Hi Miroslav, On 04/15/2013 11:45 AM, Miroslav Stampar wrote: > Hi Dirk. > > Now that crash should be "patched". > > Could you please retry it now and say if the latest revision suits your needs?
cool, thx. Works! However (sorry): One needs to omit the cookie in the request header, otherwise it just uses the one supplied by the request. Then: It doesn't change the cookie. Maybe I was interpreting that not correctly but my point was using the load-cookies option to direct sqlmap to change cookies once in a while (whenever that's gonna be). This is to circumvent restrictions one can encounter otherwise.... Cheers, Dirk > > Kind regards, > Miroslav Stampar > > > On Mon, Apr 15, 2013 at 11:36 AM, Dirk Wetter <s...@drwetter.org > <mailto:s...@drwetter.org>> wrote: > > > > On 04/14/2013 01:14 AM, Miroslav Stampar wrote: > > Nevertheless, with the latest commit that check should be "neutralized" > now. Could you please retry it now? > > thx, Miroslav. I tried (b6fee63) but this time the cookie parser lib > hiccups, using the same file: > > /usr/lib64/python2.7/_MozillaCookieJar.py:109: UserWarning: cookielib bug! > Traceback (most recent call last): > File "/usr/lib64/python2.7/_MozillaCookieJar.py", line 82, in > _really_load > assert domain_specified == initial_dot > AssertionError > > _warn_unhandled_exception() > [11:13:26] [CRITICAL] there was a problem loading cookies file ('invalid > Netscape format cookies file '/tmp/sqlmapcj-pbP7P1': > '<FQDN>\tTRUE\t<PATH>\tTRUE\t9999999999\tJSESSIONID\t6ADFAA167AA89CF993061E5CACEF46C9'') > > the 999.. looks strange to me. > > > > > > > On Sun, Apr 14, 2013 at 12:59 AM, Miroslav Stampar > <miroslav.stam...@gmail.com <mailto:miroslav.stam...@gmail.com> > <mailto:miroslav.stam...@gmail.com <mailto:miroslav.stam...@gmail.com>>> > wrote: > > > > Hi Dirk. > > > > Well, I would say that you have an expired cookie. Do you see that > value 0? That value should be a valid UNIX time representing time of cookie > expiration. Also, I've just tested that cookie of yours and sqlmap says: > "[WARNING] cookie '....' has expired" > > > > that's true but IMO 0 represents just a session cookie. Example: > > prompt% wget -q -O /dev/null --keep-session-cookies > --save-cookies=/dev/stdout bing.com <http://bing.com> > # HTTP cookie file. > # Generated by Wget on 2013-04-15 11:23:13. > # Edit at your own risk. > > .bing.com <http://bing.com> TRUE / FALSE 1429089794 > SRCHUSR AUTOREDIR=0&GEOVAR=&DOB=20130415 > .bing.com <http://bing.com> TRUE / FALSE 1429089794 > SRCHD D=2781203&MS=2781203&AF=NOFORM > .bing.com <http://bing.com> TRUE / FALSE 1429089794 > OrigMUID > 333995A69E06630B2EB491169F016314%2cfc3b876c239e43d4bfc1544927289abe > .bing.com <http://bing.com> TRUE / FALSE 1429089794 > MUID 333995A69E06630B2EB491169F016314 > .bing.com <http://bing.com> TRUE / FALSE 0 _SS > SID=B954CB7EDF8643CABAD8013F27A241E7 > .bing.com <http://bing.com> TRUE / FALSE 0 _HOP > .bing.com <http://bing.com> TRUE / FALSE 0 _FS > NU=1 > .bing.com <http://bing.com> TRUE / FALSE 1429089794 > _FP EM=1 > www.bing.com <http://www.bing.com> FALSE / FALSE 1429089794 > SRCHUID V=2&GUID=975091780DFF407DA9DD07139FD97C4D > www.bing.com <http://www.bing.com> FALSE / FALSE 1429089794 > MUIDB 333995A69E06630B2EB491169F016314 > > prompt% > > Same parser problem btw if I edit the cookie file and put 1429089794 unix > time instead of 0 in there. > > Ok: With the prev rev ed5599f it reads this file ok (no session cookies > but cookies w/ expiration date) and uses the last > cookie only for the first 120 tries. > > Cheers, Dirk > > > > > > Kind regards, > > Miroslav Stampar > > > > > > On Sat, Apr 13, 2013 at 12:54 PM, Dirk Wetter <s...@drwetter.org > <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>>> wrote: > > > > > > Hi Miroslav, > > > > thx for your prompt answer. > > > > On 04/12/2013 07:45 PM, Miroslav Stampar wrote: > > > Hi Dirk. > > > > > > Could you please get the latest revision and retry it again? > > ed5599f: almost the same: with cookie in the header sqlmap > takes only this one. > > The slight difference seems to be that in the case where I > didn't supply a cookie > > sqlmap doesn't use any cookie at all, i.e. now not the one from > the server anymore. > > > > > > There was a situation where info messages have been wrongly > written that original response contained Set-Cookie in situations like yours. > > > > > > In case that everything stays as it is, I'll need to ask you > to provide more details. For example, cookie file would be great. > > > > sure, here you go: > > > > --snip > > # Netscape HTTP Cookie File > > <FQDN> \t FALSE \t <path> \t TRUE \t 0 \t JSESSIONID > \t <Cookie> > > [..] > > --snap > > > > They are all session cookies. For easier reading here I put > some blanks in the line > > above, in "cookie-file" there aren't any though. Cookies were > generated with > > stompy and a shell script (looks he same as with > > wget -S -O /dev/null --keep-session-cookies > --save-cookies=<file> <URL>) > > > > Again: sqlmap doesn't hiccup/complain while eating my cookies > file ;-) > > > > > > > > Also, please make sure that the cookie file contains proper > cookie(s) - domain name should be the same as a domain of target, cookie > needs to have a proper valid time, etc. > > > > see above. > > > > Cheers, > > > > Dirk > > > > > > > > > > > On Fri, Apr 12, 2013 at 4:50 PM, Dirk Wetter > <s...@drwetter.org <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>>>> wrote: > > > > > > Hi Miroslav, > > > > > > yes unfortunately. > > > > > > If I omit the cookie line in the request header > completely, sqlmap > > > seems to take the first cookie issued by the server with > set-cookie (and > > > put's it silently in). > > > > > > Cheers, > > > > > > Dirk > > > > > > > > > > > > On 04/12/2013 03:24 PM, Miroslav Stampar wrote: > > > > Hi. > > > > > > > > And this is also happening if you are skipping "Cookie: > JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7" from the original request? > > > > > > > > Kind regards, > > > > Miroslav Stampar > > > > > > > > > > > > On Fri, Apr 12, 2013 at 3:10 PM, Dirk Wetter > <s...@drwetter.org <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>>> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org> <mailto:s...@drwetter.org > <mailto:s...@drwetter.org>>>>> wrote: > > > > > > > > > > > > Hi folks, > > > > > > > > .... that doesn't work for me. It always uses the > cookie supplied > > > > (below in $REQUEST, or if I omit the line in > $REQUEST the one > > > > from the 1st server reply is being used) > > > > > > > > So what is wrong in here: > > > > > > > > cd > ~/networking/tools/sqlmap/sqlmap-dev1.0-dev-ea12cce > > > > ./sqlmap.py --ignore-proxy --force-ssl --beep \ > > > > --threads=8 -v 6 --load-cookies=$WD/cookie-file \ > > > > --level=2 --risk=2 -r $REQUEST > > > > > > > > The content of the file $REQUEST is: > > > > > > > > POST <URL> HTTP/1.1 > > > > Host: <HOST> > > > > User-Agent: Mozilla/5.0 (Windows; U; Windows NT > 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) > > > > Chrome/0.2.149.6 <http://0.2.149.6> > <http://0.2.149.6> <http://0.2.149.6> <http://0.2.149.6> Safari/525.13 > > > > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > > > > Accept-Language: en-US,en;q=0.5 > > > > Accept-Encoding: gzip, deflate > > > > Referer: <Referer> > > > > Cookie: JSESSIONID=C2E79FD79E967D3E3BA52EE67F8824D7 > > > > Connection: keep-alive > > > > Content-Type: application/x-www-form-urlencoded > > > > Content-Length: 67 > > > > > > > > <abunchofpostparams> > > > > > > > > > > > > No hints that cookie-file is not in correct format > (I've been through this, > > > > at least I think I so ;) ). > > > > > > > > Any insight would be much appreciated. > > > > > > > > > > > > Cheers, > > > > > > > > Dirk > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > Precog is a next-generation analytics platform > capable of advanced > > > > analytics on semi-structured data. The platform > includes APIs for building > > > > apps and a phenomenal toolset for data science. > Developers can use > > > > our toolset for easy data analysis & visualization. > Get a free account! > > > > > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > _______________________________________________ > > > > sqlmap-users mailing list > > > > sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net>> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net>>> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net>> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > <mailto:sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net>>>> > > > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > > > > > > > > > > -- > > > > Miroslav Stampar > > > > http://about.me/stamparm > > > > > > > > > > > > > > > -- > > > Miroslav Stampar > > > http://about.me/stamparm > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > -- > Miroslav Stampar > http://about.me/stamparm ------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
