Re: [sqlmap-users] New SQL Server blind test
From: Steve P. <ste...@gm...> - 2011-01-18 01:34:02
On 01/17/2011 06:48 PM, Bernardo Damele A. G. wrote:
> Steve,
>
> Are you saying that a query like:
>
> SELECT foo FROM table WHERE id=1 WAITFOR DELAY '0:0:10'
>
> is MSSQL-syntactically correct and works? If so, odd news :)

Yes, sometimes interesting discoveries come from not knowing any better, and flinging poo at the app. ;-)

Unfortunately, I don't have a MS test lab available, but I can confirm that the injection works just fine on this SQL Server 2008 / ASP classic application, and can't think of another reason why it would.

First I tested in burp, with post data:

id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf

there is a 23 second delay with the app, and with

id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf

there is a 3 second delay.

After adding the patch, sqlmap has so far extracted enough of the version details and banner to be sure the patch works on this particular app. I wish I had a bunch of SQL server versions to test it on, but I don't at the moment. Anyone else have a MSDN subscription or test lab already built who can verify this is repeatable?

-- 
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
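The two probes above are a textbook time-based blind pair: the request whose IF condition is true stalls for the WAITFOR period, the false one returns at normal speed. From the defender's side that is the signature to look for. The following script is an added example, not code from the thread or from sqlmap: it runs a simple detector over a few constructed, tab-separated request-log lines (timestamp, method, path, POST body, response time in seconds; the log format and the field layout are assumptions) and flags a request either because its decoded body contains a T-SQL delay construct or because its response time is far above the baseline of ordinary requests. It deliberately reports both signals separately, because the false-branch probe has no timing anomaly at all and would be missed by a detector that only watches latency.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not taken from any real server). Fields are
# tab-separated: timestamp, method, path, raw POST body, response time in seconds.
# The second and third bodies reuse the probes quoted in the thread above.
SAMPLE_LOG = """\
2011-01-17T18:40:01Z\tPOST\t/login.asp\tid=alice&pwd=secret\t0.4
2011-01-17T18:41:10Z\tPOST\t/login.asp\tid=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf\t23.1
2011-01-17T18:42:05Z\tPOST\t/login.asp\tid=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf\t3.2
2011-01-17T18:43:00Z\tPOST\t/login.asp\tid=bob&pwd=hunter2\t0.5
"""

# T-SQL constructs that stall a query on purpose. Bodies are URL-decoded first,
# so '+' and %20 between the keywords both become plain whitespace.
DELAY_PATTERNS = [
    re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    re.compile(r"\bWAITFOR\s+TIME\b", re.I),
]


def parse_line(line):
    """Split one assumed-format log line into a dict with a decoded body."""
    ts, method, path, body, rtime = line.rstrip("\n").split("\t")
    return {"ts": ts, "method": method, "path": path,
            "body": unquote_plus(body), "rtime": float(rtime)}


def is_delay_payload(body):
    """True if a decoded request body contains a T-SQL delay construct."""
    return any(p.search(body) for p in DELAY_PATTERNS)


def analyse(log_text, slow_factor=10.0):
    """Return findings for requests that look like time-based probes.

    The timing baseline is the median response time of requests that carry
    no delay construct; a request slower than slow_factor times that baseline
    is flagged as a response-time anomaly.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    clean = sorted(e["rtime"] for e in events if not is_delay_payload(e["body"]))
    baseline = clean[len(clean) // 2] if clean else 0.0
    findings = []
    for e in events:
        reasons = []
        if is_delay_payload(e["body"]):
            reasons.append("waitfor_delay_in_parameter")
        if baseline and e["rtime"] >= slow_factor * baseline:
            reasons.append("response_time_anomaly")
        if reasons:
            findings.append({"ts": e["ts"], "path": e["path"],
                             "rtime": e["rtime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["path"], f"{f['rtime']:.1f}s", ", ".join(f["reasons"]))
```

On the constructed log the true-branch probe is reported with both reasons (payload present, 23.1 s against a 0.5 s baseline), while the false-branch probe is reported on content alone, its 3.2 s sitting below the anomaly threshold. The takeaway for anyone writing a rule from this thread is that the latency signal only fires on one half of each probe pair; matching the delay construct in the decoded parameter catches both halves.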