Thread: [sqlmap-users] Direct connection to Oracle supported?
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users
|
From: Brian M. <Br...@EC...> - 2013-10-21 17:37:13
|
Using sqlmap on a recently updated Kali installation, I tried to connect to an Oracle db using this command: sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID I get the error message "[CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point. The wiki on github states that Oracle is supported for direct connections, so there is some confusion here. Wireshark confirms no attempt to connect to the server is made at all and the syntax of the command appears correct. Can you confirm whether sqlmap currently supports direct connections to Oracle databases or if there is some other problem? -- Brian Milliron, CEO ECR Security http://www.ECRSecurity.com 512-422-5408 |
|
From: Miroslav S. <mir...@gm...> - 2013-10-21 18:17:56
|
Hi.
sqlmap supports it. Sample console output:
$ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb"
-v 5 --banner
sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover
tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting at 20:15:37
[20:15:37] [DEBUG] cleaning up configuration parameters
[20:15:37] [DEBUG] forcing timeout to 10 seconds
[20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established
[20:15:37] [INFO] the back-end DBMS is Oracle
[20:15:37] [INFO] fetching banner
[20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM
v$version WHERE ROWNUM=1
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 -
Prod'
[20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed
[*] shutting down at 20:15:37
Could you please check that you run the latest revision from the Github
repository and try to run it with -v 5? Strange thing with your case is
"sqlmap was not able to fingerprint..." while there is no fingerprinting in
sqlmap's direct mode (at least in HEAD revision).
Kind regards,
Miroslav Stampar
On Mon, Oct 21, 2013 at 7:24 PM, Brian Milliron <Br...@ec...>wrote:
> Using sqlmap on a recently updated Kali installation, I tried to connect
> to an Oracle db using this command:
> sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID
> I get the error message "[CRITICAL] sqlmap was not able to fingerprint
> the back-end database management system. Support for this DBMS will be
> implemented at some point.
>
> The wiki on github states that Oracle is supported for direct
> connections, so there is some confusion here. Wireshark confirms no
> attempt to connect to the server is made at all and the syntax of the
> command appears correct. Can you confirm whether sqlmap currently
> supports direct connections to Oracle databases or if there is some
> other problem?
>
>
> --
> Brian Milliron, CEO
> ECR Security
> http://www.ECRSecurity.com
> 512-422-5408
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm
|
|
From: Yoan A. <yoa...@gm...> - 2013-10-21 18:19:36
|
Maybe you forgot the quotes ? python sqlmap.py -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --banner --dbs --users On Mon, Oct 21, 2013 at 8:17 PM, Miroslav Stampar < mir...@gm...> wrote: > Hi. > > sqlmap supports it. Sample console output: > > $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" > -v 5 --banner > > sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover > tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior > mutual consent is illegal. It is the end user's responsibility to obey all > applicable local, state and federal laws. Developers assume no liability > and are not responsible for any misuse or damage caused by this program > > [*] starting at 20:15:37 > > [20:15:37] [DEBUG] cleaning up configuration parameters > [20:15:37] [DEBUG] forcing timeout to 10 seconds > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521established > [20:15:37] [INFO] the back-end DBMS is Oracle > [20:15:37] [INFO] fetching banner > [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM > v$version WHERE ROWNUM=1 > back-end DBMS: Oracle > banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - > Prod' > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed > > [*] shutting down at 20:15:37 > > Could you please check that you run the latest revision from the Github > repository and try to run it with -v 5? Strange thing with your case is > "sqlmap was not able to fingerprint..." while there is no fingerprinting in > sqlmap's direct mode (at least in HEAD revision). > > Kind regards, > Miroslav Stampar > > > On Mon, Oct 21, 2013 at 7:24 PM, Brian Milliron <Br...@ec...>wrote: > >> Using sqlmap on a recently updated Kali installation, I tried to connect >> to an Oracle db using this command: >> sqlmap -d Oracle://user:pass@10.10.10.10:1521/SID >> I get the error message "[CRITICAL] sqlmap was not able to fingerprint >> the back-end database management system. Support for this DBMS will be >> implemented at some point. >> >> The wiki on github states that Oracle is supported for direct >> connections, so there is some confusion here. Wireshark confirms no >> attempt to connect to the server is made at all and the syntax of the >> command appears correct. Can you confirm whether sqlmap currently >> supports direct connections to Oracle databases or if there is some >> other problem? >> >> >> -- >> Brian Milliron, CEO >> ECR Security >> http://www.ECRSecurity.com >> 512-422-5408 >> >> >> ------------------------------------------------------------------------------ >> October Webinars: Code for Performance >> Free Intel webinars can help you accelerate application performance. >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most >> from >> the latest Intel processors and coprocessors. See abstracts and register > >> >> http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Miroslav Stampar > http://about.me/stamparm > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- *Yoan AGOSTINI* |
|
From: Brian M. <Br...@EC...> - 2013-10-24 14:56:15
|
Thanks for the sample command and output. It turns out there was a case sensitivity issue. oracle:// vs Oracle:// Once I solved that, sqlmap began complaining about a missing cx_Oracle.py The Kali installation it seems is missing the Oracle client and python libraries. Does sqlmap need a specifc version of these files? > Hi. > > sqlmap supports it. Sample console output: > > $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb" > -v 5 --banner > > sqlmap/1.0-dev-8dac47f - automatic SQL injection and database takeover > tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior > mutual consent is illegal. It is the end user's responsibility to obey all > applicable local, state and federal laws. Developers assume no liability > and are not responsible for any misuse or damage caused by this program > > [*] starting at 20:15:37 > > [20:15:37] [DEBUG] cleaning up configuration parameters > [20:15:37] [DEBUG] forcing timeout to 10 seconds > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 established > [20:15:37] [INFO] the back-end DBMS is Oracle > [20:15:37] [INFO] fetching banner > [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM > v$version WHERE ROWNUM=1 > back-end DBMS: Oracle > banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - > Prod' > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed > > [*] shutting down at 20:15:37 > > Could you please check that you run the latest revision from the Github > repository and try to run it with -v 5? Strange thing with your case is > "sqlmap was not able to fingerprint..." while there is no fingerprinting in > sqlmap's direct mode (at least in HEAD revision). > > Kind regards, > Miroslav Stampar |
|
From: Miroslav S. <mir...@gm...> - 2013-10-24 22:04:10
|
Hi. "Does sqlmap need a specifc version of these files?" - not really. It just needs to be compatible with the current Python version. Kind regards, Miroslav Stampar On Thu, Oct 24, 2013 at 4:55 PM, Brian Milliron <Br...@ec...>wrote: > Thanks for the sample command and output. It turns out there was a case > sensitivity issue. oracle:// vs Oracle:// Once I solved that, sqlmap > began complaining about a missing cx_Oracle.py The Kali installation it > seems is missing the Oracle client and python libraries. Does sqlmap > need a specifc version of these files? > > > > Hi. > > > > sqlmap supports it. Sample console output: > > > > $ python sqlmap.py -d "oracle://SYSTEM:testpass@192.168.5.27:1521/testdb > " > > -v 5 --banner > > > > sqlmap/1.0-dev-8dac47f - automatic SQL injection and database > takeover > > tool > > http://sqlmap.org > > > > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior > > mutual consent is illegal. It is the end user's responsibility to obey > all > > applicable local, state and federal laws. Developers assume no liability > > and are not responsible for any misuse or damage caused by this program > > > > [*] starting at 20:15:37 > > > > [20:15:37] [DEBUG] cleaning up configuration parameters > > [20:15:37] [DEBUG] forcing timeout to 10 seconds > > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521established > > [20:15:37] [INFO] the back-end DBMS is Oracle > > [20:15:37] [INFO] fetching banner > > [20:15:37] [PAYLOAD] SELECT NVL(CAST(banner AS VARCHAR(4000)),' ') FROM > > v$version WHERE ROWNUM=1 > > back-end DBMS: Oracle > > banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - > > Prod' > > [20:15:37] [INFO] connection to oracle server 192.168.5.27:1521 closed > > > > [*] shutting down at 20:15:37 > > > > Could you please check that you run the latest revision from the Github > > repository and try to run it with -v 5? Strange thing with your case is > > "sqlmap was not able to fingerprint..." while there is no fingerprinting > in > > sqlmap's direct mode (at least in HEAD revision). > > > > Kind regards, > > Miroslav Stampar > > > > > -- Miroslav Stampar http://about.me/stamparm |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X