Re: [sqlmap-users] bug: -g uses wrong session file
From: Kasper F. <th...@ma...> - 2010-03-15 12:02:31
Hi.

I didn't even get to send the new scan. I haven't checked yet, but nice to see it fixed so fast.

/Kasper

On 15-03-2010 13:01, Miroslav Stampar wrote:
> Hi.
>
> Thank you for your report. Please, update your sqlmap to the latest
> version to have it fixed.
>
> Kind regards.
>
> On Mon, Mar 15, 2010 at 12:32 PM, Kasper Føns<th...@ma...> wrote:
>
>> Hello sqlmap users.
>>
>> It seems that sqlmap is using the wrong session file if a host on the
>> google dorks is vulnerable and the vulnerability is used. The next
>> vulnerable host will use the same session file!
>>
>> [12:14:17] [INFO] testing url<A>/index.php?id=67,0,0,1,0,0
>> [12:14:17] [INFO] using
>> 'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file
>> [12:14:17] [INFO] testing connection to the target url
>> ...
>> [12:14:20] [INFO] testing if the url is stable, wait a few seconds
>> [12:14:27] [WARNING] url is not stable, sqlmap will base the page
>> comparison on a sequence matcher, if no dynamic nor injectable
>> parameters are detected, refer to user's manual paragraph 'Page
>> comparison' and provide a string or regular expression to match on
>> [12:14:27] [INFO] testing sql injection on GET parameter 'id' with 0
>> parenthesis
>> ...
>> ...
>>
>> [12:19:46] [INFO] GET parameter 'id' is double quoted string injectable
>> with 3 parenthesis
>> do you want to exploit this SQL injection? [Y/n] y
>> [12:20:36] [INFO] testing for parenthesis on injectable parameter
>> [12:21:00] [INFO] the injectable parameter requires 3 parenthesis
>> [12:21:00] [INFO] testing MySQL
>> [12:21:08] [WARNING] the back-end DMBS is not MySQL
>> [12:21:08] [INFO] testing Oracle
>> [12:21:17] [WARNING] the back-end DMBS is not Oracle
>> [12:21:17] [INFO] testing PostgreSQL
>> [12:21:26] [WARNING] the back-end DMBS is not PostgreSQL
>> [12:21:26] [INFO] testing Microsoft SQL Server
>> [12:21:34] [INFO] confirming Microsoft SQL Server
>> [12:21:43] [INFO] the back-end DBMS is Microsoft SQL Server
>>
>> web application technology: Apache 1.3.41, PHP 5.2.13
>> back-end DBMS: Microsoft SQL Server 2000
>>
>> ...
>> ...
>>
>> GET<B>/edb_og_internet/hardware/index.php?id=32
>> do you want to test this url? [Y/n/q]
>> > y
>> [12:25:10] [INFO] testing url<B>/edb_og_internet/hardware/index.php?id=32
>> [12:25:10] [INFO] using
>> 'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file
>>
>> I have anonymized the hosts.
>>
>> /Kasper