Hi,
http://pastebin.com/Q9RKsffG
I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
I am using OpenJDK.
Thank you,
Vojta

On 13.10.2015 at 18:54, Miroslav Stampar wrote:
>
> Yup. The master branch is a good branch.
>
> And you are having difficulties even if you use a --flush-session
> along with switches/options I've used?
>
> This is strange. I've run this numerous times in last few days.
>
> Can you please send a complete console output as I've sent for my
> runs? Also, on which OS do you run WebGoat?
>
> Bye
>
> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>
>     Greetings,
>     now it works but...
>     I don't know what I am doing wrong, but it takes very looong time
>     for Sqlmap to finish this run. In your output, it takes several
>     seconds, for me it takes almost an hour to get this done.
>     Also I found out that if I try to use --keep-alive, it is much
>     faster, it takes about a minute, but it again returns garbled
>     characters. No other optimization switches improve the speed.
>     I am using same arguments as you, but from enumeration arguments I
>     am using just --current-user, no --dump, --dbs etc.
>     Just to be sure, I am pulling from Master branch, is this correct?
>     Thank you very much for your effort,
>     Vojtěch Polášek
>
>
>     On 13.10.2015 at 13:07, Miroslav Stampar wrote:
>> Hi.
>>
>> There has been a lot of work here. Please update to the latest
>> revision and retry it again.
>>
>> One word of advice regarding WebGoat. It has a bad routine that
>> automatically closes the SQLi after it finds certain keywords in
>> requests. Basically, afterwards it just says "* Congratulations.
>> You have successfully completed this lesson." and prevents
>> further injection. Hence, you'll need to use --safe-url and
>> --safe-freq to reset those. Please find details further in
>> pastebin links.
>>
>> Here you can find couple of different runs:
>>
>> --technique=B
>> http://pastebin.com/04z2x00S
>>
>> (no technique constraints)
>> http://pastebin.com/UhGQLyTp
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>
>>     Hi.
>>
>>     There is still more work here to be done. Will let you know.
>>     I am going to try to finish it today.
>>
>>     Bye
>>
>>     On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek
>>     <krec...@gmail.com> wrote:
>>
>>         Greetings,
>>         I have still problems exploiting HSQL databases.
>>         current-user is still returning garbled characters etc.
>>         Is it still working for you?
>>         Thanks,
>>         Vojta
>>
>>         On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>>
>>> I've used that same request file without any problems
>>> (with latest patches/revision). Will retest tomorrow.
>>> Please retry everything with --flush-session
>>>
>>> Bye
>>>
>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>>
>>>     Greetings,
>>>     thanks for your prompt response.
>>>     Unfortunately, it is still not working as expected.
>>>     There is problem with retrieving of current user and
>>>     information from HSQL database in general.
>>>     Moreover, when using following request file from the
>>>     same application, Sqlmap identified backend database
>>>     as Postgresql instead of HSQL.
>>>     This request is from lesson about simple string SQL
>>>     injection
>>>     #begin request file
>>>     POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>     Host: localhost:8080
>>>     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>     Accept: */*
>>>     Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>     Accept-Encoding: gzip, deflate
>>>     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>     X-Requested-With: XMLHttpRequest
>>>     Referer: http://localhost:8080/WebGoat/start.mvc
>>>     Content-Length: 29
>>>     Connection: keep-alive
>>>     Pragma: no-cache
>>>     Cache-Control: no-cache
>>>     Cookie: JSESSIONID=valid_cookie
>>>
>>>     account_name=Smith&SUBMIT=Go!
>>>     #end request
>>>     Feel free to ask me for more debugging information,
>>>     I will be glad to help you.
>>>     Thanks for your work,
>>>     Vojta
>>>
>>>     On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>
>>>> Bye
>>>>
>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
>>>> <miroslav.stam...@gmail.com> wrote:
>>>>
>>>>     Please wait a bit. There are tons of bugs for
>>>>     HSQLDB in sqlmap. On it right now.
>>>>
>>>>     Bye
>>>>
>>>>     On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
>>>>     <miroslav.stam...@gmail.com> wrote:
>>>>
>>>>         Hi again.
>>>>
>>>>         Please update to the latest revision and
>>>>         retry it again (with --flush-session).
>>>>
>>>>         Backend used is HSQLDB while the sqlmap
>>>>         wrongly recognized it as MySQL (because
>>>>         HSQLDB is MySQL look-alike)
>>>>
>>>>         Bye
>>>>
>>>>         On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
>>>>         <krec...@gmail.com> wrote:
>>>>
>>>>             Hi,
>>>>             You can download Webgoat here:
>>>>
>>>>             https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>             Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>             And you can login at localhost:8080/WebGoat with name
>>>>             webgoat and password webgoat
>>>>             The request file posted earlier is from
>>>>             Blind numeric SQL injection lesson.
>>>>             Application is written in Java and runs
>>>>             on embedded Tomcat 7 server.
>>>>             I am using this command, where "request" is request file
>>>>             posted earlier and valid_cookie is simply valid cookie.
>>>>             python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>             As I stated earlier, sqlmap finds the
>>>>             vulnerability but can't exploit it, I
>>>>             tried almost all tamper scripts, even
>>>>             some combinations, but no success.
>>>>             I wanted to show exploitation of
>>>>             Webgoat, because I would like to use
>>>>             Sqlmap for testing of commercial
>>>>             application which is based on similar
>>>>             technologies.
>>>>             Thank you,
>>>>             Vojta
>>>>
>>>>
>>>>             On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>> Hi.
>>>>>
>>>>> Can you please send a used sqlmap
>>>>> command along with the basic info on
>>>>> vulnerable environment (e.g. just a
>>>>> plain Webgoat, URL this and that)?
>>>>>
>>>>> Bye
>>>>>
>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek
>>>>> <krec...@gmail.com> wrote:
>>>>>
>>>>>     Greetings,
>>>>>     I am running Webgoat from
>>>>>     standalone jar file, so I can't
>>>>>     see any logs.
>>>>>     I will try to see some logs from
>>>>>     inside the application.
>>>>>     Anyway, I didn't expect this application to
>>>>>     contain any kind of filtering.
>>>>>     I hope to show Sqlmap in action to
>>>>>     some people from a large company and
>>>>>     I wanted to use something simple,
>>>>>     therefore I am quite surprised. I have
>>>>>     never seen this situation - found
>>>>>     injection but no possibility of
>>>>>     exploitation.
>>>>>     The between tamper script didn't help.
>>>>>     Any suggestions are welcomed.
>>>>>     Thanks,
>>>>>     Vojta
>>>>>
>>>>>     On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>     > You should look in the logs of the web server and see what they say.
>>>>>     >
>>>>>     > I bet you need --tamper=between
>>>>>     >
>>>>>     > Sent from a phone
>>>>>     >
>>>>>     >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>     >>
>>>>>     >> Greetings,
>>>>>     >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>>     >> version 6.0.1. You can try it yourself by using following request file.
>>>>>     >> Just log in and replace cookie by valid one.
>>>>>     >> ###start request file
>>>>>     >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>     >> Host: localhost:8080
>>>>>     >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>     >> Accept: */*
>>>>>     >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>     >> Accept-Encoding: gzip, deflate
>>>>>     >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>     >> X-Requested-With: XMLHttpRequest
>>>>>     >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>     >> Content-Length: 29
>>>>>     >> Cookie: JSESSIONID=replace
>>>>>     >> Connection: keep-alive
>>>>>     >> Pragma: no-cache
>>>>>     >> Cache-Control: no-cache
>>>>>     >>
>>>>>     >> account_number=101&SUBMIT=Go!
>>>>>     >> #end request file
>>>>>     >> I am running git master of Sqlmap.
>>>>>     >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>     >> information gathering commands work (--dbs, --current-user...). I tried
>>>>>     >> running with --hex or --no-cast, but no luck.
>>>>>     >> What might be the problem?
>>>>>     >> Thanks,
>>>>>     >> Vojta
>>>>>     >>
>>>>>     >> ------------------------------------------------------------------------------
>>>>>     >> _______________________________________________
>>>>>     >> sqlmap-users mailing list
>>>>>     >> sqlmap-users@lists.sourceforge.net
>>>>>     >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
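
A toy model of the behaviour described in the quoted reply of 13.10.2015 (the lesson stops answering once it has seen certain keywords, and --safe-url/--safe-freq are used to reset it), showing why a boolean-blind readout turns into garbage once the page is the same for true and false. This is an added example, not code from the thread, from sqlmap or from WebGoat; the keyword, the secret value, the endpoint class and the assumption that the latch affects only later requests are all constructed.

```python
# Toy model, constructed for illustration; not WebGoat or sqlmap code.
TRIGGER_KEYWORDS = ("USER",)   # assumed: the thread only says "certain keywords"
SECRET = "SA"                  # constructed value the true/false oracle answers about


class LessonEndpoint:
    """Stand-in for a lesson page that latches shut after a trigger keyword."""

    def __init__(self):
        self.completed = False

    def reset(self):
        """Effect assumed for a visit to the safe URL: the lesson is reopened."""
        self.completed = False

    def ask(self, payload, truth):
        """Return the page shown for a probe whose real answer is `truth`."""
        if self.completed:
            page = "Congratulations"          # identical for true and false
        else:
            page = "valid" if truth else "invalid"
        if any(k in payload.upper() for k in TRIGGER_KEYWORDS):
            self.completed = True             # assumed: later requests are affected
        return page


def extract(endpoint, length, safe_freq=None):
    """Binary-search each character through the oracle.

    With safe_freq=N the endpoint is reset before every Nth probe, which is
    the request pattern --safe-url/--safe-freq produce.
    """
    out, sent = [], 0
    for pos in range(length):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if safe_freq and sent % safe_freq == 0:
                endpoint.reset()
            page = endpoint.ask(f"USER pos={pos} gt={mid}", ord(SECRET[pos]) > mid)
            sent += 1
            lo, hi = (mid + 1, hi) if page == "valid" else (lo, mid)
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    print(repr(extract(LessonEndpoint(), len(SECRET))))               # latched
    print(repr(extract(LessonEndpoint(), len(SECRET), safe_freq=1)))  # reset each probe
```

In this model only the very first probe is answered truthfully when no reset is made, so every later comparison is read as "false" and the recovered characters are meaningless.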