Fixed tons of bugs and pushed. Please retry it again. Bye
On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:

> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
> right now.
>
> Bye
>
> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Hi again.
>>
>> Please update to the latest revision and retry it again (with
>> --flush-session).
>>
>> Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL
>> (because HSQLDB is MySQL look-alike)
>>
>> Bye
>>
>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>
>>> Hi,
>>> You can download Webgoat here:
>>>
>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>> And you can login at localhost:8080/WebGoat with name webgoat and
>>> password webgoat
>>> The request file posted earlier is from Blind numeric SQL injection
>>> lesson.
>>> Application is written in Java and runs on embedded Tomcat 7 server.
>>> I am using this command, where "request" is request file posted earlier
>>> and valid_cookie is simply valid cookie.
>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit
>>> it, I tried almost all tamper scripts, even some combinations, but no
>>> success.
>>> I wanted to show exploitation of Webgoat, because I would like to use
>>> Sqlmap for testing of commercial application which is based on similar
>>> technologies.
>>> Thank you,
>>> Vojta
>>>
>>>
>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>
>>> Hi.
>>>
>>> Can you please send a used sqlmap command along with the basic info on
>>> vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>
>>> Bye
>>>
>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>
>>>> Greetings,
>>>> I am running Webgoat from standalone jar file, so I can't see any logs.
>>>> I will try to see some logs from inside the application. Anyway, I
>>>> didn't expect this application to contain any kind of filtering.
>>>> I hope to show Sqlmap in action to some people from a large company and
>>>> I wanted to use something simple, therefore I am quite surprised. I have
>>>> never seen this situation - found injection but no possibility of
>>>> exploitation.
>>>> The between tamper script didn't help.
>>>> Any suggestions are welcomed.
>>>> Thanks,
>>>> Vojta
>>>>
>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>> > You should look in the logs of the web server and see what they say.
>>>> >
>>>> > I bet you need --tamper=between
>>>> >
>>>> > Sent from a phone
>>>> >
>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>> >>
>>>> >> Greetings,
>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>> >> version 6.0.1. You can try it yourself by using following request file.
>>>> >> Just log in and replace cookie by valid one.
>>>> >> ###start request file
>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>> >> Host: localhost:8080
>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>> >> Accept: */*
>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>> >> Accept-Encoding: gzip, deflate
>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> >> X-Requested-With: XMLHttpRequest
>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>> >> Content-Length: 29
>>>> >> Cookie: JSESSIONID=replace
>>>> >> Connection: keep-alive
>>>> >> Pragma: no-cache
>>>> >> Cache-Control: no-cache
>>>> >>
>>>> >> account_number=101&SUBMIT=Go!
>>>> >> #end request file
>>>> >> I am running git master of Sqlmap.
>>>> >> Sqlmap detects SQL injection (boolean based blind MySQL), but no
>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>> >> running with --hex or --no-cast, but no luck.
>>>> >> What might be the problem?
>>>> >> Thanks,
>>>> >> Vojta
>>>> >>
>>>> >> ------------------------------------------------------------------------------
>>>> >> _______________________________________________
>>>> >> sqlmap-users mailing list
>>>> >> sqlmap-users@lists.sourceforge.net
>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm