Thread: [sqlmap-users] --sql-query: only single field outputs allowed?

Brought to you by: inquisb

sqlmap-users

[sqlmap-users] --sql-query: only single field outputs allowed?

From: <bu...@gm...> - 2011-01-17 00:15:19

Hi there,

testcases:

#1
===========
--sql-query="select username from insecure.user"

output:
select username from insecure.user:    'admin'

#2
===========
--sql-query="select password from insecure.user"

output:
select password from insecure.user:    'foobar'

#3
===========
--sql-query="select * from insecure.user"

output:
select * from insecure.user:    'None'

#4
===========
--sql-query="select username,password from insecure.user"

output:
select username,password from insecure.user:    'None'


Question: Why is the output of #3 and #4 'None'?
(the table has only a single row)

Re: [sqlmap-users] --sql-query: only single field outputs allowed?

From: Miroslav S. <mir...@gm...> - 2011-01-17 00:25:34

hi buawig.

we've done some heavy development in other parts and haven't updated
--sql-shell accordingly. i can only say that we'll try to do our best and
update it in couple of weeks (not a trivial one as now it's only supported
by the part of sqlmap with blind based injections).

kr

On Mon, Jan 17, 2011 at 1:14 AM, <bu...@gm...> wrote:

> Hi there,
>
> testcases:
>
> #1
> ===========
> --sql-query="select username from insecure.user"
>
> output:
> select username from insecure.user:    'admin'
>
> #2
> ===========
> --sql-query="select password from insecure.user"
>
> output:
> select password from insecure.user:    'foobar'
>
> #3
> ===========
> --sql-query="select * from insecure.user"
>
> output:
> select * from insecure.user:    'None'
>
> #4
> ===========
> --sql-query="select username,password from insecure.user"
>
> output:
> select username,password from insecure.user:    'None'
>
>
> Question: Why is the output of #3 and #4 'None'?
> (the table has only a single row)
>
>
>
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

Re: [sqlmap-users] --sql-query: only single field outputs allowed?

From: <bu...@gm...> - 2011-01-17 00:30:49

On 01/17/2011 12:25 AM, Miroslav Stampar wrote:
> hi buawig.
> 
> we've done some heavy development in other parts and haven't updated
> --sql-shell accordingly. i can only say that we'll try to do our best and
> update it in couple of weeks (not a trivial one as now it's only supported
> by the part of sqlmap with blind based injections).

OK.
Thank you for your fast reply and committing r3004.

Re: [sqlmap-users] --sql-query: only single field outputs allowed?

From: Bernardo D. A. G. <ber...@gm...> - 2011-01-18 23:12:07

Issue closed. Now all technique support --sql-query and --sql-shell
packing/unpacking/retrieval of output.

Thanks for reporting.

Bernardo


On 17 January 2011 00:29,  <bu...@gm...> wrote:
> On 01/17/2011 12:25 AM, Miroslav Stampar wrote:
>> hi buawig.
>>
>> we've done some heavy development in other parts and haven't updated
>> --sql-shell accordingly. i can only say that we'll try to do our best and
>> update it in couple of weeks (not a trivial one as now it's only supported
>> by the part of sqlmap with blind based injections).
>
> OK.
> Thank you for your fast reply and committing r3004.
>
>
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

Re: [sqlmap-users] --sql-query: only single field outputs allowed?

From: <bu...@gm...> - 2011-01-20 18:15:57

On 01/18/2011 11:12 PM, Bernardo Damele A. G. wrote:
> Issue closed. Now all technique support --sql-query and --sql-shell
> packing/unpacking/retrieval of output.

sql-shell> select id from content
select id from content [3]:
[*] 1
[*] 2
[*] 3


sql-shell> select count(*) from content
[INFO] fetching SQL SELECT statement query output: 'select count(*) from
content'
[WARNING] the SQL query used does not return any output


should the later statement work too?
(r3050)

[sqlmap-users] error

From: Andreas C. (MegaHz) <me...@me...> - 2011-01-19 11:43:07

h,

got this error,

can u help?

thanks

-- Andreas




sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: GalleryID
    Type: UNION query
    Title: Generic NULL UNION query - 1 to 3 columns
    Payload: pageimage=10&page=1&GalleryID=101 UNION ALL SELECT 'oJsf'--
---

[13:09:51] [INFO] testing MySQL
[13:09:52] [WARNING] the back-end DBMS is not MySQL
[13:09:52] [INFO] testing Oracle
[13:09:52] [WARNING] the back-end DBMS is not Oracle
[13:09:52] [INFO] testing PostgreSQL
[13:09:53] [WARNING] the back-end DBMS is not PostgreSQL
[13:09:53] [INFO] testing Microsoft SQL Server
[13:09:54] [WARNING] the back-end DBMS is not Microsoft SQL Server
[13:09:54] [INFO] testing SQLite
[13:09:54] [WARNING] the back-end DBMS is not SQLite
[13:09:54] [INFO] testing Microsoft Access
[13:09:55] [WARNING] the back-end DBMS is not Microsoft Access
[13:09:55] [INFO] testing Firebird
[13:09:55] [WARNING] the back-end DBMS is not Firebird
[13:09:55] [INFO] testing SAP MaxDB
[13:09:56] [WARNING] the back-end DBMS is not SAP MaxDB
[13:09:56] [INFO] testing Sybase
[13:09:56] [WARNING] the back-end DBMS is not Sybase
[13:09:56] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you
[13:09:56] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 9 times

Re: [sqlmap-users] error

From: Bernardo D. A. G. <ber...@gm...> - 2011-01-19 12:39:46

Pelasse send me the command line and the output of -v6 anonymized if
you want. Thank you.

Bernardo

Bernardo Damele A. G.

This message was sent from a smartphone

On 19 Jan 2011, at 11:43, "Andreas Constantinides (MegaHz)"
<me...@me...> wrote:

> h,
>
> got this error,
>
> can u help?
>
> thanks
>
> -- Andreas
>
>
>
>
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: GalleryID
>    Type: UNION query
>    Title: Generic NULL UNION query - 1 to 3 columns
>    Payload: pageimage=10&page=1&GalleryID=101 UNION ALL SELECT 'oJsf'--
> ---
>
> [13:09:51] [INFO] testing MySQL
> [13:09:52] [WARNING] the back-end DBMS is not MySQL
> [13:09:52] [INFO] testing Oracle
> [13:09:52] [WARNING] the back-end DBMS is not Oracle
> [13:09:52] [INFO] testing PostgreSQL
> [13:09:53] [WARNING] the back-end DBMS is not PostgreSQL
> [13:09:53] [INFO] testing Microsoft SQL Server
> [13:09:54] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [13:09:54] [INFO] testing SQLite
> [13:09:54] [WARNING] the back-end DBMS is not SQLite
> [13:09:54] [INFO] testing Microsoft Access
> [13:09:55] [WARNING] the back-end DBMS is not Microsoft Access
> [13:09:55] [INFO] testing Firebird
> [13:09:55] [WARNING] the back-end DBMS is not Firebird
> [13:09:55] [INFO] testing SAP MaxDB
> [13:09:56] [WARNING] the back-end DBMS is not SAP MaxDB
> [13:09:56] [INFO] testing Sybase
> [13:09:56] [WARNING] the back-end DBMS is not Sybase
> [13:09:56] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is Microsoft Access. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you
> [13:09:56] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 9 times
>
>
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand
> malware threats, the impact they can have on your business, and how you
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users