Hi all.
There has been noticeable changes in cookies mechanism (now you'll be asked
if you want to merge new cookies got by Set Cookie header value with your
optional --cookies supplied value - useful when session cookie is changed
all of a sudden inside the detection phase) with the last commit r4665.
Please report back if you notice any problems regarding it.
Kind regards,
Miroslav Stampar
On Tue, Jan 10, 2012 at 10:08 AM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Hi Sean.
>
> A bit of information what's going on in your case.
>
> In scanning mode sqlmap is automatically dropping Set-Cookie header
> because that's a desired behavior. Imagine for example OR boolean injection
> testing on login page with acceptance of new cookie header. It would just
> not work because every page after the successful one with OR 1=1 would just
> appear the same (as authenticated).
>
> Nevertheless, in normal enumeration if technique is not OR boolean based
> one "Drop Set" cookie header is accepted normally without any problems
> (except if --drop-set-cookie switch is specified).
>
> Now, the real question goes like this. What's the part of sqlmap that is
> not playing as of your expectations? Detection or enumeration? Could you
> please be more specific here.
>
> Kind regards,
> Miroslav Stampar
>
> ---------- Forwarded message ----------
> From: Sean Verity <veritysr1...@gmail.com>
> Date: 9 January 2012 19:51
> Subject: Accept a New Cookie
> To: bernardo.dam...@gmail.com
>
>
> Hello,
>
> Great job on sqlmap! Saves me so much time at work.
>
> I've been using the 'cookie=' option quite a bit in some recent
> testing since the application I'm auditing relies heavily on
> authentication. The 'cookie=' option works great until my application
> attempts to refresh the session cookie.
>
> The application I'm auditing will invalidate the session cookie after
> 5 minutes. At which point, the application sends a new session cookie
> through a 'Set Cookie' header. Based on a review of Burp Suite logs,
> it appears that sqlmap is not accepting the new cookie. sqlmap
> continues to submit the original session cookie (which the application
> has invalidated), effectively terminating the authenticated sqlmap
> scan.
>
> I've reviewed my sqlmap.conf configuration file and the
> 'dropSetCookie' directive is set to 'false.'
>
> Example:
>
> ./sqlmap.py -u 'https://169.254.1.1/index.htm'
> --cookie='SESSID=1234567890ABCDEF' --proxy='http://127.0.0.1:8080'
> --risk=3 --level=5 -v 0
>
> Thanks!
>
> -Sean
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
