sqlmap-users Mailing List for sqlmap (Page 79)
Brought to you by:
inquisb
From: anonymous a. <tm...@2c...> - 2011-09-12 20:01:16

Or it starts from the beginning?

From: Miroslav S. <mir...@gm...> - 2011-09-12 19:08:25

Hi.

It's happening no matter if it's Backtrack or not. From my observations it happens after addition of a new file into repository. As said, long time unresolved known issue.

Kr

On 12.9.2011. 21:04, "Sherif El-Deeb" <arc...@gm...> wrote:

From: Avery R. <as...@ya...> - 2011-09-12 19:06:01

You are correct, thanks for the explanation too.

Sent from my iPhone

On Sep 12, 2011, at 3:03 PM, Sherif El-Deeb <arc...@gm...> wrote:

> I think this is happening because for some reason the sqlmap included
> in BackTrack "you're using backtrack, right?" is getting its updates
> from "https://svn.sqlmap.org/sqlmap/" whereas it should be from
> "https://svn.sqlmap.org/sqlmap/trunk/sqlmap"
>
> On Mon, Sep 12, 2011 at 9:56 PM, Avery Rozar <as...@ya...> wrote:
>> Sweet, that worked.. Thanks very much!
>>
>> Sent from my iPhone
>>
>> On Sep 12, 2011, at 2:53 PM, Sherif El-Deeb <arc...@gm...> wrote:
>>
>>> remove the old directory, do a clean svn checkout will solve your problem
>>>
>>> # rm -rf sqlmap
>>> # svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
>>>
>>> On Mon, Sep 12, 2011 at 8:54 PM, Avery Rozar <as...@ya...> wrote:
>>>>
>>>> Hello all,
>>>> I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Sherif El-D. <arc...@gm...> - 2011-09-12 19:03:59

I think this is happening because for some reason the sqlmap included in BackTrack "you're using backtrack, right?" is getting its updates from "https://svn.sqlmap.org/sqlmap/" whereas it should be from "https://svn.sqlmap.org/sqlmap/trunk/sqlmap"

On Mon, Sep 12, 2011 at 9:56 PM, Avery Rozar <as...@ya...> wrote:
> Sweet, that worked.. Thanks very much!
>
> Sent from my iPhone
>
> On Sep 12, 2011, at 2:53 PM, Sherif El-Deeb <arc...@gm...> wrote:
>
>> remove the old directory, do a clean svn checkout will solve your problem
>>
>> # rm -rf sqlmap
>> # svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
>>
>> On Mon, Sep 12, 2011 at 8:54 PM, Avery Rozar <as...@ya...> wrote:
>>>
>>> Hello all,
>>> I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Miroslav S. <mir...@gm...> - 2011-09-12 19:01:14

Thx for this :)

Known issue

Kind regards

On 12.9.2011. 20:57, "Avery Rozar" <as...@ya...> wrote:
> Sweet, that worked.. Thanks very much!
>
> Sent from my iPhone
>
> On Sep 12, 2011, at 2:53 PM, Sherif El-Deeb <arc...@gm...> wrote:
>
>> remove the old directory, do a clean svn checkout will solve your problem
>>
>> # rm -rf sqlmap
>> # svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
>>
>> On Mon, Sep 12, 2011 at 8:54 PM, Avery Rozar <as...@ya...> wrote:
>>>
>>> Hello all,
>>> I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Avery R. <as...@ya...> - 2011-09-12 18:56:51

Sweet, that worked.. Thanks very much!

Sent from my iPhone

On Sep 12, 2011, at 2:53 PM, Sherif El-Deeb <arc...@gm...> wrote:

> remove the old directory, do a clean svn checkout will solve your problem
>
> # rm -rf sqlmap
> # svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
>
> On Mon, Sep 12, 2011 at 8:54 PM, Avery Rozar <as...@ya...> wrote:
>>
>> Hello all,
>> I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Sherif El-D. <arc...@gm...> - 2011-09-12 18:53:09

remove the old directory, do a clean svn checkout will solve your problem

# rm -rf sqlmap
# svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

On Mon, Sep 12, 2011 at 8:54 PM, Avery Rozar <as...@ya...> wrote:
>
> Hello all,
> I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Wil R. <wil...@gm...> - 2011-09-12 18:36:45

Check your options. I've only been asked to supply username and password when I entered the wrong thing. For "Update" you shouldn't need anything.

Sent from my iPhone

On Sep 12, 2011, at 10:54 AM, Avery Rozar <as...@ya...> wrote:

> Hello all,
> I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Avery R. <as...@ya...> - 2011-09-12 17:54:18

Hello all,
I'm trying to run an update but keep getting a username and password request, where do I find this? I thought it was simply the un and password I created to join this list, but that's not working... Thanks much!!

From: Martin D. <mar...@ho...> - 2011-09-12 16:39:28

error code attached as an png image

critical unhandled exception error

http://skydrive.live.com/redir.aspx?cid=1adf7a7447782df4&page=browse&resid=1ADF7A7447782DF4!231&type=5&Bpub=SDX.Photos&Bsrc=Photomail&authkey=ScvJMudQ0cg%24

From: Bernardo D. A. G. <ber...@gm...> - 2011-09-12 14:21:14

This has been fixed some time ago.

Bernardo

On 29 August 2011 19:13, <ks...@so...> wrote:
> hello kids!
> recently got this bug
>
> -------------
> [19:58:45] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4358), retry
> your run with the latest development version from the Subversion
> repository. If the exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the
> bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev (r4358)
> Python version: 2.6.6
> Operating system: posix
> Command line: sqlmap.py -m urls.txt --batch --privileges --random-agent
> Technique: UNION
> Back-end DBMS: Microsoft SQL Server (identified)
> Traceback (most recent call last):
>   File "sqlmap.py", line 86, in main
>     start()
>   File "/mnt/1/sqlmap/sqlmap-dev/lib/controller/controller.py", line 460, in start
>     injection = checkSqlInjection(place, parameter, value)
>   File "/mnt/1/sqlmap/sqlmap-dev/lib/controller/checks.py", line 408, in checkSqlInjection
>     reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
>   File "/mnt/1/sqlmap/sqlmap-dev/lib/techniques/union/test.py", line 290, in unionTest
>     validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)
>   File "/mnt/1/sqlmap/sqlmap-dev/lib/techniques/union/test.py", line 257, in __unionTestByCharBruteforce
>     count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)
>   File "/mnt/1/sqlmap/sqlmap-dev/lib/techniques/union/test.py", line 150, in __findUnionCharCount
>     if not re.search(r'>\s*%s\s*<' % kb.uChar, page):
>   File "/usr/lib/python2.6/re.py", line 142, in search
>     return _compile(pattern, flags).search(string)
> TypeError: expected string or buffer
>
> ---------------
>
> system - debian.
>
> Use proxychain to divert sqlmap traffic to socks.
> (http://proxychains.sourceforge.net/)
>
> when socks die i got this exception.
>
> cheers.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable

From: Bernardo D. A. G. <ber...@gm...> - 2011-09-12 14:17:56

You can also follow twitter.com/sqlmap and svn log.

Bernardo

On 11 September 2011 17:10, Miroslav Stampar <mir...@gm...> wrote:
> hi Derick.
>
> you can take a look at CHANGELOG for some quick info on new things:
> https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog
>
> kind regards
>
> On Sat, Sep 10, 2011 at 9:24 AM, Derick Nyarko <nya...@ya...> wrote:
>> Okay cool. what's new in Sqlmap. can someone show me?
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable

From: Miroslav S. <mir...@gm...> - 2011-09-12 14:08:21

hi Christian.

there was a "silent" bug inside which caused buggy waiting for console input without any warning in cases like yours (no warning waiting after "[INFO] confirming Microsoft SQL Server"). i've fixed that one in the latest commit, so it would be great if you could retest and see if that was the same bug you've encountered.

kind regards

On Wed, Aug 24, 2011 at 5:58 PM, Christian Rothländer <Chr...@cr...> wrote:
> Hi there,
>
> I just updated to the last revision (4365) and tried to attack a Microsoft SQL Server 2005 via AND/OR time-based blind or MS stacked queries.
>
> The module which analysed which dba is there gets stuck with MSSQL (if I force --dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't be because of the attack vector). I think there might be something broken.
>
> I reverted to #4233 which is working and correctly detects MSSQL.
>
> Greetings,
> Christian
>
> ----snip----
>
> GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the others? [y/N]
> sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
> ---
> Place: GET
> Parameter: meetingKey
>     Type: stacked queries
>     Title: Microsoft SQL Server/Sybase stacked queries
>     Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW
>
>     Type: AND/OR time-based blind
>     Title: Microsoft SQL Server/Sybase time-based blind
>     Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
> ---
>
> [17:33:51] [INFO] testing Microsoft SQL Server
> [17:33:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
> [17:34:12] [INFO] confirming Microsoft SQL Server
> <stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>
>
> ----snip----

--
Miroslav Stampar
http://about.me/stamparm

From: Bernardo D. A. G. <ber...@gm...> - 2011-09-12 13:45:56

Hi,

You are likely using Python 2.5. Install Python 2.7 and rerun.

Regards,
Bernardo

On 12 September 2011 14:32, anonymous anonymous <tm...@2c...> wrote:
> Windows Server 2003, checked out from svn and "python sqlmap.py" prints:
>
> C:\Documents and Settings\PHIL\My Documents\sqlmap-dev>python sqlmap.py
>   File "sqlmap.py", line 96
>     except exceptionsTuple, e:
>                           ^
> SyntaxError: invalid syntax

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable

From: Bernardo D. A. G. <ber...@gm...> - 2011-09-12 13:44:52

Hi,

Back-end database management system? Technique used to dump? An output of -v 3 --flush-session running with sqlmap updated from svn would be of help to debug this possible bug.

Thank you.

Bernardo

On 27 August 2011 15:03, anonymous anonymous <tm...@2c...> wrote:
> Subject. The latest revision.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable

From: anonymous a. <tm...@2c...> - 2011-09-12 13:32:25

Windows Server 2003, checked out from svn and "python sqlmap.py" prints:

C:\Documents and Settings\PHIL\My Documents\sqlmap-dev>python sqlmap.py
  File "sqlmap.py", line 96
    except exceptionsTuple, e:
                          ^
SyntaxError: invalid syntax

From: Bernardo D. A. G. <ber...@gm...> - 2011-09-12 13:25:18

Hi Christian,

Can you please rerun with the latest development version from subversion with --flush-session -v3 -t traffic.log and provide us with traffic.log file privately in order to debug this possible bug?

Thank you.

Bernardo

On 24 August 2011 16:58, Christian Rothländer <Chr...@cr...> wrote:
> Hi there,
>
> I just updated to the last revision (4365) and tried to attack a Microsoft SQL Server 2005 via AND/OR time-based blind or MS stacked queries.
>
> The module which analysed which dba is there gets stuck with MSSQL (if I force --dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't be because of the attack vector). I think there might be something broken.
>
> I reverted to #4233 which is working and correctly detects MSSQL.
>
> Greetings,
> Christian
>
> ----snip----
>
> GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the others? [y/N]
> sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
> ---
> Place: GET
> Parameter: meetingKey
>     Type: stacked queries
>     Title: Microsoft SQL Server/Sybase stacked queries
>     Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW
>
>     Type: AND/OR time-based blind
>     Title: Microsoft SQL Server/Sybase time-based blind
>     Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
> ---
>
> [17:33:51] [INFO] testing Microsoft SQL Server
> [17:33:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
> [17:34:12] [INFO] confirming Microsoft SQL Server
> <stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>
>
> ----snip----

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable

From: Miroslav S. <mir...@gm...> - 2011-09-12 13:23:41

hi Preth.

this should be fixed in v1.0-dev version from our repository. please check it out by issuing this:

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

kind regards

On Wed, Aug 24, 2011 at 2:25 AM, Preth Hoonker <pre...@gm...> wrote:
> Hi, i have some unexpected troubles with the latest version of SQLMap (0.9).
> I hope this can help you to keep developing your t00l :)
>
> -------------------- error log --------------------------------
> [19:14:37] [CRITICAL] unhandled exception in sqlmap/0.9, retry your run with
> the latest development version from the Subversion repository. If the
> exception persists, please send by e-mail to
> sql...@li... the following text and any information
> required to reproduce the bug. The developers will try to reproduce the bug,
> fix it accordingly and get back to you.
> sqlmap version: 0.9 (r3630)
> Python version: 2.7.1+
> Operating system: posix
> Command line: ./sqlmap.py -u ************************************************************************************** --file-read=/etc/passwd
> Technique: STACKED
> Back-end DBMS: PostgreSQL (fingerprinted)
> Traceback (most recent call last):
>   File "./sqlmap.py", line 82, in main
>     start()
>   File "/home/preth00nker/Descargas/sqlmap-latest/sqlmap/lib/controller/controller.py", line 447, in start
>     action()
>   File "/home/preth00nker/Descargas/sqlmap-latest/sqlmap/lib/controller/action.py", line 123, in action
>     conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))
>   File "/home/preth00nker/Descargas/sqlmap-latest/sqlmap/plugins/generic/filesystem.py", line 301, in readFile
>     fileContent = self.__unhexString(fileContent)
>   File "/home/preth00nker/Descargas/sqlmap-latest/sqlmap/plugins/generic/filesystem.py", line 43, in __unhexString
>     if len(hexStr) % 2 != 0:
> TypeError: object of type 'NoneType' has no len()
>
> [*] shutting down at: 19:14:37
>
> -------------------- eof --------------------------------
>
> greets

--
Miroslav Stampar
http://about.me/stamparm

From: Miroslav S. <mir...@gm...> - 2011-09-11 16:29:16

hi ryan.

short answer is permissions (most often file write ones)

long answer is:

1) --os-shell/--os-cmd/--os-pwn (STACKED INJECTION CASE)
   A) for MYSQL (rare in real life), PGSQL current DBMS user has to have UDF create/exec permissions
   B) MSSQL current DBMS user has to be able to run master.dbo.xp_cmdshell (EXEC permissions, function has to be enabled - sqlmap can try to enable it automatically, function has to exist)

2) --os-shell/--os-cmd/--os-pwn (NON-STACKED INJECTION CASE)
   A) for MYSQL current DBMS user has to have file write permissions to a reachable web directory

kind regards

On Sat, Sep 10, 2011 at 8:11 AM, ryan cartner <rya...@gm...> wrote:
> what are the actual requirements for --os-cmd/shell/pwn ? I'm trying to
> figure out how they work specifically. As far as I can tell you just need
> write access to a folder in the web root. Is this true? Is there a way to
> check your filesystem privileges?

--
Miroslav Stampar
http://about.me/stamparm

From: Miroslav S. <mir...@gm...> - 2011-09-11 16:10:49

hi Derick.

you can take a look at CHANGELOG for some quick info on new things:
https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog

kind regards

On Sat, Sep 10, 2011 at 9:24 AM, Derick Nyarko <nya...@ya...> wrote:
> Okay cool. what's new in Sqlmap. can someone show me?

--
Miroslav Stampar
http://about.me/stamparm

From: Derick N. <nya...@ya...> - 2011-09-10 07:24:12

Okay cool. what's new in Sqlmap. can someone show me?

From: ryan c. <rya...@gm...> - 2011-09-10 06:11:47

what are the actual requirements for --os-cmd/shell/pwn ? I'm trying to figure out how they work specifically. As far as I can tell you just need write access to a folder in the web root. Is this true? Is there a way to check your filesystem privileges?

From: Ahmed S. <ah...@is...> - 2011-09-09 18:14:27

AFAIK sqlmap uses into DUMPFILE and the speed of grabbing files within this function depends on the used technique itself during the injection

On Fri, Sep 9, 2011 at 6:17 PM, ryan cartner <rya...@gm...> wrote:
> Using --file-read on some injections can take a long time if the file must
> be retrieved one character at a time. Currently there is no easy way to view
> a partially downloaded file. This python script will do that. Simply run
> sqlmap with --file-read and once you've read part of the file, run the
> script like this:
>
> python ./partialfile.py -s ./output/www.something.com/session -f global.asa
>
> it will grab the hex stream out of the sqlmap session file, convert it, and
> spit it back out :)
> Unfortunately this workaround is incompatible with --threads for two
> reasons. First, sqlmap doesn't write out to the session file until either
> it's finished or it receives sigint. second, in all my testing I haven't
> been able to get it to take sigint (ctrl-c) when --threads is being used.
> If anybody can figure out a fix for this i'm all ears :)
>
> #!/usr/bin/python
>
> import binascii
> import optparse
> import re
> import sys
>
> parser = optparse.OptionParser()
> parser.add_option('-s', help='sqlmap session file', dest='ses', nargs=1)
> parser.add_option('-f', help='the filename of the file you are downloading', dest='dl', nargs=1)
> (opts, args) = parser.parse_args()
>
> if opts.ses is None or opts.dl is None:
>     print("Both a session file and the name of the file you are downloading are required.")
>     parser.print_help()
>     sys.exit(-1)
> print("Session file: " + opts.ses)
> print("Downloaded file: " + opts.dl)
>
> # The hex stream follows the requested filename and the '))][ marker in the session file
> f = open(opts.ses).read()
> found = re.compile(re.escape(opts.dl) + r"'\)\)\]\[(.+?)$").search(f)
> if found is None:
>     print("No data for " + opts.dl + " in the session file.")
>     sys.exit(-1)
> m = found.group(1)
>
> # A retrieval interrupted mid-byte leaves an odd number of hex digits; drop the last one
> if len(m) % 2 != 0:
>     m = m[0:-1]
>
> print(binascii.unhexlify(m))

--
- Ahmed Shawky El-Antry
- lnxg33k owner "http://lnxg33k.wordpress.com"
- Isecur1ty team member"http://www.isecur1ty.org"
- Twitter @lnxg33k

From: ryan c. <rya...@gm...> - 2011-09-09 16:17:07

Using --file-read on some injections can take a long time if the file must be retrieved one character at a time. Currently there is no easy way to view a partially downloaded file. This python script will do that. Simply run sqlmap with --file-read and once you've read part of the file, run the script like this:

python ./partialfile.py -s ./output/www.something.com/session -f global.asa

it will grab the hex stream out of the sqlmap session file, convert it, and spit it back out :)

Unfortunately this workaround is incompatible with --threads for two reasons. First, sqlmap doesn't write out to the session file until either it's finished or it receives sigint. second, in all my testing I haven't been able to get it to take sigint (ctrl-c) when --threads is being used. If anybody can figure out a fix for this i'm all ears :)

    #!/usr/bin/python

    import binascii
    import optparse
    import re
    import sys

    parser = optparse.OptionParser()
    parser.add_option('-s', help='sqlmap session file', dest='ses', nargs=1)
    parser.add_option('-f', help='the filename of the file you are downloading', dest='dl', nargs=1)
    (opts, args) = parser.parse_args()

    if opts.ses is None or opts.dl is None:
        print("Both a session file and the name of the file you are downloading are required.")
        parser.print_help()
        sys.exit(-1)
    print("Session file: " + opts.ses)
    print("Downloaded file: " + opts.dl)

    # The hex stream follows the requested filename and the '))][ marker in the session file
    f = open(opts.ses).read()
    found = re.compile(re.escape(opts.dl) + r"'\)\)\]\[(.+?)$").search(f)
    if found is None:
        print("No data for " + opts.dl + " in the session file.")
        sys.exit(-1)
    m = found.group(1)

    # A retrieval interrupted mid-byte leaves an odd number of hex digits; drop the last one
    if len(m) % 2 != 0:
        m = m[0:-1]

    print(binascii.unhexlify(m))

From: Miroslav S. <mir...@gm...> - 2011-09-09 13:07:28

hi ryan.

it's because sqlmap doesn't know if it's ASCII or BINARY file at the other hand. hence, HEXing is the safest way to do it (especially for e.g. UNION based technique).

kind regards

On Fri, Sep 9, 2011 at 3:04 PM, ryan cartner <rya...@gm...> wrote:
> why does --file-read retrieve a hex stream when downloading an ascii file?

--
Miroslav Stampar
http://about.me/stamparm

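
Why hex is the safe transport for a file of unknown type, and why a stream that stopped part-way still decodes to a clean prefix of the file, shown as an added example that is not part of the thread or of sqlmap's code. The function names, the sample file bytes and the sample session line are constructed for illustration; only the `'))][` marker is taken from the regex in the script posted above.

```python
import binascii
import re

HEX_RUN = re.compile(r"[0-9A-Fa-f]*")


def roundtrips_as_text(data):
    """True if the bytes survive being handled as UTF-8 text and re-encoded."""
    return data.decode("utf-8", errors="replace").encode("utf-8") == data


def extract_hex_stream(session_text, filename):
    """Return the hex digits stored after <filename>'))][ or None if absent.

    The '))][ marker comes from the regex in the script posted in this thread;
    everything else about the line layout is an assumption.
    """
    pattern = re.escape(filename) + r"'\)\)\]\[([0-9A-Fa-f]*)"
    match = re.search(pattern, session_text)
    return match.group(1) if match else None


def decode_partial_hex(hex_stream):
    """Decode as many whole bytes as a possibly truncated hex stream holds."""
    if not hex_stream:                 # None or "" when nothing was retrieved
        return b""
    usable = HEX_RUN.match(hex_stream).group(0)   # stop at the first non-hex char
    if len(usable) % 2:                # retrieval stopped between two nibbles
        usable = usable[:-1]
    return binascii.unhexlify(usable)


# Constructed sample: a small file mixing text, CRLF, a NUL and non-UTF-8 bytes.
SAMPLE_FILE = b"<%\r\nkey = 'v'\x00\xff\xfe tail %>\r\n"
SAMPLE_HEX = binascii.hexlify(SAMPLE_FILE).decode("ascii")

# Constructed session line, cut off after 21 hex digits (10 bytes plus one nibble).
SAMPLE_SESSION = "[placeholder][(('global.asa'))][" + SAMPLE_HEX[:21]


def demo():
    """Compare raw and hex transport, then recover the partial file."""
    stream = extract_hex_stream(SAMPLE_SESSION, "global.asa")
    return {
        "raw_survives_text": roundtrips_as_text(SAMPLE_FILE),
        "hex_survives_text": roundtrips_as_text(SAMPLE_HEX.encode("ascii")),
        "recovered": decode_partial_hex(stream),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Because every byte maps to exactly two hex digits, cutting the stream at any point loses at most the byte that was in flight, which is what makes reading a partial download possible.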