Re: [sqlmap-users] [Critical] not authorized
From: Travis A. <tra...@gm...> - 2014-04-29 13:32:40
I'm using the conf file to kick everything off. The only thing modified in the conf is the URL and the data sent in the post request.

============================== Conf file ================================
# Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url = http://blah/login

# Parse targets from Burp or WebScarab logs
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy ( http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
logFile =

# Scan multiple targets enlisted in a given textual file
bulkFile =

# Load HTTP request from a file
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
requestFile =

# Rather than providing a target URL, let Google return target
# hosts as result of your Google dork expression. For a list of Google
# dorks see Johnny Long Google Hacking Database at
# http://johnny.ihackstuff.com/ghdb.php.
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork =

# These options can be used to specify how to connect to the target URL.
[Request]

# Data string to be sent through POST.
data = <?xml version="1.0" encoding="UTF-8"?><ns7:LoginInput sessionDiscriminator="blah" locale="en_US" role="" group="" password="monkey" username="monkey" xmlns:ns6=" http://blah.com/Schemas/Core/2008-03/Session" xmlns:ns2=" http://blah.com/Schemas/Soa/2006-03/Base" xmlns:ns5=" http://blah.com/Schemas/Core/2007-12/Session" xmlns=" http://blah.com/Schemas/Core/2006-03/Session" xmlns:ns8=" http://blah.com/Schemas/Core/2009-04/Session" xmlns:ns3=" http://blah.com/Schemas/Core/2007-01/Session" xmlns:ns7=" http://blah.com/Schemas/Core/2008-06/Session" xmlns:ns4=" http://blah.com/Schemas/Core/2007-06/Session" xmlns:ns10=" http://blah.com/Schemas/Core/2012-02/Session" xmlns:ns9=" http://blah.com/Schemas/Core/2010-04/Session"/>

# Character used for splitting parameter values
paramDel =

================================== Command line output ===================================
[C:\tools\sqlmap-bd16bb7]python sqlmap.py -c sqlmap.conf

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:12:39

[23:12:39] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output directory
[23:12:39] [INFO] testing connection to the target URL
[23:12:39] [INFO] heuristics detected web page charset 'ascii'
[23:12:39] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)
[23:12:39] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)
[23:12:39] [WARNING] HTTP error codes detected during run: 401 (Unauthorized) - 1 times

[*] shutting down at 23:12:39

[C:\tools\sqlmap-bd16bb7]
================================= End ===========================================

Let me know if any more information is needed. Thanks for all the help.

On Tue, Apr 29, 2014 at 1:51 AM, Miroslav Stampar <mir...@gm...> wrote:

> Can you please send sqlmap console log and used parameters?
> On Apr 28, 2014 10:42 PM, "Travis Altman" <tra...@gm...> wrote:
>
>> Wants me to provide the right http authentication type but the
>> credentials are in the body of the post request. I'm intentionally
>> providing bad credentials which does result in a "401 Unauthorized", not
>> sure if sqlmap is triggering off of that. Also the body of the request is
>> XML if that makes any difference. Any idea why this might be happening?