syntaxgeek / gason Goto Github PK

05-Apr-2012 21:03:04 CustomPlugin.sqlmap.sqlmapGUI Execute
SEVERE: null
java.io.IOException: Cannot run program "D:\tools\db\sqlmap-0.9\sqlmap\sqlmap.py
": CreateProcess error=193, %1 is not a valid Win32 application
        at java.lang.ProcessBuilder.start(Unknown Source)
        at CustomPlugin.sqlmap.sqlmapTab.<init>(Unknown Source)
        at CustomPlugin.sqlmap.sqlmapGUI.Execute(Unknown Source)
        at CustomPlugin.sqlmap.sqlmapGUI.bnt_runActionPerformed(Unknown Source)
        at CustomPlugin.sqlmap.sqlmapGUI.access$2400(Unknown Source)
        at CustomPlugin.sqlmap.sqlmapGUI$55.actionPerformed(Unknown Source)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Sour
ce)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$000(Unknown Source)
        at java.awt.EventQueue$1.run(Unknown Source)
        at java.awt.EventQueue$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown
Source)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown
Source)
        at java.awt.EventQueue$2.run(Unknown Source)
        at java.awt.EventQueue$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown
Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.io.IOException: CreateProcess error=193, %1 is not a valid Win32
 application
        at java.lang.ProcessImpl.create(Native Method)
        at java.lang.ProcessImpl.<init>(Unknown Source)
        at java.lang.ProcessImpl.start(Unknown Source)
        ... 42 more

---------------------------------------

Doesn't look like that function will execute a .py file under windows.

Couldn't find a way to manipulate the bin path string to read 'python 
d:\tools\...\sqlmap.py' or similar.

Instead created a sqlmap.bat file with the following contents as a workaround:

cd d:\tools\db\sqlmap-0.9\sqlmap\
python sqlmap.py %*

What is the expected output? What do you see instead?
i can't make the cammand "python.exe" run on my windows ! 
but without "python.exe path/sqlmap.py -u url... --dbs 
it works like charm . 
So the Creator or the Developer can modify and make it convinient to the users 
to Edit and add their own manual commands ! then it would be Fantastic 

What version of the product are you using? On what operating system?

version : v0.9.6
OS : Windows (8)

Please provide any additional information below.

I mean , can you make it possible to add a Edit option in the "Command" Field , 
By double Clicking users can edit as per their requirements ! just how it's 
down for  "Parameters to test " Field . 

Thank You , If you consider my issues and make modifications . i will be 
waiting for issue to be resolve . 

Exception in thread "main" java.lang.NoClassDefFoundError: burp/LoadBurp
Caused by: java.lang.ClassNotFoundException: burp.LoadBurp
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: burp.LoadBurp.  Program will exit.

What steps will reproduce the problem?
1. Open the GUI.


What version of the product are you using? On what operating system?
0.9.5

Please provide any additional information below.
The width of the listbox is insufficient leading to entries which are not 
displayed completely. The Layout does not lead to resize of the components.

In windows, using a work around (could be due to execution via a .bat file?) 
the following occurs.

It runs fine but then appears to stop (see screenshot):

[22:06:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'

The scroll is all the way to the bottom but SQLMap is awaiting user input. 
However, the prompt hasn't been written to the Burpsuite tab.

Pressing Enter within the tab gets the console to move onto:

GET parameter 'cat' is vulnerable. Do you want to keep testing the others? 
[y/N] sqlmap identified the following injection points with a total of 44 
HTTP(s) requests:
etc

What steps will reproduce the problem?
1. Use Burp to capture an request (with params)
2. Send request to wrapper.
3. click on the list of parameters

What is the expected output? What do you see instead?
The expected behaviour would be parsing all parameters used either in GET or 
POST-Requests.
The actual code reflects only GET-Parameter-Parsing, any POST-Params are simply 
ignored.

On a click on the list of params a NullPointerException is thrown.

Please provide any additional information below:
Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
        at CustomPlugin.sqlmap.sqlmapGUI.lst_paramsMouseClicked(sqlmapGUI.java:1321)
        at CustomPlugin.sqlmap.sqlmapGUI.access$1800(sqlmapGUI.java:49)
        at CustomPlugin.sqlmap.sqlmapGUI$47.mouseClicked(sqlmapGUI.java:1124)
        at java.awt.AWTEventMulticaster.mouseClicked(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$000(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue$4.run(Unknown Source)
        at java.awt.EventQueue$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)

A service that I would like to attack uses HTTP Basic Authentication. 

I did not find a way to add the credentials in your plugin or add header fields 
like I am able to when using the command line version: --auth-type=basic 
--auth-cred=user:password OR --header="Authorization: Basic 
QWxhZGRpbjpvcGVuIHNlc2FtZQ=="