Bug 12981

Summary: Error in /usr/bin/sqlmap shell script.
Product: Mageia Reporter: PC LX <mageia>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: mga4-32-ok mga4-64-ok advisory
Source RPM: sqlmap-0.9-9.mga4.src.rpm CVE:
Status comment:

Description PC LX 2014-03-10 12:44:56 CET 
The shell script /usr/bin/sqlmap is not passing the command line parameters to the python script.

The fix is simple. In /usr/bin/sqlmap, the line:

./sqlmap.py ""

should instead be:

./sqlmap.py "$@"


Extra information:

$ rpm -qf /usr/bin/sqlmap
sqlmap-0.9-9.mga4
$ cat /usr/bin/sqlmap
#!/bin/sh
cd /usr/share/sqlmap
./sqlmap.py ""
David Walser 2014-03-10 19:57:43 CET

Assignee: bugsquad => guillomovitch

Comment 1 Guillaume Rousse 2014-03-12 21:17:04 CET 
Indeed.

I just submitted sqlmap-0.9-9.1.mga4 in updates_testing, that should fix the issue.
Comment 2 Guillaume Rousse 2014-03-19 20:20:54 CET 
How to test:
'sqlmap' and 'sqlmap -h' result in the same output, because '-h' option is not passed.

Suggested advisory:
===================

A bug in the wrapper script provided in sqlmap package prevented it to work properly, sqlmap-0.9-9.1.mga4 release fixes the issue.

Assignee: guillomovitch => qa-bugs

Comment 3 David GEIGER 2014-03-21 17:53:02 CET 
Tested mga4_32,

Testing complete for sqlmap-0.9-9.1.mga4, seems work here, I confirm the fix of bug :

Before:

[david@localhost ~]$ cat /usr/bin/sqlmap
#!/bin/sh
cd /usr/share/sqlmap
./sqlmap.py ""

[david@localhost ~]$ sqlmap -h

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

sqlmap.py: error: missing a mandatory parameter ('-d', '-u', '-l', '-r', '-g', '-c', '--wizard' or '--update'), -h for help

--------------------------------------------------------------------------------

After:

[david@localhost ~]$ cat /usr/bin/sqlmap
#!/bin/sh
cd /usr/share/sqlmap
./sqlmap.py "$@"

[david@localhost ~]$ sqlmap -h

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be specified to set the source to
    get target urls from.
.......................
.......................

  Miscellaneous:
    --beep              Alert when sql injection found
    --check-payload     IDS detection testing of injection payloads
    --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
    --forms             Parse and test forms on target url
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --page-rank         Display page rank (PR) for Google dork results
    --parse-errors      Parse DBMS error messages from response pages
    --replicate         Replicate dumped data into a sqlite3 database
    --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
    --wizard            Simple wizard interface for beginner users

CC: (none) => geiger.david68210
Whiteboard: (none) => mga4-32-ok

Comment 4 David GEIGER 2014-03-21 18:02:16 CET 
Tested mga4_64,

Testing complete for sqlmap-0.9-9.1.mga4, seems work here, I confirm the fix of bug :

Before:

[david@localhost ~]$ cat /usr/bin/sqlmap
#!/bin/sh
cd /usr/share/sqlmap
./sqlmap.py ""

[david@localhost ~]$ sqlmap -h

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

sqlmap.py: error: missing a mandatory parameter ('-d', '-u', '-l', '-r', '-g', '-c', '--wizard' or '--update'), -h for help

--------------------------------------------------------------------------------

After:

[david@localhost ~]$ cat /usr/bin/sqlmap
#!/bin/sh
cd /usr/share/sqlmap
./sqlmap.py "$@"

[david@localhost ~]$ sqlmap -h

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

Usage: python ./sqlmap.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be specified to set the source to
    get target urls from.

.........................
.........................

  Miscellaneous:
    --beep              Alert when sql injection found
    --check-payload     IDS detection testing of injection payloads
    --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
    --forms             Parse and test forms on target url
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --page-rank         Display page rank (PR) for Google dork results
    --parse-errors      Parse DBMS error messages from response pages
    --replicate         Replicate dumped data into a sqlite3 database
    --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
    --wizard            Simple wizard interface for beginner users

Whiteboard: mga4-32-ok => mga4-32-ok mga4-64-ok

Comment 5 Dave Hodgins 2014-03-23 21:53:12 CET 
Advisory committed to svn. Validating the update.

Someone from the sysadmin team please push 12670.adv to updates.

Whiteboard: mga4-32-ok mga4-64-ok => mga4-32-ok mga4-64-ok advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Thomas Backlund 2014-03-24 08:43:24 CET 
Update pushed:
http://advisories.mageia.org/MGAA-2014-0089.html

CC: (none) => tmb
Status: NEW => RESOLVED
Resolution: (none) => FIXED