Problem is that requests/responses are slow. Can't see why this is happening.
Can you please also send the traffic.txt (-t traffic.txt) for such a run? I don't have a clue why a simple connection test is this slow.

Bye

On Oct 13, 2015 9:12 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrote:

> Nothing looks wrong in that pastebin? It retrieved the username of SA just
> fine it seems. No garbled text is in the output.
>
> What were you expecting to happen?
>
> On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <krec...@gmail.com>
> wrote:
>
>> Hi,
>> http://pastebin.com/Q9RKsffG
>> I am running Arch Linux 64 bit and I am running Webgoat from the single
>> jar file.
>> I am using OpenJDK.
>> Thank you,
>> Vojta
>>
>> On 13.10.2015 at 18:54, Miroslav Stampar wrote:
>>
>> Yup. The master branch is a good branch.
>>
>> And you are having difficulties even if you use a --flush-session along
>> with switches/options I've used?
>>
>> This is strange. I've run this numerous times in the last few days.
>>
>> Can you please send a complete console output as I've sent for my runs?
>> Also, on which OS do you run WebGoat?
>>
>> Bye
>> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>
>>> Greetings,
>>> now it works but...
>>> I don't know what I am doing wrong, but it takes a very looong time for
>>> Sqlmap to finish this run. In your output, it takes several seconds, for me
>>> it takes almost an hour to get this done.
>>> Also I found out that if I try to use --keep-alive, it is much faster,
>>> it takes about a minute, but it again returns garbled characters. No other
>>> optimization switches improve the speed.
>>> I am using the same arguments as you, but from enumeration arguments I am
>>> using just --current-user, no --dump, --dbs etc.
>>> Just to be sure, I am pulling from Master branch, is this correct?
>>> Thank you very much for your effort,
>>> Vojtěch Polášek
>>>
>>>
>>> On 13.10.2015 at 13:07, Miroslav Stampar wrote:
>>>
>>> Hi.
>>>
>>> There has been a lot of work here.
>>> Please update to the latest revision and
>>> retry it again.
>>>
>>> One word of advice regarding WebGoat. It has a bad routine that
>>> automatically closes the SQLi after it finds certain keywords in requests.
>>> Basically, afterwards it just says "* Congratulations. You have
>>> successfully completed this lesson." and prevents further injection. Hence,
>>> you'll need to use --safe-url and --safe-freq to reset those. Please find
>>> details further in pastebin links.
>>>
>>> Here you can find a couple of different runs:
>>>
>>> --technique=B
>>> http://pastebin.com/04z2x00S
>>>
>>> (no technique constraints)
>>> http://pastebin.com/UhGQLyTp
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar
>>> <miroslav.stam...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> There is still more work here to be done. Will let you know. I am going
>>>> to try to finish it today.
>>>>
>>>> Bye
>>>>
>>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com>
>>>> wrote:
>>>>
>>>>> Greetings,
>>>>> I still have problems exploiting HSQL databases. current-user is still
>>>>> returning garbled characters etc.
>>>>> Is it still working for you?
>>>>> Thanks,
>>>>> Vojta
>>>>>
>>>>> On 10.10.2015 at 01:35, Miroslav Stampar wrote:
>>>>>
>>>>> I've used that same request file without any problems (with latest
>>>>> patches/revision). Will retest tomorrow. Please retry everything with
>>>>> --flush-session
>>>>>
>>>>> Bye
>>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>>>>
>>>>>> Greetings,
>>>>>> thanks for your prompt response.
>>>>>> Unfortunately, it is still not working as expected.
>>>>>> There is a problem with retrieving the current user and information from
>>>>>> HSQL database in general.
>>>>>> Moreover, when using the following request file from the same
>>>>>> application, Sqlmap identified backend database as Postgresql instead of
>>>>>> HSQL.
>>>>>> This request is from the lesson about simple string SQL injection
>>>>>> #begin request file
>>>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>>>> Host: localhost:8080
>>>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>>>> Accept: */*
>>>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>> Accept-Encoding: gzip, deflate
>>>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>> X-Requested-With: XMLHttpRequest
>>>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>> Content-Length: 29
>>>>>> Connection: keep-alive
>>>>>> Pragma: no-cache
>>>>>> Cache-Control: no-cache
>>>>>> Cookie: JSESSIONID=valid_cookie
>>>>>>
>>>>>> account_name=Smith&SUBMIT=Go!
>>>>>> #end request
>>>>>> Feel free to ask me for more debugging information, I will be glad to
>>>>>> help you.
>>>>>> Thanks for your work,
>>>>>> Vojta
>>>>>> On 9.10.2015 at 16:52, Miroslav Stampar wrote:
>>>>>>
>>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar
>>>>>> <miroslav.stam...@gmail.com> wrote:
>>>>>>
>>>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On
>>>>>>> it right now.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar
>>>>>>> <miroslav.stam...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi again.
>>>>>>>>
>>>>>>>> Please update to the latest revision and retry it again (with
>>>>>>>> --flush-session).
>>>>>>>>
>>>>>>>> Backend used is HSQLDB while the sqlmap wrongly recognized it as
>>>>>>>> MySQL (because HSQLDB is MySQL look-alike)
>>>>>>>>
>>>>>>>> Bye
>>>>>>>>
>>>>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek
>>>>>>>> <krec...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> You can download Webgoat here:
>>>>>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>>>>>> And you can login at localhost:8080/WebGoat with name webgoat and
>>>>>>>>> password webgoat
>>>>>>>>> The request file posted earlier is from Blind numeric SQL
>>>>>>>>> injection lesson.
>>>>>>>>> Application is written in Java and runs on embedded Tomcat 7
>>>>>>>>> server.
>>>>>>>>> I am using this command, where "request" is the request file posted
>>>>>>>>> earlier and valid_cookie is simply a valid cookie.
>>>>>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>>>>>> As I stated earlier, sqlmap finds the vulnerability but can't
>>>>>>>>> exploit it, I tried almost all tamper scripts, even some
>>>>>>>>> combinations, but no success.
>>>>>>>>> I wanted to show exploitation of Webgoat, because I would like to
>>>>>>>>> use Sqlmap for testing of a commercial application which is based on
>>>>>>>>> similar technologies.
>>>>>>>>> Thank you,
>>>>>>>>> Vojta
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 9.10.2015 at 11:16, Miroslav Stampar wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> Can you please send a used sqlmap command along with the basic
>>>>>>>>> info on vulnerable environment (e.g. just a plain Webgoat, URL this
>>>>>>>>> and that)?
>>>>>>>>>
>>>>>>>>> Bye
>>>>>>>>>
>>>>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek
>>>>>>>>> <krec...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Greetings,
>>>>>>>>>> I am running Webgoat from standalone jar file, so I can't see any
>>>>>>>>>> logs.
>>>>>>>>>> I will try to see some logs from inside the application. Anyway, I
>>>>>>>>>> didn't expect this application to contain any kind of filtering.
>>>>>>>>>> I hope to show Sqlmap in action to some people from a large
>>>>>>>>>> company and I wanted to use something simple, therefore I am quite
>>>>>>>>>> surprised. I have never seen this situation - found injection but
>>>>>>>>>> no possibility of exploitation.
>>>>>>>>>> The between tamper script didn't help.
>>>>>>>>>> Any suggestions are welcome.
>>>>>>>>>> Thanks,
>>>>>>>>>> Vojta
>>>>>>>>>>
>>>>>>>>>> On 8.10.2015 at 18:10, Brandon Perry wrote:
>>>>>>>>>> > You should look in the logs of the web server and see what they
>>>>>>>>>> > say.
>>>>>>>>>> >
>>>>>>>>>> > I bet you need --tamper=between
>>>>>>>>>> >
>>>>>>>>>> > Sent from a phone
>>>>>>>>>> >
>>>>>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek
>>>>>>>>>> >> <krec...@gmail.com> wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> Greetings,
>>>>>>>>>> >> I tried to verify Sqlmap's functionality by running it against
>>>>>>>>>> >> Webgoat version 6.0.1. You can try it yourself by using the
>>>>>>>>>> >> following request file.
>>>>>>>>>> >> Just log in and replace cookie by valid one.
>>>>>>>>>> >> ###start request file
>>>>>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>>>>>> >> Host: localhost:8080
>>>>>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>>>>>> >> Accept: */*
>>>>>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>>>>>> >> Content-Length: 29
>>>>>>>>>> >> Cookie: JSESSIONID=replace
>>>>>>>>>> >> Connection: keep-alive
>>>>>>>>>> >> Pragma: no-cache
>>>>>>>>>> >> Cache-Control: no-cache
>>>>>>>>>> >>
>>>>>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>>>>>> >> #end request file
>>>>>>>>>> >> I am running git master of Sqlmap.
>>>>>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no
>>>>>>>>>> >> information gathering commands work (--dbs, --current-user...).
>>>>>>>>>> >> I tried running with --hex or --no-cast, but no luck.
>>>>>>>>>> >> What might be the problem?
>>>>>>>>>> >> Thanks,
>>>>>>>>>> >> Vojta
>>>>>>>>>> >>
>>>>>>>>>> >> ------------------------------------------------------------------------------
>>>>>>>>>> >> _______________________________________________
>>>>>>>>>> >> sqlmap-users mailing list
>>>>>>>>>> >> sqlmap-users@lists.sourceforge.net
>>>>>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Miroslav Stampar
>>>>>>>>> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users