Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output.
What were you expecting to happen?

On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <krec...@gmail.com> wrote:

> Hi,
> http://pastebin.com/Q9RKsffG
> I am running Arch Linux 64 bit and I am running Webgoat from the single
> jar file.
> I am using OpenJDK.
> Thank you,
> Vojta
>
> On 13.10.2015 at 18:54, Miroslav Stampar wrote:
>
> Yup. The master branch is a good branch.
>
> And you are having difficulties even if you use a --flush-session along
> with switches/options I've used?
>
> This is strange. I've run this numerous times in last few days.
>
> Can you please send a complete console output as I've sent for my runs?
> Also, on which OS do you run WebGoat?
>
> Bye
> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>
>> Greetings,
>> now it works but...
>> I don't know what I am doing wrong, but it takes very looong time for
>> Sqlmap to finish this run. In your output, it takes several seconds, for me
>> it takes almost an hour to get this done.
>> Also I found out that if I try to use --keep-alive, it is much faster, it
>> takes about a minute, but it again returns garbled characters. No other
>> optimization switches improve the speed.
>> I am using same arguments as you, but from enumeration arguments I am
>> using just --current-user, no --dump, --dbs etc.
>> Just to be sure, I am pulling from Master branch, is this correct?
>> Thank you very much for your effort,
>> Vojtěch Polášek
>>
>>
>> On 13.10.2015 at 13:07, Miroslav Stampar wrote:
>>
>> Hi.
>>
>> There has been a lot of work here. Please update to the latest revision and
>> retry it again.
>>
>> One word of advice regarding WebGoat. It has a bad routine that
>> automatically closes the SQLi after it finds certain keywords in requests.
>> Basically, afterwards it just says "* Congratulations. You have
>> successfully completed this lesson." and prevents further injection. Hence,
>> you'll need to use --safe-url and --safe-freq to reset those. Please find
>> details further in pastebin links.
>>
>> Here you can find couple of different runs:
>>
>> --technique=B
>> http://pastebin.com/04z2x00S
>>
>> (no technique constraints)
>> http://pastebin.com/UhGQLyTp
>>
>> Bye
>>
>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> There is still more work here to be done. Will let you know. I am going
>>> to try to finish it today.
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com>
>>> wrote:
>>>
>>>> Greetings,
>>>> I still have problems exploiting HSQL databases. current-user is still
>>>> returning garbled characters etc.
>>>> Is it still working for you?
>>>> Thanks,
>>>> Vojta
>>>>
>>>> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>>>
>>>> I've used that same request file without any problems (with latest
>>>> patches/revision). Will retest tomorrow. Please retry everything with
>>>> --flush-session
>>>>
>>>> Bye
>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>>>
>>>>> Greetings,
>>>>> thanks for your prompt response.
>>>>> Unfortunately, it is still not working as expected.
>>>>> There is a problem with retrieving of current user and information from
>>>>> HSQL database in general.
>>>>> Moreover, when using following request file from the same application,
>>>>> Sqlmap identified backend database as Postgresql instead of HSQL.
>>>>> This request is from lesson about simple string SQL injection
>>>>> #begin request file
>>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>>> Host: localhost:8080
>>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>>> Accept: */*
>>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>> Accept-Encoding: gzip, deflate
>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>> X-Requested-With: XMLHttpRequest
>>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>> Content-Length: 29
>>>>> Connection: keep-alive
>>>>> Pragma: no-cache
>>>>> Cache-Control: no-cache
>>>>> Cookie: JSESSIONID=valid_cookie
>>>>>
>>>>> account_name=Smith&SUBMIT=Go!
>>>>> #end request
>>>>> Feel free to ask me for more debugging information, I will be glad to
>>>>> help you.
>>>>> Thanks for your work,
>>>>> Vojta
>>>>>
>>>>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>>>
>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
>>>>> <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it
>>>>>> right now.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
>>>>>> <miroslav.stam...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi again.
>>>>>>>
>>>>>>> Please update to the latest revision and retry it again (with
>>>>>>> --flush-session).
>>>>>>>
>>>>>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as
>>>>>>> MySQL (because HSQLDB is MySQL look-alike)
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
>>>>>>> <krec...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> You can download Webgoat here:
>>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>>> And you can login at localhost:8080/WebGoat with name webgoat and
>>>>>>>> password webgoat
>>>>>>>> The request file posted earlier is from Blind numeric SQL injection
>>>>>>>> lesson.
>>>>>>>> Application is written in Java and runs on embedded Tomcat 7 server.
>>>>>>>> I am using this command, where "request" is request file posted
>>>>>>>> earlier and valid_cookie is simply valid cookie.
>>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't
>>>>>>>> exploit it, I tried almost all tamper scripts, even some combinations,
>>>>>>>> but no success.
>>>>>>>> I wanted to show exploitation of Webgoat, because I would like to
>>>>>>>> use Sqlmap for testing of commercial application which is based on
>>>>>>>> similar technologies.
>>>>>>>> Thank you,
>>>>>>>> Vojta
>>>>>>>>
>>>>>>>>
>>>>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>>>>
>>>>>>>> Hi.
>>>>>>>>
>>>>>>>> Can you please send a used sqlmap command along with the basic info
>>>>>>>> on vulnerable environment (e.g. just a plain Webgoat, URL this and
>>>>>>>> that)?
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek
>>>>>>>> <krec...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Greetings,
>>>>>>>>> I am running Webgoat from standalone jar file, so I can't see any
>>>>>>>>> logs.
>>>>>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>>>>>> didn't expect this application to contain any kind of filtering.
>>>>>>>>> I hope to show Sqlmap in action to some people from a large
>>>>>>>>> company and I wanted to use something simple, therefore I am quite
>>>>>>>>> surprised. I have never seen this situation - found injection but
>>>>>>>>> no possibility of exploitation.
>>>>>>>>> The between tamper script didn't help.
>>>>>>>>> Any suggestions are welcome.
>>>>>>>>> Thanks,
>>>>>>>>> Vojta
>>>>>>>>>
>>>>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>>>>> > You should look in the logs of the web server and see what they
>>>>>>>>> > say.
>>>>>>>>> >
>>>>>>>>> > I bet you need --tamper=between
>>>>>>>>> >
>>>>>>>>> > Sent from a phone
>>>>>>>>> >
>>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek
>>>>>>>>> >> <krec...@gmail.com> wrote:
>>>>>>>>> >>
>>>>>>>>> >> Greetings,
>>>>>>>>> >> I tried to verify Sqlmap's functionality by running it against
>>>>>>>>> >> Webgoat version 6.0.1. You can try it yourself by using following
>>>>>>>>> >> request file.
>>>>>>>>> >> Just log in and replace cookie by valid one.
>>>>>>>>> >> ###start request file
>>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>>> >> Host: localhost:8080
>>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>>> >> Accept: */*
>>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>>> >> Content-Length: 29
>>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>>> >> Connection: keep-alive
>>>>>>>>> >> Pragma: no-cache
>>>>>>>>> >> Cache-Control: no-cache
>>>>>>>>> >>
>>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>>> >> #end request file
>>>>>>>>> >> I am running git master of Sqlmap.
>>>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>>>>> >> information gathering commands work (--dbs, --current-user...).
>>>>>>>>> >> I tried running with --hex or --no-cast, but no luck.
>>>>>>>>> >> What might be the problem?
>>>>>>>>> >> Thanks,
>>>>>>>>> >> Vojta
>>>>>>>>> >>
>>>>>>>>> >> ------------------------------------------------------------------------------
>>>>>>>>> >> _______________________________________________
>>>>>>>>> >> sqlmap-users mailing list
>>>>>>>>> >> sqlmap-users@lists.sourceforge.net
>>>>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Miroslav Stampar
>>>>>>>> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website