Re: [sqlmap-users] Change Payload ,Insert problem
Brought to you by:
inquisb
From: a d. <deh...@gm...> - 2015-02-09 20:38:31
|
So this admin user has not insert access , but how to be sure ? is there any command ? On Mon, Feb 9, 2015 at 7:35 PM, Miroslav Stampar <mir...@gm... > wrote: > You can't do that in sqlmap and I am pretty sure that it wouldn't suite > your needs too. > > Also, if there are other techniques available sqlmap will use it for sure > instead of stacking for data retrieval. That "statistical model..." message > just confused you. It is there so sqlmap would successfully run stacked > statements in the first place. Afterwards (after e.g. INSERT) it runs the > fastest available technique for data retrieval. > > Bye the way, result of INSERT statement is always NULL. Those are basics. > > Bye > On Feb 9, 2015 2:59 PM, "a dehqan" <deh...@gm...> wrote: > >> no I want stack query ,but not to use timebase injection detection as >> this use : >> >> id=6&rid=1'; WAITFOR DELAY '0:0:5'-- >> >> I want stack query with other kinds of detection . >> >> >> >> >> On Mon, Feb 9, 2015 at 3:49 PM, Miroslav Stampar < >> mir...@gm...> wrote: >> >>> Really not sure what are you trying to do. Do you want that >>> "error-based" query to be part of "stacked-query" or what? >>> >>> Bye >>> >>> On Mon, Feb 9, 2015 at 12:24 AM, a dehqan <deh...@gm...> wrote: >>> >>>> Maybe my question isn't clear , let me try again : >>>> >>>> I need to change stack query to not using timebase detection ? >>>> >>>> >>>> Sqlmap detect injection there by error base type too, like this : >>>> >>>> >>>> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT >>>> CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN >>>> (9622=9622) THEN CHAR(49) ELSE CHAR(48) >>>> END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV >>>> >>>> How can i have this payload with type of stack query >>>> >>>> Regards >>>> >>>> On Mon, Feb 9, 2015 at 2:42 AM, a dehqan <deh...@gm...> wrote: >>>> >>>>> Guys is there any chance ? >>>>> >>>>> Thanks in advance >>>>> >>>>> On Thu, Feb 5, 2015 at 7:31 PM, a dehqan <deh...@gm...> wrote: >>>>> >>>>>> I mean how may i have custom payload : >>>>>> >>>>>> Payload: req=6&senderid=1' AND 9622=CONVERT(INT,(SELECT >>>>>> CHAR(113)+CHAR(101)+CHAR(111)+CHAR(99)+CHAR(113)+(SELECT (CASE WHEN >>>>>> (9622=9622) THEN CHAR(49) ELSE CHAR(48) >>>>>> END))+CHAR(113)+CHAR(98)+CHAR(102)+CHAR(100)+CHAR(113))) AND 'PkmV'='PkmV >>>>>> >>>>>> On Thu, Feb 5, 2015 at 4:42 PM, a dehqan <deh...@gm...> wrote: >>>>>> >>>>>>> Hi >>>>>>> >>>>>>> sqlmap gave me shell with injection type of stack queries ,but >>>>>>> Payload is like this : >>>>>>> >>>>>>> id=6&rid=1'; WAITFOR DELAY '0:0:5'-- >>>>>>> >>>>>>> When i want insert with admin user sqlmap returns NULL and fails , >>>>>>> Only says this before trying : >>>>>>> >>>>>>> [WARNING] time-based comparison requires larger statistical model, >>>>>>> please wait.............................. >>>>>>> >>>>>>> Maybe i should change Payload , with what switch i can change >>>>>>> payload ? >>>>>>> >>>>>>> >>>>>>> Regards >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Dive into the World of Parallel Programming. The Go Parallel Website, >>>> sponsored by Intel and developed in partnership with Slashdot Media, is >>>> your >>>> hub for all things parallel software development, from weekly thought >>>> leadership blogs to news, videos, case studies, tutorials and more. >>>> Take a >>>> look and join the conversation now. http://goparallel.sourceforge.net/ >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>> >>>> >>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm >>> >> >> |