Re: [sqlmap-users] [Critical] not authorized
From: Miroslav S. <mir...@gm...> - 2014-04-29 21:28:06
Hi.

Please update to the latest revision and try to run with (hidden) switch --ignore-401.

Kind regards,
Miroslav Stampar

On Tue, Apr 29, 2014 at 3:32 PM, Travis Altman <tra...@gm...> wrote:

> I'm using the conf file to kick everything off. The only thing modified
> in the conf is the URL and the data sent in the post request.
>
> ============================== Conf file ================================
>
> # Target URL.
> # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
> url = http://blah/login
>
> # Parse targets from Burp or WebScarab logs
> # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
> # or WebScarab proxy (
> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
> # 'conversations/' folder path
> logFile =
>
> # Scan multiple targets enlisted in a given textual file
> bulkFile =
>
> # Load HTTP request from a file
> # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent:
> Mozilla/4.0\n\nuserid=joe&password=guessme
> requestFile =
>
> # Rather than providing a target URL, let Google return target
> # hosts as result of your Google dork expression. For a list of Google
> # dorks see Johnny Long Google Hacking Database at
> # http://johnny.ihackstuff.com/ghdb.php.
> # Example: +ext:php +inurl:"&id=" +intext:"powered by "
> googleDork =
>
>
> # These options can be used to specify how to connect to the target URL.
> [Request]
>
> # Data string to be sent through POST.
> data = <?xml version="1.0" encoding="UTF-8"?><ns7:LoginInput
> sessionDiscriminator="blah" locale="en_US" role="" group=""
> password="monkey" username="monkey" xmlns:ns6="
> http://blah.com/Schemas/Core/2008-03/Session" xmlns:ns2="
> http://blah.com/Schemas/Soa/2006-03/Base" xmlns:ns5="
> http://blah.com/Schemas/Core/2007-12/Session" xmlns="
> http://blah.com/Schemas/Core/2006-03/Session" xmlns:ns8="
> http://blah.com/Schemas/Core/2009-04/Session" xmlns:ns3="
> http://blah.com/Schemas/Core/2007-01/Session" xmlns:ns7="
> http://blah.com/Schemas/Core/2008-06/Session" xmlns:ns4="
> http://blah.com/Schemas/Core/2007-06/Session" xmlns:ns10="
> http://blah.com/Schemas/Core/2012-02/Session" xmlns:ns9="
> http://blah.com/Schemas/Core/2010-04/Session"/>
>
> # Character used for splitting parameter values
> paramDel =
>
> ================================== Command line output
> ===================================
>
> [C:\tools\sqlmap-bd16bb7]python sqlmap.py -c sqlmap.conf
>
> sqlmap/1.0-dev - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 23:12:39
>
> [23:12:39] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output
> directory
> [23:12:39] [INFO] testing connection to the target URL
> [23:12:39] [INFO] heuristics detected web page charset 'ascii'
> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP
> authentication type and valid credentials (401)
> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP
> authentication type and valid credentials (401)
> [23:12:39] [WARNING] HTTP error codes detected during run:
> 401 (Unauthorized) - 1 times
>
> [*] shutting down at 23:12:39
>
>
> [C:\tools\sqlmap-bd16bb7]
>
> ================================= End
> ===========================================
>
> Let me know if any more information is needed. Thanks for all the help.
>
>
> On Tue, Apr 29, 2014 at 1:51 AM, Miroslav Stampar <
> mir...@gm...> wrote:
>
>> Can you please send sqlmap console log and used parameters?
>> On Apr 28, 2014 10:42 PM, "Travis Altman" <tra...@gm...> wrote:
>>
>>> Wants me to provide the right http authentication type but the
>>> credentials are in the body of the post request. I'm intentionally
>>> providing bad credentials which does result in a "401 Unauthorized", not
>>> sure if sqlmap is triggering off of that. Also the body of the request is
>>> XML if that makes any difference. Any idea why this might be happening?
>>>
>

--
Miroslav Stampar
http://about.me/stamparm