Thread: [sqlmap-users] Bypassing IDS/IPS
From: Arturs P. <lva...@in...> - 2012-08-30 15:06:13
Hi!
Basically this question is about what Havij does and how to do the same w/ SQLMap (or better). I made injections and was able to dump the database with Havij on this site - http://nhl.id.lv/?cat=stats&position=Goalie&sort=saves through parameter 'sort'. It used MySQL time-based injection (time is usually 4.x seconds or 3.x - I was not able to set SQLMap to milliseconds or seconds with commas or points) and retrieved all the needed data using the slow letter-guessing method. But it did the job, although it was very slow. With SQLMap it detects MySQL time-based blind, but is not able to retrieve any data. The payload says that there is a possibility of IDS/IPS defence. What should I do to get the database name? Any tampering scripts or combinations of them? Is it possible to get the names of DBs and tables faster than Havij's slo-mo guessing?
There's another site with which I have a similar problem. That's http://hack-games.com . I set crawling to 2 and use parameters 'doaction' or 'pmid'. SQLMap finds blind boolean injection, but once again hits the IDS/IPS defence. Havij on the same page, only without crawling (I specified the page SQLMap found while crawling, but don't remember it :D), found the DB, but it wasn't able to get normal characters instead of square boxes. That is probably just an encoding issue.
Could anyone help me to sort out this situation?

P.S.
Havij also does database name character count retrieval before guessing the numbers. I'm not sure if SQLMap has such a function.
P.P.S.
I won't use your help to do something illegal with SQLMap, I'm just having fun hacking. No harm done to any of the above-mentioned or any other webpages.
From: <du...@al...> - 2012-08-30 19:21:33
Since you mentioned "not doing anything illegal", I will just say that checking people's doors and windows to see if they are open or weak is not ok even if it's fun and all (but if the site you are testing on has given you permission, or if you own it, then hack away to your heart's content). Anyway, to the issue at hand. Are you using the latest development version of sqlmap? If not, then I recommend you do that, since it gets new features and updates all the time, and you will probably see your issue solved there. If you don't have git, then get it, and then do:

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

//C

On 30.08.2012 17:06, Arturs Pavlovs wrote:
> [...]
From: Chris O. <chr...@gm...> - 2012-08-30 20:49:48
Mentioning live sites on the list... grumble...

On 30 August 2012 16:06, Arturs Pavlovs <lva...@in...> wrote:
> [...]