Re: Time based Blind SQL injection



Try GDSSecurity from github.com. I have never used it, though.

Good luck!
Sent via Danux's cloud

-----Original Message-----
From: martin.mngoma@xxxxxxxxx
Date: Fri, 30 Mar 2012 09:07:43
To: Yiannis Koukouras<ikoukouras@xxxxxxxxx>; <listbounce@xxxxxxxxxxxxxxxxx>; Danux<danuxx@xxxxxxxxx>
Reply-To: martin.mngoma@xxxxxxxxx
Cc: <webappsec@xxxxxxxxxxxxxxxxx>; PenTest<pen-test@xxxxxxxxxxxxxxxxx>
Subject: Re: Time based Blind SQL injection

Hi guys

Just off the topic, can any of you help me?

I need a vulnerability scanner that can scan WCF web services (Silverlight technologies), as Acunetix does not support WCF yet.

All help will be appreciated

Thanks
Martin
Sent from my BlackBerry® wireless device

-----Original Message-----
From: Yiannis Koukouras <ikoukouras@xxxxxxxxx>
Sender: listbounce@xxxxxxxxxxxxxxxxx
Date: Thu, 29 Mar 2012 21:04:00
To: Danux<danuxx@xxxxxxxxx>
Cc: <webappsec@xxxxxxxxxxxxxxxxx>; PenTest<pen-test@xxxxxxxxxxxxxxxxx>
Subject: Re: Time based Blind SQL injection

Cool, I just wanted to be sure I didn't miss anything else...

Again thanx for sharing! :)

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Thu, Mar 29, 2012 at 4:50 PM, Danux <danuxx@xxxxxxxxx> wrote:

Hi Yiannis,

The intent was to share a script as a result of a pen-test, since when
I was trying to use sqlmap and sqlninja those tools did not work for
me, and I was spending more time trying to figure out how to make them
work (possibly due to the lack of expertise on those tools). I did not
find a way to tell the tool to replace spaces with %09 but one person
in my blog (Miroslav) commented this related to sqlmap:

"There is a mechanism called tampering scripts (switch --tamper) and
in your case you could just use --tamper=space2randomblank (take a
look into ./sqlmap/tamper script for more tampering scripts beside
this space2randomblank.py one)"

So, that could be an option.

I added other features but nothing new and again, the intention is not
to replace sqlmap or sqlninja just to share the script.


On Thu, Mar 29, 2012 at 5:19 AM, Yiannis Koukouras <ikoukouras@xxxxxxxxx>
wrote:

So, the only difference, from other tools out there, is the support of
TAB(%09)?

Am I missing something?

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Mar 13, 2012 5:04 AM, "Danux" <danuxx@xxxxxxxxx> wrote:

Nothing new, just a different approach to automate the process of
blind injection based on time.

http://danuxx.blogspot.com/2012/03/time-based-blind-sql-injection.html

Hope you find it useful.


--
DanUx


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------




--
DanUx
