Re: [sqlmap-users] sqlmap --start and --stop command problem!
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] sqlmap --start and --stop command problem!
|
From: Bernardo D. A. G. <ber...@gm...> - 2010-02-16 11:07:12
|
Brian, On Mon, Feb 15, 2010 at 22:41, <Bri...@gm...> wrote: > ... > I tried to dump some infos from Tables using the optional options --start and --stop, but it always gives me out the first entry till the last of the Table and not as specified starting from the 2nd till the 4th. > > The valnerable site is using MySQL >= 5.0.0 so there shouldnt be a problem with using information_schema. > > ...\sqlmap-0.7_exe\sqlmap.exe" -u "http://www.xxxxx.php?userid=x" --dump -T TABLES -D information_schema --start 2 --stop 4 This is fixed since a few weeks in the development version, you can grab a copy from the subversion repository. > I tried it also with other options like this one: > > ...\sqlmap-0.7_exe\sqlmap.exe" -u "http://www.xxxxx.php?userid=x" --tables -D information_schema --start 2 --stop 4 --start and --stop work only in conjunction with --dump and --dump-all at the moment, this is by design. > or with the syntax from the pdf README: > --start= > --stop= > ... Both syntaxes work the same way. > or this one: > sqlmap-0.7_exe\sqlmap.exe" -u http://www.xxxxx.php?userid=x --dump -T TAB > LE_NAME --start=58 --stop=98 > > [00:52:38] [INFO] fetching number of columns for table 'TABLE_NAME' on database'xxx' > [00:52:38] [INFO] retrieved: 0 > [00:52:55] [ERROR] unable to retrieve the number of columns for table 'TABLE_NAME' on database 'xxx' Is the DB user privileged enough to access 'information_schema' database? If so, give a try to sqlmap development version. > ... > Another question I have is about the option --passwords > > for example it gives me this error message: > when i tried the option --passwords together with -U option. > > "[ERROR] unable to retrieve the password hashes for the database users" Are you sure that the provided user (-U) exist? Check with --users. Are you sure that the DB user is privileged enough to access the 'mysql' database? > Why does the program tries to dump it from the database "users", I never speciefied it to search on this database, does the program use it as standard DBS for the --password option and can I change it? It uses 'mysql.user' or 'information_schema' depending on the MySQL version, see yourself the SQL queries used in xml/queries.xml file. -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |
