Hi,
continuing using Sqlmap from a Windows machine, now I am able to get everything without garbled characters and even without using safe URL.
Vojta

On 13.10.2015 at 21:14 Miroslav Stampar wrote:
>
> Problem is that requests/responses are slow. Can't see why this is happening.
>
> Can you please send also the traffic.txt (-t traffic.txt) for such a run?
>
> I don't have a clue why a simple connection test takes this long.
>
> Bye
>
> On Oct 13, 2015 9:12 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrote:
>
> Nothing looks wrong in that pastebin? It retrieved the username of SA just fine it seems. No garbled text is in the output.
>
> What were you expecting to happen?
>
> On Tue, Oct 13, 2015 at 2:08 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>
> Hi,
> http://pastebin.com/Q9RKsffG
> I am running Arch Linux 64 bit and I am running Webgoat from the single jar file.
> I am using OpenJDK.
> Thank you,
> Vojta
>
> On 13.10.2015 at 18:54 Miroslav Stampar wrote:
>>
>> Yup. The master branch is a good branch.
>>
>> And you are having difficulties even if you use --flush-session along with the switches/options I've used?
>>
>> This is strange. I've run this numerous times in the last few days.
>>
>> Can you please send a complete console output as I've sent for my runs? Also, on which OS do you run WebGoat?
>>
>> Bye
>>
>> On Oct 13, 2015 6:50 PM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>
>> Greetings,
>> now it works but...
>> I don't know what I am doing wrong, but it takes a very long time for Sqlmap to finish this run. In your output, it takes several seconds, for me it takes almost an hour to get this done.
>> Also I found out that if I try to use --keep-alive, it is much faster, it takes about a minute, but it again returns garbled characters. No other optimization switches improve the speed.
>> I am using the same arguments as you, but from the enumeration arguments I am using just --current-user, no --dump, --dbs etc.
>> Just to be sure, I am pulling from the master branch, is this correct?
>> Thank you very much for your effort,
>> Vojtěch Polášek
>>
>> On 13.10.2015 at 13:07 Miroslav Stampar wrote:
>>> Hi.
>>>
>>> There has been a lot of work here. Please update to the latest revision and retry it again.
>>>
>>> One word of advice regarding WebGoat. It has a bad routine that automatically closes the SQLi after it finds certain keywords in requests. Basically, afterwards it just says "* Congratulations. You have successfully completed this lesson." and prevents further injection. Hence, you'll need to use --safe-url and --safe-freq to reset those. Please find details further in the pastebin links.
>>>
>>> Here you can find a couple of different runs:
>>>
>>> --technique=B
>>> http://pastebin.com/04z2x00S
>>>
>>> (no technique constraints)
>>> http://pastebin.com/UhGQLyTp
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:18 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>> Hi.
>>>
>>> There is still more work here to be done. Will let you know. I am going to try to finish it today.
>>>
>>> Bye
>>>
>>> On Tue, Oct 13, 2015 at 10:13 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>
>>> Greetings,
>>> I still have problems exploiting HSQL databases.
>>> current-user is still returning garbled characters etc.
>>> Is it still working for you?
>>> Thanks,
>>> Vojta
>>>
>>> On 10.10.2015 at 01:35 Miroslav Stampar wrote:
>>>>
>>>> I've used that same request file without any problems (with latest patches/revision). Will retest tomorrow. Please retry everything with --flush-session
>>>>
>>>> Bye
>>>>
>>>> On Oct 10, 2015 1:17 AM, "Vojtěch Polášek" <krec...@gmail.com> wrote:
>>>>
>>>> Greetings,
>>>> thanks for your prompt response.
>>>> Unfortunately, it is still not working as expected.
>>>> There is a problem with retrieving the current user and information from the HSQL database in general.
>>>> Moreover, when using the following request file from the same application, Sqlmap identified the backend database as PostgreSQL instead of HSQL.
>>>> This request is from the lesson about simple string SQL injection
>>>> #begin request file
>>>> POST /WebGoat/attack?Screen=36&menu=1100 HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
>>>> Accept: */*
>>>> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://localhost:8080/WebGoat/start.mvc
>>>> Content-Length: 29
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>> Cookie: JSESSIONID=valid_cookie
>>>>
>>>> account_name=Smith&SUBMIT=Go!
>>>> #end request
>>>> Feel free to ask me for more debugging information, I will be glad to help you.
>>>> Thanks for your work,
>>>> Vojta
>>>>
>>>> On 9.10.2015 at 16:52 Miroslav Stampar wrote:
>>>>> Fixed tons of bugs and pushed. Please retry it again.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:55 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>> Please wait a bit. There are tons of bugs for HSQLDB in sqlmap. On it right now.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 2:20 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>> Hi again.
>>>>>
>>>>> Please update to the latest revision and retry it again (with --flush-session).
>>>>>
>>>>> Backend used is HSQLDB while sqlmap wrongly recognized it as MySQL (because HSQLDB is a MySQL look-alike)
>>>>>
>>>>> Bye
>>>>>
>>>>> On Fri, Oct 9, 2015 at 12:49 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>> You can download Webgoat here:
>>>>> https://webgoat.atlassian.net/builds/browse/WEB-WGM/latestSuccessful/artifact/shared/WebGoat-Embedded-Tomcat/WebGoat-6.0.1-war-exec.jar
>>>>> Just run java -jar WebGoat-6.0.1-war-exec.jar
>>>>> And you can log in at localhost:8080/WebGoat with name webgoat and password webgoat
>>>>> The request file posted earlier is from the Blind numeric SQL injection lesson.
>>>>> The application is written in Java and runs on an embedded Tomcat 7 server.
>>>>> I am using this command, where "request" is the request file posted earlier and valid_cookie is simply a valid cookie.
>>>>> python2 /opt/sqlmap/sqlmap.py -r request --level=5 --risk=3 -o --cookie="JSESSIONID=valid_cookie" -v3
>>>>> As I stated earlier, sqlmap finds the vulnerability but can't exploit it, I tried almost all tamper scripts, even some combinations, but no success.
>>>>> I wanted to show exploitation of Webgoat, because I would like to use Sqlmap for testing of a commercial application which is based on similar technologies.
>>>>> Thank you,
>>>>> Vojta
>>>>>
>>>>> On 9.10.2015 at 11:16 Miroslav Stampar wrote:
>>>>>> Hi.
>>>>>>
>>>>>> Can you please send the used sqlmap command along with the basic info on the vulnerable environment (e.g. just a plain Webgoat, URL this and that)?
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Thu, Oct 8, 2015 at 10:52 PM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>>
>>>>>> Greetings,
>>>>>> I am running Webgoat from a standalone jar file, so I can't see any logs.
>>>>>> I will try to see some logs from inside the application. Anyway, I didn't expect this application to contain any kind of filtering.
>>>>>> I hope to show Sqlmap in action to some people from a large company and I wanted to use something simple, therefore I am quite surprised. I have never seen this situation - found injection but no possibility of exploitation.
>>>>>> The between tamper script didn't help.
>>>>>> Any suggestions are welcome.
>>>>>> Thanks,
>>>>>> Vojta
>>>>>>
>>>>>> On 8.10.2015 at 18:10 Brandon Perry wrote:
>>>>>> > You should look in the logs of the web server and see what they say.
>>>>>> >
>>>>>> > I bet you need --tamper=between
>>>>>> >
>>>>>> > Sent from a phone
>>>>>> >
>>>>>> >> On Oct 8, 2015, at 10:33 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
>>>>>> >>
>>>>>> >> Greetings,
>>>>>> >> I tried to verify Sqlmap's functionality by running it against Webgoat
>>>>>> >> version 6.0.1. You can try it yourself by using the following request file.
>>>>>> >> Just log in and replace the cookie by a valid one.
>>>>>> >> ###start request file
>>>>>> >> POST /WebGoat/attack?Screen=4&menu=1100 HTTP/1.1
>>>>>> >> Host: localhost:8080
>>>>>> >> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
>>>>>> >> Accept: */*
>>>>>> >> Accept-Language: cs,en-US;q=0.7,en;q=0.3
>>>>>> >> Accept-Encoding: gzip, deflate
>>>>>> >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>>>> >> X-Requested-With: XMLHttpRequest
>>>>>> >> Referer: http://localhost:8080/WebGoat/start.mvc
>>>>>> >> Content-Length: 29
>>>>>> >> Cookie: JSESSIONID=replace
>>>>>> >> Connection: keep-alive
>>>>>> >> Pragma: no-cache
>>>>>> >> Cache-Control: no-cache
>>>>>> >>
>>>>>> >> account_number=101&SUBMIT=Go!
>>>>>> >> #end request file
>>>>>> >> I am running git master of Sqlmap.
>>>>>> >> Sqlmap detects SQL injection (boolean-based blind MySQL), but no
>>>>>> >> information gathering commands work (--dbs, --current-user...). I tried
>>>>>> >> running with --hex or --no-cast, but no luck.
>>>>>> >> What might be the problem?
>>>>>> >> Thanks,
>>>>>> >> Vojta
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users