Thank you very much,
this sounds great. I will be able to show this Sqlmap feature and that's
good.
I will try it as soon as possible.
Vojta


On 13.10.2015 at 13:07, Miroslav Stampar wrote:
> Hi.
>
> There has been a lot of work here. Please update to the latest revision
> and retry it again.
>
> One word of advice regarding WebGoat. It has a bad routine that
> automatically closes the SQLi after it finds certain keywords in
> requests. Basically, afterwards it just says "* Congratulations. You
> have successfully completed this lesson." and prevents further
> injection. Hence, you'll need to use --safe-url and --safe-freq to
> reset those. Please find details further in pastebin links.
>
> Here you can find a couple of different runs:
>
> --technique=B
> http://pastebin.com/04z2x00S
>
> (no technique constraints)
> http://pastebin.com/UhGQLyTp
>
> Bye
>
> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>
>     Hi.
>
>     There is still more work here to be done. Will let you know. I am
>     going to try to finish it today.
>
>     Bye
>
>     On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek
>     <krec...@gmail.com> wrote:
>
>         Greetings,
>         I still have problems exploiting HSQL databases. current-user
>         is still returning garbled characters etc.
>         Is it still working for you?
>         Thanks,
>         Vojta
>
>         On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>
>>         I've used that same request file without any problems (with
>>         latest patches/revision). Will retest tomorrow. Please retry
>>         everything with --flush-session
>>
>>         Bye
>>
>>         On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com>
>>         wrote:
>>
>>             Greetings,
>>             thanks for your prompt response.
>>             Unfortunately, it is still not working as expected.
>>             There is a problem with retrieving the current user and
>>             information from the HSQL database in general.
>>             Moreover, when using the following request file from the same
>>             application, Sqlmap identified the backend database as
>>             PostgreSQL instead of HSQL.
>>             This request is from lesson about simple string SQL injection
>>             #begin request file
>>             POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>             Host: localhost:8080
>>             User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>             Accept: */*
>>             Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>             Accept-Encoding: gzip, deflate
>>             Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>             X-Requested-With: XMLHttpRequest
>>             Referer: http://localhost:8080/WebGoat/start.mvc
>>             Content-Length: 29
>>             Connection: keep-alive
>>             Pragma: no-cache
>>             Cache-Control: no-cache
>>             Cookie: JSESSIONID=valid_cookie
>>
>>             account_name=Smith&SUBMIT=Go!
>>             #end request
>>             Feel free to ask me for more debugging information, I
>>             will be glad to help you.
>>             Thanks for your work,
>>             Vojta
>>             On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>             Fixed tons of bugs and pushed. Please retry it again.
>>>
>>>             Bye
>>>
>>>             On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
>>>             <miroslav.stam...@gmail.com> wrote:
>>>
>>>                 Please wait a bit. There are tons of bugs for HSQLDB
>>>                 in sqlmap. On it right now.
>>>
>>>                 Bye
>>>
>>>                 On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
>>>                 <miroslav.stam...@gmail.com> wrote:
>>>
>>>                     Hi again.
>>>
>>>                     Please update to the latest revision and retry
>>>                     it again (with --flush-session).
>>>
>>>                     Backend used is HSQLDB while the sqlmap wrongly
>>>                     recognized it as MySQL (because HSQLDB is MySQL
>>>                     look-alike)
>>>
>>>                     Bye
>>>
>>>                     On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
>>>                     <krec...@gmail.com> wrote:
>>>
>>>                         Hi,
>>>                         You can download Webgoat here:
>>>                         https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>                         Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>                         And you can log in at localhost:8080/WebGoat
>>>                         with name webgoat and password webgoat
>>>                         The request file posted earlier is from
>>>                         Blind numeric SQL injection lesson.
>>>                         Application is written in Java and runs on
>>>                         embedded Tomcat 7 server.
>>>                         I am using this command, where "request" is
>>>                         the request file posted earlier and valid_cookie
>>>                         is simply a valid cookie.
>>>                         python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>                         As I stated earlier, sqlmap finds the
>>>                         vulnerability but can't exploit it, I tried
>>>                         almost all tamper scripts, even some
>>>                         combinations, but no success.
>>>                         I wanted to show exploitation of Webgoat,
>>>                         because I would like to use Sqlmap for
>>>                         testing of commercial application which is
>>>                         based on similar technologies.
>>>                         Thank you,
>>>                         Vojta
>>>
>>>
>>>                         On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>                         Hi.
>>>>
>>>>                         Can you please send a used sqlmap command
>>>>                         along with the basic info on vulnerable
>>>>                         environment (e.g. just a plain Webgoat, URL
>>>>                         this and that)?
>>>>
>>>>                         Bye
>>>>
>>>>                         On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch
>>>>                         Polášek <krec...@gmail.com> wrote:
>>>>
>>>>                             Greetings,
>>>>                             I am running Webgoat from standalone
>>>>                             jar file, so I can't see any logs.
>>>>                             I will try to see some logs from inside
>>>>                             the application. Anyway, I
>>>>                             didn't expect this application to
>>>>                             contain any kind of filtering.
>>>>                             I hope to show Sqlmap in action to some
>>>>                             people from a large company and
>>>>                             I wanted to use something simple,
>>>>                             therefore I am quite surprised. I have
>>>>                             never seen this situation - found
>>>>                             injection but no possibility of
>>>>                             exploitation.
>>>>                             The between tamper script didn't help.
>>>>                             Any suggestions are welcomed.
>>>>                             Thanks,
>>>>                             Vojta
>>>>
>>>>                             On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>                             > You should look in the logs of the web server and see what they say.
>>>>                             >
>>>>                             > I bet you need --tamper=between
>>>>                             >
>>>>                             > Sent from a phone
>>>>                             >
>>>>                             >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>                             >>
>>>>                             >> Greetings,
>>>>                             >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>                             >> version 6.0.1. You can try it yourself by using the following request file.
>>>>                             >> Just log in and replace the cookie with a valid one.
>>>>                             >> ###start request file
>>>>                             >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>                             >> Host: localhost:8080
>>>>                             >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>                             >> Accept: */*
>>>>                             >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>                             >> Accept-Encoding: gzip, deflate
>>>>                             >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>                             >> X-Requested-With: XMLHttpRequest
>>>>                             >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>                             >> Content-Length: 29
>>>>                             >> Cookie: JSESSIONID=replace
>>>>                             >> Connection: keep-alive
>>>>                             >> Pragma: no-cache
>>>>                             >> Cache-Control: no-cache
>>>>                             >>
>>>>                             >> account_number=101&SUBMIT=Go!
>>>>                             >> #end request file
>>>>                             >> I am running git master of Sqlmap.
>>>>                             >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>                             >> information gathering commands work (--dbs, --current-user...). I tried
>>>>                             >> running with --hex or --no-cast, but no luck.
>>>>                             >> What might be the problem?
>>>>                             >> Thanks,
>>>>                             >> Vojta
>>>>                             >>
>>>>                             
>>>> ------------------------------------------------------------------------------
>>>>                             >>
>>>>                             _______________________________________________
>>>>                             >> sqlmap-users mailing list
>>>>                             >> sqlmap-users@lists.sourceforge.net
>>>>                             <mailto:sqlmap-users@lists.sourceforge.net>
>>>>                             >>
>>>>                             
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                         -- 
>>>>                         Miroslav Stampar
>>>>                         http://about.me/stamparm
>>>
>>>
>>>
>>>
>>>
>>>
>>>                     -- 
>>>                     Miroslav Stampar
>>>                     http://about.me/stamparm
>>>
>>>
>>>
>>>
>>>                 -- 
>>>                 Miroslav Stampar
>>>                 http://about.me/stamparm
>>>
>>>
>>>
>>>
>>>             -- 
>>>             Miroslav Stampar
>>>             http://about.me/stamparm
>>
>>
>>
>
>
>
>
>
>
>     -- 
>     Miroslav Stampar
>     http://about.me/stamparm
>
>
>
>
> -- 
> Miroslav Stampar
> http://about.me/stamparm
