Hi.
Please update to the latest revision and retry it again.
Bye
On Wed, Apr 30, 2014 at 4:19 PM, Travis Altman <travisalt...@gmail.com>wrote:
> Miroslav,
>
> Thanks for the update and help, the --ignore-401 worked perfectly.
> Another question, sqlmap does not appear to be able to parse the XML that
> I have as data in the post request, can sqlmap parse XML as input today?
> Below is the output of me running it and it tries to chop out the xml tag.
>
> ======================= output ==============================
>
> [C:\tools\sqlmap-bd16bb7\sqlmap-dev]python sqlmap.py -c sqlmap.conf
> --ignore-401
>
>
> sqlmap/1.0-dev-2e96e3c - automatic SQL injection and database takeover
> tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual
> consent is illegal. It is the end user's responsibility to obey all
> applicable
> local, state and federal laws. Developers assume no liability and are not
> respon
> sible for any misuse or damage caused by this program
>
> [*] starting at 15:11:23
>
> [15:11:23] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the output
> direct
> ory
> [15:11:23] [INFO] testing connection to the target URL
> [15:11:23] [INFO] heuristics detected web page charset 'ascii'
> [15:11:23] [WARNING] the web server responded with an HTTP error code
> (401) whic
> h could interfere with the results of the tests
> [15:11:23] [INFO] testing if the target URL is stable. This can take a
> couple of
> seconds
> [15:11:31] [INFO] target URL is stable
> [15:11:31] [INFO] testing if POST parameter '<?xmlversion' is dynamic
> [15:11:33] [INFO] confirming that POST parameter '<?xmlversion' is dynamic
> [15:11:33] [INFO] POST parameter '<?xmlversion' is dynamic
> [15:11:34] [WARNING] heuristic (basic) test shows that POST parameter
> '<?xmlvers
> ion' might not be injectable
> [15:11:34] [INFO] testing for SQL injection on POST parameter
> '<?xmlversion'
> [15:11:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [15:11:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
> clause
> '
> [15:11:38] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING
> clause'
> [15:11:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
> WHERE o
> r HAVING clause'
> [15:11:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause
> (XMLT
> ype)'
> [15:11:42] [INFO] testing 'MySQL inline queries'
> [15:11:43] [INFO] testing 'PostgreSQL inline queries'
> [15:11:43] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
> [15:11:43] [INFO] testing 'Oracle inline queries'
> [15:11:43] [INFO] testing 'SQLite inline queries'
> [15:11:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> [15:11:44] [CRITICAL] there is considerable lagging in connection
> response(s). P
> lease use as high value for option '--time-sec' as possible (e.g. 10 or
> more)
> [15:11:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
> [15:11:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
> [15:11:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [15:11:52] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
> [15:11:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
> [15:11:55] [INFO] testing 'Oracle AND time-based blind'
> [15:11:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [15:12:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [15:12:13] [WARNING] using unescaped version of the test because of zero
> knowled
> ge of the back-end DBMS. You can try to explicitly set it using option
> '--dbms'
> [15:12:29] [WARNING] POST parameter '<?xmlversion' is not injectable
> [15:12:29] [CRITICAL] all tested parameters appear to be not injectable.
> Try to
> increase '--level'/'--risk' values to perform more tests. Please retry
> with the
> switch '--text-only' (along with --technique=BU) as this case looks like a
> perfe
> ct candidate (low textual content along with inability of comparison
> engine to d
> etect at least one dynamic parameter). Also, you can try to rerun by
> providing e
> ither a valid value for option '--string' (or '--regexp')
> [15:12:29] [WARNING] HTTP error codes detected during run:
> 401 (Unauthorized) - 220 times
>
> [*] shutting down at 15:12:29
>
>
> ========================== end ===========================
>
> Thanks for all your help.
>
>
> On Tue, Apr 29, 2014 at 5:27 PM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> Please update to the latest revision and try to run with (hidden) switch
>> --ignore-401.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>>
>> On Tue, Apr 29, 2014 at 3:32 PM, Travis Altman <travisalt...@gmail.com>wrote:
>>
>>> I'm using the conf file to kick everything off. The only thing modified
>>> in the conf is the URL and the data sent in the post request.
>>>
>>> ============================== Conf file
>>> ================================
>>>
>>> # Target URL.
>>> # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
>>> url = http://blah/login
>>>
>>> # Parse targets from Burp or WebScarab logs
>>> # Valid: Burp proxy (http://portswigger.net/suite/) requests log file
>>> path
>>> # or WebScarab proxy (
>>> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
>>> # 'conversations/' folder path
>>> logFile =
>>>
>>> # Scan multiple targets enlisted in a given textual file
>>> bulkFile =
>>>
>>> # Load HTTP request from a file
>>> # Example (file content): POST /login.jsp HTTP/1.1\nHost:
>>> example.com\nUser-Agent:
>>> Mozilla/4.0\n\nuserid=joe&password=guessme
>>> requestFile =
>>>
>>> # Rather than providing a target URL, let Google return target
>>> # hosts as result of your Google dork expression. For a list of Google
>>> # dorks see Johnny Long Google Hacking Database at
>>> # http://johnny.ihackstuff.com/ghdb.php.
>>> # Example: +ext:php +inurl:"&id=" +intext:"powered by "
>>> googleDork =
>>>
>>>
>>> # These options can be used to specify how to connect to the target URL.
>>> [Request]
>>>
>>> # Data string to be sent through POST.
>>> data = <?xml version="1.0" encoding="UTF-8"?><ns7:LoginInput
>>> sessionDiscriminator="blah" locale="en_US" role="" group=""
>>> password="monkey" username="monkey" xmlns:ns6="
>>> http://blah.com/Schemas/Core/2008-03/Session"; xmlns:ns2="
>>> http://blah.com/Schemas/Soa/2006-03/Base"; xmlns:ns5="
>>> http://blah.com/Schemas/Core/2007-12/Session"; xmlns="
>>> http://blah.com/Schemas/Core/2006-03/Session"; xmlns:ns8="
>>> http://blah.com/Schemas/Core/2009-04/Session"; xmlns:ns3="
>>> http://blah.com/Schemas/Core/2007-01/Session"; xmlns:ns7="
>>> http://blah.com/Schemas/Core/2008-06/Session"; xmlns:ns4="
>>> http://blah.com/Schemas/Core/2007-06/Session"; xmlns:ns10="
>>> http://blah.com/Schemas/Core/2012-02/Session"; xmlns:ns9="
>>> http://blah.com/Schemas/Core/2010-04/Session"/>
>>>
>>> # Character used for splitting parameter values
>>> paramDel =
>>>
>>> ================================== Command line output
>>> ===================================
>>>
>>> [C:\tools\sqlmap-bd16bb7]python sqlmap.py -c sqlmap.conf
>>>
>>> sqlmap/1.0-dev - automatic SQL injection and database takeover tool
>>> http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without
>>> prior mutual consent is illegal. It is the end user's responsibility to
>>> obey all applicable local, state and federal laws. Developers assume no
>>> liability and are not responsible for any misuse or damage caused by this
>>> program
>>>
>>> [*] starting at 23:12:39
>>>
>>> [23:12:39] [WARNING] using 'C:\Users\travis\.sqlmap\output' as the
>>> output directory
>>> [23:12:39] [INFO] testing connection to the target URL
>>> [23:12:39] [INFO] heuristics detected web page charset 'ascii'
>>> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP
>>> authentication type and valid credentials (401)
>>> [23:12:39] [CRITICAL] not authorized, try to provide right HTTP
>>> authentication type and valid credentials (401)
>>> [23:12:39] [WARNING] HTTP error codes detected during run:
>>> 401 (Unauthorized) - 1 times
>>>
>>> [*] shutting down at 23:12:39
>>>
>>>
>>> [C:\tools\sqlmap-bd16bb7]
>>>
>>> ================================= End
>>> ===========================================
>>>
>>> Let me know if anymore information is needed. Thanks for all the help.
>>>
>>>
>>> On Tue, Apr 29, 2014 at 1:51 AM, Miroslav Stampar <
>>> miroslav.stam...@gmail.com> wrote:
>>>
>>>> Can you please send sqlmap console log and used parameters?
>>>> On Apr 28, 2014 10:42 PM, "Travis Altman" <travisalt...@gmail.com>
>>>> wrote:
>>>>
>>>>> Wants me to provide the right http authentication type but the
>>>>> credentials are in the body of the post request. I'm intentionally
>>>>> providing bad credentials which does result in a "401 Unauthorized", not
>>>>> sure if sqlmap is triggering off of that. Also the body of the request is
>>>>> XML if that makes any difference. Any idea why this might be happening?
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>>>>> Instantly run your Selenium tests across 300+ browser/OS combos. Get
>>>>> unparalleled scalability from the best Selenium testing platform
>>>>> available.
>>>>> Simple to use. Nothing to install. Get started now for free."
>>>>> http://p.sf.net/sfu/SauceLabs
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sqlmap-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
