mushorg / glastopf

Web Application Honeypot
http://glastopf.org

Help! Where does glastopf store comments? #295

Closed monsterhunterboy98 closed 5 years ago

monsterhunterboy98 commented 5 years ago

I don't seem to get a login error message after entering random usernames & passwords. The page simply refreshes?


I am currently exploring around the glastopf directories as I just installed it... May I know where glastopf stores all the incoming "blog comments"? If I'm not mistaken, once a comment gets entered through a form it is normally inserted into a MySQL database? My apologies for my lack of understanding, I am new to Linux.


glaslos commented 5 years ago

The login form is not supposed to show an error as we want it to seem like you logged in (returning a 200 status code). The comment is probably in request_raw. Glastopf is not supported anymore, please use https://github.com/mushorg/snare
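As an added example (not Glastopf's own code): the maintainer says the comment ends up in a raw request column, so the script below pulls submitted comments and login attempts back out of stored raw HTTP requests and flags field values that look like the quote-based injection strings discussed in this thread. The row layout with a `request_raw` column is assumed, and the sample rows are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows in the shape of a honeypot event table: each row keeps the
# raw HTTP request as the client sent it (the assumed "request_raw" column).
SAMPLE_ROWS = [
    {"id": 1, "source": "203.0.113.7:51000",
     "request_raw": ("POST /comments HTTP/1.1\r\nHost: honeypot\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                     "name=bob&comment=nice+site%21")},
    {"id": 2, "source": "198.51.100.9:40222",
     "request_raw": ("POST /login HTTP/1.1\r\nHost: honeypot\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                     "username=%25%27+OR+%271%27%3D%271%27&password=x")},
    {"id": 3, "source": "198.51.100.9:40223",
     "request_raw": "GET /?id=1 HTTP/1.1\r\nHost: honeypot\r\n\r\n"},
]

# Heuristic for tautology-style input such as ' OR '1'='1 (detection hint, not a parser).
SQLI_HINT = re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=", re.IGNORECASE)


def parse_raw_request(raw: str) -> dict:
    """Split a stored raw HTTP request into method, path and decoded form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    # Form fields live in the body for POST and in the query string for GET.
    fields = parse_qs(body if method == "POST" else urlsplit(target).query)
    return {"method": method, "path": urlsplit(target).path,
            "fields": {k: v[0] for k, v in fields.items()}}


def extract_submissions(rows) -> list:
    """Return the comments/login attempts in the rows, each with an SQLi-looking flag."""
    out = []
    for row in rows:
        req = parse_raw_request(row["request_raw"])
        if req["method"] != "POST":
            continue
        values = " ".join(req["fields"].values())
        out.append({"id": row["id"], "source": row["source"], "path": req["path"],
                    "fields": req["fields"],
                    "sqli_hint": bool(SQLI_HINT.search(values))})
    return out


if __name__ == "__main__":
    for submission in extract_submissions(SAMPLE_ROWS):
        print(submission)
```

Pointing `SAMPLE_ROWS` at rows read from the honeypot's real database gives the same per-submission view.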

monsterhunterboy98 commented 5 years ago

> The login form is not supposed to show an error as we want it to seem like you logged in (returning a 200 status code). The comment is probably in request_raw. Glastopf is not supported anymore, please use https://github.com/mushorg/snare

Thank you for your reply! Is glastopf able to emulate a successful SQL injection attack by injecting it at the login inputs on the page?

glaslos commented 5 years ago

yes, but it depends on the type of SQL injection. SNARE has much better SQLi support

monsterhunterboy98 commented 5 years ago

> yes, but it depends on the type of SQL injection. SNARE has much better SQLi support

-Thank you so much for your reply. I attempted to inject "%' OR '1'='1'" at the Login field and the page simply refreshes. Until now I am still unable to emulate a successful SQL injection attack through the login fields.

-I ran sqlmap and attempted to inject SQL queries at the URL and I kept getting "Internal Server Error"; are you able to help me with this? I attempted the same thing on DVWA and it responded according to what I injected, but Glastopf output the following: image

SQLmap: image

Do you think I should just use snare and stop using glastopf?

glaslos commented 5 years ago

Yes, please use SNARE, I don't have the time to support Glastopf anymore and to be honest there is no reason considering we have SNARE :)

monsterhunterboy98 commented 5 years ago

Alright, so sorry for bothering you..

One LAST quick question. There is a Login form on the glastopf page. Is there a default account that I can use to log in, where it will redirect me to a "logged in" user page? Does that exist in glastopf? Is there a default admin account that I can use to authenticate against the login form, or is it just a field for surface attacks? Cause right now all I am getting is the returned 200 status code.

Really thank you for your help