sqlmap-users — sqlmap users mailing list

[sqlmap-users] unhandled exception in sqlmap/0.8

[Pavel S. <sap...@gm...>]

sqlmap version: 0.8
Python version: 2.6.4
Operating system: linux2
Traceback (most recent call last):
  File "/usr/bin/sqlmap", line 77, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/usr/share/sqlmap/lib/controller/action.py", line 88, in action
    dumper.string("current database", conf.dbmsHandler.getCurrentDb())
  File "/usr/share/sqlmap/plugins/generic/enumeration.py", line 146, in
getCurrentDb
    kb.data.currentDb = inject.getValue(query)
  File "/usr/share/sqlmap/lib/request/inject.py", line 373, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch,
resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/usr/share/sqlmap/lib/request/inject.py", line 123, in
__goInferenceProxy
    output = resume(expression, payload)
  File "/usr/share/sqlmap/lib/utils/resume.py", line 152, in resume
    if len(resumedValue) == int(length):
ValueError: invalid literal for int() with base 10: '\x02'

[sqlmap-users] sqlmap error

[Faisal H. <fai...@gm...>]

sqlmap version: 0.8
Python version: 2.6.5
Operating system: linux2
Traceback (most recent call last):
  File "sqlmap.py", line 77, in main
    start()
  File "/home/0x00/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/home/0x00/sqlmap/lib/controller/action.py", line 144, in action
    conf.dbmsHandler.osPwn()
  File "/home/0x00/sqlmap/plugins/generic/takeover.py", line 169, in osPwn
    self.initEnv(web=web)
  File "/home/0x00/sqlmap/lib/takeover/abstraction.py", line 155, in initEnv
    self.webInit()
  File "/home/0x00/sqlmap/lib/takeover/web.py", line 189, in webInit
    uplPage, _  = Request.getPage(url=self.webUploaderUrl, direct=True,
raise404=False)
  File "/home/0x00/sqlmap/lib/request/connect.py", line 126, in getPage
    conn           = urllib2.urlopen(req)
  File "/usr/local/lib/python2.6/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/local/lib/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/local/lib/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/local/lib/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python2.6/urllib2.py", line 1161, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/local/lib/python2.6/urllib2.py", line 1107, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
  File "/usr/local/lib/python2.6/httplib.py", line 657, in __init__
    self._set_hostport(host, port)
  File "/usr/local/lib/python2.6/httplib.py", line 682, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: ''

Re: [sqlmap-users] Bug

[Miroslav S. <mir...@gm...>]

please update to the latest 0.9-dev version from our SVN repository
(svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev)
because we've done lots of work regarding this kind of stuff since
v0.8.

kind regards.

On Sat, Sep 11, 2010 at 10:35 AM,  <nig...@em...> wrote:
> sqlmap version: 0.8
> Python version: 2.6.2
> Operating system: win32
> Traceback (most recent call last):
>  File "sqlmap.py", line 77, in main
>  File "lib\controller\controller.pyc", line 259, in start
>  File "lib\controller\action.pyc", line 114, in action
>  File "plugins\generic\enumeration.pyc", line 1369, in dumpTable
>  File "lib\request\inject.pyc", line 373, in getValue
>  File "lib\request\inject.pyc", line 123, in __goInferenceProxy
>  File "lib\utils\resume.pyc", line 130, in resume
> UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 4: ordinal not in range(128)
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] Bug

[<nig...@em...>]

sqlmap version: 0.8
Python version: 2.6.2
Operating system: win32
Traceback (most recent call last):
 File "sqlmap.py", line 77, in main
 File "lib\controller\controller.pyc", line 259, in start
 File "lib\controller\action.pyc", line 114, in action
 File "plugins\generic\enumeration.pyc", line 1369, in dumpTable
 File "lib\request\inject.pyc", line 373, in getValue
 File "lib\request\inject.pyc", line 123, in __goInferenceProxy
 File "lib\utils\resume.pyc", line 130, in resume
UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 4: ordinal not in range(128)

Re: [sqlmap-users] error data

[Miroslav S. <mir...@gm...>]

thank you Marek for your report. found and fixed two "issues"
regarding your report :). update to get it fixed.

kr

2010/9/9 Marek Sarvaš <mar...@gm...>:
>  ./sqlmap.py -g "site:datamax.sk" --threads=7 --dump-all --excl-reg
> "Dynamic content: ([\d]+)"
>
>     sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [*] starting at: 13:48:41
>
> [13:48:42] [INFO] first request to Google to get the session cookie
> [13:48:47] [INFO] using Google result page #1
> [13:48:51] [INFO] sqlmap got 100 results for your Google dork
> expression, 12 of them are testable targets
> [13:48:51] [INFO] sqlmap got a total of 12 targets
> url 1:
> GET http://www.datamax.sk/index.php?PageID=300
> do you want to test this url? [Y/n/q]
>  > n
> url 2:
> GET http://www.datamax.sk/index.php?PageID=83
> do you want to test this url? [Y/n/q]
>  > y
> [13:48:55] [INFO] testing url http://www.datamax.sk/index.php?PageID=83
> [13:48:55] [INFO] using
> '/home/xaka/sqlmap-dev/output/www.datamax.sk/session' as session file
> [13:48:55] [INFO] testing connection to the target url
> [13:48:55] [WARNING] unknown charset 'windows1250'. please report by
> e-mail to sql...@li....
>
> [13:48:55] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy
> the command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 89, in main
>     start()
>   File "/home/xaka/sqlmap-dev/lib/controller/controller.py", line 159,
> in start
>     if not checkConnection() or not checkString() or not checkRegexp():
>   File "/home/xaka/sqlmap-dev/lib/controller/checks.py", line 395, in
> checkConnection
>     page, _ = Request.getPage()
>   File "/home/xaka/sqlmap-dev/lib/request/connect.py", line 192, in getPage
>     page = decodePage(page, responseHeaders.get("Content-Encoding"),
> responseHeaders.get("Content-Type"))
>   File "/home/xaka/sqlmap-dev/lib/request/basic.py", line 137, in
> decodePage
>     page = unicode(page, charset)     #don't use getUnicode here. it
> needs to stay as is.
> UnicodeDecodeError: 'utf8' codec can't decode byte 0x9e in position 261:
> unexpected code byte
>
> [*] shutting down at: 13:48:55
>
> --
> Príjemný deň
> Marek Sarvaš
>
> tel       0907 / 405 701
> ICQ       277766377
> SKYPE     marek.sarvas
> WEB       www.ms.knihy-duma.sk
> ----------------------------------------------------
> Táto správa neobsahuje a ani nemôže obsahovať vírus, pretože nepoužívam žiadne produkty založené na platforme Microsoft Windows.
> ----------------------------------------------------
> This report don't contains  virus and don't may contain a virus, because I do not use any products based on Microsoft Windows.
> ----------------------------------------------------
>
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] error data

[Marek S. <mar...@gm...>]

  ./sqlmap.py -g "site:datamax.sk" --threads=7 --dump-all --excl-reg 
"Dynamic content: ([\d]+)"

     sqlmap/0.9-dev - automatic SQL injection and database takeover tool
     http://sqlmap.sourceforge.net

[*] starting at: 13:48:41

[13:48:42] [INFO] first request to Google to get the session cookie
[13:48:47] [INFO] using Google result page #1
[13:48:51] [INFO] sqlmap got 100 results for your Google dork 
expression, 12 of them are testable targets
[13:48:51] [INFO] sqlmap got a total of 12 targets
url 1:
GET http://www.datamax.sk/index.php?PageID=300
do you want to test this url? [Y/n/q]
 > n
url 2:
GET http://www.datamax.sk/index.php?PageID=83
do you want to test this url? [Y/n/q]
 > y
[13:48:55] [INFO] testing url http://www.datamax.sk/index.php?PageID=83
[13:48:55] [INFO] using 
'/home/xaka/sqlmap-dev/output/www.datamax.sk/session' as session file
[13:48:55] [INFO] testing connection to the target url
[13:48:55] [WARNING] unknown charset 'windows1250'. please report by 
e-mail to sql...@li....

[13:48:55] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy 
the command line and the following text and send by e-mail to 
sql...@li.... The developer will fix it as soon as 
possible:
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
   File "./sqlmap.py", line 89, in main
     start()
   File "/home/xaka/sqlmap-dev/lib/controller/controller.py", line 159, 
in start
     if not checkConnection() or not checkString() or not checkRegexp():
   File "/home/xaka/sqlmap-dev/lib/controller/checks.py", line 395, in 
checkConnection
     page, _ = Request.getPage()
   File "/home/xaka/sqlmap-dev/lib/request/connect.py", line 192, in getPage
     page = decodePage(page, responseHeaders.get("Content-Encoding"), 
responseHeaders.get("Content-Type"))
   File "/home/xaka/sqlmap-dev/lib/request/basic.py", line 137, in 
decodePage
     page = unicode(page, charset)     #don't use getUnicode here. it 
needs to stay as is.
UnicodeDecodeError: 'utf8' codec can't decode byte 0x9e in position 261: 
unexpected code byte

[*] shutting down at: 13:48:55

-- 
Príjemný deň
Marek Sarvaš

tel       0907 / 405 701
ICQ       277766377
SKYPE     marek.sarvas
WEB       www.ms.knihy-duma.sk
----------------------------------------------------
Táto správa neobsahuje a ani nemôže obsahovať vírus, pretože nepoužívam žiadne produkty založené na platforme Microsoft Windows.
----------------------------------------------------
This report don't contains  virus and don't may contain a virus, because I do not use any products based on Microsoft Windows.
----------------------------------------------------

Re: [sqlmap-users] TypeError: getUnicode() takes exactly 1 argument (2 given)

[Miroslav S. <mir...@gm...>]

Thank you for your report. Found and fixed.

Best regards

2010/9/7 shaohua pan <pa...@kn...>:
> When packed sqlmap with py2exe, found this problem:
>
> Traceback (most recent call last):
>   File "sqlmap.py", line 120, in <module>
>   File "sqlmap.py", line 76, in main
>   File "sqlmap.py", line 67, in modulePath
> TypeError: getUnicode() takes exactly 1 argument (2 given)
>
> The error raised in modulePath() on line 67 :
>       return os.path.dirname(getUnicode(sys.executable,
> sys.getfilesystemencoding()))
>
>
> --
> ------------------------------------------------------------------
> 潘少华
> 手机: 13811789330
> ------------------------------------------------------------------
> 北京知道创宇信息技术有限公司
> 地址：北京市回龙观龙腾六区13号楼4单元101
> 邮编：102200
> 电话：010-81721153
> 传真：010-81721153
> 网址：www.knownsec.com
>
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] TypeError: getUnicode() takes exactly 1 argument (2 given)

[shaohua p. <pa...@kn...>]

When packed sqlmap with py2exe, found this problem:

Traceback (most recent call last):
  File "sqlmap.py", line 120, in <module>
  File "sqlmap.py", line 76, in main
  File "sqlmap.py", line 67, in modulePath
TypeError: getUnicode() takes exactly 1 argument (2 given)

The error raised in modulePath() on line 67 :
      return os.path.dirname(getUnicode(sys.executable,
sys.getfilesystemencoding()))


-- 
------------------------------------------------------------------
潘少华
手机: 13811789330
------------------------------------------------------------------
北京知道创宇信息技术有限公司
地址：北京市回龙观龙腾六区13号楼4单元101
邮编：102200
电话：010-81721153
传真：010-81721153
网址：www.knownsec.com

Re: [sqlmap-users] SQLmap replace space by comments?

[Bernardo D. A. G. <ber...@gm...>]

Hi,

Pass sqlmap requests through a HTTP proxy like Burp
(www.portswigger.net/suite/) with --proxy http://127.0.0.1:8080 option
and use Burp Match&Replace functionality if possible otherwise hack
into sqlmap lib/core/request.py code.

Cheers,
Bernardo

On Sat, Sep 4, 2010 at 15:35, Richard Miles
<ric...@go...> wrote:
> Hi bernardo,
>
> I'm testing a app and the site is protected by a IPS, so I have to use
> comments /**/ to bypass it, I have to use comments instead of spaces.
>
> So, when I run SQLmap it fails because the IPS drop the connection
>
> [08:14:49] [INFO] testing unescaped numeric injection on GET parameter 'id'
> [08:14:50] [WARNING] unable to connect to the target url or proxy,
> sqlmap is going to retry the request
> [08:14:51] [WARNING] unable to connect to the target url or proxy,
> sqlmap is going to retry the request
> [08:14:53] [WARNING] unable to connect to the target url or proxy,
> sqlmap is going to retry the request
> [08:14:54] [ERROR] unable to connect to the target url or proxy
>
> [*] shutting down at: 08:14:54
>
> There is a simples to way to tell SQLmap to replace all spaces on the
> queries with comments? I tried --prefix and --postfix, but it doesn't
> appear to be why they are used for.
>
> If there is no easy way, can you please me what file / line I should
> replace on the SQLmap source to replace all spaces with comments?
>
> Thanks and congratulations for the nice tool.
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

Re: [sqlmap-users] ImportError: No module named warnings sqlmap.py sqlmap-dev

[<dig...@us...>]

Hi.

i have been download sqlmap-dev from link u give at 
https://svn.sqlmap.org/sqlmap/trunk/sqlmap


C:\sqlmap>sqlmap.py
Traceback (most recent call last):
  File "C:\sqlmap\sqlmap.py", line 30, in ?
    import warnings
ImportError: No module named warnings

sqlmap.py source :

01.#!/usr/bin/env python
02.
03."""
04.$Id$
05.
06.This file is part of the sqlmap project, 
http://sqlmap.sourceforge.net.
07.
08.Copyright (c) 2007-2010 Bernardo Damele A. G. 
<ber...@gm...>
09.Copyright (c) 2006 Daniele Bellucci <dan...@gm...>
10.
11.sqlmap is free software; you can redistribute it and/or modify it 
under
12.the terms of the GNU General Public License as published by the Free
13.Software Foundation version 2 of the License.
14.
15.sqlmap is distributed in the hope that it will be useful, but 
WITHOUT ANY
16.WARRANTY; without even the implied warranty of MERCHANTABILITY or 
FITNESS
17.FOR A PARTICULAR PURPOSE.  See the GNU General Public License for 
more
18.details.
19.
20.You should have received a copy of the GNU General Public License 
along
21.with sqlmap; if not, write to the Free Software Foundation, Inc., 51
22.Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
23."""
24.
25.import codecs
25.import os
27.import sys
28.import time
29.import traceback
30.import warnings
[===]


Kind regards.

-----Original Message-----
From: Miroslav Stampar <mir...@gm...>
To: dig...@us...
Cc: sql...@li...
Sent: Mon, Sep 6, 2010 3:31 pm
Subject: Re: [sqlmap-users] [ERROR 10054] unhandled exception in 
sqlmap/0.8

Hi.

Could you please try to do this using latest development version from
our SVN repository (svn checkout
https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev). In the mean
time (from version 0.8 onwards) we've done some checking for this kind
of stuff.

Kind regards.

Re: [sqlmap-users] [ERROR 10054] unhandled exception in sqlmap/0.8

[Miroslav S. <mir...@gm...>]

Hi.

Could you please try to do this using latest development version from
our SVN repository (svn checkout
https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev). In the mean
time (from version 0.8 onwards) we've done some checking for this kind
of stuff.

Kind regards.

On Mon, Sep 6, 2010 at 8:23 AM,  <dig...@us...> wrote:
> C:\sqlmap-0.8_exe>sqlmap -u "http://www.victim.com/index.cfm?pid=9"
> --current-d
> b -v 0
>
>    sqlmap/0.8 - automatic SQL injection and database takeover tool
>    http://sqlmap.sourceforge.net
>
> [*] starting at: 13:08:22
>
> you did not provide any string to match. Do you want to use the resumed
> string t
> o be matched in page when the query is valid? [Y/n] y
> web server operating system: Windows
> web application technology: ASP.NET, Microsoft IIS 6.0
> back-end DBMS: Microsoft SQL Server 2000
>
> [13:17:06] [ERROR] unhandled exception in sqlmap/0.8, please copy the
> command li
> ne and the following text and send by e-mail to
> sql...@li...urceforge.n
> et. The developer will fix it as soon as possible:
> sqlmap version: 0.8
> Python version: 2.6.2
> Operating system: win32
> Traceback (most recent call last):
>  File "sqlmap.py", line 77, in main
>  File "lib\controller\controller.pyc", line 259, in start
>  File "lib\controller\action.pyc", line 88, in action
>  File "plugins\generic\enumeration.pyc", line 146, in getCurrentDb
>  File "lib\request\inject.pyc", line 373, in getValue
>  File "lib\request\inject.pyc", line 303, in __goInferenceProxy
>  File "lib\request\inject.pyc", line 95, in __goInferenceFields
>  File "lib\request\inject.pyc", line 55, in __goInference
>  File "lib\techniques\blind\inference.pyc", line 281, in bisection
>  File "lib\techniques\blind\inference.pyc", line 125, in getChar
>  File "lib\request\connect.pyc", line 282, in queryPage
>  File "lib\request\connect.pyc", line 179, in getPage
>  File "socket.pyc", line 327, in read
>  File "httplib.pyc", line 537, in read
>  File "socket.pyc", line 351, in read
> error: [Errno 10054] An existing connection was forcibly closed by the
> remote ho
> st
>
> [*] shutting down at: 13:17:06
>
>
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] [ERROR 10054] unhandled exception in sqlmap/0.8

[<dig...@us...>]

C:\sqlmap-0.8_exe>sqlmap -u "http://www.victim.com/index.cfm?pid=9" 
--current-d
b -v 0

    sqlmap/0.8 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:08:22

you did not provide any string to match. Do you want to use the resumed 
string t
o be matched in page when the query is valid? [Y/n] y
web server operating system: Windows
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000

[13:17:06] [ERROR] unhandled exception in sqlmap/0.8, please copy the 
command li
ne and the following text and send by e-mail to 
sql...@li...urceforge.n
et. The developer will fix it as soon as possible:
sqlmap version: 0.8
Python version: 2.6.2
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 77, in main
  File "lib\controller\controller.pyc", line 259, in start
  File "lib\controller\action.pyc", line 88, in action
  File "plugins\generic\enumeration.pyc", line 146, in getCurrentDb
  File "lib\request\inject.pyc", line 373, in getValue
  File "lib\request\inject.pyc", line 303, in __goInferenceProxy
  File "lib\request\inject.pyc", line 95, in __goInferenceFields
  File "lib\request\inject.pyc", line 55, in __goInference
  File "lib\techniques\blind\inference.pyc", line 281, in bisection
  File "lib\techniques\blind\inference.pyc", line 125, in getChar
  File "lib\request\connect.pyc", line 282, in queryPage
  File "lib\request\connect.pyc", line 179, in getPage
  File "socket.pyc", line 327, in read
  File "httplib.pyc", line 537, in read
  File "socket.pyc", line 351, in read
error: [Errno 10054] An existing connection was forcibly closed by the 
remote ho
st

[*] shutting down at: 13:17:06

Re: [sqlmap-users] unhandled exception in sqlmap

[Miroslav S. <mir...@gm...>]

could you please try to run this with new 0.9-dev version from our SVN
repository (from linux: svn checkout
https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev ; from windows
please download TortoiseSVN and enter
https://svn.sqlmap.org/sqlmap/trunk/sqlmap as the URL of the
repository). we've done lots of similar fixes since then.

kind regards.

On Thu, Sep 2, 2010 at 11:05 AM,  <in...@pc...> wrote:
> [11:02:00] [ERROR] unhandled exception in sqlmap/0.8, please copy the command li
> ne and the following text and send by e-mail to sql...@li...urceforge.n
> et. The developer will fix it as soon as possible:
> sqlmap version: 0.8
> Python version: 2.6.2
> Operating system: win32
> Traceback (most recent call last):
>  File "sqlmap.py", line 77, in main
>  File "lib\controller\controller.pyc", line 259, in start
>  File "lib\controller\action.pyc", line 114, in action
>  File "plugins\generic\enumeration.pyc", line 1369, in dumpTable
>  File "lib\request\inject.pyc", line 373, in getValue
>  File "lib\request\inject.pyc", line 123, in __goInferenceProxy
>  File "lib\utils\resume.pyc", line 130, in resume
> UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 10: ordinal
>  not in range(128)
>
> [*] shutting down at: 11:02:00
>
>
> E:\sqlmap>
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] unhandled exception in sqlmap

[<in...@pc...>]

[11:02:00] [ERROR] unhandled exception in sqlmap/0.8, please copy the command li
ne and the following text and send by e-mail to sql...@li...urceforge.n
et. The developer will fix it as soon as possible:
sqlmap version: 0.8
Python version: 2.6.2
Operating system: win32
Traceback (most recent call last):
  File "sqlmap.py", line 77, in main
  File "lib\controller\controller.pyc", line 259, in start
  File "lib\controller\action.pyc", line 114, in action
  File "plugins\generic\enumeration.pyc", line 1369, in dumpTable
  File "lib\request\inject.pyc", line 373, in getValue
  File "lib\request\inject.pyc", line 123, in __goInferenceProxy
  File "lib\utils\resume.pyc", line 130, in resume
UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 10: ordinal
 not in range(128)

[*] shutting down at: 11:02:00


E:\sqlmap>

Re: [sqlmap-users] Bug

[Miroslav S. <mir...@gm...>]

fixed (hopefully) and committed

On Wed, Sep 1, 2010 at 2:59 AM, David Guimaraes <sk...@gm...> wrote:
> $ ./sqlmap.py -u "http://vulnsite/site/vulnphp.php?id=179" -p id
> --union-test --string "XXX" -D XXX_uk -T eventos --dump
>
>    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>    http://sqlmap.sourceforge.net
>
> [*] starting at: 21:47:55
>
> [21:47:55] [INFO] using '/path/sqlmap8/output/vulnsite/session' as session file
> [21:47:55] [INFO] resuming string match 'XXX' from session file
> [21:47:55] [INFO] resuming injection point 'GET' from session file
> [21:47:55] [INFO] resuming injection parameter 'id' from session file
> [21:47:55] [INFO] resuming injection type 'numeric' from session file
> [21:47:55] [INFO] resuming 0 number of parenthesis from session file
> [21:47:55] [INFO] resuming back-end DBMS 'mysql 5' from session file
> [21:47:55] [INFO] resuming union comment '#' from session file
> [21:47:55] [INFO] resuming union count 8 from session file
> [21:47:55] [INFO] resuming union position 3 from session file
> [21:48:00] [INFO] testing connection to the target url
> [21:48:02] [INFO] testing for parenthesis on injectable parameter
> [21:48:02] [INFO] the back-end DBMS is MySQL
>
> web application technology: PHP 5.2.14, Apache 2.2.16
> back-end DBMS: MySQL 5
>
> [21:48:02] [INFO] fetching columns for table 'eventos' on database 'XXX_uk'
> [21:48:03] [INFO] fetching entries for table 'eventos' on database 'XXX_uk'
>
> [21:48:05] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy
> the command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon
> as possible:
> sqlmap version: 0.9-dev
> Python version: 2.5.2
> Operating system: posix
> Traceback (most recent call last):
>  File "./sqlmap.py", line 89, in main
>    start()
>  File "/pentest/database/sqlmap8/lib/controller/controller.py", line
> 278, in start
>    action()
>  File "/pentest/database/sqlmap8/lib/controller/action.py", line 117, in action
>    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
>  File "/pentest/database/sqlmap8/plugins/generic/enumeration.py",
> line 1067, in dumpTable
>    colEntry = entry[index]
> IndexError: list index out of range
>
> [*] shutting down at: 21:48:05
>
> $ svn info
> Path: .
> URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
> Repository Root: https://svn.sqlmap.org/sqlmap
> Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
> Revision: 1836
> Node Kind: directory
> Schedule: normal
> Last Changed Author: stamparm
> Last Changed Rev: 1836
> Last Changed Date: 2010-08-31 11:31:17 -0300 (Tue, 31 Aug 2010)
>
> --
> David Gomes Guimarães
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] Bug

[David G. <sk...@gm...>]

$ ./sqlmap.py -u "http://vulnsite/site/vulnphp.php?id=179" -p id
--union-test --string "XXX" -D XXX_uk -T eventos --dump

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 21:47:55

[21:47:55] [INFO] using '/path/sqlmap8/output/vulnsite/session' as session file
[21:47:55] [INFO] resuming string match 'XXX' from session file
[21:47:55] [INFO] resuming injection point 'GET' from session file
[21:47:55] [INFO] resuming injection parameter 'id' from session file
[21:47:55] [INFO] resuming injection type 'numeric' from session file
[21:47:55] [INFO] resuming 0 number of parenthesis from session file
[21:47:55] [INFO] resuming back-end DBMS 'mysql 5' from session file
[21:47:55] [INFO] resuming union comment '#' from session file
[21:47:55] [INFO] resuming union count 8 from session file
[21:47:55] [INFO] resuming union position 3 from session file
[21:48:00] [INFO] testing connection to the target url
[21:48:02] [INFO] testing for parenthesis on injectable parameter
[21:48:02] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL 5

[21:48:02] [INFO] fetching columns for table 'eventos' on database 'XXX_uk'
[21:48:03] [INFO] fetching entries for table 'eventos' on database 'XXX_uk'

[21:48:05] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy
the command line and the following text and send by e-mail to
sql...@li.... The developer will fix it as soon
as possible:
sqlmap version: 0.9-dev
Python version: 2.5.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 89, in main
    start()
  File "/pentest/database/sqlmap8/lib/controller/controller.py", line
278, in start
    action()
  File "/pentest/database/sqlmap8/lib/controller/action.py", line 117, in action
    conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "/pentest/database/sqlmap8/plugins/generic/enumeration.py",
line 1067, in dumpTable
    colEntry = entry[index]
IndexError: list index out of range

[*] shutting down at: 21:48:05

$ svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1836
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 1836
Last Changed Date: 2010-08-31 11:31:17 -0300 (Tue, 31 Aug 2010)

-- 
David Gomes Guimarães

Re: [sqlmap-users] error

[Miroslav S. <mir...@gm...>]

Thank you Marek :)

Found and fixed.

Kind regards.

On Sat, Aug 21, 2010 at 9:47 PM, Marek Sarvaš <mar...@gm...> wrote:
> [xaka@local sqlmap-dev]$ ./sqlmap.py -u
> "http://www.asdss.sk/ViewFile.aspx?docid=5441" --batch --threads=10
> --dump --dbs --excl-reg "Dynamic content: ([\d]+)"
>
>     sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [*] starting at: 21:46:40
>
> [21:46:40] [INFO] using
> '/home/xaka/sqlmap-dev/output/www.asdss.sk/session' as session file
> [21:46:40] [INFO] resuming match ratio '0.9' from session file
> [21:46:40] [INFO] testing connection to the target url
>
> [21:46:43] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy
> the command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 89, in main
>     start()
>   File "/home/xaka/sqlmap-dev/lib/controller/controller.py", line 159,
> in start
>     if not checkConnection() or not checkString() or not checkRegexp():
>   File "/home/xaka/sqlmap-dev/lib/controller/checks.py", line 395, in
> checkConnection
>     page, _ = Request.getPage()
>   File "/home/xaka/sqlmap-dev/lib/request/connect.py", line 259, in getPage
>     responseMsg += getUnicode(responseHeaders)
>   File "/home/xaka/sqlmap-dev/lib/core/common.py", line 1404, in getUnicode
>     return unicode(value)
> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position
> 188: ordinal not in range(128)
>
> [*] shutting down at: 21:46:43
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

Re: [sqlmap-users] Help with Testable Parameters

[John O. <jo...@gm...>]

Miroslav,

Thanks, FYI  Christov pointed me to this link:

http://sourceforge.net/mailarchive/message.php?msg_name=4C3F94D3.5030408%40gmail.com

Best
John

On Sun, Aug 15, 2010 at 5:11 PM, Miroslav Stampar <
mir...@gm...> wrote:

> hi.
>
> if you want to test that GET parameter provided with -p option, you
> should put it inside the dynamic part of the working URL you use for
> testing.
>
> for example: ./sqlmap.py -p "usersupplieddata" -u
> "http://test.com/index.php?usersupplieddata=1".
>
> in this case i can see that you've used usersupplieddata as part of
> the directory structure (../usersupplieddata), while it should be put
> as a parameter (...?usersupplieddata=434334).
>
> On Fri, Aug 13, 2010 at 10:51 PM, John Ouellette <jo...@gm...> wrote:
> > Hi all.
> > I am just starting  using sqlmap 0.8 (on windows XP) to get SQL map to
> test
> > SQL injection against my web application (LAMP).
> > It seems like it's not finding my testable parameters because the get
> > request is as follows:
> > GET /data/usersupplieddata HTTP/1.1
> > and not like the typical get_int.php?id=1 etc.
> > I've tried the -p option as follows:
> > -p "usersupplieddata"
> > I am  getting the error message as follows:
> >
> > 16:30:29] [DEBUG] initializing the configuration
> > 16:30:29] [DEBUG] initializing the knowledge base
> > 16:30:29] [DEBUG] cleaning up configuration parameters
> > 16:30:29] [DEBUG] setting the HTTP timeout
> > 16:30:29] [DEBUG] setting the HTTP Cookie header
> > 16:30:29] [DEBUG] setting the HTTP method to GET
> > 16:30:29] [DEBUG] forcing back-end DBMS to user defined value
> > 16:30:29] [DEBUG] forcing back-end DBMS operating system to user defined
> > value
> > 16:30:29] [DEBUG] creating HTTP requests opener object
> > 16:30:29] [DEBUG] parsing XML queries file
> > 16:30:29] [WARNING] the testable parameter 'usersupplieddata' you
> provided
> > is not into the Cookie
> > 16:30:29] [ERROR] all testable parameters you provided are not present
> > within the GET, POST and Cookie parameters
> > I have confirmed that that string  is in fact being sent to the Web
> server
> > as in the above request, so I'm confused at the error message.
> > Does anyone have any suggestions, or have they encountered this type of
> > situation?
> > Thanks in advance
> > John
> >
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > This SF.net email is sponsored by
> >
> > Make an app they can't live without
> > Enter the BlackBerry Developer Challenge
> > http://p.sf.net/sfu/RIM-dev2dev
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> >
>
>
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
>

[sqlmap-users] error

[Marek S. <mar...@gm...>]

[xaka@local sqlmap-dev]$ ./sqlmap.py -u 
"http://www.asdss.sk/ViewFile.aspx?docid=5441" --batch --threads=10 
--dump --dbs --excl-reg "Dynamic content: ([\d]+)"

     sqlmap/0.9-dev - automatic SQL injection and database takeover tool
     http://sqlmap.sourceforge.net

[*] starting at: 21:46:40

[21:46:40] [INFO] using 
'/home/xaka/sqlmap-dev/output/www.asdss.sk/session' as session file
[21:46:40] [INFO] resuming match ratio '0.9' from session file
[21:46:40] [INFO] testing connection to the target url

[21:46:43] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy 
the command line and the following text and send by e-mail to 
sql...@li.... The developer will fix it as soon as 
possible:
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
   File "./sqlmap.py", line 89, in main
     start()
   File "/home/xaka/sqlmap-dev/lib/controller/controller.py", line 159, 
in start
     if not checkConnection() or not checkString() or not checkRegexp():
   File "/home/xaka/sqlmap-dev/lib/controller/checks.py", line 395, in 
checkConnection
     page, _ = Request.getPage()
   File "/home/xaka/sqlmap-dev/lib/request/connect.py", line 259, in getPage
     responseMsg += getUnicode(responseHeaders)
   File "/home/xaka/sqlmap-dev/lib/core/common.py", line 1404, in getUnicode
     return unicode(value)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 
188: ordinal not in range(128)

[*] shutting down at: 21:46:43

[sqlmap-users] SQLMAP question

[Mat L. <map...@ho...>]

My colleague were looking to use SQLMAP to test against SQLInjection in a few of our in house intranet pages.  Before the testing we decided to setup a basic ASP.NET page to use SQLMAP against to get a better understanding of the product.  We setup a very simple page that takes in a parameter named ID in the query string.  The page will then extract the query string parameter ID and then build a dynamic SQL statement ("SELECT * FROM books where bookID = '" + IDparameter + "'") to run to retrieve the book that matches the given ID.  The results are then bound to a gridview control on the page.  If no books are found that match the given ID or an error occurs in the retrieval of the book the gridview is simply bound to null.  The page is very simple and seems to work as we expected.  The problem is we cannot get SQLMAP to identify that there is a SQLInjection vulnerability with the ID parameter.  Here is what we are sending sqlmap -u "http://localhost/sqltesting/booktesting.aspx?id=1".  When sending this command SQLMAP does not find the vulnerability.  Below is the output of the above command.  Just wondering if anyone can help us understand why SQLMAP is not locating the vulnerability.  Any help would be greatly appreciated.
 
Thanks 
Matt
 
[11:22:46] [INFO] testing connection to the target url
[11:22:46] [INFO] testing if the url is stable, wait a few seconds
[11:22:47] [INFO] url is stable
[11:22:47] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
 
[11:22:47] [INFO] testing unescaped numeric injection on GET parameter 'id'
[11:22:47] [INFO] GET parameter 'id' is not unescaped numeric injectable
[11:22:47] [INFO] testing single quoted string injection on GET parameter 'id'
[11:22:47] [INFO] confirming single quoted string injection on GET parameter 'id
'
[11:22:47] [INFO] GET parameter 'id' is not single quoted string injectable
[11:22:47] [INFO] testing LIKE single quoted string injection on GET parameter '
id'
[11:22:47] [INFO] confirming LIKE single quoted string injection on GET paramete
r 'id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
 
[11:22:48] [INFO] testing double quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not double quoted string injectable
[11:22:48] [INFO] testing LIKE double quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
 
[11:22:48] [INFO] GET parameter 'id' is not injectable with 0 parenthesis
[11:22:48] [INFO] testing sql injection on GET parameter 'id' with 1 parenthesis
 
[11:22:48] [INFO] testing unescaped numeric injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not unescaped numeric injectable
[11:22:48] [INFO] testing single quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not single quoted string injectable
[11:22:48] [INFO] testing LIKE single quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
 
[11:22:48] [INFO] testing double quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not double quoted string injectable
[11:22:48] [INFO] testing LIKE double quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
 
[11:22:48] [INFO] GET parameter 'id' is not injectable with 1 parenthesis
[11:22:48] [INFO] testing sql injection on GET parameter 'id' with 2 parenthesis
 
[11:22:48] [INFO] testing unescaped numeric injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not unescaped numeric injectable
[11:22:48] [INFO] testing single quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not single quoted string injectable
[11:22:48] [INFO] testing LIKE single quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
 
[11:22:48] [INFO] testing double quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not double quoted string injectable
[11:22:48] [INFO] testing LIKE double quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
 
[11:22:48] [INFO] GET parameter 'id' is not injectable with 2 parenthesis
[11:22:48] [INFO] testing sql injection on GET parameter 'id' with 3 parenthesis
 
[11:22:48] [INFO] testing unescaped numeric injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not unescaped numeric injectable
[11:22:48] [INFO] testing single quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not single quoted string injectable
[11:22:48] [INFO] testing LIKE single quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE single quoted string injectable
 
[11:22:48] [INFO] testing double quoted string injection on GET parameter 'id'
[11:22:48] [INFO] GET parameter 'id' is not double quoted string injectable
[11:22:48] [INFO] testing LIKE double quoted string injection on GET parameter '
id'
[11:22:48] [INFO] GET parameter 'id' is not LIKE double quoted string injectable
 
[11:22:48] [INFO] GET parameter 'id' is not injectable with 3 parenthesis
[11:22:48] [WARNING] GET parameter 'id' is not injectable 		 	   		  

Re: [sqlmap-users] Help with Testable Parameters

[Miroslav S. <mir...@gm...>]

hi.

if you want to test that GET parameter provided with -p option, you
should put it inside the dynamic part of the working URL you use for
testing.

for example: ./sqlmap.py -p "usersupplieddata" -u
"http://test.com/index.php?usersupplieddata=1".

in this case i can see that you've used usersupplieddata as part of
the directory structure (../usersupplieddata), while it should be put
as a parameter (...?usersupplieddata=434334).

On Fri, Aug 13, 2010 at 10:51 PM, John Ouellette <jo...@gm...> wrote:
> Hi all.
> I am just starting  using sqlmap 0.8 (on windows XP) to get SQL map to test
> SQL injection against my web application (LAMP).
> It seems like it's not finding my testable parameters because the get
> request is as follows:
> GET /data/usersupplieddata HTTP/1.1
> and not like the typical get_int.php?id=1 etc.
> I've tried the -p option as follows:
> -p "usersupplieddata"
> I am  getting the error message as follows:
>
> 16:30:29] [DEBUG] initializing the configuration
> 16:30:29] [DEBUG] initializing the knowledge base
> 16:30:29] [DEBUG] cleaning up configuration parameters
> 16:30:29] [DEBUG] setting the HTTP timeout
> 16:30:29] [DEBUG] setting the HTTP Cookie header
> 16:30:29] [DEBUG] setting the HTTP method to GET
> 16:30:29] [DEBUG] forcing back-end DBMS to user defined value
> 16:30:29] [DEBUG] forcing back-end DBMS operating system to user defined
> value
> 16:30:29] [DEBUG] creating HTTP requests opener object
> 16:30:29] [DEBUG] parsing XML queries file
> 16:30:29] [WARNING] the testable parameter 'usersupplieddata' you provided
> is not into the Cookie
> 16:30:29] [ERROR] all testable parameters you provided are not present
> within the GET, POST and Cookie parameters
> I have confirmed that that string  is in fact being sent to the Web server
> as in the above request, so I'm confused at the error message.
> Does anyone have any suggestions, or have they encountered this type of
> situation?
> Thanks in advance
> John
>
>
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

Re: [sqlmap-users] sqlmat error

[Miroslav S. <mir...@gm...>]

hi.

this was fixed few days ago (i believe so). please update to have it fixed.

kind regards.

2010/8/15 Marek Sarvaš <mar...@gm...>:
> [09:01:54] [INFO] testing url
> http://www.msp-bb.sk/historia-historia-msp.html?start=2
> [09:01:54] [INFO] using
> '/home/xaka/sqlmap-dev/output/www.msp-bb.sk/session' as session file
> [09:01:54] [INFO] resuming match ratio '0.9' from session file
> [09:01:54] [INFO] resuming injection point 'GET' from session file
> [09:01:54] [INFO] resuming injection parameter 'start' from session file
> [09:01:54] [INFO] resuming injection type 'likesingle' from session file
> [09:01:54] [INFO] resuming 3 number of parenthesis from session file
> [09:01:54] [INFO] resuming back-end DBMS 'mysql 4' from session file
> [09:01:59] [INFO] testing connection to the target url
> [09:02:02] [INFO] do you want to exploit this SQL injection? [Y/n] Y
> [09:02:02] [INFO] testing for parenthesis on injectable parameter
> [09:02:02] [INFO] the back-end DBMS is MySQL
>
> [09:02:02] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy
> the command line and the following text and send by e-mail to
> sql...@li.... The developer will fix it as soon as
> possible:
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: posix
> Traceback (most recent call last):
>   File "./sqlmap.py", line 89, in main
>     start()
>   File "/home/xaka/sqlmap-dev/lib/controller/controller.py", line 278,
> in start
>     action()
>   File "/home/xaka/sqlmap-dev/lib/controller/action.py", line 67, in action
>     print "%s\n" % conf.dbmsHandler.getFingerprint()
>   File "/home/xaka/sqlmap-dev/plugins/dbms/mysql/fingerprint.py", line
> 117, in getFingerprint
>     actVer  = formatDBMSfp()
>   File "/home/xaka/sqlmap-dev/lib/core/common.py", line 164, in
> formatDBMSfp
>     while None in versions:
> TypeError: argument of type 'NoneType' is not iterable
>
> [*] shutting down at: 09:02:02
>
> --
> Príjemný deň
> Marek Sarvaš
>
> tel       0907 / 405 701
> ICQ       277766377
> SKYPE     marek.sarvas
> ----------------------------------------------------
> Táto správa neobsahuje a ani nemôže obsahovať vírus, pretože nepoužívam žiadne produkty založené na platforme Microsoft Windows.
> ----------------------------------------------------
> This report don't contains  virus and don't may contain a virus, because I do not use any products based on Microsoft Windows.
> ----------------------------------------------------
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

[sqlmap-users] sqlmat error

[Marek S. <mar...@gm...>]

[09:01:54] [INFO] testing url 
http://www.msp-bb.sk/historia-historia-msp.html?start=2
[09:01:54] [INFO] using 
'/home/xaka/sqlmap-dev/output/www.msp-bb.sk/session' as session file
[09:01:54] [INFO] resuming match ratio '0.9' from session file
[09:01:54] [INFO] resuming injection point 'GET' from session file
[09:01:54] [INFO] resuming injection parameter 'start' from session file
[09:01:54] [INFO] resuming injection type 'likesingle' from session file
[09:01:54] [INFO] resuming 3 number of parenthesis from session file
[09:01:54] [INFO] resuming back-end DBMS 'mysql 4' from session file
[09:01:59] [INFO] testing connection to the target url
[09:02:02] [INFO] do you want to exploit this SQL injection? [Y/n] Y
[09:02:02] [INFO] testing for parenthesis on injectable parameter
[09:02:02] [INFO] the back-end DBMS is MySQL

[09:02:02] [ERROR] unhandled exception in sqlmap/0.9-dev, please copy 
the command line and the following text and send by e-mail to 
sql...@li.... The developer will fix it as soon as 
possible:
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: posix
Traceback (most recent call last):
   File "./sqlmap.py", line 89, in main
     start()
   File "/home/xaka/sqlmap-dev/lib/controller/controller.py", line 278, 
in start
     action()
   File "/home/xaka/sqlmap-dev/lib/controller/action.py", line 67, in action
     print "%s\n" % conf.dbmsHandler.getFingerprint()
   File "/home/xaka/sqlmap-dev/plugins/dbms/mysql/fingerprint.py", line 
117, in getFingerprint
     actVer  = formatDBMSfp()
   File "/home/xaka/sqlmap-dev/lib/core/common.py", line 164, in 
formatDBMSfp
     while None in versions:
TypeError: argument of type 'NoneType' is not iterable

[*] shutting down at: 09:02:02

-- 
Príjemný deň
Marek Sarvaš

tel       0907 / 405 701
ICQ       277766377
SKYPE     marek.sarvas
----------------------------------------------------
Táto správa neobsahuje a ani nemôže obsahovať vírus, pretože nepoužívam žiadne produkty založené na platforme Microsoft Windows.
----------------------------------------------------
This report don't contains  virus and don't may contain a virus, because I do not use any products based on Microsoft Windows.
----------------------------------------------------

[sqlmap-users] Help with Testable Parameters

[John O. <jo...@gm...>]

Hi all.

I am just starting  using sqlmap 0.8 (on windows XP) to get SQL map to test
SQL injection against my web application (LAMP).

It seems like it's not finding my testable parameters because the get
request is as follows:

GET /data/usersupplieddata HTTP/1.1

and not like the typical get_int.php?id=1 etc.

I've tried the -p option as follows:

-p "usersupplieddata"

I am  getting the error message as follows:


16:30:29] [DEBUG] initializing the configuration
16:30:29] [DEBUG] initializing the knowledge base
16:30:29] [DEBUG] cleaning up configuration parameters
16:30:29] [DEBUG] setting the HTTP timeout
16:30:29] [DEBUG] setting the HTTP Cookie header
16:30:29] [DEBUG] setting the HTTP method to GET
16:30:29] [DEBUG] forcing back-end DBMS to user defined value
16:30:29] [DEBUG] forcing back-end DBMS operating system to user defined
value
16:30:29] [DEBUG] creating HTTP requests opener object
16:30:29] [DEBUG] parsing XML queries file
16:30:29] [WARNING] the testable parameter 'usersupplieddata' you provided
is not into the Cookie
16:30:29] [ERROR] all testable parameters you provided are not present
within the GET, POST and Cookie parameters

I have confirmed that that string  is in fact being sent to the Web server
as in the above request, so I'm confused at the error message.
Does anyone have any suggestions, or have they encountered this type of
situation?

Thanks in advance
John

Re: [sqlmap-users] Match ratio threshold too low by default?

[Miroslav S. <mir...@gm...>]

Ok. Now we look at the same code. That conf.matchRatio is a setting we
use now for MATCH_RATIO you mentioned before.

All in all, now if you check out latest development version from our
repository (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap
sqlmap-dev), you'll see that there is a new option --ratio which is
exactly what you requested.

Best regards

On Tue, Aug 10, 2010 at 5:39 PM, Matthijs Kooijman <mat...@st...> wrote:
> Hi Miroslav,
>
>> As there is a possibility that sun has burned my brains these days,
>> please send a description how you've reached that version with that
>> TODO comment and I'll gladly try to reproduce it.
> This is from the 0.6.4 Debian package. I've checked the source package,
> it's in there as well, and there seem to be no relevant Debian specific
> patches).
>
> I tried to have a look around in your SVN repository, but there's no
> online browse tool, and access was denied to anything but trunk, so I
> didn't spend much time on that.
>
>> p.s. Have you considered a possibility that you've written it there
>> (locally) by yourself?
> Yup, I'm sure of that.
>
> One more look at request.py in trunk, shows that this todo was just
> implemented by someone already:
>
> https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/request/comparison.py
>
> I'm not completely sure what the new code does (there seems to be some
> ratio auto-detection) and if it would adequately handle my case (with a
> very small change), so perhaps someone can have a look at that.
>
> Gr.
>
> Matthijs
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkxhcpgACgkQz0nQ5oovr7zKMwCeM5Kjw6q04ZhZ1qnuGncatKDf
> QUQAoKkmbg5RDTaFsATl+QPbIlYqucvE
> =Q2BN
> -----END PGP SIGNATURE-----
>
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B