Hi,
I have several interesting findings. I have to run Sqlmap on my Windows machine because of my presentation. So the current setup is like this: Webgoat running on my physical Arch Linux box with OpenJDK. Sqlmap running on Windows 7 64 bit in a virtual machine virtualized with Virtualbox. Sqlmap connects to Webgoat through a Virtualbox host-only network. I don't experience any delays when running in this setup. I can even retrieve some information like current user or list of dbs without safe url. But I am getting malformed results when trying to get the list of tables, even with safe url. I will send you another traffic file.

Thinking about that delay, I came upon an idea that name translation may slow down my Sqlmap running on Linux. I modified my request file to use 127.0.0.1 instead of localhost. Now it is really fast, but it can't detect the injection point :-D I am getting really confused now. So I will send you the traffic file from my Windows host and also from my Linux host when using the IP address instead of localhost. Is that ok for you?

Thank you very much,
Vojta
On 13.10.2015 at 21:14 Miroslav Stampar wrote:
>
> Problem is that request/responses are slow. Can't see why this is happening.
>
> Can you please send also the traffic.txt (-t traffic.txt) for such a run?
>
> I don't have a clue why a simple connection test takes this slow.
>
> Bye
>
> On Oct 13, 2015 9:12 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrote:
>
> Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output.
>
> What were you expecting to happen?
>
> On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>
> Hi,
> http://pastebin.com/Q9RKsffG
> I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
> I am using OpenJDK.
> Thank you,
> Vojta
>
> On 13.10.2015 at 18:54 Miroslav Stampar wrote:
>>
>> Yup. The master branch is a good branch.
>>
>> And you are having difficulties even if you use a --flush-session along with the switches/options I've used?
>>
>> This is strange. I've run this numerous times in the last few days.
>>
>> Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?
>>
>> Bye
>>
>> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>
>> Greetings,
>> now it works but...
>> I don't know what I am doing wrong, but it takes a very looong time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
>> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
>> I am using the same arguments as you, but from the enumeration arguments I am using just --current-user, no --dump, --dbs etc.
>> Just to be sure, I am pulling from the master branch, is this correct?
>> Thank you very much for your effort,
>> Vojtěch Polášek
>>
>>
>> On 13.10.2015 at 13:07 Miroslav Stampar wrote:
>>> Hi.
>>>
>>> There has been a lot of work here. Please update to the latest revision and retry it again.
>>>
>>> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in the pastebin links.
>>>
>>> Here you can find a couple of different runs:
>>>
>>> --technique=B
>>> http://pastebin.com/04z2x00S
>>>
>>> (no technique constraints)
>>> http://pastebin.com/UhGQLyTp
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>> Hi.
>>>
>>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>
>>> Greetings,
>>> I still have problems exploiting HSQL databases.
>>> current-user is still returning garbled characters etc.
>>> Is it still working for you?
>>> Thanks,
>>> Vojta
>>>
>>> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>>>>
>>>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>>
>>>> Bye
>>>>
>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>>>
>>>> Greetings,
>>>> thanks for your prompt response.
>>>> Unfortunately, it is still not working as expected.
>>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as Postgresql instead of HSQL.
>>>> This request is from the lesson about simple string SQL injection
>>>> #begin request file
>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>> Accept: */*
>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>> Content-Length: 29
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>> Cookie: JSESSIONID=valid_cookie
>>>>
>>>> account_name=Smith&SUBMIT=Go!
>>>> #end request
>>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>>> Thanks for your work,
>>>> Vojta
>>>>
>>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>> Hi again.
>>>>>
>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>
>>>>> Backend used is HSQLDB while sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike)
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>> You can download Webgoat here:
>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>> And you can login at localhost:8080/WebGoat with name webgoat and password webgoat
>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
>>>>> Thank you,
>>>>> Vojta
>>>>>
>>>>>
>>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>>> Hi.
>>>>>>
>>>>>> Can you please send the used sqlmap command along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>
>>>>>> Greetings,
>>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>> The between tamper script didn't help.
>>>>>> Any suggestions are welcome.
>>>>>> Thanks,
>>>>>> Vojta
>>>>>>
>>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>> >
>>>>>> > I bet you need --tamper=between
>>>>>> >
>>>>>> > Sent from a phone
>>>>>> >
>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>> >>
>>>>>> >> Greetings,
>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat version 6.0.1. You can try it yourself by using the following request file.
>>>>>> >> Just log in and replace the cookie by a valid one.
>>>>>> >> ###start request file
>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>> >> Host: localhost:8080
>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>> >> Accept: */*
>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>> >> Content-Length: 29
>>>>>> >> Cookie: JSESSIONID=replace
>>>>>> >> Connection: keep-alive
>>>>>> >> Pragma: no-cache
>>>>>> >> Cache-Control: no-cache
>>>>>> >>
>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>> >> #end request file
>>>>>> >> I am running git master of Sqlmap.
>>>>>> >> Sqlmap detects SQL injection (boolean based blind Mysql), but no information gathering commands work (--dbs, --current-user...). I tried running with --hex or --no-cast, but no luck.
>>>>>> >> What might be the problem?
>>>>>> >> Thanks,
>>>>>> >> Vojta
>>>>>> >>
>>>>>> >> ------------------------------------------------------------------------------
>>>>>> >> _______________________________________________
>>>>>> >> sqlmap-users mailing list
>>>>>> >> sqlmap-users@lists.sourceforge.net
>>>>>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
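Two of the messages above carry raw request files for sqlmap's -r option, one with the cookie still set to the placeholder valid_cookie, and the last message swaps localhost for 127.0.0.1 in the Host header. The following Python is an added example, not code from the thread or from sqlmap: a small parser for that request-file format with the checks a tester would want before handing the file to any tool (the declared Content-Length matches the body, a Host header is present, the placeholder cookie has been replaced) plus a helper that rewrites the Host header the way the last message describes. The sample request is constructed from the file in the thread with a shortened header set; the placeholder cookie values and all function names are this example's own.

```python
"""Parse and sanity-check a raw HTTP request file (the format sqlmap's -r
option reads). Added example, not code from the thread or from sqlmap."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Constructed sample: the request file from the thread with the header set
# shortened and the placeholder session cookie left in place on purpose.
SAMPLE_REQUEST = """POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost:8080/WebGoat/start.mvc
Content-Length: 29
Connection: keep-alive
Cookie: JSESSIONID=valid_cookie

account_name=Smith&SUBMIT=Go!
"""

# Placeholder cookie values used in the thread's two request files (assumption:
# any of these left in a file means the tester forgot to paste a real session).
PLACEHOLDER_COOKIES = ("valid_cookie", "replace")


@dataclass
class RawRequest:
    method: str
    target: str
    version: str
    headers: dict  # header names lower-cased; a repeated header keeps the last value
    body: str


def parse_request_file(text: str) -> RawRequest:
    """Split a raw request into request line, headers and body."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")  # the first blank line ends the headers
    lines = head.split("\n")
    m = re.match(r"^(\S+)\s+(\S+)\s+(HTTP/\d\.\d)$", lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    # A trailing newline after the body comes from the editor, not the request.
    return RawRequest(m.group(1), m.group(2), m.group(3), headers, body.rstrip("\n"))


def check_request(req: RawRequest) -> list:
    """Return the problems a tester would want fixed before using the file."""
    problems = []
    if "host" not in req.headers:
        problems.append("missing Host header")
    if req.method == "POST":
        declared = req.headers.get("content-length")
        actual = len(req.body.encode("utf-8"))
        if declared is None:
            problems.append("POST without Content-Length")
        elif int(declared) != actual:
            problems.append("Content-Length %s but body is %d bytes" % (declared, actual))
    cookie = req.headers.get("cookie", "")
    if any("JSESSIONID=%s" % p in cookie for p in PLACEHOLDER_COOKIES):
        problems.append("placeholder session cookie still in file")
    return problems


def form_fields(req: RawRequest) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(req.body, keep_blank_values=True))


def with_host(text: str, new_host: str) -> str:
    """Rewrite the Host header, e.g. localhost:8080 -> 127.0.0.1:8080."""
    return re.sub(r"(?im)^Host:[^\n]*$", lambda _m: "Host: " + new_host, text, count=1)


if __name__ == "__main__":
    req = parse_request_file(SAMPLE_REQUEST)
    print(req.method, req.target, form_fields(req))
    print(check_request(req) or "no problems found")
```

Run against the sample as written, check_request reports only the placeholder cookie; both request files in the thread declare Content-Length: 29, which matches their 29-byte bodies, so that check passes for them. Rewriting the Host header with with_host leaves the Referer untouched, so a server that compares the two will still see localhost in the Referer; that is worth knowing when a run behaves differently after the swap, as the last message reports.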