Thread: [sqlmap-users] --load-cookies
From: Dirk W. <sp...@dr...> - 2013-04-12 13:13:45

Hi folks,

.... that doesn't work for me. It always uses the cookie supplied
(below in $REQUEST, or if I omit the line in $REQUEST the one
from the 1st server reply is being used)

So what is wrong in here:

    cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
    ./sqlmap.py --ignore-proxy --force-ssl --beep \
        --threads=8 -v 6 --load-cookies=$WD/cookie-file \
        --level=2 --risk=2 -r $REQUEST

The content of the file $REQUEST is:

    POST <URL> HTTP/1.1
    Host: <HOST>
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: <Referer>
    Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 67

    <abunchofpostparams>

No hints that cookie-file is not in correct format (I've been through this,
at least I think so ;) ).

Any insight would be much appreciated.

Cheers,

Dirk

From: Miroslav S. <mir...@gm...> - 2013-04-12 13:24:49

Hi.

And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

From: Dirk W. <sp...@dr...> - 2013-04-12 14:52:00

Hi Miroslav,

yes unfortunately.

If I omit the cookie line in the request header completely, sqlmap
seems to take the first cookie issued by the server with set-cookie (and
puts it silently in).

Cheers,

Dirk

From: Miroslav S. <mir...@gm...> - 2013-04-12 17:45:36

Hi Dirk.

Could you please get the latest revision and retry it again?

There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.

In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.

Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.

Kind regards,
Miroslav Stampar

From: Dirk W. <sp...@dr...> - 2013-04-13 10:55:11

Hi Miroslav,

thx for your prompt answer.

On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> Hi Dirk.
>
> Could you please get the latest revision and retry it again?

ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
The slight difference seems to be that in the case where I didn't supply a cookie
sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.

> There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
>
> In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.

sure, here you go:

    --snip
    # Netscape HTTP Cookie File
    <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
    [..]
    --snap

They are all session cookies. For easier reading here I put some blanks in the line
above, in "cookie-file" there aren't any though. Cookies were generated with
stompy and a shell script (looks the same as with
wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)

Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)

> Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.

see above.

Cheers,

Dirk

From: Miroslav S. <mir...@gm...> - 2013-04-13 22:59:30

Hi Dirk.

Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"

Kind regards,
Miroslav Stampar

From: Miroslav S. <mir...@gm...> - 2013-04-13 23:14:47

Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?

Kind regards,
Miroslav Stampar

From: Dirk W. <sp...@dr...> - 2013-04-15 09:36:54

On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?

thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:

    /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
        assert domain_specified == initial_dot
    AssertionError

      _warn_unhandled_exception()
    [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')

the 999.. looks strange to me.

> On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi Dirk.
>
> Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"

that's true but IMO 0 represents just a session cookie. Example:

    prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
    # HTTP cookie file.
    # Generated by Wget on 2013-04-15 11:23:13.
    # Edit at your own risk.

    .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
    .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
    .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
    .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
    .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
    .bing.com TRUE / FALSE 0 _HOP
    .bing.com TRUE / FALSE 0 _FS NU=1
    .bing.com TRUE / FALSE 1429089794 _FP EM=1
    www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
    www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314

    prompt%

Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.

Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last
cookie only for the first 120 tries.

Cheers, Dirk

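
The two cookie-file problems that surface in this thread, a session cookie saved with expiry 0 being reported as expired and a domain flag that disagrees with the domain's leading dot (the condition behind `assert domain_specified == initial_dot`), can be checked before a file is handed to any tool. The linter below is an added example, not part of the thread and not sqlmap or cookielib code; `lint_cookie_file`, the finding codes, the host name `app.example.test` and the sample file are constructed for illustration.

```python
"""Lint a Netscape-format cookie file before passing it to a tool.

Added example; function names, finding codes and sample data are constructed.
"""
from typing import List, NamedTuple

FIELDS = 7  # domain, domain_specified, path, secure, expires, name, value


class Finding(NamedTuple):
    line_no: int
    code: str
    detail: str


def domain_matches(cookie_domain: str, host: str) -> bool:
    """Return True if a cookie stored for cookie_domain applies to host."""
    cookie_domain, host = cookie_domain.lower(), host.lower()
    if cookie_domain.startswith("."):
        # ".example.test" covers example.test itself and any subdomain of it.
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain


def lint_cookie_file(text: str, target_host: str, now: int) -> List[Finding]:
    """Check each cookie line; `now` is a UNIX timestamp passed in for repeatable runs."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line, header or comment
        parts = line.split("\t")
        if len(parts) != FIELDS:
            # Typical cause: columns separated by blanks instead of tabs.
            findings.append(Finding(line_no, "FIELD_COUNT",
                                    f"expected {FIELDS} tab-separated fields, got {len(parts)}"))
            continue
        domain, flag, _path, _secure, expires, name, _value = parts

        if flag not in ("TRUE", "FALSE"):
            findings.append(Finding(line_no, "BAD_FLAG",
                                    f"{name}: domain flag must be TRUE or FALSE, got {flag!r}"))
        elif (flag == "TRUE") != domain.startswith("."):
            # Same condition as the assertion quoted in the traceback above.
            findings.append(Finding(line_no, "DOT_FLAG_MISMATCH",
                                    f"{name}: flag {flag} disagrees with domain {domain!r}"))

        if expires in ("", "0"):
            # Session cookie; a loader that compares expiry with the clock
            # reports it as expired, as described in the thread.
            findings.append(Finding(line_no, "SESSION_COOKIE",
                                    f"{name}: expiry {expires!r} means no expiry time is stored"))
        elif not expires.isdigit():
            findings.append(Finding(line_no, "BAD_EXPIRY",
                                    f"{name}: expiry {expires!r} is not a UNIX timestamp"))
        elif int(expires) <= now:
            findings.append(Finding(line_no, "EXPIRED",
                                    f"{name}: expired at {expires}"))

        if not domain_matches(domain, target_host):
            findings.append(Finding(line_no, "DOMAIN_MISMATCH",
                                    f"{name}: domain {domain!r} does not cover {target_host!r}"))
    return findings


# Constructed reference time: 2013-04-15 00:00:00 UTC.
NOW = 1365984000

# Constructed sample file; cookie values are placeholders.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "app.example.test\tTRUE\t/\tTRUE\t9999999999\tJSESSIONID\tCONSTRUCTED1",
    "app.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tCONSTRUCTED2",
    ".example.test\tTRUE\t/\tFALSE\t1300000000\tOLD\tCONSTRUCTED3",
    "other.example.org\tFALSE\t/\tFALSE\t1429089794\tX\tCONSTRUCTED4",
    "app.example.test FALSE / TRUE 0 JSESSIONID CONSTRUCTED5",
    "app.example.test\tFALSE\t/\tTRUE\t1429089794\tGOOD\tCONSTRUCTED6",
])

if __name__ == "__main__":
    for f in lint_cookie_file(SAMPLE, "app.example.test", NOW):
        print(f"line {f.line_no}: {f.code}: {f.detail}")
```
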
From: Miroslav S. <mir...@gm...> - 2013-04-15 09:45:28
|
Hi Dirk.

Now that crash should be "patched".

Could you please retry it now and say if the latest revision suits your needs?

Kind regards,
Miroslav Stampar

On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <sp...@dr...> wrote:
>
> On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> > Nevertheless, with the latest commit that check should be "neutralized" now. Could you please retry it now?
>
> thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups, using the same file:
>
> /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
>     assert domain_specified == initial_dot
> AssertionError
>
>   _warn_unhandled_exception()
> [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
>
> the 999.. looks strange to me.
>
> > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> >
> > Hi Dirk.
> >
> > Well, I would say that you have an expired cookie. Do you see that value 0? That value should be a valid UNIX time representing time of cookie expiration. Also, I've just tested that cookie of yours and sqlmap says: "[WARNING] cookie '....' has expired"
>
> that's true but IMO 0 represents just a session cookie. Example:
>
> prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
> # HTTP cookie file.
> # Generated by Wget on 2013-04-15 11:23:13.
> # Edit at your own risk.
>
> .bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
> .bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
> .bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
> .bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
> .bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
> .bing.com TRUE / FALSE 0 _HOP
> .bing.com TRUE / FALSE 0 _FS NU=1
> .bing.com TRUE / FALSE 1429089794 _FP EM=1
> www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
> www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
>
> prompt%
>
> Same parser problem btw if I edit the cookie file and put 1429089794 unix time instead of 0 in there.
>
> Ok: With the prev rev ed5599f it reads this file ok (no session cookies but cookies w/ expiration date) and uses the last
> cookie only for the first 120 tries.
>
> Cheers, Dirk
>
> > Kind regards,
> > Miroslav Stampar
> >
> > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <sp...@dr...> wrote:
> >
> > Hi Miroslav,
> >
> > thx for your prompt answer.
> >
> > On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > > Hi Dirk.
> > >
> > > Could you please get the latest revision and retry it again?
> > ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> > The slight difference seems to be that in the case where I didn't supply a cookie
> > sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> >
> > > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> > >
> > > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
> >
> > sure, here you go:
> >
> > --snip
> > # Netscape HTTP Cookie File
> > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> > [..]
> > --snap
> >
> > They are all session cookies. For easier reading here I put some blanks in the line
> > above, in "cookie-file" there aren't any though. Cookies were generated with
> > stompy and a shell script (looks the same as with
> > wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
> >
> > Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
> >
> > > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
> >
> > see above.
> >
> > Cheers,
> >
> > Dirk
> >
> > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <sp...@dr...> wrote:
> > >
> > > Hi Miroslav,
> > >
> > > yes unfortunately.
> > >
> > > If I omit the cookie line in the request header completely, sqlmap
> > > seems to take the first cookie issued by the server with set-cookie (and
> > > puts it silently in).
> > >
> > > Cheers,
> > >
> > > Dirk

--
Miroslav Stampar
http://about.me/stamparm |
From: Dirk W. <sp...@dr...> - 2013-04-15 10:19:25
|
Hi Miroslav,

On 04/15/2013 11:45 AM, Miroslav Stampar wrote:
> Hi Dirk.
>
> Now that crash should be "patched".
>
> Could you please retry it now and say if the latest revision suits your needs?

cool, thx. Works!

However (sorry): One needs to omit the cookie in the request header, otherwise it just uses the one supplied by the request.

Then: It doesn't change the cookie. Maybe I was interpreting that not correctly but my point was using the load-cookies option to direct sqlmap to change cookies once in a while (whenever that's gonna be). This is to circumvent restrictions one can encounter otherwise....

Cheers, Dirk |
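The two cookie-file problems raised in this thread (the `domain_specified == initial_dot` assertion and the `0` expiry that sqlmap reported as expired) can be checked before a file is handed to any loader. The lint below is an added example, not part of the original posts and not sqlmap's or cookielib's code; it assumes the seven tab-separated fields of the Netscape format and treats an empty expiry field as a session cookie, and the function names and sample lines are constructed for illustration.

```python
import time

FIELDS = ("domain", "domain_specified", "path", "secure",
          "expires", "name", "value")


def lint_cookie_line(line, now=None):
    """Return a list of findings for one line (empty list means clean)."""
    now = time.time() if now is None else now
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return []  # blank lines and comments carry no cookie
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        return ["expected 7 tab-separated fields, got %d" % len(parts)]
    rec = dict(zip(FIELDS, parts))
    findings = []
    # The assertion from the traceback: the domain_specified flag must be
    # TRUE exactly when the domain starts with a dot.
    initial_dot = rec["domain"].startswith(".")
    if (rec["domain_specified"] == "TRUE") != initial_dot:
        findings.append("domain_specified=%s but domain %s a leading dot"
                        % (rec["domain_specified"],
                           "has" if initial_dot else "lacks"))
    # Expiry (assumption): an empty field marks a session cookie; any
    # timestamp not in the future, including wget's 0, reads as expired.
    expires = rec["expires"]
    if expires and not expires.isdigit():
        findings.append("expires is not a UNIX timestamp")
    elif expires and int(expires) <= now:
        findings.append("expires=%s is in the past (expired)" % expires)
    return findings


def lint_cookie_file(text, now=None):
    """Map 1-based line numbers to findings for each problematic line."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        findings = lint_cookie_line(line, now)
        if findings:
            report[number] = findings
    return report


# Constructed sample; host name and cookie values are placeholders.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "app.example.test\tTRUE\t/\tTRUE\t9999999999\tJSESSIONID\tAAAA",
    "app.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tBBBB",
    ".example.test\tTRUE\t/\tFALSE\t9999999999\tJSESSIONID\tCCCC",
])

if __name__ == "__main__":
    for number, findings in sorted(lint_cookie_file(SAMPLE).items()):
        print("line %d: %s" % (number, "; ".join(findings)))
```

The second sample line has the same shape as the one in the quoted `[CRITICAL]` message: a host name without a leading dot combined with `TRUE` in the second field.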