Hi.

Please update to the latest revision and try to run with (hidden) switch
--ignore-401.

Kind regards,
Miroslav Stampar


On Tue, Apr 29, 2014 at 3:32 PM, Travis Altman <travisalt...@gmail.com> wrote:

> I'm using the conf file to kick everything off.  The only thing modified
> in the conf is the URL and the data sent in the post request.
>
> ==============================  Conf file  ================================
>
> # Target URL.
> # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
> url = http://blah/login
>
> # Parse targets from Burp or WebScarab logs
> # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
> # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
> # 'conversations/' folder path
> logFile =
>
> # Scan multiple targets enlisted in a given textual file
> bulkFile =
>
> # Load HTTP request from a file
> # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
> requestFile =
>
> # Rather than providing a target URL, let Google return target
> # hosts as result of your Google dork expression. For a list of Google
> # dorks see Johnny Long Google Hacking Database at
> # http://johnny.ihackstuff.com/ghdb.php.
> # Example: +ext:php +inurl:"&id=" +intext:"powered by "
> googleDork =
>
>
> # These options can be used to specify how to connect to the target URL.
> [Request]
>
> # Data string to be sent through POST.
> data = <?xml version="1.0" encoding="UTF-8"?><ns7:LoginInput sessionDiscriminator="blah" locale="en_US" role="" group="" password="monkey" username="monkey" xmlns:ns6="http://blah.com/Schemas/Core/2008-03/Session" xmlns:ns2="http://blah.com/Schemas/Soa/2006-03/Base" xmlns:ns5="http://blah.com/Schemas/Core/2007-12/Session" xmlns="http://blah.com/Schemas/Core/2006-03/Session" xmlns:ns8="http://blah.com/Schemas/Core/2009-04/Session" xmlns:ns3="http://blah.com/Schemas/Core/2007-01/Session" xmlns:ns7="http://blah.com/Schemas/Core/2008-06/Session" xmlns:ns4="http://blah.com/Schemas/Core/2007-06/Session" xmlns:ns10="http://blah.com/Schemas/Core/2012-02/Session" xmlns:ns9="http://blah.com/Schemas/Core/2010-04/Session"/>
>
> # Character used for splitting parameter values
> paramDel =
>
> ==========================  Command line output  ==========================
>
> [C:\tools\sqlmap-bd16bb7]python sqlmap.py -c sqlmap.conf
>
>     sqlmap/1.0-dev - automatic SQL injection and database takeover tool
>     http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 23:12:39
>
> [23:12:39] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output directory
> [23:12:39] [INFO] testing connection to the target URL
> [23:12:39] [INFO] heuristics detected web page charset 'ascii'
> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)
> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)
> [23:12:39] [WARNING] HTTP error codes detected during run:
> 401 (Unauthorized) - 1 times
>
> [*] shutting down at 23:12:39
>
>
> [C:\tools\sqlmap-bd16bb7]
>
> =================================  End  =================================
>
> Let me know if any more information is needed.  Thanks for all the help.
>
>
> On Tue, Apr 29, 2014 at 1:51 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
>> Can you please send sqlmap console log and used parameters?
>> On Apr 28, 2014 10:42 PM, "Travis Altman" <travisalt...@gmail.com> wrote:
>>
>>>  Wants me to provide the right http authentication type but the
>>> credentials are in the body of the post request.  I'm intentionally
>>> providing bad credentials which does result in a "401 Unauthorized", not
>>> sure if sqlmap is triggering off of that.  Also the body of the request is
>>> XML if that makes any difference.  Any idea why this might be happening?
>>>
>>>
>


-- 
Miroslav Stampar
http://about.me/stamparm
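
Added example (not part of the thread, and not sqlmap's own logic): the question turns on whether a 401 is an HTTP authentication challenge or the application's answer to bad credentials in the request body. The sketch below tells the two apart by the WWW-Authenticate header; the sample responses are constructed, the function names are hypothetical, and it assumes an application-level 401 carries no challenge header.

```python
# Added example: classify a 401 by whether it carries an HTTP auth challenge.
# Sample responses are constructed for illustration, not taken from the thread.

BASIC_401 = ("HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Basic realm=\"admin\"\r\n"
             "Content-Length: 0\r\n\r\n")
MULTI_401 = ("HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Negotiate\r\n"
             "WWW-Authenticate: NTLM\r\n\r\n")
APP_401 = ("HTTP/1.1 401 Unauthorized\r\n"
           "Content-Type: text/xml\r\n\r\n"
           "<fault>invalid login</fault>")
OK_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<ok/>"


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" line
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def classify_401(raw):
    """Return 'not-401', 'http-auth:<schemes>' or 'application-level'."""
    status, headers = parse_response(raw)
    if status != 401:
        return "not-401"
    challenges = headers.get("www-authenticate", [])
    # The auth scheme is the first token of each challenge value.
    schemes = sorted({c.split(None, 1)[0].rstrip(",").lower()
                      for c in challenges if c})
    if schemes:
        return "http-auth:" + ",".join(schemes)
    # Assumption: no challenge header means the application itself rejected
    # credentials sent in the body, as in the login request described above.
    return "application-level"


if __name__ == "__main__":
    for name, raw in [("basic", BASIC_401), ("multi", MULTI_401),
                      ("app", APP_401), ("ok", OK_200)]:
        print(name, "->", classify_401(raw))
```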