[sqlmap-users] bug: -g uses wrong session file

[Kasper F. <th...@ma...>]

Hello sqlmap users.

It seems that sqlmap i using the wrong session file if a hosts on the 
google dorks are vulnerable and the vulnerability is used. The next 
vulnerable host will use the same session file!

[12:14:17] [INFO] testing url <A>/index.php?id=67,0,0,1,0,0
[12:14:17] [INFO] using 
'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file
[12:14:17] [INFO] testing connection to the target url
...
[12:14:20] [INFO] testing if the url is stable, wait a few seconds
[12:14:27] [WARNING] url is not stable, sqlmap will base the page 
comparison on a sequence matcher, if no dynamic nor injectable 
parameters are detected, refer to user's manual paragraph 'Page 
comparison' and provide a string or regular expression to match on
[12:14:27] [INFO] testing sql injection on GET parameter 'id' with 0 
parenthesis
...
...

[12:19:46] [INFO] GET parameter 'id' is double quoted string injectable 
with 3 parenthesis
do you want to exploit this SQL injection? [Y/n] y
[12:20:36] [INFO] testing for parenthesis on injectable parameter
[12:21:00] [INFO] the injectable parameter requires 3 parenthesis
[12:21:00] [INFO] testing MySQL
[12:21:08] [WARNING] the back-end DMBS is not MySQL
[12:21:08] [INFO] testing Oracle
[12:21:17] [WARNING] the back-end DMBS is not Oracle
[12:21:17] [INFO] testing PostgreSQL
[12:21:26] [WARNING] the back-end DMBS is not PostgreSQL
[12:21:26] [INFO] testing Microsoft SQL Server
[12:21:34] [INFO] confirming Microsoft SQL Server
[12:21:43] [INFO] the back-end DBMS is Microsoft SQL Server

web application technology: Apache 1.3.41, PHP 5.2.13
back-end DBMS: Microsoft SQL Server 2000

...
...

GET <B>/edb_og_internet/hardware/index.php?id=32
do you want to test this url? [Y/n/q]
 > y
[12:25:10] [INFO] testing url <B>/edb_og_internet/hardware/index.php?id=32
[12:25:10] [INFO] using 
'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file

I have anonyminized the hosts.

/Kasper