You should look in the logs of the web server and see what they say. I bet you need --tamper=between
Sent from a phone > On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote: > > Greetings, > I tried to verify Sqlmap's functionality by running it against Webgoat > version 6.0.1. You can try it your self by using following request file. > Just log in and replace cookie by valid one. > ###start request file > POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1 > Host: localhost:8080 > User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 > Firefox/41.0 > Accept: */* > Accept-Language: cs,en-US;q=0.7,en;q=0.3 > Accept-Encoding: gzip, deflate > Content-Type: application/x-www-form-urlencoded; charset=UTF-8 > X-Requested-With: XMLHttpRequest > Referer: http://localhost:8080/WebGoat/start.mvc > Content-Length: 29 > Cookie: JSESSIONID=replace > Connection: keep-alive > Pragma: no-cache > Cache-Control: no-cache > > account_number=101&SUBMIT=Go! > #end request file > I am running git master of Sqlmap. > Sqlmap detects SQL injection (boolean based blind Mysql), but no > information gathering commands work (--dbs, --current-user...). I tried > running with --hex or --no-cast, but no luck. > What might be the problem? > Thanks, > Vojta > > ------------------------------------------------------------------------------ > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users ------------------------------------------------------------------------------ _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
