Skip to first unread message
Boykàa (nop@live.de)
Aug 16, 2013, 4:24:57 AM8/16/13
to jsql-in...@googlegroups.com
i am really really really a (BIG) fan of this Great tools , i just found it when i was reading some documentations on KALI 1.4 release , afer installing : i tested it on many websites 'local , remote' i think this is the best tool for 5.0> databases , in my point of view its better than hajiv & sqlmap ,,,
but i really hope to fix some issues :
1 - there some problems on 'READ FILES' , 'create web-shell' : well some times it works ,, but many times when i click on them i didn't get any respond from the program ; so i hope you improve the (file /WRITE privilege & the (is-dba) detection function !!
2 - i hope you add some other features like exporting dumped data to HTML format , because it's gonna be more useful !!
3 - if you can add the table/column enumeration Functions & 5< database Compatibility !!!
3 - euuuuuuu,, i hope also if you add a dorking feature on the tool xX
4 - mmm maybe you can add some colors (red,blue,green,yellow) on the console !
okey its all i have for now i hope you read this post & i just wanna say one think to the guy who develop this great baby : http://postimg.org/image/z557l61k1/
because for it takes the place of hajiv & sqlmap :) & its my favorite now ..x
but i really hope to fix some issues :
1 - there some problems on 'READ FILES' , 'create web-shell' : well some times it works ,, but many times when i click on them i didn't get any respond from the program ; so i hope you improve the (file /WRITE privilege & the (is-dba) detection function !!
2 - i hope you add some other features like exporting dumped data to HTML format , because it's gonna be more useful !!
3 - if you can add the table/column enumeration Functions & 5< database Compatibility !!!
3 - euuuuuuu,, i hope also if you add a dorking feature on the tool xX
4 - mmm maybe you can add some colors (red,blue,green,yellow) on the console !
okey its all i have for now i hope you read this post & i just wanna say one think to the guy who develop this great baby : http://postimg.org/image/z557l61k1/
because for it takes the place of hajiv & sqlmap :) & its my favorite now ..x
ron190jSQL
Aug 17, 2013, 7:46:28 PM8/17/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
Thank you for your warmly post :3
*** as usually lots of writing continuing ***
Making v0.3 back in March the 10th, 2013, adding file reading, webshell and a console to jSQL, it was a nice features addition I guess. Some days after the v0.3 release, on March the 18th, I found this page while lurking the web:
http://bugs.kali.org/view.php?id=120
Someone would add the tool to Kali Linux, I thought 'Nice! Don't know what that Kali Linux is, but, cool'. Much later I realised about the Backtrack's affiliation :) In the meantime, I released the v0.4 in May, including admin page searching, brute force and coder, and an admin from Kali added jSQL to the official distribution in June. Immediately after that I added the Kali/Backtrack's reference to the project main page.
I'm glad someone from a community like Kali provides his thoughts on a tool, it really REALLY help coders.
sqlmap and havij are great tools, used by a lot of peoples. In fact I discovered injection myself with these two among others, and I quickly found what could be improved, like a simpler interface or different algorithm.
Now it's important jSQL can be compared to such great tools. If people throughout the world continue to discover the tool and if I make new quality releases, maybe jSQL will be widly known as one of the best. Sometimes I find a page that lists jSQL next to them, like http://www.sqlinjectionwiki.com/Categories.aspx?catId=5, so it could happen someday.
You are right to point out version 5.0, I have created jSQL at first to only retreive information directly from database, not to guess or dictionary attack the database. As database's structure lower than 5 can't be read like that, jSQL will currently return only the version, database name and the user, not the database structure. So I expect you could be frustrated as a user to not be able to fully read an older database, but in the future I may develop the algorithm to do that. I don't know any other method than to dictionary attack an old database, which I found kind of inefficient, that's why I left it for a future development until now.
On issues:
1. If file privilege is granted to current user then normaly a green square is displayed next to File privilege, or else a red square with a comment 'No FILE privilege' in the log console.
The function getFile() is coded as followed:
http://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/model/InjectionModel.java#852
Pseudo-code:
check if user has file privilege
if user has file priv then
while there is a file to read
read the file and display it in a tab
No response at all is unexpected, maybe you could provide a link to a sanitized screenshot, or any error message displayed in the tool.
2. Exporting to HTML is a good idea and should be easy to do,
3. Dictionary attack for older versions should be possible, but if you have any other method, I'm highly interested,
4. Dork should also be possible. I saw such a tool on one of the 5 videos I have found about jSQL. I didn't know there were tools for dorking before that,
5. The console terminal is currently built from a native JTextarea, I didn't found any terminal component that worked well for me, so I built something dirty that emulates one. Unfortunately I doubt I can tune it and add multiple colors, or autocompletion for example. But I'm definitely not pleased with current terminal, so I may try to improve it in a further release.
*** as usually lots of writing continuing ***
Making v0.3 back in March the 10th, 2013, adding file reading, webshell and a console to jSQL, it was a nice features addition I guess. Some days after the v0.3 release, on March the 18th, I found this page while lurking the web:
http://bugs.kali.org/view.php?id=120
Someone would add the tool to Kali Linux, I thought 'Nice! Don't know what that Kali Linux is, but, cool'. Much later I realised about the Backtrack's affiliation :) In the meantime, I released the v0.4 in May, including admin page searching, brute force and coder, and an admin from Kali added jSQL to the official distribution in June. Immediately after that I added the Kali/Backtrack's reference to the project main page.
I'm glad someone from a community like Kali provides his thoughts on a tool, it really REALLY help coders.
sqlmap and havij are great tools, used by a lot of peoples. In fact I discovered injection myself with these two among others, and I quickly found what could be improved, like a simpler interface or different algorithm.
Now it's important jSQL can be compared to such great tools. If people throughout the world continue to discover the tool and if I make new quality releases, maybe jSQL will be widly known as one of the best. Sometimes I find a page that lists jSQL next to them, like http://www.sqlinjectionwiki.com/Categories.aspx?catId=5, so it could happen someday.
You are right to point out version 5.0, I have created jSQL at first to only retreive information directly from database, not to guess or dictionary attack the database. As database's structure lower than 5 can't be read like that, jSQL will currently return only the version, database name and the user, not the database structure. So I expect you could be frustrated as a user to not be able to fully read an older database, but in the future I may develop the algorithm to do that. I don't know any other method than to dictionary attack an old database, which I found kind of inefficient, that's why I left it for a future development until now.
On issues:
1. If file privilege is granted to current user then normaly a green square is displayed next to File privilege, or else a red square with a comment 'No FILE privilege' in the log console.
The function getFile() is coded as followed:
http://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/model/InjectionModel.java#852
Pseudo-code:
check if user has file privilege
if user has file priv then
while there is a file to read
read the file and display it in a tab
No response at all is unexpected, maybe you could provide a link to a sanitized screenshot, or any error message displayed in the tool.
2. Exporting to HTML is a good idea and should be easy to do,
3. Dictionary attack for older versions should be possible, but if you have any other method, I'm highly interested,
4. Dork should also be possible. I saw such a tool on one of the 5 videos I have found about jSQL. I didn't know there were tools for dorking before that,
5. The console terminal is currently built from a native JTextarea, I didn't found any terminal component that worked well for me, so I built something dirty that emulates one. Unfortunately I doubt I can tune it and add multiple colors, or autocompletion for example. But I'm definitely not pleased with current terminal, so I may try to improve it in a further release.
Boykà nop@live.de
Aug 20, 2013, 8:49:00 AM8/20/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
check your email adress !
i sent you a video about the issue ^.
okey Broo good luuck.....
i sent you a video about the issue ^.
okey Broo good luuck.....
~ waiting with passion the 0.5 version & i hope it gonna be more powerfull as it now !!
Dj Redder
Aug 21, 2013, 1:59:27 PM8/21/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
Sometimes i have urls that sqlmap will find vulnerable and not jsql
ron190jSQL
Aug 22, 2013, 5:42:18 AM8/22/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
From source code, here's the pseudo code that's running:
- User click on button: https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#851
A new thread from the View launch the Model to retreive the selected files:
mygui.model.getFile(listFile.getSelectedValuesList());
- Model check that the user has the FILE privilege: https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/model/InjectionModel.java#852
- If that's the case, selected files are retreived in concurrency.
What may occur is an unmanaged exception which does not return any error message, like here:
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#876
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#878
or an exception displayed on the standard error output, which is not displayed anywhere if you have open jSQL with a double click rather than from a console:
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#830
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/model/InjectionModel.java#916
I will mark on my list to always display something when an exception occurs.
In the meantime, in order to test the second one, could you open again jSQL from a console and keep this one on screen, in order to display standard error when there are such exceptions, you may see new error message occuring.
- User click on button: https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#851
A new thread from the View launch the Model to retreive the selected files:
mygui.model.getFile(listFile.getSelectedValuesList());
- Model check that the user has the FILE privilege: https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/model/InjectionModel.java#852
- If that's the case, selected files are retreived in concurrency.
What may occur is an unmanaged exception which does not return any error message, like here:
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#876
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#878
or an exception displayed on the standard error output, which is not displayed anywhere if you have open jSQL with a double click rather than from a console:
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/view/OutputPanel.java#830
https://code.google.com/p/jsql-injection/source/browse/src/com/jsql/mvc/model/InjectionModel.java#916
I will mark on my list to always display something when an exception occurs.
In the meantime, in order to test the second one, could you open again jSQL from a console and keep this one on screen, in order to display standard error when there are such exceptions, you may see new error message occuring.
ron190jSQL
Aug 22, 2013, 5:58:30 AM8/22/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
Also maybe the unusual parameters in your url could cause some problem:
http://yoursite.com/page.php?id=2;lang=zo;event=1
I usually found another format instead:
http://yoursite.com/page.php?id=
or
http://yoursite.com/page.php?lang=zo&event=1&id=2
http://yoursite.com/page.php?id=2;lang=zo;event=1
I usually found another format instead:
http://yoursite.com/page.php?id=
or
http://yoursite.com/page.php?lang=zo&event=1&id=2
hassanh...@gmail.com
Aug 26, 2013, 7:22:30 PM8/26/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
im not familiar with java codes
but , i made i now video & i just sent it to your email bro
take a look at it , because it contain some us-full information's
waiting for your respond dear RON
take care .
but , i made i now video & i just sent it to your email bro
take a look at it , because it contain some us-full information's
waiting for your respond dear RON
take care .
ron190jSQL
Aug 27, 2013, 7:15:15 AM8/27/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
Thank you for taking of your time to give me information on this bug, it should helped me fix it.
Basically, the error NoSuchMethod appears while calling function getSelectedValuesList(), which is created only since java 7, could you respond to each one of following questions:
- What is your java version (6 or 7)?
- Have you tried on Java 7?
- Have you tried on windows?
- Have you tried on Java 7 on Windows (it's my current config, and I haven't that error)?
- Did it ever worked before?
- Could you tried it on Java 7?
Basically, the error NoSuchMethod appears while calling function getSelectedValuesList(), which is created only since java 7, could you respond to each one of following questions:
- What is your java version (6 or 7)?
- Have you tried on Java 7?
- Have you tried on windows?
- Have you tried on Java 7 on Windows (it's my current config, and I haven't that error)?
- Did it ever worked before?
- Could you tried it on Java 7?
hassanh...@gmail.com
Aug 27, 2013, 8:28:12 AM8/27/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
- What is your java version (6 or 7)?
~ I HAVE BOUGHT: http://postimg.org/image/d56qmi583/- Have you tried on Java 7?
- Have you tried on windows?
~ BUT I HAVE VIRTUAL WINDOWS XP SP3 MACHINE ON VMWARE
~ SO LETS INSTALL JAVA 7 ON IT & TRY......
~ OKEEEEEEEEYYYYYYYY IT WORKS ON WINDOWS XP BUT ON KALI NOT !!
- Did it ever worked before?
- Could you tried it on Java 7?
mmmmmmmm , okey update java on kali or re-install it again & we will see
~ ....
~ root@kali$ java -showversion
java version "1.6.0_27" xX
mmmmmm , okey lets download a the newest Java SE SDK version.
>> http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Linux x86 --- 93.12 MB-----jdk-7u25-linux-i586.tar.gz
Downloading ..
-> okey lets unpack it :
tar zxvf jdk-7u25-linux-i586.tar.gz
mv jdk1.7.0_25 /opt/jdk1.7.0_25
okey lets register the downloaded version of Java as an alternative, and make it our default:
here is the commands:
update-alternatives --install /usr/bin/java java /opt/jdk1.7.0_25/bin/java 1
update-alternatives --install /usr/bin/javac javac /opt/jdk1.7.0_25/bin/javac 1
update-alternatives --set java /opt/jdk1.7.0_25/bin/java
update-alternatives --set javac /opt/jdk1.7.0_25/bin/javac
FINE : lets see what version we have now !
root@boyka:/opt# java -version
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b15)
Java HotSpot(TM) Server VM (build 23.25-b01, mixed mode)
OKEY LETS TRY AGAIN JSQL <3 ^^
cd Desktop
java -jar jsql.jar
-----------------------
Done.
Admin page(s) found: 0/24
*** No FILE privilege
YEAHHHHHHHHHHHHHH ITS WORKING NOW! WITH CHARM !!!!!
i found the SOlution : SO i think KALI HAVE AN OUTDATED VERSION OF JAVA & ThE step above that i does fixed this PROBLEM & NOW IT WORKS FINE BRO
GREAT !!!
ron190jSQL
Aug 27, 2013, 2:41:00 PM8/27/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
I really like your detailed steps ;D Such detailed info leads more certainly to solution, like it did here.
So, what could we obtain from this situation? I think I won't make the code work for older Java version, jSQL is not made to work for every Java version possible, it's firstly made to work cross plateform. Hence I'm glad you manage to make it work first on Windows then on Linux. However now what I would surely do is to check what Java version the user is running jSQL on, then like displaying a warning to update Java at startup if version is under 7.
Well, now that jSQL is part of Kali distro, I hope that the Java version is 7 in it because else every jSQL users will have this problem :\
So, what could we obtain from this situation? I think I won't make the code work for older Java version, jSQL is not made to work for every Java version possible, it's firstly made to work cross plateform. Hence I'm glad you manage to make it work first on Windows then on Linux. However now what I would surely do is to check what Java version the user is running jSQL on, then like displaying a warning to update Java at startup if version is under 7.
Well, now that jSQL is part of Kali distro, I hope that the Java version is 7 in it because else every jSQL users will have this problem :\
hassanh...@gmail.com
Aug 29, 2013, 8:35:50 AM8/29/13
to jsql-in...@googlegroups.com, hassanh...@gmail.com
i was really glad to help you !!
waiting for thE new Release then ,,,,,
good luck bro (y)
waiting for thE new Release then ,,,,,
good luck bro (y)
Reply all
Reply to author
Forward
0 new messages