SQL Injection Where User is Not DBA
Quite frequently when I pentest, I come across time-based blind sql injection points and find that the user is never the dba. This means I cannot access any data or get the admins password. I'm not sure if I can execute system commands, as I have not tried it, but does anyone know any way around this problem? Cuz it's alot better when I can tell the website admin "Here's all of your data" vs "You have a vunerability".
Re: SQL Injection Where User is Not DBA
Below link for a Article might be helpful for you:
In this excellent article, Mark Baggett covers a technique he's implemented in a brand new tool for making blind SQL injection penetration testing and ethical hacking far more efficient using dynamic character frequency tables. The article describes his approach, covers a new tool he's created, and features a video demo. Awesome stuff for a penetration tester's toolbox, Mark! --Ed
|All times are GMT +5.5. The time now is 11:15.|