I can hardly call this "detection"; looks more like "intrusion" to me.
~~
# mitchell
On Tue, Jan 21, 2014 at 4:43 PM, l.g. wrote:
> Miroslav Stampar writes:
>
> >
> >
> > So you made a "DROP TABLE" payload :))
> > I am not sure if this is a joke or for real?!
> >
> > Kind regards,
> > Mirosla
It should be detected as "stacked" in your case (using a timing attack - not
dropping tables).
Which DBMS are we talking about here, and which OS is it running on (e.g.
MySQL on Linux)?
Bye
On Tue, Jan 21, 2014 at 3:43 PM, l.g. wrote:
> Miroslav Stampar writes:
>
> >
> >
> > So you made a "DROP
You're not wrong in that it is possible to create such payloads, but you do
realize how absolutely ridiculous and dangerous this is outside of your
test system, right? You'd like the tool to start destroying whole tables
at a time, in an automated fashion, just to see if there's a SQLi flaw?! I
c
Miroslav Stampar writes:
>
>
> So you made a "DROP TABLE" payload :))
> I am not sure if this is a joke or for real?!
>
> Kind regards,
> Miroslav Stampar
>
I just made a really simple vulnerable test web application with a datagrid
bound to a table and a textbox where the user types str
So you made a "DROP TABLE" payload :))
I am not sure if this is a joke or for real?!
Kind regards,
Miroslav Stampar
On Tue, Jan 21, 2014 at 10:24 AM, l.g. wrote:
> writes:
>
> >
> > hi! In payloads.xml I substituted this snippet:
> >
> > -
> > -
> > -
> > -
> > drop table attack
> >
writes:
>
> hi! In payloads.xml I substituted this snippet:
>
> -
> -
> -
> -
> drop table attack
> 2
> 1
> 5
> 1
> 1
> c'); DROP TABLE [testTable] --
> -
> c'); DROP TABLE [testTable] --
> --
>
> -
> object
>
> -
> Microsoft SQL Server
>
>
hi! In payloads.xml I substituted this snippet:
-
-
-
-
drop table attack
2
1
5
1
1
c'); DROP TABLE [testTable] --
-
c'); DROP TABLE [testTable] --
--
-
object
-
Microsoft SQL Server
-
AND boolean-based blind - WHERE or HAVING clause
1