Thread: [sqlmap-users] bug: -g uses wrong session file
From: Kasper F. <th...@ma...> - 2010-03-15 11:32:29
Hello sqlmap users.

It seems that sqlmap is using the wrong session file if a host on the google dorks is vulnerable and the vulnerability is used. The next vulnerable host will use the same session file!

[12:14:17] [INFO] testing url <A>/index.php?id=67,0,0,1,0,0
[12:14:17] [INFO] using 'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file
[12:14:17] [INFO] testing connection to the target url
...
[12:14:20] [INFO] testing if the url is stable, wait a few seconds
[12:14:27] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher, if no dynamic nor injectable parameters are detected, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
[12:14:27] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
...
...

[12:19:46] [INFO] GET parameter 'id' is double quoted string injectable with 3 parenthesis
do you want to exploit this SQL injection? [Y/n] y
[12:20:36] [INFO] testing for parenthesis on injectable parameter
[12:21:00] [INFO] the injectable parameter requires 3 parenthesis
[12:21:00] [INFO] testing MySQL
[12:21:08] [WARNING] the back-end DMBS is not MySQL
[12:21:08] [INFO] testing Oracle
[12:21:17] [WARNING] the back-end DMBS is not Oracle
[12:21:17] [INFO] testing PostgreSQL
[12:21:26] [WARNING] the back-end DMBS is not PostgreSQL
[12:21:26] [INFO] testing Microsoft SQL Server
[12:21:34] [INFO] confirming Microsoft SQL Server
[12:21:43] [INFO] the back-end DBMS is Microsoft SQL Server

web application technology: Apache 1.3.41, PHP 5.2.13
back-end DBMS: Microsoft SQL Server 2000

...
...

GET <B>/edb_og_internet/hardware/index.php?id=32
do you want to test this url? [Y/n/q]
> y
[12:25:10] [INFO] testing url <B>/edb_og_internet/hardware/index.php?id=32
[12:25:10] [INFO] using 'C:\Users\foens\Desktop\sqlmap\output\<A>\session' as session file

I have anonymized the hosts.

/Kasper

From: Miroslav S. <mir...@gm...> - 2010-03-15 12:01:10
Hi.

Thank you for your report. Please, update your sqlmap to the latest version to have it fixed.

Kind regards.

--
Miroslav Stampar

From: Kasper F. <th...@ma...> - 2010-03-15 12:02:31
Hi.

I didn't even get to send the new scan. I haven't checked yet, but nice to see it fixed so fast.

/Kasper
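
Added example (not part of the original thread and not sqlmap's own code): a small log checker for the symptom reported above, flagging any "using ... as session file" line whose output directory does not match the host of the preceding "testing url" line. It assumes the session directory is named after the target hostname, as the log in the report suggests; the hostnames and paths in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Matches either log event; \s+ tolerates e-mail line wrapping after "using".
EVENT_RE = re.compile(
    r"\[INFO\] testing url\s+(?P<url>\S+)"
    r"|\[INFO\] using\s+'(?P<path>[^']+)'\s+as session file"
)

# Constructed sample log (hostnames and paths are made up for illustration).
SAMPLE_LOG = r"""[12:14:17] [INFO] testing url http://a.example/index.php?id=67
[12:14:17] [INFO] using 'C:\sqlmap\output\a.example\session' as session file
[12:25:10] [INFO] testing url http://b.example/hardware/index.php?id=32
[12:25:10] [INFO] using
'C:\sqlmap\output\a.example\session' as session file
"""


def url_host(url):
    """Hostname of a logged URL, with or without a scheme."""
    return urlsplit(url if "://" in url else "//" + url).hostname


def session_dir_host(path):
    """Name of the directory holding the 'session' file (Windows or POSIX path)."""
    parts = re.split(r"[\\/]", path)
    return parts[-2] if len(parts) >= 2 and parts[-1] == "session" else None


def find_session_mismatches(log_text):
    """Return (line_no, target_host, session_host) for each mismatched pair."""
    mismatches, target = [], None
    for m in EVENT_RE.finditer(log_text):
        if m.group("url"):
            target = url_host(m.group("url"))  # a new target starts here
            continue
        host = session_dir_host(m.group("path"))
        # Assumption: the session directory is named after the target hostname.
        if target and (host is None or host.lower() != target):
            line_no = log_text.count("\n", 0, m.start()) + 1
            mismatches.append((line_no, target, host))
    return mismatches


if __name__ == "__main__":
    for line_no, target, host in find_session_mismatches(SAMPLE_LOG):
        print(f"line {line_no}: target {target} but session dir is {host}")
```

Results cached in a session file that belongs to another target can be attributed to the wrong host, so a mismatch here means the later target's findings should be re-verified.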