One of the things that any new person who is dealing with JMeter is facing that if you save a jmx project which is executed before the run results is not saved.
So if you didn’t know this you may lose your run results and you have to repeat again.
One of the best ways to save your run data is using “Simple Data Writer” it not only make you able to save your run data but also enable you to use the data file on any listner or graph you want or need.
CSV is one of the file extensions you can use to save your run results as the following example.
In the above example the results table will be saved to a .CSV file which is good in case you want only the data shown in the table but if you want more the Simple data writter will be a better option.
What are JTL files?
JMeter can create text files containing the results of a test run.
These are normally called JTL files, as that is the default extension – but any extension can be used.
Simple Data Writer
You can configure the results save configuration the more you save the more listners you can use.
I used to select them all , sometimes this leads to larger size data file but this is safer to use in different graphs and listners as i will show you later.
Lets add simple data writter to thread group and disable all the other listners and execute test as the following.
After the run is finished i’m going to open the jtl file in the following listners :
View Results Tree
Active Threads over time graph
Hits per second graph
As shown above the results data saved using Simple Data Writer can be used in any of the default JMeter listners and also extra listners which can be added to JMeter in the feature , .JTL extension is the default saving extensions which can be re-saved to CSV file if needed , see the following Wiki Page
Do not use the following instructions to exploit others websites / services , Usage of WP-Scan for attacking targets without prior mutual consent is illegal.
WordPress now powers 30 percent of the web, according to data from web technology survey firm W3Techs.
WordPress is important framework and as the aove statistics it is widely used thats why securing a web site based on WordPress framework is something obvious.
What is WP-Scan ?
WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.
You can install it via Docker with the following commands :
docker pull wpscanteam/wpscan
Scan WordPress Site
docker run -it –rm wpscanteam/wpscan –url Website URL
Using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
Only Display Vulnerable Plugins
docker run -it –rm wpscanteam/wpscan –url Site URL –enumerate vp
Enumerate User Name
docker run -it –rm wpscanteam/wpscan –url Site URL –enumerate
Do not use the following instructions to exploit others websites / services , Usage of SQL Map for attacking targets without prior mutual consent is illegal.
According to the Open Web Application Security Project (OWASP), injection attacks are first on the list of the top 10 web vulnerabilities. Diving into these, SQL injections are responsible for a big chunk of this. Exploitation of SQL injections is trivial.
SQL Map is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
We’re going to use SQL Map in 2 examples one for testing a Get request and the other for testing a POST request also listing some extra commands that will be useful in further steps.
Type the following command
sqlmap.py -u “Target URL”
as the following picture
If the database engine is identified you have the choice to use the specific payloads for the identified db or use all the available payloads
According to previous screen shots , SQL map identified the parameter “id” as a vulnerable parameter and also listed the used patterns and their types.
3) Exploit POST Request
In this case we need to capture / intercept the post request and save it to text file then use SQL Map to exploit it , you can use any HTTP interceptor like “Fiddler” or “BurpSuite” or use the developer tool of your browser as the following examples.
Use the following credentials to login
User Name : admin , Password : admin
before you sign in make sure you’re going to intercept the login request as the above examples
Save the raw post request in .txt file and move it to SQL map folder root
Type the following command to start the exploit
sqlmap.py -r filename.txt
In this case we have 2 vulnerable parameters , you have to choose which parameter you want to continue testing with as the above screen shot.
4) Useful Commands
sqlmap.py -r filename.txt –dbs
When the session user has read access to the system table containing information about available databases, it is possible to enumerate the list of databases.
sqlmap.py -r filename.txt –dump-all
It is possible to dump all databases tables entries at once that the session user has read access on.