Miroslav,
Thanks for the update and help; the --ignore-401 worked perfectly. Another
question: sqlmap does not appear to be able to parse the XML that I have as
data in the POST request. Can sqlmap parse XML as input today? Below is
the output of me running it, and it tries to chop out the XML tag.
======================= output ==============================
[C:\tools\sqlmap-bd16bb7\sqlmap-dev]python sqlmap.py -c sqlmap.conf --ignore-401
sqlmap/1.0-dev-2e96e3c - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:11:23
[15:11:23] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output directory
[15:11:23] [INFO] testing connection to the target URL
[15:11:23] [INFO] heuristics detected web page charset 'ascii'
[15:11:23] [WARNING] the web server responded with an HTTP error code (401) which could interfere with the results of the tests
[15:11:23] [INFO] testing if the target URL is stable. This can take a couple of seconds
[15:11:31] [INFO] target URL is stable
[15:11:31] [INFO] testing if POST parameter '<?xmlversion' is dynamic
[15:11:33] [INFO] confirming that POST parameter '<?xmlversion' is dynamic
[15:11:33] [INFO] POST parameter '<?xmlversion' is dynamic
[15:11:34] [WARNING] heuristic (basic) test shows that POST parameter '<?xmlversion' might not be injectable
[15:11:34] [INFO] testing for SQL injection on POST parameter '<?xmlversion'
[15:11:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:11:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:11:38] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:11:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:11:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:11:42] [INFO] testing 'MySQL inline queries'
[15:11:43] [INFO] testing 'PostgreSQL inline queries'
[15:11:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:11:43] [INFO] testing 'Oracle inline queries'
[15:11:43] [INFO] testing 'SQLite inline queries'
[15:11:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:11:44] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[15:11:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:11:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:11:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:11:52] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:11:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:11:55] [INFO] testing 'Oracle AND time-based blind'
[15:11:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:12:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:12:13] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[15:12:29] [WARNING] POST parameter '<?xmlversion' is not injectable
[15:12:29] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Please retry with the switch '--text-only' (along with --technique=BU) as this case looks like a perfect candidate (low textual content along with inability of comparison engine to detect at least one dynamic parameter). Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[15:12:29] [WARNING] HTTP error codes detected during run:
401 (Unauthorized) - 220 times
========================== end ===========================
Thanks for all your help.
On Tue, Apr 29, 2014 at 5:27 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Hi.
>
> Please update to the latest revision and try to run with (hidden) switch
> --ignore-401.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Tue, Apr 29, 2014 at 3:32 PM, Travis Altman <travisalt...@gmail.com> wrote:
>
>> I'm using the conf file to kick everything off. The only thing modified
>> in the conf is the URL and the data sent in the post request.
>>
>> ============================== Conf file ================================
>>
>> # Target URL.
>> # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
>> url = http://blah/login
>>
>> # Parse targets from Burp or WebScarab logs
>> # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
>> # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
>> # 'conversations/' folder path
>> logFile =
>>
>> # Scan multiple targets enlisted in a given textual file
>> bulkFile =
>>
>> # Load HTTP request from a file
>> # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
>> requestFile =
>>
>> # Rather than providing a target URL, let Google return target
>> # hosts as result of your Google dork expression. For a list of Google
>> # dorks see Johnny Long Google Hacking Database at
>> # http://johnny.ihackstuff.com/ghdb.php.
>> # Example: +ext:php +inurl:"&id=" +intext:"powered by "
>> googleDork =
>>
>>
>> # These options can be used to specify how to connect to the target URL.
>> [Request]
>>
>> # Data string to be sent through POST.
>> data = <?xml version="1.0" encoding="UTF-8"?><ns7:LoginInput sessionDiscriminator="blah" locale="en_US" role="" group="" password="monkey" username="monkey" xmlns:ns6="http://blah.com/Schemas/Core/2008-03/Session" xmlns:ns2="http://blah.com/Schemas/Soa/2006-03/Base" xmlns:ns5="http://blah.com/Schemas/Core/2007-12/Session" xmlns="http://blah.com/Schemas/Core/2006-03/Session" xmlns:ns8="http://blah.com/Schemas/Core/2009-04/Session" xmlns:ns3="http://blah.com/Schemas/Core/2007-01/Session" xmlns:ns7="http://blah.com/Schemas/Core/2008-06/Session" xmlns:ns4="http://blah.com/Schemas/Core/2007-06/Session" xmlns:ns10="http://blah.com/Schemas/Core/2012-02/Session" xmlns:ns9="http://blah.com/Schemas/Core/2010-04/Session"/>
>>
>> # Character used for splitting parameter values
>> paramDel =
>>
>> ================================== Command line output ===================================
>>
>> [C:\tools\sqlmap-bd16bb7]python sqlmap.py -c sqlmap.conf
>>
>> sqlmap/1.0-dev - automatic SQL injection and database takeover tool
>> http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 23:12:39
>>
>> [23:12:39] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output directory
>> [23:12:39] [INFO] testing connection to the target URL
>> [23:12:39] [INFO] heuristics detected web page charset 'ascii'
>> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)
>> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)
>> [23:12:39] [WARNING] HTTP error codes detected during run:
>> 401 (Unauthorized) - 1 times
>>
>> [*] shutting down at 23:12:39
>>
>>
>> [C:\tools\sqlmap-bd16bb7]
>>
>> ================================= End ===========================================
>>
>> Let me know if any more information is needed. Thanks for all the help.
>>
>>
>> On Tue, Apr 29, 2014 at 1:51 AM, Miroslav Stampar <
>> miroslav.stam...@gmail.com> wrote:
>>
>>> Can you please send sqlmap console log and used parameters?
>>> On Apr 28, 2014 10:42 PM, "Travis Altman" <travisalt...@gmail.com>
>>> wrote:
>>>
>>>> Wants me to provide the right HTTP authentication type but the
>>>> credentials are in the body of the POST request. I'm intentionally
>>>> providing bad credentials which does result in a "401 Unauthorized", not
>>>> sure if sqlmap is triggering off of that. Also the body of the request is
>>>> XML if that makes any difference. Any idea why this might be happening?
>>>>
>>>>
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sqlmap-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
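Why the log at the top of the thread names the POST parameter '<?xmlversion', as an added example (not part of the original thread and not sqlmap's code): a generic name=value splitter, assumed here as a model of the behaviour seen in the log, treats the whole XML body as one parameter, while an XML parser exposes each attribute value as a separate input. BODY is a constructed, trimmed copy of the request body quoted in the thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the body quoted in the thread (namespaces trimmed).
BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
        '<ns7:LoginInput sessionDiscriminator="blah" locale="en_US" role="" '
        'group="" password="monkey" username="monkey" '
        'xmlns:ns7="http://blah.com/Schemas/Core/2008-06/Session"/>')


def form_style_params(body, delimiter="&"):
    """Model of a generic name=value splitter (an assumption about the
    behaviour seen in the log, not sqlmap's code): cut each element at the
    first '=' and drop spaces from the name."""
    params = {}
    for element in body.split(delimiter):
        name, sep, value = element.partition("=")
        if sep:
            params[name.replace(" ", "")] = value
    return params


def xml_input_fields(body):
    """Walk the document and return every attribute and text node, i.e. the
    values the server-side handler receives as separate inputs."""
    root = ET.fromstring(body.encode("utf-8"))
    fields = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]      # strip '{namespace}' prefix
        for attr, value in elem.attrib.items():
            fields[f"{tag}/@{attr.rsplit('}', 1)[-1]}"] = value
        if elem.text and elem.text.strip():
            fields[f"{tag}/text()"] = elem.text.strip()
    return fields


if __name__ == "__main__":
    print("form-style view:", list(form_style_params(BODY)))
    for path, value in xml_input_fields(BODY).items():
        print(f"{path} = {value!r}")
```

The form-style view yields a single parameter whose name is the start of the XML declaration, which matches the name in the log; the username and password attributes never appear as parameters in that view.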