Re: [sqlmap-users] Problem with using Webscarab conversations
From: Miroslav S. <mir...@gm...> - 2011-01-31 09:35:23
Hi.

Are you positive that the site is injectable? Have you tried to exploit it manually? You can try to use advanced payloads with switches --level (e.g. 3) and --risk (e.g. 3).

If you need help you can contact me privately.

KR

On Sun, Jan 30, 2011 at 9:13 PM, Antonios Atlasis <ant...@gm...> wrote:
> Hi Miroslav,
>
> first of all, please let me apologize for my late response.
>
> I downloaded the latest svn tonight and I tested against webscarab conversation using the batch mode. It does seem to process them but it does not detect the existing SQLi.
>
> Please let me know if you want any further information.
>
> Antonios
>
> 2011/1/20 Miroslav Stampar <mir...@gm...>
>>
>> hi.
>>
>> with last commit you can find support for WebScarab log files. if you find any "problems" related please report.
>>
>> only one warning: you won't be able to process POST requests as WebScarab "smartly" stores their bodies in separate files.
>>
>> kr
>>
>> On Thu, Jan 20, 2011 at 12:32 PM, Miroslav Stampar <mir...@gm...> wrote:
>> > hi Antonios.
>> >
>> > no worry. gonna fix it probably today.
>> >
>> > kr
>> >
>> > On Thu, Jan 20, 2011 at 12:22 PM, Antonios Atlasis <ant...@gm...> wrote:
>> >> Thanks for your reply.
>> >>
>> >> The problem is that the free version of Burpsuite does not allow to save the spidering results; this is why I rely on webscarab.
>> >>
>> >> Thanks again
>> >>
>> >> Antonios
>> >> .
>> >> 2011/1/20 Miroslav Stampar <mir...@gm...>
>> >>>
>> >>> LOL
>> >>>
>> >>> we've stated that we support WebScarab logs, while we don't :)
>> >>>
>> >>> thx for reporting.
>> >>>
>> >>> we'll see what we can do. in the mean time you can try to use Burp which logs we should support most definitely.
>> >>>
>> >>> kr
>> >>>
>> >>> On Wed, Jan 19, 2011 at 10:19 PM, Miroslav Stampar <mir...@gm...> wrote:
>> >>> > Downloading right now. Will report back.
>> >>> >
>> >>> > KR
>> >>> >
>> >>> > On Wed, Jan 19, 2011 at 9:28 PM, Antonios Atlasis <ant...@gm...> wrote:
>> >>> >> Hi Miroslav and thanks for your answer,
>> >>> >>
>> >>> >> I did reproduce the results a couple of times and you can easily do so.
>> >>> >>
>> >>> >> My target is the ctf6 lampsec security (you can download it from http://sourceforge.net/projects/lampsecurity/).
>> >>> >>
>> >>> >> After a very fast browsing, I crawled the rest of the site using Webscarab.
>> >>> >>
>> >>> >> I run the command sqlmap --batch -v 2 -l ../webscarab-logs/conversations/
>> >>> >>
>> >>> >> sqlmap failed to find any sqli.
>> >>> >>
>> >>> >> Then I run sqlmap -u http://192.168.163.128/index.php?id=4 (one of the vulnerable urls) and it does find the sqli vulnerability.
>> >>> >>
>> >>> >> please let me know if you want me to send you any logs.
>> >>> >>
>> >>> >> Regards
>> >>> >>
>> >>> >> Antonios
>> >>> >>
>> >>> >> 2011/1/18 Miroslav Stampar <mir...@gm...>
>> >>> >>>
>> >>> >>> Hi Antonios.
>> >>> >>>
>> >>> >>> main question is: are you able to reproduce this kind of behavior again?
>> >>> >>>
>> >>> >>> if yes, then sqlmap really has some "bug" and it would be great if you could (maybe privately) provide us with further details from used logs.
>> >>> >>>
>> >>> >>> if no, thing that comes to my mind and that can screw things up is "dynamicity". we've worked hard to make a good comparison/detection engine together with dynamicity removal, but still, pages with lots of garbaged styles/tags/scripts... can screw things up, especially when only a small part of the page is affected by injection itself.
>> >>> >>> hence there are switches like --string and --text-only (removes all tags/scripts/styles and retrieves only pure text) that can do miracles in those kind of cases.
>> >>> >>>
>> >>> >>> KR
>> >>> >>>
>> >>> >>> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis <ant...@gm...> wrote:
>> >>> >>> >
>> >>> >>> > Hello to the list,
>> >>> >>> >
>> >>> >>> > after spidering a site that is vulnerable to SQLi with Webscarab, I fed its conversations directory to sqlmap using the -l option.
>> >>> >>> > sqlmap didn't find any SQLi vulnerable.
>> >>> >>> >
>> >>> >>> > Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was also included in the webscarab conversations and it had also been tested before with sqlmap), and sqlmap did find this time the specific SQLi vulnerability.
>> >>> >>> >
>> >>> >>> > Has anyone else observed a problem using Webscarab conversations? Is there any tip or trick that I can use in order to solve this problem?
>> >>> >>> >
>> >>> >>> > Thanks in advance
>> >>> >>> >
>> >>> >>> > Antonios

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
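
The "dynamicity" problem and the --text-only idea from the quoted 2011/1/18 reply, as an added example that is not part of the thread and not sqlmap's code. The three pages are constructed, and `difflib` stands in for a page-comparison engine: two fetches of the same content that differ only in style/script noise score lower on raw HTML than a page whose content really changed, while comparing the extracted text separates them correctly.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keeps visible text; drops tags and <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())


def text_only(html):
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


def ratio(x, y):
    # autojunk=False keeps the score deterministic for longer pages
    return SequenceMatcher(None, x, y, autojunk=False).ratio()


def page(body, nonce):
    # Constructed sample page: the nonce changes on every fetch
    return ("<html><head><style>.c" + nonce + "{color:#" + nonce + "}</style>"
            "<script>var token='" + nonce * 8 + "';</script></head>"
            "<body><div class='c" + nonce + "'><p>" + body + "</p></div></body></html>")


PAGE_A = page("Article 4: Welcome to the site", "a1b2c3")   # first fetch
PAGE_B = page("Article 4: Welcome to the site", "9f8e7d")   # same content, new noise
PAGE_C = page("No article found", "a1b2c3")                 # different content

if __name__ == "__main__":
    print("raw  A~B %.2f  A~C %.2f" % (ratio(PAGE_A, PAGE_B), ratio(PAGE_A, PAGE_C)))
    print("text A~B %.2f  A~C %.2f" % (ratio(text_only(PAGE_A), text_only(PAGE_B)),
                                       ratio(text_only(PAGE_A), text_only(PAGE_C))))
```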