Don't all these current methods rely on either the hostname of the MySQL
server being something that actually resolves, or an authentication rule
using a public IP? If a server is NAT'd, won't both of these fail?
Could a more reliable way of getting the IP/hostname be to make a DNS request
or similar? That way you'll get the public IP as long as it can make an
outgoing connection (which seems more likely on average than having a rule
for authenticating users with it, or having the hostname be resolvable).
Maybe sqlmap could try a combination of these for an improved hostname
lookup? Or is this more work for an edge case (or possibly what I said above
is wrong and one of the other methods will consistently work)?
On Wed, Nov 28, 2012 at 10:04 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> Hi.
>
> If you want to get IP addresses of interest you could try something like
> this:
> --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR
> user LIKE '%admin%'"
>
> back-end DBMS: MySQL >= 5.0.0
> [10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT
> host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
> SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE
> '%admin%' [6]:
> [*] 127.0.0.1, root
> [*] 172.16.162.1, root
> [*] 192.168.21.1, root
> [*] debian-5.0-i386, root
> [*] localhost, root
>
> Kind regards,
> Miroslav Stampar
>
>
> On Wed, Nov 28, 2012 at 9:55 AM, Zaki Akhmad <zakiakh...@gmail.com> wrote:
>
>> On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leonja...@gmail.com> wrote:
>> > On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar
>> > <miroslav.stam...@gmail.com> wrote:
>> >>
>> >> That proposed solution is equivalent to the SELECT @@hostname (except that
>> >> last one doesn't need that non-query SHOW statement). Only thing is that
>> >> you'll get the same result as in --hostname which is not an IP address that
>> >> you require. Have to seek what can be used here.
>> >
>> >
>> > Yeah this is perfect. And then hopefully getting the IP is as simple as
>> > looking up the hostname, assuming it resolves but that is not guaranteed. =p
>>
>> the --sql-query="select @@hostname" works :-)
>>
>> --
>> Zaki Akhmad
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel:
> INSIGHTS What's next for parallel hardware, programming and related areas?
> Interviews and blogs by thought leaders keep you ahead of the curve.
> http://goparallel.sourceforge.net
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
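The NAT point raised above, worked through as an added example (not part of this thread and not sqlmap code): given the `host, user` rows that the quoted `mysql.user` query returned, plus three constructed rows of the other host forms MySQL accepts (`%`, an address-prefix wildcard and `addr/netmask`), the script classifies each host value as loopback, RFC 1918 private, public, any-host or a bare hostname, and reports whether the server's own tables expose a public address at all. A private-only result is exactly the NAT'd case where neither `@@hostname` nor the account table yields an externally usable IP. Read from the defender's side, the same pass is a quick audit of which accounts are scoped to any source host. `resolve_or_none` is a hypothetical helper for the "assuming it resolves" step; it does a real DNS lookup, so it is only called from `__main__`.

```python
import ipaddress
import re
import socket

# Constructed sample: the five rows quoted in the thread plus three
# hypothetical rows covering the other host forms MySQL allows.
SAMPLE_ROWS = [
    ("127.0.0.1", "root"),
    ("172.16.162.1", "root"),
    ("192.168.21.1", "root"),
    ("debian-5.0-i386", "root"),
    ("localhost", "root"),
    ("%", "admin"),                          # constructed: any source host
    ("10.20.%", "backup"),                   # constructed: address-prefix wildcard
    ("192.168.0.0/255.255.255.0", "app"),    # constructed: addr/netmask form
]

# 'a.%', 'a.b.%' or 'a.b.c.%' as MySQL writes an IPv4 prefix wildcard
_PREFIX_WILDCARD = re.compile(r"^((?:\d{1,3}\.){1,3})%$")


def _class_of_address(ip) -> str:
    """Map an ipaddress object to loopback / private / public."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"  # RFC 1918 and similar: all a NAT'd server ever shows
    return "public"


def classify_host(host: str) -> str:
    """Classify one mysql.user.host value.

    Returns 'loopback', 'private', 'public', 'any-host' or 'hostname'.
    Address classes are derived for literal addresses, 'a.b.%' prefix
    wildcards and the 'addr/netmask' form MySQL accepts in the host column.
    """
    host = host.strip()
    if host == "localhost":
        return "loopback"
    if host in ("%", ""):
        return "any-host"
    if "/" in host:  # addr/netmask: ipaddress accepts dotted netmasks directly
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            return "hostname"
        return _class_of_address(net.network_address)
    m = _PREFIX_WILDCARD.match(host)
    if m:  # pad '10.20.%' to 10.20.0.0/16 and classify the range
        octets = m.group(1).rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        try:
            net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
        except ValueError:
            return "hostname"
        return _class_of_address(net.network_address)
    try:
        return _class_of_address(ipaddress.ip_address(host))
    except ValueError:
        return "hostname"  # only useful if it resolves from your vantage point


def summarize_accounts(rows):
    """Group accounts by host class and flag what the table does (not) reveal."""
    by_class = {}
    for host, user in rows:
        by_class.setdefault(classify_host(host), []).append(f"{user}@{host}")
    return {
        "by_class": by_class,
        # False means: no public address anywhere in the table (typical NAT'd box)
        "public_address_seen": "public" in by_class,
        # accounts whose host scoping lets any source connect
        "open_to_any_host": by_class.get("any-host", []),
    }


def resolve_or_none(hostname: str):
    """Hypothetical helper: forward-resolve a hostname, None if it does not
    resolve from here (the 'assuming it resolves' caveat in the thread)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    summary = summarize_accounts(SAMPLE_ROWS)
    for cls, accounts in sorted(summary["by_class"].items()):
        print(f"{cls:10} {', '.join(accounts)}")
    print("public address seen:", summary["public_address_seen"])
    print("open to any host:", summary["open_to_any_host"])
    for host, _ in SAMPLE_ROWS:
        if classify_host(host) == "hostname":
            print(f"{host} resolves to: {resolve_or_none(host)}")
```

Run it as-is and the classification of the thread's rows comes out as two loopback, two private and one bare hostname entries, with no public address in sight; that is the NAT outcome the question above anticipates. Extending `SAMPLE_ROWS` with a real dump is the intended use, and any entry landing in `any-host` is worth a second look regardless of what the server's address turns out to be.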