diff --git a/doc/FAQ.sgml b/doc/FAQ.sgml index f68ca5ce7..fc7007eb9 100644 --- a/doc/FAQ.sgml +++ b/doc/FAQ.sgml @@ -101,9 +101,127 @@ some money"> to the developers via PayPal.

No. -How sqlmap decides this and that? +When sqlmap will switch to the Python 3?

-TODO +Currently there is no huge pressure on Python projects to switch to the new +version of Python interpreter, as the process of switching, especially on +larger projects can be cumbersome (due to the few backward incompatibilities). +The switch will take place eventually, but currently it's a very low priority task. + +What does "WARNING unknown charset '...'" mean? + +

+sqlmap needs to properly decode page content to be able to properly +detect and deal with internationalized characters. In some cases web developers +are doing mistakes when declaring used web page charset (e.g. iso_8859 instead +of standardized name iso-8859), which can cause problems. As a failsafe mechanism +we've incorporated heuristic detection engine +, +so in most cases sqlmap will deal with this kind of problems automatically. +Nevertheless, you are strongly advised to report us back those typographic "mistakes" +so we could handle them manually inside the code. + +

+Question(s): + + + + +How to use sqlmap with mod_rewrite enabled? + +

+Just put * to the place where sqlmap should check for injections in URI +itself. In example: ./sqlmap.py -u "www.site.com/id1/1*/id2/2" sqlmap +will try to inject the payloads just at that place marked with * character. + +

+Question(s): + + + + +Why is sqlmap not able to get password hashes in some cases? + +

+You most probably don't have enough permissions for querying on a system +table containing password hashes. + +

+Question(s): + + +What is --text-only switch? + +

+Switch --text-only is used for removing non-textual data (tags, +javascripts, styles,...) from the retrieved page content to further +improve detection capabilities. + +

+Question(s): + + +sqlmap is retrieving weird characters for even simplest data (e.g. --banner)? + +

+If everything you retrieve from the target is garbled, then you are +most probably dealing with false positive blind injection. Please +report the problem to the . + +

+Question(s): + + + +I am getting "CRITICAL connection timed" while I am able to browse +the site normally? + +

+There are few IDSes that filter out all sqlmap requests based on default +User-Agent HTTP header used (e.g. "User-agent: sqlmap/1.0-dev"). To prevent this +kind of situations you are advised to use switch --random-agent. +If you are getting those kind of messages for all targets then you +most probably need to properly set up your proxy settings (switches --proxy +and/or --ignore-proxy) + +

+Question(s): + + +Is it possible to use "INSERT/UPDATE" SQL commands via --sql-query +and/or --sql-shell? + +

+It is possible to use those commands, but only if the stacked injection is supported +by the vulnerable target. + +

+Question(s): + + +I am getting "finally: SyntaxError: invalid syntax" when trying to run sqlmap? + +

+You are most probably using outdated version of Python. sqlmap is generally +supported by Python versions in range 2.5, 2.6 and 2.7, while you are strongly +advised to use versions 2.6 and 2.7. + +

+Question(s): + + +sqlmap is not able to detect/exploit injection while Havij/Pangolin is? + +

+Currently there are only two of us working on a pure good will and donating our +free time to the community. If you are not willing to help us achive better tool +you are strongly advised to buy most probably better commercial tool(s) and just +forget about the sqlmap. Our promise is that we won't miss you as you are most +probably "script kiddie". + +

+Question(s): +