Penetration Testing mailing list archives
Re: SQL Injection - Waitfor delay
From: "rajat swarup" <rajats () gmail com>
Date: Mon, 13 Oct 2008 14:07:56 -0400
On Mon, Oct 13, 2008 at 9:42 AM, xelerated <xelerated () gmail com> wrote:
> Hi all, I am trying to find more information about a SQL Injection using "waitfor delay".
http://spidynamics.com/whitepapers/Blind_SQLInjection.pdf
The last I checked this PDF file was gone... but just search for it on Google... you'll find it.
> So far, no one that I have asked in the pen test and security field feels it's a vulnerability, but my client does think it's a big deal but there really is very little information that I can find on it. I hear rumors that using the waitfor delay can help enumerate a database, but again, I'm not sure about that. I'd like to pull on the vast knowledge of this list to see if that counts in a test as a SQL Inject, and if it's a big deal if you can use it.
If you have a blind SQL injection point it does! There are a ton of tools that'll help you automate blind SQL exploitation like absinthe, sqlmap, sqlbrute, sqlninja and many many more.

HTH,
Rajat.
--
Rajat Swarup
http://rajatswarup.blogspot.com/
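An added example, not part of the thread: one way a defender can check web logs for the "waitfor delay" probing discussed above and tell attempts from requests where the delay was actually honoured. The log format, the sample lines and the names `scan`, `LINE_RE` and `WAITFOR_RE` are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the thread). Assumed format:
#   client "METHOD target" status seconds_taken
SAMPLE_LOG = """\
10.0.0.5 "GET /item.asp?id=42" 200 0.041
10.0.0.9 "GET /item.asp?id=42%3B+WAITFOR+DELAY+%270%3A0%3A10%27--" 200 10.052
10.0.0.9 "GET /item.asp?id=42;waitfor%20delay%20'00:00:05'--" 500 0.030
10.0.0.7 "GET /search.asp?q=how+long+to+wait+for+delivery" 200 0.120
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) ([\d.]+)$')
# T-SQL WAITFOR DELAY 'h:m:s' as seen after URL decoding (assumed literal form).
WAITFOR_RE = re.compile(r"waitfor\s+delay\s*'(\d{1,2}):(\d{1,2}):(\d{1,2})", re.I)


def scan(log_text, slack=0.5):
    """Return one finding per request that carries a WAITFOR DELAY string."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _method, target, status, taken = m.groups()
        hit = WAITFOR_RE.search(unquote_plus(target))
        if not hit:
            continue
        hours, minutes, seconds = (int(g) for g in hit.groups())
        requested = hours * 3600 + minutes * 60 + seconds
        findings.append({
            "client": client,
            "status": int(status),
            "requested": requested,
            # A response that took about as long as the requested delay means
            # the database ran the injected statement, not just received it.
            "executed": requested > 0 and float(taken) >= requested - slack,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "delay honoured: injectable" if f["executed"] else "attempt only"
        print(f["client"], f["status"], f"{f['requested']}s", verdict)
```

A finding with `executed` set is the case the client in the thread is worried about: the parameter reaches the database as SQL, so the fix is a parameterized query on that endpoint rather than a filter on the keyword.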