Re: [sqlmap-users] IBM DB2 support

2011-07-06 Thread Bernardo Damele A. G.
Hi, Update on IBM DB2 support: payload for time-based has been added[1] last week as well as support for direct connection (-d switch). [1] https://twitter.com/#!/sqlmap/status/85659702565937152 On 25 June 2011 11:04, Bernardo Damele A. G. wrote: > Hi, > > The long awaited IBM DB2 support has

Re: [sqlmap-users] File Writing

2011-07-06 Thread Bernardo Damele A. G.
Hi Chris, To me it works well: --8<-- $ python sqlmap.py -u "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p view_user_name --risk 3 --level 3 --parse-errors --file-write /etc/passwd --file-dest /tmp/test --flush-session sqlmap/1.0-dev (r4217) - automatic SQL injection an

Re: [sqlmap-users] File Writing

2011-07-06 Thread christopher . oakley
Hi Thanks. It turns out I was being an idiot. With absolute paths I didn't realise that this also includes the destination file name. With that included, it works like a dream. What I haven't managed to get going properly yet is the --os-cmd flag. The temp stager file does appear, but is empty

Re: [sqlmap-users] File Writing

2011-07-06 Thread Bernardo Damele A. G.
Hi Chris, No worries. If you want command execution, sqlmap can handle it automatically also when it's MySQL and you've got a writable folder within the document root, --os-cmd and --os-shell. Also, --os-pwn can work in this scenario too. The file stager uploaded is 0KB because you provide invalid

Re: [sqlmap-users] sqlmap's Access UNION tests can't be working

2011-07-06 Thread Bernardo Damele A. G.
Hi Marek, On 5 July 2011 22:33, Stiefenhofer, Marek wrote: > ... > Miroslav posted some news about an ongoing SQLi ModSecurity challenge. I was > curious and had a quick look at it. One of the vulnerable applications has > an MS Access DB and can be UNION based injected. Two of them are Access,