I'm using sqlmap/1.0-dev (r4149). The HTTP Host header is missing the port number when the target is on a non-standard port, such as http://target:8080.
Here is an example targeting OWASP's Insecure Web App (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project).

$ ./sqlmap.py --url "http://localhost:8080/insecure/public/Login.jsp?login=cjones&pass=chris" --cookie "JSESSIONID=8A4000EFEEA92B193D8DF284F6D22777" --dbs -v 6

===
[16:29:53] [TRAFFIC OUT] HTTP request [#1]:
GET /insecure/public/Login.jsp?login=cjones&pass=chris HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: localhost
Accept-language: en-us,en;q=0.5
Pragma: no-cache
Cache-control: no-cache,no-store
Cookie: JSESSIONID=8A4000EFEEA92B193D8DF284F6D22788
User-agent: sqlmap/1.0-dev (r4149) (http://sqlmap.sourceforge.net)
Connection: close
===

That request goes to the correct place on port 8080 (a sniffer or MITM proxy shows this to be the case), but the Host header only says "Host: localhost" rather than "Host: localhost:8080". In this case the web server (Apache-Coyote/1.1) is using the Host header to form the Location header in the HTTP 302 reply that redirects the user to another page after successfully logging in. Because the Host header is missing the port, the Location header mistakenly says the host is localhost rather than localhost:8080, so sqlmap attempts to follow that link, which is the wrong site (wrong port anyway).

===
HTTP/1.1 302 Moved Temporarily
Set-Cookie: JSESSIONID=71B3FFFCA9EC2F65A998D3E555864109; Path=/insecure
Location: http://localhost/insecure/secure/index.jsp
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Tue, 21 Jun 2011 16:21:57 GMT
Server: Apache-Coyote/1.1
Connection: close
===

I also see the same behavior when using sqlmap against Hacme Casino (http://sourceforge.net/scm/?type=cvs&group_id=143089), which uses Mongrel 1.1.5 as its server. Hacme Casino is on port 3000. This is probably not a big deal in the real world because it's not clear if any other servers reference the Host header when making Location headers.
Also, most people are probably targeting standard ports (80 and 443). But still, it would be great to get this fixed so we can continue to use sqlmap in our training labs (we have targets on non-standard ports).

<semi-shameless plug>
If you would like to see this behavior for yourself, check out the Web Security Dojo since it has sqlmap, InsecureWebApp, and Hacme Casino pre-installed (along with other goodies). http://dojo.mavensecurity.com
I only mention that to aid in debugging sqlmap. :)
</semi-shameless plug>

--
David Rhoades
Maven Security Consulting Inc (www.MavenSecurity.com)
Current Timezone: GMT-4 (Wilmington, DE)
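For readers following the thread, here is an added illustration (written for this page; it is not David's code and not sqlmap's own request code) of the rule the report is about: per RFC 7230 section 5.4 a client derives Host from the target URI and includes ":port" whenever the port is explicit and not the scheme's default. It also models a server that, like the Apache-Coyote one in the post, builds an absolute Location from the Host it received, and a same-origin check that flags the resulting off-port redirect. The function names, the DEFAULT_PORTS table and the sample target URL are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Default port per scheme (assumed table for this example). RFC 7230 5.4 lets a
# client omit the port from Host only when it is the scheme's default.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(url):
    """Return the Host header value a client should send for url.

    Keeps ':port' whenever the URL carries a port that is not the scheme's
    default, so http://localhost:8080/... yields 'localhost:8080'.
    """
    parts = urlsplit(url)
    host = parts.hostname          # lower-cased, brackets stripped from IPv6
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    if ":" in host:                # bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    port = parts.port              # None when the URL has no explicit port
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme.lower()):
        return f"{host}:{port}"
    return host


def location_from_host(scheme, host_header_value, path):
    """Mimic a server that builds an absolute Location header from whatever
    Host value the client sent (the behaviour observed in the post)."""
    return f"{scheme}://{host_header_value}{path}"


def effective_port(url):
    """Explicit port of url, or the scheme's default when none is given."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def same_origin(url_a, url_b):
    """True when scheme, host and effective port all match. A redirect that
    fails this check sends the client to a different site, or here a different
    port on the same host."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.hostname, effective_port(url_a)) == (
        b.scheme.lower(), b.hostname, effective_port(url_b))


if __name__ == "__main__":
    # Constructed sample mirroring the post's target URL and redirect path.
    target = "http://localhost:8080/insecure/public/Login.jsp?login=cjones&pass=chris"
    path = "/insecure/secure/index.jsp"
    buggy = location_from_host("http", "localhost", path)          # Host sent without port
    fixed = location_from_host("http", host_header(target), path)  # Host sent with port
    print("buggy Location:", buggy, "same origin:", same_origin(target, buggy))
    print("fixed Location:", fixed, "same origin:", same_origin(target, fixed))
```

Running the block prints the off-port Location from the post (http://localhost/insecure/secure/index.jsp) with same origin False, and the corrected one (http://localhost:8080/insecure/secure/index.jsp) with same origin True. A client that applies the same_origin check before following a 302 would at least notice the port change instead of silently scanning the wrong site.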