Hi Moritz.
Please use proper/valud "cookie" value for doing it.
You've used:
--cookie="c7cf953095d6fb6587fd8c625c1ef9b8"
while you most probably wanted to do this:
--cookie="PHPSESSID=c7cf953095d6fb6587fd8c625c1ef9b8"
Also, you'll be able to retrieve cookie value after you login properly with
your regular Internet browser.
Kind regards,
Miroslav Stampar
On Wed, Jan 4, 2012 at 2:58 AM, Moritz Friedmann <[email protected]> wrote:
> hi,
>
> i want to check a site of my friend for vnl. i found a leak, but to come
> there you have to login. that's my problem: how can i scan this site with
> the login datas and the cookie?
>
> here is the post data:
> http://www.site.com/pages/logincheck.php
>
> POST /pages/logincheck.php HTTP/1.1
> Host: www.site.com
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101
> Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: de,en-us;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Connection: keep-alive
> Referer: http://www.site.com/logoutok.php
> Cookie: PHPSESSID=d4bb374119579bcb8b0a5b181219789c
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 82
>
> PHPSESSID=d4bb374119579bcb8b0a5b181219789c&username=moe&passwort=6876b24e5&x=0&y=0
> HTTP/1.1 302 Moved Temporarily
> Date: Mon, 02 Jan 2012 18:58:17 GMT
> Server: Apache
> X-Powered-By: PHP/5.2.17-0.dotdeb.0
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Location: ../login.php?err&n=moe
> Content-Length: 0
> Keep-Alive: timeout=15, max=83
> Connection: Keep-Alive
> Content-Type: text/html
> ------------------------------
>
> and here is my command: python ./sqlmap.py -u "
> http://www.site.com/community/profil/?id=1&PHPSESSID=c7cf953095d6fb6587fd8c625c1ef9b8&username=moe&passwort=68b76d24e5&x=0&y=0";
> --cookie "c7cf953095d6fb6587fd8c625c1ef9b8" -p "id" --dbs
>
>
> thanks in advance!
>
>
>
> --
> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
> belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
>
>
> ------------------------------------------------------------------------------
> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
> infrastructure or vast IT resources to deliver seamless, secure access to
> virtual desktops. With this all-in-one solution, easily deploy virtual
> desktops for less than the cost of PCs and save 60% on VDI infrastructure
> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
> _______________________________________________
> sqlmap-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
