Re: [sqlmap-users] Microsoft SQL 2008
From: Johnny V. <Joh...@zo...> - 2011-02-14 13:35:35
Thanks for the info, I used the first option (a) and it still found an injection point. However, in one iteration, it identified the back-end server as MySQL and then as MS SQL 2008. I can connect via --sql-shell, but no information is returned. I get output similar to "?~t|r8p?@?~?xx?n?zt". Could this happen when the db server and web server are on two separate systems?

Any help/input is greatly appreciated. Miro, I am working on the "--string" option (b) and will report the results.

Thanks, J

On Feb 12, 2011, at 2:31 AM, Miroslav Stampar wrote:

> hi.
>
> this is either some case of false positive or dynamicity problem.
>
> to resolve this either:
>
> a) try --flush-session --text-only
> or
> b) --flush-session --string ....
> please, find one string that is characteristic only to the TRUE page
> and use it with --string parameter
>
> if a) and b) fail to find any injection then the problem is most
> definitely false positive. in that case please report with more
> details.
>
> kr
>
> On Sat, Feb 12, 2011 at 1:27 AM, Johnny Venter <Joh...@zo...> wrote:
>> Here is a sample of output I receive when I request "--current-user":
>>
>> ?~t|r8p?@?~?xx?n?zt
>>
>> I am using version 0.9-dev.
>>
>> Boolean based blind is the type of injection that was found.
>>
>> On Feb 11, 2011, at 5:41 PM, Miroslav Stampar wrote:
>>
>>> hi Johnny.
>>>
>>> it's not normal behavior :)
>>>
>>> you haven't told which version are you using?
>>>
>>> kr
>>>
>>> On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
>>>> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>>>>
>>>> I am using SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>>>>
>>>> Thanks, J
>>>>
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail: miroslav.stampar (at) gmail.com
>>> Alternate: miroslav.stampar (at) mail.ru
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
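
An added illustration, not part of the thread and not sqlmap's own code, of the "dynamicity problem" mentioned in the reply: boolean-based blind inference rebuilds each character from yes/no answers, so a page that changes on every request turns the answers into noise unless TRUE is recognised by a string that appears only on the TRUE page. The page bodies, the marker text and the value being recovered are constructed, and the whole thing runs in memory with no network or database.

```python
import itertools

SECRET = "sa"            # constructed value the simulated query would return
MARKER = "Welcome back"  # constructed text present only on the TRUE page
_counter = itertools.count()

def fetch_page(condition_true):
    """Simulated response: a per-request token makes every page differ."""
    token = next(_counter)  # stands in for a timestamp, ad or CSRF token
    body = MARKER if condition_true else "No results"
    return f"<html><!-- req {token} --><p>{body}</p></html>"

BASELINE = fetch_page(True)  # reference TRUE page captured once

def exact_match(page):
    """Naive classifier: TRUE only if the page equals the baseline."""
    return page == BASELINE

def marker_match(page):
    """Classifier in the spirit of --string: look for the TRUE-only text."""
    return MARKER in page

def infer(classify, length=len(SECRET)):
    """Recover each character by bisection over yes/no answers."""
    out = []
    for i in range(length):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            page = fetch_page(ord(SECRET[i]) > mid)
            if classify(page):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)

if __name__ == "__main__":
    print(repr(infer(exact_match)))   # unreadable: every answer read as FALSE
    print(repr(infer(marker_match)))  # the expected value
```

The naive classifier never sees a page identical to its baseline, so every comparison is read as FALSE and the recovered bytes are meaningless; the marker-based classifier ignores the changing token and recovers the value.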