hi Christian. there was a "silent" bug inside which caused buggy waiting for console input without any warning in cases like yours (no warning waiting after "[INFO] confirming Microsoft SQL Server").
i've fixed that one in the latest commit, so it would be great if you could retest and see if that was the same bug you've encountered. kind regards On Wed, Aug 24, 2011 at 5:58 PM, Christian Rothländer <christian.rothlaen...@cr.sy.gs> wrote: > Hi there, > > I just updated to the last revision (4365) and tried to attack a Microsoft > SQL Server 2005 via AND/OR time-based blind or MS stacked queries. > > The module which analysed which dba is there gets stuck with MSSQL (if I > force --dbms=mssql). Otherwise it finds a Postgres-DB (which obviously can't > be because of the attack vector). I think there > might be something broken. > > I reverted to #4233 which is working and correctly detects MSSQL. > > Greetings, > Christian > > > ----snip---- > > GET parameter 'meetingKey' is vulnerable. Do you want to keep testing the > others? [y/N] > sqlmap identified the following injection points with a total of 47 HTTP(s) > requests: > --- > Place: GET > Parameter: meetingKey > Type: stacked queries > Title: Microsoft SQL Server/Sybase stacked queries > Payload: passcode=&meetingKey='; WAITFOR DELAY '0:0:5';-- AND 'yUTW'='yUTW > > Type: AND/OR time-based blind > Title: Microsoft SQL Server/Sybase time-based blind > Payload: passcode=&meetingKey=' WAITFOR DELAY '0:0:5'-- AND 'PowX'='PowX > --- > > [17:33:51] [INFO] testing Microsoft SQL Server > [17:33:51] [WARNING] it is very important not to stress the network adapter's > bandwidth during usage of time-based queries > [17:34:12] [INFO] confirming Microsoft SQL Server > <stuck here, Wireshark shows useless attack vectors (just the Waitfor Delay)> > > ----snip---- > > > ------------------------------------------------------------------------------ > Doing More with Less: The Next Generation Virtual Desktop > What are the key obstacles that have prevented many mid-market businesses > from deploying virtual desktops? How do next-generation virtual desktops > provide companies an easier-to-deploy, easier-to-manage and more affordable > virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/ > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm ------------------------------------------------------------------------------ Doing More with Less: The Next Generation Virtual Desktop What are the key obstacles that have prevented many mid-market businesses from deploying virtual desktops? How do next-generation virtual desktops provide companies an easier-to-deploy, easier-to-manage and more affordable virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/ _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
