Hi. There is still more work here to be done. Will let you know. I am going to try to finish it today.
Bye

On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com> wrote:

> Greetings,
> I still have problems exploiting HSQL databases. current-user is still
> returning garbled characters etc.
> Is it still working for you?
> Thanks,
> Vojta
>
> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>
> I've used that same request file without any problems (with latest
> patches/revision). Will retest tomorrow. Please retry everything with
> --flush-session
>
> Bye
> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>
>> Greetings,
>> thanks for your prompt response.
>> Unfortunately, it is still not working as expected.
>> There is a problem with retrieving the current user and information from
>> the HSQL database in general.
>> Moreover, when using the following request file from the same application,
>> Sqlmap identified the backend database as Postgresql instead of HSQL.
>> This request is from the lesson about simple string SQL injection
>> #begin request file
>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>> Host: localhost:8080
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>> Accept: */*
>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>> Accept-Encoding: gzip, deflate
>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>> X-Requested-With: XMLHttpRequest
>> Referer: http://localhost:8080/WebGoat/start.mvc
>> Content-Length: 29
>> Connection: keep-alive
>> Pragma: no-cache
>> Cache-Control: no-cache
>> Cookie: JSESSIONID=valid_cookie
>>
>> account_name=Smith&SUBMIT=Go!
>> #end request
>> Feel free to ask me for more debugging information, I will be glad to
>> help you.
>> Thanks for your work,
>> Vojta
>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>
>> Fixed tons of bugs and pushed. Please retry it again.
>>
>> Bye
>>
>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>
>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
>>> right now.
>>>
>>> Bye
>>>
>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
>>> <miroslav.stam...@gmail.com> wrote:
>>>
>>>> Hi again.
>>>>
>>>> Please update to the latest revision and retry it again (with
>>>> --flush-session).
>>>>
>>>> The backend used is HSQLDB, while sqlmap wrongly recognized it as MySQL
>>>> (because HSQLDB is a MySQL look-alike)
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
>>>> <krec...@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>> You can download Webgoat here:
>>>>>
>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and
>>>>> password webgoat
>>>>> The request file posted earlier is from the Blind numeric SQL injection
>>>>> lesson.
>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>> I am using this command, where "request" is the request file posted
>>>>> earlier and valid_cookie is simply a valid cookie.
>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o
>>>>> --cookie="JSESSIONID=valid_cookie" -v3
>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit
>>>>> it, I tried almost all tamper scripts, even some combinations, but no
>>>>> success.
>>>>> I wanted to show exploitation of Webgoat, because I would like to use
>>>>> Sqlmap for testing of a commercial application which is based on similar
>>>>> technologies.
>>>>> Thank you,
>>>>> Vojta
>>>>>
>>>>>
>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>> Can you please send a used sqlmap command along with the basic info on
>>>>> vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>
>>>>> Bye
>>>>>
>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek
>>>>> <krec...@gmail.com> wrote:
>>>>>
>>>>>> Greetings,
>>>>>> I am running Webgoat from a standalone jar file, so I can't see any
>>>>>> logs.
>>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>>> didn't expect this application to contain any kind of filtering.
>>>>>> I hope to show Sqlmap in action to some people from a large company
>>>>>> and I wanted to use something simple, therefore I am quite surprised.
>>>>>> I have never seen this situation - found injection but no possibility
>>>>>> of exploitation.
>>>>>> The between tamper script didn't help.
>>>>>> Any suggestions are welcome.
>>>>>> Thanks,
>>>>>> Vojta
>>>>>>
>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>> >
>>>>>> > I bet you need --tamper=between
>>>>>> >
>>>>>> > Sent from a phone
>>>>>> >
>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>> >>
>>>>>> >> Greetings,
>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>>> >> version 6.0.1. You can try it yourself by using the following request file.
>>>>>> >> Just log in and replace the cookie with a valid one.
>>>>>> >> ###start request file
>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>> >> Host: localhost:8080
>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>> >> Accept: */*
>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>> >> Content-Length: 29
>>>>>> >> Cookie: JSESSIONID=replace
>>>>>> >> Connection: keep-alive
>>>>>> >> Pragma: no-cache
>>>>>> >> Cache-Control: no-cache
>>>>>> >>
>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>> >> #end request file
>>>>>> >> I am running git master of Sqlmap.
>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>>>> >> running with --hex or --no-cast, but no luck.
>>>>>> >> What might be the problem?
>>>>>> >> Thanks,
>>>>>> >> Vojta
>>>>>> >>
>>>>>> >> ------------------------------------------------------------------------------
>>>>>> >> _______________________________________________
>>>>>> >> sqlmap-users mailing list
>>>>>> >> sqlmap-users@lists.sourceforge.net
>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>

--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users