sqlmap-users

[sqlmap-users] Time--test

[Sam E. <dr...@bu...>]

I have manually confirmed a simple 'waitfor%20delay'0:0:20'-  sql 
injection vector in a site test, but when I try to replicate this with 
SQLMap using the '--time-test' option it does not even perform any 'wait 
for delay' type vectors as shown in the usage options. I set the verbosity 
to v3 and looking at the logs only the standard injection methods are 
tried, even though I specify the time test option and I know that it is a 
valid injection vector. I have tried this many times on different sites to 
no avail. Am I missing something?

Sam.

Re: [sqlmap-users] Time--test

[Bernardo D. A. G. <ber...@gm...>]

Sam,

On Wed, Feb 10, 2010 at 22:32, Sam Elliot <dr...@bu...> wrote:
> I have manually confirmed a simple 'waitfor%20delay'0:0:20'-  sql
> injection vector in a site test, but when I try to replicate this with
> SQLMap using the '--time-test' option it does not even perform any 'wait
> for delay' type vectors as shown in the usage options.
> ...

By (weak) design, sqlmap tries specified --stacked-test, --time-test
and --union-test only if beforehand it detected a boolean based blind
sql injection. This is wrong and will be fixed starting from March.

Regards,
-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F