Hi Devon

With the latest commit (r5077) you won't be asked any more for that "you've
probably...tainted..." in "multiple target mode".

That simply means that the check will only be conducted if the user has explicitly
used the -u parameter, and not in those more advanced modes (-g, -m, ...).

Kind regards,
Miroslav Stampar

On Thu, May 24, 2012 at 5:22 PM, Devon <devon.mitch...@aol.com> wrote:

> Hello,
>
> I encountered a situation where --batch ended up prematurely ending a scan
> of a website.  The reason is because there was an invalid link on the
> site's HTML document, that confused sqlmap into exiting.  Here's the output
> which I think should explain it better:
>
> root@apj351:~# ./sqlmap.py --random-agent --threads=5 -u 'http://XXXXXXXXXXXXXXXXXX/' --crawl=5 --batch
>
>     sqlmap/1.0-dev (r5058) - automatic SQL injection and database takeover
> tool
>     http://www.sqlmap.org
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Authors assume no liability and
> are not responsible for any misuse or damage caused by this program
>
> [*] starting at 08:06:59
>
> [08:06:59] [INFO] fetched random HTTP User-Agent header from file
> '/opt/sqlmap/txt/user-agents.txt': Opera/9.80 (X11; Linux x86_64; U; en-GB)
> Presto/2.2.15 Version/10.01
> [08:06:59] [INFO] starting crawler
> [08:06:59] [INFO] searching for links with depth 1
> [08:07:00] [INFO] heuristics detected web page charset 'ascii'
> [08:07:00] [INFO] searching for links with depth 2
> [08:07:00] [INFO] starting 5 threads
> [08:07:02] [INFO] 3/57 links visited (5%)
> [08:07:02] [INFO] heuristics detected web page charset 'utf-8'
> [08:07:12] [INFO] 28/57 links visited (49%)
> [08:07:12] [INFO] heuristics detected web page charset 'ISO-8859-2'
> [08:07:22] [INFO] searching for links with depth 3
> [08:07:22] [INFO] starting 5 threads
> [08:07:47] [INFO] searching for links with depth 4
> [08:07:47] [INFO] starting 5 threads
> [08:08:14] [INFO] searching for links with depth 5
> [08:08:14] [INFO] starting 5 threads
> [08:08:41] [INFO] sqlmap got a total of 20 targets
> [08:08:41] [INFO] url 1:
> GET http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something
> somsething something (Yadda yadda)
> do you want to test this url? [Y/n/q]
> > Y
> [08:08:41] [INFO] testing url
> http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething
> something (Yadda yadda)
> [08:08:41] [WARNING] it appears that you have provided tainted parameter
> values ('selected=03. Something somsething something (Yadda yadda)') with
> most probably leftover chars from manual sql injection tests (;()') or
> non-valid numerical value. Please, always use only valid parameter values
> so sqlmap could be able to properly run
> [08:08:41] [INFO] Are you sure you want to continue? [y/N] N
>
> [*] shutting down at 08:08:41
>
>
> I think in addition to --batch, it would be useful to have something like
> --yes which just assumes "yes" for any prompt that comes up.  It is just an
> idea, but I thought it might be useful since --batch is most often used in
> non-interactive scripts where the user might not catch what happened.
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
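
An added example, not part of the original messages and not sqlmap's own code: a Python check for scripts that capture sqlmap's console output under --batch, listing every prompt with the answer that was given and flagging a run that shut down right after an automatic negative answer. The prompt and answer-echo patterns are inferred only from the output quoted in this thread; `audit_prompts` and `SAMPLE` are hypothetical names.

```python
import re

# A prompt line ends with its choices, e.g. "[y/N]" or "[Y/n/q]"; the chosen
# answer is echoed after it, or on the next line as "> Y" (per the quoted log).
PROMPT = re.compile(r"^(?:\[\d\d:\d\d:\d\d\] \[\w+\] )?(?P<q>.*\?) "
                    r"\[(?P<opts>\w(?:/\w)+)\]\s*(?P<ans>\w*)$")
ECHO = re.compile(r"^> (?P<ans>\w+)$")
SHUTDOWN = re.compile(r"^\[\*\] shutting down")

def audit_prompts(log_text):
    """Return one record per prompt: question, answer, and whether the run
    shut down right after a negative answer (a silently aborted scan)."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    records = []
    for i, line in enumerate(lines):
        m = PROMPT.match(line)
        if not m:
            continue
        answer, nxt = m.group("ans"), i + 1
        if not answer and nxt < len(lines):
            echo = ECHO.match(lines[nxt])
            if echo:
                answer, nxt = echo.group("ans"), nxt + 1
        aborted = (answer.lower() in ("n", "q")
                   and nxt < len(lines)
                   and bool(SHUTDOWN.match(lines[nxt])))
        records.append({"question": m.group("q"), "answer": answer, "aborted": aborted})
    return records

# Sample input: lines from the output quoted in this thread, with the mail
# client's hard wraps joined and the long warning text shortened.
SAMPLE = """\
[08:08:41] [INFO] sqlmap got a total of 20 targets
[08:08:41] [INFO] url 1:
GET http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething something (Yadda yadda)
do you want to test this url? [Y/n/q]
> Y
[08:08:41] [INFO] testing url http:/XXXXXXXXXXXXXXXXXX/YYYYYYYYYYY.aspx?selected=03. Something somsething something (Yadda yadda)
[08:08:41] [WARNING] it appears that you have provided tainted parameter values
[08:08:41] [INFO] Are you sure you want to continue? [y/N] N

[*] shutting down at 08:08:41
"""

if __name__ == "__main__":
    for rec in audit_prompts(SAMPLE):
        flag = "ABORTED RUN" if rec["aborted"] else "ok"
        print(f'{flag}: "{rec["question"]}" answered {rec["answer"]!r}')
```
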