Tomcat authentication with sqlmap

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jun 07, 2010 6:05 pm

Tomcat authentication with sqlmap

Hi,

I am having a hard time authenticating sqlmap to a Tomcat 6 server (in my lab).

This command works well:
wget "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --http-user=guest --http-password=guest


But when I run this command:
./sqlmap.py -u "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --auth-cred="guest:guest" --auth-type="Basic"


I get the following error:
[19:02:11] [INFO] using '/pentest/database/sqlmap/output/192.168.1.57/session' as session file
[19:02:11] [INFO] testing connection to the target url
[19:02:11] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials


I tried many, many things, but I can't find the right command...  ???

Anyone while I am TRYING HARDER?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Jun 07, 2010 6:28 pm

Re: Tomcat authentication with sqlmap

Stupid question, could the authentication be something other than Basic? Perhaps Digest?

Could the User Agent play into it as well?
~~~~~~~~~~~~~~
Ketchup
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jun 07, 2010 6:34 pm

Re: Tomcat authentication with sqlmap

I also tried Digest and it didn't solve my problem.

Let me try the user agent...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jun 07, 2010 6:43 pm

Re: Tomcat authentication with sqlmap

I just tried this:
./sqlmap.py -u "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --auth-cred="guest:guest" --auth-type="Basic" --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15"


...and it didn't work.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jun 07, 2010 7:00 pm

Re: Tomcat authentication with sqlmap

Tomcat 6 uses "Digest" and not "Basic" authentication as described there: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

I am moving slowly toward the solution...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Jun 07, 2010 8:17 pm

Re: Tomcat authentication with sqlmap

try --auth-type="Digest"
~~~~~~~~~~~~~~
Ketchup
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jun 08, 2010 6:56 am

Re: Tomcat authentication with sqlmap

Thanks Ketchup, but I have tested it (and now I just use it for all my tests) even before posting on this forum.

I will keep trying today...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jun 08, 2010 7:17 am

Re: Tomcat authentication with sqlmap

I would try to capture some traffic during authentication with both wget and sqlmap, to see what they are doing differently. 
~~~~~~~~~~~~~~
Ketchup
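
One way to do the comparison suggested in the post above, as an added example that is not part of the original thread: parse the raw request from each capture and list the headers that differ, decoding any Basic `Authorization` value. The two request strings are constructed samples (not real wget or sqlmap output), and the function names are hypothetical.

```python
import base64

def parse_request(raw):
    """Split a raw HTTP request into (request_line, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def describe_auth(headers):
    """Return (scheme, detail) for the Authorization header, or (None, None)."""
    value = headers.get("authorization")
    if not value:
        return None, None
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic":
        return scheme, param          # e.g. Digest: keep the raw parameters
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "Basic", "<undecodable>"
    return "Basic", "user=" + decoded.split(":", 1)[0]

def diff_requests(raw_a, raw_b):
    """List (name, value_a, value_b) for every header that differs or is missing."""
    line_a, a = parse_request(raw_a)
    line_b, b = parse_request(raw_b)
    diffs = [("request-line", line_a, line_b)] if line_a != line_b else []
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            diffs.append((name, a.get(name), b.get(name)))
    return diffs

# Constructed sample captures: one request carrying credentials, one without.
TOKEN = base64.b64encode(b"guest:guest").decode()
TARGET = ("GET /WebGoat/attack?Screen=137&menu=1200&stage=1 HTTP/1.1\r\n"
          "Host: 192.168.1.57:8080\r\n")
WORKING = TARGET + "User-Agent: client-a\r\nAuthorization: Basic " + TOKEN + "\r\n\r\n"
FAILING = TARGET + "User-Agent: client-b\r\n\r\n"

if __name__ == "__main__":
    for name, a, b in diff_requests(WORKING, FAILING):
        print(f"{name}: working={a!r} failing={b!r}")
    print(describe_auth(parse_request(WORKING)[1]))
```

Replace the two constructed strings with the request text copied out of each capture to see which headers the failing client omits or sends differently.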
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jun 08, 2010 2:26 pm

Re: Tomcat authentication with sqlmap

I am getting closer now. I authenticated manually with my web browser, then I copied the session cookie from the browser and used it in sqlmap:

./sqlmap.py -u "http://192.168.1.57:8080/WebGoat/attack?Screen=137&menu=1200&stage=1" --cookie "JSESSIONID=HPCBGONANJBGFJFHGOKDMCGJ"


The output is:
[19:02:11] [INFO] using '/pentest/database/sqlmap/output/192.168.1.57/session' as session file
[19:02:11] [INFO] testing connection to the target url
[19:02:11] [INFO] url is stable
[19:02:11] [INFO] testing if Cookie parameter 'JSESSIONID' is dynamic

[19:02:11] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials


So it does work now, other than this annoying test with the cookie. I will keep trying tomorrow...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

slackerxxl

Newbie

Posts: 2

Joined: Fri Dec 10, 2010 8:16 am

Post Fri Dec 10, 2010 8:19 am

Re: Tomcat authentication with sqlmap

Did you find a solution? I'm having the same problem.
<<

slackerxxl

Newbie

Posts: 2

Joined: Fri Dec 10, 2010 8:16 am

Post Fri Dec 10, 2010 8:28 am

Re: Tomcat authentication with sqlmap

The cookie auth gets sqlmap to check for injection and report if injection works but after that it stops. So I don't know if you thought you had figured it out above, but that was not a working solution.

xxx:sqlmap xxx$ python sqlmap.py -u "http://127.0.0.1:8080/WebGoat/attack?Screen=58&menu=1200" --data "account_number=101" --method=POST --cookie="JSESSIONID=6CE6368E5570B4227B520DAE391203CF" --current-db

   sqlmap/0.8 - automatic SQL injection and database takeover tool
   http://sqlmap.sourceforge.net
   
[*] starting at: 14:22:14

[14:22:15] [INFO] using '/Users/xxx/Documents/Hacking/Tools/sqlmap/output/127.0.0.1/session' as session file
[14:22:15] [INFO] resuming match ratio '0.999' from session file
[14:22:15] [INFO] testing connection to the target url
[14:22:15] [INFO] testing if the url is stable, wait a few seconds
[14:22:16] [INFO] url is stable
[14:22:16] [INFO] testing if POST parameter 'account_number' is dynamic
[14:22:17] [INFO] confirming that POST parameter 'account_number' is dynamic
[14:22:18] [INFO] POST parameter 'account_number' is dynamic
[14:22:18] [INFO] testing sql injection on POST parameter 'account_number' with 0 parenthesis
[14:22:18] [INFO] testing unescaped numeric injection on POST parameter 'account_number'
[14:22:18] [INFO] confirming unescaped numeric injection on POST parameter 'account_number'
[14:22:19] [INFO] POST parameter 'account_number' is unescaped numeric injectable with 0 parenthesis
[14:22:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[14:22:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[14:22:19] [INFO] testing if Cookie parameter 'JSESSIONID' is dynamic
[14:22:19] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials

[*] shutting down at: 14:22:19
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Dec 10, 2010 8:50 am

Re: Tomcat authentication with sqlmap

Just out of curiosity without me having to get too deep into it, have you tried changing your values? For example, look at the error you're getting:

[14:22:19] [INFO] testing if Cookie parameter 'JSESSIONID' is dynamic
[14:22:19] [ERROR] not authorized, try to provide right HTTP authentication type and valid credentials

Have you tried changing this? My inference is this:

Tomcat --> check to make sure things are dynamic (meaning this value has changed)

  Code:
if
  field = static
then
  this shouldn't be
  exit
fi


I don't have WebGoat running to tinker, but my guess is, WebGoat is seeing something it doesn't like - something that is supposed to change and hasn't:

http://www.coderanch.com/t/152524/java- ... n-tracking

I suggest checking out:

Stinger (http://www2.owasp.org/index.php/Testing ... -DV-013%29)

Testing command injection (http://www2.owasp.org/index.php/Testing ... -DV-013%29)

and "session identifier strength" (http://www2.owasp.org/index.php/How_to_ ... _WebScarab)

In order to understand JSESSIONID in cookies and what you might be missing
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Dec 10, 2010 8:52 am

Re: Tomcat authentication with sqlmap

Also take note that WebGoat is broken for certain tests:

http://code.google.com/p/webgoat/issues/detail?id=18
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Dec 10, 2010 8:56 am

Re: Tomcat authentication with sqlmap

Wow, it's been a while now (about 6 months).

I remember spending quite some time on this problem, and it didn't work out. I remember using Wireshark and trying to compare a manual (successful) query and the ones sent by sqlmap. I also remember running out of time (it was for a demo at work).

I got around it by using sqlcheck.sh instead. It was good enough for what I wanted to do.

That being said, I am still very much interested to see if someone can find a solution using this tool!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
