izatt82 Posted May 9, 2012

So basically the deal is I want to know if I should be worried. I am doing something like this: .asp?ID=1' and I get back a blank page, so I am assuming my only option is to do blind injection, but what else might this mean? If it doesn't work then I get a different message saying the session has ended, so it seems like there might be a hole there. I need to be schooled on SQL injection. I haven't tried seeing if there is a WAF in place or encoding; I just tried to do the basics and want to make sure I understand what the blank page means. Thanks guys
digip Posted May 9, 2012

A blank page might just mean they have error handling set to blank pages, or there really is no data returned and instead of a 404 they just serve a blank page. Search for Joe McCray on YouTube. He does a lot of talks on SQLi and is a great place to start.
izatt82 (Author) Posted May 9, 2012

Yeah, I have been watching him. I finally got a 404 page, which was different than the blank page. I am starting to find out that SQL injection is a real PITA when going up against a pretty solid setup. I used this and others like it and got the 404 page:

if (select user) = 'sa' waitfor delay '0:0:10'

but it did not wait for 10 secs, so it might be filtering all this stuff. I actually hope I can't get into it that way; I know my vendor's shit is secure and we aren't getting screwed.
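To show at the code level what digip's "error handling set to blank pages" means, here is an added example that is not from any poster in this thread. It uses an in-memory SQLite table (a constructed stand-in for the vendor's lookup; the table, column names and both lookup functions are assumptions) to contrast the vulnerable string-concatenated query with a parameterized one: the first turns a stray quote into a database error the app can only swallow, while the second treats the quote as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the vendor's lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_concatenated(conn, raw_id):
    """Vulnerable pattern: the query-string value is pasted into the SQL text.

    Returns ("ok", rows) or ("error", message). An application that catches
    the error and renders nothing is exactly the 'blank page' described above;
    the fact that a quote changes the response at all is the tell.
    """
    sql = "SELECT id, name FROM items WHERE id = " + raw_id
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:  # syntax error from the unbalanced quote
        return ("error", str(exc))


def lookup_parameterized(conn, raw_id):
    """Hardened pattern: the driver binds the value as data, never as SQL.

    The same inputs cannot alter the query structure, so a quote or a
    tautology simply matches no row instead of producing an error or extra rows.
    """
    rows = conn.execute("SELECT id, name FROM items WHERE id = ?",
                        (raw_id,)).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 OR 1=1"):
        print(repr(value), lookup_concatenated(db, value), lookup_parameterized(db, value))
```

On the server side, the only trustworthy fix is the parameterized form (plus rejecting non-numeric IDs up front); swallowing the error just hides the symptom that this thread is probing for.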
ghosthunter007 Posted October 13, 2012

There is a pretty decent program from w3af, and you can always start with 'x' OR 'x' ;# and move on to using the Nmap SQL injection listing with a brute-force word list. Look at DVWA as well; it's solid training on SQL injection and XSS scripting.
operat0r_001 Posted October 25, 2012

* sqlninja
* Havij 1.15 - Advanced SQL Injection (Windows)
* DbVisualizer 7.1.2 - best tool ever for Windows / SQL servers; supports MySQL, Oracle, DB2, SQLite3 and MSSQL, all without installing a bunch of crap! (85 megs, built with ThinApp)