Re: [sqlmap-users] New SQL Server blind test
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] New SQL Server blind test
|
From: Steve P. <ste...@gm...> - 2011-01-18 02:11:54
|
On 01/17/2011 08:47 PM, Miroslav Stampar wrote: > Steve. > > i owe you an apology and congrats - it appears that you've found a new > injection vector. > > it's looks like an SQL abomination, and I can't still believe, but it > appears that this really works: > > SELECT * FROM users WHERE id=1 IF(1=1) WAITFOR DELAY '0:0:1' > > i repeat, it looks like an SQL abomination but it works. i've just > tried with SSMS. > > kr > > p.s. i am still shocked :) > p.p.s. you are directly going into doc/THANKS :) > You're welcome. If sqlmap wasn't so easy to add new vectors to, I probably never would have shared that this works, just for not knowing no one else knew it works ;-) Thanks for an excellent product. (both of you, and all the other contributors over the years) -- | Steven Pinkham, Security Consultant | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB | |
