Hi Marwat.
Thank you for your report. Please update to the latest revision r5022 and
retry it again.
Kind regards,
Miroslav Stampar
On Fri, Apr 27, 2012 at 1:14 AM, Marwat Knight <marwatkni...@yahoo.com> wrote:
> Hi all
>
> I am using sqlmap/1.0-dev (r5020) for pentesting a real web app. I
> found that sqlmap is not able to find a tricky vulnerability that lies in the
> web app.
> The scenario is like this:
> URL: www.asdsad.com/page.asp?id=string
> sqlmap is able to find the error-based injection in the parameter id but
> is not able to find the stacked-based one, which is also there.
> I tried every possible configuration but had no success.
> At last I edited the /xml/payload.xml and it was found.
> Actually the sqlmap payload was like this:
> id=string';wait for delay '0:0:5;-- AND 'asd'='asd
> which will cause an internal server error (500):
> "ADODB.Command error '800a0d5d' Application uses a value of the wrong type
> for the current operation"
> I changed the payload.xml so that it also adds # after the -- <comment>
> and it became able to find it, and the error also disappeared.
> The query becomes: id=string';wait for delay '0:0:5;-- # AND 'asd'='asd
> Actually the AND and the stuff after it is causing the error.
> This query also works: id=string';wait for delay '0:0:5;--
> So how about adding this? Maybe it will save somebody 48 hours.
> The SQL Server is 2000 SP2, the web server is IIS 6.0 and the technology is
> ASP.NET 2.0.
> So anyway, many many thanks. sqlmap is a great tool and the developers
> rock and are big-hearted guys. Love
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm