Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: Time based Blind SQL injection
From: Yiannis Koukouras <ikoukouras () gmail com>
Date: Thu, 29 Mar 2012 21:04:00 +0200

Cool, I just wanted to be sure I didn't miss anything else...

Again thanx for sharing! :)

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Thu, Mar 29, 2012 at 4:50 PM, Danux <danuxx () gmail com> wrote:

Hi Yiannis,

The intent was to share a script as a result of a pen-test, since when
I was trying to use sqlmap and sqlninja does tools did not work for
me, and I was spending more time trying to figure out how to make them
work (possibly due to the lack of expertise on those tools). I did not
find a way to tell the tool to replace spaces with %09 but one person
in my blog (Miroslav) commented this related to sqlmap:

"There is a mechanism called tampering scripts (switch --tamper) and
in your case you could just use --tamper=space2randomblank (take a
look into ./sqlmap/tamper script for more tampering scripts beside
this space2randomblank.py one)"

So, that could be an option.

I added other features but nothing new and again, the intention is not
to replace sqlmap or sqlninja just to share the script.


On Thu, Mar 29, 2012 at 5:19 AM, Yiannis Koukouras <ikoukouras () gmail com>
wrote:

So, the only difference, from other tools out there, is the support of
TAB(%09)?

Am I missing something?

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Mar 13, 2012 5:04 AM, "Danux" <danuxx () gmail com> wrote:

Nothing new, just a different approach to automated the process of
blind injection based on time.

http://danuxx.blogspot.com/2012/03/time-based-blind-sql-injection.html

Hope you find it useful.


--
DanUx


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a
full practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------




--
DanUx



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]