sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-24 10:33:47 +03:00
Code Issues Packages Projects Releases Wiki Activity
Automatic SQL injection and database takeover tool
10,079 Commits 4 Branches 117 Tags 97 MiB
Python 98.2%
C 0.7%
Shell 0.6%
HTML 0.3%
Perl 0.1%
07a2f56d71
Go to file
ckingn 07a2f56d71
Update sqlmapapi.yaml 
SparkLabs Forum

https://www.sparklabs.com/forum/

Password caching
https://www.sparklabs.com/forum/viewtopic.php?t=3215

Page 1 of 1
Password caching
Posted: Tue May 16, 2023 10:20 pm
by Shabang
I'm testing setting "defaults write com.viscosityvpn.Viscosity KeyChainSupport -bool false" for Viscosity and "auth-nocache" in the connection config.

Then after waiting for the renegotiation to kick in, I'm seeing a credential prompt with the password field still filled in. Pressing enter is the only thing required to continue the connection.

I would think most people setting those two options would want to require the user to actually enter the password again. Does it work like this intentionally, am I missing something?
Re: Password caching
Posted: Wed May 17, 2023 8:50 am
by James
Hi Shabang,

Thanks for the report, it appears you've discovered a regression in a recent update. It appears that in some conditions Viscosity may still load existing saved login details from the Keychain even with the KeyChainSupport setting disabled. This should now be fixed in the latest beta version:
https://www.sparklabs.com/support/kb/ar ... -versions/

It likely hasn't been discovered until now as saving to the Keychain is still correctly disabled. So you'll only encounter it if the login details have already been saved to the Keychain prior to changing the setting.

Cheers,
James
Re: Password caching
Posted: Wed May 17, 2023 6:29 pm
by Shabang
Ok, thanks for confirming. Although looks like I didn't have any saved credentials in my keychain for Viscosity. I'm testing now with the new beta.

I think it would also be a nice feature to have the ability to allow saving the p12 file password, but not the user credentials. That way an encrypted file could be distributed to the user, who then could save the file password in the keychain, but they would still be prevented saving their own username and password.
Re: Password caching
Posted: Wed May 17, 2023 6:46 pm
by Shabang
I confirmed it in Catalina and Ventura, I'm still seeing the password field filled even without previous credentials in the keychain.
All times are UTC+10:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/
2023-06-11 07:59:06 -06:00
.github Minor update 2023-02-20 15:17:09 +01:00
data add support to leverage CVE-2014-6577 for Oracle DNS data exfiltration (#5410) 2023-05-25 11:27:15 +02:00
doc Update README-tr-TR.md (#5393) 2023-04-17 13:23:36 +02:00
extra Periodic recloak 2023-02-20 15:20:15 +01:00
lib Fixes #5434 2023-06-06 11:23:17 +02:00
plugins Fixes #5431 2023-06-03 22:49:43 +02:00
tamper Implements tamper script if2case (#5301) 2023-02-01 13:53:19 +01:00
thirdparty Fixes #5409 2023-05-01 09:46:06 +02:00
.gitattributes Minor update 2019-03-19 15:23:11 +01:00
.gitignore Trivial update 2019-04-18 14:48:50 +02:00
.pylintrc Further pleasing pylint gods 2019-06-01 13:42:57 +02:00
LICENSE Year and version bump 2023-01-02 23:24:59 +01:00
README.md Slovak translation (#5366) 2023-03-20 11:55:17 +01:00
sqlmap.conf Another update for #5295 2023-01-24 12:00:23 +01:00
sqlmap.py Fixes #5404 2023-04-24 14:45:19 +02:00
sqlmapapi.py Year and version bump 2023-01-02 23:24:59 +01:00
sqlmapapi.yaml Update sqlmapapi.yaml 2023-06-11 07:59:06 -06:00

README.md

sqlmap

.github/workflows/tests.yml Python 2.6|2.7|3.x License Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

Screenshots

Screenshot

You can visit the collection of screenshots demonstrating some of the features on the wiki.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6, 2.7 and 3.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, a list of supported features, and a description of all options and switches, along with examples, you are advised to consult the user's manual.

Links

Translations