Hi Christian,

Can you please rerun with the latest development version from subversion with --flush-session -v3 -t traffic.log and provide us with traffic.log file privately in order to debug this possible bug?

Thank you.

Bernardo

On 24 August 2011 16:58, Christian Rothländer <christian.rothlaen...@cr.sy.gs> wrote:
> Hi there,
>
> I just updated to the last revision (4365) and tried to attack a Microsoft
> SQL Server 2005 via AND/OR time-based blind or MS stacked queries.
>
> The module which analysed which dba is there gets stuck with MSSQL (if I
> force --dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't
> be because of the attack vector). I think there
> might be something broken.
>
> I reverted to #4233 which is working and correctly detects MSSQL.
>
> Greetings,
> Christian
>
>
> ----snip----
>
> GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the
> others? [y/N]
> sqlmap identified the following injection points with a total of 47 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: meetingKey
>     Type: stacked queries
>     Title: Microsoft SQL Server/Sybase stacked queries
>     Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW
>
>     Type: AND/OR time-based blind
>     Title: Microsoft SQL Server/Sybase time-based blind
>     Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX
> ---
>
> [17:33:51] [INFO] testing Microsoft SQL Server
> [17:33:51] [WARNING] it is very important not to stress the network adapter's
> bandwidth during usage of time-based queries
> [17:34:12] [INFO] confirming Microsoft SQL Server
> <stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)>
>
> ----snip----

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable