Topic: Tomcat authentication with sqlmap

H1t M0nk3y
« on: June 07, 2010, 06:05:47 PM »

Hi,

I am having a hard time authenticating sqlmap to a Tomcat 6 server (in my lab).

This command works well:
Quote
wget "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --http-user=guest --http-password=guest

But when I run this command:
Quote
./sqlmap.py -u "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --auth-cred="guest:guest" --auth-type="Basic"

I get the following error:
Quote
[19:02:11] [INFO] using '/pentest/database/sqlmap/output/192.168.1.57/session' as session file
[19:02:11] [INFO] testing connection to the target url
[19:02:11] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials

I tried many, many things, but I can't find the right command...

Anyone while I am TRYING HARDER?

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Ketchup
« Reply #1 on: June 07, 2010, 06:28:03 PM »

Stupid question, could the authentication be something other than Basic?   Perhaps Digest?   

Could the User Agent play into it as well?

~~~~~~~~~~~~~~
Ketchup
H1t M0nk3y
« Reply #2 on: June 07, 2010, 06:34:26 PM »

I also tried Digest and it didn't solve my problem.

Let me try the user agent...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
H1t M0nk3y
« Reply #3 on: June 07, 2010, 06:43:58 PM »

I just tried this:
Quote
./sqlmap.py -u "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --auth-cred="guest:guest" --auth-type="Basic" --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15"

...and it didn't work.

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
H1t M0nk3y
« Reply #4 on: June 07, 2010, 07:00:45 PM »

Tomcat 6 uses "Digest" and not "Basic" authentication as described there: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

I am moving slowly toward the solution...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Ketchup
« Reply #5 on: June 07, 2010, 08:17:34 PM »

try --auth-type="Digest"

~~~~~~~~~~~~~~
Ketchup
H1t M0nk3y
« Reply #6 on: June 08, 2010, 06:56:22 AM »

Thanks Ketchup, but I have tested (and now I just use it for all my tests) it even before posting on this forum.

I will keep trying today...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Ketchup
« Reply #7 on: June 08, 2010, 07:17:40 AM »

I would try to capture some traffic during authentication with both wget and sqlmap, to see what they are doing differently.   

~~~~~~~~~~~~~~
Ketchup
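
The comparison suggested in the reply above, as an added example that is not part of the original thread: it parses two raw HTTP requests, decodes any Basic credentials, and lists the headers that differ. Both requests are constructed samples rather than real captures from wget or sqlmap, and the function names are illustrative.

```python
import base64

# Constructed sample requests (illustrative, not captures from the thread).
CAPTURE_A = (
    "GET /WebGoat/attack?Screen=137&menu=1200&stage=1 HTTP/1.0\r\n"
    "User-Agent: Wget/1.12 (linux-gnu)\r\n"
    "Host: 192.168.1.57:8080\r\n"
    "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n\r\n"
)
CAPTURE_B = (
    "GET /WebGoat/attack?Screen=137&menu=1200&stage=1 HTTP/1.1\r\n"
    "User-Agent: example-client/0.0\r\n"
    "Host: 192.168.1.57:8080\r\n"
    "Cookie: JSESSIONID=CONSTRUCTEDSESSIONID\r\n\r\n"
)

def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def describe_auth(headers):
    """Return (scheme, detail) from Authorization, decoding Basic credentials."""
    value = headers.get("authorization")
    if not value:
        return None, None
    scheme, _, param = value.partition(" ")
    if scheme.lower() == "basic":
        try:
            param = base64.b64decode(param, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            param = "<undecodable>"
    return scheme, param

def diff_requests(raw_a, raw_b):
    """Map each header that differs to its (value in A, value in B) pair."""
    a, b = parse_headers(raw_a), parse_headers(raw_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for label, raw in (("A", CAPTURE_A), ("B", CAPTURE_B)):
        print(label, "auth:", describe_auth(parse_headers(raw)))
    for name, (va, vb) in diff_requests(CAPTURE_A, CAPTURE_B).items():
        print(f"{name}: A={va!r} B={vb!r}")
```

Pasting the request text from a "Follow TCP Stream" view of each client's capture in place of the two constants gives the same report for real traffic.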
H1t M0nk3y
« Reply #8 on: June 08, 2010, 02:26:56 PM »

I am getting closer now. I authenticated manually with my web browser, then I copied the session cookie from the browser and used it in sqlmap:

Quote
./sqlmap.py -u "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --cookie "JSESSIONID=HPCBGONANJBGFJFHGOKDMCGJ"

The output is:
Quote
[19:02:11] [INFO] using '/pentest/database/sqlmap/output/192.168.1.57/session' as session file
[19:02:11] [INFO] testing connection to the target url
[19:02:11] [INFO] url is stable
[19:02:11] [INFO] testing if Cookie parameter 'JSESSIONID' is dynamic

[19:02:11] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials

So it does work now, other than this annoying test with the cookie. I will keep trying tomorrow...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
slackerxxl
« Reply #9 on: December 10, 2010, 07:19:39 AM »

Did you find a solution? I'm having the same problem.
slackerxxl
« Reply #10 on: December 10, 2010, 07:28:41 AM »

The cookie auth gets sqlmap to check for injection and report if injection works but after that it stops. So I don't know if you thought you had figured it out above, but that was not a working solution.

Quote
xxx:sqlmap xxx$ python sqlmap.py -u "http://127.0.0.1:8080/WebGoat/attack?Screen=58&menu=1200" --data "account_number=101" --method=POST --cookie="JSESSIONID=6CE6368E5570B4227B520DAE391203CF" --current-db

    sqlmap/0.8 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
    
[*] starting at: 14:22:14

[14:22:15] [INFO] using '/Users/xxx/Documents/Hacking/Tools/sqlmap/output/127.0.0.1/session' as session file
[14:22:15] [INFO] resuming match ratio '0.999' from session file
[14:22:15] [INFO] testing connection to the target url
[14:22:15] [INFO] testing if the url is stable, wait a few seconds
[14:22:16] [INFO] url is stable
[14:22:16] [INFO] testing if POST parameter 'account_number' is dynamic
[14:22:17] [INFO] confirming that POST parameter 'account_number' is dynamic
[14:22:18] [INFO] POST parameter 'account_number' is dynamic
[14:22:18] [INFO] testing sql injection on POST parameter 'account_number' with 0 parenthesis
[14:22:18] [INFO] testing unescaped numeric injection on POST parameter 'account_number'
[14:22:18] [INFO] confirming unescaped numeric injection on POST parameter 'account_number'
[14:22:19] [INFO] POST parameter 'account_number' is unescaped numeric injectable with 0 parenthesis
[14:22:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[14:22:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[14:22:19] [INFO] testing if Cookie parameter 'JSESSIONID' is dynamic
[14:22:19] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials

[*] shutting down at: 14:22:19
sil
« Reply #11 on: December 10, 2010, 07:50:20 AM »

Just out of curiosity without me having to get too deep into it, have you tried changing your values? For example, look at the error you're getting:

[14:22:19] [INFO] testing if Cookie parameter 'JSESSIONID' is dynamic
[14:22:19] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials

Have you tried changing this? My inference is this:

Tomcat --> check to make sure things are dynamic (meaning this value has changed)

Code:
if
  field = static
then
  this shouldn't be
  exit
fi

I don't have Webgoat running to tinker, but my guess is, WebGoat is seeing something it doesn't like - something that is supposed to change and hasn't:

http://www.coderanch.com/t/152524/java-Architect-SCEA/certification/Risk-session-tracking

I suggest checking out:

Stinger (http://www2.owasp.org/index.php/Testing_for_Command_Injection_%28OWASP-DV-013%29)

Testing command injection (http://www2.owasp.org/index.php/Testing_for_Command_Injection_%28OWASP-DV-013%29)

and "session identifier strength" (http://www2.owasp.org/index.php/How_to_test_session_identifier_strength_with_WebScarab)

In order to understand JSESSIONID in cookies and what you might be missing


sil
« Reply #12 on: December 10, 2010, 07:52:12 AM »

Also take note, that webgoat is broken for certain tests:

http://code.google.com/p/webgoat/issues/detail?id=18

H1t M0nk3y
« Reply #13 on: December 10, 2010, 07:56:55 AM »

Wow, it's been a while now (about 6 months).

I remember spending quite some time on this problem, and it didn't work out. I remember using wireshark and trying to compare a manual (successful) query and the ones sent by sqlmap. I also remember running out of time (it was for a demo at work).

I got around it by using sqlcheck.sh instead. It was good enough for what I wanted to do.

That being said, I am still very much interested to see if someone can find a solution using this tool!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP