Thread: [sqlmap-users] See list of all payloads inserted by SQLMap
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users
|
From: Mithun V. <mit...@ow...> - 2016-01-20 12:30:48
|
Hello Everyone, I need to retrieve all payloads inserted by SQLMap into vulnerable parameters. Is it possible? Right now, in my output directory, I can see a log file with only one payload example. Does the tool store all payloads that it injects? How can I pull out this information? Thanks, Mithun |
|
From: Miroslav S. <mir...@gm...> - 2016-01-20 12:49:22
|
You can see all testing payloads by rerunning with -v 3. You can't see payloads that sqlmap generated during the exploitation phase. Results of those payloads are stored inside the appropriate session.sqlite, but with hashed queries/payloads. Without doing this session files would explode in case of huge table dumps. Bye On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan < mit...@ow...> wrote: > Hello Everyone, > > I need to retrieve all payloads inserted by SQLMap into vulnerable > parameters. Is it possible? > > Right now, in my output directory, I can see a log file with only one > payload example. Does the tool store all payloads that it injects? How can > I pull out this information? > > Thanks, > Mithun > > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Mithun V. <mit...@ow...> - 2016-01-20 14:02:02
|
Hi Miroslav, The situation is that I can't rerun or hit the system again for a couple of days due to a business issue. In the meanwhile, I need to extract all payloads injected from the scan that I already ran today. If I cannot see payloads from the exploit phase, can you please point me to the logic in the code where these payloads are generated? I saw a few xml files under the payloads folder, and along with these xml files and the code, I can try to reverse engineer and probably regenerate those payloads again. I am assuming that the same payloads are generated in every scan for a given database type (say Oracle)? Thanks, Mithun You can see all testing payloads by rerunning with -v 3. You can't see payloads that sqlmap generated during the exploitation phase. Results of those payloads are stored inside the appropriate session.sqlite, but with hashed queries/payloads. Without doing this session files would explode in case of huge table dumps. Bye On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan < mit...@ow...> wrote: > Hello Everyone, > > I need to retrieve all payloads inserted by SQLMap into vulnerable > parameters. Is it possible? > > Right now, in my output directory, I can see a log file with only one > payload example. Does the tool store all payloads that it injects? How can > I pull out this information? > > Thanks, > Mithun > > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Mithun V. <mit...@ow...> - 2016-01-20 13:33:19
|
Hi Miroslav, The situation is that I can't rerun or hit the system again for a couple of days due to a business issue. In the meanwhile, I need to extract all payloads injected from the scan that I already ran today. If I cannot see payloads from the exploit phase, can you please point me to the logic in the code where these payloads are generated? I saw a few xml files under the payloads folder, and along with these xml files and the code, I can try to reverse engineer and probably regenerate those payloads again. I am assuming that the same payloads are generated in every scan for a given database type (say Oracle)? Thanks, Mithun On Jan 20, 2016 6:19 PM, "Miroslav Stampar" <mir...@gm...> wrote: > You can see all testing payloads by rerunning with -v 3. > > You can't see payloads that sqlmap generated during the exploitation > phase. Results of those payloads are stored inside the appropriate > session.sqlite, but with hashed queries/payloads. Without doing this > session files would explode in case of huge table dumps. > > Bye > > On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan < > mit...@ow...> wrote: > >> Hello Everyone, >> >> I need to retrieve all payloads inserted by SQLMap into vulnerable >> parameters. Is it possible? >> >> Right now, in my output directory, I can see a log file with only one >> payload example. Does the tool store all payloads that it injects? How can >> I pull out this information? >> >> Thanks, >> Mithun >> >> >> ------------------------------------------------------------------------------ >> Site24x7 APM Insight: Get Deep Visibility into Application Performance >> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month >> Monitor end-to-end web transactions and take corrective actions now >> Troubleshoot faster and improve end-user experience. Signup Now! >> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > |
|
From: Miroslav S. <mir...@gm...> - 2016-01-20 13:39:57
|
You can take a look into xml/payloads/*.xml and xml/boundaries.xml for testing phase payloads You can take a look into lib/controller/checks.py for testing phase generation of payloads You can take a look into xml/boundaries.xml and xml/queries.xml for exploitation phase payloads You can take a look into plugins/*.py and lib/core/agent.py for exploitation phase payloads Bye p.s. each DBMS has its own payloads. Practically, two same MySQL platforms (with same vulnerability) should generate pretty similar payloads. But, if one MySQL platform is vulnerable to boolean SQLi and the other to UNION SQLi you can't expect same payloads On Wed, Jan 20, 2016 at 2:33 PM, Mithun Vaidhyanathan < mit...@ow...> wrote: > Hi Miroslav, > > The situation is that I can't rerun or hit the system again for a couple > of days due to a business issue. In the meanwhile, I need to extract all > payloads injected from the scan that I already ran today. If I cannot see > payloads from the exploit phase, can you please point me to the logic in > the code where these payloads are generated? I saw a few xml files under > the payloads folder, and along with these xml files and the code, I can try > to reverse engineer and probably regenerate those payloads again. I am > assuming that the same payloads are generated in every scan for a given > database type (say Oracle)? > > Thanks, > Mithun > On Jan 20, 2016 6:19 PM, "Miroslav Stampar" <mir...@gm...> > wrote: > >> You can see all testing payloads by rerunning with -v 3. >> >> You can't see payloads that sqlmap generated during the exploitation >> phase. Results of those payloads are stored inside the appropriate >> session.sqlite, but with hashed queries/payloads. Without doing this >> session files would explode in case of huge table dumps. >> >> Bye >> >> On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan < >> mit...@ow...> wrote: >> >>> Hello Everyone, >>> >>> I need to retrieve all payloads inserted by SQLMap into vulnerable >>> parameters. Is it possible? >>> >>> Right now, in my output directory, I can see a log file with only one >>> payload example. Does the tool store all payloads that it injects? How can >>> I pull out this information? >>> >>> Thanks, >>> Mithun >>> >>> >>> ------------------------------------------------------------------------------ >>> Site24x7 APM Insight: Get Deep Visibility into Application Performance >>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month >>> Monitor end-to-end web transactions and take corrective actions now >>> Troubleshoot faster and improve end-user experience. Signup Now! >>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > -- Miroslav Stampar http://about.me/stamparm |
|
From: Mithun V. <mit...@ow...> - 2016-01-20 13:47:46
|
Great. Thanks so much. I'll take a look and let you know. Also, let us say I scan the same URL in front of an Oracle DB twice, then the payloads for both scans should be exactly same, right? Since it is the same URL/DB? Thanks, Mithun On Jan 20, 2016 7:09 PM, "Miroslav Stampar" <mir...@gm...> wrote: > You can take a look into xml/payloads/*.xml and xml/boundaries.xml for > testing phase payloads > You can take a look into lib/controller/checks.py for testing phase > generation of payloads > > You can take a look into xml/boundaries.xml and xml/queries.xml for > exploitation phase payloads > You can take a look into plugins/*.py and lib/core/agent.py for > exploitation phase payloads > > Bye > > p.s. each DBMS has its own payloads. Practically, two same MySQL platforms > (with same vulnerability) should generate pretty similar payloads. But, if > one MySQL platform is vulnerable to boolean SQLi and the other to UNION > SQLi you can't expect same payloads > > On Wed, Jan 20, 2016 at 2:33 PM, Mithun Vaidhyanathan < > mit...@ow...> wrote: > >> Hi Miroslav, >> >> The situation is that I can't rerun or hit the system again for a couple >> of days due to a business issue. In the meanwhile, I need to extract all >> payloads injected from the scan that I already ran today. If I cannot see >> payloads from the exploit phase, can you please point me to the logic in >> the code where these payloads are generated? I saw a few xml files under >> the payloads folder, and along with these xml files and the code, I can try >> to reverse engineer and probably regenerate those payloads again. I am >> assuming that the same payloads are generated in every scan for a given >> database type (say Oracle)? >> >> Thanks, >> Mithun >> On Jan 20, 2016 6:19 PM, "Miroslav Stampar" <mir...@gm...> >> wrote: >> >>> You can see all testing payloads by rerunning with -v 3. >>> >>> You can't see payloads that sqlmap generated during the exploitation >>> phase. Results of those payloads are stored inside the appropriate >>> session.sqlite, but with hashed queries/payloads. Without doing this >>> session files would explode in case of huge table dumps. >>> >>> Bye >>> >>> On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan < >>> mit...@ow...> wrote: >>> >>>> Hello Everyone, >>>> >>>> I need to retrieve all payloads inserted by SQLMap into vulnerable >>>> parameters. Is it possible? >>>> >>>> Right now, in my output directory, I can see a log file with only one >>>> payload example. Does the tool store all payloads that it injects? How can >>>> I pull out this information? >>>> >>>> Thanks, >>>> Mithun >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Site24x7 APM Insight: Get Deep Visibility into Application Performance >>>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month >>>> Monitor end-to-end web transactions and take corrective actions now >>>> Troubleshoot faster and improve end-user experience. Signup Now! >>>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>> >>>> >>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm >>> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X