sqlmap-users Mailing List for sqlmap (Page 6)
Brought to you by: inquisb
From: Brandon P. <bpe...@gm...> - 2015-10-13 19:11:51
Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output. What were you expecting to happen?

On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> http://pastebin.com/Q9RKsffG
> I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
> I am using OpenJDK.
> Thank you,
> Vojta
>
> On 13.10.2015 at 18:54 Miroslav Stampar wrote:
>
> Yup. The master branch is a good branch.
>
> And you are having difficulties even if you use a --flush-session along with switches/options I've used?
>
> This is strange. I've run this numerous times in the last few days.
>
> Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?
>
> Bye
> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <kr...@gm...> wrote:
>
>> Greetings,
>> now it works but...
>> I don't know what I am doing wrong, but it takes a very looong time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
>> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
>> I am using the same arguments as you, but from enumeration arguments I am using just --current-user, no --dump, --dbs etc.
>> Just to be sure, I am pulling from the Master branch, is this correct?
>> Thank you very much for your effort,
>> Vojtěch Polášek
>>
>> On 13.10.2015 at 13:07 Miroslav Stampar wrote:
>>
>> Hi.
>>
>> There has been a lot of work here. Please update to the latest revision and retry it again.
>>
>> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in pastebin links.
>>
>> Here you can find a couple of different runs:
>>
>> --technique=B
>> http://pastebin.com/04z2x00S
>>
>> (no technique constraints)
>> http://pastebin.com/UhGQLyTp
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi.
>>>
>>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>
>>>> Greetings,
>>>> I still have problems exploiting HSQL databases. current-user is still returning garbled characters etc.
>>>> Is it still working for you?
>>>> Thanks,
>>>> Vojta
>>>>
>>>> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>>>>
>>>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>>
>>>> Bye
>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>>>
>>>>> Greetings,
>>>>> thanks for your prompt response.
>>>>> Unfortunately, it is still not working as expected.
>>>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as Postgresql instead of HSQL.
>>>>> This request is from the lesson about simple string SQL injection
>>>>> #begin request file
>>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>>> Host: localhost:8080
>>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>>> Accept: */*
>>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>> Accept-Encoding: gzip, deflate
>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>> X-Requested-With: XMLHttpRequest
>>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>> Content-Length: 29
>>>>> Connection: keep-alive
>>>>> Pragma: no-cache
>>>>> Cache-Control: no-cache
>>>>> Cookie: JSESSIONID=valid_cookie
>>>>>
>>>>> account_name=Smith&SUBMIT=Go!
>>>>> #end request
>>>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>>>> Thanks for your work,
>>>>> Vojta
>>>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>>>
>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>
>>>>>>> Hi again.
>>>>>>>
>>>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>>>
>>>>>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike)
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> You can download Webgoat here:
>>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat
>>>>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>>>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
>>>>>>>> Thank you,
>>>>>>>> Vojta
>>>>>>>>
>>>>>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>>>>>
>>>>>>>> Hi.
>>>>>>>>
>>>>>>>> Can you please send the used sqlmap command along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>
>>>>>>>>> Greetings,
>>>>>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>>>>> The between tamper script didn't help.
>>>>>>>>> Any suggestions are welcome.
>>>>>>>>> Thanks,
>>>>>>>>> Vojta
>>>>>>>>>
>>>>>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>>>>> >
>>>>>>>>> > I bet you need --tamper=between
>>>>>>>>> >
>>>>>>>>> > Sent from a phone
>>>>>>>>> >
>>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>> >>
>>>>>>>>> >> Greetings,
>>>>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat version 6.0.1. You can try it yourself by using the following request file.
>>>>>>>>> >> Just log in and replace the cookie by a valid one.
>>>>>>>>> >> ###start request file
>>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>>> >> Host: localhost:8080
>>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>>> >> Accept: */*
>>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>>> >> Content-Length: 29
>>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>>> >> Connection: keep-alive
>>>>>>>>> >> Pragma: no-cache
>>>>>>>>> >> Cache-Control: no-cache
>>>>>>>>> >>
>>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>>> >> #end request file
>>>>>>>>> >> I am running git master of Sqlmap.
>>>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no information gathering commands work (--dbs, --current-user...). I tried running with --hex or --no-cast, but no luck.
>>>>>>>>> >> What might be the problem?
>>>>>>>>> >> Thanks,
>>>>>>>>> >> Vojta
>>>>>>>>> >>
>>>>>>>>> >> ------------------------------------------------------------------------------
>>>>>>>>> >> _______________________________________________
>>>>>>>>> >> sqlmap-users mailing list
>>>>>>>>> >> sql...@li...
>>>>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Miroslav Stampar
>>>>>>>> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
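The raw request files quoted throughout this thread are the format a tool reads from a file (the `-r` style capture: request line, headers, blank line, body), and two of the problems people hit with them are visible here: a `Content-Length` that no longer matches the body after editing, and a session cookie left as a placeholder ("replace", "valid_cookie") because the capture was pasted before logging in. The parser and checks below are an added example, not code from the thread or from sqlmap; the sample request is reconstructed from the one posted above with the cookie deliberately left as its placeholder, and the set of placeholder cookie values is an assumption made for this example.

```python
"""Parse and sanity-check a raw HTTP request file (the kind quoted in the
thread) before handing it to a tool.  Added example, not from the thread or
from sqlmap.  The sample request and the placeholder-value list are
constructed for this example."""

from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Cookie values that are obviously placeholders rather than a live session.
# Assumption made for this example; extend as needed.
PLACEHOLDER_COOKIE_VALUES = {"replace", "valid_cookie", "xxx"}

# Constructed sample: the request from the thread with the cookie placeholder
# left in, wrapped in the '#begin/#end' markers people paste around it.
SAMPLE_REQUEST = """\
#begin request file
POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Length: 29
Connection: keep-alive
Cookie: JSESSIONID=valid_cookie

account_name=Smith&SUBMIT=Go!
#end request
"""


@dataclass
class RawRequest:
    method: str = ""
    target: str = ""
    version: str = ""
    headers: dict = field(default_factory=dict)  # header names lowercased
    body: str = ""
    problems: list = field(default_factory=list)


def parse_request_file(text: str) -> RawRequest:
    """Split the file into request line, headers and body, then run the
    consistency checks that catch the mistakes described in the thread."""
    lines = text.replace("\r\n", "\n").split("\n")
    # Strip leading/trailing '#...' marker lines and blank lines; they are
    # not part of the HTTP message.
    while lines and (lines[0].startswith("#") or not lines[0].strip()):
        lines.pop(0)
    while lines and (lines[-1].startswith("#") or not lines[-1].strip()):
        lines.pop()

    req = RawRequest()
    if not lines:
        req.problems.append("empty request file")
        return req
    parts = lines[0].split()
    if len(parts) != 3:
        req.problems.append(f"malformed request line: {lines[0]!r}")
        return req
    req.method, req.target, req.version = parts

    body_lines, in_body = [], False
    for line in lines[1:]:
        if in_body:
            body_lines.append(line)
        elif line == "":
            in_body = True  # first blank line ends the header block
        elif ":" in line:
            name, _, value = line.partition(":")
            req.headers[name.strip().lower()] = value.strip()
        else:
            req.problems.append(f"malformed header line: {line!r}")
    req.body = "\n".join(body_lines)

    # Check 1: declared Content-Length must match the body actually present.
    declared = req.headers.get("content-length")
    actual = len(req.body.encode())
    if declared is not None:
        if not declared.isdigit() or int(declared) != actual:
            req.problems.append(f"Content-Length {declared} but body is {actual} bytes")
    elif req.body:
        req.problems.append("body present but no Content-Length header")
    if req.method == "POST" and not req.body:
        req.problems.append("POST request without a body")

    # Check 2: a session cookie still holding a placeholder value means the
    # request will be treated as unauthenticated by the application.
    for pair in req.headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if value.lower() in PLACEHOLDER_COOKIE_VALUES:
            req.problems.append(f"cookie {name} still holds placeholder {value!r}; capture a live session first")
    return req


def form_params(req: RawRequest) -> dict:
    """Decode the body as form parameters when the Content-Type says so."""
    if "application/x-www-form-urlencoded" in req.headers.get("content-type", ""):
        return dict(parse_qsl(req.body, keep_blank_values=True))
    return {}


if __name__ == "__main__":
    r = parse_request_file(SAMPLE_REQUEST)
    print(r.method, r.target, form_params(r))
    for p in r.problems:
        print("problem:", p)
```

Run as a script it prints the parsed request line and form fields, then one problem: the cookie placeholder. Editing the body without updating `Content-Length` (for example changing `Smith` to a longer name) makes the first check fire as well, which is the kind of mismatch that silently produces odd server behaviour when the file is replayed.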
From: Vojtěch P. <kr...@gm...> - 2015-10-13 19:08:40
Hi,
http://pastebin.com/Q9RKsffG
I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
I am using OpenJDK.
Thank you,
Vojta

On 13.10.2015 at 18:54 Miroslav Stampar wrote:
>
> Yup. The master branch is a good branch.
>
> And you are having difficulties even if you use a --flush-session along with switches/options I've used?
>
> This is strange. I've run this numerous times in the last few days.
>
> Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?
>
> Bye
>
> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <kr...@gm...> wrote:
>
> Greetings,
> now it works but...
> I don't know what I am doing wrong, but it takes a very looong time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
> I am using the same arguments as you, but from enumeration arguments I am using just --current-user, no --dump, --dbs etc.
> Just to be sure, I am pulling from the Master branch, is this correct?
> Thank you very much for your effort,
> Vojtěch Polášek
>
> On 13.10.2015 at 13:07 Miroslav Stampar wrote:
>> Hi.
>>
>> There has been a lot of work here. Please update to the latest revision and retry it again.
>>
>> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in pastebin links.
>>
>> Here you can find a couple of different runs:
>>
>> --technique=B
>> http://pastebin.com/04z2x00S
>>
>> (no technique constraints)
>> http://pastebin.com/UhGQLyTp
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>>
>> Hi.
>>
>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>
>> Greetings,
>> I still have problems exploiting HSQL databases. current-user is still returning garbled characters etc.
>> Is it still working for you?
>> Thanks,
>> Vojta
>>
>> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>>>
>>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>
>>> Bye
>>>
>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>>
>>> Greetings,
>>> thanks for your prompt response.
>>> Unfortunately, it is still not working as expected.
>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as Postgresql instead of HSQL.
>>> This request is from the lesson about simple string SQL injection
>>> #begin request file
>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>> Accept: */*
>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>> Content-Length: 29
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>> Cookie: JSESSIONID=valid_cookie
>>>
>>> account_name=Smith&SUBMIT=Go!
>>> #end request
>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>> Thanks for your work,
>>> Vojta
>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>> Hi again.
>>>>
>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>
>>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike)
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>
>>>> Hi,
>>>> You can download Webgoat here:
>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>> And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat
>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
>>>> Thank you,
>>>> Vojta
>>>>
>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>> Hi.
>>>>>
>>>>> Can you please send the used sqlmap command along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>
>>>>> Bye
>>>>>
>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>
>>>>> Greetings,
>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>> The between tamper script didn't help.
>>>>> Any suggestions are welcome.
>>>>> Thanks,
>>>>> Vojta
>>>>>
>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>> > You should look in the logs of the web server and see what they say.
>>>>> >
>>>>> > I bet you need --tamper=between
>>>>> >
>>>>> > Sent from a phone
>>>>> >
>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>> >>
>>>>> >> Greetings,
>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat version 6.0.1. You can try it yourself by using the following request file.
>>>>> >> Just log in and replace the cookie by a valid one.
>>>>> >> ###start request file
>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>> >> Host: localhost:8080
>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>> >> Accept: */*
>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>> >> Accept-Encoding: gzip, deflate
>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>> >> X-Requested-With: XMLHttpRequest
>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>> >> Content-Length: 29
>>>>> >> Cookie: JSESSIONID=replace
>>>>> >> Connection: keep-alive
>>>>> >> Pragma: no-cache
>>>>> >> Cache-Control: no-cache
>>>>> >>
>>>>> >> account_number=101&SUBMIT=Go!
>>>>> >> #end request file
>>>>> >> I am running git master of Sqlmap.
>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no information gathering commands work (--dbs, --current-user...). I tried running with --hex or --no-cast, but no luck.
>>>>> >> What might be the problem?
>>>>> >> Thanks,
>>>>> >> Vojta
>>>>> >>
>>>>> >> ------------------------------------------------------------------------------
>>>>> >> _______________________________________________
>>>>> >> sqlmap-users mailing list
>>>>> >> sql...@li...
>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-10-13 16:54:51
Yup. The master branch is a good branch.

And you are having difficulties even if you use a --flush-session along with switches/options I've used?

This is strange. I've run this numerous times in the last few days.

Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?

Bye

On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <kr...@gm...> wrote:
> Greetings,
> now it works but...
> I don't know what I am doing wrong, but it takes a very looong time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
> I am using the same arguments as you, but from enumeration arguments I am using just --current-user, no --dump, --dbs etc.
> Just to be sure, I am pulling from the Master branch, is this correct?
> Thank you very much for your effort,
> Vojtěch Polášek
>
> On 13.10.2015 at 13:07 Miroslav Stampar wrote:
>
> Hi.
>
> There has been a lot of work here. Please update to the latest revision and retry it again.
>
> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in pastebin links.
>
> Here you can find a couple of different runs:
>
> --technique=B
> http://pastebin.com/04z2x00S
>
> (no technique constraints)
> http://pastebin.com/UhGQLyTp
>
> Bye
>
> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>
>>> Greetings,
>>> I still have problems exploiting HSQL databases. current-user is still returning garbled characters etc.
>>> Is it still working for you?
>>> Thanks,
>>> Vojta
>>>
>>> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>>>
>>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>
>>> Bye
>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>>
>>>> Greetings,
>>>> thanks for your prompt response.
>>>> Unfortunately, it is still not working as expected.
>>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as Postgresql instead of HSQL.
>>>> This request is from the lesson about simple string SQL injection
>>>> #begin request file
>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>> Accept: */*
>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>> Content-Length: 29
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>> Cookie: JSESSIONID=valid_cookie
>>>>
>>>> account_name=Smith&SUBMIT=Go!
>>>> #end request
>>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>>> Thanks for your work,
>>>> Vojta
>>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>>
>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>>> Hi again.
>>>>>>
>>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>>
>>>>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike)
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> You can download Webgoat here:
>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat
>>>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
>>>>>>> Thank you,
>>>>>>> Vojta
>>>>>>>
>>>>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>>>>
>>>>>>> Hi.
>>>>>>>
>>>>>>> Can you please send the used sqlmap command along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>
>>>>>>>> Greetings,
>>>>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>>>> The between tamper script didn't help.
>>>>>>>> Any suggestions are welcome.
>>>>>>>> Thanks,
>>>>>>>> Vojta
>>>>>>>>
>>>>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>>>> >
>>>>>>>> > I bet you need --tamper=between
>>>>>>>> >
>>>>>>>> > Sent from a phone
>>>>>>>> >
>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>> >>
>>>>>>>> >> Greetings,
>>>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat version 6.0.1. You can try it yourself by using the following request file.
>>>>>>>> >> Just log in and replace the cookie by a valid one.
>>>>>>>> >> ###start request file
>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>> >> Host: localhost:8080
>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>> >> Accept: */*
>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>> >> Content-Length: 29
>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>> >> Connection: keep-alive
>>>>>>>> >> Pragma: no-cache
>>>>>>>> >> Cache-Control: no-cache
>>>>>>>> >>
>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>> >> #end request file
>>>>>>>> >> I am running git master of Sqlmap.
>>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no information gathering commands work (--dbs, --current-user...). I tried running with --hex or --no-cast, but no luck.
>>>>>>>> >> What might be the problem?
>>>>>>>> >> Thanks,
>>>>>>>> >> Vojta
>>>>>>>> >>
>>>>>>>> >> ------------------------------------------------------------------------------
>>>>>>>> >> _______________________________________________
>>>>>>>> >> sqlmap-users mailing list
>>>>>>>> >> sql...@li...
>>>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm
From: Vojtěch P. <kr...@gm...> - 2015-10-13 16:50:19
|
Greetings,
now it works but... I don't know what I am doing wrong, but it takes a very looong time for Sqlmap to finish this run. In your output it takes several seconds; for me it takes almost an hour to get this done.
Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
I am using the same arguments as you, but from the enumeration arguments I am using just --current-user, no --dump, --dbs etc.
Just to be sure, I am pulling from the Master branch, is this correct?
Thank you very much for your effort,
Vojtěch Polášek

On 13.10.2015 at 13:07, Miroslav Stampar wrote:
> Hi.
>
> There has been a lot of work here. Please update to the latest revision
> and retry it again.
>
> One word of advice regarding WebGoat. It has a bad routine that
> automatically closes the SQLi after it finds certain keywords in
> requests. Basically, afterwards it just says "* Congratulations. You
> have successfully completed this lesson." and prevents further
> injection. Hence, you'll need to use --safe-url and --safe-freq to
> reset those. Please find details further in the pastebin links.
>
> Here you can find a couple of different runs:
>
> --technique=B
> http://pastebin.com/04z2x00S
>
> (no technique constraints)
> http://pastebin.com/UhGQLyTp
>
> Bye
|
From: Vojtěch P. <kr...@gm...> - 2015-10-13 11:22:45
|
Thank you very much, this sounds great. I will be able to show this Sqlmap feature and that's good. I will try it as soon as possible.
Vojta

On 13.10.2015 at 13:07, Miroslav Stampar wrote:
> Hi.
>
> There has been a lot of work here. Please update to the latest revision
> and retry it again.
>
> One word of advice regarding WebGoat. It has a bad routine that
> automatically closes the SQLi after it finds certain keywords in
> requests. Basically, afterwards it just says "* Congratulations. You
> have successfully completed this lesson." and prevents further
> injection. Hence, you'll need to use --safe-url and --safe-freq to
> reset those. Please find details further in the pastebin links.
>
> Here you can find a couple of different runs:
>
> --technique=B
> http://pastebin.com/04z2x00S
>
> (no technique constraints)
> http://pastebin.com/UhGQLyTp
>
> Bye
|
From: Miroslav S. <mir...@gm...> - 2015-10-13 11:07:29
|
Hi.

There has been a lot of work here. Please update to the latest revision and retry it again.

One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in the pastebin links.

Here you can find a couple of different runs:

--technique=B
http://pastebin.com/04z2x00S

(no technique constraints)
http://pastebin.com/UhGQLyTp

Bye

On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> There is still more work here to be done. Will let you know. I am going to
> try to finish it today.
>
> Bye
>
> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
>
>> Greetings,
>> I still have problems exploiting HSQL databases. current-user is still
>> returning garbled characters etc.
>> Is it still working for you?
>> Thanks,
>> Vojta
>>
>> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>
>> I've used that same request file without any problems (with latest
>> patches/revision). Will retest tomorrow. Please retry everything with
>> --flush-session
>>
>> Bye
>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>
>>> Greetings,
>>> thanks for your prompt response.
>>> Unfortunately, it is still not working as expected.
>>> There is a problem with retrieving the current user and information from
>>> the HSQL database in general.
>>> Moreover, when using the following request file from the same application,
>>> Sqlmap identified the backend database as Postgresql instead of HSQL.
>>> This request is from the lesson about simple string SQL injection
>>> #begin request file
>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>> Accept: */*
>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>> Content-Length: 29
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>> Cookie: JSESSIONID=valid_cookie
>>>
>>> account_name=Smith&SUBMIT=Go!
>>> #end request
>>> Feel free to ask me for more debugging information, I will be glad to
>>> help you.
>>> Thanks for your work,
>>> Vojta
>>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>
>>> Fixed tons of bugs and pushed. Please retry it again.
>>>
>>> Bye
>>>
>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
>>>> right now.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>>> Hi again.
>>>>>
>>>>> Please update to the latest revision and retry it again (with
>>>>> --flush-session).
>>>>>
>>>>> Backend used is HSQLDB while sqlmap wrongly recognized it as MySQL
>>>>> (because HSQLDB is a MySQL look-alike)
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>
>>>>>> Hi,
>>>>>> You can download Webgoat here:
>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and
>>>>>> password webgoat
>>>>>> The request file posted earlier is from the Blind numeric SQL injection
>>>>>> lesson.
>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>> I am using this command, where "request" is the request file posted
>>>>>> earlier and valid_cookie is simply a valid cookie.
>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit
>>>>>> it, I tried almost all tamper scripts, even some combinations, but no
>>>>>> success.
>>>>>> I wanted to show exploitation of Webgoat, because I would like to use
>>>>>> Sqlmap for testing of a commercial application which is based on similar
>>>>>> technologies.
>>>>>> Thank you,
>>>>>> Vojta
>>>>>>
>>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> Can you please send the used sqlmap command along with the basic info
>>>>>> on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>
>>>>>>> Greetings,
>>>>>>> I am running Webgoat from a standalone jar file, so I can't see any
>>>>>>> logs.
>>>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>>>> didn't expect this application to contain any kind of filtering.
>>>>>>> I hope to show Sqlmap in action to some people from a large company and
>>>>>>> I wanted to use something simple, therefore I am quite surprised. I have
>>>>>>> never seen this situation - found injection but no possibility of
>>>>>>> exploitation.
>>>>>>> The between tamper script didn't help.
>>>>>>> Any suggestions are welcome.
>>>>>>> Thanks,
>>>>>>> Vojta
>>>>>>>
>>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>>> >
>>>>>>> > I bet you need --tamper=between
>>>>>>> >
>>>>>>> > Sent from a phone
>>>>>>> >
>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>> >>
>>>>>>> >> Greetings,
>>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>>>> >> version 6.0.1. You can try it yourself by using the following request file.
>>>>>>> >> Just log in and replace the cookie by a valid one.
>>>>>>> >> ###start request file
>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>> >> Host: localhost:8080
>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>> >> Accept: */*
>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>> >> Content-Length: 29
>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>> >> Connection: keep-alive
>>>>>>> >> Pragma: no-cache
>>>>>>> >> Cache-Control: no-cache
>>>>>>> >>
>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>> >> #end request file
>>>>>>> >> I am running git master of Sqlmap.
>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>>>>> >> running with --hex or --no-cast, but no luck.
>>>>>>> >> What might be the problem?
>>>>>>> >> Thanks,
>>>>>>> >> Vojta

------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sql...@li...
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
|
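An added example, written for this thread and not code from sqlmap or from any of the posters: a small Python checker for request files of the kind posted above, the format sqlmap's -r option reads. It parses the request line, headers and body, verifies Content-Length against the body, lists the parameters sqlmap would get to see, and flags a Cookie header that still carries the placeholder the poster asks readers to replace. The placeholder values and the embedded sample request are constructed from the thread.

```python
"""Checker for raw HTTP request files of the kind sqlmap's -r option reads.

Added example, not part of sqlmap or of the mailing-list thread. It parses
request line, headers and body, verifies Content-Length against the body,
lists the parameters, and flags a Cookie header still holding a placeholder.
"""
from urllib.parse import parse_qsl, urlsplit

# Placeholder session values from the request files posted in the thread.
PLACEHOLDER_COOKIE_VALUES = {"replace", "valid_cookie"}

# Constructed sample: the request file from the thread, with the wrapped
# User-Agent header joined back onto one line.
SAMPLE_REQUEST = (
    "POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Referer: http://localhost:8080/WebGoat/start.mvc\r\n"
    "Content-Length: 29\r\n"
    "Cookie: JSESSIONID=replace\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "account_number=101&SUBMIT=Go!"
)


def parse_request_file(text):
    """Split a raw request into (method, target, version, headers, body).

    Accepts CRLF or bare LF line endings, since hand-edited files usually
    have the latter. Header names are lower-cased for lookup.
    """
    text = text.replace("\r\n", "\n")
    head, sep, body = text.partition("\n\n")  # first blank line ends the head
    if not sep:
        body = ""
    if body.endswith("\n"):
        body = body[:-1]  # editors append a final newline; it is not body data
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def parse_cookies(header_value):
    """Parse 'a=1; b=2' into a dict without touching the raw values."""
    cookies = {}
    for item in header_value.split(";"):
        name, eq, value = item.strip().partition("=")
        if eq:
            cookies[name] = value
    return cookies


def check_request_file(text):
    """Return a dict describing the request plus a list of problems found."""
    method, target, version, headers, body = parse_request_file(text)
    problems = []

    # sqlmap tests every parameter it can see; collect them by location.
    query_params = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    body_params = [k for k, _ in parse_qsl(body, keep_blank_values=True)]

    # A wrong Content-Length makes the server truncate the body or wait for
    # bytes that never arrive; both request files in the thread declare 29.
    declared = headers.get("content-length")
    actual = len(body.encode("utf-8"))
    if declared is None:
        if body:
            problems.append("body present but no Content-Length header")
    elif not declared.isdigit() or int(declared) != actual:
        problems.append("Content-Length is %s but body is %d bytes" % (declared, actual))

    # A placeholder session cookie means every request goes out unauthenticated.
    cookies = parse_cookies(headers.get("cookie", ""))
    for name, value in cookies.items():
        if value in PLACEHOLDER_COOKIE_VALUES:
            problems.append("cookie %s still holds placeholder value %r" % (name, value))

    if method == "POST" and not body:
        problems.append("POST request without a body")

    return {
        "method": method,
        "path": urlsplit(target).path,
        "version": version,
        "host": headers.get("host"),
        "query_params": query_params,
        "body_params": body_params,
        "cookies": cookies,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in check_request_file(SAMPLE_REQUEST).items():
        print("%-13s %s" % (key + ":", value))
```

Run it on a request file before handing the file to sqlmap -r; the `problems` list is empty when the length matches and the cookie holds a real session value.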
From: Miroslav S. <mir...@gm...> - 2015-10-13 08:18:19

Hi.

There is still more work to be done here. Will let you know. I am going to try to finish it today.

Bye

On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <kr...@gm...> wrote:
> Greetings,
> I still have problems exploiting HSQL databases. current-user is still
> returning garbled characters etc.
> Is it still working for you?
> Thanks,
> Vojta
>
> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>> I've used that same request file without any problems (with latest
>> patches/revision). Will retest tomorrow. Please retry everything with
>> --flush-session
>>
>> Bye
>>
>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
>>> Greetings,
>>> thanks for your prompt response.
>>> Unfortunately, it is still not working as expected.
>>> There is a problem with retrieving the current user and information from
>>> the HSQL database in general.
>>> Moreover, when using the following request file from the same application,
>>> sqlmap identified the backend database as PostgreSQL instead of HSQL.
>>> This request is from the lesson about simple string SQL injection.
>>> #begin request file
>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>> Accept: */*
>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>> Content-Length: 29
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>> Cookie: JSESSIONID=valid_cookie
>>>
>>> account_name=Smith&SUBMIT=Go!
>>> #end request
>>> Feel free to ask me for more debugging information, I will be glad to
>>> help you.
>>> Thanks for your work,
>>> Vojta
>>>
>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
>>>>> right now.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>> Hi again.
>>>>>>
>>>>>> Please update to the latest revision and retry it again (with
>>>>>> --flush-session).
>>>>>>
>>>>>> The backend used is HSQLDB, while sqlmap wrongly recognized it as MySQL
>>>>>> (because HSQLDB is a MySQL look-alike).
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>> Hi,
>>>>>>> You can download Webgoat here:
>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and
>>>>>>> password webgoat.
>>>>>>> The request file posted earlier is from the Blind Numeric SQL Injection
>>>>>>> lesson.
>>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>>> I am using this command, where "request" is the request file posted
>>>>>>> earlier and valid_cookie is simply a valid cookie:
>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit
>>>>>>> it; I tried almost all tamper scripts, even some combinations, but no
>>>>>>> success.
>>>>>>> I wanted to show exploitation of Webgoat, because I would like to use
>>>>>>> sqlmap for testing a commercial application which is based on similar
>>>>>>> technologies.
>>>>>>> Thank you,
>>>>>>> Vojta
>>>>>>>
>>>>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>>>>> Hi.
>>>>>>>>
>>>>>>>> Can you please send the used sqlmap command along with the basic info on
>>>>>>>> the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>> Greetings,
>>>>>>>>> I am running Webgoat from a standalone jar file, so I can't see any
>>>>>>>>> logs.
>>>>>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>>>>>> didn't expect this application to contain any kind of filtering.
>>>>>>>>> I hope to show sqlmap in action to some people from a large company and
>>>>>>>>> I wanted to use something simple, therefore I am quite surprised. I have
>>>>>>>>> never seen this situation - found injection but no possibility of
>>>>>>>>> exploitation.
>>>>>>>>> The between tamper script didn't help.
>>>>>>>>> Any suggestions are welcome.
>>>>>>>>> Thanks,
>>>>>>>>> Vojta
>>>>>>>>>
>>>>>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>>>>> >
>>>>>>>>> > I bet you need --tamper=between
>>>>>>>>> >
>>>>>>>>> > Sent from a phone
>>>>>>>>> >
>>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>>>>>>> >>
>>>>>>>>> >> Greetings,
>>>>>>>>> >> I tried to verify sqlmap's functionality by running it against Webgoat
>>>>>>>>> >> version 6.0.1. You can try it yourself by using the following request
>>>>>>>>> >> file.
>>>>>>>>> >> Just log in and replace the cookie with a valid one.
>>>>>>>>> >> ###start request file
>>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>>> >> Host: localhost:8080
>>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>>> >> Accept: */*
>>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>>> >> Content-Length: 29
>>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>>> >> Connection: keep-alive
>>>>>>>>> >> Pragma: no-cache
>>>>>>>>> >> Cache-Control: no-cache
>>>>>>>>> >>
>>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>>> >> #end request file
>>>>>>>>> >> I am running git master of sqlmap.
>>>>>>>>> >> sqlmap detects SQL injection (boolean-based blind, MySQL), but no
>>>>>>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>>>>>>> >> running with --hex or --no-cast, but no luck.
>>>>>>>>> >> What might be the problem?
>>>>>>>>> >> Thanks,
>>>>>>>>> >> Vojta

--
Miroslav Stampar
http://about.me/stamparm
From: Vojtěch P. <kr...@gm...> - 2015-10-13 08:14:02

Greetings,
I still have problems exploiting HSQL databases. current-user is still
returning garbled characters etc.
Is it still working for you?
Thanks,
Vojta

On 10.10.2015 at 01:35 Miroslav Stampar wrote:
> I've used that same request file without any problems (with latest
> patches/revision). Will retest tomorrow. Please retry everything with
> --flush-session
>
> Bye
From: Rodrigo Z. S. <rod...@gm...> - 2015-10-13 04:49:25

I am studying a case of SQL in Oracle. If I do a select and it results in the number N, I get the response for that. So if I do a complex call and it results in 42, I can use the way sqlmap uses to check it:

sqlmap test: 42>10 = true
sqlmap test: 42>50 = false
....

But before doing various calls, I can get this result with only one call. But the result for 42 is null. What I need to do is:

if (result=42) return 10
if (result=41) return 4
if (result=40) return 7
...

So... I am trying to work out how I can do this. Everything I tried to make a simple IF or a CASE failed. I studied the syntax here <http://docs.oracle.com/cd/E11882_01/appdev.112/e25519/case_statement.htm#LNPLS01304> but it is not working. Is it possible to do this:

CASE complex_sql_return_number
WHEN 0 THEN 1;
WHEN 1 THEN 42;
ELSE 100
END

Any ideas?
From: Vojtěch P. <kr...@gm...> - 2015-10-10 09:39:33

Hello,
Here is some debugging information. This is the output of sqlmap running,
exploiting and trying to get the current DB user:
http://cloud.vojtapolasek.eu/index.php/s/cCBLy5MGR46pXOe
And this is the traffic file:
http://cloud.vojtapolasek.eu/index.php/s/jheCneiJfxzrLGV
I used:
sqlmap -r request --level=5 --risk=3 -o -v3 --cookie="JSESSIONID=valid_cookie" --current-user
I deleted the whole output directory for localhost beforehand.
I hope it helps,
Vojta

On 10.10.2015 at 01:35 Miroslav Stampar wrote:
> I've used that same request file without any problems (with latest
> patches/revision). Will retest tomorrow. Please retry everything with
> --flush-session
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-10-09 23:35:40

I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session

Bye

On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <kr...@gm...> wrote:
> Greetings,
> thanks for your prompt response.
> Unfortunately, it is still not working as expected.
> There is a problem with retrieving the current user and information from
> the HSQL database in general.
> Moreover, when using the following request file from the same application,
> sqlmap identified the backend database as PostgreSQL instead of HSQL.
> This request is from the lesson about simple string SQL injection.
> #begin request file
> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
> Accept: */*
> Accept-Language: cs,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: http://localhost:8080/WebGoat/start.mvc
> Content-Length: 29
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> Cookie: JSESSIONID=valid_cookie
>
> account_name=Smith&SUBMIT=Go!
> #end request
> Feel free to ask me for more debugging information, I will be glad to
> help you.
> Thanks for your work,
> Vojta

--
Miroslav Stampar
http://about.me/stamparm
From: Vojtěch P. <kr...@gm...> - 2015-10-09 23:16:57

Greetings,
thanks for your prompt response.
Unfortunately, it is still not working as expected.
There is a problem with retrieving the current user and information from
the HSQL database in general.
Moreover, when using the following request file from the same application,
sqlmap identified the backend database as PostgreSQL instead of HSQL.
This request is from the lesson about simple string SQL injection.
#begin request file
POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: */*
Accept-Language: cs,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Length: 29
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Cookie: JSESSIONID=valid_cookie

account_name=Smith&SUBMIT=Go!
#end request
Feel free to ask me for more debugging information, I will be glad to
help you.
Thanks for your work,
Vojta

On 9.10.2015 at 16:52 Miroslav Stampar wrote:
> Fixed tons of bugs and pushed. Please retry it again.
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-10-09 14:52:49
Fixed tons of bugs and pushed. Please retry it again.

Bye

On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <mir...@gm...> wrote:
> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
> right now.
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-10-09 13:55:56
Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.

Bye

On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi again.
>
> Please update to the latest revision and retry it again (with
> --flush-session).
>
> Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL
> (because HSQLDB is MySQL look-alike)
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-10-09 12:20:13
Hi again.

Please update to the latest revision and retry it again (with --flush-session).

Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL (because HSQLDB is MySQL look-alike)

Bye

On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> You can download Webgoat here:
> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
> Just run java -jar WebGoat-6.0.1-war-exec.jar
> And you can login at localhost:8080/WebGoat with name webgoat and password
> webgoat
> The request file posted earlier is from Blind numeric SQL injection lesson.
> Application is written in Java and runs on embedded Tomcat 7 server.
> I am using this command, where "request" is request file posted earlier
> and valid_cookie is simply valid cookie.
> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o
> --cookie="JSESSIONID=valid_cookie" -v3
> As I stated earlier, sqlmap finds the vulnerability but can't exploit it,
> I tried almost all tamper scripts, even some combinations, but no success.
> I wanted to show exploitation of Webgoat, because I would like to use
> Sqlmap for testing of commercial application which is based on similar
> technologies.
> Thank you,
> Vojta

--
Miroslav Stampar
http://about.me/stamparm
From: Robin W. <ro...@di...> - 2015-10-09 11:21:12
Have you tried to manually extract some data? If not, give it a try; from doing it you'll be able to work out if you need any tampering or if there are any other special requirements.

Robin

On 9 October 2015 at 11:49, Vojtěch Polášek <kr...@gm...> wrote:
> Hi,
> You can download Webgoat here:
> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
> Just run java -jar WebGoat-6.0.1-war-exec.jar
> And you can login at localhost:8080/WebGoat with name webgoat and password
> webgoat
> The request file posted earlier is from Blind numeric SQL injection lesson.
> Application is written in Java and runs on embedded Tomcat 7 server.
> I am using this command, where "request" is request file posted earlier and
> valid_cookie is simply valid cookie.
> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o
> --cookie="JSESSIONID=valid_cookie" -v3
> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I
> tried almost all tamper scripts, even some combinations, but no success.
> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap
> for testing of commercial application which is based on similar
> technologies.
> Thank you,
> Vojta
From: Vojtěch P. <kr...@gm...> - 2015-10-09 10:49:54
Hi,
You can download Webgoat here:
https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
Just run java -jar WebGoat-6.0.1-war-exec.jar
And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat.
The request file posted earlier is from the Blind numeric SQL injection lesson.
The application is written in Java and runs on an embedded Tomcat 7 server.
I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
As I stated earlier, sqlmap finds the vulnerability but can't exploit it. I tried almost all tamper scripts, even some combinations, but no success.
I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
Thank you,
Vojta

On 9.10.2015 at 11:16 Miroslav Stampar wrote:
> Hi.
>
> Can you please send a used sqlmap command along with the basic info on
> vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>
> Bye
From: Miroslav S. <mir...@gm...> - 2015-10-09 09:17:30
p.s. you can always use something like http://testphp.vulnweb.com/artists.php?artist=1 for a quick test/show off

On Fri, Oct 9, 2015 at 11:16 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Can you please send a used sqlmap command along with the basic info on
> vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>
> Bye

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2015-10-09 09:16:47
Hi.

Can you please send a used sqlmap command along with the basic info on vulnerable environment (e.g. just a plain Webgoat, URL this and that)?

Bye

On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
> Greetings,
> I am running Webgoat from standalone jar file, so I can't see any logs.
> I will try to see some logs from inside the application. Anyway, I
> didn't expect this application to contain any kind of filtering.
> I hope to show Sqlmap in action to some people from a large company and
> I wanted to use something simple, therefore I am quite surprised. I have
> never seen this situation - found injection but no possibility of
> exploitation.
> The between tamper script didn't help.
> Any suggestions are welcomed.
> Thanks,
> Vojta

--
Miroslav Stampar
http://about.me/stamparm
From: Brandon P. <bpe...@gm...> - 2015-10-09 02:50:20
> On Oct 8, 2015, at 3:52 PM, Vojtěch Polášek <kr...@gm...> wrote:
>
> Greetings,
> I am running Webgoat from a standalone jar file, so I can't see any logs.
> I will try to see some logs from inside the application. Anyway, I
> didn't expect this application to contain any kind of filtering.
> I hope to show Sqlmap in action to some people from a large company and
> I wanted to use something simple, therefore I am quite surprised. I have
> never seen this situation - found injection but no possibility of
> exploitation.
> The between tamper script didn't help.
> Any suggestions are welcome.

It is relatively common for sqlmap to detect a SQL injection, but then fail during data exfil because part of the syntax used in the data exfil payloads is transformed or blocked on the backend. < and > are very commonly transformed to &gt; or &lt; specifically, which is where the between tamper script is useful. There are a lot of tamper scripts, maybe it's a space (space2comment), not the < or > characters. Try different techniques if available. I have no idea about the internals of webgoat.

> Thanks,
> Vojta
>
> On 8.10.2015 at 18:10, Brandon Perry wrote:
>> You should look in the logs of the web server and see what they say.
>>
>> I bet you need --tamper=between
>>
>> Sent from a phone
>>
>>> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>>
>>> Greetings,
>>> I tried to verify Sqlmap's functionality by running it against Webgoat
>>> version 6.0.1. You can try it yourself by using the following request file.
>>> Just log in and replace the cookie with a valid one.
>>> ###start request file
>>> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>> Accept: */*
>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>> Content-Length: 29
>>> Cookie: JSESSIONID=replace
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>>
>>> account_number=101&SUBMIT=Go!
>>> #end request file
>>> I am running git master of Sqlmap.
>>> Sqlmap detects SQL injection (boolean based blind MySQL), but no
>>> information gathering commands work (--dbs, --current-user...). I tried
>>> running with --hex or --no-cast, but no luck.
>>> What might be the problem?
>>> Thanks,
>>> Vojta
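As an added example (my own code, not from the thread or from sqlmap), a small detector for the boolean-blind request shapes this reply talks about, run over constructed WebGoat-style form bodies: it undoes percent-encoding and HTML entities before matching, so a backend that rewrites `>` to `&gt;` neither breaks the match nor hides the `NOT BETWEEN 0 AND n` form that the between tamper substitutes for `> n`. The regexes and the sample bodies are assumptions of mine, made up for the example.

```python
import html
import re
from urllib.parse import unquote_plus

# Payload shapes from the thread: a tautology probe, a numeric comparison on an
# extracted character, and the rewrite sqlmap's 'between' tamper produces
# (A > B becomes A NOT BETWEEN 0 AND B), which needs no '<' or '>' at all.
TAUTOLOGY = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I)
COMPARISON = re.compile(r"\b(and|or)\b[^&]*?(<=|>=|<|>)\s*\d+", re.I)
BETWEEN = re.compile(r"\b(not\s+)?between\s+\d+\s+and\s+\d+", re.I)


def normalise(body: str) -> str:
    """Undo percent-encoding, then HTML entities, so an application that
    turned '>' into '&gt;' before logging does not hide the payload."""
    return html.unescape(unquote_plus(body))


def classify(body: str) -> list[str]:
    """Return the payload classes present in one request body ([] if clean)."""
    text = normalise(body)
    found = []
    for name, pattern in (("tautology", TAUTOLOGY),
                          ("comparison", COMPARISON),
                          ("between", BETWEEN)):
        if pattern.search(text):
            found.append(name)
    return found


def scan(bodies: list[str]) -> list[tuple[int, list[str]]]:
    """(index, classes) for every body that carries at least one payload."""
    return [(i, classify(b)) for i, b in enumerate(bodies) if classify(b)]


# Constructed bodies for the WebGoat form in the thread (made up, not captured).
SAMPLE_BODIES = [
    "account_number=101&SUBMIT=Go!",                      # the legitimate request
    "account_number=101+AND+1%3D1&SUBMIT=Go!",            # tautology probe
    "account_number=101+AND+ORD(MID((SELECT+user()),1,1))%3E64&SUBMIT=Go!",
    # the same probe after the application HTML-escaped '>' before logging it
    "account_number=101 AND ORD(MID((SELECT user()),1,1))&gt;64&SUBMIT=Go!",
    # the 'between' tamper form of the same comparison
    "account_number=101+AND+ORD(MID((SELECT+user()),1,1))+NOT+BETWEEN+0+AND+64&SUBMIT=Go!",
]

if __name__ == "__main__":
    for index, classes in scan(SAMPLE_BODIES):
        print(index, classes)
```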
From: Vojtěch P. <kr...@gm...> - 2015-10-08 20:52:37
Greetings,
I am running Webgoat from a standalone jar file, so I can't see any logs.
I will try to see some logs from inside the application. Anyway, I
didn't expect this application to contain any kind of filtering.
I hope to show Sqlmap in action to some people from a large company and
I wanted to use something simple, therefore I am quite surprised. I have
never seen this situation - found injection but no possibility of
exploitation.
The between tamper script didn't help.
Any suggestions are welcome.
Thanks,
Vojta

On 8.10.2015 at 18:10, Brandon Perry wrote:
> You should look in the logs of the web server and see what they say.
>
> I bet you need --tamper=between
>
> Sent from a phone
>
>> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>>
>> Greetings,
>> I tried to verify Sqlmap's functionality by running it against Webgoat
>> version 6.0.1. You can try it yourself by using the following request file.
>> Just log in and replace the cookie with a valid one.
>> ###start request file
>> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>> Host: localhost:8080
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>> Accept: */*
>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>> Accept-Encoding: gzip, deflate
>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> X-Requested-With: XMLHttpRequest
>> Referer: http://localhost:8080/WebGoat/start.mvc
>> Content-Length: 29
>> Cookie: JSESSIONID=replace
>> Connection: keep-alive
>> Pragma: no-cache
>> Cache-Control: no-cache
>>
>> account_number=101&SUBMIT=Go!
>> #end request file
>> I am running git master of Sqlmap.
>> Sqlmap detects SQL injection (boolean based blind MySQL), but no
>> information gathering commands work (--dbs, --current-user...). I tried
>> running with --hex or --no-cast, but no luck.
>> What might be the problem?
>> Thanks,
>> Vojta
From: Brandon P. <bpe...@gm...> - 2015-10-08 16:10:11
You should look in the logs of the web server and see what they say.

I bet you need --tamper=between

Sent from a phone

> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <kr...@gm...> wrote:
>
> Greetings,
> I tried to verify Sqlmap's functionality by running it against Webgoat
> version 6.0.1. You can try it yourself by using the following request file.
> Just log in and replace the cookie with a valid one.
> ###start request file
> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
> Accept: */*
> Accept-Language: cs,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: http://localhost:8080/WebGoat/start.mvc
> Content-Length: 29
> Cookie: JSESSIONID=replace
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
>
> account_number=101&SUBMIT=Go!
> #end request file
> I am running git master of Sqlmap.
> Sqlmap detects SQL injection (boolean based blind MySQL), but no
> information gathering commands work (--dbs, --current-user...). I tried
> running with --hex or --no-cast, but no luck.
> What might be the problem?
> Thanks,
> Vojta
From: Vojtěch P. <kr...@gm...> - 2015-10-08 15:33:31
Greetings,
I tried to verify Sqlmap's functionality by running it against Webgoat
version 6.0.1. You can try it yourself by using the following request file.
Just log in and replace the cookie with a valid one.
###start request file
POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: cs,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Length: 29
Cookie: JSESSIONID=replace
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

account_number=101&SUBMIT=Go!
#end request file
I am running git master of Sqlmap.
Sqlmap detects SQL injection (boolean based blind MySQL), but no
information gathering commands work (--dbs, --current-user...). I tried
running with --hex or --no-cast, but no luck.
What might be the problem?
Thanks,
Vojta
From: bogdan <bog...@ou...> - 2015-10-07 09:35:05
From: bogdan <bog...@ou...> - 2015-10-07 09:30:45
Thanks for your reply "Miroslav Stampar", I understood.

On 07.10.2015 13:05, Miroslav Stampar wrote:
> sqlmap has to find a SQLi. It can't just dump data without knowing
> anything about the SQLi. Every SQLi technique has different rules for
> data dumping.
>
> I would suggest that you run (if you want to be stricter with your
> given cases):
>
> python sqlmap.py -u "http://hello.com/index.php?id=1" --technique=BU --prefix="" --suffix="-- -" --union-cols=5
> python sqlmap.py -u "http://world.com/index.php?page=3" --technique=BU --prefix="" --suffix="-- -" --union-cols=5
>
> Bye
>
> On Wed, Oct 7, 2015 at 11:47 AM, bogdan <bog...@ou...> wrote:
>
>     Hello!
>
>     I have a list of vulnerable union-based URLs (example):
>
>     http://hello.com/index.php?id=-1+and+union+all+select+1,2,3,[point],4,5--
>     http://world.com/index.php?page=3+and+union+all+select+1,2,3,4,[point]--
>
>     How can I load one URL from this list into sqlmap and dump the structure
>     of the database, without finding the injection point?
>
>     Sorry for my bad English, and thanks!
>
> --
> Miroslav Stampar
> http://about.me/stamparm