sqlmap-users — sqlmap users mailing list

[sqlmap-users] unhandled exception

[Happy U. <rob...@gm...>]

[02:27:07] [CRITICAL] unhandled exception in sqlmap/1.0-dev-a371f18,
retry your run with the latest development version from the G
itHub repository. If the exception persists, please send by e-mail to
'sql...@li...' or open a new issue at
'https://github.com/sqlmapproject/sqlmap/issues/new' with the following
text and any information required to reproduce the bug. Th
e developers will try to reproduce the bug, fix it accordingly and get
back to you.
sqlmap version: 1.0-dev-a371f18
Python version: 2.7.3
Operating system: nt
Command line: D:\Soft\sqlmap-dev\sqlmap.py -c c
**********************************************************************************
********** ********** *********************************************
--dump --stop 2 -p id --technique=B
Technique: BOOLEAN
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "D:\Soft\sqlmap-dev\sqlmap.py", line 87, in main
    start()
  File "D:\Soft\sqlmap-dev\lib\controller\controller.py", line 576, in start
    action()
  File "D:\Soft\sqlmap-dev\lib\controller\action.py", line 127, in action
    conf.dbmsHandler.dumpTable()
  File "D:\Soft\sqlmap-dev\plugins\generic\entries.py", line 136, in
dumpTable
    _ = agent.preprocessField(tbl, column)
  File "D:\Soft\sqlmap-dev\lib\core\agent.py", line 479, in preprocessField
    if conf.db in table:
TypeError: coercing to Unicode: need string or buffer, NoneType found

Re: [sqlmap-users] SQLi in parameter's name

[Miroslav S. <mir...@gm...>]

Hi Karel.

This is one of those requests that are in need of a new option/switch among
hundreds of others, where we need to reject because of an easy around
solution. I would not say a thing if this would be used in decent
percentage of runs.

Kind regards,
Miroslav Stampar
On Mar 31, 2013 9:58 PM, "Karel Marhoul" <rez...@se...> wrote:

> Ok, let's have for example following URL:
>
> http://example.com/?name1=value1&name2=value2&name3=value3
>
> If I do something like this:
>
> sqlmap -u http://example.com/?name1=value1&name2=value2&name3=value3
>
> sqlmap wil try inject payloads into parameter values, server headers,
> cookies and so on, but NOT into parameter names.
>
> Proposed parameter should work similar to this:
>
> sqlmap --inject-names -u
> http://example.com/?name1=value1&name2=value2&name3=value3
>
> And sqlmap will AUTOMATICALLY try to inject payload also into parameter
> names.
>
> Why I want this parameter instead of manually inserting '*' symbol?
> Because I often use sqlmap in conjunction with burp, where I take burp's
> log and give it to sqlmap for testing (via -l parameter). In this
> scenario, it would be painful to insert '*' after each parameter name.
>
> I hope I expressed it clear:)
>
> Best regards and happy easter
>
> Karel Marhoul
>
> On 31.3.2013 0:11, mitchell wrote:
> > So you have an option to inject wherever you want, but you want another
> > option to inject "inside parameter names"? Maybe, I am missing something
> > here...
> >
> > ~~
> > # m.
> >
> >
> > On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rez...@se...
> > <mailto:rez...@se...>> wrote:
> >
> >     Hello,
> >
> >     yes '*' works, but I have to put it behind parameter's name
> manually. I
> >     wish there was an option to tell sqlmap to automatically try SQLi not
> >     only inside parameter values but also inside parameter names. Is is
> >     possible to add such functionality?
> >
> >     Kind Regards
> >
> >     Karel Marhoul
> >
> >     On 28.3.2013 15:41, Miroslav Stampar wrote:
> >      > Hi.
> >      >
> >      > Just use custom injection mark character.
> >      >
> >      > For example:
> >      >
> >      > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
> >      >
> >      > will try to inject into the parameter name id.
> >      >
> >      > Kind regards,
> >      > Miroslav Stampar
> >      >
> >      > On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...
> >     <mailto:rez...@se...>
> >      > <mailto:rez...@se... <mailto:rez...@se...>>>
> wrote:
> >      >
> >      >     Hello,
> >      >
> >      >     During one assessment I have found the web application that is
> >      >     vulnerable to
> >      >     the SQL injection not in parameter values but in parameter
> >     names itself.
> >      >
> >      >     This is something sqlmap is unable to find. Is it possible to
> >     add such
> >      >     functionality (e.g. by optional parameter) to sqlmap?
> >      >
> >      >     Regards
> >      >
> >      >     Karel Marhoul
> >      >
> >      >
> >
> ------------------------------------------------------------------------------
> >      >     Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> >      >     Rise to greatness in Intel's independent game demo contest.
> >      >     Compete for recognition, cash, and the chance to get your game
> >      >     on Steam. $5K grand prize plus 10 genre and skill prizes.
> >      >     Submit your demo by 6/6/13.
> http://p.sf.net/sfu/intel_levelupd2d
> >      >     _______________________________________________
> >      >     sqlmap-users mailing list
> >      > sql...@li...
> >     <mailto:sql...@li...>
> >      >     <mailto:sql...@li...
> >     <mailto:sql...@li...>>
> >      > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >      >
> >      >
> >      >
> >      >
> >      > --
> >      > Miroslav Stampar
> >      > http://about.me/stamparm
> >
> >
> >
> ------------------------------------------------------------------------------
> >     Own the Future-Intel(R) Level Up Game Demo Contest 2013
> >     Rise to greatness in Intel's independent game demo contest. Compete
> >     for recognition, cash, and the chance to get your game on Steam.
> >     $5K grand prize plus 10 genre and skill prizes. Submit your demo
> >     by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
> >     _______________________________________________
> >     sqlmap-users mailing list
> >     sql...@li...
> >     <mailto:sql...@li...>
> >     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> >
>
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel(R) Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest. Compete
> for recognition, cash, and the chance to get your game on Steam.
> $5K grand prize plus 10 genre and skill prizes. Submit your demo
> by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

Re: [sqlmap-users] SQLi in parameter's name

[mitchell <mit...@tu...>]

Actually, it's not that painful :-)

$ cat test.burp | sed '/^GET/s/=/\*=/g '
======================================================
3:09:06 PM  http://example.com:80  [192.0.43.10]
======================================================
GET /?name1*=value1&name2*=value2&name3*=value3 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101
Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: bg,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive


======================================================

Anyway, it's up to the devs if they want to implement such an option.

Happy Easter to you too!

~~
# m.

On Sun, Mar 31, 2013 at 12:35 PM, Karel Marhoul <rez...@se...>wrote:

> Ok, let's have for example following URL:
>
> http://example.com/?name1=**value1&name2=value2&name3=**value3<http://example.com/?name1=value1&name2=value2&name3=value3>
>
> If I do something like this:
>
> sqlmap -u http://example.com/?name1=**value1&name2=value2&name3=**value3<http://example.com/?name1=value1&name2=value2&name3=value3>
>
> sqlmap wil try inject payloads into parameter values, server headers,
> cookies and so on, but NOT into parameter names.
>
> Proposed parameter should work similar to this:
>
> sqlmap --inject-names -u http://example.com/?name1=**
> value1&name2=value2&name3=**value3<http://example.com/?name1=value1&name2=value2&name3=value3>
>
> And sqlmap will AUTOMATICALLY try to inject payload also into parameter
> names.
>
> Why I want this parameter instead of manually inserting '*' symbol?
> Because I often use sqlmap in conjunction with burp, where I take burp's
> log and give it to sqlmap for testing (via -l parameter). In this scenario,
> it would be painful to insert '*' after each parameter name.
>
> I hope I expressed it clear:)
>
> Best regards and happy easter
>
> Karel Marhoul
>
>
> On 31.3.2013 0:11, mitchell wrote:
>
>> So you have an option to inject wherever you want, but you want another
>> option to inject "inside parameter names"? Maybe, I am missing something
>> here...
>>
>> ~~
>> # m.
>>
>>
>> On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rez...@se...
>> <mailto:rez...@se...>> wrote:
>>
>>     Hello,
>>
>>     yes '*' works, but I have to put it behind parameter's name manually.
>> I
>>     wish there was an option to tell sqlmap to automatically try SQLi not
>>     only inside parameter values but also inside parameter names. Is is
>>     possible to add such functionality?
>>
>>     Kind Regards
>>
>>     Karel Marhoul
>>
>>     On 28.3.2013 15:41, Miroslav Stampar wrote:
>>      > Hi.
>>      >
>>      > Just use custom injection mark character.
>>      >
>>      > For example:
>>      >
>>      > python sqlmap.py -u "http://www.target.com/vuln.**php?id*=1<http://www.target.com/vuln.php?id*=1>
>> "
>>      >
>>      > will try to inject into the parameter name id.
>>      >
>>      > Kind regards,
>>      > Miroslav Stampar
>>      >
>>      > On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...
>>     <mailto:rez...@se...>
>>      > <mailto:rez...@se... <mailto:rez...@se...>>**>
>> wrote:
>>      >
>>      >     Hello,
>>      >
>>      >     During one assessment I have found the web application that is
>>      >     vulnerable to
>>      >     the SQL injection not in parameter values but in parameter
>>     names itself.
>>      >
>>      >     This is something sqlmap is unable to find. Is it possible to
>>     add such
>>      >     functionality (e.g. by optional parameter) to sqlmap?
>>      >
>>      >     Regards
>>      >
>>      >     Karel Marhoul
>>      >
>>      >
>>     ------------------------------**------------------------------**
>> ------------------
>>      >     Own the Future-Intel&reg; Level Up Game Demo Contest 2013
>>      >     Rise to greatness in Intel's independent game demo contest.
>>      >     Compete for recognition, cash, and the chance to get your game
>>      >     on Steam. $5K grand prize plus 10 genre and skill prizes.
>>      >     Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_**
>> levelupd2d <http://p.sf.net/sfu/intel_levelupd2d>
>>      >     ______________________________**_________________
>>      >     sqlmap-users mailing list
>>      > sqlmap-users@lists.**sourceforge.net<sql...@li...>
>>     <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...>
>> >
>>      >     <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...>
>>
>>     <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...>
>> >>
>>      > https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
>>      >
>>      >
>>      >
>>      >
>>      > --
>>      > Miroslav Stampar
>>      > http://about.me/stamparm
>>
>>
>>     ------------------------------**------------------------------**
>> ------------------
>>     Own the Future-Intel(R) Level Up Game Demo Contest 2013
>>     Rise to greatness in Intel's independent game demo contest. Compete
>>     for recognition, cash, and the chance to get your game on Steam.
>>     $5K grand prize plus 10 genre and skill prizes. Submit your demo
>>     by 6/6/13. http://altfarm.mediaplex.com/**ad/ck/12124-176961-30367-2<http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2>
>>     ______________________________**_________________
>>     sqlmap-users mailing list
>>     sqlmap-users@lists.**sourceforge.net<sql...@li...>
>>     <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...>
>> >
>>     https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
>>
>>
>>
>

Re: [sqlmap-users] SQLi in parameter's name

[Karel M. <rez...@se...>]

Ok, let's have for example following URL:

http://example.com/?name1=value1&name2=value2&name3=value3

If I do something like this:

sqlmap -u http://example.com/?name1=value1&name2=value2&name3=value3

sqlmap wil try inject payloads into parameter values, server headers, 
cookies and so on, but NOT into parameter names.

Proposed parameter should work similar to this:

sqlmap --inject-names -u 
http://example.com/?name1=value1&name2=value2&name3=value3

And sqlmap will AUTOMATICALLY try to inject payload also into parameter 
names.

Why I want this parameter instead of manually inserting '*' symbol? 
Because I often use sqlmap in conjunction with burp, where I take burp's 
log and give it to sqlmap for testing (via -l parameter). In this 
scenario, it would be painful to insert '*' after each parameter name.

I hope I expressed it clear:)

Best regards and happy easter

Karel Marhoul

On 31.3.2013 0:11, mitchell wrote:
> So you have an option to inject wherever you want, but you want another
> option to inject "inside parameter names"? Maybe, I am missing something
> here...
>
> ~~
> # m.
>
>
> On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rez...@se...
> <mailto:rez...@se...>> wrote:
>
>     Hello,
>
>     yes '*' works, but I have to put it behind parameter's name manually. I
>     wish there was an option to tell sqlmap to automatically try SQLi not
>     only inside parameter values but also inside parameter names. Is is
>     possible to add such functionality?
>
>     Kind Regards
>
>     Karel Marhoul
>
>     On 28.3.2013 15:41, Miroslav Stampar wrote:
>      > Hi.
>      >
>      > Just use custom injection mark character.
>      >
>      > For example:
>      >
>      > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
>      >
>      > will try to inject into the parameter name id.
>      >
>      > Kind regards,
>      > Miroslav Stampar
>      >
>      > On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...
>     <mailto:rez...@se...>
>      > <mailto:rez...@se... <mailto:rez...@se...>>> wrote:
>      >
>      >     Hello,
>      >
>      >     During one assessment I have found the web application that is
>      >     vulnerable to
>      >     the SQL injection not in parameter values but in parameter
>     names itself.
>      >
>      >     This is something sqlmap is unable to find. Is it possible to
>     add such
>      >     functionality (e.g. by optional parameter) to sqlmap?
>      >
>      >     Regards
>      >
>      >     Karel Marhoul
>      >
>      >
>     ------------------------------------------------------------------------------
>      >     Own the Future-Intel&reg; Level Up Game Demo Contest 2013
>      >     Rise to greatness in Intel's independent game demo contest.
>      >     Compete for recognition, cash, and the chance to get your game
>      >     on Steam. $5K grand prize plus 10 genre and skill prizes.
>      >     Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>      >     _______________________________________________
>      >     sqlmap-users mailing list
>      > sql...@li...
>     <mailto:sql...@li...>
>      >     <mailto:sql...@li...
>     <mailto:sql...@li...>>
>      > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>      >
>      >
>      >
>      >
>      > --
>      > Miroslav Stampar
>      > http://about.me/stamparm
>
>
>     ------------------------------------------------------------------------------
>     Own the Future-Intel(R) Level Up Game Demo Contest 2013
>     Rise to greatness in Intel's independent game demo contest. Compete
>     for recognition, cash, and the chance to get your game on Steam.
>     $5K grand prize plus 10 genre and skill prizes. Submit your demo
>     by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
>     _______________________________________________
>     sqlmap-users mailing list
>     sql...@li...
>     <mailto:sql...@li...>
>     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

Re: [sqlmap-users] SQLi in parameter's name

[mitchell <mit...@tu...>]

So you have an option to inject wherever you want, but you want another
option to inject "inside parameter names"? Maybe, I am missing something
here...

~~
# m.


On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rez...@se...> wrote:

> Hello,
>
> yes '*' works, but I have to put it behind parameter's name manually. I
> wish there was an option to tell sqlmap to automatically try SQLi not
> only inside parameter values but also inside parameter names. Is is
> possible to add such functionality?
>
> Kind Regards
>
> Karel Marhoul
>
> On 28.3.2013 15:41, Miroslav Stampar wrote:
> > Hi.
> >
> > Just use custom injection mark character.
> >
> > For example:
> >
> > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
> >
> > will try to inject into the parameter name id.
> >
> > Kind regards,
> > Miroslav Stampar
> >
> > On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...
> > <mailto:rez...@se...>> wrote:
> >
> >     Hello,
> >
> >     During one assessment I have found the web application that is
> >     vulnerable to
> >     the SQL injection not in parameter values but in parameter names
> itself.
> >
> >     This is something sqlmap is unable to find. Is it possible to add
> such
> >     functionality (e.g. by optional parameter) to sqlmap?
> >
> >     Regards
> >
> >     Karel Marhoul
> >
> >
> ------------------------------------------------------------------------------
> >     Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> >     Rise to greatness in Intel's independent game demo contest.
> >     Compete for recognition, cash, and the chance to get your game
> >     on Steam. $5K grand prize plus 10 genre and skill prizes.
> >     Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> >     _______________________________________________
> >     sqlmap-users mailing list
> >     sql...@li...
> >     <mailto:sql...@li...>
> >     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
>
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel(R) Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest. Compete
> for recognition, cash, and the chance to get your game on Steam.
> $5K grand prize plus 10 genre and skill prizes. Submit your demo
> by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

Re: [sqlmap-users] Kali Linux

[Michael D. W. <mi...@it...>]

Test with other  tools to make sure it's not sqlmap.   Could be something
with your network/routing.

 

--

Michael D. Wood

www.itsecuritypros.org

 

From: Kaiecca Dixon [mailto:kai...@ho...] 
Sent: Wednesday, March 27, 2013 11:34 AM
To: sql...@li...
Subject: [sqlmap-users] Kali Linux

 

Hi,

I was wondering if anybody may be able to offer me some assistance/guidance?

I have recently installed Kali Linux and was learning sqlmap (all was
running fine). However, sqlmap no longer works. No matter what options are
used, I am always told that it can't connect to the proxy or url, before
shutting down.

All of my connections are routed via a VPN (OpenVPN). I was previously using
sqlmap + vpn on exactly the same system with no issue.

Please help

Thanks

K Dixon

Re: [sqlmap-users] SQLi in parameter's name

[Miroslav S. <mir...@gm...>]

this will inject before name:
python sqlmap.py -u "http://www.target.com/vuln.php?*id=1"
this will inject after name:
python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"

this will inject into name:
python sqlmap.py -u "http://www.target.com/vuln.php?i*d=1"

this will inject before value:
python sqlmap.py -u "http://www.target.com/vuln.php?id=*1"

this will inject after value:
python sqlmap.py -u "http://www.target.com/vuln.php?id=1*"

Which combination do you need? We are not going to make a new switch for
this kind of things because you can use * to mark your "special need".

Kind regards,
Miroslav Stampar
On Thu, Mar 28, 2013 at 7:06 PM, Karel Marhoul <rez...@se...> wrote:

> Hello,
>
> yes '*' works, but I have to put it behind parameter's name manually. I
> wish there was an option to tell sqlmap to automatically try SQLi not only
> inside parameter values but also inside parameter names. Is is possible to
> add such functionality?
>
> Kind Regards
>
> Karel Marhoul
>
> On 28.3.2013 15:41, Miroslav Stampar wrote:
>
>> Hi.
>>
>> Just use custom injection mark character.
>>
>> For example:
>>
>> python sqlmap.py -u "http://www.target.com/vuln.**php?id*=1<http://www.target.com/vuln.php?id*=1>
>> "
>>
>> will try to inject into the parameter name id.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...
>> <mailto:rez...@se...>> wrote:
>>
>>     Hello,
>>
>>     During one assessment I have found the web application that is
>>     vulnerable to
>>     the SQL injection not in parameter values but in parameter names
>> itself.
>>
>>     This is something sqlmap is unable to find. Is it possible to add such
>>     functionality (e.g. by optional parameter) to sqlmap?
>>
>>     Regards
>>
>>     Karel Marhoul
>>
>>     ------------------------------**------------------------------**
>> ------------------
>>     Own the Future-Intel&reg; Level Up Game Demo Contest 2013
>>     Rise to greatness in Intel's independent game demo contest.
>>     Compete for recognition, cash, and the chance to get your game
>>     on Steam. $5K grand prize plus 10 genre and skill prizes.
>>     Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_**levelupd2d<http://p.sf.net/sfu/intel_levelupd2d>
>>     ______________________________**_________________
>>     sqlmap-users mailing list
>>     sqlmap-users@lists.**sourceforge.net<sql...@li...>
>>     <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...>
>> >
>>     https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
>>
>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] SQLi in parameter's name

[Karel M. <rez...@se...>]

Hello,

yes '*' works, but I have to put it behind parameter's name manually. I 
wish there was an option to tell sqlmap to automatically try SQLi not 
only inside parameter values but also inside parameter names. Is is 
possible to add such functionality?

Kind Regards

Karel Marhoul

On 28.3.2013 15:41, Miroslav Stampar wrote:
> Hi.
>
> Just use custom injection mark character.
>
> For example:
>
> python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
>
> will try to inject into the parameter name id.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...
> <mailto:rez...@se...>> wrote:
>
>     Hello,
>
>     During one assessment I have found the web application that is
>     vulnerable to
>     the SQL injection not in parameter values but in parameter names itself.
>
>     This is something sqlmap is unable to find. Is it possible to add such
>     functionality (e.g. by optional parameter) to sqlmap?
>
>     Regards
>
>     Karel Marhoul
>
>     ------------------------------------------------------------------------------
>     Own the Future-Intel&reg; Level Up Game Demo Contest 2013
>     Rise to greatness in Intel's independent game demo contest.
>     Compete for recognition, cash, and the chance to get your game
>     on Steam. $5K grand prize plus 10 genre and skill prizes.
>     Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>     _______________________________________________
>     sqlmap-users mailing list
>     sql...@li...
>     <mailto:sql...@li...>
>     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

Re: [sqlmap-users] Kali Linux

[Miroslav S. <mir...@gm...>]

Hi.

It seems that you are having some non-sqlmap related issues. It's really
hard to help in situations where user tells that suddenly "sqlmap no longer
works".

Have you tried to run other tools on Kali?

Have you tried to use --ignore-proxy if you are having a system-wide
default proxy set and trying to access the host on LAN?

Are you trying to access to an outside the LAN target and you are behind a
proxy, while you haven't set proxy setting through option '--proxy' and/or
environment variables http_proxy and/or https_proxy?

As you are using VPN it would be really great if you could test other tools
so you could see if everything is routed properly.

Anyway, from my perspective, you are having some non-sqlmap issue here.

Kind regards,
Miroslav Stampar

On Wed, Mar 27, 2013 at 4:34 PM, Kaiecca Dixon <kai...@ho...>wrote:

> Hi,
>
> I was wondering if anybody may be able to offer me some
> assistance/guidance?
>
> I have recently installed Kali Linux and was learning sqlmap (all was
> running fine). However, sqlmap no longer works. No matter what options are
> used, I am always told that it can't connect to the proxy or url, before
> shutting down.
>
> All of my connections are routed via a VPN (OpenVPN). I was previously
> using sqlmap + vpn on exactly the same system with no issue.
>
> Please help
>
> Thanks
>
> K Dixon
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel® Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game
> on Steam. $5K grand prize plus 10 genre and skill prizes.
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] SQLi in parameter's name

[Miroslav S. <mir...@gm...>]

Hi.

Just use custom injection mark character.

For example:

python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"

will try to inject into the parameter name id.

Kind regards,
Miroslav Stampar

On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...> wrote:

> Hello,
>
> During one assessment I have found the web application that is vulnerable
> to
> the SQL injection not in parameter values but in parameter names itself.
>
> This is something sqlmap is unable to find. Is it possible to add such
> functionality (e.g. by optional parameter) to sqlmap?
>
> Regards
>
> Karel Marhoul
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game
> on Steam. $5K grand prize plus 10 genre and skill prizes.
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] Sqlmap Bug

[Miroslav S. <mir...@gm...>]

Hi.

This should be fixed now.

Kind regards,
Miroslav Stampar

On Wed, Mar 27, 2013 at 3:39 AM, b1lack <b1...@16...> wrote:

>  Hello Great hack:
>                    I really like this tool,Today, however, I found that
> injection project encountered a problem.
>                    Do not know how to contact to the love of friends of
> Internet security abroad?I come from China!
>
>
> Error message:
> [10:34:24] [CRITICAL] unhandled exception in sqlmap/1.0-dev-c19a283, retry
> your run with the latest development version from the GitHub repository. If
> the exception persists, please send by e-mail to '
> sql...@li...' or open a new issue at '
> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
> text and any information required to reproduce the bug. The developers will
> try to reproduce the bug, fix it accordingly and get back to
> you.
>
> sqlmap version:
> 1.0-dev-c19a283
>
> Python version:
> 2.6.5
>
> Operating system:
> posix
>
> Command line: ./sqlmap.py -u
> *********************************************************** --random-agent
> --tables -D ******* -T ******** --dump --stop
> 2
> Technique:
> BOOLEAN
>
> Back-end DBMS: Microsoft SQL Server
> (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 87, in main
>     start()
>   File "/pentest/database/sqlmap/lib/controller/controller.py", line 576,
> in start
>     action()
>   File "/pentest/database/sqlmap/lib/controller/action.py", line 109, in
> action
>     conf.dumper.dbTables(conf.dbmsHandler.getTables())
>   File "/pentest/database/sqlmap/lib/core/dump.py", line 236, in dbTables
>     blank = " " * (maxlength - len(normalizeUnicode(table) or str(table)))
> UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-1:
> ordinal not in range(128)
>
>
>
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game
> on Steam. $5K grand prize plus 10 genre and skill prizes.
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

[sqlmap-users] Kali Linux

[Kaiecca D. <kai...@ho...>]

Hi,

I was wondering if anybody may be able to offer me some assistance/guidance?

I have recently installed Kali Linux and was learning sqlmap (all was running fine). However, sqlmap no longer works. No matter what options are used, I am always told that it can't connect to the proxy or url, before shutting down.

All of my connections are routed via a VPN (OpenVPN). I was previously using sqlmap + vpn on exactly the same system with no issue.

Please help

Thanks

K Dixon
 		 	   		  

Re: [sqlmap-users] Issue when using -p with JSON requests

[Miroslav S. <mir...@gm...>]

Hi.

Just to have it officially here on ML. There were couple of problems
related. Now everything works as expected.

Kind regards,
Miroslav Stampar

On Tue, Mar 26, 2013 at 2:39 PM, Pieter de Boer <pi...@th...>wrote:

> Hi all,
>
> My colleague is having an issue with POST/GET behaviour with JSON
> requests in sqlmap/1.0-dev-64ba880. He asked me to forward this to the
> mailinglist:
>
>
> I have the following request which i load with the -l flag:
>
> --
> POST /blup?param=2 HTTP/1.1
> Host: http://test.tld
> User-Agent: Test
> Accept: application/json, text/javascript, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/json; charset=utf-8
> X-Requested-With: XMLHttpRequest
> Content-Length: 116
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
>
>
> {"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}
> --
>
> - If i do not specify a parameter with -p then sqlmap will happily test
> all parameters (including the ones in the URL) using HTTP POST requests
> with the JSON data.
>
> - If i enter 'N' at  "JSON like data found in POST data. Do you want to
> process it? [Y/n/q] " then it will start to do HTTP GET requests for the
> parameters in the URL.
>
> - If i specify '-p param' then sqlmap will start to do HTTP GET requests
> and it will leave out the JSON data.
>
> If i do the same request from the command line:
>
> --
> sqlmap.py -u "http://test.tld/blup?param=2"
>
> --data="{"jqGridRequest":{"IsSearch":false,"nd":1364299479869,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}"
> -p param
> --
>
> Then sqlmap will not prompt me for "JSON like data found in POST data.
> Do you want to process it? [Y/n/q] " and it will test normally so it
> seems to be related to the JSON detection.
>
> Could you have a look at this behaviour and maybe fix sqlmap so that it
> will keep doing HTTP POST requests even when the JSON data is not
> processed?
>
>
> Thanks!
> Pieter
>
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game
> on Steam. $5K grand prize plus 10 genre and skill prizes.
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm

[sqlmap-users] SQLi in parameter's name

[a a <rez...@se...>]

Hello,

During one assessment I have found the web application that is vulnerable to 
the SQL injection not in parameter values but in parameter names itself.

This is something sqlmap is unable to find. Is it possible to add such 
functionality (e.g. by optional parameter) to sqlmap?

Regards

Karel Marhoul

[sqlmap-users] Sqlmap Bug

[b1lack <b1...@16...>]

 Hello Great hack:
                   I really like this tool,Today, however, I found that injection project encountered a problem.
                   Do not know how to contact to the love of friends of Internet security abroad?I come from China!


Error message:
[10:34:24] [CRITICAL] unhandled exception in sqlmap/1.0-dev-c19a283, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.                                                                                 
sqlmap version: 1.0-dev-c19a283                                                                               
Python version: 2.6.5                                                                                         
Operating system: posix                                                                                       
Command line: ./sqlmap.py -u *********************************************************** --random-agent --tables -D ******* -T ******** --dump --stop 2                                                                      
Technique: BOOLEAN                                                                                            
Back-end DBMS: Microsoft SQL Server (fingerprinted)                                                           
Traceback (most recent call last):
  File "./sqlmap.py", line 87, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 576, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 109, in action
    conf.dumper.dbTables(conf.dbmsHandler.getTables())
  File "/pentest/database/sqlmap/lib/core/dump.py", line 236, in dbTables
    blank = " " * (maxlength - len(normalizeUnicode(table) or str(table)))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-1: ordinal not in range(128)

[sqlmap-users] Issue when using -p with JSON requests

[Pieter de B. <pi...@th...>]

Hi all,

My colleague is having an issue with POST/GET behaviour with JSON 
requests in sqlmap/1.0-dev-64ba880. He asked me to forward this to the 
mailinglist:


I have the following request which i load with the -l flag:

--
POST /blup?param=2 HTTP/1.1
Host: http://test.tld
User-Agent: Test
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}
--

- If i do not specify a parameter with -p then sqlmap will happily test 
all parameters (including the ones in the URL) using HTTP POST requests 
with the JSON data.

- If i enter 'N' at  "JSON like data found in POST data. Do you want to 
process it? [Y/n/q] " then it will start to do HTTP GET requests for the 
parameters in the URL.

- If i specify '-p param' then sqlmap will start to do HTTP GET requests 
and it will leave out the JSON data.

If i do the same request from the command line:

--
sqlmap.py -u "http://test.tld/blup?param=2" 
--data="{"jqGridRequest":{"IsSearch":false,"nd":1364299479869,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}" 
-p param
--

Then sqlmap will not prompt me for "JSON like data found in POST data. 
Do you want to process it? [Y/n/q] " and it will test normally so it 
seems to be related to the JSON detection.

Could you have a look at this behaviour and maybe fix sqlmap so that it 
will keep doing HTTP POST requests even when the JSON data is not processed?


Thanks!
Pieter

Re: [sqlmap-users] mysql_fetch_array(): - false positive

[Miroslav S. <mir...@gm...>]

Hi.

Could you please explain what is a false positive here exactly? Also, could
you please explain what does a term 'false positive' means?

Kind regards,
Miroslav Stampar
On Mar 22, 2013 7:28 AM, "Mardian Gunawan" <gun...@gm...> wrote:

> Hi,
>
> How you doing guys.
>
> im testing and manually put ' (tick) and the web spawn this error:
>
> Warning: mysql_fetch_array(): supplied argument is not a valid MySQL
> result resource in /var/www/status.php on line 9
>
> using sqlmap level=3 and risk=3, sqlmap says "heuristic (parsing) test
> shows that GET parameter 'user' might be injectable (possible DBMS:
> 'MySQL')" yet I got is false positive.
>
> the web has no protection, I'm using --check-waf too.
>
> mostly with this error sqlmap can get through, any suggestion/hint guys?
>
>
> Thanks :))
> --
> Cheers,
> Gunma
> http://gunma.rootedker.nl
>
>
>
> --
> Cheers,
> Gunma
> http://gunma.rootedker.nl
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

[sqlmap-users] mysql_fetch_array(): - false positive

[Mardian G. <gun...@gm...>]

Hi,

How you doing guys.

im testing and manually put ' (tick) and the web spawn this error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL
result resource in /var/www/status.php on line 9

using sqlmap level=3 and risk=3, sqlmap says "heuristic (parsing) test
shows that GET parameter 'user' might be injectable (possible DBMS:
'MySQL')" yet I got is false positive.

the web has no protection, I'm using --check-waf too.

mostly with this error sqlmap can get through, any suggestion/hint guys?


Thanks :))
-- 
Cheers,
Gunma
http://gunma.rootedker.nl



-- 
Cheers,
Gunma
http://gunma.rootedker.nl

[sqlmap-users] Keeping track of development progress

[Bernardo D. A. G. <ber...@gm...>]

Hi,

Historically this mailing list has proved to be an excellent vector to
report bugs for you and it still is - thanks to your feedback,
numerous bugs have been identified and fixed over time.

We seek for ways to keep our users' happy and have introduced last
year another vector to report bugs and suggest features: GitHub
issues[1]. We have even had a few code contributions via pull
requests[2], thanks!

The downside of the mailing list is that we haven't used it
periodically to communicate new features. This probably does not
affect the most of you that keep track of commits via GitHub.
To address this, we have opted to use Twitter fast and efficient way
of communicating: https://twitter.com/sqlmap. Alongside GitHub commit
history[3] and GitHub closed tickets[4], the @sqlmap Twitter account
is an effective way to keep on top of the development: not only seeing
bugs being hunted down, also by learning about new features - perhaps
your long awaited features has just been implemented!

I encourage you all to follow us on Twitter too!

[1] https://github.com/sqlmapproject/sqlmap/issues/new
[2] https://github.com/sqlmapproject/sqlmap/pulls?direction=desc&page=1&sort=updated&state=closed
[3] https://github.com/sqlmapproject/sqlmap/commits/master
[4] https://github.com/sqlmapproject/sqlmap/issues?milestone=&page=1&sort=updated&state=closed

Thank you.
Bernardo


--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)

Re: [sqlmap-users] Upcoming sqlmap 1.0 stable release

[Luka P. <lu...@pu...>]

Great work & great team, congrats!


On Wed, Mar 20, 2013 at 6:12 PM, Bernardo Damele A. G. <
ber...@gm...> wrote:

> Hi fellow sqlmap supporters,
>
> After about two years worth of development since the previous
> (supposedly) stable 0.9 release, a couple of hundreds of bug fixes,
> half a hundred of new features developed, thousands of emails
> exchanged, a few public appearances at nerds' conferences and at
> stylish social gatherings, being called "dumb mother fuckers" by
> someone for "making simple and easy for anyone to hack any one else"
> and, on the other hand, being praised and referenced in a dozen books
> and presentation by others (thanks!)..
>
> ..we have cut the release and are currently wrapping the tool
> (including documentation, yes for real, can't believe either myself)
> for the stable release of version 1.0 in the upcoming quarter!
>
> If you have any further bug to report, now it's the time to speak out[1].
>
> Thanks for your feedback throughout the journey so far.. expect a few
> news by the time the sun will burn your skin in western summer!
>
> [1] https://github.com/sqlmapproject/sqlmap/issues/new
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

Re: [sqlmap-users] MS Access: provide option to specify table name to detect union based sqli vuln

[Miroslav S. <mir...@gm...>]

Hi Buawig.

Implemented as requested [1].

Now, in your case, you can (e.g.) use --union-from=foobar which will
enforce usage of table name foobar in UNION query injection payloads.

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/423

On Tue, Mar 19, 2013 at 8:34 PM, buawig <bu...@gm...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> I've got a simple union based sqli (resulting webpage shows only one
> entry/row).
>
> Valid statements that show the numbers in the resulting html page:
>
> ...&id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
> ...&id=123 union select top 1 1,2,3,4,5,6,7,8,9,10,11,12,13 from foobar
>
> - - foobar is an existing table (gathered via error messages in html)
> - - password is a valid column in the foobar table
>
> The following URL gives you one password:
>
> ...&id=123 union select top 1 1,2,3,4,5,6,password,8,9,10,11,12,13
> from foobar
>
>
> Now I wanted to hand over to sqlmap to dump all passwords:
>
> sqlmap -u <url> -p id --dbms="Microsoft Access" -T foobar -C password
> - --dump
>
> which did not work out (0 entries retrieved), but it was confirmed
> that the table has several hundred entries.
>
> - - sqlmap was able to detect the number of columns is 13 (correct)
> - - sqlmap confirmed a bolean-based blind sqli vulnerability (but no
> UNION based sqli)
> - - sqlmap was able to confirm the existence of table name (with --tables)
> (echo foobar >  txt/common-tables.txt)
> - - sqlmap was able to confirm the existence of column name password
> (with --colums)
>
> When running something like:
> - --technique=U --union-cols=13 --union-char=1
>
> sqlmap requested something *like*:
>
> ...id=-123 union all select
> 1,2,3,4,5,6,CHR(58)&CHR(111)&CHR(58),8,9,10,11,12,13 from
> MSysAccessObjects%00
>
> which results in the following error message (shown in the html page):
>
> The Microsoft Jet database engine cannot find the input table or query
> 'MSysAccessObjects'. Make sure it exists and that its name is spelled
> correctly.
>
> So if sqlmap would accept a known tablename on the command line that
> it would use to detect/confirm the union based sqli vuln, instead of
> using "MSysAccessObjects" this would make sqlmap more useful
> (or simply use the table name specified in -T or previously
> bruteforced to detect union-based sqli).
>
> thanks!
>
> PS: I did *not* run sqlmap with special --risk/--level because I don't
> want to send several unneeded http requests if the vulnerability is
> already confirmed (manually). I'm using sqlmap mainly for exploitation
> (not so much for detection) and would appreciate if the user could
> tell sqlmap how to exploit a certain sqli (something that is already
> partially given with --technique, --union-cols, --union-chars).
>
> I did use 1.0-dev-d1ae62b.
>
> ref:
> http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
>
> http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-webappsecurity-testing-web.html
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJRSL3LAAoJEJeRHQyF0ukMFLsP/3OdDtcE5K+6AttmQhmadyum
> 0/yDLbtTS06W6iW1iguuvPL/Kva6gURynOrwEh/eD+AOPVVBUD6vjjHx9Z8R4XLO
> 8OrOWqQ6xe7ppjsU3ThXy550vFD/n62DgNjsM/JkwTFicSki4+JYwbmE9CPjfSfk
> mRmLadOP4/iU7m+s3bv6f58jTUO6YdPOqR3yEWuES5k+sL+7QDDPPk8fEqbvKuxw
> JK2yYsa5ZmP78GW9s7Gg1BjnMI51G3NbNI0ZdZllFm2APwSw9R+13YzXwtp0V6oJ
> L+SDZJ0ZIJLEw133F/eoASVTQMZICz/K494KmXWlv68ac9TLmrvRGcis7o6FdGE1
> lUa5LC7ddNE7Z21g83miC4CaG4JUqXxQ2kdW1HW7joLGHl+Gi45gr0A+t6QmRVOl
> njOM/2O3wBDfaif68Equ9+Bm1JK5DzVEwu0mMBUrKNEfynR1PvU6/T7R/f1Ogu8p
> 8H32HtwGQLowwNYbHz3SMk0ecY9lVOAhIAA6afz0YTuyh777cVJCq7YmgTXBUlpQ
> zqEO72FGTyObOnbYhGE8dN6TdfsCk0Fdl5VJC3TTHoLRtRuQC7WzxZktwETl6Jxy
> dOjG2MpjMdtu3zR07WzuroRdrgFhnonb1Wq7BWDDKgB6kFrH80GMYt0hpNJ9mY0c
> 0p/jGfV1aHnEBhy3KpXe
> =Q1R5
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm

Re: [sqlmap-users] Upcoming sqlmap 1.0 stable release

[Sergio M. <sm...@wp...>]

Congratulations !!! You are doing a great job, thanks a lot.
El 21/03/2013 08:34, "Dennis" <kor...@ya...> escribió:

> Yeah, great news! Thanks for all the hard and amazing work!
>
> Cheers,
> Dennis
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

Re: [sqlmap-users] Upcoming sqlmap 1.0 stable release

[Dennis <kor...@ya...>]

Yeah, great news! Thanks for all the hard and amazing work!

Cheers,
Dennis

[sqlmap-users] Getting server path

[Bruno G. <gar...@gm...>]

Hello,
I'm testing a vuln on a site, and the MySQL error printed in the site when
adding a " ' " doesn't print the path where the php is running, so let's
say I want to upload a file to a directory using --file-write and
--file-dest, and I don't know the path that way.
Is there any way of getting where the php is running on the computer?

Thanks.

Re: [sqlmap-users] Upcoming sqlmap 1.0 stable release

[buawig <bu...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> and i believe i can also say great support.

I totally agree! (I especially like your response time.)

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRSjyqAAoJEJeRHQyF0ukM1lIQALOXfk5Wgnff1zRSyv2y+X0i
YHYPjE9lQCo9Wt7hnsRUB75gPL3UYUv70T+QaLILh1CyULnEuj/pw1/fxuTccsBZ
hQxOKnnaFRbDCPndPG7Kt4zt5OSckB4ZMB7zUunrEWHxHfpBHqSSERBKdFtzOy6K
QI2o4hSjDpgr4pOpueVk15XaD0orf+2GT3duIyLSqk7IlTO/k7g7j5Y9/p/Duzzf
2UcfysgBjMc0fEHtO0WOk2YYHjIvPdQIDaLgv54Miqw/V6loomc1+wnESGS99Brd
GrtCJCJEWTbrwRXYYP9BEEGlsxmkvLHuSY9iYlFK16ifd+xLJxgwsrQhW3Ncztw5
UDi8AGho2nLYFFuooXIjcYdOsJkzG3OLabgcArgOqjNrsYfd2ZerWME31Bt8CrIG
R/JGy446PzY+bhSwEDx+/jeCBs4Roz8pZ1OwKBUjY3wEGZ3iviKJMNUVjIMnSNYU
BXjXSQ8qN2Z6pI3flz4NdQlwV1Pe+9hDHtBOB4ET3S12dWvoFLcFxQNWOmyfPHm5
eXkZ0H6XdVmCqdL5jRdGT1lMrPwKFyIql8rOsakknC6tjzzK3FKAoDBl6afO+4kM
ZmNh1Chwax7Mp01OXB+wSoXbk3IWXTLQiWyiPDinene7JRKer9tcGEwueVV7wgeI
vlOCVD6hO1UKqdgbfcuk
=X+kz
-----END PGP SIGNATURE-----