Penetration Testing mailing list archives
Re: Time based Blind SQL injection
From: "Danux" <danuxx () gmail com>
Date: Fri, 30 Mar 2012 15:39:29 +0000
Try GDSSecurity from github.com. I have never used it though.

Good luck!

Sent via Danux's cloud

-----Original Message-----
From: martin.mngoma () gmail com
Date: Fri, 30 Mar 2012 09:07:43
To: Yiannis Koukouras<ikoukouras () gmail com>; <listbounce () securityfocus com>; Danux<danuxx () gmail com>
Reply-To: martin.mngoma () gmail com
Cc: <webappsec () securityfocus com>; PenTest<pen-test () securityfocus com>
Subject: Re: Time based Blind SQL injection

Hi guys

Just off the topic, can any of you help me. I need a vulnerability scanner that can scan WCF web services (Silverlight technologies), as Acunetix does not support WCF yet.

All help will be appreciated

Thanks
Martin

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Yiannis Koukouras <ikoukouras () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 29 Mar 2012 21:04:00
To: Danux<danuxx () gmail com>
Cc: <webappsec () securityfocus com>; PenTest<pen-test () securityfocus com>
Subject: Re: Time based Blind SQL injection

Cool, I just wanted to be sure I didn't miss anything else...

Again thanx for sharing! :)

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Thu, Mar 29, 2012 at 4:50 PM, Danux <danuxx () gmail com> wrote:

Hi Yiannis,

The intent was to share a script as a result of a pen-test, since when I was trying to use sqlmap and sqlninja those tools did not work for me, and I was spending more time trying to figure out how to make them work (possibly due to the lack of expertise on those tools).

I did not find a way to tell the tool to replace spaces with %09 but one person in my blog (Miroslav) commented this related to sqlmap:

"There is a mechanism called tampering scripts (switch --tamper) and in your case you could just use --tamper=space2randomblank (take a look into ./sqlmap/tamper script for more tampering scripts beside this space2randomblank.py one)"

So, that could be an option.

I added other features but nothing new and again, the intention is not to replace sqlmap or sqlninja, just to share the script.

On Thu, Mar 29, 2012 at 5:19 AM, Yiannis Koukouras <ikoukouras () gmail com> wrote:

So, the only difference, from other tools out there, is the support of TAB (%09)? Am I missing something?

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Mar 13, 2012 5:04 AM, "Danux" <danuxx () gmail com> wrote:

Nothing new, just a different approach to automate the process of blind injection based on time.

http://danuxx.blogspot.com/2012/03/time-based-blind-sql-injection.html

Hope you find it useful.

--
DanUx

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

--
DanUx