> On Oct 8, 2015, at 3:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>
> Greetings,
> I am running Webgoat from standalone jar file, so I can't see any logs.
> I will try to see some logs from inside the application. Anyway, I
> didn't expect this application to contain any kind of filtering.
> I hope to show Sqlmap in action to some people from a large company and
> I wanted to use something simple, therefore I am quite surprised. I have
> never seen this situation - found injection but no possibility of
> exploitation.
> The between tamper script didn't help.
> Any suggestions are welcomed.

It is relatively common for sqlmap to detect a SQL injection, but then fail during data exfil because part of the syntax used in the data exfil payloads is transformed or blocked on the backend; < and > are very commonly transformed to &gt; or &lt; specifically, which is where the between tamper script is useful. There are a lot of tamper scripts, maybe it’s a space (space2comment), not the < or > characters. Try different techniques if available. I have no idea about the internals of webgoat.

> Thanks,
> Vojta
>
> On 8.10.2015 at 18:10, Brandon Perry wrote:
>> You should look in the logs of the web server and see what they say.
>>
>> I bet you need --tamper=between
>>
>> Sent from a phone
>>
>>> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>
>>> Greetings,
>>> I tried to verify Sqlmap's functionality by running it against Webgoat
>>> version 6.0.1. You can try it yourself by using the following request file.
>>> Just log in and replace the cookie with a valid one.
>>> ###start request file
>>> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>> Accept: */*
>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>> Content-Length: 29
>>> Cookie: JSESSIONID=replace
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>>
>>> account_number=101&SUBMIT=Go!
>>> #end request file
>>> I am running git master of Sqlmap.
>>> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>> information gathering commands work (--dbs, --current-user...). I tried
>>> running with --hex or --no-cast, but no luck.
>>> What might be the problem?
>>> Thanks,
>>> Vojta
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users