p.s. you can always use something like http://testphp.vulnweb.com/artists.php?artist=1 for a quick test/show off
On Fri, Oct 9, 2015 at 11:16 AM, Miroslav Stampar < miroslav.stam...@gmail.com> wrote: > Hi. > > Can you please send a used sqlmap command along with the basic info on > vulnerable environment (e.g. just a plain Webgoat, URL this and that)? > > Bye > > On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> > wrote: > >> Greetings, >> I am running Webgoat from standalone jar file, so I can't see any logs. >> I will try to see some logs from inside the application. Anyway, I >> didn't expect this application to contain any kind of filtering. >> I hope to show Sqlmap in action to some people from a large company and >> I wanted to use something simple, therefore I am quite surprised. I have >> never seen this situation - found injection but no possibility of >> exploitation. >> The between tamper script didn't help. >> Any suggestions are welcomed. >> Thanks, >> Vojta >> >> Dne 8.10.2015 v 18:10 Brandon Perry napsal(a): >> > You should look in the logs of the web server and see what they say. >> > >> > I bet you need --tamper=between >> > >> > Sent from a phone >> > >> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> >> wrote: >> >> >> >> Greetings, >> >> I tried to verify Sqlmap's functionality by running it against Webgoat >> >> version 6.0.1. You can try it your self by using following request >> file. >> >> Just log in and replace cookie by valid one. >> >> ###start request file >> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1 >> >> Host: localhost:8080 >> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 >> >> Firefox/41.0 >> >> Accept: */* >> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3 >> >> Accept-Encoding: gzip, deflate >> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 >> >> X-Requested-With: XMLHttpRequest >> >> Referer: http://localhost:8080/WebGoat/start.mvc >> >> Content-Length: 29 >> >> Cookie: JSESSIONID=replace >> >> Connection: keep-alive >> >> Pragma: no-cache >> >> Cache-Control: no-cache >> >> >> >> account_number=101&SUBMIT=Go! >> >> #end request file >> >> I am running git master of Sqlmap. >> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no >> >> information gathering commands work (--dbs, --current-user...). I tried >> >> running with --hex or --no-cast, but no luck. >> >> What might be the problem? >> >> Thanks, >> >> Vojta >> >> >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> >> sqlmap-users mailing list >> >> sqlmap-users@lists.sourceforge.net >> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> sqlmap-users mailing list >> sqlmap-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Miroslav Stampar > http://about.me/stamparm > -- Miroslav Stampar http://about.me/stamparm
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
