On Wed, Nov 28, 2012 at 10:12 AM, Stephen Shkardoon <s...@ss23.geek.nz> wrote:

> Don't all these current methods rely on either the hostname of the MySQL
> server to be something that actually resolves, or an authentication rule
> using a public IP? If a server is NAT'd, won't both of these fail?
> Could a more reliable way of getting the IP/hostname be to make a DNS request
> or similar? That way you'll get the public IP as long as it can make an
> outgoing connection (which seems more likely on average than having a rule
> for authenticating users with it, or having the hostname be resolvable).
> Maybe sqlmap could try a combination of these for an improved hostname
> lookup? Or is this more work for an edge case (or possibly what I said above
> is wrong and one of the other methods will consistently work)?
>
More work than benefit(s). We won't extend this any further than --hostname
switch itself.

I just wrote that last method as it could give you a list of IP addresses
from where root/admin can connect. Thing is that database administrators
tend to put all sorts of IP addresses and a wild guess is that you'll get
some interesting ones there (hostname itself, ip addresses coming from a
local network,...).

>
>
> On Wed, Nov 28, 2012 at 10:04 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> If you want to get IP addresses of interest you could try something like
>> this:
>> --sql-query="SELECT host, user FROM mysql.user WHERE user LIKE '%root%'
>> OR user LIKE '%admin%'"
>>
>> back-end DBMS: MySQL >= 5.0.0
>> [10:00:24] [INFO] fetching SQL SELECT statement query output: 'SELECT
>> host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE '%admin%''
>> SELECT host, user FROM mysql.user WHERE user LIKE '%root%' OR user LIKE
>> '%admin%' [6]:
>> [*] 127.0.0.1, root
>> [*] 172.16.162.1, root
>> [*] 192.168.21.1, root
>> [*] debian-5.0-i386, root
>> [*] localhost, root
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Wed, Nov 28, 2012 at 9:55 AM, Zaki Akhmad <zakiakh...@gmail.com> wrote:
>>
>>> On Wed, Nov 28, 2012 at 3:53 PM, Leon Jacobs <leonja...@gmail.com> wrote:
>>> > On Wed, Nov 28, 2012 at 10:48 AM, Miroslav Stampar
>>> > <miroslav.stam...@gmail.com> wrote:
>>> >>
>>> >> That proposed solution is equivalent to SELECT @@hostname (except that
>>> >> the last one doesn't need that non-query SHOW statement). The only thing
>>> >> is that you'll get the same result as with --hostname, which is not the
>>> >> IP address that you require. Have to seek what can be used here.
>>> >
>>> >
>>> > Yeah, this is perfect. And then hopefully getting the IP is as simple as
>>> > looking up the hostname, assuming it resolves, but that is not
>>> > guaranteed. =p
>>>
>>> the --sql-query="select @@hostname" works :-)
>>>
>>> --
>>> Zaki Akhmad
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>


-- 
Miroslav Stampar
http://about.me/stamparm
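As an added example (not sqlmap's own code and not written by anyone in this thread): a small Python script that parses the "[*] host, user" lines sqlmap prints for the mysql.user query above and sorts the host values into loopback, private address/range, public address/range, hostname and wildcard pattern, so the "interesting ones" (internal ranges, the server's own hostname) stand out. The sample output is constructed: it reuses the five rows quoted above and adds hypothetical rows for the other host forms MySQL accepts in that column (a `%` wildcard pattern, a bare `%`, and the `ip/netmask` form), plus one public address.

```python
"""Triage the mysql.user host column pulled with sqlmap --sql-query.

Added example, not part of the sqlmap project or the original thread.
SAMPLE_OUTPUT is constructed: the five rows shown in the thread plus
hypothetical rows for other host forms MySQL allows in mysql.user.host
(% / _ wildcards and 'ip/netmask' with a dotted netmask).
"""
import ipaddress
import re

# Constructed sample of sqlmap's "[*] host, user" result lines.
SAMPLE_OUTPUT = """\
[*] 127.0.0.1, root
[*] 172.16.162.1, root
[*] 192.168.21.1, root
[*] debian-5.0-i386, root
[*] localhost, root
[*] 10.0.0.0/255.0.0.0, admin
[*] 8.8.8.8, root
[*] %.corp.example, admin
[*] %, root
"""

ROW_RE = re.compile(r"^\[\*\]\s*(?P<host>[^,]*),\s*(?P<user>.+?)\s*$")


def parse_rows(text):
    """Return (host, user) tuples from sqlmap's '[*] host, user' lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("host").strip(), m.group("user").strip()))
    return rows


def classify_host(host):
    """Map one mysql.user host value to a coarse category.

    MySQL matches the host column as: 'localhost' (socket/loopback), a
    literal IP or hostname, a pattern with % and _ wildcards (unescaped _
    is a wildcard even inside a hostname), or 'ip/netmask'.
    """
    if host in ("localhost", ""):
        return "local-only"
    if host == "%":
        return "any-host"
    if "%" in host or "_" in host:
        return "wildcard-pattern"
    if "/" in host:
        ip, mask = host.split("/", 1)
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:
            return "unparsed"
        return "private-range" if net.is_private else "public-range"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an address: a literal hostname
    if addr.is_loopback:
        return "local-only"
    return "private-address" if addr.is_private else "public-address"


def triage(text):
    """Group 'user@host' entries by category; categories sorted for display."""
    out = {}
    for host, user in parse_rows(text):
        out.setdefault(classify_host(host), []).append(f"{user}@{host}")
    return {k: sorted(v) for k, v in out.items()}


def network_targets(text):
    """Host values worth resolving or scanning from the DBMS host's side:
    hostnames and non-loopback addresses/ranges (wildcards carry no target)."""
    keep = {"hostname", "private-address", "private-range",
            "public-address", "public-range"}
    return sorted({h for h, _ in parse_rows(text) if classify_host(h) in keep})


if __name__ == "__main__":
    for category, entries in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{category}:")
        for entry in entries:
            print(f"  {entry}")
    print("targets:", ", ".join(network_targets(SAMPLE_OUTPUT)))
```

Feed it the `[*]` lines from sqlmap's output (the `--sql-query` result shown above); the `private-address`, `private-range` and `hostname` buckets are the ones that hint at the NAT'd server's internal network and its own name, while `any-host` and `wildcard-pattern` rows tell you only about the account's reachability, not about any particular address.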
