Hi there,

I just updated to the last revision (4365) and tried to attack a Microsoft SQL 
Server 2005 via AND/OR time-based blind or MS stacked queries.

The module which analysed which dba is there gets stuck with MSSQL (if I force 
--dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't be 
because of the attack vector). I think there
might be something broken.

I reverted to #4233 which is working and correctly detects MSSQL.

Greetings,
Christian


----snip----

GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the 
others? [y/N]
sqlmap identified the following injection points with a total of 47 HTTP(s) 
requests:
---
Place: GET
Parameter: meetingKey
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
---

[17:33:51] [INFO] testing Microsoft SQL Server
[17:33:51] [WARNING] it is very important not to stress the network adapter's 
bandwidth during usage of time-based queries
[17:34:12] [INFO] confirming Microsoft SQL Server
<stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>

----snip----


------------------------------------------------------------------------------
Doing More with Less: The Next Generation Virtual Desktop 
What are the key obstacles that have prevented many mid-market businesses
from deploying virtual desktops?   How do next-generation virtual desktops
provide companies an easier-to-deploy, easier-to-manage and more affordable
virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to