Re: [sqlmap-users] Question about Stacked Queries

Thu, 11 Oct 2012 05:37:33 -0700 

Hi Daniel.

If sqlmap is not able to detect stacked queries (like in your case), then
it won't be able to use/exploit those commands from --sql-shell. Pretty
simple.

Just take a look into your list of "sqlmap identified the following
injection points..." for that same target and if there are things like
"boolean"/"time-based blind"... and no "stacked" then you have no luck. As
you've said "stacked queries could be executed".

If you want to be sure you can try to re-test the target with higher
--time-sec. For example, python sqlmap.py -u .... --flush-session
--time-sec=20. If that fails then you won't be able to use stacked queries
as you've expected.

Kind regards,
Miroslav Stampar

On Wed, Oct 10, 2012 at 4:52 PM, Daniel Calvo Castro <
daniel.ca...@kernelsecurity.es> wrote:

> Hi Miroslav, Bernardo, list members,
>
> As far I know ( please correct if i´m wrong ) reading a couple of
> times Bernardo´s Damele Advanced SQL Injection whitepaper , Stacked
> queries could be executed via Blind and MySQL with ASP.NET,but sqlmap
> show me via sql-shell:
>
> web server operating system: Windows 2008
> web application technology: ASP.NET, Microsoft IIS 7.5, ASP
> back-end DBMS: MySQL 5
> sql-shell> create database test2;create database test3;drop table test;
> [16:10:32] [WARNING] execution of custom SQL queries is only available
> when stacked queries are supported
>
> current-user of mysql is root with full privileges, the goal is to
> create a temporary table via stacked queries also well described in
> that great document, could someone point me in the right way?
>
> Thanks in advance
>
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to