sqlmap-users

[sqlmap-users] Garbled output

[fuzion <ad...@nu...>]

I was testing a script with the lastest svn r346 (and a few revisions
prior) and I keep getting garbled output:

[19:40:39] [INPUT] there were multiple injection points, please select
the one to use to go ahead:
[0] place: POST, parameter: email, type: stringdouble (default)
[1] place: User-Agent, parameter: User-Agent, type: numeric
[q] Quit
Choice: 0
[19:40:46] [INFO] testing for parenthesis on injectable parameter
[19:40:46] [INFO] the injectable parameter requires 3 parenthesis
[19:40:46] [INFO] testing MySQL
[19:40:46] [INFO] confirming MySQL
[19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
[19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
[19:40:52] [ERROR] user aborted

Here's the command I used:
sqlmap.py -u "http://site/forgot.php" --method=POST
--data="email=1&location=%2Fforgot%2Ephp" --dbms=mysql

Any idea what's causing this? It's the same DB I've always used for testing...


-- 
http://www.nukeit.org

Re: [sqlmap-users] Garbled output

[fuzion <ad...@nu...>]

Addendum:

I just noticed that my -u was "http://serverip:80/forgot.php"
When I remove the port :80 it doesn't even show that it's injectable...

-- 
http://www.nukeit.org

Re: [sqlmap-users] Garbled output

[Bernardo D. A. G. <ber...@gm...>]

Hi,

On Wed, Jan 21, 2009 at 01:45, fuzion <ad...@nu...> wrote:
> ...
> [19:40:46] [INFO] testing for parenthesis on injectable parameter
> [19:40:46] [INFO] the injectable parameter requires 3 parenthesis
> [19:40:46] [INFO] testing MySQL
> [19:40:46] [INFO] confirming MySQL
> [19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
> [19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
> [19:40:52] [ERROR] user aborted

It looks like the site is extremely unstable in its HTTP response
contents. Try to provide a --string or a --regexp to match on. Refer
to sqlmap user's manual (doc/README.pdf) 'Page comparison' paragraph
for details.

Regards,
-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F

Re: [sqlmap-users] Garbled output

[fuzion <ad...@nu...>]

Interesting idea, but it sqlmap is running on the same machine hosting apache :)

On Wed, Jan 21, 2009 at 3:24 AM, Bernardo Damele A. G.
<ber...@gm...> wrote:
> Hi,
>
> On Wed, Jan 21, 2009 at 01:45, fuzion <ad...@nu...> wrote:
>> ...
>> [19:40:46] [INFO] testing for parenthesis on injectable parameter
>> [19:40:46] [INFO] the injectable parameter requires 3 parenthesis
>> [19:40:46] [INFO] testing MySQL
>> [19:40:46] [INFO] confirming MySQL
>> [19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
>> [19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
>> [19:40:52] [ERROR] user aborted
>
> It looks like the site is extremely unstable in its HTTP response
> contents. Try to provide a --string or a --regexp to match on. Refer
> to sqlmap user's manual (doc/README.pdf) 'Page comparison' paragraph
> for details.
>
> Regards,
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
> PGP Key ID: 0x05F5A30F
>



-- 
http://www.nukeit.org

Re: [sqlmap-users] Garbled output

[Bernardo D. A. G. <ber...@gm...>]

That has nothing to do. Again, it might be caused by the page content
dinamicity based on the information you provided.

On Wed, Jan 21, 2009 at 09:39, fuzion <ad...@nu...> wrote:
> Interesting idea, but it sqlmap is running on the same machine hosting apache :)
>
> On Wed, Jan 21, 2009 at 3:24 AM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>> Hi,
>>
>> On Wed, Jan 21, 2009 at 01:45, fuzion <ad...@nu...> wrote:
>>> ...
>>> [19:40:46] [INFO] testing for parenthesis on injectable parameter
>>> [19:40:46] [INFO] the injectable parameter requires 3 parenthesis
>>> [19:40:46] [INFO] testing MySQL
>>> [19:40:46] [INFO] confirming MySQL
>>> [19:40:46] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1
>>> [19:40:46] [INFO] retrieved: ow♂_K/{oX=WY{Y⌂vz_L~gm;o⌂1~W
>>> [19:40:52] [ERROR] user aborted
>>
>> It looks like the site is extremely unstable in its HTTP response
>> contents. Try to provide a --string or a --regexp to match on. Refer
>> to sqlmap user's manual (doc/README.pdf) 'Page comparison' paragraph
>> for details.
>>
>> Regards,
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
>> PGP Key ID: 0x05F5A30F
>>
>
>
>
> --
> http://www.nukeit.org
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F