Re: [sqlmap-users] New SQL Server blind test
From: Miroslav S. <mir...@gm...> - 2011-01-18 01:48:02
Steve, I owe you an apology and congrats - it appears that you've found a new injection vector. It looks like an SQL abomination, and I still can't believe it, but it appears that this really works:

SELECT * FROM users WHERE id=1 IF(1=1) WAITFOR DELAY '0:0:1'

I repeat, it looks like an SQL abomination but it works. I've just tried with SSMS.

kr

p.s. I am still shocked :)
p.p.s. You are directly going into doc/THANKS :)

On Tue, Jan 18, 2011 at 2:33 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 06:48 PM, Bernardo Damele A. G. wrote:
>> Steve,
>>
>> Are you saying that a query like:
>>
>> SELECT foo FROM table WHERE id=1 WAITFOR DELAY '0:0:10'
>>
>> is MSSQL-syntactically correct and works? If so, odd news :)
>
> Yes, sometimes interesting discoveries come from not knowing any better,
> and flinging poo at the app. ;-)
>
> Unfortunately, I don't have a MS test lab available, but I can confirm
> that the injection works just fine on this SQL Server 2008 / ASP classic
> application, and can't think of another reason why it would.
>
> First I tested in burp, with post data:
> id=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf
> there is a 23 second delay with the app, and with
> id=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf
> there is a 3 second delay.
>
> After adding the patch, sqlmap has so far extracted enough of the
> version details and banner to be sure the patch works on this particular
> app.
>
> I wish I had a bunch of SQL server versions to test it on, but I don't
> at the moment. Anyone else have a MSDN subscription or test lab already
> built who can verify this is repeatable?
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
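The thread above turns on two observations: the `IF(...) WAITFOR DELAY` form is accepted by SQL Server after a bare `WHERE id=1`, and the only signal it leaves is the response time tracking the requested delay (23 s for the true branch, 3 s for the false one). As an added example, not part of the thread and not sqlmap's own code, the script below shows how a defender would pick that up from an application's request log: it URL-decodes each form body the way the server does (`+` to space, `%3d` to `=`), flags any parameter carrying a `WAITFOR DELAY`/`WAITFOR TIME` primitive, notes whether it is wrapped in the conditional `IF(...)` form, and compares the delay the payload asked for with the time the application actually took, which is what tells you the condition was evaluated server-side. The tab-separated log format and the timestamps are constructed for the example; the two payload bodies are the ones Steve posted.

```python
import re
from urllib.parse import parse_qsl

# SQL Server time-delay primitives, matched on the URL-decoded parameter value.
WAITFOR_RE = re.compile(r"\bWAITFOR\s+(DELAY|TIME)\b", re.IGNORECASE)
# The conditional variant from the thread: IF(<condition>) in front of WAITFOR.
COND_RE = re.compile(r"\bIF\s*\(.*?\)\s*WAITFOR\b", re.IGNORECASE | re.DOTALL)
# The requested delay literal 'h:m:s'. The closing quote is deliberately not
# required, because in Steve's payload the application's own quote closes it.
DELAY_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)", re.IGNORECASE)

# Constructed sample log (assumed format, not from any real application):
# timestamp <TAB> path <TAB> raw form body <TAB> response time in milliseconds.
# Lines 2 and 3 are the two POST bodies from the thread; the rest are benign.
SAMPLE_LOG = """\
2011-01-18T02:30:01Z\t/login.asp\tid=alice&pwd=secret\t120
2011-01-18T02:30:05Z\t/login.asp\tid=asdf'IF('1'%3d'1')+WAITFOR+DELAY+'0:0:20&pwd=asdf\t23010
2011-01-18T02:30:31Z\t/login.asp\tid=asdf'IF('1'%3d'2')+WAITFOR+DELAY+'0:0:20&pwd=asdf\t3050
2011-01-18T02:30:40Z\t/login.asp\tid=bob&pwd=hunter2\t110
"""


def requested_delay_s(value):
    """Seconds asked for by a WAITFOR DELAY literal in the decoded value, or None."""
    m = DELAY_RE.search(value)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def classify(body):
    """Names of form parameters whose decoded value carries a WAITFOR primitive,
    tagged 'conditional' when it sits behind an IF(...) and 'unconditional' otherwise."""
    hits = []
    # parse_qsl does the same decoding the web server does: '+' -> ' ', '%3d' -> '='.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if WAITFOR_RE.search(value):
            kind = "conditional" if COND_RE.search(value) else "unconditional"
            hits.append((name, kind))
    return hits


def analyze_log(text):
    """One finding per (request, parameter) that carries a WAITFOR primitive.

    delay_fired is True when the observed response time reached the requested
    delay, i.e. the database actually executed the injected statement. For the
    conditional form this distinguishes a true branch from a false one."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, path, body, ms = line.split("\t")
        observed_ms = int(ms)
        for name, value in parse_qsl(body, keep_blank_values=True):
            if not WAITFOR_RE.search(value):
                continue
            requested = requested_delay_s(value)
            findings.append({
                "ts": ts,
                "path": path,
                "param": name,
                "kind": "conditional" if COND_RE.search(value) else "unconditional",
                "requested_s": requested,
                "observed_ms": observed_ms,
                "delay_fired": requested is not None and observed_ms >= requested * 1000,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['path']} param={f['param']} {f['kind']} "
              f"requested={f['requested_s']}s observed={f['observed_ms']}ms "
              f"fired={f['delay_fired']}")
```

Run over the sample, the true-branch request is reported with `delay_fired=True` (23010 ms against a requested 20 s) and the false-branch one with `delay_fired=False` (3050 ms), which is exactly the contrast Steve measured in Burp; a `WAITFOR` token alone tells you someone is probing, while the timing pair tells you the probe succeeded. Matching on the decoded value rather than the raw body matters, because the `+` and `%3d` encoding in the posted payloads would otherwise hide both the space before `WAITFOR` and the `=` inside the condition.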