[sqlmap-users] provide full path document root

Discussion:

Pagera

2010-03-22 12:20:34 UTC

hello and hope u fine

when im trying --os-shell with --msf
after a while is give me a message like
please provide full path document root
how can i know the full path ?

is there any way to know the path document root full path from sqlmap?
or i have to use another tool to get job done?

and thank for help

Patrick Webster

2010-03-23 13:45:27 UTC

Permalink

Try information disclosure stuff... like umm, manual, Nikto or .. something ;p

I suppose sqlmap could predetermine this if necessary under specific
circumstances (devs!)... but we do it manually and it depends on
permissions of operating systems, folders and files.

-Patrick

Post by Pagera
hello and hope u fine
when im trying --os-shell with --msf
after a while is give me a message like
please provide full path document root
how can i know the full path ?
is there any way to know the path document root full path from sqlmap?
or i have to use another tool to get job done?
and thank for help
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Bernardo Damele A. G.

2010-03-25 10:23:42 UTC

Permalink

Try DirBuster, http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
sqlmap has limited regular expression to detect file system paths so far.

Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

Pagera

2010-03-25 21:18:40 UTC

Permalink

Hello and hope fine
thank bernardo for the DirBuster

a question about Blind sql injection
does SQLMap support this mode?

i used --UNION-USE but it failed .. i have a vulnerable url
im able to view all database information by manipulating the http url
like "version() , etc
but when im using SQLMap the result is that this url is not vulnerable!!!

im wondering if its cuz of not supporting Blind Mode?

and thank for help

David Guimaraes

2010-03-26 00:19:10 UTC

Permalink

Try passing --string parameter to sqlmap.

--string=STRING String to match in page when the query is valid

Post by Pagera
Hello and hope fine
thank bernardo for the DirBuster
a question about Blind sql injection
does SQLMap support this mode?
i used --UNION-USE but it failed .. i have a vulnerable url
im able to view all database information by manipulating the http url
like "version() , etc
but when im using SQLMap the result is that this url is not vulnerable!!!
im wondering if its cuz of not supporting Blind Mode?
and thank for help
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
David Gomes Guimarães

Pagera

2010-03-26 14:36:09 UTC

Permalink

hello

it didnt wrok

what im trying to do is
sqlmap -u "http://example.com/images.php?id=10" --string="id"

the url is vulnerable cuz when i use the browser with

http://example.com/images.php?id=10 and 1=2
im able to see the MySql error and i tried so much function like
version() it works
i also used
http://example.com/images.php?id=10 union select
1,2,3,group_concat(table_name),5,6,7 from information_schema.tables
and i got the table names

but when using sqlmap there is nothing it acts like the url is not
vulnerable
i also used --prefix="id" --postfix="1=1"

and also nothing

Post by David Guimaraes
Try passing --string parameter to sqlmap.
--string=STRING String to match in page when the query is valid
Hello and hope fine
thank bernardo for the DirBuster
a question about Blind sql injection
does SQLMap support this mode?
i used --UNION-USE but it failed .. i have a vulnerable url
im able to view all database information by manipulating the http url
like "version() , etc
but when im using SQLMap the result is that this url is not vulnerable!!!
im wondering if its cuz of not supporting Blind Mode?
and thank for help
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
David Gomes Guimarães

Bernardo Damele A. G.

2010-04-29 10:57:21 UTC

Permalink

Please, read carefully the user's manual (doc/README.pdf) for details
on --string.

Bernardo

Post by Pagera
hello
it didnt wrok
what im trying to do is
sqlmap -u "http://example.com/images.php?id=10" --string="id"
the url is vulnerable cuz when i use the browser with
http://example.com/images.php?id=10 and 1=2
im able to see the MySql error and i tried so much function like
version() it works
i also used
http://example.com/images.php?id=10 union select
1,2,3,group_concat(table_name),5,6,7 from information_schema.tables
and i got the table names
but when using sqlmap there is nothing it acts like the url is not
vulnerable
i also used --prefix="id" --postfix="1=1"
and also nothing

Post by David Guimaraes
Try passing --string parameter to sqlmap.
--string=STRING String to match in page when the query is valid
Hello and hope fine
thank bernardo for the DirBuster
a question about Blind sql injection
does SQLMap support this mode?
i used --UNION-USE but it failed .. i have a vulnerable url
im able to view all database information by manipulating the http url
like "version() , etc
but when im using SQLMap the result is that this url is not
vulnerable!!!
im wondering if its cuz of not supporting Blind Mode?
and thank for help
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
David Gomes Guimarães

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

Continue reading on narkive:

Search results for '[sqlmap-users] provide full path document root' (Questions and Answers)

replies

How to link outside of Public_Html Folder?

started 2011-12-26 10:34:49 UTC

programming & design

replies

What is the HTML code needed to enable a download???

started 2007-12-01 17:20:03 UTC

programming & design

replies