p.s.

with the last update (r4153) only runs with non-80 ports will result in
the :port scheme (which is conformant to
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

this should be the best way to solve this issue.

thank you for your report

kr

On Tue, Jun 21, 2011 at 10:48 PM, Miroslav Stampar
<miroslav.stam...@gmail.com> wrote:
> hi David.
>
> it should be "patched" with the latest commit.
>
> thing is that some web servers don't act well with the Host:port scheme,
> hence the behavior you've noticed. this is prone to changes and we are
> open to suggestions.
>
> kr
>
> On Tue, Jun 21, 2011 at 10:39 PM, David Rhoades
> <david.rhoa...@mavensecurity.com> wrote:
>> I'm using sqlmap/1.0-dev (r4149).
>> The HTTP Host header is missing the port number when the target is on a
>> non-standard port, such as http://target:8080.
>>
>> Here is an example targeting OWASP's Insecure Web App
>> (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project).
>>
>> $ ./sqlmap.py --url
>> "http://localhost:8080/insecure/public/Login.jsp?login=cjones&pass=chris"
>> --cookie "JSESSIONID=8A4000EFEEA92B193D8DF284F6D22777" --dbs -v 6
>>
>> ===
>> [16:29:53] [TRAFFIC OUT] HTTP request [#1]:
>> GET /insecure/public/Login.jsp?login=cjones&pass=chris HTTP/1.1
>> Accept-Encoding: identity
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>> Host: localhost
>> Accept-language: en-us,en;q=0.5
>> Pragma: no-cache
>> Cache-control: no-cache,no-store
>> Cookie: JSESSIONID=8A4000EFEEA92B193D8DF284F6D22788
>> User-agent: sqlmap/1.0-dev (r4149) (http://sqlmap.sourceforge.net)
>> Connection: close
>> ===
>>
>> That request goes to the correct place on port 8080 (a sniffer or MITM proxy
>> shows this to be the case) but the Host header only says, "Host: localhost"
>> rather than "Host: localhost:8080".  In this case the web server
>> (Apache-Coyote/1.1) is using the Host header to form the Location header in
>> the reply to HTTP 302 redirect the user to another page after successfully
>> logging in.  Because the Host header is missing the port the Location header
>> mistakenly says the host is localhost rather than localhost:8080, so sqlmap
>> attempts to follow that link which is the wrong site (wrong port anyway).
>>
>> ===
>> HTTP/1.1 302 Moved Temporarily
>> Set-Cookie: JSESSIONID=71B3FFFCA9EC2F65A998D3E555864109; Path=/insecure
>> Location: http://localhost/insecure/secure/index.jsp
>> Content-Type: text/html;charset=ISO-8859-1
>> Content-Length: 0
>> Date: Tue, 21 Jun 2011 16:21:57 GMT
>> Server: Apache-Coyote/1.1
>> Connection: close
>> ===
>>
>> I also see the same behavior when using sqlmap against Hacme Casino
>> (http://sourceforge.net/scm/?type=cvs&group_id=143089) which uses Mongrel
>> 1.1.5 as its server.  Hacme Casino is on port 3000.
>>
>> This is probably not a big deal in the real world because it's not clear if
>> any other servers reference the Host header when making Location headers.
>> Also, most people are probably targeting standard ports (80 and 443).  But
>> still, it would be great to get this fixed so we can continue to use sqlmap
>> in our training labs (we have targets on non-standard ports).
>>
>> <semi-shameless plug>
>> If you would like to see this behavior for yourself checkout the Web
>> Security Dojo since it has sqlmap, InsecureWebApp, and Hacme Casino
>> pre-installed (along with other goodies).  http://dojo.mavensecurity.com
>> I only mention that to aid in debugging sqlmap. :)
>> </semi-shameless plug>
>>
>> -----------------------------------------------------<><
>> David Rhoades
>> Maven Security Consulting Inc (www.MavenSecurity.com)
>> Current Timezone: GMT-4 (Wilmington, DE)
>>
>>
>>
>> ------------------------------------------------------------------------------
>> EditLive Enterprise is the world's most technically advanced content
>> authoring tool. Experience the power of Track Changes, Inline Image
>> Editing and ensure content is compliant with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
>



-- 
Miroslav Stampar (@stamparm)

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
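As an added illustration of the Host header rule discussed in this thread (not code from sqlmap or from either poster), the following Python builds the Host header value the way RFC 2616 section 14.23 describes, appending ":port" only when the URL carries a port that is not the scheme default, and then shows why the missing port matters: a server that rebuilds its 302 Location from the Host header (as Apache-Coyote did in the report above) ends up pointing at the wrong origin, so a client can check a Location header against the request origin before following it. The request URL and Location values are the ones quoted in the report; the function names and the simplified server model are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Scheme defaults per RFC 2616: a Host value without a port implies these.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(url: str) -> str:
    """Return the Host header value for `url`.

    Port is included only when it is explicit and differs from the scheme's
    default, so http://h/ and http://h:80/ both yield "h", while
    http://h:8080/ yields "h:8080".  IPv6 literals keep their brackets.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host component in {url!r}")
    if ":" in host:
        # urlsplit strips the brackets from IPv6 literals; restore them.
        host = f"[{host}]"
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == DEFAULT_PORTS.get(parts.scheme.lower()):
        return host
    return f"{host}:{port}"


def redirect_location(scheme: str, host_hdr: str, path: str) -> str:
    """Model of a server that rebuilds an absolute Location from the Host
    header it received (assumed simplification of the Coyote behaviour in the
    report).  With "Host: localhost" the port is lost; with
    "Host: localhost:8080" it survives."""
    return f"{scheme}://{host_hdr}{path}"


def same_origin_redirect(request_url: str, location: str) -> bool:
    """True when `location` (absolute or relative) resolves to the same
    scheme and host:port as `request_url`.  A client can refuse or flag
    redirects that fail this check instead of silently following them to a
    different port, which is what happened in the report."""
    target = urljoin(request_url, location)
    same_scheme = urlsplit(target).scheme.lower() == urlsplit(request_url).scheme.lower()
    return same_scheme and host_header(target) == host_header(request_url)


if __name__ == "__main__":
    # Constructed walk-through using the values quoted in the report.
    req = "http://localhost:8080/insecure/public/Login.jsp?login=cjones&pass=chris"
    print("correct Host header:", host_header(req))          # localhost:8080
    bad_loc = redirect_location("http", "localhost", "/insecure/secure/index.jsp")
    good_loc = redirect_location("http", host_header(req), "/insecure/secure/index.jsp")
    print("Location from port-less Host:", bad_loc)           # wrong origin
    print("Location from correct Host:  ", good_loc)
    print("follow bad Location?", same_origin_redirect(req, bad_loc))    # False
    print("follow good Location?", same_origin_redirect(req, good_loc))  # True
```

The same-origin check is deliberately strict about the port: "localhost" and "localhost:8080" are different origins, which is exactly the distinction the port-less Host header erased.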
