1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SQL Injection Where User is Not DBA

Discussion in 'Ethical hacking' started by SystemOverride, Dec 23, 2011.

  1. SystemOverride

    SystemOverride New Member

    Joined:
    Dec 23, 2011
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Quite frequently when I pentest, I come across time-based blind sql injection points and find that the user is never the dba. This means I cannot access any data or get the admins password. I'm not sure if I can execute system commands, as I have not tried it, but does anyone know any way around this problem? Cuz it's alot better when I can tell the website admin "Here's all of your data" vs "You have a vunerability".
     
  2. ritsmontu

    ritsmontu New Member

    Joined:
    Dec 21, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    0
    Occupation:
    Senior Consultant AT&T U-Verse
    Location:
    Chennai-India
    Below link for a Article might be helpful for you:

    In this excellent article, Mark Baggett covers a technique he's implemented in a brand new tool for making blind SQL injection penetration testing and ethical hacking far more efficient using dynamic character frequency tables. The article describes his approach, covers a new tool he's created, and features a video demo. Awesome stuff for a penetration tester's toolbox, Mark! --Ed

    http://pen-testing.sans.org/blog/2011/10/31/making-blind-sql-injection-more-efficient-new-tool#
     
    Last edited: Dec 28, 2011

Share This Page