Yup. The master branch is a good branch. And you are having difficulties even if you use a --flush-session along with switches/options I've used?
This is strange. I've run this numerous times in the last few days. Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?

Bye

On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <krec...@gmail.com> wrote:

> Greetings,
> now it works but...
> I don't know what I am doing wrong, but it takes a very looong time for
> Sqlmap to finish this run. In your output, it takes several seconds, for me
> it takes almost an hour to get this done.
> Also I found out that if I try to use --keep-alive, it is much faster, it
> takes about a minute, but it again returns garbled characters. No other
> optimization switches improve the speed.
> I am using the same arguments as you, but from enumeration arguments I am
> using just --current-user, no --dump, --dbs etc.
> Just to be sure, I am pulling from Master branch, is this correct?
> Thank you very much for your effort,
> Vojtěch Polášek
>
> On 13.10.2015 at 13:07, Miroslav Stampar wrote:
>
> Hi.
>
> There has been a lot of work here. Please update to the latest revision and
> retry it again.
>
> One word of advice regarding WebGoat. It has a bad routine that
> automatically closes the SQLi after it finds certain keywords in requests.
> Basically, afterwards it just says "* Congratulations. You have
> successfully completed this lesson." and prevents further injection. Hence,
> you'll need to use --safe-url and --safe-freq to reset those. Please find
> details further in pastebin links.
>
> Here you can find a couple of different runs:
>
> --technique=B
> http://pastebin.com/04z2x00S
>
> (no technique constraints)
> http://pastebin.com/UhGQLyTp
>
> Bye
>
> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> There is still more work here to be done. Will let you know. I am going
>> to try to finish it today.
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>
>>> Greetings,
>>> I still have problems exploiting HSQL databases. current-user is still
>>> returning garbled characters etc.
>>> Is it still working for you?
>>> Thanks,
>>> Vojta
>>>
>>> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>>
>>> I've used that same request file without any problems (with latest
>>> patches/revision). Will retest tomorrow. Please retry everything with
>>> --flush-session
>>>
>>> Bye
>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>>
>>>> Greetings,
>>>> thanks for your prompt response.
>>>> Unfortunately, it is still not working as expected.
>>>> There is a problem with retrieving the current user and information from
>>>> the HSQL database in general.
>>>> Moreover, when using the following request file from the same application,
>>>> Sqlmap identified the backend database as Postgresql instead of HSQL.
>>>> This request is from the lesson about simple string SQL injection
>>>> #begin request file
>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>> Accept: */*
>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>> Content-Length: 29
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>> Cookie: JSESSIONID=valid_cookie
>>>>
>>>> account_name=Smith&SUBMIT=Go!
>>>> #end request
>>>> Feel free to ask me for more debugging information, I will be glad to
>>>> help you.
>>>> Thanks for your work,
>>>> Vojta
>>>>
>>>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>>
>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>
>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
>>>>> right now.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>>> Hi again.
>>>>>>
>>>>>> Please update to the latest revision and retry it again (with
>>>>>> --flush-session).
>>>>>>
>>>>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as
>>>>>> MySQL (because HSQLDB is MySQL look-alike)
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> You can download Webgoat here:
>>>>>>>
>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>> And you can login at localhost:8080/WebGoat with name webgoat and
>>>>>>> password webgoat
>>>>>>> The request file posted earlier is from the Blind numeric SQL injection
>>>>>>> lesson.
>>>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>>>> I am using this command, where "request" is the request file posted
>>>>>>> earlier and valid_cookie is simply a valid cookie.
>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't
>>>>>>> exploit it, I tried almost all tamper scripts, even some combinations,
>>>>>>> but no success.
>>>>>>> I wanted to show exploitation of Webgoat, because I would like to
>>>>>>> use Sqlmap for testing of a commercial application which is based on
>>>>>>> similar technologies.
>>>>>>> Thank you,
>>>>>>> Vojta
>>>>>>>
>>>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>>>
>>>>>>> Hi.
>>>>>>>
>>>>>>> Can you please send a used sqlmap command along with the basic info
>>>>>>> on vulnerable environment (e.g. just a plain Webgoat, URL this and
>>>>>>> that)?
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Greetings,
>>>>>>>> I am running Webgoat from a standalone jar file, so I can't see any
>>>>>>>> logs.
>>>>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>>>>> didn't expect this application to contain any kind of filtering.
>>>>>>>> I hope to show Sqlmap in action to some people from a large company
>>>>>>>> and I wanted to use something simple, therefore I am quite surprised.
>>>>>>>> I have never seen this situation - found injection but no possibility
>>>>>>>> of exploitation.
>>>>>>>> The between tamper script didn't help.
>>>>>>>> Any suggestions are welcomed.
>>>>>>>> Thanks,
>>>>>>>> Vojta
>>>>>>>>
>>>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>>>> > You should look in the logs of the web server and see what they
>>>>>>>> > say.
>>>>>>>> >
>>>>>>>> > I bet you need --tamper=between
>>>>>>>> >
>>>>>>>> > Sent from a phone
>>>>>>>> >
>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>>> >>
>>>>>>>> >> Greetings,
>>>>>>>> >> I tried to verify Sqlmap's functionality by running it against
>>>>>>>> >> Webgoat version 6.0.1. You can try it yourself by using the
>>>>>>>> >> following request file.
>>>>>>>> >> Just log in and replace the cookie with a valid one.
>>>>>>>> >> ###start request file
>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>> >> Host: localhost:8080
>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>> >> Accept: */*
>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>> >> Content-Length: 29
>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>> >> Connection: keep-alive
>>>>>>>> >> Pragma: no-cache
>>>>>>>> >> Cache-Control: no-cache
>>>>>>>> >>
>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>> >> #end request file
>>>>>>>> >> I am running git master of Sqlmap.
>>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>>>> >> information gathering commands work (--dbs, --current-user...).
>>>>>>>> >> I tried running with --hex or --no-cast, but no luck.
>>>>>>>> >> What might be the problem?
>>>>>>>> >> Thanks,
>>>>>>>> >> Vojta
>>>>>>>> >>
>>>>>>>> >> ------------------------------------------------------------------------------
>>>>>>>> >> _______________________________________________
>>>>>>>> >> sqlmap-users mailing list
>>>>>>>> >> sqlmap-users@lists.sourceforge.net
>>>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users