sqlmap-users

[sqlmap-users] found another Bug

[<nig...@em...>]

sqlmap -u "http://xxxxxxx.xxx/update_thumb.php?e=263&s=6"  -a C:\pentest\sqlmap.0.9\txt\user-agents.txt --level 5 --risk 3 -f -b

 sqlmap/0.9-dev - automatic SQL injection and database takeover tool
 http://sqlmap.sourceforge.net

[*] starting at: 00:23:50

[00:23:50] [INFO] fetched random HTTP User-Agent header from file 'C:\pentest\sqlmap.0.9\txt\user-agents.txt':
Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.50
[00:23:50] [INFO] using 'C:\pentest\sqlmap.0.9\output\xxxxxx\session' as session file
[00:23:50] [INFO] testing connection to the target url
[00:23:51] [INFO] testing if the url is stable, wait a few seconds
[00:23:53] [INFO] url is stable          
many tests
[00:34:15] [INFO] GET parameter 's' is 'MySQL > 5.0.11 AND time-based blind' injectable
GET parameter 's' is vulnerable. Do you want to keep testing the others? [y/N] y    
more tests
[00:52:02] [INFO] testing 'Firebird AND error-based - WHERE clause'

[00:52:02] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversio
n repository. If the exception persists, please send by e-mail to sql...@li... the command line, the followi
ng text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get
back to you.
sqlmap version: 0.9-dev
Python version: 2.6.5
Operating system: nt
Traceback (most recent call last):
 File "C:\pentestsqlmap.0.9\sqlmap.py", line 79, in main
 start()
 File "C:\pentest\sqlmap.0.9\lib\controller\controller.py", line 352, in start
 injection = checkSqlInjection(place, parameter, value)
 File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 165, in checkSqlInjection
 fstPayload = unescapeDbms(fstPayload, injection, dbms)
 File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 65, in unescapeDbms
 payload = unescape(payload, dbms)
 File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 53, in unescape
 return unescaper[dbms](string)
 File "C:\pentest\sqlmap.0.9\plugins\dbms\firebird\syntax.py", line 21, in unescape
 if isDBMSVersionAtLeast('2.1'):
 File "C:\pentest\sqlmap.0.9\lib\core\common.py", line 1752, in isDBMSVersionAtLeast
 value = float(value.replace(">", "")) + 0.01
ValueError: invalid literal for float(): 5.0.11

[*] shutting down at: 00:52:02

Re: [sqlmap-users] found another Bug

[Miroslav S. <mir...@gm...>]

hi nightman.

thank you for your commit and find it fixed in the latest commit.

kind regards.

On Tue, Dec 21, 2010 at 1:08 AM,  <nig...@em...> wrote:
> sqlmap -u "http://xxxxxxx.xxx/update_thumb.php?e=263&s=6"  -a C:\pentest\sqlmap.0.9\txt\user-agents.txt --level 5 --risk 3 -f -b
>
>  sqlmap/0.9-dev - automatic SQL injection and database takeover tool
>  http://sqlmap.sourceforge.net
>
> [*] starting at: 00:23:50
>
> [00:23:50] [INFO] fetched random HTTP User-Agent header from file 'C:\pentest\sqlmap.0.9\txt\user-agents.txt':
> Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.50
> [00:23:50] [INFO] using 'C:\pentest\sqlmap.0.9\output\xxxxxx\session' as session file
> [00:23:50] [INFO] testing connection to the target url
> [00:23:51] [INFO] testing if the url is stable, wait a few seconds
> [00:23:53] [INFO] url is stable
> many tests
> [00:34:15] [INFO] GET parameter 's' is 'MySQL > 5.0.11 AND time-based blind' injectable
> GET parameter 's' is vulnerable. Do you want to keep testing the others? [y/N] y
> more tests
> [00:52:02] [INFO] testing 'Firebird AND error-based - WHERE clause'
>
> [00:52:02] [CRITICAL] unhandled exception in sqlmap/0.9-dev, retry your run with the latest development version from the Subversio
> n repository. If the exception persists, please send by e-mail to sql...@li... the command line, the followi
> ng text and any information needed to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get
> back to you.
> sqlmap version: 0.9-dev
> Python version: 2.6.5
> Operating system: nt
> Traceback (most recent call last):
>  File "C:\pentestsqlmap.0.9\sqlmap.py", line 79, in main
>  start()
>  File "C:\pentest\sqlmap.0.9\lib\controller\controller.py", line 352, in start
>  injection = checkSqlInjection(place, parameter, value)
>  File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 165, in checkSqlInjection
>  fstPayload = unescapeDbms(fstPayload, injection, dbms)
>  File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 65, in unescapeDbms
>  payload = unescape(payload, dbms)
>  File "C:\pentest\sqlmap.0.9\lib\controller\checks.py", line 53, in unescape
>  return unescaper[dbms](string)
>  File "C:\pentest\sqlmap.0.9\plugins\dbms\firebird\syntax.py", line 21, in unescape
>  if isDBMSVersionAtLeast('2.1'):
>  File "C:\pentest\sqlmap.0.9\lib\core\common.py", line 1752, in isDBMSVersionAtLeast
>  value = float(value.replace(">", "")) + 0.01
> ValueError: invalid literal for float(): 5.0.11
>
> [*] shutting down at: 00:52:02
>
> ------------------------------------------------------------------------------
> Lotusphere 2011
> Register now for Lotusphere 2011 and learn how
> to connect the dots, take your collaborative environment
> to the next level, and enter the era of Social Business.
> http://p.sf.net/sfu/lotusphere-d2d
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia