Re: [sqlmap-users] bug report

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

union based data retrieving has some serious problems. maybe this
could illustrate:

in generic/enumeration.py (getPasswordHashes):

if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or
isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
...
            value = inject.getValue(query, blind=False)

            if value:
                import pdb
                pdb.set_trace()
                for user, password in value:
                    if not user or user == " ":
                        continue

at that import pdb value variable has the value of:
'__START__sa__DEL__0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a__STOP__'

do you know if there is any possibility that getValue returns this kind of data?

kr

On Thu, Jan 27, 2011 at 3:04 AM, m4l1c3 <mal...@gm...> wrote:
>
> ./sqlmap.py -u "http://DOMAIN:80/LANG/DIR/PARAM.php?xxx=999" --passwords
>
>
>
> sqlmap version: 0.9-dev (r3115)
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 83, in main
>     start()
>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line
> 414, in start
>     action()
>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 77, in
> action
>     conf.dbmsHandler.getPasswordHashes(), "password hash")
>   File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py", line
> 238, in getPasswordHashes
>     for user, password in value:
> ValueError: need more than 1 value to unpack
>
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia