6

I've decided to learn sqlmap, but I'm having an issue with sqlmap trimming some of my output, the hash. The hash should be 32 characters long, but I'm only getting 25, along with the warning:

[WARNING] possible server trimmed output detected (due to its length and/or content): HASH'

It's only trimming this column, not the other ones which I also chose to dump, though I haven't seen them get longer than 25 characters. I tried the switch:

--hex 

but it's not giving me any luck.

I've been spending hours trying to find a solution for this. Are there any other switches I could try, or perhaps another solution?

Stone True
  • What about reviewing the packet trace to see if the full data is being returned? There is a chance that the webserver is trimming it, too. – schroeder Jul 13 '15 at 20:53
  • what version of sqlmap are you using? – mcgyver5 Jul 14 '15 at 02:49
  • @schroeder I will try that to see if it's the server or Sqlmap that's doing the trimming! – user3316995 Jul 14 '15 at 05:56
  • @mcgyver5 I'm using Sqlmap 0.9 4165. – user3316995 Jul 14 '15 at 05:56
  • @schroeder I have now examined the output and cannot find that the trimming is done client-side; I suppose it's done server-side, but that's not confirmed. I'm not sure if there's any other way to get around this problem, for example having Sqlmap output the first 16 characters of the hash and then asking the same question again for the last 16 characters. Any ideas? – user3316995 Jul 29 '15 at 16:28
  • I would suggest increasing the verbosity to a higher level (5 or 6). You may then recreate the HTTP requests manually and inspect what is going on with the responses. Alternatively, you can tunnel all traffic from SQLMap through Burp Suite or a similar interception tool to intercept, replay and analyse requests. – infosec Aug 17 '15 at 14:10

1 Answer

1

Per the sqlmap source code at [Github 1], this warning occurs when the returned data size from the SQL server is less than that requested:

    trimmed = _("%s(?P<result>.*?)<" % (kb.chars.start))

    if trimmed:
        warnMsg = "possible server trimmed output detected "
        warnMsg += "(probably due to its length and/or content): "

This can occur if the SQL programmer decides to be able to query the database element, but not return the whole item. The TEXTSIZE command is one way to do so in SQL Server (there are several others).

The primary reason is to check if there is any data without transferring a large block of data. Hash values are not large, but some systems do truncate password hash values and use the stored partial hash value. Truncating hash values is not a good practice, see Does truncating the cryptographic hash make it impossible to crack?.

Note that changing to --hex would only affect the format of the output display, not the overall size in characters or bytes of the display (01001001 in binary = 0x49 in hex = 73 in decimal = the letter "I" in ASCII, but one byte regardless).

Stone True
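The check behind the warning quoted in the answer, as an added example that is not part of the original post or of sqlmap's code: it separates a response cut off in transit (start marker present, stop marker missing) from a value that is already short where it is stored (both markers present, length below the expected one). The marker strings, the function name `classify`, the stop-marker test and the response bodies are constructed assumptions; only the fallback regex shape comes from the snippet above.

```python
import re

# Constructed stand-ins for kb.chars.start / kb.chars.stop (assumption: the
# real delimiters are not shown on the page).
START = "qzkvq"
STOP = "qpbxq"

# Complete value: enclosed by both delimiters.
FULL_RE = re.compile(r"%s(?P<result>.*?)%s" % (re.escape(START), re.escape(STOP)), re.S)
# Fallback with the same shape as the quoted snippet: start delimiter, then
# everything up to the next '<' of the surrounding HTML.
PART_RE = re.compile(r"%s(?P<result>.*?)<" % re.escape(START), re.S)


def classify(body, expected_len=None):
    """Classify one response body; returns (status, value)."""
    full = FULL_RE.search(body)
    if full:
        value = full.group("result")
        # Both delimiters arrived, so nothing was cut from the response. A
        # shorter value here means it is short in the database itself.
        if expected_len is not None and len(value) < expected_len:
            return ("short_at_source", value)
        return ("complete", value)
    part = PART_RE.search(body)
    if part:
        # Stop delimiter never arrived: the response was trimmed on the way.
        return ("trimmed_response", part.group("result"))
    return ("absent", None)


# Constructed response bodies (not captured traffic).
HASH = "0123456789abcdef0123456789abcdef"  # 32 hex characters
SAMPLES = {
    "complete": "<p>Error: value '%s%s%s' rejected</p>" % (START, HASH, STOP),
    "cut": "<p>Error: value '%s%s</p>" % (START, HASH[:25]),
    "stored_short": "<p>Error: value '%s%s%s' rejected</p>" % (START, HASH[:25], STOP),
    "none": "<p>OK</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body, expected_len=32))
```

Running the same classification over the bodies saved from a packet trace or an intercepting proxy, as the comments suggest, shows which of the two cases applies.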