Thread: [sqlmap-users] A bug and a suggestion
From: Stuffe <stu...@gm...> - 2009-07-29 16:22:37
I just fired up the version of sqlmap, but it couldn't find the web root, although it should be simple to do.

A simple regex could identify all PHP errors; they all start like <b>Parse error</b>:, <b>Notice</b>:, <b>Warning</b>:, <b>Fatal error</b>: etc. After that comes some random crap and then comes the URL you are looking for, inside a <b> tag, e.g. <b>C:\wamp\www\index.php</b>.

Here are some examples:

<b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line <b>12</b>
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
<b>Parse error</b>: parse error, expecting `'('' in <b>C:\wamp\www\index.php </b> on line <b>28</b>

As you can see, they are not hard to extract with a regex. And they can often be generated if you insert something that breaks the SQL query, or by typecasting a GET var as an array (like index.php?a[]=now_a_becomes_an_array), or other tricks.

Anyway, when the error message is found, it should be checked whether or not the last part of the URL is equal to the last part of the internal path; if they are equal, you know the webroot. E.g. http://example.com/whatever/index.php gives the error:

<b>Notice</b>: Undefined index: b in <b>C:\wamp\www\whatever\index.php</b> on line <b>12</b>

You replace \ with / and compare http://example.com/whatever/index.php with C:/wamp/www/whatever/index.php and find that C:/wamp/www/ must be the webroot.

Now I don't know if or how sqlmap is trying to retrieve the webroot, but it wasn't able to find these things in my tests (even though they were all over the place).

Anyway, it also crashed on me when I tried to upload a webshell:

C:\Documents and Settings\Administrator>"C:\Documents and Settings\Administrator\Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell

    sqlmap/0.7
    by Bernardo Damele A. G. <ber...@gm...>

[*] starting at: 17:37:18

[17:37:18] [INFO] testing connection to the target url
[17:37:18] [INFO] testing if the url is stable, wait a few seconds
[17:37:19] [INFO] url is stable
[17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:37:20] [INFO] testing if GET parameter 'a' is dynamic
[17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
[17:37:20] [INFO] GET parameter 'a' is dynamic
[17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0 parenthesis
[17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] confirming unescaped numeric injection on GET parameter 'a'
[17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0 parenthesis
[17:37:20] [INFO] testing for parenthesis on injectable parameter
[17:37:20] [INFO] the injectable parameter requires 0 parenthesis
[17:37:20] [INFO] testing MySQL
[17:37:20] [INFO] confirming MySQL
[17:37:20] [INFO] retrieved: 9
[17:37:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[17:37:20] [INFO] testing stacked queries support on parameter 'a'
[17:37:20] [INFO] detecting back-end DBMS version from its banner
[17:37:20] [INFO] retrieved: 5.1.33
[17:37:20] [WARNING] the web application does not support stacked queries on parameter 'a'
[17:37:20] [INFO] going to upload a web page backdoor for command execution
[17:37:20] [INFO] fingerprinting the back-end DBMS operating system
[17:37:20] [INFO] retrieved: c
[17:37:20] [INFO] the back-end DBMS operating system is Windows
[17:37:20] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/Inetpub/wwwroot/]: C:/wamp/www/
[17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
please provide any additional web server full path to try to upload the agent [C:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
[17:37:51] [INFO] trying to upload the uploader agent
which web application language does the web server support?
[1] ASP
[2] PHP (default)
[3] JSP
> 2
[17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.7
Python version: 2.6.1
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 84, in main
  File "lib\controller\controller.pyc", line 263, in start
  File "lib\controller\action.pyc", line 140, in action
  File "plugins\generic\takeover.pyc", line 295, in osShell
  File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
  File "lib\request\connect.pyc", line 131, in getPage
  File "urllib2.pyc", line 124, in urlopen
  File "urllib2.pyc", line 383, in open
  File "urllib2.pyc", line 401, in _open
  File "urllib2.pyc", line 361, in _call_chain
  File "urllib2.pyc", line 1130, in http_open
  File "urllib2.pyc", line 1087, in do_open
  File "httplib.pyc", line 656, in __init__
  File "httplib.pyc", line 668, in _set_hostport
InvalidURL: nonnumeric port: '80\test'

[*] shutting down at: 17:37:53
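The web-root derivation the post describes, written out as an added example (not sqlmap's own code): a regex pulls the paths disclosed by PHP's HTML error output, then the URL path and the filesystem path are aligned from the right and the unmatched prefix is the document root. The sample response is constructed from the error messages quoted above; the same routine is useful on the defending side to confirm whether an application leaks its install path in error pages.

```python
import re
from urllib.parse import urlsplit

# Shape of PHP's HTML error output as quoted in the post:
# <b>Level</b>: message in <b>/path/to/file.php</b> on line <b>N</b>
PHP_ERROR_RE = re.compile(
    r"<b>(?P<level>Parse error|Notice|Warning|Fatal error)</b>:.*?"
    r"\bin\s*<b>\s*(?P<path>[^<]+?)\s*</b>\s*on line\s*<b>\s*(?P<line>\d+)\s*</b>",
    re.DOTALL,
)

def extract_paths(html):
    """Return the filesystem paths disclosed by PHP error messages in a page."""
    return [m.group("path") for m in PHP_ERROR_RE.finditer(html)]

def guess_webroot(url, disclosed_path):
    """Align the URL path with the disclosed path from the right; what is left
    of the filesystem path is the document root (None if nothing lines up)."""
    url_parts = [p for p in urlsplit(url).path.split("/") if p]
    fs = disclosed_path.replace("\\", "/")        # Windows paths use backslashes
    fs_parts = [p for p in fs.split("/") if p]
    n = 0
    while n < min(len(url_parts), len(fs_parts)) and url_parts[-1 - n] == fs_parts[-1 - n]:
        n += 1
    if n == 0:
        return None
    prefix = "/" if fs.startswith("/") else ""     # keep the leading slash on Unix
    return prefix + "/".join(fs_parts[:len(fs_parts) - n]) + "/"

def webroots_from_page(url, html):
    """Every document root derivable from the error messages in one response."""
    roots = {guess_webroot(url, p) for p in extract_paths(html)}
    return sorted(r for r in roots if r)

# Constructed sample response, built from the messages quoted in the post
# (note the missing space before "on line" and the stray space before </b>).
SAMPLE_URL = "http://example.com/whatever/index.php"
SAMPLE_HTML = (
    "<br /><b>Notice</b>: Undefined index: b in <b>C:\\wamp\\www\\whatever\\index.php</b>on line <b>12</b><br />"
    "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL "
    "result resource in <b>C:\\wamp\\www\\whatever\\index.php</b> on line <b>14</b><br />"
    "<b>Parse error</b>: parse error, expecting `'('' in <b>C:\\wamp\\www\\whatever\\index.php </b> on line <b>28</b>"
)

if __name__ == "__main__":
    for path in extract_paths(SAMPLE_HTML):
        print(path, "->", guess_webroot(SAMPLE_URL, path))
```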
From: Bernardo D. A. G. <ber...@gm...> - 2009-07-30 12:05:47
Hi Stuffe,

On Wed, Jul 29, 2009 at 17:22, Stuffe <stu...@gm...> wrote:
> I just fired up the version of sqlmap, but it couldn't find the web root,
> although it should be simple to do.
> A simple regex could identify all PHP errors; they all start like <b>Parse
> error</b>:, <b>Notice</b>:, <b>Warning</b>:, <b>Fatal error</b>: etc.
> After that comes some random crap and then comes the URL you are looking
> for, inside a <b> tag, e.g. <b>C:\wamp\www\index.php</b>.
> Here are some examples:
> <b>Notice</b>: Undefined index: b in <b>C:\wamp\www\index.php</b> on line
> <b>12</b>
> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL
> result resource in <b>C:\wamp\www\index.php</b> on line <b>14</b>
> <b>Parse error</b>: parse error, expecting `'('' in
> <b>C:\wamp\www\index.php</b> on line <b>28</b>
> As you can see, they are not hard to extract with a regex. And they can
> often be generated if you insert something that breaks the SQL query, or by
> typecasting a GET var as an array
> (like index.php?a[]=now_a_becomes_an_array), or other tricks.

I will improve the HTML parsing function as soon as possible, thanks for reporting.

> Anyway, when the error message is found, it should be checked whether or
> not the last part of the URL is equal to the last part of the internal
> path;
> if they are equal, you know the webroot.
> ...

This is done already. If it does not work, then it's a bug. Let me know.

> Anyway, it also crashed on me when I tried to upload a webshell:
> C:\Documents and Settings\Administrator>"C:\Documents and
> Settings\Administrator
> \Desktop\sqlmap-0.7_exe\sqlmap.exe" -u http://localhost/?a=1 --os-shell
>
>     sqlmap/0.7
>     by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 17:37:18
>
> [17:37:18] [INFO] testing connection to the target url
> [17:37:18] [INFO] testing if the url is stable, wait a few seconds
> [17:37:19] [INFO] url is stable
> [17:37:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [17:37:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [17:37:20] [INFO] testing if GET parameter 'a' is dynamic
> [17:37:20] [INFO] confirming that GET parameter 'a' is dynamic
> [17:37:20] [INFO] GET parameter 'a' is dynamic
> [17:37:20] [INFO] testing sql injection on GET parameter 'a' with 0 parenthesis
> [17:37:20] [INFO] testing unescaped numeric injection on GET parameter 'a'
> [17:37:20] [INFO] confirming unescaped numeric injection on GET parameter 'a'
> [17:37:20] [INFO] GET parameter 'a' is unescaped numeric injectable with 0 parenthesis
> [17:37:20] [INFO] testing for parenthesis on injectable parameter
> [17:37:20] [INFO] the injectable parameter requires 0 parenthesis
> [17:37:20] [INFO] testing MySQL
> [17:37:20] [INFO] confirming MySQL
> [17:37:20] [INFO] retrieved: 9
> [17:37:20] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: Apache 2.0.63, PHP 5.2.9
> back-end DBMS: MySQL >= 5.0.0
> [17:37:20] [INFO] testing stacked queries support on parameter 'a'
> [17:37:20] [INFO] detecting back-end DBMS version from its banner
> [17:37:20] [INFO] retrieved: 5.1.33
> [17:37:20] [WARNING] the web application does not support stacked queries on parameter 'a'
> [17:37:20] [INFO] going to upload a web page backdoor for command execution
> [17:37:20] [INFO] fingerprinting the back-end DBMS operating system
> [17:37:20] [INFO] retrieved: c
> [17:37:20] [INFO] the back-end DBMS operating system is Windows
> [17:37:20] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/Inetpub/wwwroot/]: C:/wamp/www/
> [17:37:46] [INFO] retrieved web server full paths: 'C:\wamp\www, C:\'
> please provide any additional web server full path to try to upload the agent [C:/Inetpub/wwwroot/test/]: C:/wamp/www/test/
> [17:37:51] [INFO] trying to upload the uploader agent
> which web application language does the web server support?
> [1] ASP
> [2] PHP (default)
> [3] JSP
> > 2
> [17:37:53] [ERROR] unhandled exception in sqlmap/0.7, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
> sqlmap version: 0.7
> Python version: 2.6.1
> Operating system: win32
> Traceback (most recent call last):
>   File "sqlmap.py", line 84, in main
>   File "lib\controller\controller.pyc", line 263, in start
>   File "lib\controller\action.pyc", line 140, in action
>   File "plugins\generic\takeover.pyc", line 295, in osShell
>   File "plugins\generic\takeover.pyc", line 187, in __webBackdoorInit
>   File "lib\request\connect.pyc", line 131, in getPage
>   File "urllib2.pyc", line 124, in urlopen
>   File "urllib2.pyc", line 383, in open
>   File "urllib2.pyc", line 401, in _open
>   File "urllib2.pyc", line 361, in _call_chain
>   File "urllib2.pyc", line 1130, in http_open
>   File "urllib2.pyc", line 1087, in do_open
>   File "httplib.pyc", line 656, in __init__
>   File "httplib.pyc", line 668, in _set_hostport
> InvalidURL: nonnumeric port: '80\test'
>
> [*] shutting down at: 17:37:53

This bug is fixed and committed now. Please, let me know if the web root works properly in your test environment or if you find any other bug.

Cheers,

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F