Thread: [sqlmap-users] hmm
From: <ja...@ev...> - 2010-05-20 05:14:33
Hello,

I'm currently attempting to attack an interesting setup: a RedHat (Apache) box with a PHP front end linked to a MS SQL db. Since it's Apache+Linux it doesn't support stacked queries. It's also slow as dog crap going up a hill with the blind injection. Does anyone know of a way to use the OPENROWSET type attack without stacked queries? Or basically have any ideas how I can get enough proof of data from this box relatively quick?

Thanks

James
From: <ja...@ev...> - 2010-05-20 14:50:41
I don't think you understand my brand of sarcasm.
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 11:19:52
James,

On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
> ...
> I'm currently attempting to attack an interesting setup: a RedHat (Apache)
> box with a PHP front end linked to a MS SQL db.

It's a quite common setup. I've also seen Windows/Apache/PHP (or Perl) with back-end MSSQL or MySQL recently.

> Since it's Apache+Linux it
> doesn't support stacked queries.

Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try yourself with a SQL payload like:

    ; WAITFOR DELAY '0:2:00';--

> It's also slow as dog crap going up a hill
> with the blind injection. Does anyone know of a way to use the OPENROWSET
> type attack without stacked queries?

You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...

> Or basically have any ideas how I can
> get enough proof of data from this box relatively quick?

If it is also affected by an error-based SQL injection, something like AND 1=(SELECT ...) might do the trick; otherwise a UNION query SQL injection can help, if vulnerable.

Cheers,

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: <ja...@ev...> - 2010-05-20 11:30:10
Yeah, that's the weird thing. Stacked SHOULD be enabled. Also no UNION ability. I guess I'm boned. :) The injection doesn't respond to any errors. That's actually how I found it. Feeding "'" to an arg gave me a blank page, which is usually good. I suppose it could be a false negative. I will inspect further. Also;

A general message to the SQLmap users:

Have you noted that SQLMap misses a lot of vulns? Simple ones like

    windowsistrash.asp?id=1';waitfor delay '00:00:15'

And also more complex POST vulns? I've been using SQLNinja on the advice of my friend Bert and it appears to pwn windoze better than SQLmap...

Bernardo -- Any clue on this? I can provide a few examples of sites in private where SQLNinja succeeded and SQLMap failed to detect the GET or POST vuln.
I'm always using SVN too, btw.

If anyone else has noticed this, please reply; let's squash this bug...

James @ EV6.net

On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G." <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>> ...
>> I'm currently attempting to attack an interesting setup: a
>> RedHat (Apache)
>> box with a PHP front end linked to a MS SQL db.
>
> It's a quite common setup. I've also seen Windows/Apache/PHP (or Perl)
> with back-end MSSQL or MySQL recently.
>
>> Since it's Apache+Linux it
>> doesn't support stacked queries.
>
> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>
>> It's also slow as dog crap going up a hill
>> with the blind injection. Does anyone know of a way to use the OPENROWSET
>> type attack without stacked queries?
>
> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>
>> Or basically have any ideas how I can
>> get enough proof of data from this box relatively quick?
>
> If it is also affected by an error-based SQL injection, something like
> AND 1=(SELECT ...) might do the trick; otherwise a UNION query SQL
> injection can help, if vulnerable.
>
> Cheers,
From: Ignacio H. <nac...@gm...> - 2010-05-20 11:49:07
It's a known flaw in sqlmap, the false negatives, and they are working on it. It's a complex task, as some pages output the URL you are using to inject into the output page. For example, if sqlmap is checking whether the injection works and tries "vuln.php?id=1 and 1=1", the output page can echo something like:

    <a href="http://www.site.com/vuln.php?id=1 and 1=1&otherparam=2">

and that can mess up the detection engine... I tried to make an approach to solve this but definitively my python (and general programming) knowledge was not enough to work on a project like sqlmap. :)

To get data faster from slow sites you can try a semi-blind technique I discovered some time ago (well, I think it was already discovered by someone else but I hadn't noticed). It is some kind of semi-blind injection using arithmetic-based injection. For example, if you are trying to inject on the news app of a web site, they can sometimes echo to the response page something like "This is the X news posted here" where X is the news id selected. The URL could be something like:

    site.com?newsid=6

You can inject something like this to get one char for each query you make:

    vuln.php?newsid=128-(ascii(mid( (select version()),1,1)))

So if it's echoed "This is the 51 news posted here" you know the char is "M" (128-51=77, 77=M). You can make a script to automate this. I made one but I can't find it right now.

I hope it helps,
Regards.

2010/5/20 <ja...@ev...>
> Yeah, that's the weird thing. Stacked SHOULD be enabled. Also no UNION
> ability. I guess I'm boned. :) The injection doesn't respond to any errors.
> That's actually how I found it. Feeding "'" to an arg gave me a blank page
> which is usually good. I suppose it could be a false negative. I will
> inspect further. Also;
>
> A general message to the SQLmap users:
>
> Have you noted that SQLMap misses a lot of vulns? Simple ones like
> windowsistrash.asp?id=1';waitfor delay '00:00:15'
> And also more complex POST vulns? I've been using SQLNinja on the advice
> of my friend Bert and it appears to pwn windoze better than SQLmap...
>
> Bernardo -- Any clue on this? I can provide a few examples of sites in
> private where SQLNinja succeeded and SQLMap failed to detect the GET or POST
> vuln.
> I'm always using SVN too, btw.
>
> If anyone else has noticed this, please reply; let's squash this bug...
>
> James @ EV6.net
>
> On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G."
> <ber...@gm...> wrote:
>> James,
>>
>> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>>> ...
>>> I'm currently attempting to attack an interesting setup: a
>>> RedHat (Apache)
>>> box with a PHP front end linked to a MS SQL db.
>>
>> It's a quite common setup. I've also seen Windows/Apache/PHP (or Perl)
>> with back-end MSSQL or MySQL recently.
>>
>>> Since it's Apache+Linux it
>>> doesn't support stacked queries.
>>
>> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
>> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>>
>>> It's also slow as dog crap going up a hill
>>> with the blind injection. Does anyone know of a way to use the
>>> OPENROWSET
>>> type attack without stacked queries?
>>
>> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>>
>>> Or basically have any ideas how I can
>>> get enough proof of data from this box relatively quick?
>>
>> If it is also affected by an error-based SQL injection, something like
>> AND 1=(SELECT ...) might do the trick; otherwise a UNION query SQL
>> injection can help, if vulnerable.
>>
>> Cheers,
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
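The arithmetic-based extraction Ignacio describes above works because an integer parameter is dropped into the query unvalidated and its computed value is echoed back in the page, so each request leaks one byte. Here is the defender's side of that, as an added example that is not code from this thread, from sqlmap, or from any tool mentioned in it: a small Python scanner that flags this payload shape in Apache combined-format access-log lines, next to the input validation the vulnerable page should have applied before building its query. The log lines, client addresses and paths are constructed for the demo, and the function and pattern names are my own.

```python
"""Spot the "N - ascii(one char of a subquery)" extraction pattern in access
logs, and reject it at the input boundary.

Added example, not code from the thread, from sqlmap or from sqlninja.
All sample data below is constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (not real traffic). The first two
# are ordinary requests; the last two carry the arithmetic extraction shape
# described in the thread (MySQL mid()/version() and MSSQL substring()/@@version).
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2010:11:49:07 +0100] "GET /vuln.php?newsid=6 HTTP/1.1" 200 5120
192.0.2.10 - - [20/May/2010:11:49:09 +0100] "GET /vuln.php?newsid=6&page=2 HTTP/1.1" 200 5130
192.0.2.44 - - [20/May/2010:11:50:01 +0100] "GET /vuln.php?newsid=128-(ascii(mid((select%20version()),1,1))) HTTP/1.1" 200 5127
192.0.2.44 - - [20/May/2010:11:50:02 +0100] "GET /vuln.php?newsid=128-(ascii(substring((select%20@@version),2,1))) HTTP/1.1" 200 5127
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A value that starts as an integer, is followed by + or -, and then wraps a
# character-to-number function, a substring function and a SELECT. Requiring
# the whole combination (rather than a single keyword) keeps legitimate values
# such as "6" or "2010-05-20" from matching.
EXTRACTION_RE = re.compile(
    r'^\s*\d+\s*[-+]\s*\(?\s*(ascii|ord|unicode)\s*\('
    r'.*\b(mid|substr|substring)\s*\('
    r'.*\bselect\b',
    re.IGNORECASE | re.DOTALL,
)


def is_arithmetic_extraction(value: str) -> bool:
    """True when an already URL-decoded parameter value has the extraction shape."""
    return EXTRACTION_RE.search(value) is not None


def scan_access_log(lines):
    """Return (client_ip, parameter_name, decoded_value) for each request whose
    query string carries an arithmetic extraction payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes the values for us.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_arithmetic_extraction(value):
                hits.append((m.group("ip"), name, value))
    return hits


def parse_newsid(raw: str) -> int:
    """What the news page should do with newsid before it touches SQL: accept a
    plain non-negative integer only. The arithmetic payload is rejected here, so
    no expression ever reaches the database. (Binding the value as a typed
    parameter in a prepared statement is the complementary fix.)"""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("newsid must be a plain integer")
    return int(raw)


if __name__ == "__main__":
    for ip, name, value in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} parameter {name!r}: {value}")
```

Running the block prints the two constructed requests from 192.0.2.44; the ordinary `newsid=6` lines are not reported. The pattern is deliberately narrow (integer, arithmetic operator, char-to-number function, substring function, SELECT) so it can sit in a log pipeline with a low false-positive rate; widen it only with the same all-parts-required structure, or the `2010-05-20`-style values will start matching.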
From: <ja...@ev...> - 2010-05-20 11:41:02
Hi,

Sorry if this is a duplicate, I clicked "getting started" in firefox by accident while sending this email.

Yeah I know PHP/MSSQL should support stacked queries but it appears to be disabled. Judging from the rest of this pen test it just simply cannot be on purpose. I'm thinking maybe a false negative. However, diagnosing is a little tricky. The webserver just returns a blank page instead of an error (grrr). I will do some more checking if possible. There's also no UNION ability ;(

A general note to SQLMap users / Developers:

I've been using sqlmap pretty much since 0.6 or something and I've noted time and time again it misses simple vulns (on stable pages) for stuff like

    http://microsoft.com/windowsucks.aspx?id=31337';waitfor delay '00:00:15'--

It's also quite terrible at detecting POST vulns. The POST vulns I've been testing are mostly shitty login.asp scripts. Bert told me I should be using SQLNinja so I tried it out and voilà, it exploits the vulns; however SQLNinja is more of a database takeover tool and I need data from the db's as proof for the job.

Just wondering if anyone has noted this and possibly maybe we can send Bernardo some example sites (IN PRIVATE) where SQLNinja was able to succeed and SQLMap failed detection. Let's all submit some URLs -- IN PRIVATE -- where SQLmap wasn't able to detect a POST or GET vuln that sqlninja was able to detect? Please? Let's make sqlmap awesomer.

Also, it'd be nice if SQLMap supported uploading debug.exe .scr's and converting them to .exe's on the db box.

AND...

    [07:29:27] [INFO] retrieved: sqlmap got a 302 redirect to /index.php - What target address do you want to use from now on? http://www.fbi.gov:80/search/score.php (default) or provide another target address based also on the redirection got from the application

I think? SQLmap is supposed to log that to the session file and use it every time; however it does indeed ask me every time on the same page, same db, same dump params. If it isn't set up that way, it'd be nice, or maybe a cmd arg that is something along the lines of --static-url

What do you guys think?

James

P.S. All URLs have been censored to protect the idiots who pay me.

On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G." <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>> ...
>> I'm currently attempting to attack an interesting setup: a
>> RedHat (Apache)
>> box with a PHP front end linked to a MS SQL db.
>
> It's a quite common setup. I've also seen Windows/Apache/PHP (or Perl)
> with back-end MSSQL or MySQL recently.
>
>> Since it's Apache+Linux it
>> doesn't support stacked queries.
>
> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>
>> It's also slow as dog crap going up a hill
>> with the blind injection. Does anyone know of a way to use the OPENROWSET
>> type attack without stacked queries?
>
> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>
>> Or basically have any ideas how I can
>> get enough proof of data from this box relatively quick?
>
> If it is also affected by an error-based SQL injection, something like
> AND 1=(SELECT ...) might do the trick; otherwise a UNION query SQL
> injection can help, if vulnerable.
>
> Cheers,
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 15:08:54
Hi,

On Thu, May 20, 2010 at 12:40, <ja...@ev...> wrote:
> ...
> Also, it'd be nice if SQLMap supported uploading debug.exe .scr's and
> converting them to .exe's on the db box.

It has done so since about April 2009, and much more. I recommend you better read doc/README.pdf. There are tons of examples for each single switch/feature. I know, reading the manual can be boring; maybe watching some videos is a bit less? http://sqlmap.sourceforge.net/demo.html

> [07:29:27] [INFO] retrieved: sqlmap got a 302 redirect to /index.php -
> What target address do you want to use from now on?
> http://www.fbi.gov:80/search/score.php (default) or provide another target
> address based also on the redirection got from the application
>
> I think? SQLmap is supposed to log that to the session file and use it
> every time however it does indeed ask me every time on the same page, same

Redirect(ed) URL is one of the few things that is not yet stored/resumed from the session file. I will work on this soon.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-05-20 12:51:41
James,

On Thu, May 20, 2010 at 12:30, <ja...@ev...> wrote:
> ...
> Have you noted that SQLMap misses a lot of vulns? Simple ones like
> windowsistrash.asp?id=1';waitfor delay '00:00:15'
> And also more complex POST vulns? I've been using SQLNinja on the advice
> of my friend Bert and it appears to pwn windoze better than SQLmap...
> ...

As I said several times, sqlmap can detect only boolean-based blind SQL injection at first. If and once it identifies this type of injection, it can be used to test and exploit UNION query and stacked queries. This is a design flaw which will be fixed in the upcoming months.

sqlninja is not able to detect the injection; you have to instruct it where it is and how to exploit it in the sqlninja.conf file. It uses only waitfor delay (time-based blind SQL injection) to enumerate very little data, the only data needed to take the box over. This is why it "pwn windoze better".

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: David G. <sk...@gm...> - 2010-05-21 13:47:08
On Thu, May 20, 2010 at 9:20 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 12:30, <ja...@ev...> wrote:
>> ...
>> Have you noted that SQLMap misses a lot of vulns? Simple ones like
>> windowsistrash.asp?id=1';waitfor delay '00:00:15'
>> And also more complex POST vulns? I've been using SQLNinja on the advice
>> of my friend Bert and it appears to pwn windoze better than SQLmap...
>> ...
>
> As I said several times, sqlmap can detect only boolean-based blind
> SQL injection at first. If and once it identifies this type of
> injection, it can be used to test and exploit UNION query and stacked
> queries. This is a design flaw which will be fixed in the upcoming
> months.

We are eagerly waiting for it to become true!!

> sqlninja is not able to detect the injection; you have to instruct it
> where it is and how to exploit it in the sqlninja.conf file. It uses
> only waitfor delay (time-based blind SQL injection) to enumerate very
> little data, the only data needed to take the box over. This is why it "pwn
> windoze better".

Yes, sqlninja can collect just some info from the database, like the version (2000/2005), database user, privs, etc. It's just a "pwnage" MSSQL tool. Also, icesurfer (the developer) just released version 0.2.5 these days.

I usually use the tools in backtrack for pentesting databases (/pentest/dabase). For full-blind (time-based) SQL injection as you need, I always use the tool "sqlbrute.py" with some modifications to suit my needs.

Tools for pentesting databases, as available in backtrack, are described on this page: http://itbreathes.com/?p=59

--
David Gomes Guimarães