Thread: [sqlmap-users] raise InvalidURL nonnumeric port
From: Julia W. <ju...@fi...> - 2012-03-16 01:04:56
Well, here's a bug report crash-thingy... My cursory analysis is that the SQL PAYLOAD got sucked back up and, for some mysterious reason, re-parsed as a host:port value. Something like the hostname being "10.6.1.142) AND 5306=CAST... etc. ...ELSE 0 END))::" which then means that the port would be "text||CHR(58) ... and stuff"

Here are some, possibly relevant, options from the config file.

crawlDepth = 10
forceSSL = True
level = 5
risk = 3
tech = BEUST

[18:28:19] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:28:19] [PAYLOAD] 10.6.1.142) AND 5306=CAST(CHR(58)||CHR(105)||CHR(105)||CHR(121)||CHR(58)||(SELECT (CASE WHEN (5306=5306) THEN 1 ELSE 0 END))::text||CHR(58)||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)
[18:28:19] [TRAFFIC OUT] HTTP request [#13922]:
GET // HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Host: 10.6.1.142) AND 5306=CAST(CHR(58)||CHR(105)||CHR(105)||CHR(121)||CHR(58)||(SELECT (CASE WHEN (5306=5306) THEN 1 ELSE 0 END))::text||CHR(58)||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)
Accept-language: en-us,en;q=0.5
Cookie: _session_id=60273438247a37935d9d37562d6888ba;
Referer: https://10.6.1.142:443//
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Connection: close

[18:28:19] [WARNING] HTTP error codes detected during testing:
400 (Bad Request) - 62 times, 500 (Internal Server Error) - 35 times, 404 (Not Found) - 3572 times

[18:28:19] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4864), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev (r4864)
Python version: 2.7.2
Operating system: posix
Command line: ./sqlmap.py -c test2.conf -l final_url.lst
Technique: UNION
Back-end DBMS: PostgreSQL (identified)
Traceback (most recent call last):
  File "/home/jwolf/Mar_14_12/sqlmap/_sqlmap.py", line 82, in main
    start()
  File "/home/jwolf/Mar_14_12/sqlmap/lib/controller/controller.py", line 472, in start
    injection = checkSqlInjection(place, parameter, value)
  File "/home/jwolf/Mar_14_12/sqlmap/lib/controller/checks.py", line 355, in checkSqlInjection
    page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
  File "/home/jwolf/Mar_14_12/sqlmap/lib/request/connect.py", line 719, in queryPage
    page, headers, code = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
  File "/home/jwolf/Mar_14_12/sqlmap/lib/request/connect.py", line 294, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib64/python2.7/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 400, in open
    response = meth(req, response)
  File "/usr/lib64/python2.7/urllib2.py", line 513, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python2.7/urllib2.py", line 432, in error
    result = self._call_chain(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 372, in _call_chain
    result = func(*args)
  File "/home/jwolf/Mar_14_12/sqlmap/lib/request/redirecthandler.py", line 108, in http_error_302
    result = urllib2.HTTPRedirectHandler.http_error_302(self, req, fp, code, msg, headers)
  File "/usr/lib64/python2.7/urllib2.py", line 619, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 394, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 412, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 372, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1207, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1140, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
  File "/usr/lib64/python2.7/httplib.py", line 1146, in __init__
    source_address)
  File "/usr/lib64/python2.7/httplib.py", line 693, in __init__
    self._set_hostport(host, port)
  File "/usr/lib64/python2.7/httplib.py", line 718, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: 'text||CHR(58)||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)'

[*] shutting down at 18:28:19
From: Miroslav S. <mir...@gm...> - 2012-03-16 10:50:50
Hi Julia.

Thank you for your report and a minor explanation of what is going on here. We are also doing an injection of the "Host" header on higher levels (e.g. --level=5) and that's causing the problem in your case. Python's library httplib is obviously not happy with that. Have to research a bit what can be done here.

Kind regards,
Miroslav Stampar

On Fri, Mar 16, 2012 at 1:12 AM, Julia Wolf <ju...@fi...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-03-16 11:09:27
Will "patch" it in an hour or two. HTTP headers should not be URL-encoded, but in this case the character ':' from the payload needs to be replaced with its URL-encoded counterpart to prevent this kind of behavior.

Kind regards,
Miroslav Stampar

On Fri, Mar 16, 2012 at 11:50 AM, Miroslav Stampar <mir...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-03-16 13:37:43
Hi Julia again.

After a thorough examination I believe that something else is screwed. In your case the "Host" header value is used for establishing the origin of the request when the original request hasn't got a full URL (server address included). That's why httplib uses that value to make a full URL. Does this make sense to you? Do you see anything special in your case?

Now, I can't imagine how this is happening. Could you please send me privately more information? What command line have you used (or configuration file in your case)? Also, the traffic file (or maybe a part of it) would be great.

Kind regards

On Fri, Mar 16, 2012 at 12:09 PM, Miroslav Stampar <mir...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
From: Julia W. <jw...@fi...> - 2012-04-06 00:16:54
Attachments:
more_info.zip
On Fri, 16 Mar 2012, Miroslav Stampar wrote:
> After a thorough examination I believe that something else is screwed. In
> your case the "Host" header value is used for establishing the origin of the request
[...]
> Now, I can't imagine how this is happening. Could you please send me
> privately more information? What command line have you used (or
> configuration file in your case)? Also, the traffic file (or maybe a part of
> it) would be great.

Oops, I meant to get back to you sooner. Anyway, attached is the config file, and the beginnings and endings of the inputs and outputs.

Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It says

[19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log'
[19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets list
[19:13:05] [INFO] sqlmap got a total of 18 targets

I know there's more than eighteen targets...

egrep "^GET|^POST" /home/jwolf/burpreq.log | sort | uniq | wc
    262     786   15488

grep "^Content-Type: application/x-www-form-urlencoded" /home/jwolf/burpreq.log | wc
    535    1545   33340
From: Miroslav S. <mir...@gm...> - 2012-04-06 10:38:44
On Fri, Apr 6, 2012 at 2:09 AM, Julia Wolf <jw...@fi...> wrote:
> Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It says
>
> [19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log'
> [19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets list
> [19:13:05] [INFO] sqlmap got a total of 18 targets
>
> I know there's more than eighteen targets...

Hi.

Are you sure there are more than 18 targets with unique parameters inside? That uniq count says how many unique strings it found, but it doesn't go through parameter names to see what can be exploited. For example:

?a=1&b=2
?a=2&b=3
?a=3&b=4
?a=4&b=5

uniq would tell you 4 here, but sqlmap counts the number of GET/POST parameters here, which is only 2 (a and b).

Kind regards

> egrep "^GET|^POST" /home/jwolf/burpreq.log | sort | uniq | wc
>     262     786   15488
>
> grep "^Content-Type: application/x-www-form-urlencoded" /home/jwolf/burpreq.log | wc
>     535    1545   33340

--
Miroslav Stampar
http://about.me/stamparm
From: Julia W. <jw...@fi...> - 2012-04-10 21:48:09
On Fri, 6 Apr 2012, Miroslav Stampar wrote:
> Are you sure there are more than 18 targets with unique parameters inside?
> That uniq count says how many unique strings it found, but it doesn't go through parameter
> names to see what can be exploited.

There are 293 fields in my recorded session.

Another odd thing about this: I chopped the first 509600 bytes (8%) off the beginning of the Burp log (on a record boundary of course) and SQLMap still reports that it only found 18 targets -- but it will still always start with the first URL from the Burp log anyway. (I chopped it elsewhere previously with the same result.)

I mean if the Burp log starts with:

======================================================
6:25:56 PM  https://10.6.1.142:443
======================================================
POST /analysis/filter HTTP/1.1
Host: 10.6.1.142
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
[blah blah blah...]
Content-Length: ...
Cookie: _session_id=ab36ffc767c4fea19473af1a10a03d671;
Cache-Control: no-cache

utf8=%E2%9C%93&token=0Uocx9Clc&filter_text=moo&case_sensitive=1&username=foo
======================================================
HTTP/1.1 200 OK
Date: Thu, 05 Apr 2012 01:25:56 GMT
Server: Whatever 2.0
Content-Type: text/javascript; charset=utf-8
[...]

... Then SQLMap will start testing this URI, with these parameters, correctly.

Oh, I may have spoken too soon... SQLMap seems to be sticking the "======================================================" division onto the end of the last field, "username=foo======================================================" in this example. But other than that it seems to be working ok. (And I mean 'ok' until it crashes with "InvalidURL: nonnumeric port:".)
From: Miroslav S. <mir...@gm...> - 2012-04-10 22:04:04
Hi Julia.

On Tue, Apr 10, 2012 at 11:40 PM, Julia Wolf <jw...@fi...> wrote:
> [...]
>
> Oh, I may have spoken too soon... SQLMap seems to be sticking the
> "======================================================" division onto
> the end of the last field, "username=foo======================================================"

Fixed with last revision r4979

> in this example. But other than that it seems to be working ok. (And I
> mean 'ok' until it crashes with "InvalidURL: nonnumeric port:".)

Will take a look

Kind regards

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-04-13 23:34:48
Hi Julia.

Sorry for taking so long to respond. There are two things that need to be considered before giving a conclusion on this one:

A) this is a rare case, with both redirection and a Host header containing the character ':' being involved
B) a week ago we removed the Host header from a default scan on higher --level/--risk values (the user has to explicitly either set the 'Host' header value and/or use -p host together with higher --level/--risk values)

Now, as this is all caused by (IMO) the messy programming code of httplib's _set_hostport() method (...i = host.rfind(':')...j = host.rfind(']')...), and with the facts given above, this is going to be one of those "stay as it is" bugs. It's just not worth doing a "just in case" dirty patch for such cases, especially because of fact B. Hence, thank you for your report, but this will be handled only in case of a second report.

Kind regards

On Wed, Apr 11, 2012 at 12:03 AM, Miroslav Stampar <mir...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
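The failure diagnosed in this thread, as an added example (neither sqlmap's nor the Python standard library's own code): split_hostport re-implements the rfind(':') / rfind(']') split that Miroslav quotes from httplib's _set_hostport(), library_rejects feeds the same value to the real http.client constructor (which parses host:port without opening a socket), encode_colons is the ':' to %3A workaround proposed earlier in the thread, and parse_host_header is an assumed strict host[:port] validator of the kind a server or proxy would apply before building a URL from a Host header. The Host value is copied from the [TRAFFIC OUT] log in Julia's report.

```python
import http.client
import re

# Host header value from the [TRAFFIC OUT] log in the bug report above,
# copied from the thread (the SQL text is the tool's own test payload).
PAGE_HOST_VALUE = (
    "10.6.1.142) AND 5306=CAST(CHR(58)||CHR(105)||CHR(105)||CHR(121)||CHR(58)"
    "||(SELECT (CASE WHEN (5306=5306) THEN 1 ELSE 0 END))::text||CHR(58)"
    "||CHR(112)||CHR(112)||CHR(107)||CHR(58) AS NUMERIC)"
)


def split_hostport(host, default_port=443):
    """Re-implementation of the host:port split in Python 2.7's
    httplib._set_hostport() (Python 3: http.client._get_hostport()).
    Everything after the LAST ':' that is not inside an IPv6 bracket is
    taken as the port, whatever the rest of the string looks like."""
    i = host.rfind(':')
    j = host.rfind(']')  # IPv6 literals look like [::1]:443
    if i > j:
        tail = host[i + 1:]
        if tail == "":
            port = default_port  # "host:" is treated as the default port
        else:
            try:
                port = int(tail)
            except ValueError:
                raise http.client.InvalidURL("nonnumeric port: '%s'" % tail)
        host = host[:i]
    else:
        port = default_port
    if host and host[0] == '[' and host[-1] == ']':
        host = host[1:-1]
    return host, port


def library_rejects(value):
    """Hand the value to the real http.client constructor, which runs the
    same split but never opens a socket. Returns the InvalidURL message,
    or None when the library accepts the value as a host[:port]."""
    try:
        http.client.HTTPConnection(value)
    except http.client.InvalidURL as exc:
        return str(exc)
    return None


def encode_colons(header_value):
    """The workaround proposed in the thread: keep the header otherwise
    unencoded but replace ':' with %3A so the splitter finds no port."""
    return header_value.replace(":", "%3A")


# Strict host[:port] grammar: a reg-name / IPv4 dotted quad, or a bracketed
# IPv6 literal, optionally followed by a 1-5 digit port. (Assumed check,
# not part of sqlmap or httplib.)
_HOSTPORT_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


def parse_host_header(value, default_port=443):
    """Defensive parse of a Host header value. Returns (host, port) only for
    a well-formed value and None otherwise, so a malformed header can be
    rejected (or logged) before any URL is built from it."""
    m = _HOSTPORT_RE.match(value)
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        return None
    return m.group("host").strip("[]"), port


def describe(value):
    """Summarise how the three routines treat one Host header value."""
    try:
        split = split_hostport(value)
    except http.client.InvalidURL as exc:
        split = "InvalidURL: %s" % exc
    return {"httplib_split": split,
            "library_rejects": library_rejects(value),
            "strict_parse": parse_host_header(value)}


if __name__ == "__main__":
    for v in ("10.6.1.142:443", "[::1]:8080", PAGE_HOST_VALUE,
              encode_colons(PAGE_HOST_VALUE)):
        print(repr(v[:40]), describe(v))
```

The encoded value passes the rfind split (no ':' is left, so the default port is used) but still fails the strict validator, which is the behaviour a server-side check should show for such a header.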