sqlmap-users Mailing List for sqlmap (Page 95)
From: execute <ex...@gm...> - 2011-05-07 17:46:26

Hey,

I'm using the error-based technique for extracting data from an MSSQL server (2005 - 9.00.4053.00). It seems like concatenating the sub-query with a string doesn't work well - for some reason, the webserver returns the regular response for "row not found" instead of throwing an error. I tested it manually and found the following:

- ') AND 3792=CONVERT(INT,(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) --
  Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'TABLE-NAME' to data type int.")
- ') AND 3792=CONVERT(INT,(SELECT TOP 1 'x:' + name FROM sysobjects WHERE xtype = 'U')) --
  Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'x:TABLE-NAME' to data type int.")
- ') AND 3792=CONVERT(INT,'x:'+(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) --
  Doesn't work - just returns 'page not found' (not a 404 error, an error from the script telling that no rows were found)

Can anyone test and confirm this? I'm not quite sure why that happens, but it seems like it can easily be fixed by adding the strings inside the sub-query (SELECT ':foo'+...+':bar:') instead of outside of it as it does now.

Thanks
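Added here as an illustration for defenders, not code from the post or from sqlmap: a small Python checker that flags the CONVERT(INT, (SELECT ...)) probe shape described above in web access logs and extracts whatever a verbose "Conversion failed ..." error page hands back to the client. The log lines, the response body and the /items.asp path are constructed sample data.

```python
# Added example (not from the list post): flag MSSQL error-based SQLi probes of
# the CONVERT(INT, (SELECT ...)) shape in an access log, and spot the verbose
# "Conversion failed ..." message that leaks the subquery result to the client.
# All log lines and the response body below are constructed sample data.
import re
from urllib.parse import unquote_plus

# Constructed combined-log-format lines; the second and third carry the two
# payload shapes discussed in the post (percent-encoded as a browser would).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [07/May/2011:17:40:01 +0000] "GET /items.asp?id=12 HTTP/1.1" 200 4821
10.0.0.9 - - [07/May/2011:17:40:07 +0000] "GET /items.asp?id=12')+AND+3792%3DCONVERT(INT,(SELECT+TOP+1+name+FROM+sysobjects+WHERE+xtype+%3D+'U'))+-- HTTP/1.1" 500 1203
10.0.0.9 - - [07/May/2011:17:40:09 +0000] "GET /items.asp?id=12')+AND+3792%3DCONVERT(INT,'x:'%2B(SELECT+TOP+1+name+FROM+sysobjects+WHERE+xtype+%3D+'U'))+-- HTTP/1.1" 200 311
10.0.0.7 - - [07/May/2011:17:41:00 +0000] "GET /search.asp?q=convert+int+values HTTP/1.1" 200 2200
"""

# Constructed body of the kind a verbose error page returns when the DBMS
# error text is passed straight through to the browser.
SAMPLE_RESPONSE_BODY = (
    "<html><body>Database error:<br>"
    "Conversion failed when converting the nvarchar value 'x:tbl_accounts' "
    "to data type int.<br>/items.asp, line 42</body></html>"
)

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Probe shape from the post: CONVERT(INT, ...) wrapping a subquery, in any
# spacing or case; the INT target type is what forces the conversion error.
PROBE_RE = re.compile(r"CONVERT\s*\(\s*INT\s*,.*?\bSELECT\b", re.IGNORECASE | re.DOTALL)

# The oracle message itself; the captured value is what the server leaked.
LEAK_RE = re.compile(
    r"Conversion failed when converting the n?varchar value "
    r"'(?P<value>[^']*)' to data type int"
)


def parse_request(line):
    """Return method, URL-decoded target and status from one log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return {
        "method": m.group("method"),
        "target": unquote_plus(m.group("target")),  # decodes %3D, %2B and '+'
        "status": int(m.group("status")),
    }


def is_error_based_probe(decoded_target):
    """True when the decoded request target carries the CONVERT/SELECT shape."""
    return PROBE_RE.search(decoded_target) is not None


def find_probes(log_text):
    """Return (decoded target, HTTP status) for every request that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req and is_error_based_probe(req["target"]):
            hits.append((req["target"], req["status"]))
    return hits


def leaked_values(response_body):
    """Values the DBMS conversion error handed back to the client (empty if none)."""
    return [m.group("value") for m in LEAK_RE.finditer(response_body)]


if __name__ == "__main__":
    for target, status in find_probes(SAMPLE_ACCESS_LOG):
        print(f"probe (HTTP {status}): {target}")
    for value in leaked_values(SAMPLE_RESPONSE_BODY):
        print(f"leaked via conversion error: {value!r}")
```

A probe that is answered with HTTP 200 (the third sample line) is the case the post describes, so status alone is not a reliable signal; match on the request shape and on the error text in the response.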
From: ultramegaman <sec...@ul...> - 2011-05-07 16:36:35

Rev. 3854

I was running it in a screen session, so I'm missing the top part of the error message. The only command-line flag given was --dump-all

Sorry I can't be more helpful.

  File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll
    data = self.dumpTable()
  File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable
    return self.dumpAll()
  File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1683, in dumpAll
    data = self.dumpTable()
  File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1395, in dumpTable
    return self.dumpAll()
  [the same pair of dumpAll / dumpTable frames is repeated many more times]
  File "/tmp/sqlmap-dev/plugins/generic/enumeration.py", line 1663, in dumpAll
    logger.info(infoMsg)
  File "/usr/lib/python2.6/logging/__init__.py", line 1056, in info
    self._log(INFO, msg, args, **kwargs)
  File "/usr/lib/python2.6/logging/__init__.py", line 1173, in _log
    self.handle(record)
  File "/usr/lib/python2.6/logging/__init__.py", line 1183, in handle
    self.callHandlers(record)
  File "/usr/lib/python2.6/logging/__init__.py", line 1220, in callHandlers
    hdlr.handle(record)
  File "/usr/lib/python2.6/logging/__init__.py", line 679, in handle
    self.emit(record)
  File "/usr/lib/python2.6/logging/__init__.py", line 804, in emit
    self.handleError(record)
  File "/usr/lib/python2.6/logging/__init__.py", line 733, in handleError
    traceback.print_exception(ei[0], ei[1], ei[2], None, sys.stderr)
  File "/usr/lib/python2.6/traceback.py", line 125, in print_exception
    print_tb(tb, limit, file)
  File "/usr/lib/python2.6/traceback.py", line 57, in print_tb
    if hasattr(sys, 'tracebacklimit'):
AttributeError: 'module' object has no attribute 'tracebacklimit'
From: Alexander H. <ah...@pr...> - 2011-05-07 13:36:39

sqlmap version: 1.0-dev (r3854)
Python version: 2.6.6
Operating system: posix
Command line: ./sqlmap.py -u *********************************************************************** --is-dba
Technique: UNION
Back-end DBMS: Microsoft Access (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/home/tools/sqlmap/lib/controller/controller.py", line 494, in start
    action()
  File "/home/tools/sqlmap/lib/controller/action.py", line 70, in action
    conf.dumper.dba(conf.dbmsHandler.isDba())
  File "/home/tools/sqlmap/plugins/generic/enumeration.py", line 151, in isDba
    query = queries[Backend.getIdentifiedDbms()].is_dba.query
  File "/home/tools/sqlmap/extra/xmlobject/xmlobject.py", line 372, in __getattr__
    raise AttributeError(attr)
AttributeError: query

[*] shutting down at: 16:00:39

--
Alexander Hagenah
Dubai, UAE.
Mobile: +971 (0)50 6448151
Key ID (2048bit): 0x354C0DDB
Fingerprint: FBA1 439F 7343 3729 18AF D62C 54DE FD22 354C 0DDB
From: Miroslav S. <mir...@gm...> - 2011-05-06 14:00:50

hi wlad.

On Fri, May 6, 2011 at 3:52 PM, W W <wla...@li...> wrote:
> Hi, there are some problems with sqlmap. At first, the only SQL comment character
> which is used is #. I tried editing xml/queries.xml manually to enforce
> using -- because in some situations injections with # or /* didn't work.
> So nothing happened after editing, and that's why I can't use it successfully,
> but there is union injection 100%.

with how many columns?

> Second. Some code implies sending an http
> response header in blind injection when a false situation appears. For example,
> http://url/script?id=1 and 1=1 Response code: 200 (OK) but when
> http://url/script?id=1 and 1=0 Response code 404 (not found) etc. This really
> kicks sqlmap out of mission immediately.

this shouldn't be a problem. in blind injections sqlmap uses 404 as a response for FALSE.

> Tested on sqlmap/0.9 (stable) and sqlmap/1.0-dev (r3849)
> Python 2.7

could you please contact me privately with further details and i could later today help you with this situation?

> Thanks for a great work :)
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today. Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: W W <wla...@li...> - 2011-05-06 13:52:43

Hi, there are some problems with sqlmap.

At first, the only SQL comment character which is used is #. I tried editing xml/queries.xml manually to enforce using -- because in some situations injections with # or /* didn't work. So nothing happened after editing, and that's why I can't use it successfully, but there is union injection 100%.

Second. Some code implies sending an http response header in blind injection when a false situation appears. For example, http://url/script?id=1 and 1=1 Response code: 200 (OK) but when http://url/script?id=1 and 1=0 Response code 404 (not found) etc. This really kicks sqlmap out of mission immediately.

Tested on sqlmap/0.9 (stable) and sqlmap/1.0-dev (r3849)
Python 2.7

Thanks for a great work :)
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-05 22:25:44

Hi Muto,

On 5 May 2011 19:58, Muto kirov <mut...@gm...> wrote:
> I have set up a vulnerable php site with MySQL and used sqlmap against it to
> test it. All working, except for the --os-shell, --os-pwn and the other os
> system access commands. The problem is that sqlmap cannot upload the stager,
> even when i specify the correct document root. Why is that happening ?

Did you verify that at least one folder within the document root is writable by the OS user running the Apache instance (www-data or nobody on GNU/Linux usually)?

If so, please rerun by providing *first* the document root (eg. /var/www) and secondly, when asked, the exact full path of the writable directory (eg /var/www/writablefolder).

If the folder is writable and the MySQL instance is running on the same OS as the web server and the DBMS user running the query (session user) has at least the FILE privilege, then sqlmap will succeed. If not, then there is potentially a bug and I recommend you answer Miroslav's questions and provide us with further details (-t traffic.log -v3 --fresh-queries full output).

Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2011-05-05 20:54:26

hi Muto.

obviously it's very hard to answer generic questions like these :)

to get into the core there are 5 things that would be very helpful to further investigate this case:

1) which backend OS are you using for hosting the PHP/MySQL web server
2) which techniques are recognized as exploitable (blind, timed, ...)
3) what's the version of the backend MySQL (5.5?)
4) it would be great if you could post the resulting traffic.txt after usage of: -t traffic.txt --fresh-queries
5) what are the symptoms (warnings, criticals, ...) after running those --os-... switches

kr

On Thu, May 5, 2011 at 8:58 PM, Muto kirov <mut...@gm...> wrote:
> I have set up a vulnerable php site with MySQL and used sqlmap against it to
> test it. All working, except for the --os-shell, --os-pwn and the other os
> system access commands. The problem is that sqlmap cannot upload the stager,
> even when i specify the correct document root. Why is that happening ?

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Muto k. <mut...@gm...> - 2011-05-05 20:04:31

I have set up a vulnerable php site with MySQL and used sqlmap against it to test it. All working, except for the --os-shell, --os-pwn and the other os system access commands. The problem is that sqlmap cannot upload the stager, even when i specify the correct document root. Why is that happening?
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-05 10:51:29

It has been recently documented in the user's manual under the 'URI injection point' paragraph. You'll see that in the version from subversion.

Bernardo

On 5 May 2011 11:36, Adrian Lewis <bra...@gm...> wrote:
> Ahh, wasn't aware of that. I'll give it a go and report back. Cheers
>
> On Thu, May 5, 2011 at 9:10 AM, Miroslav Stampar <mir...@gm...> wrote:
>> hi Adrian.
>>
>> have you tried to scan like this:
>>
>> ./sqlmap.py -u "http://www.example.com/news/99*"
>>
>> that * mark will point sqlmap to scan for sql injection inside the URI itself.
>>
>> kr
>>
>> On Thu, May 5, 2011 at 9:33 AM, Adrian Lewis <bra...@gm...> wrote:
>> > Hi All,
>> > Hoping you might have some insight here. I've been using SQLMap for a while
>> > and it's fantastic, very promptly updated too, been watching the list for a
>> > while :)
>> > Ran into a case a while back where the client was using rewritten URLs i.e.
>> > rather than http://www.example.com/index.php?id=99 the URL was
>> > http://www.example.com/news/99
>> > The ID field was vuln to SQLi but there was an automatic redirect
>> > (unconditional) if I used the full URI (index.php... etc).
>> > Tried to use SQLMap to have a go at it but it didn't seem up to it. Is this
>> > by design or is there a way this could be altered in some way?
>> >
>> > Cheers!
>>
>> --
>> Miroslav Stampar
>>
>> E-mail: miroslav.stampar (at) gmail.com
>> PGP Key ID: 0xB5397B1B
>
> --
>
> Adrian Lewis

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Adrian L. <bra...@gm...> - 2011-05-05 10:36:55

Ahh, wasn't aware of that. I'll give it a go and report back. Cheers

On Thu, May 5, 2011 at 9:10 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi Adrian.
>
> have you tried to scan like this:
>
> ./sqlmap.py -u "http://www.example.com/news/99*"
>
> that * mark will point sqlmap to scan for sql injection inside the URI
> itself.
>
> kr
>
> On Thu, May 5, 2011 at 9:33 AM, Adrian Lewis <bra...@gm...> wrote:
> > Hi All,
> > Hoping you might have some insight here. I've been using SQLMap for a while
> > and it's fantastic, very promptly updated too, been watching the list for a
> > while :)
> > Ran into a case a while back where the client was using rewritten URLs i.e.
> > rather than http://www.example.com/index.php?id=99 the URL was
> > http://www.example.com/news/99
> > The ID field was vuln to SQLi but there was an automatic redirect
> > (unconditional) if I used the full URI (index.php... etc).
> > Tried to use SQLMap to have a go at it but it didn't seem up to it. Is this
> > by design or is there a way this could be altered in some way?
> >
> > Cheers!
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Adrian Lewis
From: Miroslav S. <mir...@gm...> - 2011-05-05 08:10:30

hi Adrian.

have you tried to scan like this:

./sqlmap.py -u "http://www.example.com/news/99*"

that * mark will point sqlmap to scan for sql injection inside the URI itself.

kr

On Thu, May 5, 2011 at 9:33 AM, Adrian Lewis <bra...@gm...> wrote:
> Hi All,
> Hoping you might have some insight here. I've been using SQLMap for a while
> and it's fantastic, very promptly updated too, been watching the list for a
> while :)
> Ran into a case a while back where the client was using rewritten URLs i.e.
> rather than http://www.example.com/index.php?id=99 the URL was
> http://www.example.com/news/99
> The ID field was vuln to SQLi but there was an automatic redirect
> (unconditional) if I used the full URI (index.php... etc).
> Tried to use SQLMap to have a go at it but it didn't seem up to it. Is this
> by design or is there a way this could be altered in some way?
>
> Cheers!

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Adrian L. <bra...@gm...> - 2011-05-05 07:33:11

Hi All,

Hoping you might have some insight here. I've been using SQLMap for a while and it's fantastic, very promptly updated too, been watching the list for a while :)

Ran into a case a while back where the client was using rewritten URLs, i.e. rather than http://www.example.com/index.php?id=99 the URL was http://www.example.com/news/99

The ID field was vuln to SQLi but there was an automatic redirect (unconditional) if I used the full URI (index.php... etc).

Tried to use SQLMap to have a go at it but it didn't seem up to it. Is this by design or is there a way this could be altered in some way?

Cheers!
From: <bu...@gm...> - 2011-05-04 14:21:42

On 05/04/2011 04:13 PM, Bernardo Damele A. G. wrote:
> Done - svn.sqlmap.org SSL certificate is now signed by a valid CA,
> StartSSL.
> Also, I recently realized that svn checks the SSL certificate validity.

Great, no more warnings and questions. Thanks!
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-04 14:14:03

Hi,

On 3 May 2011 16:32, <bu...@gm...> wrote:
> On 04/17/2011 06:15 PM, Bernardo Damele A. G. wrote:
>> This would not solve anything as svn command does not check
>> certificate validity. It would only serve for access from the browser
>> as far as I know. Nevertheless, we can consider to get a CA signed
>> certificate.
>
> What is the current status on this?

Thanks for reminding buawig.

Done - svn.sqlmap.org SSL certificate is now signed by a valid CA, StartSSL. Thanks for suggesting that Steve.

The strength of the certificate, SSL protocols supported and ciphers available can be seen on the Qualys SSL Labs report, http://goo.gl/lUp90.

Also, I recently realized that svn checks the SSL certificate validity.

Cheers,
Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-04 13:39:02

On 4 May 2011 13:26, <bu...@gm...> wrote:
> ...
>> * Implement out-of-band for data fetching: we may possibly implement
>> this. It would be split down in the following functions:
>>   * HTTP requests (Oracle UTL_HTTP)
>>   * UNC paths (can be done in all DBMS afaik)
>>   * openrowset (to replicate dbms remotely on MSSQL)
>>   * db_link() (to replicate dbms remotely on PgSQL)
>
> Will this also include DNS based exfiltration? (UTL_INADDR, ..)
> http://article.gmane.org/gmane.comp.security.sqlmap/1073

Like I replied to you buawig at that time[1], it will possibly make it to 1.0, I simply did not mention this specific vector here.

[1] http://article.gmane.org/gmane.comp.security.sqlmap/1075

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2011-05-04 12:32:25

On Wed, May 4, 2011 at 2:26 PM, <bu...@gm...> wrote:
> On 05/04/2011 12:15 PM, Bernardo Damele A. G. wrote:
>> * Confirm injection in another page (feature requested by someone on
>> the mailing list)
>
> Great!
>
>> * Implement out-of-band for data fetching: we may possibly implement
>> this. It would be split down in the following functions:
>>   * HTTP requests (Oracle UTL_HTTP)
>>   * UNC paths (can be done in all DBMS afaik)
>>   * openrowset (to replicate dbms remotely on MSSQL)
>>   * db_link() (to replicate dbms remotely on PgSQL)
>
> Will this also include DNS based exfiltration? (UTL_INADDR, ..)
> http://article.gmane.org/gmane.comp.security.sqlmap/1073

yes :)

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: <bu...@gm...> - 2011-05-04 12:27:49

On 05/04/2011 12:15 PM, Bernardo Damele A. G. wrote:
> * Confirm injection in another page (feature requested by someone on
> the mailing list)

Great!

> * Implement out-of-band for data fetching: we may possibly implement
> this. It would be split down in the following functions:
>   * HTTP requests (Oracle UTL_HTTP)
>   * UNC paths (can be done in all DBMS afaik)
>   * openrowset (to replicate dbms remotely on MSSQL)
>   * db_link() (to replicate dbms remotely on PgSQL)

Will this also include DNS based exfiltration? (UTL_INADDR, ..)
http://article.gmane.org/gmane.comp.security.sqlmap/1073
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-04 10:15:17

Hi,

Now that some weeks have passed since 0.9 has been released and we have got the first bunch of bug reports and feature requests (thanks!) it's time to plan the development for the upcoming release: 1.0!

Miroslav and I came up with a pretty well defined list of things to do, but we would appreciate a lot your feedback, comments and help in implementing these and other features.

Detection/bisection:

* Implement anti-CSRF protection bypass (e.g. .NET VIEWSTATE): this will definitely be in!
* Blind SQL injection possible enhancements[1]: we will evaluate this and see if the benefit is worth the code changes, as our bisection algorithm these days is pretty strong, fast and has a lot of possible optimizations always (see -o switch and other relevant ones).
* Confirm injection in another page (feature requested by someone on the mailing list)

Enumeration:

* Enumerate binary fields data: Miroslav has been putting lots of effort into support for unicode characters, recognition of page/dbms encoding and enumeration of "dodgy" characters. The next step will be enumeration of binary data (e.g. images in blob datatype columns and alike) and reconstruction of this data automatically locally.
* Implement out-of-band for data fetching: we may possibly implement this. It would be split down in the following functions:
  * HTTP requests (Oracle UTL_HTTP)
  * UNC paths (can be done in all DBMS afaik)
  * openrowset (to replicate dbms remotely on MSSQL)
  * db_link() (to replicate dbms remotely on PgSQL)
* Data extraction for multiple entries on a single line: we have started to work on this feature. It has been a long time requested feature by many of you.

Miscellaneous:

* IDS/IPS Evasion: we have got --tamper and support for custom tamper scripts (see user's manual). The next step will be to automatically detect and bypass custom-implemented IDS/IPS and some specific enterprise-grade IPS/WAF solutions.
* Report/output in XML/XSLT: feature requested many times. Partially implemented some time ago. It was too outdated and bugged, so did not make it for 0.9. We will possibly implement it for 1.0.

Plugins:

* Support for PostgreSQL 9.0: it is on its way. Active fingerprint (-f) has been adapted. Takeover switch --os-pwn for Windows 32-bit too. Soon Linux and Windows 64-bit too.
* Identify linked/cluster DBMS servers when possible: afaik can be done on MSSQL. Any idea how to do this on other DBMS like Oracle?

Request:

* Decode/reencode parameters in base64/hex: low priority, but might save hell lots of time during pentests where the vulnerable parameter's value has to be encoded before being sent to the web server.

Takeover:

* Operating system access support on Oracle: this might seem easy and very much useful. It's not. Oracle by design does not support stacked queries in SQL statements. It does within PL/SQL code in functions/triggers/etc. Therefore, if the web application that you are targeting has a SQL injection within a custom or default function/procedure then yes, you are likely to privesc and takeover the OS. Ideas and help to implement this feature are more than welcome!
* File system access support on Oracle: same as above.
* Option to escalate DBMS user privileges via PL/SQL on Oracle: same as above.
* Option to perform DBA password brute-force on PgSQL/MSSQL: it will make it to 1.0.
* Download shellcodeexec/file via TFTP/FTP/HTTP from the attacker machine (for --file-write and --os-pwn).

There are few other TODO items, mostly related to code refactoring, bug fixes and mandatory things to be done before these features can be worked out.

Now we look forward to reading from you. Thank you!

[1] http://websec.wordpress.com/2011/04/06/blind-sqli-techniques/

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2011-05-03 15:40:36

it seems that you are our "quality assurance" officer :)

On Tue, May 3, 2011 at 5:32 PM, <bu...@gm...> wrote:
> On 04/17/2011 06:15 PM, Bernardo Damele A. G. wrote:
>> This would not solve anything as svn command does not check
>> certificate validity. It would only serve for access from the browser
>> as far as I know. Nevertheless, we can consider to get a CA signed
>> certificate.
>
> What is the current status on this?

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: <bu...@gm...> - 2011-05-03 15:33:19

On 04/17/2011 06:15 PM, Bernardo Damele A. G. wrote:
> This would not solve anything as svn command does not check
> certificate validity. It would only serve for access from the browser
> as far as I know. Nevertheless, we can consider to get a CA signed
> certificate.

What is the current status on this?
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-03 15:20:00

On 3 May 2011 16:10, <bu...@gm...> wrote:
> On 05/03/2011 04:45 PM, Bernardo Damele A. G. wrote:
>> Thanks for reminding buawig. Please, do not hesitate to report if it
>> is not clear enough.
>> Find it committed now, r3839. See doc/README.[html|pdf]
>
> Are you also going to put/update it on the website?
> http://sqlmap.sourceforge.net/doc/README.pdf

No, we keep the stable 0.9 on the site, even if it lacks the URI injection paragraph. The devel code+documentation is on the svn repository.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: <bu...@gm...> - 2011-05-03 15:10:21

On 05/03/2011 04:45 PM, Bernardo Damele A. G. wrote:
> Thanks for reminding buawig. Please, do not hesitate to report if it
> is not clear enough.
> Find it committed now, r3839. See doc/README.[html|pdf]

Are you also going to put/update it on the website?
http://sqlmap.sourceforge.net/doc/README.pdf
From: Bernardo D. A. G. <ber...@gm...> - 2011-05-03 14:45:48
Thanks for reminding buawig. Please, do not hesitate to report if it is not clear enough.

Find it committed now, r3839. See doc/README.[html|pdf]

Bernardo

On 3 May 2011 15:14, <bu...@gm...> wrote:
> On 04/11/2011 10:08 PM, Bernardo Damele A. G. wrote:
>> Sorry, it is not documented. I will update it soon. Thanks for the note.
>
> On 04/28/2011 02:43 PM, Bernardo Damele A. G. wrote:
>> I will update the user's manual with this feature at some point like
>> someone else pointed out.
>
> Yes, I'm still waiting :)
>

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: <bu...@gm...> - 2011-05-03 14:14:22
On 04/11/2011 10:08 PM, Bernardo Damele A. G. wrote:
> Sorry, it is not documented. I will update it soon. Thanks for the note.

On 04/28/2011 02:43 PM, Bernardo Damele A. G. wrote:
> I will update the user's manual with this feature at some point like
> someone else pointed out.

Yes, I'm still waiting :)
From: Miroslav S. <mir...@gm...> - 2011-05-03 10:20:50
hi Tom.

thank you for your report. please, update and retry it. it should be fixed with the latest commit (r3830).

kr

On Tue, May 3, 2011 at 11:12 AM, Tom Thumb <k1...@li...> wrote:
> I'm not getting any files in the 'dump' folder. Also, using --replicate
> produces the following error:
>
> [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3828), retry your run
> with the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r3828)
> Python version: 2.6.6
> Operating system: posix
> Command line: sqlmap.py --url=***************************************************** --risk=3 --level=5 --forms --dbms=mssql --text-only --threads=3 --dump -D ******* -T ***************** --replicate -v 3
> Technique: UNION
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap.py", line 83, in main
>     start()
>   File "/home/tom/Downloads/sqlmap-dev/lib/controller/controller.py", line 485, in start
>     action()
>   File "/home/tom/Downloads/sqlmap-dev/lib/controller/action.py", line 109, in action
>     conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>   File "/home/tom/Downloads/sqlmap-dev/lib/core/dump.py", line 373, in dbTableValues
>     rtable = replication.createTable(table, cols)
>   File "/home/tom/Downloads/sqlmap-dev/lib/core/replication.py", line 97, in createTable
>     return Replication.Table(parent=self, name=tblname, columns=columns, typeless=typeless)
>   File "/home/tom/Downloads/sqlmap-dev/lib/core/replication.py", line 59, in __init__
>     self.parent.cursor.execute('CREATE TABLE %s (%s)' % (self.name, ','.join('%s %s' % (colname, coltype) for colname, coltype in self.columns)))
> OperationalError: unknown database dbo
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
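The traceback above fails because the unquoted table name `dbo.<table>` reaches SQLite as `<schema>.<table>`, so the interpolated `CREATE TABLE` statement looks for a database called `dbo`. The following added example (not sqlmap's code, and not a claim about what r3830 changed, which the thread does not show) reproduces that failure against an in-memory SQLite database and shows the identifier quoting that keeps a schema-prefixed, or otherwise attacker-influenced, name as a single name instead of SQL syntax; `SAMPLE_TABLE` and `SAMPLE_COLUMNS` are constructed values.

```python
import sqlite3

# Constructed sample mirroring the report: a dumped MSSQL table name that
# still carries its schema prefix, plus two columns with their types.
SAMPLE_TABLE = "dbo.users"
SAMPLE_COLUMNS = [("id", "INTEGER"), ("name", "TEXT")]


def quote_identifier(name):
    """Quote an identifier for SQLite: wrap it in double quotes and double
    any embedded quote, so dots, spaces or quotes in a name pulled from a
    remote DBMS can never be parsed as schema separators or statement text."""
    return '"' + name.replace('"', '""') + '"'


def build_create(table, columns, quote):
    """Build the CREATE TABLE statement, with or without identifier quoting.
    Column types are left unquoted on purpose: they are keywords, and in real
    code should come from a fixed allow-list rather than from remote data."""
    if quote:
        cols = ", ".join("%s %s" % (quote_identifier(c), t) for c, t in columns)
        return "CREATE TABLE %s (%s)" % (quote_identifier(table), cols)
    cols = ", ".join("%s %s" % (c, t) for c, t in columns)
    return "CREATE TABLE %s (%s)" % (table, cols)


def try_create(table, columns, quote):
    """Run the statement on a throwaway in-memory database and return
    (succeeded, created_table_name_or_error_message)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(build_create(table, columns, quote))
        row = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'").fetchone()
        return True, row[0]
    except sqlite3.OperationalError as exc:
        return False, str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # Unquoted: SQLite treats "dbo" as a database name and fails.
    print(try_create(SAMPLE_TABLE, SAMPLE_COLUMNS, quote=False))
    # Quoted: the whole string "dbo.users" becomes the table name.
    print(try_create(SAMPLE_TABLE, SAMPLE_COLUMNS, quote=True))
```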