sqlmap-users Mailing List for sqlmap (Page 56)
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users — sqlmap users mailing list
You can subscribe to this list here.
| 2008 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(4) |
Oct
(11) |
Nov
(24) |
Dec
(13) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009 |
Jan
(23) |
Feb
(17) |
Mar
(13) |
Apr
(48) |
May
(22) |
Jun
(18) |
Jul
(22) |
Aug
(13) |
Sep
(23) |
Oct
(6) |
Nov
(11) |
Dec
(25) |
| 2010 |
Jan
(21) |
Feb
(33) |
Mar
(61) |
Apr
(47) |
May
(48) |
Jun
(30) |
Jul
(24) |
Aug
(37) |
Sep
(52) |
Oct
(59) |
Nov
(32) |
Dec
(57) |
| 2011 |
Jan
(166) |
Feb
(93) |
Mar
(65) |
Apr
(117) |
May
(87) |
Jun
(124) |
Jul
(102) |
Aug
(78) |
Sep
(65) |
Oct
(22) |
Nov
(71) |
Dec
(79) |
| 2012 |
Jan
(93) |
Feb
(55) |
Mar
(45) |
Apr
(49) |
May
(56) |
Jun
(93) |
Jul
(95) |
Aug
(42) |
Sep
(26) |
Oct
(36) |
Nov
(32) |
Dec
(46) |
| 2013 |
Jan
(36) |
Feb
(78) |
Mar
(38) |
Apr
(57) |
May
(35) |
Jun
(39) |
Jul
(23) |
Aug
(33) |
Sep
(28) |
Oct
(38) |
Nov
(22) |
Dec
(16) |
| 2014 |
Jan
(33) |
Feb
(23) |
Mar
(41) |
Apr
(29) |
May
(12) |
Jun
(20) |
Jul
(21) |
Aug
(23) |
Sep
(18) |
Oct
(34) |
Nov
(12) |
Dec
(39) |
| 2015 |
Jan
(2) |
Feb
(51) |
Mar
(10) |
Apr
(28) |
May
(9) |
Jun
(22) |
Jul
(32) |
Aug
(35) |
Sep
(29) |
Oct
(50) |
Nov
(8) |
Dec
(2) |
| 2016 |
Jan
(8) |
Feb
(2) |
Mar
(3) |
Apr
(14) |
May
|
Jun
|
Jul
|
Aug
(12) |
Sep
|
Oct
|
Nov
(1) |
Dec
(19) |
| 2017 |
Jan
|
Feb
(18) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
(2) |
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
(1) |
Apr
(1) |
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
(3) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: diego s. <die...@ho...> - 2012-06-30 06:20:56
|
03:08:54] [INFO] testing if current user is DBA
[03:08:54] [INFO] resumed: 0
[03:08:54] [WARNING] the functionality requested might not work because the session user is not a database administrator
[03:08:54] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[03:08:54] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[03:10:34] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4766), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sql...@li... the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev (r4766)
Python version: 2.6.5
Operating system: posix
Command line: ./sqlmap.py -u **************************************************************** --os-pwn --msf-path /software/metasploit
Technique: STACKED
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
File "/pentest/database/sqlmap/_sqlmap.py", line 83, in main
start()
File "/pentest/database/sqlmap/lib/controller/controller.py", line 565, in start
action()
File "/pentest/database/sqlmap/lib/controller/action.py", line 142, in action
conf.dbmsHandler.osPwn()
File "/pentest/database/sqlmap/plugins/generic/takeover.py", line 161, in osPwn
self.initEnv(web=web)
File "/pentest/database/sqlmap/lib/takeover/abstraction.py", line 164, in initEnv
self.xpCmdshellInit()
File "/pentest/database/sqlmap/lib/takeover/xp_cmdshell.py", line 168, in xpCmdshellInit
self.__xpCmdshellConfigure(1)
File "/pentest/database/sqlmap/lib/takeover/xp_cmdshell.py", line 86, in __xpCmdshellConfigure
cmd = self.__xpCmdshellConfigure2005(mode)
File "/pentest/database/sqlmap/lib/takeover/xp_cmdshell.py", line 67, in __xpCmdshellConfigure2005
cmd = getSPLSnippet(DBMS.MSSQL, "configure_xp_cmdshell", ENABLE=str(mode))
File "/pentest/database/sqlmap/lib/core/common.py", line 1640, in getSPLSnippet
retVal = re.sub(r"%%%s%%" % _, variables[_], retVal, flags=re.I)
TypeError: sub() got an unexpected keyword argument 'flags'
[*] shutting down at 03:10:34
|
|
From: Miroslav S. <mir...@gm...> - 2012-06-28 11:58:04
|
Hi Ahmed. Thank you for your report and find it fixed with the latest commit. Kind regards, Miroslav Stampar On Thu, Jun 28, 2012 at 12:49 PM, Ahmed Shawky <ah...@is...> wrote: > Looks like sqlmap has an issue while using --random-agent with -g argument > as it always returns "unable to find results for your Google dork > expression" though it works fine without suppling --random-agent. > > root@ubuntu-bot:/pentest/sqlmap# git rev-parse --verify HEAD > f495cfa139902b06f46993a999a3df27d8bf0dea > > Thanks in advance. > > -- > > - Ahmed Shawky El-Antry > - lnxg33k owner "http://lnxg33k.wordpress.com" > - Isecur1ty team member"http://www.isecur1ty.org" > - Twitter @lnxg33k > > > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Ahmed S. <ah...@is...> - 2012-06-28 11:19:44
|
Looks like sqlmap has an issue while using --random-agent with -g argument as it always returns "unable to find results for your Google dork expression" though it works fine without suppling --random-agent. root@ubuntu-bot:/pentest/sqlmap# git rev-parse --verify HEAD f495cfa139902b06f46993a999a3df27d8bf0dea Thanks in advance. -- - Ahmed Shawky El-Antry - lnxg33k owner "http://lnxg33k.wordpress.com" - Isecur1ty team member"http://www.isecur1ty.org" - Twitter @lnxg33k |
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-06-27 18:14:04
|
Hi, The command to keep your git working copy is indeed 'git pull'. For Windows users I recommend the fancy GUI from GitHub, http://windows.github.com/. For Linux users git-core is the package you need. I found the Git cheatsheet written by Metasploit developers useful too, https://github.com/rapid7/metasploit-framework/wiki/Git-cheatsheet. The git-svn crash course might be of use for subversion users, http://git.or.cz/course/svn.html. Some details on how to manage pull requests (ndr: submit code patches) are also put together by Metasploit devs, https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment#wiki-pull. Bernardo On 27 June 2012 18:20, Hans Wurst <wur...@go...> wrote: > If you are on Windows and you used tortoiseSVN before then you might > like tortoiseGIT too. Very easy to use ;) > > http://code.google.com/p/tortoisegit/ > > Am 27.06.2012 um 19:12 schrieb "and...@gm..." <and...@gm...>: > >> Hi iago, >> >> Git pull is the svn up equivalent. >> >> Cheers, >> Andre >> -----Original Message----- >> From: Iago Sousa <146...@gm...> >> Date: Wed, 27 Jun 2012 14:02:41 >> To: Bernardo Damele A. G.<ber...@gm...> >> Cc: sqlmap users<sql...@li...> >> Subject: Re: [sqlmap-users] More updates on the project management >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Hans W. <wur...@go...> - 2012-06-27 17:20:34
|
If you are on Windows and you used tortoiseSVN before then you might like tortoiseGIT too. Very easy to use ;) http://code.google.com/p/tortoisegit/ Am 27.06.2012 um 19:12 schrieb "and...@gm..." <and...@gm...>: > Hi iago, > > Git pull is the svn up equivalent. > > Cheers, > Andre > -----Original Message----- > From: Iago Sousa <146...@gm...> > Date: Wed, 27 Jun 2012 14:02:41 > To: Bernardo Damele A. G.<ber...@gm...> > Cc: sqlmap users<sql...@li...> > Subject: Re: [sqlmap-users] More updates on the project management > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
|
From: <and...@gm...> - 2012-06-27 17:12:03
|
Hi iago, Git pull is the svn up equivalent. Cheers, Andre -----Original Message----- From: Iago Sousa <146...@gm...> Date: Wed, 27 Jun 2012 14:02:41 To: Bernardo Damele A. G.<ber...@gm...> Cc: sqlmap users<sql...@li...> Subject: Re: [sqlmap-users] More updates on the project management ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ |
|
From: Iago S. <146...@gm...> - 2012-06-27 17:02:52
|
How I can update git repository like svn with 'svn update'? On Wed, Jun 27, 2012 at 9:30 AM, Bernardo Damele A. G. < ber...@gm...> wrote: > Hi, > > Not only we have moved the development from Subversion to GitHub and > released publicly the Issues list on yesterday[1], we have also moved > the website from SourceForge[2] to GitHub[3] Pages with a new look - > it is always available at http://sqlmap.org. > > This mailing list is the *only* service kept on SourceForge, > https://lists.sourceforge.net/lists/listinfo/sqlmap-users. Archives > are as usual on Gmane, > http://news.gmane.org/gmane.comp.security.sqlmap. > > The files hosted on SourceForge, including sqlmap 0.9 are kept for > historical reasons and should no longer be used. You can download > sqlmap tarball from GitHub now[4] or, preferably, clone the Git > repository: > $ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev > > [1] http://article.gmane.org/gmane.comp.security.sqlmap/2247 > [2] http://sqlmap.sourceforge.net > [3] https://github.com/sqlmapproject/sqlmap/tree/gh-pages > [4] https://github.com/sqlmapproject/sqlmap/tarball/master > > -- > Bernardo Damele A. G. > > Homepage: http://about.me/inquis > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobile: +447788962949 (UK 07788962949) > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Regards, Iago Sousa |
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-06-27 12:31:02
|
Hi, Not only we have moved the development from Subversion to GitHub and released publicly the Issues list on yesterday[1], we have also moved the website from SourceForge[2] to GitHub[3] Pages with a new look - it is always available at http://sqlmap.org. This mailing list is the *only* service kept on SourceForge, https://lists.sourceforge.net/lists/listinfo/sqlmap-users. Archives are as usual on Gmane, http://news.gmane.org/gmane.comp.security.sqlmap. The files hosted on SourceForge, including sqlmap 0.9 are kept for historical reasons and should no longer be used. You can download sqlmap tarball from GitHub now[4] or, preferably, clone the Git repository: $ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev [1] http://article.gmane.org/gmane.comp.security.sqlmap/2247 [2] http://sqlmap.sourceforge.net [3] https://github.com/sqlmapproject/sqlmap/tree/gh-pages [4] https://github.com/sqlmapproject/sqlmap/tarball/master -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-06-26 16:05:15
|
Hi, Following the steps of other open source security tools like Metasploit Framework[1] and BeEF[2] and the persistent requests by some users, we have recently decided to move from our own managed Subversion (SVN) repository[3] to Git[4] and the obvious choice is GitHub[5]. All development on sqlmap is now managed though Git and the official repository is available to anyone at https://github.com/sqlmapproject/sqlmap. The Subversion repository[3] has been ported to GitHub flawlessly hence we retain the commits history. The main advantage of Git over SVN, in part also due to the success of GitHub users' friendly interface and social feel, is that anyone can fork[6] the official repository, modify the code, and send a pull request[7]: hopefully, in time, this will encourage you to contribute towards the development of sqlmap. In order to keep your copy of sqlmap always updated, we recommend you to clone locally the Git repository as follows: $ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev Soon, we will adapt the sqlmap's switch --update to pull changes from the Git repository so you will be able to update to the latest development version any time by running either of the following two commands (in the meantime use the latter only): $ cd sqlmap-dev ; python sqlmap.py --update $ cd sqlmap-dev ; git pull The Subversion repository[3] will be dismissed on June 30. If you have an account on GitHub you can start watching the development clicking on https://github.com/sqlmapproject/sqlmap/toggle_watch too. As a bonus, we have also decided to open publicly our issues list - you can find it on https://github.com/sqlmapproject/sqlmap/issues: do not hesitate to report bugs and request features from the web interface as well. Please, help to spread the news! [1] https://community.rapid7.com/community/metasploit/blog/2011/11/10/git-while-the-gitting-is-good [2] https://github.com/beefproject/beef [3] https://svn.sqlmap.org/sqlmap/trunk/sqlmap [4] http://git-scm.com/ [5] https://github.com [6] https://github.com/sqlmapproject/sqlmap/fork_select [7] http://help.github.com/send-pull-requests/ -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-06-26 15:37:11
|
The hardware failure has been resolved now, the SVN is back up and running, however we won't be using it for long.. expect an update very soon (ndr: minutes). Bernardo On 26 June 2012 10:09, Bernardo Damele A. G. <ber...@gm...> wrote: > Hi, > > The server hosting svn.sqlmap.org had an hardware failure last night > as a result I am taking a last snapshot of the disk and updated backup > copies of the Subversion repository. > Unfortunately, the web server process does not restart as the file > system has remounted in read-only mode. > > I will keep you posted and apologies for the downtime. > > -- > Bernardo Damele A. G. > > Homepage: http://about.me/inquis > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobile: +447788962949 (UK 07788962949) -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Robin W. <ro...@di...> - 2012-06-26 09:54:25
|
On 26 June 2012 10:48, Bernardo Damele A. G. <ber...@gm...> wrote: > In the meantime, we have --predict-output switch. You can tweak > upfront the txt/common-outputs.txt for speed improvements. > Refer to the user's manual for details. Unfortunately that doesn't help when it is in the middle of a run and you spot "site_userna" in the output. It takes to long to kill the script and add "site_username" to the list then restart it. That feature is useful however when you do know the format of the data you are expecting so can put some good guesses into it. Robin > Bernardo > > > On 26 June 2012 09:36, Robin Wood <ro...@di...> wrote: >> On 26 June 2012 08:10, Miroslav Stampar <mir...@gm...> wrote: >>> Hi Robin. >>> >>> You are an xyz-th user with this same request ;) >> >> Thought I might be. >> >>> Problem is that Python doesn't have a getch() mechanism (there are some >>> dirty hacks, but are really dirty, OS dependent and unstable) making it >>> clumsy for this feature. You would have to enter something and press Enter >>> for it to register input with current raw_input(). But, the problem is also >>> that with current mechanism thread waiting for input would be 'unkillable' >>> by the program as python also doesn't have mechanism for that too :) >> >> And figured that was probably the case. I've tried to do similar >> things with multi-threaded apps and always had problems. >> >>> Anyway, I can only promise that we'll spend some time on this one in next >>> week and see if something is doable (at least the dirty way). >> >> It would be good but not worth compromising good clean code to get it in. >> >> Robin >> >>> Kind regards, >>> Miroslav Stampar >>> >>> On Jun 25, 2012 7:32 PM, "Robin Wood" <ro...@di...> wrote: >>>> >>>> I was retrieving table names at the time but I guess it would help in >>>> other situations as well. >>>> >>>> Robin >>>> >>>> On Jun 25, 2012 6:07 PM, "Miroslav Stampar" <mir...@gm...> >>>> wrote: >>>>> >>>>> You forgot to mention which technique? >>>>> >>>>> Kind regards, >>>>> Miroslav Stampar >>>>> >>>>> On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: >>>>>> >>>>>> I've just been testing a site which has to have the --no-cast option >>>>>> to retrieve data, it works great but it is very slow. Because of this >>>>>> I'd quite often guessed the data it was pulling down way before the >>>>>> command had finished, especially with table names. >>>>>> >>>>>> It would be really good if you could in some way pause the script and >>>>>> suggest what you think the value would be then have it test that, if >>>>>> you are right it moves on, if not it continues from where it left off. >>>>>> >>>>>> I guess this would be quite hard to implement as it would have to work >>>>>> across multiple threads but would be a really cool feature if it could >>>>>> be added. >>>>>> >>>>>> Robin >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> Live Security Virtual Conference >>>>>> Exclusive live event will cover all the ways today's security and >>>>>> threat landscape has changed and how IT managers can respond. >>>>>> Discussions >>>>>> will include endpoint security, mobile security and the latest in >>>>>> malware >>>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>>>>> _______________________________________________ >>>>>> sqlmap-users mailing list >>>>>> sql...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Miroslav Stampar >>>>> http://about.me/stamparm >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > -- > Bernardo Damele A. G. > > Homepage: http://about.me/inquis > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobile: +447788962949 (UK 07788962949) > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-06-26 09:48:18
|
In the meantime, we have --predict-output switch. You can tweak upfront the txt/common-outputs.txt for speed improvements. Refer to the user's manual for details. Bernardo On 26 June 2012 09:36, Robin Wood <ro...@di...> wrote: > On 26 June 2012 08:10, Miroslav Stampar <mir...@gm...> wrote: >> Hi Robin. >> >> You are an xyz-th user with this same request ;) > > Thought I might be. > >> Problem is that Python doesn't have a getch() mechanism (there are some >> dirty hacks, but are really dirty, OS dependent and unstable) making it >> clumsy for this feature. You would have to enter something and press Enter >> for it to register input with current raw_input(). But, the problem is also >> that with current mechanism thread waiting for input would be 'unkillable' >> by the program as python also doesn't have mechanism for that too :) > > And figured that was probably the case. I've tried to do similar > things with multi-threaded apps and always had problems. > >> Anyway, I can only promise that we'll spend some time on this one in next >> week and see if something is doable (at least the dirty way). > > It would be good but not worth compromising good clean code to get it in. > > Robin > >> Kind regards, >> Miroslav Stampar >> >> On Jun 25, 2012 7:32 PM, "Robin Wood" <ro...@di...> wrote: >>> >>> I was retrieving table names at the time but I guess it would help in >>> other situations as well. >>> >>> Robin >>> >>> On Jun 25, 2012 6:07 PM, "Miroslav Stampar" <mir...@gm...> >>> wrote: >>>> >>>> You forgot to mention which technique? >>>> >>>> Kind regards, >>>> Miroslav Stampar >>>> >>>> On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: >>>>> >>>>> I've just been testing a site which has to have the --no-cast option >>>>> to retrieve data, it works great but it is very slow. Because of this >>>>> I'd quite often guessed the data it was pulling down way before the >>>>> command had finished, especially with table names. >>>>> >>>>> It would be really good if you could in some way pause the script and >>>>> suggest what you think the value would be then have it test that, if >>>>> you are right it moves on, if not it continues from where it left off. >>>>> >>>>> I guess this would be quite hard to implement as it would have to work >>>>> across multiple threads but would be a really cool feature if it could >>>>> be added. >>>>> >>>>> Robin >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> Live Security Virtual Conference >>>>> Exclusive live event will cover all the ways today's security and >>>>> threat landscape has changed and how IT managers can respond. >>>>> Discussions >>>>> will include endpoint security, mobile security and the latest in >>>>> malware >>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>>>> _______________________________________________ >>>>> sqlmap-users mailing list >>>>> sql...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>> >>>> >>>> >>>> >>>> -- >>>> Miroslav Stampar >>>> http://about.me/stamparm > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-06-26 09:10:11
|
Hi, The server hosting svn.sqlmap.org had an hardware failure last night as a result I am taking a last snapshot of the disk and updated backup copies of the Subversion repository. Unfortunately, the web server process does not restart as the file system has remounted in read-only mode. I will keep you posted and apologies for the downtime. -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
|
From: Robin W. <ro...@di...> - 2012-06-26 08:36:43
|
On 26 June 2012 08:10, Miroslav Stampar <mir...@gm...> wrote: > Hi Robin. > > You are an xyz-th user with this same request ;) Thought I might be. > Problem is that Python doesn't have a getch() mechanism (there are some > dirty hacks, but are really dirty, OS dependent and unstable) making it > clumsy for this feature. You would have to enter something and press Enter > for it to register input with current raw_input(). But, the problem is also > that with current mechanism thread waiting for input would be 'unkillable' > by the program as python also doesn't have mechanism for that too :) And figured that was probably the case. I've tried to do similar things with multi-threaded apps and always had problems. > Anyway, I can only promise that we'll spend some time on this one in next > week and see if something is doable (at least the dirty way). It would be good but not worth compromising good clean code to get it in. Robin > Kind regards, > Miroslav Stampar > > On Jun 25, 2012 7:32 PM, "Robin Wood" <ro...@di...> wrote: >> >> I was retrieving table names at the time but I guess it would help in >> other situations as well. >> >> Robin >> >> On Jun 25, 2012 6:07 PM, "Miroslav Stampar" <mir...@gm...> >> wrote: >>> >>> You forgot to mention which technique? >>> >>> Kind regards, >>> Miroslav Stampar >>> >>> On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: >>>> >>>> I've just been testing a site which has to have the --no-cast option >>>> to retrieve data, it works great but it is very slow. Because of this >>>> I'd quite often guessed the data it was pulling down way before the >>>> command had finished, especially with table names. >>>> >>>> It would be really good if you could in some way pause the script and >>>> suggest what you think the value would be then have it test that, if >>>> you are right it moves on, if not it continues from where it left off. >>>> >>>> I guess this would be quite hard to implement as it would have to work >>>> across multiple threads but would be a really cool feature if it could >>>> be added. >>>> >>>> Robin >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Live Security Virtual Conference >>>> Exclusive live event will cover all the ways today's security and >>>> threat landscape has changed and how IT managers can respond. >>>> Discussions >>>> will include endpoint security, mobile security and the latest in >>>> malware >>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm |
|
From: Miroslav S. <mir...@gm...> - 2012-06-26 07:10:20
|
Hi Robin. You are an xyz-th user with this same request ;) Problem is that Python doesn't have a getch() mechanism (there are some dirty hacks, but are really dirty, OS dependent and unstable) making it clumsy for this feature. You would have to enter something and press Enter for it to register input with current raw_input(). But, the problem is also that with current mechanism thread waiting for input would be 'unkillable' by the program as python also doesn't have mechanism for that too :) Anyway, I can only promise that we'll spend some time on this one in next week and see if something is doable (at least the dirty way). Kind regards, Miroslav Stampar On Jun 25, 2012 7:32 PM, "Robin Wood" <ro...@di...> wrote: > I was retrieving table names at the time but I guess it would help in > other situations as well. > > Robin > On Jun 25, 2012 6:07 PM, "Miroslav Stampar" <mir...@gm...> > wrote: > >> You forgot to mention which technique? >> >> Kind regards, >> Miroslav Stampar >> >> On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: >> >>> I've just been testing a site which has to have the --no-cast option >>> to retrieve data, it works great but it is very slow. Because of this >>> I'd quite often guessed the data it was pulling down way before the >>> command had finished, especially with table names. >>> >>> It would be really good if you could in some way pause the script and >>> suggest what you think the value would be then have it test that, if >>> you are right it moves on, if not it continues from where it left off. >>> >>> I guess this would be quite hard to implement as it would have to work >>> across multiple threads but would be a really cool feature if it could >>> be added. >>> >>> Robin >>> >>> >>> ------------------------------------------------------------------------------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. Discussions >>> will include endpoint security, mobile security and the latest in malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > |
|
From: B. <sto...@qq...> - 2012-06-26 02:53:39
|
I update to sqlmap/1.0-dev (r5135) now .but problems all the same . i use --technique=B --technique=T too . ------------------ 原始邮件 ------------------ 发件人: "Iago Sousa"<146...@gm...>; 发送时间: 2012年6月25日(星期一) 晚上7:15 收件人: "Bob"<sto...@qq...>; 主题: Re: 回复: 回复: [sqlmap-users] sqlmap always tell Connection timed out to thetarget url You can write here the cmdline? On Mon, Jun 25, 2012 at 3:06 AM, Bob <sto...@qq...> wrote: i update the sqlmap .but can't workable also . ------------------ 原始邮件 ------------------ 发件人: "Iago Sousa"<146...@gm...>; 发送时间: 2012年6月25日(星期一) 上午10:51 收件人: "Bob"<sto...@qq...>; 主题: Re: 回复: [sqlmap-users] sqlmap always tell Connection timed out to thetarget url And download the latest update because your sqlmap is out-to-date (the last commit show vector too) On Jun 24, 2012 11:49 PM, "Iago Sousa" <146...@gm...> wrote: Yes, did you tried change the technique? your output showd that is possible use boolean-based and time-based. > > On Jun 24, 2012 9:57 AM, "Bob" <sto...@qq...> wrote: > > > but i can visit site with http ... > > > ------------------ 原始邮件 ------------------ > 发件人: "Iago Sousa"<146...@gm...>; > 发送时间: 2... > > > > I think that the site is blocking your ip address. > > > On Jun 23, 2012 11:09 PM, "Bob" <stock.lots... -- Regards, Iago Sousa |
|
From: Brandon P. <bpe...@gm...> - 2012-06-26 02:32:41
|
I technique is the mechanism by which the SQL injection works, be it UNION, Blind, Stacked, or what have you. The technique alters how you may do what you are asking for. On Mon, Jun 25, 2012 at 12:32 PM, Robin Wood <ro...@di...> wrote: > I was retrieving table names at the time but I guess it would help in other > situations as well. > > Robin > > On Jun 25, 2012 6:07 PM, "Miroslav Stampar" <mir...@gm...> > wrote: >> >> You forgot to mention which technique? >> >> Kind regards, >> Miroslav Stampar >> >> On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: >>> >>> I've just been testing a site which has to have the --no-cast option >>> to retrieve data, it works great but it is very slow. Because of this >>> I'd quite often guessed the data it was pulling down way before the >>> command had finished, especially with table names. >>> >>> It would be really good if you could in some way pause the script and >>> suggest what you think the value would be then have it test that, if >>> you are right it moves on, if not it continues from where it left off. >>> >>> I guess this would be quite hard to implement as it would have to work >>> across multiple threads but would be a really cool feature if it could >>> be added. >>> >>> Robin >>> >>> >>> ------------------------------------------------------------------------------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. Discussions >>> will include endpoint security, mobile security and the latest in malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website |
|
From: Robin W. <ro...@di...> - 2012-06-25 17:32:43
|
I was retrieving table names at the time but I guess it would help in other situations as well. Robin On Jun 25, 2012 6:07 PM, "Miroslav Stampar" <mir...@gm...> wrote: > You forgot to mention which technique? > > Kind regards, > Miroslav Stampar > > On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: > >> I've just been testing a site which has to have the --no-cast option >> to retrieve data, it works great but it is very slow. Because of this >> I'd quite often guessed the data it was pulling down way before the >> command had finished, especially with table names. >> >> It would be really good if you could in some way pause the script and >> suggest what you think the value would be then have it test that, if >> you are right it moves on, if not it continues from where it left off. >> >> I guess this would be quite hard to implement as it would have to work >> across multiple threads but would be a really cool feature if it could >> be added. >> >> Robin >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Miroslav Stampar > http://about.me/stamparm > |
|
From: Miroslav S. <mir...@gm...> - 2012-06-25 17:07:33
|
You forgot to mention which technique? Kind regards, Miroslav Stampar On Mon, Jun 25, 2012 at 6:03 PM, Robin Wood <ro...@di...> wrote: > I've just been testing a site which has to have the --no-cast option > to retrieve data, it works great but it is very slow. Because of this > I'd quite often guessed the data it was pulling down way before the > command had finished, especially with table names. > > It would be really good if you could in some way pause the script and > suggest what you think the value would be then have it test that, if > you are right it moves on, if not it continues from where it left off. > > I guess this would be quite hard to implement as it would have to work > across multiple threads but would be a really cool feature if it could > be added. > > Robin > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm |
|
From: Robin W. <ro...@di...> - 2012-06-25 17:00:52
|
I've just been testing a site which has to have the --no-cast option to retrieve data, it works great but it is very slow. Because of this I'd quite often guessed the data it was pulling down way before the command had finished, especially with table names. It would be really good if you could in some way pause the script and suggest what you think the value would be then have it test that, if you are right it moves on, if not it continues from where it left off. I guess this would be quite hard to implement as it would have to work across multiple threads but would be a really cool feature if it could be added. Robin |
|
From: James <ja...@ev...> - 2012-06-25 16:51:32
|
You shouldn't be attacking sites that aren't yours anyway. This is a federal crime and you've basically just admitted guilt on a public mailing list. Good job. On 06/25/2012 11:40 AM, Miroslav Stampar wrote: > Hi Bob. > > James and Iago are right. Please don't use mailing list to post real > target URLs. > > Kind regards, > Miroslav Stampar > > On Mon, Jun 25, 2012 at 2:19 PM, Iago Sousa <146...@gm... > <mailto:146...@gm...>> wrote: > > Yes, > In some places is illegal the usage of pentest without mutual > consent. (Or is opposite?) > > I advise, read the legal disclaimer in sqlmap's banner. > > And get it as a recommendation. Don't keep posting url vulns in > mailing list, only the traffic file if is required by Miroslav (in > private conversation) (to correct a bug or something like that). > > > On Mon, Jun 25, 2012 at 8:57 AM, James <ja...@ev... > <mailto:ja...@ev...>> wrote: > > Are you serious? > > DON'T POST VULNERABLE URLS ON THE MAILING LIST. > > This mailing list needs to move to something more censored if > people are going to be so stupid. > > > On 06/25/2012 04:02 AM, Bob wrote: >> http://www.alcosens.com/fsbClient/ezboard.jsp >> injectable parameter is: "searchWord" >> >> www.mobcstyle.com/goods/search.php >> <http://www.mobcstyle.com/goods/search.php>", using HTTP >> method GET. The injectable parameter is: "search_price_start >> >> "http://www.keyway.com.tw/pro_overview.php?_sn=2%27%20AND%208126=8126%20AND%20%27Cqlm%27=%27Cqlm" >> <http://www.keyway.com.tw/pro_overview.php?_sn=2%27%20AND%208126=8126%20AND%20%27Cqlm%27=%27Cqlm> >> >> >> is there anyone can use sqlmap find injected point? >> >> best regards >> Bob >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats.http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... <mailto:sql...@li...> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. > Discussions > will include endpoint security, mobile security and the latest > in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > <mailto:sql...@li...> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > Regards, > Iago Sousa > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. > Discussions > will include endpoint security, mobile security and the latest in > malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > <mailto:sql...@li...> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > Miroslav Stampar > http://about.me/stamparm > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > |
|
From: Miroslav S. <mir...@gm...> - 2012-06-25 16:23:15
|
Hi Pedrito. Thank you for your submission. Few things: 1) Only these new tables have been included: adminstbl admintbl affiliateUsers hsa_user tblmanager tblmanagers tblproduct tblproducts tuser tusers userstbl usertbl 2) Tables like these are discarded: karbaran # target specific nom d'utilisateur # international letters are automatically rejected from our list personnes handicapes # doesn't look like common phpBB2.forum_users # db name is not allowed 3) You've mixed yours and ours so we had to make a diff list to see what's new and what's not 4) There is no real need for sending us more common table names as these were empirically chosen through our research (google ext:sql <- we've noted frequencies of all retrieved table names and chosen those most frequent <- more than couple of hundreds of cases) Kind regards On Thu, Jun 21, 2012 at 5:14 AM, Pedrito Perez <0ar...@gm...> wrote: > this is an small modification to the common tables.... you should add it > to the project.. > right now am working on a modification(common tables from spanish web > sites...) cause i think that theres only english common tables... > > > thanks for the software that you provide... > > and sorry for my bad grammar am colombian..... > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Miroslav S. <mir...@gm...> - 2012-06-25 16:06:05
|
Hi Pedrito. This one is very strange as you can see that the stack trace is practically empty (we can't conclude where the problem occurred). If the problem persists with the latest update please be so kind and provide me privately with some more information (e.g. traffic file got by using same command line and additional -t traffic.txt). Kind regards, Miroslav Stampar On Thu, Jun 21, 2012 at 5:32 AM, Pedrito Perez <0ar...@gm...> wrote: > > sqlmap/1.0-dev - automatic SQL injection and database takeover tool > http://www.sqlmap.org > > [!] legal disclaimer: usage of sqlmap for attacking targets without prior > mutual consent is illegal. It is the end user's responsibility to obey all > applicable local, state and federal laws. Authors assume no liability and > are not responsible for any misuse or damage caused by this program > > [*] starting at 16:27:50 > > > [16:27:50] [INFO] using 'C:\Users\Admin\Desktop\sqlmap\output\ > www.dtvthai.com\session' as session file > > [16:27:50] [INFO] resuming back-end DBMS 'mysql 5.0' from session file > > [16:27:50] [INFO] testing connection to the target url > > [16:27:54] [INFO] heuristics detected web page charset 'ISO-8859-2' > sqlmap identified the following injection points with a total of 0 HTTP(s) > requests: > --- > Place: GET > Parameter: Id > Type: boolean-based blind > Title: AND boolean-based blind - WHERE or HAVING clause > Payload: Id=3) AND 4216=4216 AND (6256=6256 > > Type: error-based > Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause > Payload: Id=3) AND (SELECT 2258 FROM(SELECT > COUNT(*),CONCAT(0x3a656c643a,(SELECT (CASE WHEN (2258=2258) THEN 1 ELSE 0 > END)),0x3a6a6a643a,FLOOR(RAND(0)*2))x FROM > INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (3553=3553 > > Type: UNION query > Title: MySQL UNION query (NULL) - 5 columns > Payload: Id=3) LIMIT 1,1 UNION ALL SELECT NULL, > CONCAT(0x3a656c643a,0x5877664a584155517a56,0x3a6a6a643a), NULL, NULL, NULL# > --- > > > [16:27:54] [INFO] the back-end DBMS is MySQL > web server operating system: FreeBSD or Linux FreeBSD 7.3 > web application technology: PHP 5.3.2, Apache 2.2.14 > back-end DBMS: MySQL 5.0 > > [16:27:54] [INFO] fetching database names > > > [16:27:54] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your > run with the latest development version from the Subversion repository. If > the exception persists, please send by e-mail to > sql...@li... the following text and any information > required to reproduce the bug. The developers will try to reproduce the > bug, fix it accordingly and get back to you. > sqlmap version: 1.0-dev > Python version: 2.7.2 > Operating system: nt > Command line: C:\Users\Admin\Desktop\sqlmap\sqlmap.py -u > ******************************* --dbs > Technique: UNION > Back-end DBMS: MySQL (fingerprinted) > > [*] shutting down at 16:27:54 > > > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Miroslav S. <mir...@gm...> - 2012-06-25 16:03:32
|
Hi Pedrito. Thank you for your report and find it "patched" with the latest commit (r5137). Kind regards, Miroslav Stampar On Thu, Jun 21, 2012 at 6:49 PM, Pedrito Perez <0ar...@gm...> wrote: > [11:46:09] [INFO] testing connection to the target url > [11:46:13] [WARNING] unknown web page charset 'iso-5589-1'. Please report > by e-m > ail to sql...@li.... > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Miroslav S. <mir...@gm...> - 2012-06-25 15:47:02
|
Hi Shadow. Sorry for late reply. I believe that we've fixed this one couple of days ago. Kind regards, Miroslav Stampar On Sat, Jun 16, 2012 at 10:57 AM, Shadow Folder <sha...@gm...>wrote: > [01:03:40] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r5127), retry > your run with the latest development version from the Subversion > repository. If the exception persists, please send by e-mail to > sql...@li... the following text and any information > required to reproduce the bug. The developers will try to reproduce the > bug, fix it accordingly and get back to you. > sqlmap version: 1.0-dev (r5127) > Python version: 2.6.5 > Operating system: posix > Command line: ./sqlmap.py -u > ****************************************************************************************************************************************************** > --tor --random-agent -p hLids --technique=U -v 3 --current-user > Technique: UNION > Back-end DBMS: MySQL (fingerprinted) > Traceback (most recent call last): > File "/pentest/database/sqlmap/_sqlmap.py", line 81, in main > start() > File "/pentest/database/sqlmap/lib/controller/controller.py", line 573, > in start > action() > File "/pentest/database/sqlmap/lib/controller/action.py", line 64, in > action > conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser()) > File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line > 138, in getCurrentUser > kb.data.currentUser = unArrayizeValue(inject.getValue(query)) > File "/pentest/database/sqlmap/lib/request/inject.py", line 418, in > getValue > value = __goInband(query, expected, unpack, dump) > File "/pentest/database/sqlmap/lib/request/inject.py", line 365, in > __goInband > output = unionUse(expression, unpack=unpack, dump=dump) > File "/pentest/database/sqlmap/lib/techniques/union/use.py", line 343, > in unionUse > value = __oneShotUnionUse(expression, unpack) > File "/pentest/database/sqlmap/lib/techniques/union/use.py", line 69, in > __oneShotUnionUse > kb.unionDuplicates = vector[7] > IndexError: tuple index out of range > > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
48 messages has been excluded from this view by a project administrator.
