Re: [sqlmap-users] Microsoft SQL 2008
From: Miroslav S. <mir...@gm...> - 2011-02-14 13:58:03
i am pretty sure that this is a false positive. all symptoms are here.

if you could send me the URI privately just to see what's going on myself it would be great.

kr

On Mon, Feb 14, 2011 at 2:35 PM, Johnny Venter <Joh...@zo...> wrote:
> Thanks for the info, I used the first option (a) and it still found an injection point.
> However, in one iteration; it identified the back-end server as MySQL and then as MS SQL 2008.
> I can connect via --sql-shell; but no information is returned. I get output similar to "?~t|r8p?@?~?xx?n?zt".
> Could this happen when the db server and web server are on two separate systems?
> Any help/input is greatly appreciated.
> Miro, I am working on the "--string" option (b) and will report the results.
>
> Thanks, J
>
> On Feb 12, 2011, at 2:31 AM, Miroslav Stampar wrote:
>
> hi.
>
> this is either some case of false positive or dynamicity problem.
>
> to resolve this either:
>
> a) try --flush-session --text-only
> or
> b) --flush-session --string ....
> please, find one string that is characteristic only to the TRUE page and use it with --string parameter
>
> if a) and b) fail to find any injection then the problem is most definitely false positive. in that case please report with more details.
>
> kr
>
> On Sat, Feb 12, 2011 at 1:27 AM, Johnny Venter <Joh...@zo...> wrote:
>
> Here is a sample of output I receive when I request "--current-user":
>
> ?~t|r8p?@?~?xx?n?zt
>
> I am using version 0.9-dev.
>
> Boolean based blind is the type of injection that was found.
>
> On Feb 11, 2011, at 5:41 PM, Miroslav Stampar wrote:
>
> hi Johnny.
>
> it's not normal behavior :)
>
> you haven't told which version you are using?
>
> kr
>
> On Fri, Feb 11, 2011 at 9:42 PM, Johnny Venter <Joh...@zo...> wrote:
>
> Whenever I try to enumerate information from a vulnerable web app (with SQL 2008 back-end), the information is garbled/unreadable.
>
> I am using SQLi blind method. Is there something I can do to convert the returned data or is this normal?
>
> Thanks, J
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
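
As an added illustration of option (b) from the thread (not code from the thread or from sqlmap), this sketch looks for words that appear in every TRUE response and in no FALSE response, after dropping markup as `--text-only` suggests. The function names and the sample pages are constructed for the example; an empty result means the responses differ only by dynamic content, which is the false-positive case discussed above.

```python
import re
from html import unescape

TAG = re.compile(r"<[^>]+>")

def visible_text(html):
    """Drop markup so only rendered text is compared (the idea behind --text-only)."""
    return re.sub(r"\s+", " ", unescape(TAG.sub(" ", html))).strip()

def characteristic_strings(true_pages, false_pages, min_len=4):
    """Words found in every TRUE sample and in no FALSE sample.

    Any word returned is a candidate value for --string. An empty list
    means nothing stable separates the two sets of responses.
    """
    true_texts = [visible_text(p) for p in true_pages]
    false_texts = [visible_text(p) for p in false_pages]
    pattern = r"[A-Za-z][\w-]{%d,}" % (min_len - 1)
    candidates = set(re.findall(pattern, true_texts[0]))
    return sorted(
        w for w in candidates
        if all(w in t for t in true_texts)
        and not any(w in t for t in false_texts)
    )

def page(body, banner, clock):
    """Constructed sample page: static template plus two dynamic fields."""
    return ("<html><body><div id='ad'>banner %d</div><h1>Catalog</h1>"
            "<p>%s</p><span>generated %s</span></body></html>"
            % (banner, body, clock))

# Constructed samples: the condition really changes the page body.
TRUE_PAGES = [page("Product details: Widget", 83921, "13:58:03"),
              page("Product details: Widget", 10477, "13:58:09")]
FALSE_PAGES = [page("No matching items", 55310, "13:58:05"),
               page("No matching items", 72001, "13:58:11")]

# Constructed samples: only the banner and clock change between requests,
# so the "TRUE" and "FALSE" sets are the same page with different noise.
NOISE_A = [page("Product details: Widget", 11111, "13:58:03"),
           page("Product details: Widget", 22222, "13:58:09")]
NOISE_B = [page("Product details: Widget", 33333, "13:58:05"),
           page("Product details: Widget", 44444, "13:58:11")]

if __name__ == "__main__":
    print(characteristic_strings(TRUE_PAGES, FALSE_PAGES))
    print(characteristic_strings(NOISE_A, NOISE_B))
```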