On 04/14/2013 01:14 AM, Miroslav Stampar wrote:
> Nevertheless, with the latest commit that check should be "neutralized" now.
> Could you please retry it now?
thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib hiccups,
using the same file:
/usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug!
Traceback (most recent call last):
  File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in _really_load
    assert domain_specified == initial_dot
AssertionError
  _warn_unhandled_exception()
[11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'')
the 999.. looks strange to me.
>
>
> On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar
> <[email protected]> wrote:
>
> Hi Dirk.
>
> Well, I would say that you have an expired cookie. Do you see that value
> 0? That value should be a valid UNIX time representing time of cookie
> expiration. Also, I've just tested that cookie of yours and sqlmap says:
> "[WARNING] cookie '....' has expired"
>
that's true but IMO 0 represents just a session cookie. Example:
prompt% wget -q -O /dev/null --keep-session-cookies --save-cookies=/dev/stdout bing.com
# HTTP cookie file.
# Generated by Wget on 2013-04-15 11:23:13.
# Edit at your own risk.
.bing.com TRUE / FALSE 1429089794 SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415
.bing.com TRUE / FALSE 1429089794 SRCHD D=2781203&MS=2781203&AF=NOFORM
.bing.com TRUE / FALSE 1429089794 OrigMUID 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe
.bing.com TRUE / FALSE 1429089794 MUID 333995A69E06630B2EB491169F016314
.bing.com TRUE / FALSE 0 _SS SID=B954CB7EDF8643CABAD8013F27A241E7
.bing.com TRUE / FALSE 0 _HOP
.bing.com TRUE / FALSE 0 _FS NU=1
.bing.com TRUE / FALSE 1429089794 _FP EM=1
www.bing.com FALSE / FALSE 1429089794 SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D
www.bing.com FALSE / FALSE 1429089794 MUIDB 333995A69E06630B2EB491169F016314
prompt%
Same parser problem btw if I edit the cookie file and put 1429089794 unix time
instead of 0 in there.
Ok: With the prev rev ed5599f it reads this file ok (no session cookies but
cookies w/ expiration date) and uses the last
cookie only for the first 120 tries.
Cheers, Dirk
>
> Kind regards,
> Miroslav Stampar
>
>
> On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <[email protected]> wrote:
>
>
> Hi Miroslav,
>
> thx for your prompt answer.
>
> On 04/12/2013 07:45 PM, Miroslav Stampar wrote:
> > Hi Dirk.
> >
> > Could you please get the latest revision and retry it again?
> ed5599f: almost the same: with cookie in the header sqlmap takes only this one.
> The slight difference seems to be that in the case where I didn't supply a cookie
> sqlmap doesn't use any cookie at all, i.e. now not the one from the server anymore.
> >
> > There was a situation where info messages have been wrongly written that original response contained Set-Cookie in situations like yours.
> >
> > In case that everything stays as it is, I'll need to ask you to provide more details. For example, cookie file would be great.
>
> sure, here you go:
>
> --snip
> # Netscape HTTP Cookie File
> <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID \t <Cookie>
> [..]
> --snap
>
> They are all session cookies. For easier reading here I put some blanks in the line
> above, in "cookie-file" there aren't any though. Cookies were generated with
> stompy and a shell script (looks the same as with
> wget -S -O /dev/null --keep-session-cookies --save-cookies=<file> <URL>)
>
> Again: sqlmap doesn't hiccup/complain while eating my cookies file ;-)
>
> >
> > Also, please make sure that the cookie file contains proper cookie(s) - domain name should be the same as a domain of target, cookie needs to have a proper valid time, etc.
>
> see above.
>
> Cheers,
>
> Dirk
>
> >
> >
> > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter <[email protected]> wrote:
> >
> > Hi Miroslav,
> >
> > yes unfortunately.
> >
> > If I omit the cookie line in the request header completely, sqlmap
> > seems to take the first cookie issued by the server with set-cookie (and
> > puts it silently in).
> >
> > Cheers,
> >
> > Dirk
> >
> >
> >
> > On 04/12/2013 03:24 PM, Miroslav Stampar wrote:
> > > Hi.
> > >
> > > And this is also happening if you are skipping "Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request?
> > >
> > > Kind regards,
> > > Miroslav Stampar
> > >
> > >
> > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter <[email protected]> wrote:
> > >
> > >
> > > Hi folks,
> > >
> > > > .... that doesn't work for me. It always uses the cookie supplied
> > > > (below in $REQUEST, or if I omit the line in $REQUEST the one
> > > > from the 1st server reply is being used)
> > >
> > > So what is wrong in here:
> > >
> > > cd ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce
> > > ./sqlmap.py --ignore-proxy --force-ssl --beep \
> > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \
> > > --level=2 --risk=2 -r $REQUEST
> > >
> > > The content of the file $REQUEST is:
> > >
> > > POST <URL> HTTP/1.1
> > > Host: <HOST>
> > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.6 Safari/525.13
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > Accept-Language: en-US,en;q=0.5
> > > Accept-Encoding: gzip, deflate
> > > Referer: <Referer>
> > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7
> > > Connection: keep-alive
> > > Content-Type: application/x-www-form-urlencoded
> > > Content-Length: 67
> > >
> > > <abunchofpostparams>
> > >
> > >
> > > > No hints that cookie-file is not in correct format (I've been through this,
> > > > at least I think so ;) ).
> > >
> > > Any insight would be much appreciated.
> > >
> > >
> > > Cheers,
> > >
> > > Dirk
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
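
Added example, not part of the thread and not sqlmap or cookielib code: a stand-alone linter for the Netscape cookie-file lines discussed above. It flags a second column that disagrees with the domain's leading dot, which is the condition the `assert domain_specified == initial_dot` line in the traceback checks, and it classifies the expiry column. Treating 0 as a session cookie follows the wget output quoted in the thread and is an assumption here, as are the function names and the constructed sample domains.

```python
import time

FIELDS = ("domain", "domain_specified", "path", "secure", "expires", "name", "value")

def lint_cookie_line(line, now=None):
    """Return (cookie, problems) for one Netscape cookie-file data line."""
    now = time.time() if now is None else now
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None, ["expected 7 tab-separated fields, got %d" % len(parts)]
    cookie = dict(zip(FIELDS, parts))
    problems = []
    for flag in ("domain_specified", "secure"):
        if cookie[flag] not in ("TRUE", "FALSE"):
            problems.append("%s must be TRUE or FALSE" % flag)
    # Same condition as the failing assert in the traceback: column 2 has to
    # agree with whether the domain starts with a dot.
    if (cookie["domain_specified"] == "TRUE") != cookie["domain"].startswith("."):
        problems.append("domain_specified does not match leading dot of domain")
    if cookie["expires"] in ("", "0"):
        cookie["kind"] = "session"  # assumption: 0 as in the wget output
    elif not cookie["expires"].isdecimal():
        problems.append("expires is not a UNIX timestamp")
    else:
        expired = int(cookie["expires"]) <= now
        cookie["kind"] = "expired" if expired else "persistent"
    return cookie, problems

def lint_cookie_file(text, now=None):
    """Lint every data line; returns a list of (line_no, cookie, problems)."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no cookie
        results.append((line_no,) + lint_cookie_line(line, now))
    return results

# Constructed sample: line 2 has the shape of the rejected line in the thread
# (no leading dot, flag TRUE); line 3 has the shape of the original session cookie.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "app.example.test\tTRUE\t/\tTRUE\t9999999999\tJSESSIONID\tAAAA\n"
    "app.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tAAAA\n"
    ".example.test\tTRUE\t/\tFALSE\t1429089794\tMUID\tBBBB\n"
)

if __name__ == "__main__":
    for line_no, cookie, problems in lint_cookie_file(SAMPLE, now=1366000000):
        print(line_no, cookie and cookie.get("kind"), problems or "ok")
```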