Re: [sqlmap-users] hmm
From: <ja...@ev...> - 2010-05-20 11:30:10
Yeah, that's the weird thing. Stacked SHOULD be enabled. Also no UNION ability. I guess I'm boned. :) The injection doesn't respond to any errors.. That's actually how I found it. Feeding "'" to an arg gave me a blank page which is usually good. I suppose it could be a false negative. I will inspect further.

Also; a general message to the SQLmap users: have you noted that SQLMap misses a lot of vulns? Simple ones like windowsistrash.asp?id=1';waitfor delay '00:00:15' and also more complex POST vulns? I've been using SQLNinja on the advice of my friend Bert and it appears to pwn windoze better than SQLmap...

Bernardo -- any clue on this? I can provide a few examples of sites in private where SQLNinja succeeded and SQLMap failed to detect the GET or POST vuln. I'm always using SVN too, btw. If anyone else has noticed this.. please reply.. let's squash this bug...

James @ EV6.net

On Thu, 20 May 2010 12:19:45 +0100, "Bernardo Damele A. G." <ber...@gm...> wrote:
> James,
>
> On Thu, May 20, 2010 at 06:14, <ja...@ev...> wrote:
>> ...
>> I'm currently attempting to attack an interesting setup.. A RedHat(Apache)
>> box with a PHP front end linked to a MS SQL db.
>
> It's a quite common setup. I've seen also Windows/Apache/PHP(or Perl)
> with back-end MSSQL or MySQL recently.
>
>> Since it's Apache+Linux it
>> doesn't support stacked queries..
>
> Mmmh, PHP does support stacked queries when the back-end is MSSQL. Try
> yourself with a SQL payload like ; WAITFOR DELAY '0:2:00';--
>
>> It's also slow as dog crap going up a hill
>> with the blind injection. Does anyone know of a way to use the OPENROWSET
>> type attack without stacked queries?
>
> You can try with UNION ALL SELECT 'foobar' FROM OPENROWSET...
>
>> Or basically have any ideas how I can
>> get enough proof of data from this box relatively quick?
>
> If it is affected by an error-based SQL injection also, something like
> AND 1=(SELECT ...) might do the trick otherwise a UNION query SQL
> injection can help, if vulnerable.
>
> Cheers,
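The thread names four injection shapes (a stacked `WAITFOR DELAY` probe, a UNION query, `OPENROWSET` inside a UNION, and an error-based `AND 1=(SELECT ...)`) and notes that the interesting ones often arrive in POST bodies. The script below is an added example, not code from the thread, sqlmap or sqlninja: it is a small log-side detector that normalizes request data (URL-decoding twice to catch double encoding) and runs those four patterns over Apache combined-format access-log lines and, separately, over a POST body. The log lines, hostnames and payload fragments are constructed placeholders; the log format, field names and rule names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Detection rules for the injection shapes mentioned in the thread. Each
# regex runs over a normalized copy (URL-decoded, lower-cased, whitespace
# collapsed) of the query string or POST body.
RULES = {
    # time-based probe, e.g. id=1';waitfor delay '00:00:15'--  (stacked on MSSQL)
    "time_delay": re.compile(r"\bwaitfor\s+delay\b"),
    # UNION-based extraction, with or without ALL
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    # OPENROWSET used inside a UNION or stacked statement
    "openrowset": re.compile(r"\bopenrowset\s*\("),
    # error-based probe of the AND 1=(SELECT ...) shape
    "error_based_subselect": re.compile(r"\band\s+1\s*=\s*\(\s*select\b"),
}

# Apache combined log format (assumed for this example): enough to pull out
# the client address, request method and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(raw: str) -> str:
    """Decode percent-encoding twice (catches double encoding), lower-case
    and collapse whitespace so the regexes see roughly what the DB sees."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text.lower())


def scan_request(target: str, body: str = "") -> list:
    """Return (rule, field) pairs for every rule that fires on the URL or on
    the body when one is supplied. Checking the body is what catches the
    POST cases an access log alone never shows."""
    findings = []
    for name, rx in RULES.items():
        for field, value in (("url", target), ("body", body)):
            if value and rx.search(normalize(value)):
                findings.append((name, field))
    return findings


def scan_access_log(lines) -> list:
    """Run the rules over access-log lines. Only the request line is
    available here, so POST bodies are invisible to this function."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = scan_request(m["path"])
        if findings:
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": m["path"],
                "rules": sorted({name for name, _ in findings}),
            })
    return hits


# Constructed sample log lines (not real traffic); the script names and
# payload fragments are placeholders echoing the shapes discussed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2010:11:02:13 +0100] "GET /windowsistrash.asp?id=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/May/2010:11:02:41 +0100] "GET /windowsistrash.asp?id=1%27%3Bwaitfor%20delay%20%2700:00:15%27-- HTTP/1.1" 200 0',
    '10.0.0.9 - - [20/May/2010:11:03:02 +0100] "GET /news.php?id=3%20UNION%20ALL%20SELECT%20%27foobar%27%20FROM%20OPENROWSET(placeholder) HTTP/1.1" 500 312',
    '10.0.0.9 - - [20/May/2010:11:03:30 +0100] "GET /search.php?q=credit+union HTTP/1.1" 200 2210',
    '10.0.0.9 - - [20/May/2010:11:04:05 +0100] "GET /item.php?id=7%20AND%201=(SELECT%201) HTTP/1.1" 500 290',
    '10.0.0.9 - - [20/May/2010:11:04:44 +0100] "POST /login.php HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["rules"], hit["path"])
```

Two things the sample is built to show: the benign `credit+union` search does not fire because the UNION rule insists on a following `SELECT`, and the `POST /login.php` line produces nothing even though `scan_request` flags the same `waitfor delay` payload when handed the body. Access logs alone therefore miss exactly the POST cases the thread complains about; body-level logging (a WAF, a reverse proxy or the application itself) is needed to see them.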