Re: [sqlmap-users] Problems with time based sql inj.
From: Bernardo D. A. G. <ber...@gm...> - 2010-04-06 08:55:14
Hi David,

On Mon, Apr 5, 2010 at 21:38, David Guimaraes <sk...@gm...> wrote:
> ...
> I've tried several ways to circumvent this form to gain unauthorized access,
> but I did not succeed in handling the sql injection. However, nessus
> reported that the field is vulnerable to Time-Based Sql Injection by
> manipulating the parameter j_username with the following query:
>
> j_username = ';%20select%20pg_sleep%20(10)--
>
> Tested the failure, I noticed that you can only make a time-based blind sql
> injection. But even passing the parameter --time-test for the sqlmap, and
> setting the option in sqlmap.conf timetest to true, does not make sqlmap
> test time-based sql inj.

sqlmap at first has to detect a boolean-based blind sql injection to be
able to proceed testing for time based blind sql injection (with
--time-test, yes). This is a design flaw of the tool and will be fixed in
the next months while we will be working on the refactoring of the
detection engine. At the moment you can't use sqlmap to exploit this kind
of sql injection.

By the way, this is detailed in the user's manual[1].

[1] http://sqlmap.sourceforge.net/doc/README.html#ss5.5

Cheers,

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
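The thread turns on a scanner reporting a time-based blind injection that sqlmap of that era could not confirm, because it needed a boolean-based finding first. From the defender's side the same payload shape is easy to spot in request logs regardless of what a scanner can confirm. The following is an added example, not code from this thread or from sqlmap: it parses constructed access-log lines, percent-decodes each query parameter once, and flags values that contain a SQL time-delay primitive. The `pg_sleep` pattern comes from the thread; `sleep(`, `benchmark(` and `waitfor delay` are the equivalents for MySQL and SQL Server, added here as assumed detection signatures. The log lines, IP addresses and the `/j_spring_security_check` path are all constructed for the example (the `j_username` parameter is normally sent in a POST body; it is placed in the query string here only so a plain access log contains it).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Time-delay primitives used in time-based blind SQL injection.
# pg_sleep() is the PostgreSQL call seen in the thread; sleep()/benchmark()
# (MySQL) and WAITFOR DELAY (SQL Server) are assumed additional signatures.
TIME_DELAY_RE = re.compile(
    r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b",
    re.IGNORECASE,
)

# Combined-format style access log (constructed sample, not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2010:21:38:01 +0100] "POST /j_spring_security_check?j_username=';%20select%20pg_sleep%20(10)--&j_password=x HTTP/1.1" 200 512
10.0.0.6 - - [05/Apr/2010:21:39:10 +0100] "POST /j_spring_security_check?j_username=alice&j_password=secret HTTP/1.1" 302 0
10.0.0.7 - - [05/Apr/2010:21:40:22 +0100] "GET /search?q=sleepy+cats HTTP/1.1" 200 1024
10.0.0.8 - - [05/Apr/2010:21:41:05 +0100] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 300
"""

# Minimal parser for: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)


def decoded_params(target):
    """Return {name: [values]} for the query string of a request target.

    parse_qs percent-decodes once and turns '+' into a space, which is what
    the server-side framework would see for a single-encoded request.
    """
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def find_time_based_payloads(log_text):
    """Scan log lines and return (ip, param_name, decoded_value) for each
    parameter value containing a time-delay primitive."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        for name, values in decoded_params(m.group("target")).items():
            for value in values:
                if TIME_DELAY_RE.search(value):
                    hits.append((m.group("ip"), name, value))
    return hits


if __name__ == "__main__":
    for ip, name, value in find_time_based_payloads(SAMPLE_LOG):
        print(f"{ip}: parameter {name!r} contains time-delay payload {value!r}")
```

Two caveats a practitioner would want: the scan decodes each value only once, so a double-encoded payload is missed unless the decoding step is repeated until the value stops changing, and a plain access log usually does not carry POST bodies, so for a login form like the one in the thread the same check has to run on body logging, a reverse proxy, or a WAF. Pairing the signature check with per-request latency (flagging a request whose response time jumps by roughly the argument passed to the delay call) catches cases where the function name is obfuscated.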