Thread: [sqlmap-users] provide full path document root
From: Pagera <pag...@gm...> - 2010-03-22 12:18:47
Hello, and hope you are fine.

When I'm trying --os-shell with --msf, after a while it gives me a message like "please provide full path document root". How can I know the full path?

Is there any way to know the document root full path from sqlmap, or do I have to use another tool to get the job done?

Thanks for the help.
From: Patrick W. <pa...@au...> - 2010-03-23 14:09:18
Try information disclosure stuff... like umm, manual, Nikto or .. something ;p

I suppose sqlmap could predetermine this if necessary under specific circumstances (devs!)... but we do it manually and it depends on permissions of operating systems, folders and files.

-Patrick
From: Bernardo D. A. G. <ber...@gm...> - 2010-03-25 10:23:49
Try DirBuster, http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

sqlmap has limited regular expression to detect file system paths so far.

Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Pagera <pag...@gm...> - 2010-03-25 21:15:10
Hello, and hope you are fine.

Thanks, Bernardo, for DirBuster.

A question about blind SQL injection: does sqlmap support this mode?

I used --UNION-USE but it failed. I have a vulnerable URL; I'm able to view all database information by manipulating the HTTP URL, like version(), etc., but when I'm using sqlmap the result is that this URL is not vulnerable!

I'm wondering if it's because of not supporting blind mode?

Thanks for the help.
From: David G. <sk...@gm...> - 2010-03-26 00:20:49
Try passing --string parameter to sqlmap.

    --string=STRING     String to match in page when the query is valid

--
David Gomes Guimarães
From: Pagera <pag...@gm...> - 2010-03-26 14:32:45
Hello,

It didn't work.

What I'm trying to do is:

sqlmap -u "http://example.com/images.php?id=10" --string="id"

The URL is vulnerable because when I use the browser with

http://example.com/images.php?id=10 and 1=2

I'm able to see the MySQL error, and I tried many functions like version() and it works. I also used

http://example.com/images.php?id=10 union select 1,2,3,group_concat(table_name),5,6,7 from information_schema.tables

and I got the table names.

But when using sqlmap there is nothing; it acts like the URL is not vulnerable. I also used --prefix="id" --postfix="1=1", and also nothing.
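For defenders reviewing web server logs, the manual requests described in the message above leave recognisable query strings. The following is an added example, not part of the thread or of sqlmap; the log lines, rule names and the `classify` and `scan` helpers are constructed for illustration, and the User-Agent prefix check is an assumption about an unmodified client.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines; addresses and paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2010:14:30:01 +0000] "GET /images.php?id=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Mar/2010:14:30:09 +0000] "GET /images.php?id=10%20and%201=2 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Mar/2010:14:31:40 +0000] "GET /images.php?id=10+union+select+1,2,3,'
    'group_concat(table_name),5,6,7+from+information_schema.tables HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Mar/2010:14:35:02 +0000] "GET /images.php?id=10 HTTP/1.1" 200 5120 "-" "sqlmap/0.0 (constructed)"',
]

# Request target and User-Agent from a combined-format line.
LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"')

# Rules are applied to URL-decoded parameter values, not the raw line,
# so %20 and + encodings of the same probe are matched alike.
RULES = {
    "boolean-probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\b|\bgroup_concat\s*\(", re.I),
}

def classify(line):
    """Return the set of rule names a single log line triggers."""
    m = LINE.search(line)
    if not m:
        return set()
    target, agent = m.groups()
    hits = set()
    # Assumption: an unmodified sqlmap client identifies itself as "sqlmap/<version> ...".
    if agent.lower().startswith("sqlmap/"):
        hits.add("sqlmap-user-agent")
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(rule for rule, rx in RULES.items() if rx.search(value))
    return hits

def scan(lines):
    """Return (client address, sorted rule names) for every line with a hit."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            findings.append((line.split(" ", 1)[0], sorted(hits)))
    return findings

if __name__ == "__main__":
    for client, rules in scan(SAMPLE_LOG):
        print(client, ", ".join(rules))
```

The User-Agent is client-controlled, so treat that rule as a low-confidence signal and rely on the parameter-value rules for alerting.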
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-29 10:57:28
Please, read carefully the user's manual (doc/README.pdf) for details on --string.

Bernardo