Daniel,

    First of all, thanks for your email! =)

On Sun, Nov 16, 2008 at 6:21 PM, Daniele Bellucci
<[EMAIL PROTECTED]> wrote:
> Hi Andres,
>
> I just looked inside: core/controllers/sql_tools/blind_sqli_response_diff.py.
> I don't know the w3af code, but I've seen the following vectors:
> OR rndNum = rndNum
> AND rndNum = rndNum
>
>
> Ok, these look good, but I think it is not enough for blind SQL injection.
> What about appending the comment string ( -- / # )?

If I append a -- or a #, then I should also guess the correct number
of parentheses. Examples:

Original:  select * from users where (a = $id);
Injected 1:  select * from users where (a = 1 and 1 = 1);   ---> syntax ok
Injected 2:  select * from users where (a = 1 and 1 = 1--);   ---> invalid syntax

So..., adding a comment isn't always the best. Could you please think
about an example where 1 AND 1=1 wouldn't work, and 1 AND 1=1-- would?

> Another suggestion:
> I think it would be fine to move each fuzz vector from the .py source
> code (such as the above plugin for
> testing Blind SQL Injection) to a text file to let w3af users customize it.

That's a good idea, and some others have proposed the same. I'll think
about it. Thanks!

> regards.
>
>
>
> On Sat, Nov 15, 2008 at 2:29 AM, Andres Riancho
> <[EMAIL PROTECTED]> wrote:
>> List,
>>
>>    I just committed some changes to the SVN that add the detection of
>> blind SQL injections using time delays. For those who didn't know, the
>> detection was previously done by comparing true (1 OR 1=1) and false
>> (1 AND 1=2) pages. At this moment the delay technique works with
>> MSSQL, MYSQL and POSTGRES. I would be thankful if anyone can test the
>> blindSqli script with some of those databases to confirm that they
>> work as expected outside my lab, and that they don't generate false
>> positives over the Internet.
>>
>>    The whole logic for the vulnerability detection is in
>> "core/controllers/sql_tools/blind_sqli_time_delay.py", but many other
>> files have been changed, so don't be afraid if you get a 30+ file
>> modification on your "svn up" to revision 2015.
>>
>>    Also, if someone knows how to generate time delays in Oracle (I
>> need a generic thing that works with oracle 8 to 11) or some other
>> databases (DB2? Informix?) please send it to me! I've been googling
>> but nothing interesting came up ([0] is not interesting).
>>
>>    All your feedback is welcome, happy testing! =)
>>
>> [0] http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/
>>
>> Cheers,
>> --
>> Andres Riancho
>> http://w3af.sourceforge.net/
>> Web Application Attack and Audit Framework
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> W3af-develop mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
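The two points in the thread above, the true/false response-diff check and the
reason an appended comment breaks inside a parenthesised WHERE clause, as an
added, runnable illustration. This is not w3af code; it uses an in-memory
SQLite database with a constructed `users` table (the table, its rows, and the
function names `vulnerable_query`, `safe_query`, `responds_like_blind_sqli` and
`comment_breaks_parentheses` are all assumptions of this example). The
parameterised `safe_query` is included so the reader sees why the same check
reports nothing against a query that binds its value instead of concatenating it.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example (not from w3af)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (a integer, name text)")
    conn.executemany("insert into users values (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def vulnerable_query(conn, user_id):
    """String concatenation: the value is parsed as SQL syntax.

    Mirrors the thread's 'select * from users where (a = $id)' shape.
    """
    sql = "select name from users where (a = %s)" % user_id
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, user_id):
    """Parameterised form: the value is bound, never parsed as syntax."""
    sql = "select name from users where (a = ?)"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def responds_like_blind_sqli(query, conn, base="1"):
    """Response-diff check as described in the thread.

    A boolean-blind signal is: the 'true' tautology (1 AND 1=1) returns the
    same page as the untouched baseline, while the 'false' one (1 AND 1=2)
    returns something different. Any syntax error counts as 'no signal'.
    """
    try:
        baseline = query(conn, base)
        true_resp = query(conn, base + " AND 1=1")
        false_resp = query(conn, base + " AND 1=2")
    except sqlite3.Error:
        return False
    return baseline == true_resp and true_resp != false_resp


def comment_breaks_parentheses(conn, base="1"):
    """Andres's point: '--' comments out the closing ')' and the query fails.

    Returns True when the comment-terminated payload is rejected by the parser.
    """
    try:
        vulnerable_query(conn, base + " AND 1=1--")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenated query shows blind-SQLi signal:",
          responds_like_blind_sqli(vulnerable_query, db))
    print("parameterised query shows blind-SQLi signal:",
          responds_like_blind_sqli(safe_query, db))
    print("'--' inside (a = ...) breaks the statement:",
          comment_breaks_parentheses(db))
```

Against the concatenated query the check reports a signal; against the bound
query the payload is compared as a literal string, so the true and baseline
responses differ and no signal is raised. The comment case fails at parse time
for exactly the reason given in the reply: the `--` swallows the closing
parenthesis, so a detector that always appends a comment would miss this
parenthesised form.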
