When I dump table entries with sqlmap with the `--hex` key, I get the bytes of the password hash correctly, but PowerShell represents these bytes as a string. All non-printable characters are escaped and I get these bytes as `\\?e1\n\\?dc9I\\?baY\\?ab\\?beV\\?e0W\\?f2\x0f\\?88>`. How can I unescape this string to get the original bytes from it?
1 Answers
Going from string to bytes is going to depend on whether it is a string per byte. If so, try this:

```powershell
# simulated output as a byte per string
$str = [string[]][char[]][byte[]](0xE1,0x0A,0xDC,0x39,0x49,0xBA,0x59,0xAB,0xBE,0x56,0xE0,0x57,0xF2,0x0F,0x88,0x3E)
# convert to bytes
$str | Foreach {[byte][char]$_}
```

If it is a single string, try this:

```powershell
# simulated output as a single string containing all the bytes
$ofs=''
$str = [string][char[]][byte[]](0xE1,0x0A,0xDC,0x39,0x49,0xBA,0x59,0xAB,0xBE,0x56,0xE0,0x57,0xF2,0x0F,0x88,0x3E)
# convert to bytes
$str.ToCharArray() | % {[byte]$_}
```

Keith Hill
- Sorry, if I'm not mistaken you convert bytes to string but in my case I need the opposite. I know that the value in the database is `E10ADC3949BA59ABBE56E057F20F883E` and it is successfully dumped by sqlmap as hex. But PowerShell represents it in the command line like `\\?e1\n\\?dc9I\\?baY\\?ab\\?beV\\?e0W\\?f2\x0f\\?88>`. I need to get the first value from the second value. – Stanislav Breslavski Jul 11 '15 at 19:24
- In my opinion the first value is represented in the shell as ASCII characters. There are non-printable characters in this string, so they are encoded somehow and the second value appears. The question is - what is this encoding? – Stanislav Breslavski Jul 11 '15 at 19:42
- What output do you get from this: `sqlmap --hex | Foreach {$_.GetType().FullName}` – Keith Hill Jul 11 '15 at 19:51
- As output I have a lot of `System.String` lines – Stanislav Breslavski Jul 11 '15 at 19:57
- If the output is System.String, try this. `$str = sqlmap --hex ; $str.ToCharArray() | Foreach { [byte]$_ }` – Keith Hill Jul 11 '15 at 19:58
- A lot of strings eh? Is there one per byte? If so, drop the `.ToCharArray()` call. – Keith Hill Jul 11 '15 at 20:00
- A bit more experimenting (guessing on what your output actually looks like) and you may need to cast to char first e.g. `$str | Foreach {[byte][char]$_}` – Keith Hill Jul 11 '15 at 20:11
- I get nothing, I guess because the sqlmap tool requires user interaction. If I take only the second value shown earlier as the value of $str (in double quotes), I have `92 63 56 50 124 92 63 99 98 14 92 63 101 97 92 63 56 97 112 108 76 52 92 63 97 49 104 92 63 57 49 92 63 102 56 78 123`. – Stanislav Breslavski Jul 11 '15 at 20:11
- But is that really what the utility outputs? This is the crux of the issue. If you assign the output of the utility to $str, what is in $str[0], $str[1], etc. – Keith Hill Jul 11 '15 at 20:19
- The thing is that the tool outputs a lot of text plus it prompts the user what sql-injection techniques to use, what parameters to test, etc. – Stanislav Breslavski Jul 11 '15 at 20:23
- What you do in `$str | Foreach {[byte][char]$_}` is take every symbol of the second string presented earlier and print its char code. As I wrote earlier: `In my opinion the first value is represented in shell as ASCII characters. There are non-printable characters in this string, so they are encoded somehow and the second value appears. The question is - what is this encoding?` – Stanislav Breslavski Jul 11 '15 at 20:47
- What code page is your shell using? Run `chcp` or `[console]::inputencoding`. BTW you might try asking about this issue on the project's GitHub repo https://github.com/sqlmapproject/sqlmap/issues – Keith Hill Jul 11 '15 at 21:16
- `chcp` output says that the code page is 866. Yeah, I think about this now too – Stanislav Breslavski Jul 11 '15 at 21:29
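
Added example, not part of the original thread: the two values quoted in the comments line up byte for byte if `\\?XX` and `\xXX` are each read as one byte with hex value `XX`, `\n` as a line feed, and every other character as its own ASCII code. The function name `ConvertFrom-EscapedBytes` and these decoding rules are assumptions inferred from those two quoted values, not documented sqlmap behaviour.

```powershell
# Added example: decode the escaped notation quoted in the thread back into bytes.
# Assumed rules (inferred from the two values in the thread, not from sqlmap docs):
#   \\?XX or \?XX -> byte 0xXX;  \xXX -> byte 0xXX;  \n \r \t \0 -> control byte;
#   any other character (including a lone backslash) -> its own ASCII code.
function ConvertFrom-EscapedBytes {
    param([Parameter(Mandatory)][string]$Text)

    # Alternatives are tried left to right, so the escapes win over the literal fallback.
    $pattern = '\\{1,2}\?(?<q>[0-9A-Fa-f]{2})|\\x(?<x>[0-9A-Fa-f]{2})|\\(?<c>[nrt0])|(?<lit>[\s\S])'
    $control = @{ 'n' = 0x0A; 'r' = 0x0D; 't' = 0x09; '0' = 0x00 }
    $bytes   = New-Object System.Collections.Generic.List[byte]

    foreach ($m in [regex]::Matches($Text, $pattern)) {
        if ($m.Groups['q'].Success) {
            $bytes.Add([Convert]::ToByte($m.Groups['q'].Value, 16))
        } elseif ($m.Groups['x'].Success) {
            $bytes.Add([Convert]::ToByte($m.Groups['x'].Value, 16))
        } elseif ($m.Groups['c'].Success) {
            $bytes.Add([byte]$control[$m.Groups['c'].Value])
        } else {
            $code = [int][char]$m.Groups['lit'].Value
            if ($code -gt 0x7F) {
                # A non-ASCII literal means the console code page already altered the text.
                throw "Non-ASCII character U+$('{0:X4}' -f $code) in input; cannot map it to one byte"
            }
            $bytes.Add([byte]$code)
        }
    }
    return ,$bytes.ToArray()
}

# Escaped value exactly as quoted in the thread (single quotes keep the backslashes literal).
$escaped  = '\\?e1\n\\?dc9I\\?baY\\?ab\\?beV\\?e0W\\?f2\x0f\\?88>'
# Hex value the asker says is stored in the database.
$expected = 'E10ADC3949BA59ABBE56E057F20F883E'

$decoded = ConvertFrom-EscapedBytes -Text $escaped
$hex     = -join ($decoded | ForEach-Object { $_.ToString('X2') })
'{0} ({1} bytes), matches expected: {2}' -f $hex, $decoded.Length, ($hex -eq $expected)
```

The input has to be the escaped text itself, for example copied from sqlmap's saved output file, because piping an interactive sqlmap session into `$str` captures prompts and banner lines as well.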