sqlmap-users Mailing List for sqlmap (Page 44)
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users — sqlmap users mailing list
You can subscribe to this list here.
| 2008 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(4) |
Oct
(11) |
Nov
(24) |
Dec
(13) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009 |
Jan
(23) |
Feb
(17) |
Mar
(13) |
Apr
(48) |
May
(22) |
Jun
(18) |
Jul
(22) |
Aug
(13) |
Sep
(23) |
Oct
(6) |
Nov
(11) |
Dec
(25) |
| 2010 |
Jan
(21) |
Feb
(33) |
Mar
(61) |
Apr
(47) |
May
(48) |
Jun
(30) |
Jul
(24) |
Aug
(37) |
Sep
(52) |
Oct
(59) |
Nov
(32) |
Dec
(57) |
| 2011 |
Jan
(166) |
Feb
(93) |
Mar
(65) |
Apr
(117) |
May
(87) |
Jun
(124) |
Jul
(102) |
Aug
(78) |
Sep
(65) |
Oct
(22) |
Nov
(71) |
Dec
(79) |
| 2012 |
Jan
(93) |
Feb
(55) |
Mar
(45) |
Apr
(49) |
May
(56) |
Jun
(93) |
Jul
(95) |
Aug
(42) |
Sep
(26) |
Oct
(36) |
Nov
(32) |
Dec
(46) |
| 2013 |
Jan
(36) |
Feb
(78) |
Mar
(38) |
Apr
(57) |
May
(35) |
Jun
(39) |
Jul
(23) |
Aug
(33) |
Sep
(28) |
Oct
(38) |
Nov
(22) |
Dec
(16) |
| 2014 |
Jan
(33) |
Feb
(23) |
Mar
(41) |
Apr
(29) |
May
(12) |
Jun
(20) |
Jul
(21) |
Aug
(23) |
Sep
(18) |
Oct
(34) |
Nov
(12) |
Dec
(39) |
| 2015 |
Jan
(2) |
Feb
(51) |
Mar
(10) |
Apr
(28) |
May
(9) |
Jun
(22) |
Jul
(32) |
Aug
(35) |
Sep
(29) |
Oct
(50) |
Nov
(8) |
Dec
(2) |
| 2016 |
Jan
(8) |
Feb
(2) |
Mar
(3) |
Apr
(14) |
May
|
Jun
|
Jul
|
Aug
(12) |
Sep
|
Oct
|
Nov
(1) |
Dec
(19) |
| 2017 |
Jan
|
Feb
(18) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
(2) |
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
(1) |
Apr
(1) |
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
(3) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Miroslav S. <mir...@gm...> - 2013-01-22 21:17:47
|
Hi. Just double checked and everything works as expected. Could you please send your complete line you use? Kind regards, Miroslav Stampar p.s. have you enclosed URL with double quotes? On Tue, Jan 22, 2013 at 10:08 PM, Thunder Chunky <hac...@gm...>wrote: > Hi Guys, > > The current URL that I am testing has several parameters the issue is that > for the request to succeed all parameters need to be sent. > > URL = http://site.com/script?ex1=true&ex2=test&ex3=blah > > Unfortunately it appears that sqlmap splits the parameters and tests for > the injection on each one individually i.e. > > Test 1 = http://site.com/script?ex1=true ' UNION > Test 2 = http://site.com/script?ex2=test ' UNION > > Is there any way to make sqlmap perform the injection inline with the URL, > thus sending all parameters to avoid the 404? > > > ------------------------------------------------------------------------------ > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft > MVPs and experts. ON SALE this month only -- learn more at: > http://p.sf.net/sfu/learnnow-d2d > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Thunder C. <hac...@gm...> - 2013-01-22 21:08:52
|
Hi Guys, The current URL that I am testing has several parameters the issue is that for the request to succeed all parameters need to be sent. URL = http://site.com/script?ex1=true&ex2=test&ex3=blah Unfortunately it appears that sqlmap splits the parameters and tests for the injection on each one individually i.e. Test 1 = http://site.com/script?ex1=true ' UNION Test 2 = http://site.com/script?ex2=test ' UNION Is there any way to make sqlmap perform the injection inline with the URL, thus sending all parameters to avoid the 404? |
|
From: Dennis <kor...@ya...> - 2013-01-18 13:28:50
|
Damn, I was too slow :) Am 18.01.2013 13:28, schrieb Miroslav Stampar: > > Hi. > > Try with --tamper=between. > > Kind regards, > Miroslav Stampar > > p.s. It's actually a Python, not Perl > > Dana 18.1.2013. 13:19 "wh...@po... <mailto:wh...@po...>" > <wh...@po... <mailto:wh...@po...>> je napisao/la: > > Hi all, > > my current test is a web application that redirects me to a > generic page, whenever < or > is present in a parameter - before > the query gets to the application logic. > The application is injectable with a blind injection (MSSQL, > proven by manual checking and also found by sqlmap). But if I try > e.g. --current-user, sqlmap uses a query > with greater than ">" in the where clause :-( > > Is it possible to use other queries (like only "=" or "!=" or > contains)? > I'm to lazy to program this myself - or try to understand the perl > - programs I used ages ago ;-) > > > Kind regards, > > Chris > > ------------------------------------------------------------------------------ > Master HTML5, CSS3, ASP.NET <http://ASP.NET>, MVC, AJAX, > Knockout.js, Web API and > much more. Get web development skills now with LearnDevNow - > 350+ hours of step-by-step video tutorials by Microsoft MVPs and > experts. > SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122812 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > <mailto:sql...@li...> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > ------------------------------------------------------------------------------ > Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and > much more. Get web development skills now with LearnDevNow - > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. > SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122812 > > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap- |
|
From: Dennis <kor...@ya...> - 2013-01-18 12:34:58
|
use tamper scripts. --tamper=between should do the trick if I'm not mistaken. Cheers, Dennis Am 18.01.2013 12:54, schrieb wh...@po...: > Hi all, > > my current test is a web application that redirects me to a generic > page, whenever < or > is present in a parameter - before the query > gets to the application logic. > The application is injectable with a blind injection (MSSQL, proven by > manual checking and also found by sqlmap). But if I try e.g. > --current-user, sqlmap uses a query > with greater than ">" in the where clause :-( > > Is it possible to use other queries (like only "=" or "!=" or contains)? > I'm to lazy to program this myself - or try to understand the perl - > programs I used ages ago ;-) > > > Kind regards, > > Chris > > > ------------------------------------------------------------------------------ > Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and > much more. Get web development skills now with LearnDevNow - > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. > SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122812 > > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
|
From: <wh...@po...> - 2013-01-18 12:32:44
|
Hi Miroslav RTFM ;-) that did the trick, thanks! Chris Miroslav Stampar <mir...@gm...> hat am 18. Januar 2013 um 13:28 geschrieben: > > Hi. > > Try with --tamper=between. > > Kind regards, > Miroslav Stampar > > p.s. It's actually a Python, not Perl > > Dana 18.1.2013. 13:19 " wh...@po... <mailto:wh...@po...> " < > wh...@po... <mailto:wh...@po...> > je napisao/la: > > > Hi all, > > > > my current test is a web application that redirects me to a generic page, > > whenever < or > is present in a parameter - before the query gets to the > > application logic. > > The application is injectable with a blind injection (MSSQL, proven by > > manual checking and also found by sqlmap). But if I try e.g. --current-user, > > sqlmap uses a query > > with greater than ">" in the where clause :-( > > > > Is it possible to use other queries (like only "=" or "!=" or contains)? > > I'm to lazy to program this myself - or try to understand the perl - > > programs I used ages ago ;-) > > > > > > Kind regards, > > > > Chris > > > > > > ------------------------------------------------------------------------------ > > Master HTML5, CSS3, ASP.NET <http://ASP.NET> , MVC, AJAX, Knockout.js, > > Web API and > > much more. Get web development skills now with LearnDevNow - > > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. > > SALE $99.99 this month only -- learn more at: > > http://p.sf.net/sfu/learnmore_122812 > > <http://p.sf.net/sfu/learnmore_122812> > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > <mailto:sql...@li...> > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > <https://lists.sourceforge.net/lists/listinfo/sqlmap-users> > > > |
|
From: Miroslav S. <mir...@gm...> - 2013-01-18 12:28:29
|
Hi. Try with --tamper=between. Kind regards, Miroslav Stampar p.s. It's actually a Python, not Perl Dana 18.1.2013. 13:19 "wh...@po..." <wh...@po...> je napisao/la: > ** > Hi all, > > my current test is a web application that redirects me to a generic page, > whenever < or > is present in a parameter - before the query gets to the > application logic. > The application is injectable with a blind injection (MSSQL, proven by > manual checking and also found by sqlmap). But if I try e.g. > --current-user, sqlmap uses a query > with greater than ">" in the where clause :-( > > Is it possible to use other queries (like only "=" or "!=" or contains)? > I'm to lazy to program this myself - or try to understand the perl - > programs I used ages ago ;-) > > > Kind regards, > > Chris > > > ------------------------------------------------------------------------------ > Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and > much more. Get web development skills now with LearnDevNow - > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. > SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122812 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
|
From: <wh...@po...> - 2013-01-18 12:19:15
|
Hi all, my current test is a web application that redirects me to a generic page, whenever < or > is present in a parameter - before the query gets to the application logic. The application is injectable with a blind injection (MSSQL, proven by manual checking and also found by sqlmap). But if I try e.g. --current-user, sqlmap uses a query with greater than ">" in the where clause :-( Is it possible to use other queries (like only "=" or "!=" or contains)? I'm to lazy to program this myself - or try to understand the perl - programs I used ages ago ;-) Kind regards, Chris |
|
From: Stan S. <sep...@gm...> - 2013-01-16 15:01:21
|
I can not make it do it. I'm sure it's something that I'm doing as obviously it should work but I can not get it to output a text file :( I |
|
From: Miroslav S. <mir...@gm...> - 2013-01-16 13:59:25
|
Hi. Traffic file should be inside the folder where you run sqlmap.py. So, if you are running sqlmap.py from folder ABC, then traffic.txt should be located in that same directory. E.g.: C:\sqlmap> python sqlmap.py -u "..." ... -t traffic.txt .... C:\sqlmap>dir *.txt traffic.txt Kind regards, Miroslav Stampar On Wed, Jan 16, 2013 at 2:48 PM, Stan Smith <sep...@gm...> wrote: > I tried the traffic switch but there is no file created in rhe traffic > folder. Honoured 2 be speaking to you by the way. :) > > > ------------------------------------------------------------------------------ > Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery > and much more. Keep your Java skills current with LearnJavaNow - > 200+ hours of step-by-step video tutorials by Java experts. > SALE $49.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122612 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Stan S. <sep...@gm...> - 2013-01-16 13:48:25
|
I tried the traffic switch but there is no file created in rhe traffic folder. Honoured 2 be speaking to you by the way. :) |
|
From: Miroslav S. <mir...@gm...> - 2013-01-16 13:29:34
|
Hi. Well, you just append --fresh-queries -t traffic.txt to your normal sqlmap run (e.g. python sqlmap.py -u "www.target.com/vuln.php?id=1" .... -t traffic.txt --fresh-queries I am interested in resulting "traffic.txt" file inside running directory. Kind regards, Miroslav Stampar On Wed, Jan 16, 2013 at 2:23 PM, Stan Smith <sep...@gm...> wrote: > I can not seem to make it create the traffic file. :( > > But I am using the version which was in the .zip file that I had downloaded here today. 16/1/2013 > > https://github.com/sqlmapproject/sqlmap/zipball/master > > sqlmapproject-sqlmap-3464a70 > > I know that this is very little information to go on. Please advise me on how to provide you with more information. > > > > ------------------------------------------------------------------------------ > Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery > and much more. Keep your Java skills current with LearnJavaNow - > 200+ hours of step-by-step video tutorials by Java experts. > SALE $49.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122612 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Stan S. <sep...@gm...> - 2013-01-16 13:23:47
|
I can not seem to make it create the traffic file. :( But I am using the version which was in the .zip file that I had downloaded here today. 16/1/2013 https://github.com/sqlmapproject/sqlmap/zipball/master sqlmapproject-sqlmap-3464a70 I know that this is very little information to go on. Please advise me on how to provide you with more information. |
|
From: Miroslav S. <mir...@gm...> - 2013-01-16 12:06:57
|
Hi. Which version do you use? Technique? Maybe you could send a traffic file for that run (-t traffic.txt --fresh-queries). Bye Dana 16.1.2013. 11:57 "Stan Smith" <sep...@gm...> je napisao/la: > Having the same problem as described here with the currnt version of > SQLMap. > > http://www.question-defense.com/2011/10/03/sqlmap-wont-enumerate-databases > > Any suggestions? > > > ------------------------------------------------------------------------------ > Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery > and much more. Keep your Java skills current with LearnJavaNow - > 200+ hours of step-by-step video tutorials by Java experts. > SALE $49.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122612 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
|
From: Stan S. <sep...@gm...> - 2013-01-16 10:56:38
|
Having the same problem as described here with the currnt version of SQLMap. http://www.question-defense.com/2011/10/03/sqlmap-wont-enumerate-databases Any suggestions? |
|
From: Anton S. <ant...@gm...> - 2013-01-13 19:24:11
|
Hi Miroslav, You've indeed made my morning (although it's night here, but that would sound awkward) :) Thank a a bunch to you personally and all those involved. Sincerely, Anton. On Sun, Jan 13, 2013 at 7:38 PM, Miroslav Stampar < mir...@gm...> wrote: > Hi Anton. > > Let me give to you a late Christmas present [1] :) > > Bye > > Kind regards, > Miroslav Stampar > > [1] https://github.com/sqlmapproject/sqlmap/issues/48 > > On Fri, Jan 11, 2013 at 8:22 PM, Anton Sazonov <ant...@gm...>wrote: > >> Hello Miroslav and tanks for answering, >> >> Never meant to be the pushy one, just felt that once in a half-year >> reminder would stir things up :) >> >> Thanks for an unfortunately fitting analogy though. >> >> Anyway, I'm certainly not in position to push/alter your dev schedule, >> only really wanted to remind you and fellow developers. Just in case. It's >> been a long while, so do kindly understand my meaning. No offence intended >> whatsoever. I'm not paying you, nor do you owe me anything. I'm well aware >> of that. Again, sorry if I offended you or the devteam in some way. >> >> Let's write it off to the weekend and a six-pack. >> >> Cheers, >> Anton (the #48 issue guy). >> >> >> On Fri, Jan 11, 2013 at 11:13 PM, Miroslav Stampar < >> mir...@gm...> wrote: >> >>> Hi Anton. >>> >>> I'll just use an analogy here. Everybody knows how (not paid) women >>> react when you are being too pushy :). She'll eventually probably loose >>> interest. >>> >>> Well, this was just an analogy. We'll do it eventually (maybe these >>> days, can't promise). >>> >>> Bye >>> Dana 11.1.2013. 19:41 "Anton Sazonov" <ant...@gm...> je >>> napisao/la: >>> >>>> Hello there and thanks a lot for a great product. >>>> >>>> I don't mean to be rude and/or insensitive, but is there any hope of >>>> fixing issue #48 (https://github.com/sqlmapproject/sqlmap/issues/48), >>>> specifically the possibility of injection into any HTTP header? >>>> >>>> Considering I likely first reported it half a year ago or so and it's >>>> still nowhere near the completion, what would be the optimistic timeframe? >>>> >>>> I do understand that I'm not a paying customer and you, the developers, >>>> do it in your free time, but still, it's actually more useful than >>>> colorizing output. >>>> >>>> Just some pointers as to whether to expect this feature to be >>>> implemented or not would be fine. >>>> >>>> Thanks, >>>> Anton. >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and >>>> much more. Get web development skills now with LearnDevNow - >>>> 350+ hours of step-by-step video tutorials by Microsoft MVPs and >>>> experts. >>>> SALE $99.99 this month only -- learn more at: >>>> http://p.sf.net/sfu/learnmore_122812 >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>> >>>> >> > > > -- > Miroslav Stampar > http://about.me/stamparm |
|
From: Miroslav S. <mir...@gm...> - 2013-01-13 15:38:47
|
Hi Anton. Let me give to you a late Christmas present [1] :) Bye Kind regards, Miroslav Stampar [1] https://github.com/sqlmapproject/sqlmap/issues/48 On Fri, Jan 11, 2013 at 8:22 PM, Anton Sazonov <ant...@gm...>wrote: > Hello Miroslav and tanks for answering, > > Never meant to be the pushy one, just felt that once in a half-year > reminder would stir things up :) > > Thanks for an unfortunately fitting analogy though. > > Anyway, I'm certainly not in position to push/alter your dev schedule, > only really wanted to remind you and fellow developers. Just in case. It's > been a long while, so do kindly understand my meaning. No offence intended > whatsoever. I'm not paying you, nor do you owe me anything. I'm well aware > of that. Again, sorry if I offended you or the devteam in some way. > > Let's write it off to the weekend and a six-pack. > > Cheers, > Anton (the #48 issue guy). > > > On Fri, Jan 11, 2013 at 11:13 PM, Miroslav Stampar < > mir...@gm...> wrote: > >> Hi Anton. >> >> I'll just use an analogy here. Everybody knows how (not paid) women react >> when you are being too pushy :). She'll eventually probably loose interest. >> >> Well, this was just an analogy. We'll do it eventually (maybe these days, >> can't promise). >> >> Bye >> Dana 11.1.2013. 19:41 "Anton Sazonov" <ant...@gm...> je >> napisao/la: >> >>> Hello there and thanks a lot for a great product. >>> >>> I don't mean to be rude and/or insensitive, but is there any hope of >>> fixing issue #48 (https://github.com/sqlmapproject/sqlmap/issues/48), >>> specifically the possibility of injection into any HTTP header? >>> >>> Considering I likely first reported it half a year ago or so and it's >>> still nowhere near the completion, what would be the optimistic timeframe? >>> >>> I do understand that I'm not a paying customer and you, the developers, >>> do it in your free time, but still, it's actually more useful than >>> colorizing output. >>> >>> Just some pointers as to whether to expect this feature to be >>> implemented or not would be fine. >>> >>> Thanks, >>> Anton. >>> >>> >>> ------------------------------------------------------------------------------ >>> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and >>> much more. Get web development skills now with LearnDevNow - >>> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. >>> SALE $99.99 this month only -- learn more at: >>> http://p.sf.net/sfu/learnmore_122812 >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> > -- Miroslav Stampar http://about.me/stamparm |
|
From: Stephen S. <ss...@ss...> - 2013-01-12 03:09:57
|
If you really want it implemented, you could always learn Python and try doing it yourself. Good chance to expand your horizons, and if you're doing any kind of pentesting, knowing how to write scripts in Python probably isn't a bad skill. Thanks, Stephen On Sat, Jan 12, 2013 at 8:22 AM, Anton Sazonov <ant...@gm...>wrote: > Hello Miroslav and tanks for answering, > > Never meant to be the pushy one, just felt that once in a half-year > reminder would stir things up :) > > Thanks for an unfortunately fitting analogy though. > > Anyway, I'm certainly not in position to push/alter your dev schedule, > only really wanted to remind you and fellow developers. Just in case. It's > been a long while, so do kindly understand my meaning. No offence intended > whatsoever. I'm not paying you, nor do you owe me anything. I'm well aware > of that. Again, sorry if I offended you or the devteam in some way. > > Let's write it off to the weekend and a six-pack. > > Cheers, > Anton (the #48 issue guy). > > > On Fri, Jan 11, 2013 at 11:13 PM, Miroslav Stampar < > mir...@gm...> wrote: > >> Hi Anton. >> >> I'll just use an analogy here. Everybody knows how (not paid) women react >> when you are being too pushy :). She'll eventually probably loose interest. >> >> Well, this was just an analogy. We'll do it eventually (maybe these days, >> can't promise). >> >> Bye >> Dana 11.1.2013. 19:41 "Anton Sazonov" <ant...@gm...> je >> napisao/la: >> >>> Hello there and thanks a lot for a great product. >>> >>> I don't mean to be rude and/or insensitive, but is there any hope of >>> fixing issue #48 (https://github.com/sqlmapproject/sqlmap/issues/48), >>> specifically the possibility of injection into any HTTP header? >>> >>> Considering I likely first reported it half a year ago or so and it's >>> still nowhere near the completion, what would be the optimistic timeframe? >>> >>> I do understand that I'm not a paying customer and you, the developers, >>> do it in your free time, but still, it's actually more useful than >>> colorizing output. >>> >>> Just some pointers as to whether to expect this feature to be >>> implemented or not would be fine. >>> >>> Thanks, >>> Anton. >>> >>> >>> ------------------------------------------------------------------------------ >>> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and >>> much more. Get web development skills now with LearnDevNow - >>> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. >>> SALE $99.99 this month only -- learn more at: >>> http://p.sf.net/sfu/learnmore_122812 >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> > > > ------------------------------------------------------------------------------ > Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and > much more. Get web development skills now with LearnDevNow - > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. > SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122812 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
|
From: Anton S. <ant...@gm...> - 2013-01-11 19:23:02
|
Hello Miroslav and tanks for answering, Never meant to be the pushy one, just felt that once in a half-year reminder would stir things up :) Thanks for an unfortunately fitting analogy though. Anyway, I'm certainly not in position to push/alter your dev schedule, only really wanted to remind you and fellow developers. Just in case. It's been a long while, so do kindly understand my meaning. No offence intended whatsoever. I'm not paying you, nor do you owe me anything. I'm well aware of that. Again, sorry if I offended you or the devteam in some way. Let's write it off to the weekend and a six-pack. Cheers, Anton (the #48 issue guy). On Fri, Jan 11, 2013 at 11:13 PM, Miroslav Stampar < mir...@gm...> wrote: > Hi Anton. > > I'll just use an analogy here. Everybody knows how (not paid) women react > when you are being too pushy :). She'll eventually probably loose interest. > > Well, this was just an analogy. We'll do it eventually (maybe these days, > can't promise). > > Bye > Dana 11.1.2013. 19:41 "Anton Sazonov" <ant...@gm...> je > napisao/la: > >> Hello there and thanks a lot for a great product. >> >> I don't mean to be rude and/or insensitive, but is there any hope of >> fixing issue #48 (https://github.com/sqlmapproject/sqlmap/issues/48), >> specifically the possibility of injection into any HTTP header? >> >> Considering I likely first reported it half a year ago or so and it's >> still nowhere near the completion, what would be the optimistic timeframe? >> >> I do understand that I'm not a paying customer and you, the developers, >> do it in your free time, but still, it's actually more useful than >> colorizing output. >> >> Just some pointers as to whether to expect this feature to be implemented >> or not would be fine. >> >> Thanks, >> Anton. >> >> >> ------------------------------------------------------------------------------ >> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and >> much more. Get web development skills now with LearnDevNow - >> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. >> SALE $99.99 this month only -- learn more at: >> http://p.sf.net/sfu/learnmore_122812 >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> |
|
From: Miroslav S. <mir...@gm...> - 2013-01-11 19:13:39
|
Hi Anton. I'll just use an analogy here. Everybody knows how (not paid) women react when you are being too pushy :). She'll eventually probably loose interest. Well, this was just an analogy. We'll do it eventually (maybe these days, can't promise). Bye Dana 11.1.2013. 19:41 "Anton Sazonov" <ant...@gm...> je napisao/la: > Hello there and thanks a lot for a great product. > > I don't mean to be rude and/or insensitive, but is there any hope of > fixing issue #48 (https://github.com/sqlmapproject/sqlmap/issues/48), > specifically the possibility of injection into any HTTP header? > > Considering I likely first reported it half a year ago or so and it's > still nowhere near the completion, what would be the optimistic timeframe? > > I do understand that I'm not a paying customer and you, the developers, do > it in your free time, but still, it's actually more useful than colorizing > output. > > Just some pointers as to whether to expect this feature to be implemented > or not would be fine. > > Thanks, > Anton. > > > ------------------------------------------------------------------------------ > Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and > much more. Get web development skills now with LearnDevNow - > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. > SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122812 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
|
From: Anton S. <ant...@gm...> - 2013-01-11 18:40:46
|
Hello there and thanks a lot for a great product. I don't mean to be rude and/or insensitive, but is there any hope of fixing issue #48 (https://github.com/sqlmapproject/sqlmap/issues/48), specifically the possibility of injection into any HTTP header? Considering I likely first reported it half a year ago or so and it's still nowhere near the completion, what would be the optimistic timeframe? I do understand that I'm not a paying customer and you, the developers, do it in your free time, but still, it's actually more useful than colorizing output. Just some pointers as to whether to expect this feature to be implemented or not would be fine. Thanks, Anton. |
|
From: Bernardo D. A. G. <ber...@gm...> - 2013-01-10 00:29:39
|
Add to your command line --level 3. Refer to user's manual for further details on --level and --risk. Bernardo On 10 January 2013 00:27, Mr X0rcist <mr....@gm...> wrote: > Hi, > > I am trying to test SQLi in one of the cookie. I know it is in there. > > I have tried to run it like -u "https://url.com/?p1"&p2&p3 --cookie="c1;=v2 > c2=v2" -p c2 > > but it is giving me error something like no parameter in get string. > > I also tried to pass on whole get request loaded from file like > > -r file -p=c2 but still same kind of error. > > I dont want to waste time will sqlmap is testing against 8-10 GET > parameters, required by application to avoid error or redirection while SQLi > is in the cookie > > > Any advise will be appreciated. > > Thanks > > ------------------------------------------------------------------------------ > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft > MVPs and experts. ON SALE this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122712 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Mr X. <mr....@gm...> - 2013-01-10 00:27:53
|
Hi, I am trying to test SQLi in one of the cookie. I know it is in there. I have tried to run it like -u "https://url.com/?p1"&p2&p3 --cookie="c1;=v2 c2=v2" -p c2 but it is giving me error something like no parameter in get string. I also tried to pass on whole get request loaded from file like -r file -p=c2 but still same kind of error. I dont want to waste time will sqlmap is testing against 8-10 GET parameters, required by application to avoid error or redirection while SQLi is in the cookie Any advise will be appreciated. Thanks |
|
From: Bernardo D. A. G. <ber...@gm...> - 2013-01-07 17:42:16
|
Fixed now. Bernardo & Miroslav On 7 January 2013 17:20, Bernardo Damele A. G. <ber...@gm...> wrote: > Hi Yuri, > > I noticed this too[1] few minutes ago. > We're working on a fix as I type. > > [1] https://github.com/sqlmapproject/sqlmap/issues/305#issuecomment-11960592 > > Bernardo > > > On 7 January 2013 16:50, Jerzy Yuri Kramarz <JY...@65...> wrote: >> Hi Guys, >> >> Great tool but for the first time ever I've managed to see the following >> error when testing oracle DB: >> >> sqlmap version: 1.0-dev-74552be >> Python version: 2.6.6 >> Operating system: posix >> Command line: ./sqlmap.py >> ***************************************************************** >> --cookie=********************************************************************* >> --dbms=oracle --level=5 --risk=5 --force-ssl --thread=1 --technique=T -p >> param --sql-query=SELECT UTL_INADDR.get_host_name FROM dual; >> Technique: TIME >> Back-end DBMS: Oracle (fingerprinted) >> Traceback (most recent call last): >> File "/opt/sqlmap-dev/_sqlmap.py", line 73, in main >> start() >> File "/opt/sqlmap-dev/lib/controller/controller.py", line 567, in start >> action() >> File "/opt/sqlmap-dev/lib/controller/action.py", line 135, in action >> conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query)) >> File "/opt/sqlmap-dev/plugins/generic/custom.py", line 46, in sqlQuery >> output = inject.getValue(query, fromUser=True) >> File "/opt/sqlmap-dev/lib/request/inject.py", line 390, in getValue >> value = _goInferenceProxy(query, fromUser, batch, unpack, >> charsetType, firstChar, lastChar, dump) >> File "/opt/sqlmap-dev/lib/request/inject.py", line 269, in >> _goInferenceProxy >> outputs = _goInferenceFields(expression, expressionFields, >> expressionFieldsList, payload, charsetType=charsetType, >> firstChar=firstChar, lastChar=lastChar, dump=dump) >> File "/opt/sqlmap-dev/lib/request/inject.py", line 117, in >> _goInferenceFields >> output = _goInference(payload, expressionReplaced, charsetType, >> firstChar, lastChar, dump, field) >> File "/opt/sqlmap-dev/lib/request/inject.py", line 89, in _goInference >> count, value = bisection(payload, expression, length, charsetType, >> firstChar, lastChar, dump) >> File "/opt/sqlmap-dev/lib/techniques/blind/inference.py", line 120, in >> bisection >> length = min(length, lastChar or length) - firstChar >> TypeError: unsupported operand type(s) for -: 'NoneType' and 'int' >> >> >> ------------------------------------------------------------------------------ >> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, >> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current >> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft >> MVPs and experts. SALE $99.99 this month only -- learn more at: >> http://p.sf.net/sfu/learnmore_122412 >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > -- > Bernardo Damele A. G. > > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobile: +447788962949 (UK 07788962949) -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Bernardo D. A. G. <ber...@gm...> - 2013-01-07 17:20:10
|
Hi Yuri, I noticed this too[1] few minutes ago. We're working on a fix as I type. [1] https://github.com/sqlmapproject/sqlmap/issues/305#issuecomment-11960592 Bernardo On 7 January 2013 16:50, Jerzy Yuri Kramarz <JY...@65...> wrote: > Hi Guys, > > Great tool but for the first time ever I've managed to see the following > error when testing oracle DB: > > sqlmap version: 1.0-dev-74552be > Python version: 2.6.6 > Operating system: posix > Command line: ./sqlmap.py > ***************************************************************** > --cookie=********************************************************************* > --dbms=oracle --level=5 --risk=5 --force-ssl --thread=1 --technique=T -p > param --sql-query=SELECT UTL_INADDR.get_host_name FROM dual; > Technique: TIME > Back-end DBMS: Oracle (fingerprinted) > Traceback (most recent call last): > File "/opt/sqlmap-dev/_sqlmap.py", line 73, in main > start() > File "/opt/sqlmap-dev/lib/controller/controller.py", line 567, in start > action() > File "/opt/sqlmap-dev/lib/controller/action.py", line 135, in action > conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query)) > File "/opt/sqlmap-dev/plugins/generic/custom.py", line 46, in sqlQuery > output = inject.getValue(query, fromUser=True) > File "/opt/sqlmap-dev/lib/request/inject.py", line 390, in getValue > value = _goInferenceProxy(query, fromUser, batch, unpack, > charsetType, firstChar, lastChar, dump) > File "/opt/sqlmap-dev/lib/request/inject.py", line 269, in > _goInferenceProxy > outputs = _goInferenceFields(expression, expressionFields, > expressionFieldsList, payload, charsetType=charsetType, > firstChar=firstChar, lastChar=lastChar, dump=dump) > File "/opt/sqlmap-dev/lib/request/inject.py", line 117, in > _goInferenceFields > output = _goInference(payload, expressionReplaced, charsetType, > firstChar, lastChar, dump, field) > File "/opt/sqlmap-dev/lib/request/inject.py", line 89, in _goInference > count, value = bisection(payload, expression, length, charsetType, > firstChar, lastChar, dump) > File "/opt/sqlmap-dev/lib/techniques/blind/inference.py", line 120, in > bisection > length = min(length, lastChar or length) - firstChar > TypeError: unsupported operand type(s) for -: 'NoneType' and 'int' > > > ------------------------------------------------------------------------------ > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft > MVPs and experts. SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122412 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Jerzy Y. K. <JY...@65...> - 2013-01-07 17:17:31
|
Hi Guys,
Great tool but for the first time ever I've managed to see the following
error when testing oracle DB:
sqlmap version: 1.0-dev-74552be
Python version: 2.6.6
Operating system: posix
Command line: ./sqlmap.py
*****************************************************************
--cookie=*********************************************************************
--dbms=oracle --level=5 --risk=5 --force-ssl --thread=1 --technique=T -p
param --sql-query=SELECT UTL_INADDR.get_host_name FROM dual;
Technique: TIME
Back-end DBMS: Oracle (fingerprinted)
Traceback (most recent call last):
File "/opt/sqlmap-dev/_sqlmap.py", line 73, in main
start()
File "/opt/sqlmap-dev/lib/controller/controller.py", line 567, in start
action()
File "/opt/sqlmap-dev/lib/controller/action.py", line 135, in action
conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))
File "/opt/sqlmap-dev/plugins/generic/custom.py", line 46, in sqlQuery
output = inject.getValue(query, fromUser=True)
File "/opt/sqlmap-dev/lib/request/inject.py", line 390, in getValue
value = _goInferenceProxy(query, fromUser, batch, unpack,
charsetType, firstChar, lastChar, dump)
File "/opt/sqlmap-dev/lib/request/inject.py", line 269, in
_goInferenceProxy
outputs = _goInferenceFields(expression, expressionFields,
expressionFieldsList, payload, charsetType=charsetType,
firstChar=firstChar, lastChar=lastChar, dump=dump)
File "/opt/sqlmap-dev/lib/request/inject.py", line 117, in
_goInferenceFields
output = _goInference(payload, expressionReplaced, charsetType,
firstChar, lastChar, dump, field)
File "/opt/sqlmap-dev/lib/request/inject.py", line 89, in _goInference
count, value = bisection(payload, expression, length, charsetType,
firstChar, lastChar, dump)
File "/opt/sqlmap-dev/lib/techniques/blind/inference.py", line 120, in
bisection
length = min(length, lastChar or length) - firstChar
TypeError: unsupported operand type(s) for -: 'NoneType' and 'int'
|
48 messages has been excluded from this view by a project administrator.
