sqlmap-users

[sqlmap-users] GET parameters not being recognised

[Ryan D. <rya...@gm...>]

Hello,
While trying to run SQLMap on Windows Vista (PE version) I get the
following error:

C:\Users\user\Desktop\sqlmap\sqlmap>sqlmap.exe --auth-type=BASIC
--auth-cred=user:password@ -u
http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInput
Name=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1

    sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
                      and Daniele Bellucci <dan...@gm...>

[*] starting at: 13:13:10

[13:13:10] [INFO] testing connection to the target url
[13:13:13] [INFO] testing if the url is stable, wait a few seconds
[13:13:18] [INFO] url is stable
[13:13:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[13:13:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[13:13:21] [INFO] testing if Cookie parameter
'MIPHPF_SESSION-1631451101' is dynamic
[13:13:23] [WARNING] Cookie parameter 'MIPHPF_SESSION-1631451101' is not dynamic
[13:13:23] [INFO] testing if GET parameter 'ModuleName' is dynamic
[13:13:27] [WARNING] GET parameter 'ModuleName' is not dynamic

[*] shutting down at: 13:13:27

'RatingActionInputName' is not recognized as an internal or external command,
operable program or batch file.
'ProductReviewText' is not recognized as an internal or external command,
operable program or batch file.
'ProductRatingVoteValue' is not recognized as an internal or external command,
operable program or batch file.
'action' is not recognized as an internal or external command,
operable program or batch file.
'ProductID' is not recognized as an internal or external command,
operable program or batch file.

Any help much apretiated.

Ryan

Re: [sqlmap-users] GET parameters not being recognised

[Andres R. <and...@gm...>]

Ryan,

On Tue, Jul 14, 2009 at 9:21 AM, Ryan Dewhurst<rya...@gm...> wrote:
> Hello,
> While trying to run SQLMap on Windows Vista (PE version) I get the
> following error:
>
> C:\Users\user\Desktop\sqlmap\sqlmap>sqlmap.exe --auth-type=BASIC
> --auth-cred=user:password@ -u
> http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInput
> Name=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1

You should use quotes around the URL:

sqlmap.exe --auth-type=BASIC --auth-cred=user:password@ -u
"http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInputName=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1"

At least that will work on Linux.
>    sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
>                      and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 13:13:10
>
> [13:13:10] [INFO] testing connection to the target url
> [13:13:13] [INFO] testing if the url is stable, wait a few seconds
> [13:13:18] [INFO] url is stable
> [13:13:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [13:13:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [13:13:21] [INFO] testing if Cookie parameter
> 'MIPHPF_SESSION-1631451101' is dynamic
> [13:13:23] [WARNING] Cookie parameter 'MIPHPF_SESSION-1631451101' is not dynamic
> [13:13:23] [INFO] testing if GET parameter 'ModuleName' is dynamic
> [13:13:27] [WARNING] GET parameter 'ModuleName' is not dynamic
>
> [*] shutting down at: 13:13:27
>
> 'RatingActionInputName' is not recognized as an internal or external command,
> operable program or batch file.
> 'ProductReviewText' is not recognized as an internal or external command,
> operable program or batch file.
> 'ProductRatingVoteValue' is not recognized as an internal or external command,
> operable program or batch file.
> 'action' is not recognized as an internal or external command,
> operable program or batch file.
> 'ProductID' is not recognized as an internal or external command,
> operable program or batch file.
>
> Any help much apretiated.
>
> Ryan
>
> ------------------------------------------------------------------------------
> Enter the BlackBerry Developer Challenge
> This is your chance to win up to $100,000 in prizes! For a limited time,
> vendors submitting new applications to BlackBerry App World(TM) will have
> the opportunity to enter the BlackBerry Developer Challenge. See full prize
> details at: http://p.sf.net/sfu/Challenge
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

Re: [sqlmap-users] GET parameters not being recognised

[Ryan D. <rya...@gm...>]

2009/7/14 Andres Riancho <and...@gm...>:
> Ryan,
>
> On Tue, Jul 14, 2009 at 9:21 AM, Ryan Dewhurst<rya...@gm...> wrote:
>> Hello,
>> While trying to run SQLMap on Windows Vista (PE version) I get the
>> following error:
>>
>> C:\Users\user\Desktop\sqlmap\sqlmap>sqlmap.exe --auth-type=BASIC
>> --auth-cred=user:password@ -u
>> http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInput
>> Name=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1
>
> You should use quotes around the URL:
>
> sqlmap.exe --auth-type=BASIC --auth-cred=user:password@ -u
> "http://localhost/pentest/module.php?ModuleName=com.rating.actions&RatingActionInputName=ggg&ProductReviewText=ggg&ProductRatingVoteValue=2&action=acExecRate&ProductID=1"
>
> At least that will work on Linux.

Aye that worked! Thanks Andres.

>>    sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
>>                      and Daniele Bellucci <dan...@gm...>
>>
>> [*] starting at: 13:13:10
>>
>> [13:13:10] [INFO] testing connection to the target url
>> [13:13:13] [INFO] testing if the url is stable, wait a few seconds
>> [13:13:18] [INFO] url is stable
>> [13:13:18] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> [13:13:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> [13:13:21] [INFO] testing if Cookie parameter
>> 'MIPHPF_SESSION-1631451101' is dynamic
>> [13:13:23] [WARNING] Cookie parameter 'MIPHPF_SESSION-1631451101' is not dynamic
>> [13:13:23] [INFO] testing if GET parameter 'ModuleName' is dynamic
>> [13:13:27] [WARNING] GET parameter 'ModuleName' is not dynamic
>>
>> [*] shutting down at: 13:13:27
>>
>> 'RatingActionInputName' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'ProductReviewText' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'ProductRatingVoteValue' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'action' is not recognized as an internal or external command,
>> operable program or batch file.
>> 'ProductID' is not recognized as an internal or external command,
>> operable program or batch file.
>>
>> Any help much apretiated.
>>
>> Ryan
>>
>> ------------------------------------------------------------------------------
>> Enter the BlackBerry Developer Challenge
>> This is your chance to win up to $100,000 in prizes! For a limited time,
>> vendors submitting new applications to BlackBerry App World(TM) will have
>> the opportunity to enter the BlackBerry Developer Challenge. See full prize
>> details at: http://p.sf.net/sfu/Challenge
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>