SQL Injection Where User is Not DBA

SystemOverride, Join Date: Dec 2011
Newbie Member
Quite frequently when I pentest, I come across time-based blind SQL injection points and find that the user is never the DBA. This means I cannot access any data or get the admin's password. I'm not sure if I can execute system commands, as I have not tried it, but does anyone know any way around this problem? Cuz it's a lot better when I can tell the website admin "Here's all of your data" vs "You have a vulnerability".
ritsmontu
Banned
The article linked below might be helpful for you:

In this excellent article, Mark Baggett covers a technique he's implemented in a brand new tool for making blind SQL injection penetration testing and ethical hacking far more efficient using dynamic character frequency tables. The article describes his approach, covers a new tool he's created, and features a video demo. Awesome stuff for a penetration tester's toolbox, Mark! --Ed

http://pen-testing.sans.org/blog/201...ient-new-tool#

Last edited by ritsmontu; 28Dec2011 at 16:04.