Re: [sqlmap-users] bug: -g uses wrong session file
Brought to you by:
inquisb
From: Miroslav S. <mir...@gm...> - 2010-03-15 12:01:10
|
Hi. Thank you for your report. Please, update your sqlmap to the latest version to have it fixed. Kind regards. On Mon, Mar 15, 2010 at 12:32 PM, Kasper Føns <th...@ma...> wrote: > Hello sqlmap users. > > It seems that sqlmap i using the wrong session file if a hosts on the > google dorks are vulnerable and the vulnerability is used. The next > vulnerable host will use the same session file! > > [12:14:17] [INFO] testing url <A>/index.php?id=67,0,0,1,0,0 > [12:14:17] [INFO] using > 'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file > [12:14:17] [INFO] testing connection to the target url > ... > [12:14:20] [INFO] testing if the url is stable, wait a few seconds > [12:14:27] [WARNING] url is not stable, sqlmap will base the page > comparison on a sequence matcher, if no dynamic nor injectable > parameters are detected, refer to user's manual paragraph 'Page > comparison' and provide a string or regular expression to match on > [12:14:27] [INFO] testing sql injection on GET parameter 'id' with 0 > parenthesis > ... > ... > > [12:19:46] [INFO] GET parameter 'id' is double quoted string injectable > with 3 parenthesis > do you want to exploit this SQL injection? [Y/n] y > [12:20:36] [INFO] testing for parenthesis on injectable parameter > [12:21:00] [INFO] the injectable parameter requires 3 parenthesis > [12:21:00] [INFO] testing MySQL > [12:21:08] [WARNING] the back-end DMBS is not MySQL > [12:21:08] [INFO] testing Oracle > [12:21:17] [WARNING] the back-end DMBS is not Oracle > [12:21:17] [INFO] testing PostgreSQL > [12:21:26] [WARNING] the back-end DMBS is not PostgreSQL > [12:21:26] [INFO] testing Microsoft SQL Server > [12:21:34] [INFO] confirming Microsoft SQL Server > [12:21:43] [INFO] the back-end DBMS is Microsoft SQL Server > > web application technology: Apache 1.3.41, PHP 5.2.13 > back-end DBMS: Microsoft SQL Server 2000 > > ... > ... > > GET <B>/edb_og_internet/hardware/index.php?id=32 > do you want to test this url? [Y/n/q] > > y > [12:25:10] [INFO] testing url <B>/edb_og_internet/hardware/index.php?id=32 > [12:25:10] [INFO] using > 'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file > > I have anonyminized the hosts. > > /Kasper > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |