Thread: [sqlmap-users] sqlmap dying when handling unicode
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users
|
From: Sebastian N. <seb...@sy...> - 2013-08-30 10:11:08
Attachments:
signature.asc
|
Hi there, sqlmap is dying, when it should handle unicode. What I am doing is the following: x is a parameter on a website, normally it contains base16(base64(binary hash)). I am testing this parameter by submitting an empty parameter x and --eval. In --eval I am concatenating my original values (u'\x...') with the payload, encode it as base64 and overwrite the parameter. Everything is working fine - IF and only if I overwrite every temporary variable. Apparently sqlmap is trying to concat the new variables to the list of parameters and failing because they are unicode. Maybe some checking could be done? Best regards, Sebastian Nerz [11:59:51] [CRITICAL] unhandled exception in sqlmap/1.0-dev-7cb3ea2, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you. sqlmap version: 1.0-dev-7cb3ea2 Python version: 2.7.4 Operating system: posix Command line: /home/snerz/Downloads/sqlmap/sqlmap.py --eval=** -l /tmp/sql5 --level=5 --risk=3 -p X --proxy=********************* --force-ssl --drop-set-cookie --answer=this URL=y,proceed=c Technique: None Back-end DBMS: None (identified) Traceback (most recent call last): File "/home/snerz/Downloads/sqlmap/sqlmap.py", line 95, in main start() File "/home/snerz/Downloads/sqlmap/lib/controller/controller.py", line 363, in start if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp(): File "/home/snerz/Downloads/sqlmap/lib/controller/checks.py", line 1195, in checkConnection page, _ = Request.queryPage(content=True, noteResponseTime=False) File "/home/snerz/Downloads/sqlmap/lib/request/connect.py", line 787, in queryPage get += "%s%s=%s" % (delimiter, name, value) TypeError: unsupported operand type(s) for +=: 'NoneType' and 'unicode' |
|
From: Miroslav S. <mir...@gm...> - 2013-08-30 10:15:25
|
Hi. Does your original case use GET parameters? That could be a bug in sqlmap (appending to GET while there is no GET in the first place). Kind regards, Miroslav Stampar On Fri, Aug 30, 2013 at 12:09 PM, Sebastian Nerz <seb...@sy...>wrote: > Hi there, > > sqlmap is dying, when it should handle unicode. What I am doing is the > following: > > x is a parameter on a website, normally it contains base16(base64(binary > hash)). I am testing this parameter by submitting an empty parameter x > and --eval. In --eval I am concatenating my original values (u'\x...') > with the payload, encode it as base64 and overwrite the parameter. > Everything is working fine - IF and only if I overwrite every temporary > variable. > Apparently sqlmap is trying to concat the new variables to the list of > parameters and failing because they are unicode. Maybe some checking > could be done? > > Best regards, > > Sebastian Nerz > > [11:59:51] [CRITICAL] unhandled exception in sqlmap/1.0-dev-7cb3ea2, > retry your run with the latest development version from the GitHub > repository. If the exception persists, please send by e-mail to > 'sql...@li...' or open a new issue at > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. The developers > will try to reproduce the bug, fix it accordingly and get back to you. > sqlmap version: 1.0-dev-7cb3ea2 > Python version: 2.7.4 > Operating system: posix > Command line: /home/snerz/Downloads/sqlmap/sqlmap.py --eval=** -l > /tmp/sql5 --level=5 --risk=3 -p X --proxy=********************* > --force-ssl --drop-set-cookie --answer=this URL=y,proceed=c > Technique: None > Back-end DBMS: None (identified) > Traceback (most recent call last): > File "/home/snerz/Downloads/sqlmap/sqlmap.py", line 95, in main > start() > File "/home/snerz/Downloads/sqlmap/lib/controller/controller.py", line > 363, in start > if not checkConnection(suppressOutput=conf.forms) or not > checkString() or not checkRegexp(): > File "/home/snerz/Downloads/sqlmap/lib/controller/checks.py", line > 1195, in checkConnection > page, _ = Request.queryPage(content=True, noteResponseTime=False) > File "/home/snerz/Downloads/sqlmap/lib/request/connect.py", line 787, > in queryPage > get += "%s%s=%s" % (delimiter, name, value) > TypeError: unsupported operand type(s) for +=: 'NoneType' and 'unicode' > > > > ------------------------------------------------------------------------------ > Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! > Discover the easy way to master current and previous Microsoft technologies > and advance your career. Get an incredible 1,500+ hours of step-by-step > tutorial videos with LearnDevNow. Subscribe today and save! > http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Sebastian N. <seb...@sy...> - 2013-08-30 10:17:08
Attachments:
signature.asc
|
Hi, Am 30.08.2013 12:15, schrieb Miroslav Stampar: > > Does your original case use GET parameters? That could be a bug in sqlmap > (appending to GET while there is no GET in the first place). No, it only contains COOKIE parameters. Kind regards, Sebastian Nerz > > Kind regards, > Miroslav Stampar > > > On Fri, Aug 30, 2013 at 12:09 PM, Sebastian Nerz <seb...@sy...>wrote: > >> Hi there, >> >> sqlmap is dying, when it should handle unicode. What I am doing is the >> following: >> >> x is a parameter on a website, normally it contains base16(base64(binary >> hash)). I am testing this parameter by submitting an empty parameter x >> and --eval. In --eval I am concatenating my original values (u'\x...') >> with the payload, encode it as base64 and overwrite the parameter. >> Everything is working fine - IF and only if I overwrite every temporary >> variable. >> Apparently sqlmap is trying to concat the new variables to the list of >> parameters and failing because they are unicode. Maybe some checking >> could be done? >> >> Best regards, >> >> Sebastian Nerz >> >> [11:59:51] [CRITICAL] unhandled exception in sqlmap/1.0-dev-7cb3ea2, >> retry your run with the latest development version from the GitHub >> repository. If the exception persists, please send by e-mail to >> 'sql...@li...' or open a new issue at >> 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following >> text and any information required to reproduce the bug. The developers >> will try to reproduce the bug, fix it accordingly and get back to you. >> sqlmap version: 1.0-dev-7cb3ea2 >> Python version: 2.7.4 >> Operating system: posix >> Command line: /home/snerz/Downloads/sqlmap/sqlmap.py --eval=** -l >> /tmp/sql5 --level=5 --risk=3 -p X --proxy=********************* >> --force-ssl --drop-set-cookie --answer=this URL=y,proceed=c >> Technique: None >> Back-end DBMS: None (identified) >> Traceback (most recent call last): >> File "/home/snerz/Downloads/sqlmap/sqlmap.py", line 95, in main >> start() >> File "/home/snerz/Downloads/sqlmap/lib/controller/controller.py", line >> 363, in start >> if not checkConnection(suppressOutput=conf.forms) or not >> checkString() or not checkRegexp(): >> File "/home/snerz/Downloads/sqlmap/lib/controller/checks.py", line >> 1195, in checkConnection >> page, _ = Request.queryPage(content=True, noteResponseTime=False) >> File "/home/snerz/Downloads/sqlmap/lib/request/connect.py", line 787, >> in queryPage >> get += "%s%s=%s" % (delimiter, name, value) >> TypeError: unsupported operand type(s) for +=: 'NoneType' and 'unicode' >> >> >> >> ------------------------------------------------------------------------------ >> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! >> Discover the easy way to master current and previous Microsoft technologies >> and advance your career. Get an incredible 1,500+ hours of step-by-step >> tutorial videos with LearnDevNow. Subscribe today and save! >> http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > -- Sebastian Nerz Dipl.-Inform. IT-Security Consultant mailto:seb...@sy... ___________________________________________________________ SySS GmbH Wohlboldstraße 8 72072 Tübingen Germany Voice: +49 7071 407856-31 Fax: +49 7071 407856-19 WWW: http://www.syss.de PGP FP: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2 Geschaeftsfuehrer Sebastian Schreiber Registergericht: Amtsgericht Stuttgart / HRB 382420 Steuernummer: 86118 / 55809 |
|
From: Miroslav S. <mir...@gm...> - 2013-08-30 13:27:36
|
Hi. Can you please retry it now? Spotted a bug and fixed it. Kind regards, Miroslav Stampar On Fri, Aug 30, 2013 at 12:16 PM, Sebastian Nerz <seb...@sy...>wrote: > Hi, > > Am 30.08.2013 12:15, schrieb Miroslav Stampar: > > > > Does your original case use GET parameters? That could be a bug in sqlmap > > (appending to GET while there is no GET in the first place). > > No, it only contains COOKIE parameters. > > Kind regards, > > Sebastian Nerz > > > > > Kind regards, > > Miroslav Stampar > > > > > > On Fri, Aug 30, 2013 at 12:09 PM, Sebastian Nerz <seb...@sy... > >wrote: > > > >> Hi there, > >> > >> sqlmap is dying, when it should handle unicode. What I am doing is the > >> following: > >> > >> x is a parameter on a website, normally it contains base16(base64(binary > >> hash)). I am testing this parameter by submitting an empty parameter x > >> and --eval. In --eval I am concatenating my original values (u'\x...') > >> with the payload, encode it as base64 and overwrite the parameter. > >> Everything is working fine - IF and only if I overwrite every temporary > >> variable. > >> Apparently sqlmap is trying to concat the new variables to the list of > >> parameters and failing because they are unicode. Maybe some checking > >> could be done? > >> > >> Best regards, > >> > >> Sebastian Nerz > >> > >> [11:59:51] [CRITICAL] unhandled exception in sqlmap/1.0-dev-7cb3ea2, > >> retry your run with the latest development version from the GitHub > >> repository. If the exception persists, please send by e-mail to > >> 'sql...@li...' or open a new issue at > >> 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > >> text and any information required to reproduce the bug. The developers > >> will try to reproduce the bug, fix it accordingly and get back to you. > >> sqlmap version: 1.0-dev-7cb3ea2 > >> Python version: 2.7.4 > >> Operating system: posix > >> Command line: /home/snerz/Downloads/sqlmap/sqlmap.py --eval=** -l > >> /tmp/sql5 --level=5 --risk=3 -p X --proxy=********************* > >> --force-ssl --drop-set-cookie --answer=this URL=y,proceed=c > >> Technique: None > >> Back-end DBMS: None (identified) > >> Traceback (most recent call last): > >> File "/home/snerz/Downloads/sqlmap/sqlmap.py", line 95, in main > >> start() > >> File "/home/snerz/Downloads/sqlmap/lib/controller/controller.py", line > >> 363, in start > >> if not checkConnection(suppressOutput=conf.forms) or not > >> checkString() or not checkRegexp(): > >> File "/home/snerz/Downloads/sqlmap/lib/controller/checks.py", line > >> 1195, in checkConnection > >> page, _ = Request.queryPage(content=True, noteResponseTime=False) > >> File "/home/snerz/Downloads/sqlmap/lib/request/connect.py", line 787, > >> in queryPage > >> get += "%s%s=%s" % (delimiter, name, value) > >> TypeError: unsupported operand type(s) for +=: 'NoneType' and 'unicode' > >> > >> > >> > >> > ------------------------------------------------------------------------------ > >> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! > >> Discover the easy way to master current and previous Microsoft > technologies > >> and advance your career. Get an incredible 1,500+ hours of step-by-step > >> tutorial videos with LearnDevNow. Subscribe today and save! > >> > http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > > > > > -- > Sebastian Nerz > Dipl.-Inform. > IT-Security Consultant > > mailto:seb...@sy... > ___________________________________________________________ > > SySS GmbH > Wohlboldstraße 8 > 72072 Tübingen > Germany > Voice: +49 7071 407856-31 > Fax: +49 7071 407856-19 > WWW: http://www.syss.de > > PGP FP: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2 > > Geschaeftsfuehrer Sebastian Schreiber > Registergericht: Amtsgericht Stuttgart / HRB 382420 > Steuernummer: 86118 / 55809 > > > -- Miroslav Stampar http://about.me/stamparm |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X