Thanks for the replies.  Yes, it'll have to be in private.  When I relaunch,
do you need me to do it from scratch (as in flush session) or is it ok to
just use the traffic logging options with the injection already found?

On 21 December 2011 15:31, Bernardo Damele A. G.
<bernardo.dam...@gmail.com> wrote:

> Hi Chris,
>
> On 21 December 2011 14:56, Chris Oakley <christopher.oak...@gmail.com>
> wrote:
> > Hi All
> >
> > I have a time based blind injection on a machine running Windows Server
> > 2003, IIS 6 and SQL Server 2000.  The user is running as DBA.  I should be
> > able to enable xp_cmdshell, and indeed:
>
> Indeed.
>
> > ...
> > As you can see, no output is returned (is this because of the injection
> > type I wonder?).
>
> No, it has nothing to do with the injection type. SQL payloads used by
> sqlmap have been written and the core has been engineered in a way that
> regardless of the technique used, sqlmap is able to retrieve the
> queries' output.
> The issue is somewhere else.
>
> > I've tried the various out of bounds methods with BT and msf too, but this
> > seems to fail at various stages.
> >
> > Could it be that the database server is separate from the web server and is
> > totally isolated from the outside world by egress rules?
>
> This could be, but it looks to me that you're mixing xp_cmdshell/bug
> with network rules. I think that the issue here is about xp_cmdshell.
>
> Could you please relaunch with -v 3 --parse-errors -t traffic.log and
> send us (privately if you prefer) the whole output and the log file?
>
> Thank you.
> Bernardo