Hi there, I just updated to the last revision (4365) and tried to attack a Microsoft SQL Server 2005 via AND/OR time-based blind or MS stacked queries.
The module which analysed which dba is there gets stuck with MSSQL (if I force --dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't be because of the attack vector).

I think there might be something broken. I reverted to #4233 which is working and correctly detects MSSQL.

Greetings,
Christian

----snip----
GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Place: GET
Parameter: meetingKey
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
---
[17:33:51] [INFO] testing Microsoft SQL Server
[17:33:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[17:34:12] [INFO] confirming Microsoft SQL Server
<stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>
----snip----

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users