Hi, You can download Webgoat here: https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar Just run java- jar WebGoat-6.0.1-war-exec.jar And you can login at localhost:8080/WebGoat with name webgoat and password webgoat The request file posted earlier is from Blind numeric SQL injection lesson. Application is written in Java and runs on embedded Tomcat 7 server. I am using this command, where "request" is request file posted earlier and valid_cookie is simply valid cookie. python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie' -v3 As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success. I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of commercial application which is based on similar technologies. Thank you, Vojta
Dne 9.10.2015 v 11:16 Miroslav Stampar napsal(a): > Hi. > > Can you please send a used sqlmap command along with the basic info on > vulnerable environment (e.g. just a plain Webgoat, URL this and that)? > > Bye > > On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com > <mailto:krec...@gmail.com>> wrote: > > Greetings, > I am running Webgoat from standalone jar file, so I can't see any > logs. > I will try to see some logs from inside the application. Anyway, I > didn't expect this application to contain any kind of filtering. > I hope to show Sqlmap in action to some people from a large > company and > I wanted to use something simple, therefore I am quite surprised. > I have > never seen this situation - found injection but no possibility of > exploitation. > The between tamper script didn't help. > Any suggestions are welcomed. > Thanks, > Vojta > > Dne 8.10.2015 v 18:10 Brandon Perry napsal(a): > > You should look in the logs of the web server and see what they say. > > > > I bet you need --tamper=between > > > > Sent from a phone > > > >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com > <mailto:krec...@gmail.com>> wrote: > >> > >> Greetings, > >> I tried to verify Sqlmap's functionality by running it against > Webgoat > >> version 6.0.1. You can try it your self by using following > request file. > >> Just log in and replace cookie by valid one. > >> ###start request file > >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1 > >> Host: localhost:8080 > >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 > >> Firefox/41.0 > >> Accept: */* > >> Accept-Language: cs,en-US;q=0.7,en;q=0.3 > >> Accept-Encoding: gzip, deflate > >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 > >> X-Requested-With: XMLHttpRequest > >> Referer: http://localhost:8080/WebGoat/start.mvc > >> Content-Length: 29 > >> Cookie: JSESSIONID=replace > >> Connection: keep-alive > >> Pragma: no-cache > >> Cache-Control: no-cache > >> > >> account_number=101&SUBMIT=Go! > >> #end request file > >> I am running git master of Sqlmap. > >> Sqlmap detects SQL injection (boolean based blind Mysql), but no > >> information gathering commands work (--dbs, --current-user...). > I tried > >> running with --hex or --no-cast, but no luck. > >> What might be the problem? > >> Thanks, > >> Vojta > >> > >> > > ------------------------------------------------------------------------------ > >> _______________________________________________ > >> sqlmap-users mailing list > >> sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > ------------------------------------------------------------------------------ > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > Miroslav Stampar > http://about.me/stamparm
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
