hi David. it should be "patched" with the latest commit.
thing is that some web servers don't act well with the Host:port scheme, hence the behavior you've noticed. this is prone to changes and we are open to suggestions.

kr

On Tue, Jun 21, 2011 at 10:39 PM, David Rhoades <david.rhoa...@mavensecurity.com> wrote:
> I'm using sqlmap/1.0-dev (r4149).
> The HTTP Host header is missing the port number when the target is on a
> non-standard port, such as http://target:8080.
>
> Here is an example targeting OWASP's Insecure Web App
> (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project).
>
> $ ./sqlmap.py --url "http://localhost:8080/insecure/public/Login.jsp?login=cjones&pass=chris" --cookie "JSESSIONID=8A4000EFEEA92B193D8DF284F6D22777" --dbs -v 6
>
> ===
> [16:29:53] [TRAFFIC OUT] HTTP request [#1]:
> GET /insecure/public/Login.jsp?login=cjones&pass=chris HTTP/1.1
> Accept-Encoding: identity
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: localhost
> Accept-language: en-us,en;q=0.5
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Cookie: JSESSIONID=8A4000EFEEA92B193D8DF284F6D22788
> User-agent: sqlmap/1.0-dev (r4149) (http://sqlmap.sourceforge.net)
> Connection: close
> ===
>
> That request goes to the correct place on port 8080 (a sniffer or MITM proxy
> shows this to be the case) but the Host header only says, "Host: localhost"
> rather than "Host: localhost:8080". In this case the web server
> (Apache-Coyote/1.1) is using the Host header to form the Location header in
> the reply to HTTP 302 redirect the user to another page after successfully
> logging in. Because the Host header is missing the port, the Location header
> mistakenly says the host is localhost rather than localhost:8080, so sqlmap
> attempts to follow that link, which is the wrong site (wrong port anyway).
>
> ===
> HTTP/1.1 302 Moved Temporarily
> Set-Cookie: JSESSIONID=71B3FFFCA9EC2F65A998D3E555864109; Path=/insecure
> Location: http://localhost/insecure/secure/index.jsp
> Content-Type: text/html;charset=ISO-8859-1
> Content-Length: 0
> Date: Tue, 21 Jun 2011 16:21:57 GMT
> Server: Apache-Coyote/1.1
> Connection: close
> ===
>
> I also see the same behavior when using sqlmap against Hacme Casino
> (http://sourceforge.net/scm/?type=cvs&group_id=143089), which uses Mongrel
> 1.1.5 as its server. Hacme Casino is on port 3000.
>
> This is probably not a big deal in the real world because it's not clear if
> any other servers reference the Host header when making Location headers.
> Also, most people are probably targeting standard ports (80 and 443). But
> still, it would be great to get this fixed so we can continue to use sqlmap
> in our training labs (we have targets on non-standard ports).
>
> <semi-shameless plug>
> If you would like to see this behavior for yourself, check out the Web
> Security Dojo since it has sqlmap, InsecureWebApp, and Hacme Casino
> pre-installed (along with other goodies). http://dojo.mavensecurity.com
> I only mention that to aid in debugging sqlmap. :)
> </semi-shameless plug>
>
> -----------------------------------------------------<><
> David Rhoades
> Maven Security Consulting Inc (www.MavenSecurity.com)
> Current Timezone: GMT-4 (Wilmington, DE)
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar (@stamparm)
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B