For sure it is. sqlmap gives you a huge nagging message in such a case
(network latency...blaballa).

Bye

On Mon, Dec 8, 2014 at 12:06 PM, Robin Wood <robin@digi.ninja> wrote:

> Wouldn't it be a bad idea trying to do a time-based attack over Tor?
>
> Robin
>
> On 8 December 2014 at 11:00, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
> > Hi.
> >
> > 1) Shouldn't "waitfor delay '0:0:0'" make no delay?
> > 2) sqlmap says "false positive or unexploitable injection point
> > detected".
> > Is there a possibility that the character > is filtered?
> > 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to
> > use in the "false positive check" phase. Then you'll see what fails.
> >
> > Bye
> >
> > On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hooshman...@gmail.com>
> > wrote:
> >>
> >> Hi,
> >>
> >> There is a website that is vulnerable to SQL injection. I have checked and
> >> I'm sure there is a blind SQL injection vulnerability, but sqlmap could not
> >> find it.
> >> I tried this command:
> >>  ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent
> >> --risk 3 --level 3 --technique=T --dbms="MsSQL"
> >> and the output was something like this:
> >> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase
> >> time-based blind' injectable
> >> [INFO] checking if the injection point on GET parameter 'search' is a
> >> false positive
> >> [WARNING] false positive or unexploitable injection point detected
> >> [WARNING] GET parameter 'search' is not injectable
> >>
> >>
> >> The "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --
> >>
> >> Did I make a mistake, or did sqlmap not find it?
> >>
> >> Best Regards
> >>
> >>
> >>
> >> _______________________________________________
> >> sqlmap-users mailing list
> >> sqlmap-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >>
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
> >
> >
>



-- 
Miroslav Stampar
http://about.me/stamparm
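A small illustration of the two points made above: a "waitfor delay '0:0:0'" payload must not produce any delay, and a time-based signal cannot be trusted when the baseline latency over Tor swings by as much as the injected delay. This is an added example, not code from this thread or from sqlmap; the classify() check is a simplified sketch in the spirit of sqlmap's false-positive phase rather than its actual algorithm, and every response time below is a constructed value in seconds (nothing is sent anywhere).

```python
"""Added illustration (not part of the thread, not sqlmap's code): why a
time-based blind SQL injection signal degrades over a high-jitter channel
such as Tor, and how a false-positive check that compares a zero-second
delay against a real delay separates signal from noise.

All response times are constructed sample values in seconds."""

# Constructed: direct connection, stable latency around 0.2 s.
DIRECT_BASELINE = [0.21, 0.19, 0.22, 0.20, 0.23, 0.21]
# Constructed: same request with "waitfor delay '0:0:0'" (must not be slower).
DIRECT_ZERO_DELAY = [0.20, 0.22, 0.21]
# Constructed: a 5-second delay payload on a genuinely injectable parameter.
DIRECT_DELAY_5S = [5.22, 5.20, 5.19, 5.24]
# Constructed: a 5-second delay payload where the injection never executes.
DIRECT_NOT_DELAYED = [0.25, 0.31, 0.22, 0.24]

# Constructed: the same measurements through a Tor circuit; latency varies by seconds.
TOR_BASELINE = [1.8, 4.9, 2.6, 7.3, 3.1, 9.5]
TOR_ZERO_DELAY = [2.2, 6.8, 3.9]
TOR_DELAY_5S = [6.2, 8.1, 12.4, 5.9]


def jitter(samples):
    """Spread of the baseline response times: the noise an injected delay must exceed."""
    return max(samples) - min(samples)


def classify(baseline, zero_delay, delayed, expected_delay):
    """Simplified false-positive check (a sketch, not sqlmap's real algorithm).

    Returns one of:
      "unreliable"     - baseline jitter is at least as large as the injected
                         delay, so no timing conclusion is possible (Tor case)
      "false positive" - a 0-second delay looked slow, or the real delay did
                         not, so the earlier "seems injectable" was noise
      "injectable"     - zero-delay probes stay inside the baseline band and
                         every delayed probe is clearly slower than any baseline
    """
    if jitter(baseline) >= expected_delay:
        return "unreliable"
    # A response counts as "slow" only if it beats the slowest baseline sample
    # by at least half the injected delay.
    slow = max(baseline) + expected_delay / 2
    if any(t >= slow for t in zero_delay):
        return "false positive"   # point 1 in the thread: '0:0:0' must not delay
    if all(t >= slow for t in delayed):
        return "injectable"
    return "false positive"


if __name__ == "__main__":
    cases = [
        ("direct, real injection", (DIRECT_BASELINE, DIRECT_ZERO_DELAY, DIRECT_DELAY_5S, 5)),
        ("direct, payload not executed", (DIRECT_BASELINE, DIRECT_ZERO_DELAY, DIRECT_NOT_DELAYED, 5)),
        ("over Tor", (TOR_BASELINE, TOR_ZERO_DELAY, TOR_DELAY_5S, 5)),
    ]
    for label, args in cases:
        print(f"{label:30s} jitter={jitter(args[0]):.2f}s -> {classify(*args)}")
```

The Tor case is classified as "unreliable" before any delay is even considered: with a baseline that already ranges over roughly eight seconds, a five-second sleep is indistinguishable from ordinary circuit latency, which is exactly the condition sqlmap warns about.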