Re: [sqlmap-users] [Critical] not authorized
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] [Critical] not authorized
|
From: Miroslav S. <mir...@gm...> - 2014-04-30 19:26:33
|
Hi. Please update to the latest revision and retry it again. Bye On Wed, Apr 30, 2014 at 4:19 PM, Travis Altman <tra...@gm...>wrote: > Miroslav, > > Thanks for the update and help, the --ignore-401 worked perfectly. > Another question, sqlmap does not appear to be able to parse the XML that > I have as data in the post request, can sqlmap parse XML as input today? > Below is the output of me running it and it tries to chop out the xml tag. > > ======================= output ============================== > > [C:\tools\sqlmap-bd16bb7\sqlmap-dev]python sqlmap.py -c sqlmap.conf > --ignore-401 > > > sqlmap/1.0-dev-2e96e3c - automatic SQL injection and database takeover > tool > http://sqlmap.org > > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior > mutual > consent is illegal. It is the end user's responsibility to obey all > applicable > local, state and federal laws. Developers assume no liability and are not > respon > sible for any misuse or damage caused by this program > > [*] starting at 15:11:23 > > [15:11:23] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output > direct > ory > [15:11:23] [INFO] testing connection to the target URL > [15:11:23] [INFO] heuristics detected web page charset 'ascii' > [15:11:23] [WARNING] the web server responded with an HTTP error code > (401) whic > h could interfere with the results of the tests > [15:11:23] [INFO] testing if the target URL is stable. This can take a > couple of > seconds > [15:11:31] [INFO] target URL is stable > [15:11:31] [INFO] testing if POST parameter '<?xmlversion' is dynamic > [15:11:33] [INFO] confirming that POST parameter '<?xmlversion' is dynamic > [15:11:33] [INFO] POST parameter '<?xmlversion' is dynamic > [15:11:34] [WARNING] heuristic (basic) test shows that POST parameter > '<?xmlvers > ion' might not be injectable > [15:11:34] [INFO] testing for SQL injection on POST parameter > '<?xmlversion' > [15:11:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING > clause' > [15:11:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING > clause > ' > [15:11:38] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING > clause' > [15:11:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - > WHERE o > r HAVING clause' > [15:11:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause > (XMLT > ype)' > [15:11:42] [INFO] testing 'MySQL inline queries' > [15:11:43] [INFO] testing 'PostgreSQL inline queries' > [15:11:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries' > [15:11:43] [INFO] testing 'Oracle inline queries' > [15:11:43] [INFO] testing 'SQLite inline queries' > [15:11:44] [INFO] testing 'MySQL > 5.0.11 stacked queries' > [15:11:44] [CRITICAL] there is considerable lagging in connection > response(s). P > lease use as high value for option '--time-sec' as possible (e.g. 10 or > more) > [15:11:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries' > [15:11:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries' > [15:11:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' > [15:11:52] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind' > [15:11:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind' > [15:11:55] [INFO] testing 'Oracle AND time-based blind' > [15:11:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns' > [15:12:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' > [15:12:13] [WARNING] using unescaped version of the test because of zero > knowled > ge of the back-end DBMS. You can try to explicitly set it using option > '--dbms' > [15:12:29] [WARNING] POST parameter '<?xmlversion' is not injectable > [15:12:29] [CRITICAL] all tested parameters appear to be not injectable. > Try to > increase '--level'/'--risk' values to perform more tests. Please retry > with the > switch '--text-only' (along with --technique=BU) as this case looks like a > perfe > ct candidate (low textual content along with inability of comparison > engine to d > etect at least one dynamic parameter). Also, you can try to rerun by > providing e > ither a valid value for option '--string' (or '--regexp') > [15:12:29] [WARNING] HTTP error codes detected during run: > 401 (Unauthorized) - 220 times > > [*] shutting down at 15:12:29 > > > ========================== end =========================== > > Thanks for all your help. > > > On Tue, Apr 29, 2014 at 5:27 PM, Miroslav Stampar < > mir...@gm...> wrote: > >> Hi. >> >> Please update to the latest revision and try to run with (hidden) switch >> --ignore-401. >> >> Kind regards, >> Miroslav Stampar >> >> >> On Tue, Apr 29, 2014 at 3:32 PM, Travis Altman <tra...@gm...>wrote: >> >>> I'm using the conf file to kick everything off. The only thing modified >>> in the conf is the URL and the data sent in the post request. >>> >>> ============================== Conf file >>> ================================ >>> >>> # Target URL. >>> # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 >>> url = http://blah/login >>> >>> # Parse targets from Burp or WebScarab logs >>> # Valid: Burp proxy (http://portswigger.net/suite/) requests log file >>> path >>> # or WebScarab proxy ( >>> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) >>> # 'conversations/' folder path >>> logFile = >>> >>> # Scan multiple targets enlisted in a given textual file >>> bulkFile = >>> >>> # Load HTTP request from a file >>> # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: >>> Mozilla/4.0\n\nuserid=joe&password=guessme >>> requestFile = >>> >>> # Rather than providing a target URL, let Google return target >>> # hosts as result of your Google dork expression. For a list of Google >>> # dorks see Johnny Long Google Hacking Database at >>> # http://johnny.ihackstuff.com/ghdb.php. >>> # Example: +ext:php +inurl:"&id=" +intext:"powered by " >>> googleDork = >>> >>> >>> # These options can be used to specify how to connect to the target URL. >>> [Request] >>> >>> # Data string to be sent through POST. >>> data = <?xml version="1.0" encoding="UTF-8"?><ns7:LoginInput >>> sessionDiscriminator="blah" locale="en_US" role="" group="" >>> password="monkey" username="monkey" xmlns:ns6=" >>> http://blah.com/Schemas/Core/2008-03/Session" xmlns:ns2=" >>> http://blah.com/Schemas/Soa/2006-03/Base" xmlns:ns5=" >>> http://blah.com/Schemas/Core/2007-12/Session" xmlns=" >>> http://blah.com/Schemas/Core/2006-03/Session" xmlns:ns8=" >>> http://blah.com/Schemas/Core/2009-04/Session" xmlns:ns3=" >>> http://blah.com/Schemas/Core/2007-01/Session" xmlns:ns7=" >>> http://blah.com/Schemas/Core/2008-06/Session" xmlns:ns4=" >>> http://blah.com/Schemas/Core/2007-06/Session" xmlns:ns10=" >>> http://blah.com/Schemas/Core/2012-02/Session" xmlns:ns9=" >>> http://blah.com/Schemas/Core/2010-04/Session"/> >>> >>> # Character used for splitting parameter values >>> paramDel = >>> >>> ================================== Command line output >>> =================================== >>> >>> [C:\tools\sqlmap-bd16bb7]python sqlmap.py -c sqlmap.conf >>> >>> sqlmap/1.0-dev - automatic SQL injection and database takeover tool >>> http://sqlmap.org >>> >>> [!] legal disclaimer: Usage of sqlmap for attacking targets without >>> prior mutual consent is illegal. It is the end user's responsibility to >>> obey all applicable local, state and federal laws. Developers assume no >>> liability and are not responsible for any misuse or damage caused by this >>> program >>> >>> [*] starting at 23:12:39 >>> >>> [23:12:39] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the >>> output directory >>> [23:12:39] [INFO] testing connection to the target URL >>> [23:12:39] [INFO] heuristics detected web page charset 'ascii' >>> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP >>> authentication type and valid credentials (401) >>> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP >>> authentication type and valid credentials (401) >>> [23:12:39] [WARNING] HTTP error codes detected during run: >>> 401 (Unauthorized) - 1 times >>> >>> [*] shutting down at 23:12:39 >>> >>> >>> [C:\tools\sqlmap-bd16bb7] >>> >>> ================================= End >>> =========================================== >>> >>> Let me know if anymore information is needed. Thanks for all the help. >>> >>> >>> On Tue, Apr 29, 2014 at 1:51 AM, Miroslav Stampar < >>> mir...@gm...> wrote: >>> >>>> Can you please send sqlmap console log and used parameters? >>>> On Apr 28, 2014 10:42 PM, "Travis Altman" <tra...@gm...> >>>> wrote: >>>> >>>>> Wants me to provide the right http authentication type but the >>>>> credentials are in the body of the post request. I'm intentionally >>>>> providing bad credentials which does result in a "401 Unauthorized", not >>>>> sure if sqlmap is triggering off of that. Also the body of the request is >>>>> XML if that makes any difference. Any idea why this might be happening? >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE >>>>> Instantly run your Selenium tests across 300+ browser/OS combos. Get >>>>> unparalleled scalability from the best Selenium testing platform >>>>> available. >>>>> Simple to use. Nothing to install. Get started now for free." >>>>> http://p.sf.net/sfu/SauceLabs >>>>> _______________________________________________ >>>>> sqlmap-users mailing list >>>>> sql...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>> >>>>> >>> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > > -- Miroslav Stampar http://about.me/stamparm |
