Hi Christian,

Can you please rerun with the latest development version from
Subversion with --flush-session -v3 -t traffic.log and provide us with
the traffic.log file privately in order to debug this possible bug?

Thank you.

Bernardo


On 24 August 2011 16:58, Christian Rothländer
<christian.rothlaen...@cr.sy.gs> wrote:
> Hi there,
>
> I just updated to the last revision (4365) and tried to attack a Microsoft 
> SQL Server 2005 via AND/OR time-based blind or MS stacked queries.
>
> The module which analysed which dba is there gets stuck with MSSQL (if I
> force --dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't
> be because of the attack vector). I think there might be something broken.
>
> I reverted to #4233 which is working and correctly detects MSSQL.
>
> Greetings,
> Christian
>
>
> ----snip----
>
> GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the 
> others? [y/N]
> sqlmap identified the following injection points with a total of 47 HTTP(s) 
> requests:
> ---
> Place: GET
> Parameter: meetingKey
>    Type: stacked queries
>    Title: Microsoft SQL Server/Sybase stacked queries
>    Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW
>
>    Type: AND/OR time-based blind
>    Title: Microsoft SQL Server/Sybase time-based blind
>    Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
> ---
>
> [17:33:51] [INFO] testing Microsoft SQL Server
> [17:33:51] [WARNING] it is very important not to stress the network adapter's 
> bandwidth during usage of time-based queries
> [17:34:12] [INFO] confirming Microsoft SQL Server
> <stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>
>
> ----snip----
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
