Hello,
I encountered a situation where --batch ended up prematurely ending a scan of a
website. The reason is that there was an invalid link in the site's HTML
document that confused sqlmap into exiting. Here's the output, which I think
should explain it better:

root@apj351:~# ./sqlmap.py --random-agent --threads=5 -u
'http://XXXXXXXXXXXXXXXXXX/' --crawl=5 --batch
sqlmap/1.0-dev (r5058) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Authors assume no liability and are
not responsible for any misuse or damage caused by this program
[*] starting at 08:06:59
[08:06:59] [INFO] fetched random HTTP User-Agent header from file
'/opt/sqlmap/txt/user-agents.txt': Opera/9.80 (X11; Linux x86_64; U; en-GB)
Presto/2.2.15 Version/10.01
[08:06:59] [INFO] starting crawler
[08:06:59] [INFO] searching for links with depth 1
[08:07:00] [INFO] heuristics detected web page charset 'ascii'
[08:07:00] [INFO] searching for links with depth 2
[08:07:00] [INFO] starting 5 threads
[08:07:02] [INFO] 3/57 links visited (5%)
[08:07:02] [INFO] heuristics detected web page charset 'utf-8'
[08:07:12] [INFO] 28/57 links visited (49%)
[08:07:12] [INFO] heuristics detected web page charset 'ISO-8859-2'
[08:07:22] [INFO] searching for links with depth 3
[08:07:22] [INFO] starting 5 threads
[08:07:47] [INFO] searching for links with depth 4
[08:07:47] [INFO] starting 5 threads
[08:08:14] [INFO] searching for links with depth 5
[08:08:14] [INFO] starting 5 threads
[08:08:41] [INFO] sqlmap got a total of 20 targets
[08:08:41] [INFO] url 1:
GET http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething
something (Yadda yadda)
do you want to test this url? [Y/n/q]
> Y
[08:08:41] [INFO] testing url
http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething
something (Yadda yadda)
[08:08:41] [WARNING] it appears that you have provided tainted parameter values
('selected=03. Something somsething something (Yadda yadda)') with most
probably leftover chars from manual sql injection tests (;()') or non-valid
numerical value. Please, always use only valid parameter values so sqlmap could
be able to properly run
[08:08:41] [INFO] Are you sure you want to continue? [y/N] N
[*] shutting down at 08:08:41

I think in addition to --batch, it would be useful to have something like --yes
which just assumes "yes" for any prompt that comes up. It is just an idea, but
I thought it might be useful since --batch is most often used in
non-interactive scripts where the user might not catch what happened.
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
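
Added example (not part of the original post and not sqlmap code): a small Python check that a wrapper script could run over the console output of a --batch run to notice when a prompt was auto-answered "N" and the scan stopped before every crawled target was tested. The prompt formats are taken from the output quoted above; the function names and the abbreviated sample log are assumptions made for this example.

```python
import re

# Constructed sample: abbreviated from the console output quoted in the post.
SAMPLE_LOG = """\
[08:08:41] [INFO] sqlmap got a total of 20 targets
[08:08:41] [INFO] url 1:
do you want to test this url? [Y/n/q]
> Y
[08:08:41] [WARNING] it appears that you have provided tainted parameter values
[08:08:41] [INFO] Are you sure you want to continue? [y/N] N
[*] shutting down at 08:08:41
"""

# A prompt ends in bracketed choices; the upper-case choice is the default,
# which is what --batch picks. The answer follows inline or on a "> " line.
PROMPT_RE = re.compile(
    r"^(?:\[\d\d:\d\d:\d\d\] \[\w+\] )?(?P<question>.*\?) "
    r"\[(?P<choices>[A-Za-z](?:/[A-Za-z])+)\]\s*(?P<answer>\S*)$")
ANSWER_RE = re.compile(r"^> (?P<answer>\S+)$")
TOTAL_RE = re.compile(r"got a total of (\d+) targets")


def parse_prompts(log):
    """Return (question, default, answer) for every prompt found in the log."""
    lines = log.splitlines()
    prompts = []
    for i, line in enumerate(lines):
        m = PROMPT_RE.match(line)
        if not m:
            continue
        answer = m.group("answer")
        if not answer and i + 1 < len(lines):
            nxt = ANSWER_RE.match(lines[i + 1])
            answer = nxt.group("answer") if nxt else ""
        default = next((c for c in m.group("choices").split("/") if c.isupper()), "")
        prompts.append((m.group("question"), default, answer))
    return prompts


def audit_batch_run(log):
    """Summarise a run and flag it when it stopped before testing every target."""
    total = TOTAL_RE.search(log)
    targets = int(total.group(1)) if total else None
    prompts = parse_prompts(log)
    tested = sum(1 for q, _, a in prompts if "test this url" in q and a.upper() == "Y")
    declined = [q for q, _, a in prompts if a.upper() == "N"]
    premature = targets is not None and tested < targets and bool(declined)
    return {"targets": targets, "tested": tested,
            "declined": declined, "premature": premature}
```

Calling audit_batch_run() on the captured output of a scripted run gives the wrapper a value to alert on instead of relying on someone reading the log.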