Thread: [sqlmap-users] ms sql database names' enum
From: Henry W. <mic...@gm...> - 2012-07-03 00:01:39
I've met dozens of practical cases when the --dbs switch becomes useless with --dbms=mssql (can't say precisely, but maybe <2008 versions). The only workaround that proved itself useful is retrieval of db_name(i++) using --sql-shell, while other standard techniques were totally useless.

Another reason I decided to compose this miserable letter is that I would like to see debug information on how the page is being parsed, in order to determine the exact string or regexp or whatever sqlmap uses to pick up context output or to determine the boolean value for a positive logical answer.

Uploading specific files for mssql would be great too, because currently I choose other commercial products which are ugly, heavy, gui and windows only in order to execute os commands (that thing appeared to be broken in almost every semi-complicated case while it worked fine on some fucking retarded pangolin\webcruiser\etc. tools) or upload something over designed and accessible routines of ms sql in certain cases. Maybe I'm missing some concepts, but the first thing I've mentioned above deserves your attention for sure. Thanks :*
From: Bernardo D. A. G. <ber...@gm...> - 2012-07-03 09:50:11
Hi Henry,

On 3 July 2012 01:01, Henry Waves <mic...@gm...> wrote:
> I've met dozens of practical cases when --dbs switch becomes useless
> with --dbms=mssql (can't say precisely, but maybe <2008 versions). The
> only workaround proved itself useful is retrieval of db_name(i++) using
> --sql-shell while other standard techniques were totally useless.

We have been notified already that there might be a bug with --dbs and --tables on MSSQL (particularly version 2008). We will look closely in the upcoming weeks into reproducing this bug, if any, across all MSSQL versions. I have opened issue #55[1] for the time being and will keep you posted there with comments.

> Another reason i decided to compose this miserable letter is that i
> would like to see debug information on how page is being parsed in order
> to determine exact string or regexp or whatever sqlmap uses to pick up
> context output or to determine the boolean value for positive logical
> answer.

If you run sqlmap with -v 3, not only do you see all injected SQLi payloads but, following detection, it also shows you the exact vector used to identify the vulnerable and exploitable SQLi technique.

> Uploading specific files for mssql would be great too, because
> currently i choose another commercial products which are ugly, heavy,
> gui and windows only in order to execute os commands (that thing
> appeared to be broken in almost every semi-complicated case while worked
> fine on some fucking retarded pangolin\webcruiser\etc. tools) or
> upload something over designed and accessible routines of ms sql in
> certain cases. Maybe i'm missing some concepts, but the first thing
> i've mentioned above deserves your attention for sure. Thanks :*

We have had support to interact with the underlying file system since 2009. Relevant switches are --file-read, --file-write and --file-dest. --tmp-path might also be of use here; check the user's manual for details and examples.

I am not aware at the moment of any bug related to these switches, but please go ahead and open an issue[2] with details to reproduce the bug, if any. I have recently retested all these switches across all three supported DBMS (MSSQL, PgSQL and MySQL) and they all worked fine.

[1] https://github.com/sqlmapproject/sqlmap/issues/55
[2] https://github.com/sqlmapproject/sqlmap/issues/new

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
From: Miroslav S. <mir...@gm...> - 2012-07-03 18:17:09
Hi Henry.

Find the "SELECT DB_NAME(i++)" mechanism implemented with the latest commit (27fdccc) as a fallback in case the standard one fails.

Kind regards,
Miroslav Stampar

On Tue, Jul 3, 2012 at 2:01 AM, Henry Waves <mic...@gm...> wrote:
> [quoted message as above]

--
Miroslav Stampar
http://about.me/stamparm
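The fallback discussed in this thread walks DB_NAME(1), DB_NAME(2), ... one index at a time, which leaves a recognisable trace in SQL Server statement auditing. The following is an added example, not code from sqlmap or from anyone on this list: a detector that parses constructed audit lines (the "timestamp client statement" layout is an assumption) and flags clients that issued DB_NAME() with a run of consecutive integer arguments.

```python
import re
from collections import defaultdict

# Constructed sample audit records, not real traffic. Assumed layout:
# "<timestamp> <client_ip> <statement>"
SAMPLE_AUDIT_LINES = [
    "2012-07-03T00:01:10 203.0.113.7 SELECT name FROM sys.databases",
    "2012-07-03T00:01:12 203.0.113.7 SELECT DB_NAME(1)",
    "2012-07-03T00:01:13 203.0.113.7 SELECT DB_NAME(2)",
    "2012-07-03T00:01:14 203.0.113.7 SELECT db_name(3)",
    "2012-07-03T00:01:15 203.0.113.7 SELECT DB_NAME( 4 )",
    "2012-07-03T00:01:16 203.0.113.7 SELECT DB_NAME(5)",
    "2012-07-03T00:02:00 198.51.100.9 SELECT DB_NAME()",
    "2012-07-03T00:02:05 198.51.100.9 SELECT DB_NAME(1)",
    "2012-07-03T00:02:07 198.51.100.9 SELECT TOP 1 name FROM orders",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# DB_NAME with a literal integer argument; DB_NAME() without one is benign.
DB_NAME_RE = re.compile(r"\bdb_name\s*\(\s*(\d+)\s*\)", re.IGNORECASE)

def parse_line(line):
    """Split an audit line into (timestamp, client, statement) or None."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def db_name_indices_by_client(lines):
    """Collect every integer passed to DB_NAME(), grouped by client."""
    indices = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, statement = parsed
        for m in DB_NAME_RE.finditer(statement):
            indices[client].append(int(m.group(1)))
    return dict(indices)

def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers among values."""
    present = set(values)
    best = 0
    for v in present:
        if v - 1 not in present:          # v starts a run
            n = 1
            while v + n in present:
                n += 1
            best = max(best, n)
    return best

def find_db_name_walks(lines, min_run=3):
    """Clients whose DB_NAME(n) arguments form a walk of >= min_run steps."""
    hits = {}
    for client, idx in db_name_indices_by_client(lines).items():
        if longest_consecutive_run(idx) >= min_run:
            hits[client] = sorted(set(idx))
    return hits
```

A single DB_NAME(1) from an application that looks up its own database is not flagged; only the sequential walk that the enumeration fallback produces crosses the threshold.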
From: Henry W. <mic...@gm...> - 2012-07-04 03:23:40
Thanks for all the great work that you've already done, guys. The reason why I decided to compose this letter is that we all know that a proxy server is a thing that will eventually 'die' with a very high probability, and this fact leads us to a fair logical conclusion: there should be a proxy list usage implementation. Not that sqlmap lacks stability to resume its sessions, but such a thing could help much.
From: Miroslav S. <mir...@gm...> - 2012-07-04 16:48:43
Hi Henry.

If I understood you well, you want to supply a proxy list to sqlmap?

Kind regards,
Miroslav Stampar

On Jul 4, 2012 11:13 AM, "Henry Waves" <mic...@gm...> wrote:
> [quoted message as above]