[sqlmap-users] question about --batch
From: Devon <dev...@ao...> - 2012-05-24 15:22:39
Hello,

I encountered a situation where --batch ended up prematurely ending a scan of a website. The reason is that there was an invalid link in the site's HTML document, which confused sqlmap into exiting. Here's the output, which I think should explain it better:

root@apj351:~# ./sqlmap.py --random-agent --threads=5 -u 'http://XXXXXXXXXXXXXXXXXX/' --crawl=5 --batch

sqlmap/1.0-dev (r5058) - automatic SQL injection and database takeover tool
http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:06:59

[08:06:59] [INFO] fetched random HTTP User-Agent header from file '/opt/sqlmap/txt/user-agents.txt': Opera/9.80 (X11; Linux x86_64; U; en-GB) Presto/2.2.15 Version/10.01
[08:06:59] [INFO] starting crawler
[08:06:59] [INFO] searching for links with depth 1
[08:07:00] [INFO] heuristics detected web page charset 'ascii'
[08:07:00] [INFO] searching for links with depth 2
[08:07:00] [INFO] starting 5 threads
[08:07:02] [INFO] 3/57 links visited (5%)
[08:07:02] [INFO] heuristics detected web page charset 'utf-8'
[08:07:12] [INFO] 28/57 links visited (49%)
[08:07:12] [INFO] heuristics detected web page charset 'ISO-8859-2'
[08:07:22] [INFO] searching for links with depth 3
[08:07:22] [INFO] starting 5 threads
[08:07:47] [INFO] searching for links with depth 4
[08:07:47] [INFO] starting 5 threads
[08:08:14] [INFO] searching for links with depth 5
[08:08:14] [INFO] starting 5 threads
[08:08:41] [INFO] sqlmap got a total of 20 targets
[08:08:41] [INFO] url 1:
GET http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething something (Yadda yadda)
do you want to test this url? [Y/n/q]
> Y
[08:08:41] [INFO] testing url http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething something (Yadda yadda)
[08:08:41] [WARNING] it appears that you have provided tainted parameter values ('selected=03. Something somsething something (Yadda yadda)') with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to properly run
[08:08:41] [INFO] Are you sure you want to continue? [y/N] N

[*] shutting down at 08:08:41

I think that, in addition to --batch, it would be useful to have something like --yes, which just assumes "yes" for any prompt that comes up. It is just an idea, but I thought it might be useful since --batch is most often used in non-interactive scripts where the user might not catch what happened.
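An added example, not part of the original message and not sqlmap code: a log check for unattended --batch runs that reports which prompt's default answer ended the run. The function names and the sample log (abridged from the output quoted above) are constructed for illustration, and the check assumes, as that output shows, that the upper-case choice inside the brackets is the default.

```python
import re

# Constructed sample, abridged from the output quoted in the message above.
SAMPLE_LOG = """\
[08:08:41] [INFO] sqlmap got a total of 20 targets
[08:08:41] [INFO] url 1:
GET http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething something (Yadda yadda)
do you want to test this url? [Y/n/q]
> Y
[08:08:41] [WARNING] it appears that you have provided tainted parameter values
[08:08:41] [INFO] Are you sure you want to continue? [y/N] N
[*] shutting down at 08:08:41
"""

# A prompt ends in a bracketed choice list such as [Y/n/q] or [y/N],
# optionally followed on the same line by the echoed answer.
PROMPT = re.compile(r"\[((?:[A-Za-z]/)+[A-Za-z])\]\s*(?:>\s*)?(\S*)\s*$")
TAGS = re.compile(r"^(?:\[[^\]]*\]\s*)+")  # leading [time] [LEVEL] tags
NEGATIVE = {"n", "q"}

def batch_answers(log):
    """Return one record per prompt: question, default, answer, ended_run."""
    lines = log.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = PROMPT.search(line)
        if not m:
            continue
        choices, answer, last = m.group(1).split("/"), m.group(2), i
        # The answer may be echoed on the following line as "> Y".
        if not answer and i + 1 < len(lines) and lines[i + 1].startswith(">"):
            answer, last = lines[i + 1].lstrip("> ").strip(), i + 1
        # Assumption: the upper-case choice is the default.
        default = next((c for c in choices if c.isupper()), None)
        ended = (last + 1 < len(lines)
                 and lines[last + 1].startswith("[*] shutting down"))
        found.append({"question": TAGS.sub("", line[:m.start()]).strip(),
                      "default": default, "answer": answer, "ended_run": ended})
    return found

def premature_stops(log):
    """Questions whose negative default answer was followed by shutdown."""
    return [p["question"] for p in batch_answers(log)
            if p["ended_run"] and p["answer"] == p["default"]
            and p["answer"].lower() in NEGATIVE]

if __name__ == "__main__":
    for question in premature_stops(SAMPLE_LOG):
        print("run ended on default answer to:", question)
```

A wrapper script can save the tool's output to a file and fail the job when `premature_stops` returns anything, so an early exit is noticed instead of being read as a clean scan.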