I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session

Bye

On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:

> Greetings,
> thanks for your prompt response.
> Unfortunately, it is still not working as expected.
> There is a problem with retrieving the current user and information from the
> HSQL database in general.
> Moreover, when using the following request file from the same application,
> Sqlmap identified the backend database as Postgresql instead of HSQL.
> This request is from the lesson about simple string SQL injection
> #begin request file
> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
> Accept: */*
> Accept-Language: cs,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: http://localhost:8080/WebGoat/start.mvc
> Content-Length: 29
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> Cookie: JSESSIONID=valid_cookie
>
> account_name=Smith&SUBMIT=Go!
> #end request
> Feel free to ask me for more debugging information, I will be glad to help
> you.
> Thanks for your work,
> Vojta
> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>
> Fixed tons of bugs and pushed. Please retry it again.
>
> Bye
>
> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
>> right now.
>>
>> Bye
>>
>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>
>>> Hi again.
>>>
>>> Please update to the latest revision and retry it again (with
>>> --flush-session).
>>>
>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as MySQL
>>> (because HSQLDB is MySQL look-alike)
>>>
>>> Bye
>>>
>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>
>>>> Hi,
>>>> You can download Webgoat here:
>>>>
>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>> And you can log in at localhost:8080/WebGoat with name webgoat and
>>>> password webgoat
>>>> The request file posted earlier is from the Blind numeric SQL injection
>>>> lesson.
>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>> I am using this command, where "request" is the request file posted earlier
>>>> and valid_cookie is simply a valid cookie.
>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit
>>>> it, I tried almost all tamper scripts, even some combinations, but no
>>>> success.
>>>> I wanted to show exploitation of Webgoat, because I would like to use
>>>> Sqlmap for testing of a commercial application which is based on similar
>>>> technologies.
>>>> Thank you,
>>>> Vojta
>>>>
>>>>
>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>
>>>> Hi.
>>>>
>>>> Can you please send a used sqlmap command along with the basic info on
>>>> vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>
>>>> Bye
>>>>
>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>
>>>>> Greetings,
>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>> didn't expect this application to contain any kind of filtering.
>>>>> I hope to show Sqlmap in action to some people from a large company and
>>>>> I wanted to use something simple, therefore I am quite surprised. I have
>>>>> never seen this situation - found injection but no possibility of
>>>>> exploitation.
>>>>> The between tamper script didn't help.
>>>>> Any suggestions are welcomed.
>>>>> Thanks,
>>>>> Vojta
>>>>>
>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>> > You should look in the logs of the web server and see what they say.
>>>>> >
>>>>> > I bet you need --tamper=between
>>>>> >
>>>>> > Sent from a phone
>>>>> >
>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>> >>
>>>>> >> Greetings,
>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>> >> version 6.0.1. You can try it yourself by using the following request file.
>>>>> >> Just log in and replace the cookie with a valid one.
>>>>> >> ###start request file
>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>> >> Host: localhost:8080
>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>> >> Accept: */*
>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>> >> Accept-Encoding: gzip, deflate
>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>> >> X-Requested-With: XMLHttpRequest
>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>> >> Content-Length: 29
>>>>> >> Cookie: JSESSIONID=replace
>>>>> >> Connection: keep-alive
>>>>> >> Pragma: no-cache
>>>>> >> Cache-Control: no-cache
>>>>> >>
>>>>> >> account_number=101&SUBMIT=Go!
>>>>> >> #end request file
>>>>> >> I am running git master of Sqlmap.
>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>>> >> running with --hex or --no-cast, but no luck.
>>>>> >> What might be the problem?
>>>>> >> Thanks,
>>>>> >> Vojta
>>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users