Re: [sqlmap-users] Sqlmap/DNS exfil

>> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ ? >> www.testsite.org <http://www.testsite.org/>. (30) >> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A >> 173.213.231.200 (46) >> 16:58:04.079921 IP 8.8.8.8.53 > 97.8

Re: [sqlmap-users] Sqlmap/DNS exfil

7.91.210.56778: 15627 0/1/0 (117) >> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? >> www.testsite.org. (30) >> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ ? >> www.testsite.org. (30) >> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/

Re: [sqlmap-users] Sqlmap/DNS exfil

.testsite.org>. (30) 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46) 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117) It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur...

Re: [sqlmap-users] Sqlmap/DNS exfil

1/0/0 A >> 173.213.231.200 (46) >> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117) >> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? >> www.testsite.org. (30) >> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? >&

Re: [sqlmap-users] Sqlmap/DNS exfil

16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A > 173.213.231.200 (46) > 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117) > 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? > www.testsite.org. (30) > 16:59:09.078623 IP 97.87

Re: [sqlmap-users] Sqlmap/DNS exfil

.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46) 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117) It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur... or else I'm doing something else wrong. Thanks, V _

Re: [sqlmap-users] Sqlmap/DNS exfil

I would suggest you to run the wireshark or similar when running the --dns-domain to properly debug what is going on. There could be really lots of problems before you fine tune it (e.g. other service running on :53). About the "forcing" sqlmap for using dns-exfil. It will always at least try to t

Re: [sqlmap-users] sqlmap on Wikipedia?

Hi. My 2 cents: "sqlmap - security development in Python" http://www.slideshare.net/stamparm/euro-python-2011miroslavstamparsqlmapsecuritydevelopmentinpython "DNS exfiltration using sqlmap" http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281 "sqlmap - Under the Hood" http:

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi, continuing using Sqlmap from Windows machine, now I am able to get everything without garbled characters and even without using safe url. Vojta Dne 13.10.2015 v 21:14 Miroslav Stampar napsal(a): > > Problem is that request/responses are slow. Can't see why is this > happening. > > Can you plea

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi, I have several interesting findings. I have to run Sqlmap on my Windows machine because of my presentation. So current setup is like this: Webgoat running on my physical Arch Linux box with OpenJDK. Sqlmap running on Windows 7 64 bit in virtual machine virtualized with Virtualbox. Sqlmap connec

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Problem is that request/responses are slow. Can't see why is this happening. Can you please send also the traffic.txt (-t traffic.txt) for such run? I don't have a clue why a simple connection test takes this slow. Bye On Oct 13, 2015 9:12 PM, "Brandon Perry" wrote: > Nothing looks wrong in th

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output. What were you expecting to happen? On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek wrote: > Hi, > http://pastebin.com/Q9RKsffG > I am running Arch Linux 64 bit and I am r

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi, http://pastebin.com/Q9RKsffG I am running Arch Linux 64 bit and I am running Webgoat from the single jar file. I am using OpenJDK. Thank you, Vojta Dne 13.10.2015 v 18:54 Miroslav Stampar napsal(a): > > Yup. The master branch is a good branch. > > And you are having difficulties even if you us

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Yup. The master branch is a good branch. And you are having difficulties even if you use a --flush-session along with switches/options I've used? This is strange. I've run this numerous times in last few days. Can you please send a complete console output as I've sent for my runs? Also, on which

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Greetings, now it works but... I don't know what am I doing wrong, but it takes very looong time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost a hour to get this done. Also I found out that if I try to use --keep-alive, it is much faster, it takes a

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Thank you very much, this sounds great. I will be able to show this Sqlmap feature and that's good. I will try it as soon as possible. Vojta Dne 13.10.2015 v 13:07 Miroslav Stampar napsal(a): > Hi. > > There has been a lot work here. Please update to the latest revision > and retry it again. > >

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi. There has been a lot work here. Please update to the latest revision and retry it again. One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have s

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi. There is still more work here to be done. Will let you know. I am going to try to finish it today. Bye On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek wrote: > Greetings, > I have still problems exploiting HSQL databases. current-user is still > returning garbled characters etc. > Is it

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Greetings, I have still problems exploiting HSQL databases. current-user is still returning garbled characters etc. Is it still working for you? Thanks, Vojta Dne 10.10.2015 v 01:35 Miroslav Stampar napsal(a): > > I've used that same request file without any problems (with latest > patches/revisio

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hello, Here are some debugging information. This is output of Sqlmap running, exploiting and trying to get current db user: http://cloud.vojtapolasek.eu/index.php/s/cCBLy5MGR46pXOe And this is the traffic file: http://cloud.vojtapolasek.eu/index.php/s/jheCneiJfxzrLGV I used: sqlmap -r request --lev

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session Bye On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" wrote: > Greetings, > thanks for your prompt response. > Unfortunatelly, it is still not working

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Greetings, thanks for your prompt response. Unfortunatelly, it is still not working as expected. There is problem with retrieving of current user and information from HSQL database in general. Moreover, when using following request file from the same application, Sqlmap identified backend database

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Fixed tons of bugs and pushed. Please retry it again. Bye On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar wrote: > Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it > right now. > > Bye > > On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar < > miroslav.stam...@gmail.com> wro

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now. Bye On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar wrote: > Hi again. > > Please update to the latest revision and retry it again (with > --flush-session). > > Backend used is HSQLDB while the sqlmap wrongly reco

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi again. Please update to the latest revision and retry it again (with --flush-session). Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL (because HSQLDB is MySQL look-alike) Bye On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek wrote: > Hi, > You can download Webgoat he

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Have you tried to manually extract some data? If not then give it a try, from doing it you'll be able to work out if you need any tampering or if there are any other special requirements. Robin On 9 October 2015 at 11:49, Vojtěch Polášek wrote: > Hi, > You can download Webgoat here: > https://we

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi, You can download Webgoat here: https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar Just run java- jar WebGoat-6.0.1-war-exec.jar And you can login at localhost:8080/WebGoat with name webgoat and password webgoat

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

p.s. you can always use something like http://testphp.vulnweb.com/artists.php?artist=1 for a quick test/show off On Fri, Oct 9, 2015 at 11:16 AM, Miroslav Stampar < miroslav.stam...@gmail.com> wrote: > Hi. > > Can you please send a used sqlmap command along with the basic info on > vulnerable env

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Hi. Can you please send a used sqlmap command along with the basic info on vulnerable environment (e.g. just a plain Webgoat, URL this and that)? Bye On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek wrote: > Greetings, > I am running Webgoat from standalone jar file, so I can't see any logs. >

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

> On Oct 8, 2015, at 3:52 PM, Vojtěch Polášek wrote: > > Greetings, > I am running Webgoat from standalone jar file, so I can't see any logs. > I will try to see some logs from inside the application. Anyway, I > didn't expect this application to contain any kind of filtering. > I hope to show S

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

Greetings, I am running Webgoat from standalone jar file, so I can't see any logs. I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering. I hope to show Sqlmap in action to some people from a large company and I wanted to

Re: [sqlmap-users] Sqlmap can not exploit Webgoat

You should look in the logs of the web server and see what they say. I bet you need --tamper=between Sent from a phone > On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek wrote: > > Greetings, > I tried to verify Sqlmap's functionality by running it against Webgoat > version 6.0.1. You can try it y

Re: [sqlmap-users] Sqlmap SigSegv on beep

Can you please go to the "sqlmap/extra/beep" and from there run the: python -vv beep.py > /tmp/run.txt 2>&1 ...and send me back the content of file /tmp/run.txt ? Bye On Sun, Jul 19, 2015 at 4:42 PM, Vojtěch Polášek wrote: > Hi, > I am running latest Sqlmap from Git and I am receiving SigSegv

Re: [sqlmap-users] SQLmap --os-pwn Meterpreter BUG

Not able to reproduce. Can you please send the complete output of -v 3 (even the "executing local command" parts). It seems that you are either getting the binary shellcodeexec payload (I am getting the alphanum in both msfvenom and non-msfvenom environment) or the remote path contains non-ASCII ch

Re: [sqlmap-users] SQLmap --os-shell BUG

That was fast! Thanks Miroslav. Great tool! On Sat, Jul 4, 2015 at 4:47 PM, Miroslav Stampar wrote: > Thank you for your report. Fixed with the latest revision ( > https://github.com/sqlmapproject/sqlmap/issues/1290) > > Bye > > On Sun, Jul 5, 2015 at 1:16 AM, Danux wrote: > >> With yours is no

Re: [sqlmap-users] SQLmap --os-shell BUG

Thank you for your report. Fixed with the latest revision ( https://github.com/sqlmapproject/sqlmap/issues/1290) Bye On Sun, Jul 5, 2015 at 1:16 AM, Danux wrote: > With yours is not throwing the error, you can reproduce my case with the > owasppractice examples, I am attaching the source code h

Re: [sqlmap-users] SQLmap --os-shell BUG

Something is really wrong happening here. One user is having the identical problem like you (AttributeError: 'NoneType' object has no attribute 'replace') and I am not able to reproduce. Can you please rerun your sqlmap version with " http://testphp.vulnweb.com/artists.php?artist=1"; and tell me i

Re: [sqlmap-users] SQLmap --os-shell BUG

Just clone git and got 1.0-dev-166dc98 version but got a unhandled exception error: ./sqlmap.py -u http://OwaspPractice/injection/lessons/lesson03/index.php?code=N --os-shell --prefix "\")" --flush-session -v3 /sqlmap'. If the exception persists, please open a new issue at ' https://github.com/s

Re: [sqlmap-users] SQLmap --os-shell BUG

I believe that you are using an old revision. For a long time there is at least a git revision or a pseudo "non-git" number appearing when "sqlmap --version" is being used. Please update to the latest revision from the official github repository and rerun the sqlmap. Bye On Sun, Jul 5, 2015 at 1

Re: [sqlmap-users] SQLmap --os-shell BUG

Thanks sqlmap --version sqlmap/1.0-dev In the meantime I will patch procs/mysql/write_file_limit.sql On Sat, Jul 4, 2015 at 3:40 PM, Miroslav Stampar wrote: > Which revision/version of sqlmap do you use? There has been a related > patch a month ago. Will check tomorrow. > > Bye > > On Sun,

Re: [sqlmap-users] SQLmap --os-shell BUG

Which revision/version of sqlmap do you use? There has been a related patch a month ago. Will check tomorrow. Bye On Sun, Jul 5, 2015 at 12:33 AM, Danux wrote: > Hello list, there is an issue with sqlmap when using the --os-shell option > in version sqlmap/1.0-dev and MySQL: 5.5.35-0+wheezy1 (D

Re: [sqlmap-users] Sqlmap Beginner

Hi. If you are using only GET parameters to pass arguments to your web application then you could manually find all different links on your web site containing parameters. Then you should pass those to sqlmap (e.g. by enlisting them line by line in a file and using option -m to pass such file to s

Re: [sqlmap-users] Sqlmap and redirects

Hi. Sending you a sample run from my machine with the latest revision: --- stamparm@Laptop:~/Dropbox/Work/sqlmap$ pwd /home/stamparm/Dropbox/Work/sqlmap stamparm@Laptop:~/Dropbox/Work/sqlmap$ ll /tmp/request.txt -rw-r--r-- 1 stamparm stamparm 327 Jun 18 11:33 /tmp/request.txt stamparm@Laptop:~/D

Re: [sqlmap-users] Sqlmap and redirects

Hi, thank you very much, it works. I have another question. Sqlmap can't work with relative paths when using -r or -c switch for loading requests or config files. Maybe this is true for other switches, but I can confirm it here. It just says that file was not found. It works only with absolute path

Re: [sqlmap-users] Sqlmap and redirects

Hi Vojtěch. Can you please update and try it now? Bye On Mon, Jun 15, 2015 at 11:59 AM, Vojtěch Polášek wrote: > Hi, > I am testing an application, which works in this way: > You send a request as a POST request and application returns 302 Found. > Web browser uses location field to send a GET

Re: [sqlmap-users] sqlmap-users Digest, Vol 48, Issue 3

I tried that with a custom mark for --data. My point I need to hit is the RemotingMessage AMF object with the data Params of "RemoteUsername=null" and "RemotePassword=null" this triggers the exception by hand. I'm trying to figure out if I can get sqlmap to do this. It's not looking like it. *"143

Re: [sqlmap-users] sqlmap-users Digest, Vol 48, Issue 3

@Brandon Excellent. Very well done sir... Seeing if maybe I can do something like this. Thanks. Chris. On Fri, May 29, 2015 at 7:01 AM, wrote: > Send sqlmap-users mailing list submissions to > sqlmap-users@lists.sourceforge.net > > To subscribe or unsubscribe via the World Wide Web, vis

Re: [sqlmap-users] SQLMAP Blind injection not supported

Oh nevermind, I was using an HTTP request loaded from a file, but using the -u parameter seems to work fine. Thanks anyway. 2015-02-19 22:38 GMT+01:00 Loïc THOMAS : > Hi. > > SQLmap wouldn't detect an injection though manually it works perfectly. > It is on a post request. > > Using this value wi

Re: [sqlmap-users] Sqlmap Bug

Hi. Thank you for your report and find it fixed now. Kind regards, Miroslav Stampar On Wed, Oct 22, 2014 at 9:53 PM, Seb wrote: > [19:49:15] [CRITICAL] unhandled exception occurred in > sqlmap/1.0-dev-nongit-20141022. It is recommended to retry your run with > the latest development version fr

Re: [sqlmap-users] sqlmap no colors!

You have a reduced version of Python, commonly a result of custom build. Please get the official build to get everything up and running. Bye On Oct 16, 2014 2:27 AM, "FLO" wrote: > Hey, > When i want to start sqlmap, i type in "python sqlmap.py", and when i do > this, i get following error messa

Re: [sqlmap-users] sqlmap no colors!

Hey, When i want to start sqlmap, i type in "python sqlmap.py", and when i do this, i get following error message: "missing one or more core extensions ('gzip' , 'ssl' , 'sqlite' , 'zlib') most probably because current version of Python has been built without appropriate dev packages (e.g. 'libs

Re: [sqlmap-users] sqlmap security

Both are secure if you know what are you doing. Also, --tor should work out of box if you have a Tor bundle installed (e.g. Vidalia) Bye On Oct 13, 2014 8:35 PM, "FLO" wrote: > Hey, > I am curious about the security level of sqlmap.. is it more secure to > use --tor or --proxy? > And is it enoug

Re: [sqlmap-users] sqlmap no colors!

You are most probably running the old version of sqlmap (installed on your system via system repository). Please do this: 1) cd /tmp 2) git clone https://github.com/sqlmapproject/sqlmap.git 3) cd /tmp/sqlmap 4) python sqlmap.py Bye On Sun, Oct 12, 2014 at 9:45 PM, FLO wrote: > Hey Guys, > I u

Re: [sqlmap-users] sqlmap no colors!

Sync the last sqlmap version. Cheers 2014-10-12 20:45 GMT+01:00 FLO : > Hey Guys, > I use sqlmap 0.9 at freebsd 10.0 system, and i have the problem, that in > my shell: when i run the command "sqlmap" there is no color highlighting! > I only have black letters, and white background. Normally i ha

Re: [sqlmap-users] SQLMAP ERROR, SQLmap disappearing

http://sourceforge.net/p/sqlmap/mailman/sqlmap-users/thread/51e205b9.8020...@gmail.com/ Bye On Tue, Sep 30, 2014 at 10:39 AM, Ogunwede Stephen wrote: > Hello, > I installed smtpmap, but it keeps disappearing each time i press enter. > > Also i have this error on it > > sqlmap: error: missing a

Re: [sqlmap-users] sqlmap bug

Thanks! 17.09.2014, 12:19, "Miroslav Stampar" : > Fixed with  > https://github.com/sqlmapproject/sqlmap/commit/ffa7e2f6e905a5bd0aeab98b51f512529e5024e0#diff-ee248665d16721810ef658a78e5d83a2 > > On Sun, Sep 14, 2014 at 7:29 PM, bockor wrote: >> sqlmap version: 1.0-dev >> Python version: 2.7.6 >> O

Re: [sqlmap-users] SQLMap bug

Hi Nedko. Thank you for your report. It should be fixed now. Bye On Wed, Sep 17, 2014 at 9:09 AM, Nedko Hristov wrote: > Hi guys. I try to run SQL Map against company's script that I'm testing > and I got next error message with the uname -a and errors on exit: > > > root@nedko:/var/www/sqlmap

Re: [sqlmap-users] sqlmap bug

Fixed with https://github.com/sqlmapproject/sqlmap/commit/ffa7e2f6e905a5bd0aeab98b51f512529e5024e0#diff-ee248665d16721810ef658a78e5d83a2 On Sun, Sep 14, 2014 at 7:29 PM, bockor wrote: > sqlmap version: 1.0-dev > Python version: 2.7.6 > Operating system: posix > Command line: ./sqlmap.py --beep -

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

I'd assume on LAMP that the file is written using INTO OUTFILE so what you could try is SSH to the box, use the MySQL client to connect as the user the web app uses and try to create the file manually just to see if it can be created. Robin On 18 Aug 2014 00:54, "Omara" wrote: > I also get "it l

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

I also get "it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path" when I try to read and write a file to the destination path on the DBMS. So the question now is, how to make the destination path /var/www/dvwa/hack

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

Brandon Perry writes: > > > Can you write to /tmp? > > Pick a directory you KNOW you should be able to write to, and ensure you can write to that first. > > Also, maybe SELinux/AppArmor are getting in the way. > > > On Fri, Aug 15, 2014 at 9:52 AM, Omara wrote: > Brandon Perry ...> write

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

Can you write to /tmp? Pick a directory you KNOW you should be able to write to, and ensure you can write to that first. Also, maybe SELinux/AppArmor are getting in the way. On Fri, Aug 15, 2014 at 9:52 AM, Omara wrote: > Brandon Perry writes: > > > > > > > Can you write to /tmp? > > Instea

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

Brandon Perry writes: > > > Can you write to /tmp? > Instead of chowning the directory, just chmod -R 777 the dir you want to write the payload to, that's how many docs on the internet tell people to make an upload directory, for instance, writable by the web server. > > Of course, this is i

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

Can you write to /tmp? Instead of chowning the directory, just chmod -R 777 the dir you want to write the payload to, that's how many docs on the internet tell people to make an upload directory, for instance, writable by the web server. Of course, this is incorrect, but it's definitely easier th

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

Brandon Perry writes: > > > Does the mysql user have write permissions on the web server?  A properly configured web server where chown www-data:www-data was done, as opposed to chmod 777 on the web dir, which is an improper configuration, will not allow the mysql user to write to the web root.

Re: [sqlmap-users] SQLMAP throws 404 error - unable to upload the file stager

Does the mysql user have write permissions on the web server? A properly configured web server where chown www-data:www-data was done, as opposed to chmod 777 on the web dir, which is an improper configuration, will not allow the mysql user to write to the web root. On Wed, Aug 13, 2014 at 6:47

Re: [sqlmap-users] SQLMap extracts weird chars

Hi. Most probably a false positive. Bye On Sat, May 3, 2014 at 11:02 PM, Dev <1240635...@qq.com> wrote: > I can't figure out why this happens > > > > > root@pk:~# sqlmap -u "http://www.net/m_view.php?ps_db=notice&ps_boid=149"; > --current-db > > sqlmap/1.0-dev-b54651b - automatic SQL injec

Re: [sqlmap-users] sqlmap cannot write file due to permissions

Hi. In majority of cases user can't do anything. It's an usual way how to mitigate this kind of vulnerabilites (by using low privileged DBMS accounts). Kind regards, Miroslav Stampar On Mon, Apr 21, 2014 at 4:35 PM, MR Mokhtar wrote: > Hi > i have sql injection and i can dump all tables and e

Re: [sqlmap-users] sqlmap with Sybase

Strange thing is that you are not getting anything with --parse-errors as you are dealing with a "missing database" problem inlined with error-based technique. Can you please send a traffic file (if you want you can send it privately to me) for that same run (where you've used --parse-errors)? By

Re: [sqlmap-users] sqlmap with Sybase

Sure. The --parse-errors switch doesn't seem to produce anything additional? I added -v3 just in case. -- $ python sqlmap.py ... --dbms=sybase --batch --technique=E --threads=8 --fresh-queries -D ENERGY_MASTER --tables --parse-errors -v3 sqlmap/1.0-dev-59d667d - automatic SQL injection and da

Re: [sqlmap-users] sqlmap with Sybase

Hi. Can you please copy/paste the console output you get for sqlmap run with: python sqlmap.py ... -D ENERGY --tables --parse-errors Also, for: python sqlmap.py ... --dbs Bye On Mar 25, 2014 7:16 PM, "les paul" wrote: > Hi all, > > I'm running into trouble with sqlmap against a Sybase db. He

Re: [sqlmap-users] Sqlmap terminated when try to execute system command via sqli

Hi. That file should be there (in regular installations). Is there a possibility that you are running a sqlmap from one place and that you have a sqlmap installed from official repository at the other place? Simple said, that directory "/usr/share/sqlmap/udf/mysql..." looks like it's a part of th

Re: [sqlmap-users] SQLmap plugin error

Hi. You are using an ancient version v0.7. Please update to the latest v1.0-dev from our Github repository. Bye On Tue, Nov 26, 2013 at 11:21 AM, Pushpa JL wrote: > Hi, > > I have been using sqlmap plugin with burpsuite for a while > and from since today afternoon, there is an

Re: [sqlmap-users] SQLmap

Hi. Use --union-cols=18 then. Also, you can force the dbms by using --dbms=mysql. Kind regards, Miroslav Stampar On Oct 31, 2013 9:25 PM, "remi driessens" wrote: > hi developers from sqlmap > > i have a problem with sqlmap everytime i do this on my vulnerable site it > gives me all tested param

Re: [sqlmap-users] SQLmap

I'd imagine that if you want answers, you're going to have to give a little more information than that. On 29 October 2013 18:39, remi driessens wrote: > hi developers from sqlmap > > i have a problem with sqlmap everytime i do this on my vulnerable site it > gives me all tested parameters apea

Re: [sqlmap-users] sqlmap error - log attached

Hi. That file is a standard part of sqlmap. Please remove the sqlmap directory and retrieve it with: git clone https://github.com/sqlmapproject/sqlmap.git Kind regards, Miroslav Stampar On Mon, Sep 2, 2013 at 3:27 AM, Jeff Samuel wrote: > Hi, here´s the error log > > ** ** > > ==

Re: [sqlmap-users] SQLMAP Permission Denied on DUMP

Hi. sqlmap warns with "permission denied" in data dumping process ONLY when there is an explicit DBMS error message stating that the user doesn't have permissions to access that resource. There is no way around it. Kind regards, Miroslav Stampar On Mon, Sep 2, 2013 at 10:42 AM, Mahdi Hazaveh wr

Re: [sqlmap-users] sqlmap dying when handling unicode

Hi. Can you please retry it now? Spotted a bug and fixed it. Kind regards, Miroslav Stampar On Fri, Aug 30, 2013 at 12:16 PM, Sebastian Nerz wrote: > Hi, > > Am 30.08.2013 12:15, schrieb Miroslav Stampar: > > > > Does your original case use GET parameters? That could be a bug in sqlmap > > (ap

Re: [sqlmap-users] sqlmap dying when handling unicode

Hi, Am 30.08.2013 12:15, schrieb Miroslav Stampar: > > Does your original case use GET parameters? That could be a bug in sqlmap > (appending to GET while there is no GET in the first place). No, it only contains COOKIE parameters. Kind regards, Sebastian Nerz > > Kind regards, > Miroslav St

Re: [sqlmap-users] sqlmap dying when handling unicode

Hi. Does your original case use GET parameters? That could be a bug in sqlmap (appending to GET while there is no GET in the first place). Kind regards, Miroslav Stampar On Fri, Aug 30, 2013 at 12:09 PM, Sebastian Nerz wrote: > Hi there, > > sqlmap is dying, when it should handle unicode. What

Re: [sqlmap-users] SQLMap not working while testing localhost

Hi. We are continuously testing sqlmap in similar conditions and haven't noticed similar issue(s). What technique is involved (in first case)? Are you able to retrieve any data with it? What does "SQL_INJECTION_UNION_CONDITION" means?? Can you please send a content of a traffic files for both c

Re: [sqlmap-users] sqlmap log file

p.s. just in case, try to rerun with A) --union-char=1 B) --text-only p.p.s. if everytime you have a different number in "appears to be UNION injectable with x columns" then the page "dynamicity" is screwing you up On Fri, Jun 28, 2013 at 10:24 AM, Miroslav Stampar < miroslav.stam...@gmail.com>

Re: [sqlmap-users] sqlmap log file

Hi Heidi. 1) appears != is. I am not sure if there is much explanation here to be done. To sqlmap something "appeared" to be injectable (because of our heuristic mechanisms) and in further MORE SERIOUS testing it concluded that "it is not injectable" 2) New info is being logged, but only data from

Re: [sqlmap-users] SQLMAP Bug

Hi Joe. Thank you for your report and find it fixed now with the latest update. Kind regards, Miroslav Stampar On Sun, May 26, 2013 at 3:30 AM, Joe O'Hara wrote: > The error is as follows: > os: Ubuntu 13.04 > > sqlmap version: 1.0-dev > Python version: 2.7.4 > Operating system: posix > Comma

Re: [sqlmap-users] [SQLMAP] Unhandled exception for IPv6

Hi again. I would really need to know the format of those urls inside to handle this problem appropriately. Kind regards, Miroslav Stampar On May 22, 2013 6:12 PM, "Miroslav Stampar" wrote: > Hi. > > Can you please send the content of that list file? > > Kind regards, > Miroslav Stampar > Dana

Re: [sqlmap-users] [SQLMAP] Unhandled exception for IPv6

Hi. Can you please send the content of that list file? Kind regards, Miroslav Stampar Dana 22.5.2013. 16:07 "e.novellalore...@student.ru.nl" < e.novellalore...@student.ru.nl> je napisao/la: > Hi guys, > > I have pasted this exception in order to you can have a look if it is > possible to fix it

Re: [sqlmap-users] SQLmap crashing

Hi Phillip. Thank you for your report and find it fixed in our official repository [1]. Kind regards, Miroslav Stampar [1] https://github.com/sqlmapproject/sqlmap On Fri, Apr 19, 2013 at 3:34 PM, Phillip Wylie wrote: > Hi Miroslav, > > Here is the rest of the traceback. The first time I got t

Re: [sqlmap-users] SQLmap crashing

Hi Phillip. Could you please send a whole traceback? Those few lines below "Back-end DBMS" are crucial for us to find and resolve an issue. Kind regards, Miroslav Stampar On Thu, Apr 18, 2013 at 11:45 PM, Phillip Wylie wrote: > [17:20:18] [CRITICAL] unhandled exception in sqlmap/1.0-dev-b7d4af

Re: [sqlmap-users] Sqlmap and direct connect error

Hi Vladimir. Find it "patched" with the latest commit [1]. Basically, those combinations should not be allowed (-d and --url; -d and --tor; etc.) and now we've added new option validation checks for this kind of cases. Kind regards, Miroslav Stampar [1] https://github.com/sqlmapproject/sqlmap/co

Re: [sqlmap-users] Sqlmap Bug

Hi. This should be fixed now. Kind regards, Miroslav Stampar On Wed, Mar 27, 2013 at 3:39 AM, b1lack wrote: > Hello Great hack: >I really like this tool,Today, however, I found that > injection project encountered a problem. >Do not know how to contact

Re: [sqlmap-users] sqlmap can not support stacked queries in aspx+mssql?

Hi. sqlmap hasn't been able to detect that it's exploitable through stacking. Maybe some characters are filtered out. Maybe you are using --proxy or --tor which introduce lagging which are causing problems like yours. Use --flush-session --time-sec=20 if you are going to retry. The best way how

Re: [sqlmap-users] sqlmap-unhandled exception

Hi. Could you please copy paste the whole traceback (that stack trace below that message you've sent)? Kind regards, Miroslav Stampar Dana 10.2.2013. 14:44 "Nicholas Work" je napisao/la: > sqlmap version: 1.0-dev-7c06a93 > Python version: 2.6.5 > Operating system: posix > Command line: ./sqlmap

Re: [sqlmap-users] SQLMAP bug

Fixed now. Bernardo & Miroslav On 7 January 2013 17:20, Bernardo Damele A. G. wrote: > Hi Yuri, > > I noticed this too[1] few minutes ago. > We're working on a fix as I type. > > [1] https://github.com/sqlmapproject/sqlmap/issues/305#issuecomment-11960592 > > Bernardo > > > On 7 January 2013 16

Re: [sqlmap-users] SQLMAP bug

Hi Yuri, I noticed this too[1] few minutes ago. We're working on a fix as I type. [1] https://github.com/sqlmapproject/sqlmap/issues/305#issuecomment-11960592 Bernardo On 7 January 2013 16:50, Jerzy Yuri Kramarz wrote: > Hi Guys, > > Great tool but for the first time ever I've managed to see

Re: [sqlmap-users] sqlmap bug, unhandled exception in sqlmap/1.0-dev-648d91d

Hi. Thank you for your report and find it "patched" in the latest revision. Thing is that you've left out of disk space on drive used for storing traffic file. Kind regards, Miroslav Stampar On Sun, Dec 30, 2012 at 6:31 AM, 沸水浮冰 wrote: > [01:13:42] [CRITICAL] unhandled exception in sqlmap/1.0-

Re: [sqlmap-users] sqlmap issue/bug

Hi. You haven't copy-pasted whole exception message. Please do it so we could spot what's going on Kind regards, Miroslav Stampar On Wed, Dec 19, 2012 at 2:31 PM, Sensėjus Tūrbo wrote: > hi, > > i faced the issue using sqlmap while auditing db2 database. Newest > development release failed to

Re: [sqlmap-users] sqlmap not compatible with python < 3.2 anymore?

You rock (as always) ;) Thanks Am 14.12.2012 14:35, schrieb Miroslav Stampar: > Fixed. > > Bye > > On Fri, Dec 14, 2012 at 2:22 PM, Dennis > wrote: > > Hi guys, > > since I updated sqlmap today, I get the following python error (using > Python 2.6.7): >

Re: [sqlmap-users] sqlmap not compatible with python < 3.2 anymore?

Fixed. Bye On Fri, Dec 14, 2012 at 2:22 PM, Dennis wrote: > Hi guys, > > since I updated sqlmap today, I get the following python error (using > Python 2.6.7): > $ ./sqlmap.py --help > Traceback (most recent call last): > File "./sqlmap.py", line 15, in > from _sqlmap import main > Fil

Re: [sqlmap-users] SQLmap -l option bug

Thank you, Miro, for patching. Regards Karel Marhoul On 9.10.2012 11:36, Miroslav Stampar wrote: > Hi Karel. > > This should be fixed now [1]. > > Kind regards, > Miroslav Stampar > > [1] https://github.com/sqlmapproject/sqlmap/issues/198 > > On Tue, Oct 9, 2012 at 11:04 AM, Karel Marhoul

Re: [sqlmap-users] SQLmap -l option bug

I could confirm this behavior with these versions of burp: Burp Suite Proffesional 1.4.12 Burp Suite Proffesional 1.5rc3 Patch would be appreciated. Regards Karel On 9.10.2012 10:49, Miroslav Stampar wrote: > Hi again. > > It's a preamble, but the request itself is down below. We process > req

  1   2   >