Hello,
Here is some debugging information.
This is the output of Sqlmap running, exploiting and trying to get the current db user:
http://cloud.vojtapolasek.eu/index.php/s/cCBLy5MGR46pXOe
And this is the traffic file:
http://cloud.vojtapolasek.eu/index.php/s/jheCneiJfxzrLGV
I used:
sqlmap -r request --level=5 --risk=3 -o -v3 --cookie="JSESSIONID=valid_cookie" --current-user
I deleted the whole output directory for localhost before.
I hope it helps,
Vojta

On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>
> I've used that same request file without any problems (with latest
> patches/revision). Will retest tomorrow. Please retry everything with
> --flush-session
>
> Bye
>
> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>
> Greetings,
> thanks for your prompt response.
> Unfortunately, it is still not working as expected.
> There is a problem with retrieving the current user and information
> from the HSQL database in general.
> Moreover, when using the following request file from the same
> application, Sqlmap identified the backend database as Postgresql
> instead of HSQL.
> This request is from the lesson about simple string SQL injection
> #begin request file
> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
> Host: localhost:8080
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
> Accept: */*
> Accept-Language: cs,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: http://localhost:8080/WebGoat/start.mvc
> Content-Length: 29
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> Cookie: JSESSIONID=valid_cookie
>
> account_name=Smith&SUBMIT=Go!
> #end request
> Feel free to ask me for more debugging information, I will be glad
> to help you.
> Thanks for your work,
> Vojta
>
> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>> Fixed tons of bugs and pushed. Please retry it again.
>>
>> Bye
>>
>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>
>> Please wait a bit. There are tons of bugs for HSQLDB in
>> sqlmap. On it right now.
>>
>> Bye
>>
>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>
>> Hi again.
>>
>> Please update to the latest revision and retry it again
>> (with --flush-session).
>>
>> Backend used is HSQLDB while the sqlmap wrongly
>> recognized it as MySQL (because HSQLDB is MySQL look-alike)
>>
>> Bye
>>
>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
>> <krec...@gmail.com> wrote:
>>
>> Hi,
>> You can download Webgoat here:
>>
>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>> And you can log in at localhost:8080/WebGoat with name
>> webgoat and password webgoat
>> The request file posted earlier is from the Blind numeric
>> SQL injection lesson.
>> The application is written in Java and runs on an embedded
>> Tomcat 7 server.
>> I am using this command, where "request" is the request
>> file posted earlier and valid_cookie is simply a valid
>> cookie.
>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>> As I stated earlier, sqlmap finds the vulnerability
>> but can't exploit it, I tried almost all tamper
>> scripts, even some combinations, but no success.
>> I wanted to show exploitation of Webgoat, because I
>> would like to use Sqlmap for testing of a commercial
>> application which is based on similar technologies.
>> Thank you,
>> Vojta
>>
>>
>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>> Hi.
>>>
>>> Can you please send a used sqlmap command along with
>>> the basic info on vulnerable environment (e.g. just
>>> a plain Webgoat, URL this and that)?
>>>
>>> Bye
>>>
>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek
>>> <krec...@gmail.com> wrote:
>>>
>>> Greetings,
>>> I am running Webgoat from a standalone jar file,
>>> so I can't see any logs.
>>> I will try to see some logs from inside the
>>> application. Anyway, I
>>> didn't expect this application to contain any
>>> kind of filtering.
>>>
>>> I hope to show Sqlmap in action to some people
>>> from a large company and
>>> I wanted to use something simple, therefore I am
>>> quite surprised. I have
>>> never seen this situation - found injection but
>>> no possibility of
>>> exploitation.
>>> The between tamper script didn't help.
>>> Any suggestions are welcomed.
>>> Thanks,
>>> Vojta
>>>
>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>> > You should look in the logs of the web server
>>> > and see what they say.
>>> >
>>> > I bet you need --tamper=between
>>> >
>>> > Sent from a phone
>>> >
>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek
>>> >> <krec...@gmail.com> wrote:
>>> >>
>>> >> Greetings,
>>> >> I tried to verify Sqlmap's functionality by
>>> >> running it against Webgoat
>>> >> version 6.0.1. You can try it yourself by
>>> >> using the following request file.
>>> >> Just log in and replace the cookie with a valid one.
>>> >> ###start request file
>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>> >> Host: localhost:8080
>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>> >> Accept: */*
>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> >> Accept-Encoding: gzip, deflate
>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> >> X-Requested-With: XMLHttpRequest
>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>> >> Content-Length: 29
>>> >> Cookie: JSESSIONID=replace
>>> >> Connection: keep-alive
>>> >> Pragma: no-cache
>>> >> Cache-Control: no-cache
>>> >>
>>> >> account_number=101&SUBMIT=Go!
>>> >> #end request file
>>> >> I am running git master of Sqlmap.
>>> >> Sqlmap detects SQL injection (boolean based
>>> >> blind Mysql), but no
>>> >> information gathering commands work (--dbs,
>>> >> --current-user...). I tried
>>> >> running with --hex or --no-cast, but no luck.
>>> >> What might be the problem?
>>> >> Thanks,
>>> >> Vojta
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users