Go4Expert


SystemOverride 23Dec2011 08:49

SQL Injection Where User is Not DBA
 
Quite frequently when I pentest, I come across time-based blind SQL injection points and find that the user is never the DBA. This means I cannot access any data or get the admin's password. I'm not sure if I can execute system commands, as I have not tried it, but does anyone know any way around this problem? Cuz it's a lot better when I can tell the website admin "Here's all of your data" vs "You have a vulnerability".

ritsmontu 28Dec2011 16:02

Re: SQL Injection Where User is Not DBA
 
The link below to an article might be helpful for you:

In this excellent article, Mark Baggett covers a technique he's implemented in a brand new tool for making blind SQL injection penetration testing and ethical hacking far more efficient using dynamic character frequency tables. The article describes his approach, covers a new tool he's created, and features a video demo. Awesome stuff for a penetration tester's toolbox, Mark! --Ed

http://pen-testing.sans.org/blog/201...ient-new-tool#


All times are GMT +5.5.