Greetings,
thanks for your prompt response. Unfortunately, it is still not working as expected. There is a problem with retrieving the current user and information from the HSQL database in general.
Moreover, when using the following request file from the same application, Sqlmap identified the backend database as PostgreSQL instead of HSQL. This request is from the lesson about simple string SQL injection.

#begin request file
POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: */*
Accept-Language: cs,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Length: 29
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Cookie: JSESSIONID=valid_cookie

account_name=Smith&SUBMIT=Go!
#end request

Feel free to ask me for more debugging information, I will be glad to help you.
Thanks for your work,
Vojta

On 9.10.2015 at 16:52, Miroslav Stampar wrote:
> Fixed tons of bugs and pushed. Please retry it again.
>
> Bye
>
> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>
> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On
> it right now.
>
> Bye
>
> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>
> Hi again.
>
> Please update to the latest revision and retry it again (with
> --flush-session).
>
> Backend used is HSQLDB while the sqlmap wrongly recognized it
> as MySQL (because HSQLDB is MySQL look-alike)
>
> Bye
>
> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
> <krec...@gmail.com> wrote:
>
> Hi,
> You can download Webgoat here:
>
> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
> Just run java -jar WebGoat-6.0.1-war-exec.jar
> And you can log in at localhost:8080/WebGoat with name
> webgoat and password webgoat
> The request file posted earlier is from the Blind numeric SQL
> injection lesson.
> The application is written in Java and runs on an embedded Tomcat
> 7 server.
> I am using this command, where "request" is the request file
> posted earlier and valid_cookie is simply a valid cookie.
> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
> As I stated earlier, sqlmap finds the vulnerability but
> can't exploit it. I tried almost all tamper scripts, even
> some combinations, but no success.
> I wanted to show exploitation of Webgoat, because I would
> like to use Sqlmap for testing of a commercial application
> which is based on similar technologies.
> Thank you,
> Vojta
>
> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>> Hi.
>>
>> Can you please send a used sqlmap command along with the
>> basic info on vulnerable environment (e.g. just a plain
>> Webgoat, URL this and that)?
>>
>> Bye
>>
>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek
>> <krec...@gmail.com> wrote:
>>
>> Greetings,
>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>> I will try to see some logs from inside the application. Anyway, I
>> didn't expect this application to contain any kind of filtering.
>> I hope to show Sqlmap in action to some people from a large company and
>> I wanted to use something simple, therefore I am quite surprised. I have
>> never seen this situation - found injection but no possibility of
>> exploitation.
>> The between tamper script didn't help.
>> Any suggestions are welcomed.
>> Thanks,
>> Vojta
>>
>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>> > You should look in the logs of the web server and see what they say.
>> >
>> > I bet you need --tamper=between
>> >
>> > Sent from a phone
>> >
>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>> >>
>> >> Greetings,
>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>> >> version 6.0.1. You can try it yourself by using the following request file.
>> >> Just log in and replace the cookie with a valid one.
>> >> ###start request file
>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>> >> Host: localhost:8080
>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>> >> Accept: */*
>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>> >> Accept-Encoding: gzip, deflate
>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> >> X-Requested-With: XMLHttpRequest
>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>> >> Content-Length: 29
>> >> Cookie: JSESSIONID=replace
>> >> Connection: keep-alive
>> >> Pragma: no-cache
>> >> Cache-Control: no-cache
>> >>
>> >> account_number=101&SUBMIT=Go!
>> >> #end request file
>> >> I am running git master of Sqlmap.
>> >> Sqlmap detects SQL injection (boolean based blind MySQL), but no
>> >> information gathering commands work (--dbs, --current-user...). I tried
>> >> running with --hex or --no-cast, but no luck.
>> >> What might be the problem?
>> >> Thanks,
>> >> Vojta
>> >>
>> >> ------------------------------------------------------------------------------
>> >> _______________________________________________
>> >> sqlmap-users mailing list
>> >> sqlmap-users@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm