SQLninja help: the server responded with HTTP/1.1 302 Found !

[ElAnarchisto]

Hi !

I get this error when i want to test SQLninja on my own server.

[-] Warning... the server responded with HTTP/1.1 302 Found
Check configuration, as things might not be working as expected !

What i am doing wrong ?

How i should modify the configuration file of sqlninja in order to work fine ?


Thank you !

[espreto]

He has edited the file sqlninja.conf?
Be even more detailed!
I recommend reading the sqlninja-howto.html.

Regards,

[ElAnarchisto]

###################################
# SQLNINJA CONFIGURATION FILE #
###################################

# WARNING 1: options are case sensitive
# WARNING 2: don't forget to URL-encode, when needed. This applies to:
# - page
# - stringstart
# - stringend
# see sqlninja-howto.html for more information and examples

# Host (required)
# host = x.x.x.x
host = CENSORED BY MYSELF

# Port (optional, default: 80)
port = 80

# Use SSL (yes/no/auto. Default: no)
# ssl = auto
ssl = no

# Method to use (optional, default: GET)
method = POST
#method = GET

# Vulnerable page (e.g.: /dir/target.asp)
# page = /somepage.asp
page = /isr/index.php

# Start of the exploit string. It must include the vulnerable parameter
# and the character sequence that allows us to start injecting commands. In
# general this means, at least:
# - an apostrophe (if the parameter is a string)
# - a semicolon (to end the original query)
# It must also include everything necessary to properly close the original
# query, like an appropriate number of closing brackets. Don't forget
# to URL-encode, where needed (e.g. spaces)
# For instance, if we consider the following TSQL command:
# exec master..xp_cmdshell 'dir c:\'
# and the string to inject is the following:
# aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'
# this parameter should look like this:
# stringstart = aaa=1&bbb=x';
#stringstart = id=1;
stringstart = %3Fquery%3D1%26in%3D0%26search%3DSearch%25273B

# If you need to add some more parameters after the vulnerable one, put
# them here (don't forget the leading "&" sign). This option can also be
# used when commenting the rest of the original query does not work and you
# need to add some SQL code instead. If this is the case, you need to set
# "appendcomment" option to "no". Don't forget the leading "&" sign and
# to URL-encode, where needed.
# e.g.: stringend = &param3=aaa
stringend = &cb=bb80567a23

# Local host: your IP address (for backscan and revshell modes)
lhost = CENSORED

# Interface to sniff when in backscan mode
device = eth0

# Evasion techniques to be used. Possible choices are:
# 1 - Query hex-encoding
# 2 - Comments as separators
# 3 - Random case
# 4 - Random URI encoding
# All techniques can be combined, so the following is legal:
# evasion = 1234
# However, keep in mind that using too many techniques at once leads to very
# long queries, that might create problems when using GET. Default: no evasion
# evasion = 12

# Path to metasploit executable. Only needed if msfpayload and
# msfcli are not already in the path
#msfpath = /home/sqlninja/trunk/
msfpath = /pentest/exploits/framework3

# Encoder to use with msfencode. If the option is not present, no encoding
# is used. However, it's definitely recommended to use it, if you suspect that
# an AV is present. A list of available encoders can be retrieved by simply
# running "msfencoder -l"
# msfencoder = x86/shikata_ga_nai

# Number of times to encode the metasploit payload. Default: 5
# msfencodecount = 5

# If you can execute commands but SQL Server does not run as SYSTEM,
# you can use churrasco.exe to steal the appropriate token and escalate
# privileges. Enable this option to use churrasco.exe before executing
# a command. This is especially useful with the metasploit module and VNC
# Obviously, you first need to upload churrasco.exe using
# the upload module!
# usechurrasco = yes

# Proxy host to use (default: none)
# proxyhost = 127.0.0.1

# Proxy port to use (default: 8080)
# proxyport = 8080

# Additional headers to include into the request. E.g.:
# Host: Test.com Web Based Testing and Certification Software v2.0
# Connection: close
# Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
# Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
# Important: Do not remove "--headers_start--" and "--headers_end--"
--headers_start--
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Connection: close
--headers_end--

# Domain to use for dnstunnel mode
domain = sqlninja.net

# tcpdump filter (optional)
# filter = src host x.x.x.x

# Backscan timeout after web request conclusion (Default: 5 secs)
timeout = 30

# Maximum hostname length for DNS tunnel (Max: 250 - Default: 250)
hostnamelength = 250

# IP address to return to DNS queries (default: 10.255.255.254)
# resolvedip = 10.255.255.254

# Name of the procedure to use/create to launch commands. Default is
# "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
# for each command
# xp_name = xp_cmdshell

# Time value for the WAITFOR during inference attack of fingerprint and
# bruteforce mode. A higher value makes things slower but will yeld more
# precise results against slow targets.
# Min: 3 seconds. Max: 59 seconds. Default: 5 seconds
blindtime = 5

# Number of script lines to upload with a single HTTP request. A higher number
# obviously means a faster upload. However, do not push this too high if your
# request contains very long parameters. Maximum is 30, and 10 is a default
# safe value providing already a good speed
# lines_per_request = 10

# If the remote server returns a custom error page instead of a standard
# HTTP error code (e.g. 500 Server Error), it is wise to set this value to
# some string that is present in such a page. This will help sqlninja in
# figuring out if things seem to be wrong
# errorstring = "an error has occurred"
errorstring = "Warning: mysql_num_rows()"

# By default, sqlninja appends two hyphens to the injected query in order
# to comment out any spurious SQL code. This is good and works in
# approximately 99% of the cases. However, you might want to change this
# behavior in some very specific scenarios. Change this setting only if you
# really know what you are doing,
# Possible values: yes/no
# appendcomment = yes

# By default, sqlninja uses HTTP version 1.0, which should be ok for
# pretty much all webservers out there. If for some reason you need to
# use HTTP 1.1, specify it here.
# In case you use HTTP 1.1, add a "Connection: close" header in the
# headers section of the configuration file
# httpversion = 0

# When using the Metasploit module DEP is not a problem anymore, since in
# all recent versions of the framework the stager will take care of it by
# itself. However, if needed you can still roll back to the old sqlninja
# behavior and disable DEP by whitelisting the stager with a call to
# xp_regwrite. To do so, set 'checkdep' to 'yes'
# checkdep = no

This is the configuration file. It is well done ? What i am doing wrong ?

Thank you !

[espreto]

Review the settings:

Code:

root@bt:/pentest/database/sqlninja# mv sqlninja.conf sqlninja.conf-bkp

And then:

Code:

root@bt:/pentest/database/sqlninja# ./sqlninja -m test
Sqlninja rel. 0.2.5
Copyright (C) 2006-2010 icesurfer <r00t@northernfortress.net>
[-] sqlninja.conf does not exist. You want to creat it now ? [y/n]
> y
...snip...

Follow supplementing the information.

See sqlninja-howto.html for more information and examples

Regards,