target because of one strong reason:
- you've received "appears to be" for different boundaries (prefix/suffix combinations) which is impossible for a positive injectable target

Kind regards

On Wed, Dec 14, 2011 at 4:51 PM, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> I'm having problems with an injection that I think is real.
>
> It's a standard POST request with one of the parameters of the data sent being vulnerable. This all happens in an unauthenticated area of the application, so there's no need to set the cookie value etc.
>
> The injection point was found with Burp Scanner. It has the following to say:
>
> Issue detail
> The BLAH parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the BLAH parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be PostgreSQL. The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
>
> The server response looks like this:
>
> HTTP/1.1 202 Accepted
> Server: Apache-Coyote/1.1
> Vary: Accept-Encoding
> Cache-Control: no-cache
> Content-Type: text/xml;charset=UTF-8
> Date: Wed, 14 Dec 2011 12:48:30 GMT
> Content-Length: 7754
>
> <?xml version="1.0" encoding="UTF-8"?>
> <errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']; nested exception is org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
> at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
> at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
> at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
> at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
> at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
> at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
> at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
> at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
> at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
> at $Proxy17.load(Unknown Source)
> at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
> at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> at java.lang.Thread.run(Thread.java:619)
> Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
> at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
> at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
> at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
> at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
> at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
> at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
> at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
> at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
> at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
> at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
> at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
> at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
> at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
> at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
> at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
> at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
> ... 46 more
> Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
> at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
> at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
> at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
> at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
> at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
> at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
> at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
> at org.hibernate.loader.Loader.doQuery(Loader.java:674)
> at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
> at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
> ... 59 more
> ]]></stack-trace></error></errors>
>
> I've worked my way up to the following sqlmap command:
>
> C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax" --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql --union-char=1 --tamper=appendnullbyte -f -b
>
> sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
> http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 15:33:52
>
> [15:33:52] [INFO] loading tamper script 'appendnullbyte'
> [15:33:53] [INFO] using '*****\session' as session file
> [15:33:53] [INFO] testing connection to the target url
> [15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
> [15:34:00] [INFO] testing if the url is stable, wait a few seconds
> [15:34:03] [INFO] url is stable
> [15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
> [15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
> [15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
> [15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
> [15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
> [15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
> [15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
> [15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
> [15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
> [15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
> [15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
> [15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
> [15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
> [15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
> [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
> [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
> [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
> [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
> [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
> [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
> [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
> [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
> [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
> [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
> [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
> [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
> [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 columns'
> [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 columns'
> [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 columns'
> [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 columns'
> [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
> [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
>
> [*] shutting down at 15:42:42
>
> I didn't start with all of those arguments for sqlmap - I've tried it without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and --tamper=appendnullbyte and got pretty much the same results for each.
>
> Maybe it's not injectable, but I'd like peoples input before I write it off, since it looks very suspect to me.
>
> Thanks
>
> Chris
>
> ------------------------------------------------------------------------------
> Cloud Computing - Latest Buzzword or a Glimpse of the Future?
> This paper surveys cloud computing today: What are the benefits?
> Why are businesses embracing it? What are its payoffs and pitfalls?
> http://www.accelacomm.com/jaw/sdnl/114/51425149/
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
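The innermost cause in the stack trace quoted above is PostgreSQL rejecting the 0x00 byte for encoding UTF8, an input-validation failure raised before the statement is parsed, and the frames show a Hibernate entity load through a PreparedStatement; a scanner's "database error message was returned" is therefore weak evidence on its own. The following triage helper is an added example, not code from sqlmap, Burp or this thread: it parses the `<errors>` XML document the application returns (a constructed, abridged copy of the quoted one) and classifies the innermost `Caused by:` line so that encoding rejections can be separated from errors the SQL parser itself produced.

```python
"""Triage helper for scanner 'database error' SQL injection findings.

Constructed example for this thread; it is not code from sqlmap, Burp or the
application in the quoted response. It parses the <errors> XML document the
application returned and decides whether the innermost cause is an encoding
rejection (PostgreSQL refusing a 0x00 byte) or an error raised by the SQL
parser itself, which is the kind of evidence a genuine finding needs.
"""
import re
import xml.etree.ElementTree as ET

# An encoding rejection means the driver/database refused the bytes at input
# validation, before any SQL text was parsed: not evidence of injection.
ENCODING_REJECTION = re.compile(
    r'invalid byte sequence for encoding "(?P<enc>[^"]+)": 0x(?P<byte>[0-9a-fA-F]{2})'
)
# Messages only the PostgreSQL parser produces: the probe reached the query text.
SQL_PARSER_ERROR = re.compile(
    r"syntax error at or near|unterminated quoted (?:string|identifier)"
)


def innermost_cause(stack_trace: str) -> str:
    """Return the last 'Caused by:' line of a Java stack trace, or its first line."""
    lines = [ln.strip() for ln in stack_trace.splitlines() if ln.strip()]
    causes = [ln for ln in lines if ln.startswith("Caused by:")]
    if causes:
        return causes[-1]
    return lines[0] if lines else ""


def classify_error_response(xml_body: str) -> dict:
    """Classify an <errors><error><text/><stack-trace/></error></errors> document."""
    root = ET.fromstring(xml_body.encode("utf-8"))
    err = root.find("error")
    if err is None:
        return {"verdict": "not-an-error-document", "root_cause": "", "text": "", "reason": ""}
    text = (err.findtext("text") or "").strip()
    cause = innermost_cause(err.findtext("stack-trace") or "")
    enc = ENCODING_REJECTION.search(cause)
    if enc:
        verdict = "encoding-rejection"
        reason = (f"database rejected byte 0x{enc.group('byte')} for encoding "
                  f"{enc.group('enc')} before parsing any SQL; a scanner's "
                  "'database error' hit alone is not injection evidence")
    elif SQL_PARSER_ERROR.search(cause):
        verdict = "sql-parser-error"
        reason = "the SQL parser failed on the probe; confirm with a boolean/time-based check"
    else:
        verdict = "unclassified"
        reason = "root cause not recognised; review the trace by hand"
    return {"text": text, "root_cause": cause, "verdict": verdict, "reason": reason}


# Constructed sample: an abridged copy of the response quoted in the thread
# (most frames dropped, the three exception levels kept).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']; nested exception is org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
]]></stack-trace></error></errors>"""

# Constructed contrast case (not from the thread): the same wrapper around a
# genuine PostgreSQL parser error, the shape a real finding would show.
SYNTAX_ERROR_RESPONSE = """<errors><error><text><![CDATA[could not execute query]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not execute query
Caused by: org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near "'"
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
]]></stack-trace></error></errors>"""

if __name__ == "__main__":
    for body in (SAMPLE_RESPONSE, SYNTAX_ERROR_RESPONSE):
        result = classify_error_response(body)
        print(f"{result['verdict']:<20} {result['reason']}")
```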
From: Miroslav S. <mir...@gm...> - 2011-12-15 09:16:38

Thank you. Find it fixed in the latest commit.

Kind regards

On Thu, Dec 15, 2011 at 9:45 AM, Jacco van Tuijl <jac...@gm...> wrote:
> [03:15:59] [WARNING] unknown web page charset '*'. Please report by e-mail to sql...@li....
> [03:16:02] [INFO] heuristics detected web page charset 'ascii'

--
Miroslav Stampar
http://about.me/stamparm
From: Jacco v. T. <jac...@gm...> - 2011-12-15 08:46:01

[03:15:59] [WARNING] unknown web page charset '*'. Please report by e-mail to sql...@li....
[03:16:02] [INFO] heuristics detected web page charset 'ascii'
From: Robin W. <ro...@di...> - 2011-12-14 16:26:54

On 14 December 2011 15:51, Chris Oakley <chr...@gm...> wrote:
time-based blind (comment)' > [15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)' > [15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - > comment)' > [15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns' > [15:34:50] [INFO] target url appears to be UNION injectable with 1 columns > [15:34:51] [INFO] target url appears to be UNION injectable with 1 columns > [15:34:53] [INFO] target url appears to be UNION injectable with 1 columns > [15:34:55] [INFO] target url appears to be UNION injectable with 1 columns > [15:34:56] [INFO] target url appears to be UNION injectable with 1 columns > [15:34:58] [INFO] target url appears to be UNION injectable with 1 columns > [15:34:59] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:01] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:02] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:04] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:06] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:07] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:09] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:10] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:11] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:13] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:14] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:16] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:17] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:19] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:20] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:22] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:23] [INFO] target url appears to 
be UNION injectable with 1 columns > [15:35:25] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:27] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:29] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:30] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:32] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:33] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:35] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:36] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:37] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:39] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:40] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:42] [INFO] target url appears to be UNION injectable with 1 columns > [15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns' > [15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns' > [15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns' > [15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns' > [15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 > columns' > [15:38:47] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:50] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:51] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:53] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:54] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:56] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:57] [INFO] target url appears to be UNION injectable with 1 columns > [15:38:59] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:00] [INFO] target url appears to be 
UNION injectable with 1 columns > [15:39:03] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:04] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:05] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:07] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:08] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:10] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:11] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:13] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:14] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:16] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:18] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:19] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:21] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:22] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:24] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:25] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:27] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:28] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:30] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:31] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:33] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:35] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:37] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:38] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:40] [INFO] target url appears to be UNION injectable with 1 columns > [15:39:41] [INFO] target url appears to 
be UNION injectable with 1 columns > [15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 > columns' > [15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 > columns' > [15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 > columns' > [15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 > columns' > [15:42:42] [WARNING] POST parameter 'BLAH' is not injectable > [15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to > increase --level/--risk values to perform more tests. As > heuristic test turned out positive you are strongly advised to continue on > with the tests. Please, consider usage of tampering scr > ipts as your target might filter the queries. Also, you can try to rerun by > providing either a valid --string or a valid --regexp, > refer to the user's manual for details > > [*] shutting down at 15:42:42 > > I didn't start with all of those arguments for sqlmap - I've tried it > without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and > --tamper=appendnullbyte and got pretty much the same results for each. > > Maybe it's not injectable, but I'd like peoples input before I write it off, > since it looks very suspect to me. > > Thanks > > Chris > Have you tried working it by hand to see if you can inject something basic into it? I'd get Burp repeater on it and manually work on confirming whether there is injection there or not. Look for something basic like adding a delay or limiting/opening the number of results returned. Robin |
From: Miroslav S. <mir...@gm...> - 2011-12-14 16:03:21
Hi.

At this moment there isn't support for the Host header. I won't promise anything, but maybe it will be implemented these days.

Kind regards

On Mon, Dec 12, 2011 at 11:26 PM, A C <ani...@ya...> wrote:
> Hi sqlmap users,
>
> I've successfully used sqlmap to do wonderful things through parameters of web applications, but I've recently come across an app which seems to have a possible injection flaw in the Host: header field. In other words, if I put a single quote (or other SQL) in the Host: header with my normal HTTP request, I will get back a MySQL error similar to the following:
>
> Error: <br />1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1
>
> I can't seem to find a way to use sqlmap to perform its normal magic - is there a way to do this?
>
> Thanks!
> --Anindya
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
From: Chris O. <chr...@gm...> - 2011-12-14 15:51:30
Hi All,

I'm having problems with an injection that I think is real. It's a standard POST request with one of the parameters of the data sent being vulnerable. This all happens in an unauthenticated area of the application, so there's no need to set the cookie value etc.

The injection point was found with Burp Scanner. It has the following to say:

*Issue detail*

The BLAH parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the BLAH parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be PostgreSQL. The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

The server response looks like this:

HTTP/1.1 202 Accepted
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/xml;charset=UTF-8
Date: Wed, 14 Dec 2011 12:48:30 GMT
Content-Length: 7754

<?xml version="1.0" encoding="UTF-8"?>
<errors><error><text><![CDATA[could not load an entity: [vyre.content.CollectionSchema#165']; nested exception is org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA[org.springframework.dao.InvalidDataAccessResourceUsageException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:618)
    at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)
    at org.springframework.orm.hibernate3.HibernateTemplate.executeWithNativeSession(HibernateTemplate.java:374)
    at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:560)
    at org.springframework.orm.hibernate3.HibernateTemplate.load(HibernateTemplate.java:554)
    at vyre.core.entity.pl.HibernateStringIdentifierEntityDAO.load(HibernateStringIdentifierEntityDAO.java:47)
    at sun.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy17.load(Unknown Source)
    at vyre.publishing.ContentGatewayAjaxListener.handle(ContentGatewayAjaxListener.java:146)
    at vyre.publishing.ajax.AjaxControllerServlet.service(AjaxControllerServlet.java:88)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at vyre.delivery.MainFilter.doFilter(MainFilter.java:145)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at vyre.content.search.permissions.ViewPermissionFilter.doFilter(ViewPermissionFilter.java:27)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.virginholidays.filter.CacheControlFilter.doFilter(CacheControlFilter.java:26)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at vyre.utils.filters.login.AbstractLoginFilter.doFilter(AbstractLoginFilter.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.hibernate.exception.DataException: could not load an entity: [vyre.content.CollectionSchema#165']
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
    at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)
    at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:48)
    at org.hibernate.loader.entity.AbstractEntityLoader.load(AbstractEntityLoader.java:42)
    at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:3049)
    at org.hibernate.event.def.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:399)
    at org.hibernate.event.def.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:375)
    at org.hibernate.event.def.DefaultLoadEventListener.load(DefaultLoadEventListener.java:139)
    at org.hibernate.event.def.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:179)
    at org.hibernate.event.def.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:103)
    at org.hibernate.impl.SessionImpl.fireLoad(SessionImpl.java:878)
    at org.hibernate.impl.SessionImpl.load(SessionImpl.java:795)
    at org.hibernate.impl.SessionImpl.load(SessionImpl.java:788)
    at org.springframework.orm.hibernate3.HibernateTemplate$3.doInHibernate(HibernateTemplate.java:566)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:419)
    ... 46 more
Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
    at org.hibernate.loader.Loader.doQuery(Loader.java:674)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
    at org.hibernate.loader.Loader.loadEntity(Loader.java:1860)
    ... 59 more
]]></stack-trace></error></errors>

I've worked my way up to the following sqlmap command:

C:\Program Files\sqlmap>python sqlmap.py -u "http://www.**********/servlet/ajax" --data "..........&BLAH=165" -p BLAH --level=5 --risk=2 --dbms=postgresql --union-char=1 --tamper=appendnullbyte -f -b

sqlmap/1.0-dev (r4577) - automatic SQL injection and database takeover tool
http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:33:52

[15:33:52] [INFO] loading tamper script 'appendnullbyte'
[15:33:53] [INFO] using '*****\session' as session file
[15:33:53] [INFO] testing connection to the target url
[15:34:00] [WARNING] provided parameter 'BLAH' is not inside the Cookie
[15:34:00] [INFO] testing if the url is stable, wait a few seconds
[15:34:03] [INFO] url is stable
[15:34:03] [INFO] heuristic test shows that POST parameter 'BLAH' might be injectable (possible DBMS: PostgreSQL)
[15:34:03] [INFO] testing sql injection on POST parameter 'BLAH'
[15:34:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:34:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[15:34:16] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[15:34:16] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[15:34:16] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)'
[15:34:17] [INFO] testing 'PostgreSQL stacked conditional-error blind queries'
[15:34:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:34:27] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[15:34:32] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[15:34:32] [INFO] testing 'PostgreSQL error-based - GROUP BY and ORDER BY clauses'
[15:34:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:34:35] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
[15:34:37] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
[15:34:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:34:42] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
[15:34:44] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[15:34:47] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
[15:34:49] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
[15:34:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:53] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:55] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:56] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:58] [INFO] target url appears to be UNION injectable with 1 columns
[15:34:59] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:01] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:02] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:04] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:06] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:07] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:09] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:10] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:11] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:13] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:14] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:16] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:17] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:19] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:20] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:22] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:23] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:25] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:27] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:29] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:30] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:32] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:33] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:35] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:36] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:37] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:39] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:40] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] target url appears to be UNION injectable with 1 columns
[15:35:42] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
[15:36:29] [INFO] testing 'Generic UNION query (1) - 21 to 30 columns'
[15:37:15] [INFO] testing 'Generic UNION query (1) - 31 to 40 columns'
[15:38:01] [INFO] testing 'Generic UNION query (1) - 41 to 50 columns'
[15:38:46] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'
[15:38:47] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:50] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:51] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:53] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:54] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:56] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:57] [INFO] target url appears to be UNION injectable with 1 columns
[15:38:59] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:00] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:03] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:04] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:05] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:07] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:08] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:10] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:11] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:13] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:14] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:16] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:18] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:19] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:21] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:22] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:24] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:25] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:27] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:28] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:30] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:31] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:33] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:35] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:37] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:38] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:40] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:41] [INFO] target url appears to be UNION injectable with 1 columns
[15:39:41] [INFO] testing 'Generic UNION query (NUL comment) (1) - 11 to 20 columns'
[15:40:27] [INFO] testing 'Generic UNION query (NUL comment) (1) - 21 to 30 columns'
[15:41:11] [INFO] testing 'Generic UNION query (NUL comment) (1) - 31 to 40 columns'
[15:41:56] [INFO] testing 'Generic UNION query (NUL comment) (1) - 41 to 50 columns'
[15:42:42] [WARNING] POST parameter 'BLAH' is not injectable
[15:42:42] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. Please, consider usage of tampering scripts as your target might filter the queries. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details

[*] shutting down at 15:42:42

I didn't start with all of those arguments for sqlmap - I've tried it without: --level=5, --risk=2, --dbms=postgresql, --union-char=1 and --tamper=appendnullbyte and got pretty much the same results for each.

Maybe it's not injectable, but I'd like people's input before I write it off, since it looks very suspect to me.

Thanks

Chris
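Two error responses in this thread are worth telling apart before anyone reaches for a tamper script: the PostgreSQL "invalid byte sequence for encoding "UTF8": 0x00" that Chris's %00' payload produced, and the MySQL 1064 syntax error quoted earlier on this page for the Host header. The triage helper below is an added example (not sqlmap's code and not anything the posters ran) that pulls a captured response apart into its innermost cause and classifies it; both sample responses are constructed, trimmed versions of the quoted ones, and the PostgreSQL point it encodes is that the server rejects a NUL byte in any string value, bound parameters included, so that error alone does not prove injection.

```python
"""Triage of database error responses seen in this thread.

Added example, not sqlmap's code or anything the posters ran; both samples are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample, shaped like the 202 Accepted XML error body, trimmed to a few frames.
POSTGRES_RESPONSE = (
    "HTTP/1.1 202 Accepted\r\n"
    "Content-Type: text/xml;charset=UTF-8\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<errors><error><text><![CDATA[could not load an entity: "
    "[vyre.content.CollectionSchema#165']]]></text><stack-trace><![CDATA["
    "org.springframework.dao.InvalidDataAccessResourceUsageException: "
    "could not load an entity: [vyre.content.CollectionSchema#165']\n"
    " at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:424)\n"
    "Caused by: org.hibernate.exception.DataException: could not load an entity: "
    "[vyre.content.CollectionSchema#165']\n"
    " at org.hibernate.loader.Loader.loadEntity(Loader.java:1874)\n"
    "Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence "
    'for encoding "UTF8": 0x00\n'
    " at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)\n"
    " at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)\n"
    "]]></stack-trace></error></errors>"
)

# Constructed sample, shaped like the MySQL error returned for a quote in the Host header.
MYSQL_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "Error: <br />1064: You have an error in your SQL syntax; check the manual "
    "that corresponds to your MySQL server version for the right syntax to use "
    "near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1"
)


@dataclass
class Triage:
    status: int               # a 2xx carrying a stack trace is itself a finding
    dbms: str                 # "PostgreSQL", "MySQL" or "unknown"
    kind: str                 # "syntax_error", "encoding_error" or "unknown"
    root_cause: str           # innermost database message
    near: str                 # query fragment the server echoed, if any
    prepared_statement: bool  # a JDBC PreparedStatement appears in the trace


def split_response(raw):
    """Return (status code, body) from a raw HTTP response string."""
    head, _, body = raw.partition("\r\n\r\n")
    return int(head.split(" ", 2)[1]), body


def extract_cause(body):
    """Return (innermost cause, stack trace); non-XML bodies are treated as HTML/text."""
    if body.lstrip().startswith("<?xml") or "<errors>" in body:
        root = ET.fromstring(body.encode("utf-8"))
        text = (root.findtext("error/text") or "").strip()
        trace = root.findtext("error/stack-trace") or ""
        # the last "Caused by:" is the exception the database driver actually raised
        causes = [ln.strip()[len("Caused by:"):].strip()
                  for ln in trace.splitlines() if ln.strip().startswith("Caused by:")]
        return (causes[-1] if causes else text), trace
    return re.sub(r"<[^>]+>", " ", body).strip(), ""   # drop tags such as <br />


def triage(raw):
    status, body = split_response(raw)
    cause, trace = extract_cause(body)
    if "org.postgresql" in trace or "PSQLException" in cause:
        dbms = "PostgreSQL"
    elif "MySQL server version" in cause:
        dbms = "MySQL"
    else:
        dbms = "unknown"
    if re.search(r"error in your SQL syntax|syntax error at or near", cause, re.I):
        kind = "syntax_error"     # the input reached the SQL parser
    elif "invalid byte sequence for encoding" in cause:
        kind = "encoding_error"   # PostgreSQL rejects 0x00 in any string, bound or not
    else:
        kind = "unknown"
    near = re.search(r"near '([^']*)'", cause)
    return Triage(status, dbms, kind, cause, near.group(1) if near else "",
                  "PreparedStatement" in trace)


def verdict(t):
    """One-line reading of a Triage for the tester's notes."""
    if t.kind == "syntax_error":
        return ("input broke the statement; the echoed fragment %r is consistent "
                "with SQL built by string concatenation" % t.near)
    if t.kind == "encoding_error":
        hint = ("; a PreparedStatement is on the stack, so check whether the value is "
                "bound or concatenated before calling it injectable") if t.prepared_statement else ""
        return ("the database rejected a NUL byte; bound parameters fail the same way, "
                "so this alone is not evidence of injection" + hint)
    return "unclassified error; keep the response for manual review"
```

The same classification applies to the full response quoted in the post: its innermost cause is the PSQLException, and a DelegatingPreparedStatement is on the stack, which is why Robin's suggestion to confirm by hand (a delay, or a change in the number of rows) is the right next step rather than another tamper script.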
From: Miroslav S. <mir...@gm...> - 2011-12-14 14:47:26
Hi Dmitriy.

Thank you for your report. It should be fixed (hopefully) with the latest commit.

Kind regards

On Wed, Dec 14, 2011 at 3:11 PM, Dmitriy Kononov <dmi...@gm...> wrote:
> sqlmap/1.0-dev (r4583) - automatic SQL injection and database takeover tool
> http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 16:08:19
>
> [16:08:19] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4583), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4583)
> Python version: 2.7.1+
> Operating system: posix
> Command line: ./sqlmap.py -u ***********************
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/_sqlmap.py", line 86, in main
>     start()
>   File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/lib/controller/controller.py", line 335, in start
>     setupTargetEnv()
>   File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/lib/core/target.py", line 395, in setupTargetEnv
>     __createTargetDirs()
>   File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/lib/core/target.py", line 343, in __createTargetDirs
>     conf.outputPath = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, conf.hostname)
> UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 12: ordinal not in range(128)
>
> [*] shutting down at 16:08:19

--
Miroslav Stampar
http://about.me/stamparm
From: Dmitriy K. <dmi...@gm...> - 2011-12-14 14:11:21
sqlmap/1.0-dev (r4583) - automatic SQL injection and database takeover tool
http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:08:19

[16:08:19] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4583), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4583)
Python version: 2.7.1+
Operating system: posix
Command line: ./sqlmap.py -u ***********************
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/_sqlmap.py", line 86, in main
    start()
  File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/lib/controller/controller.py", line 335, in start
    setupTargetEnv()
  File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/lib/core/target.py", line 395, in setupTargetEnv
    __createTargetDirs()
  File "/home/bobbe/Downloads/sqlmap/dev/sqlmap-dev/lib/core/target.py", line 343, in __createTargetDirs
    conf.outputPath = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, conf.hostname)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 12: ordinal not in range(128)

[*] shutting down at 16:08:19
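The traceback in this report and in Miroslav's reply above comes from formatting a hostname that contains non-ASCII bytes (0xd0 is the first byte of a UTF-8 Cyrillic letter) into an output path while Python 2 implicitly decodes it as ASCII. The following is an added example, written for this archive in Python 3 and not taken from sqlmap's code or its fix: it reproduces the codec error on a constructed hostname and shows one robust way to derive an ASCII-only, filesystem-safe per-host output directory (IDNA/punycode, with percent-encoding as fallback). The function names, the `sqlmap-test-` sample prefix and the `/tmp/out` base directory are all assumptions of the example.

```python
import os
import urllib.parse

# Constructed sample: 12 ASCII bytes followed by a UTF-8 Cyrillic hostname,
# so the first non-ASCII byte (0xd0) sits at position 12, as in the report.
SAMPLE_RAW_HOSTNAME = b"sqlmap-test-" + "пример.рф".encode("utf-8")


def ascii_decode_error(raw):
    """Return the message the ASCII codec raises for these bytes, or None.

    This is the failure mode of the report: a byte string holding a
    non-ASCII hostname is decoded as ASCII while being formatted into a path.
    """
    try:
        raw.decode("ascii")
    except UnicodeDecodeError as exc:
        return str(exc)
    return None


def decode_hostname(raw):
    """Decode a hostname taken from a URL or Host header as UTF-8 text, never ASCII."""
    if isinstance(raw, bytes):
        return raw.decode("utf-8", errors="replace")
    return raw


def safe_dir_component(hostname):
    """Map a hostname to an ASCII-only directory name that cannot leave its parent.

    IDNA (punycode) is the standard ASCII form of an internationalised
    hostname, so the same host always maps to the same directory and the
    name survives on filesystems and terminals that are not UTF-8 aware.
    Hostnames IDNA rejects (empty or over-long labels) fall back to
    percent-encoding, which also neutralises path separators.
    """
    try:
        component = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        component = urllib.parse.quote(hostname, safe="")
    for sep in (os.sep, os.altsep):
        if sep:
            component = component.replace(sep, "_")
    if component.strip(".") == "":  # "", "." and ".." are not usable names
        component = "_"
    return component


def output_path_for(base_dir, raw_hostname):
    """Build <base_dir>/<host> from raw input without ever decoding it as ASCII."""
    return os.path.join(base_dir, safe_dir_component(decode_hostname(raw_hostname)))


if __name__ == "__main__":
    print(ascii_decode_error(SAMPLE_RAW_HOSTNAME))
    print(output_path_for("/tmp/out", SAMPLE_RAW_HOSTNAME))
```

The separator and dot checks matter because a hostname is attacker-influenced input (it comes from the URL or the Host header the tool was pointed at), and a directory name built from it should never be able to resolve outside the output root.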
From: Miroslav S. <mir...@gm...> - 2011-12-13 10:43:00
Hi.

Please try to do the 'svn cleanup' first. Nevertheless, you are strongly advised to do the fresh checkout like this:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Kind regards,
Miroslav Stampar

On Fri, Dec 9, 2011 at 10:29 AM, Double Dragon <dou...@gm...> wrote:
> root@bt:/pentest/database/sqlmap# ./sqlmap.py --update
>
> sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.
>
> [*] starting at: 16:14:55
>
> [16:14:55] [INFO] updating sqlmap to latest development version from the subversion repository
>
> [16:14:55] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4009), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4009)
> Python version: 2.6.5
> Operating system: posix
> Command line: ./sqlmap.py --update
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 78, in main
>     init(cmdLineOptions)
>   File "/pentest/database/sqlmap/lib/core/option.py", line 1752, in init
>     update()
>   File "/pentest/database/sqlmap/lib/core/update.py", line 71, in update
>     client.update(rootDir)
> ClientError: Working copy '/pentest/database/sqlmap' locked
>
> [*] shutting down at: 16:14:55
>
> What should I do?

-- 
Miroslav Stampar
http://about.me/stamparm
From: A C <ani...@ya...> - 2011-12-12 22:26:08
Hi sqlmap users,

I've successfully used sqlmap to do wonderful things through parameters of web applications, but I've recently come across an app which seems to have a possible injection flaw in the Host: header field. In other words, if I put a single quote (or other SQL) in the Host: header with my normal HTTP request, I will get back a MySQL error similar to the following:

Error: <br />1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1

I can't seem to find a way to use sqlmap to perform its normal magic - is there a way to do this?

Thanks!
--Anindya
From: Miroslav S. <mir...@gm...> - 2011-12-12 14:32:20
Hi.

Find it fixed in the latest commit. There shouldn't be such large session files in future.

Now, please, before you try it again just do the following (just strip the rest after, for example, the first 20 lines from the original session file):

head -20 <session_file> > tmp
mv tmp <session_file>

Kind regards,
Miroslav Stampar

On Sun, Dec 11, 2011 at 9:32 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> This is odd as now SQLite is used for SQL responses. Could you please take a look into it (at least 'tail' of it) and report what's stored inside?
>
> Kind regards
> On Dec 10, 2011 2:14 PM, "CoeTs7" <tm...@ho...> wrote:
>
>> hi, everyone:
>> first thanks for the improvement the dev team have done. Again i met another problem today:
>> i want to dump a large table into a csv format file using --dump, but the process is interrupted. so i restart the sqlmap to go on dumping process. but sqlmap exited with this error:
>>
>> sqlmap version: 1.0-dev (r4577)
>> Python version: 2.6.5
>> Operating system: posix
>> Command line: /root/sqlmap-dev/sqlmap.py -u ************************************ --data __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTExNTc0NTExMDFkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQhidG5Mb2dpbp3vdb50NBPJYzWlZFZWJJY9toPi&__EVENTVALIDATION=%2FwEWBAKpi5vuDwKl1bKzCQK1qbSRCwKC3IeGDFW12pkpDGT2BoBndGNsu1HoD82G&txtUserName=testf&txtPassword=test&btnLogin.x=18&btnLogin.y=9 -p txtUserName --technique=E -D ***** -T **************** --dump --thread 10
>> Technique: None
>> Back-end DBMS: None (identified)
>> Traceback (most recent call last):
>>   File "/root/sqlmap-dev/_sqlmap.py", line 86, in main
>>     start()
>>   File "/root/sqlmap-dev/lib/controller/controller.py", line 335, in start
>>     setupTargetEnv()
>>   File "/root/sqlmap-dev/lib/core/target.py", line 397, in setupTargetEnv
>>     __setOutputResume()
>>   File "/root/sqlmap-dev/lib/core/target.py", line 220, in __setOutputResume
>>     for line in readSessionFP.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used
>>   File "/usr/lib/python2.6/codecs.py", line 674, in readlines
>>     return self.reader.readlines(sizehint)
>>   File "/usr/lib/python2.6/codecs.py", line 583, in readlines
>>     data = self.read()
>>   File "/usr/lib/python2.6/codecs.py", line 472, in read
>>     newchars, decodedbytes = self.decode(data, self.errors)
>> MemoryError
>>
>> the session file is about 800MB. i think the problem is that sqlmap is trying to load the whole session file into memory but there is not enough memory left.
>> is there any solution to solve this big file problem? thx a lot.
>>
>> Regards,
>> tm3y

-- 
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2011-12-12 09:33:42
Thank you.

Find it fixed and committed in current revision.

Kind regards

On Sat, Dec 10, 2011 at 7:04 AM, <nig...@em...> wrote:
> Hi,
>
> I found a new Bug.
>
> [06:00:07] [INFO] testing connection to the target url
> [06:00:23] [CRITICAL] page not found (404)
> it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] n
> [06:00:59] [INFO] testing if the url is stable, wait a few seconds
> [06:01:03] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] s
> [06:05:00] [INFO] finding static words in longest matching part of dynamic page content
> [06:05:00] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 2 times
>
> [06:05:00] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4577), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4577)
> Python version: 2.7.2
> Operating system: nt
> Command line: C:\test\sqlmap-0-9\sqlmap.py -u ********************* --crawl=10 --threads=6 --random-agent --retries=6 --level 5 --risk 3 -f -b --dbms=mysql
> Technique: None
> Back-end DBMS: MySQL (identified)
> Traceback (most recent call last):
>   File "C:\test\sqlmap-0-9\_sqlmap.py", line 86, in main
>     start()
>   File "C:\test\sqlmap-0-9\lib\controller\controller.py", line 377, in start
>     checkStability()
>   File "C:\test\sqlmap-0-9\lib\controller\checks.py", line 775, in checkStability
>     showStaticWords(firstPage, secondPage)
>   File "C:\test\sqlmap-0-9\lib\core\common.py", line 1633, in showStaticWords
>     match = SequenceMatcher(None, firstPage, secondPage).find_longest_match(0, len(firstPage), 0, len(secondPage))
> TypeError: object of type 'NoneType' has no len()
>
> [*] shutting down at 06:05:00

-- 
Miroslav Stampar
http://about.me/stamparm
From: Bob S. <bo...@si...> - 2011-12-11 13:35:27
The developer uses -1 to say no menu should be shown; other values have specific meaning. The suggestion to use %2d for the - sign seems to have worked. I just found another such case for the _ character as part of a parameter name.

I am a little surprised that it is assumed more likely that a person captured the requests while doing manual injection testing than that the application uses - and _ symbols in their application. I guess using them is a bit of a security measure :-)

SQLMap sure is a great tool and amazingly thorough. I am also pretty impressed with the documentation; it is well written and covers most of what a beginner would want to know.

I appreciate it. Thanks!
Bob

----- Original Message -----
From: Miroslav Stampar
To: Bob Simonoff
Cc: sql...@li...
Sent: Sunday, December 11, 2011 3:37 AM
Subject: Re: [sqlmap-users] An incorrectly identified "tainted" parameter

Hi.

Thing is that in general negative parameter values are a leftover from manual injection attempts causing problems in some cases. Hence the warning/error message.

Have you tried just to change that -1 value to 1 for ShowMenu parameter?

Kind regards

On Dec 10, 2011 3:23 PM, "Bob Simonoff" <bo...@si...> wrote:

I received this message:

[23:28:33] [CRITICAL] you have provided tainted parameter values (ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to do a valid run.

Here is a portion of the POSTed data that surrounds this parameter.

fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N

The parameters were captured directly using burpsuite while I was running the UI. I was performing no injection testing when this was captured. I looked for each of the listed parameters in the posted data and they do not appear. (note there are more parameters but I would rather send those privately if possible).

I am running a recent svn extract of the dev stream (1.0)

Thanks
Bob
From: Miroslav S. <mir...@gm...> - 2011-12-11 08:37:44
Hi.

Thing is that in general negative parameter values are a leftover from manual injection attempts causing problems in some cases. Hence the warning/error message.

Have you tried just to change that -1 value to 1 for ShowMenu parameter?

Kind regards

On Dec 10, 2011 3:23 PM, "Bob Simonoff" <bo...@si...> wrote:
> I received this message:
>
> [23:28:33] [CRITICAL] you have provided tainted parameter values (ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to do a valid run.
>
> Here is a portion of the POSTed data that surrounds this parameter.
>
> fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N
>
> The parameters were captured directly using burpsuite while I was running the UI. I was performing no injection testing when this was captured. I looked for each of the listed parameters in the posted data and they do not appear. (note there are more parameters but I would rather send those privately if possible).
>
> I am running a recent svn extract of the dev stream (1.0)
>
> Thanks
> Bob
From: Miroslav S. <mir...@gm...> - 2011-12-11 08:33:01
Hi.

This is odd as now SQLite is used for SQL responses. Could you please take a look into it (at least 'tail' of it) and report what's stored inside?

Kind regards

On Dec 10, 2011 2:14 PM, "CoeTs7" <tm...@ho...> wrote:
> hi, everyone:
> first thanks for the improvement the dev team have done. Again i met another problem today:
> i want to dump a large table into a csv format file using --dump, but the process is interrupted. so i restart the sqlmap to go on dumping process. but sqlmap exited with this error:
>
> sqlmap version: 1.0-dev (r4577)
> Python version: 2.6.5
> Operating system: posix
> Command line: /root/sqlmap-dev/sqlmap.py -u ************************************ --data __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTExNTc0NTExMDFkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQhidG5Mb2dpbp3vdb50NBPJYzWlZFZWJJY9toPi&__EVENTVALIDATION=%2FwEWBAKpi5vuDwKl1bKzCQK1qbSRCwKC3IeGDFW12pkpDGT2BoBndGNsu1HoD82G&txtUserName=testf&txtPassword=test&btnLogin.x=18&btnLogin.y=9 -p txtUserName --technique=E -D ***** -T **************** --dump --thread 10
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "/root/sqlmap-dev/_sqlmap.py", line 86, in main
>     start()
>   File "/root/sqlmap-dev/lib/controller/controller.py", line 335, in start
>     setupTargetEnv()
>   File "/root/sqlmap-dev/lib/core/target.py", line 397, in setupTargetEnv
>     __setOutputResume()
>   File "/root/sqlmap-dev/lib/core/target.py", line 220, in __setOutputResume
>     for line in readSessionFP.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used
>   File "/usr/lib/python2.6/codecs.py", line 674, in readlines
>     return self.reader.readlines(sizehint)
>   File "/usr/lib/python2.6/codecs.py", line 583, in readlines
>     data = self.read()
>   File "/usr/lib/python2.6/codecs.py", line 472, in read
>     newchars, decodedbytes = self.decode(data, self.errors)
> MemoryError
>
> the session file is about 800MB. i think the problem is that sqlmap is trying to load the whole session file into memory but there is not enough memory left.
> is there any solution to solve this big file problem? thx a lot.
>
> Regards,
> tm3y
From: Brandon P. <bpe...@gm...> - 2011-12-10 18:58:04
Can you replace the (-) with %2d, its hexadecimal representation?

On Sat, Dec 10, 2011 at 8:22 AM, Bob Simonoff <bo...@si...> wrote:
> I received this message:
>
> [23:28:33] [CRITICAL] you have provided tainted parameter values (ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to do a valid run.
>
> Here is a portion of the POSTed data that surrounds this parameter.
>
> fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N
>
> The parameters were captured directly using burpsuite while I was running the UI. I was performing no injection testing when this was captured. I looked for each of the listed parameters in the posted data and they do not appear. (note there are more parameters but I would rather send those privately if possible).
>
> I am running a recent svn extract of the dev stream (1.0)
>
> Thanks
> Bob

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Bob S. <bo...@si...> - 2011-12-10 14:23:04
I received this message:

[23:28:33] [CRITICAL] you have provided tainted parameter values (ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to do a valid run.

Here is a portion of the POSTed data that surrounds this parameter.

fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N

The parameters were captured directly using burpsuite while I was running the UI. I was performing no injection testing when this was captured. I looked for each of the listed parameters in the posted data and they do not appear. (note there are more parameters but I would rather send those privately if possible).

I am running a recent svn extract of the dev stream (1.0)

Thanks
Bob
From: CoeTs7 <tm...@ho...> - 2011-12-10 13:13:37
hi, everyone:
first thanks for the improvement the dev team have done. Again i met another problem today:
i want to dump a large table into a csv format file using --dump, but the process is interrupted. so i restart the sqlmap to go on dumping process. but sqlmap exited with this error:

sqlmap version: 1.0-dev (r4577)
Python version: 2.6.5
Operating system: posix
Command line: /root/sqlmap-dev/sqlmap.py -u ************************************ --data __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTExNTc0NTExMDFkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQhidG5Mb2dpbp3vdb50NBPJYzWlZFZWJJY9toPi&__EVENTVALIDATION=%2FwEWBAKpi5vuDwKl1bKzCQK1qbSRCwKC3IeGDFW12pkpDGT2BoBndGNsu1HoD82G&txtUserName=testf&txtPassword=test&btnLogin.x=18&btnLogin.y=9 -p txtUserName --technique=E -D ***** -T **************** --dump --thread 10
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "/root/sqlmap-dev/_sqlmap.py", line 86, in main
    start()
  File "/root/sqlmap-dev/lib/controller/controller.py", line 335, in start
    setupTargetEnv()
  File "/root/sqlmap-dev/lib/core/target.py", line 397, in setupTargetEnv
    __setOutputResume()
  File "/root/sqlmap-dev/lib/core/target.py", line 220, in __setOutputResume
    for line in readSessionFP.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used
  File "/usr/lib/python2.6/codecs.py", line 674, in readlines
    return self.reader.readlines(sizehint)
  File "/usr/lib/python2.6/codecs.py", line 583, in readlines
    data = self.read()
  File "/usr/lib/python2.6/codecs.py", line 472, in read
    newchars, decodedbytes = self.decode(data, self.errors)
MemoryError

the session file is about 800MB. i think the problem is that sqlmap is trying to load the whole session file into memory but there is not enough memory left.
is there any solution to solve this big file problem? thx a lot.

Regards,
tm3y
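The MemoryError in this report, and the `head -20 <session_file> > tmp; mv tmp <session_file>` workaround Miroslav gives in his reply further up the page, both come down to the same point: `readlines()` materialises every line of an 800 MB file in memory, whereas iterating the file object streams it. The block below is an added example written for this archive, not sqlmap's code: it builds a constructed session file (the `key][value` line layout is an assumption of the example, not sqlmap's real session format), resumes from it with bounded memory, and truncates it in place the way the shell one-liner does. All function names are the example's own.

```python
import io
import os
import tempfile


def write_constructed_session(path, n_lines):
    """Write a constructed sample session file, one 'key][value' entry per line.

    The layout is an assumption made for this example, not sqlmap's real
    session format; the point is only that the file may exceed memory.
    """
    with io.open(path, "w", encoding="utf-8") as fp:
        for i in range(n_lines):
            fp.write("http://example.test/%d][row-%d\n" % (i % 3, i))


def iter_session_entries(path):
    """Yield (key, value) pairs one line at a time.

    Iterating the file object streams it, so memory use is bounded by the
    longest line. readlines(), the call in the traceback, first builds a
    list holding every line, which is what exhausted memory on 800 MB.
    """
    with io.open(path, "r", encoding="utf-8", errors="replace") as fp:
        for line in fp:
            line = line.rstrip("\n")
            if "][" not in line:
                continue  # skip blank or malformed lines rather than abort the resume
            key, value = line.split("][", 1)
            yield key, value


def resume_rows_for(path, key):
    """Keep only the rows recorded for one key; the rest is discarded as it streams by."""
    return [value for k, value in iter_session_entries(path) if k == key]


def truncate_to_first_lines(path, keep):
    """Same effect as 'head -N file > tmp; mv tmp file', without loading the file."""
    tmp = path + ".tmp"
    with io.open(path, "r", encoding="utf-8", errors="replace") as src, \
            io.open(tmp, "w", encoding="utf-8") as dst:
        for i, line in enumerate(src):
            if i >= keep:
                break
            dst.write(line)
    os.replace(tmp, path)  # atomic swap: a crash never leaves a half-written session


def count_lines(path):
    with io.open(path, "r", encoding="utf-8", errors="replace") as fp:
        return sum(1 for _ in fp)


def demo(n_lines=3000, keep=20):
    """Run the whole flow in a scratch directory and report what happened."""
    workdir = tempfile.mkdtemp(prefix="session-demo-")
    path = os.path.join(workdir, "session")
    write_constructed_session(path, n_lines)
    before = count_lines(path)
    rows = resume_rows_for(path, "http://example.test/1")
    truncate_to_first_lines(path, keep)
    after = count_lines(path)
    return {"before": before, "rows": len(rows), "first_row": rows[0], "after": after}


if __name__ == "__main__":
    print(demo())
```

The `errors="replace"` argument is deliberate: a session file that was cut off mid-write (the interrupted dump in the report) can end in a partial multi-byte sequence, and a resume should degrade to one garbled character rather than fail on decode.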
From: <nig...@em...> - 2011-12-10 06:04:09
Hi,

I found a new Bug.

[06:00:07] [INFO] testing connection to the target url
[06:00:23] [CRITICAL] page not found (404)
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] n
[06:00:59] [INFO] testing if the url is stable, wait a few seconds
[06:01:03] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] s
[06:05:00] [INFO] finding static words in longest matching part of dynamic page content
[06:05:00] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 2 times

[06:05:00] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4577), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4577)
Python version: 2.7.2
Operating system: nt
Command line: C:\test\sqlmap-0-9\sqlmap.py -u ********************* --crawl=10 --threads=6 --random-agent --retries=6 --level 5 --risk 3 -f -b --dbms=mysql
Technique: None
Back-end DBMS: MySQL (identified)
Traceback (most recent call last):
  File "C:\test\sqlmap-0-9\_sqlmap.py", line 86, in main
    start()
  File "C:\test\sqlmap-0-9\lib\controller\controller.py", line 377, in start
    checkStability()
  File "C:\test\sqlmap-0-9\lib\controller\checks.py", line 775, in checkStability
    showStaticWords(firstPage, secondPage)
  File "C:\test\sqlmap-0-9\lib\core\common.py", line 1633, in showStaticWords
    match = SequenceMatcher(None, firstPage, secondPage).find_longest_match(0, len(firstPage), 0, len(secondPage))
TypeError: object of type 'NoneType' has no len()

[*] shutting down at 06:05:00
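The crash in this report (and in the fixed-and-committed reply above) is a None page body reaching `SequenceMatcher.find_longest_match` after the target answered two 404s, so `len(firstPage)` fails. As an added example, not sqlmap's code or its actual fix, the block below shows a page-stability check of the same shape that tolerates a missing body: the longest shared block is computed only when both bodies are present, and the "static words" offered for `--string` come from that block. The two page bodies are constructed samples; the function names and the `min_len` threshold are assumptions of the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample page bodies: same template, different per-request session id.
PAGE_FIRST = "<html><body>Welcome to the shop. Session id: 1234</body></html>"
PAGE_SECOND = "<html><body>Welcome to the shop. Session id: 5678</body></html>"


def longest_common_block(first, second):
    """Return the longest run of text the two bodies share.

    Either body may be None when the target answered with an error page
    and no content was kept (the two 404s in the report); guarding for
    that is what prevents the len(None) TypeError in the traceback.
    """
    if not first or not second:
        return ""
    matcher = SequenceMatcher(None, first, second)
    match = matcher.find_longest_match(0, len(first), 0, len(second))
    return first[match.a:match.a + match.size]


def static_words(first, second, min_len=4):
    """Words from the shared block that are usable as a page-comparison string.

    Short tokens are dropped and duplicates collapsed case-insensitively,
    so the list offered to the user is short and each entry is distinctive.
    """
    block = longest_common_block(first, second)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9_-]*", block):
        if len(word) >= min_len and word.lower() not in seen:
            seen.add(word.lower())
            words.append(word)
    return words


def page_is_stable(first, second):
    """A page counts as stable only when two fetches returned identical content.

    A missing body on either fetch is reported as unstable rather than
    stable, so the caller falls through to the comparison heuristics
    instead of trusting an error page.
    """
    if first is None or second is None:
        return False
    return first == second


if __name__ == "__main__":
    print(page_is_stable(PAGE_FIRST, PAGE_SECOND))
    print(static_words(PAGE_FIRST, PAGE_SECOND))
```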
From: Double D. <dou...@gm...> - 2011-12-09 09:29:13
root@bt:/pentest/database/sqlmap# ./sqlmap.py --update

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 16:14:55

[16:14:55] [INFO] updating sqlmap to latest development version from the subversion repository

[16:14:55] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4009), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4009)
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py --update
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "./sqlmap.py", line 78, in main
    init(cmdLineOptions)
  File "/pentest/database/sqlmap/lib/core/option.py", line 1752, in init
    update()
  File "/pentest/database/sqlmap/lib/core/update.py", line 71, in update
    client.update(rootDir)
ClientError: Working copy '/pentest/database/sqlmap' locked

[*] shutting down at: 16:14:55

What should I do?
From: Jacco v. T. <jac...@gm...> - 2011-12-08 12:56:17
running sqlmap in backtrack 5 it gives me the following error:

sqlmap version: 1.0-dev (r4577)
Python version: 2.6.5
Operating system: posix
Command line: sqlmap.py -u ******************************************************************** --forms --tor --random-agent --dump-all --exclude-sys --level=3 --risk=3 -o
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "/pentest/database/sqlmap/sqlmap/_sqlmap.py", line 77, in main
    init(cmdLineOptions)
  File "/pentest/database/sqlmap/sqlmap/lib/core/option.py", line 1857, in init
    __findPageForms()
  File "/pentest/database/sqlmap/sqlmap/lib/core/option.py", line 540, in __findPageForms
    findPageForms(page, conf.url, True, True)
  File "/pentest/database/sqlmap/sqlmap/lib/core/common.py", line 3117, in findPageForms
    item.selected = True
  File "/pentest/database/sqlmap/sqlmap/extra/clientform/clientform.py", line 1653, in __setattr__
    self._control._set_selected_state(self, value)
  File "/pentest/database/sqlmap/sqlmap/extra/clientform/clientform.py", line 1917, in _set_selected_state
    raise AttributeError("control '%s' is disabled" % self.name)
AttributeError: control 'ctl00$ctl00$SiteMainContent$MainContentLeft$ctl01$ctl00$ListControlRender$VersionFilter' is disabled

[*] shutting down at 07:39:51
From: Miroslav S. <mir...@gm...> - 2011-12-05 08:17:52
Hi m4l1c3.

Find this (both reports) fixed with the latest commit (r4575).

Kind regards,
Miroslav Stampar

p.s. I see you are using combo --crawl --forms --smart. I'll just say nice that you've figured that by yourself as that combination is a really useful one ;)

On Mon, Dec 5, 2011 at 3:39 AM, m4l1c3 <mal...@gm...> wrote:
> sqlmap version: 1.0-dev (r4574)
> Python version: 2.6.5
> Operating system: posix
> Command line: ./sqlmap.py -u ********************* --batch --dbs --forms --crawl 3 --technique=U --threads 10 --level 3 --risk 2 --smart --random-agent --tor
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "/pentest/database/sqlmap/lib/core/threads.py", line 123, in runThreads
>     threadFunction()
>   File "/pentest/database/sqlmap/lib/utils/crawler.py", line 61, in crawlThread
>     content = Request.getPage(url=current, crawling=True, raise404=False)[0]
>   File "/pentest/database/sqlmap/lib/request/connect.py", line 302, in getPage
>     conn = urllib2.urlopen(req)
>   File "/usr/lib/python2.6/urllib2.py", line 126, in urlopen
>     return _opener.open(url, data, timeout)
>   File "/usr/lib/python2.6/urllib2.py", line 391, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.6/urllib2.py", line 409, in _open
>     '_open', req)
>   File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.6/urllib2.py", line 1161, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.6/urllib2.py", line 1133, in do_open
>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>   File "/usr/lib/python2.6/httplib.py", line 910, in request
>     self._send_request(method, url, body, headers)
>   File "/usr/lib/python2.6/httplib.py", line 947, in _send_request
>     self.endheaders()
>   File "/usr/lib/python2.6/httplib.py", line 904, in endheaders
>     self._send_output()
>   File "/usr/lib/python2.6/httplib.py", line 776, in _send_output
>     self.send(msg)
>   File "/usr/lib/python2.6/httplib.py", line 735, in send
>     self.connect()
>   File "/usr/lib/python2.6/httplib.py", line 716, in connect
>     self.timeout)
>   File "/pentest/database/sqlmap/extra/socks/socks.py", line 410, in create_connection
>     except error as _:
> NameError: global name 'error' is not defined
> [21:37:24] [WARNING] no usable links found (with GET parameters)
>
> Thanks, everyone, for your continued efforts to develop this program.

-- 
Miroslav Stampar
http://about.me/stamparm