Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SQL Injection - Waitfor delay

From: "rajat swarup" <rajats () gmail com>
Date: Mon, 13 Oct 2008 14:07:56 -0400
On Mon, Oct 13, 2008 at 9:42 AM, xelerated <xelerated () gmail com> wrote:


Hi all,
I am trying to find more information about a SQL Injection using
"waitfor delay".


http://spidynamics.com/whitepapers/Blind_SQLInjection.pdf
The last I checked this pdf file was gone...but just search for it on
Google ...you'll find it.


So far, no one that I have asked in the pen test and security field
feels its a vulnerability, but my client does think its a big deal but
there really is very little information that I can find on it.
I hear rumors that using the waitfor delay can help enumerate a
database, but again, I'm not sure about that.

Id like to pull on the vast knowledge of this list to see if that
counts in a test as a SQL Inject, and if its a big deal if you can use
it.


If you have a blind SQL injection point it does!  There are a ton of
tools that'll help you automate blind SQL exploitation like absinthe,
sqlmap, sqlbrute, sqlninja and many many more.

HTH,
Rajat.
--
Rajat Swarup

http://rajatswarup.blogspot.com/

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: