<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Well actually I disagree
with that article.<br>
<br>
There have been multiple occasions of people hacking stuff with SQLmap
for example,<br>
without even using a random UA, and many of those cases were time or
boolean blind SQLi.<br>
<br>
Also the statement "it's hard to use", I'm not sure I agree with that
either. It's hard to use<br>
if you retrieve bit-by-bit manually, but who does that?<br>
<br>
Cheers<br>
antisnatchor<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:CALx_OUARLnC9gyT4fqQ7LV5Q8DDGvjqmTuXZUdhLiS7EWrCWXw@mail.gmail.com"
type="cite">
<div style="margin-left:40px"><hr style="border:none 0;border-top:1px
dotted #B5B5B5;height:1px;margin:0;" class="__pbConvHr"><br></div>
<table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img
src="cid:part1.04040409.01010100@gmail.com"
photoaddress="lcamtuf@coredump.cx" photoname="Michal Zalewski"
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td
style="padding-left:5px;" valign="top"><a moz-do-not-send="true"
href="mailto:lcamtuf@coredump.cx" style="color:#2057EF
!important;text-decoration:none !important;">Michal Zalewski</a><br><font
color="#888888">July 3, 2013 5:59 PM</font></td></tr></tbody>
</table>
<div style="color:#888888;margin-left:35px;" __pbrmquotes="true"
class="__pbConvBody"><br><div><!----><br>The entire series is, ahem,
interesting, for reasons that I will leave<br>open to readers'
interpretation:<br><br><a class="moz-txt-link-freetext" href="http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/">http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/</a><br><br>/mz<br>_______________________________________________<br>Dailydave
mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br><a class="moz-txt-link-freetext" href="https://lists.immunityinc.com/mailman/listinfo/dailydave">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br></div><hr
style="border: none 0;border-top:1px dotted
#B5B5B5;height:1px;margin:15px 0 0 0;" class="__pbConvHr"><br></div>
<table style="padding-top: 5px;" class="__pbConvTable">
<tbody><tr><td style="padding-top:4px;" valign="top"><img
src="cid:part1.04040409.01010100@gmail.com"
photoaddress="dave@immunityinc.com" photoname="Dave Aitel"
name="compose-unknown-contact.jpg" height="25px" width="25px"></td><td
style="padding-left:5px;" valign="top"><a moz-do-not-send="true"
href="mailto:dave@immunityinc.com" style="color:#2057EF
!important;text-decoration:none !important;">Dave Aitel</a><br><font
color="#888888">July 3, 2013 4:07 PM</font></td></tr></tbody>
</table>
<div style="color:#888888;margin-left:35px;" __pbrmquotes="true"
class="__pbConvBody"><br>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
So I've now watched all of the Covert Affairs seasons, and I have to
say, the writers got better as it went on and the show got a
grittier, more disillusioned feel. More like Homeland, and less like
Archer.<br>
<br>
But it's fantasy, of course. One of the characters (Auggie) is a
blind operative and he occasionally gets sent out on missions where
he runs about in strange cities and fights people and does other
various spy things that are fairly hard to do when you're blind.
They make it seem as plausible as, for example, the 5 foot, 100
pound Piper Perabo beating up various thugs (one per episode at
least - she's quite violent). <br>
<br>
<img name="image.jpg" moz-do-not-send="true"
src="cid:part3.05030008.08030902@gmail.com" alt="Auggie is blind"
height="169" width="300"> (Note how in this obviously fantasy CIA
picture
there is no tweed, nor khakis!)<br>
<br>
In this blog, RSnake and some random blackhat go into a few things:<br>
<a moz-do-not-send="true"
href="http://blog.whitehatsec.com/blind-sql-injection-what-is-it-good-for/">http://blog.whitehatsec.com/blind-sql-injection-what-is-it-good-for/</a><br>
<br>
One thing they point out is that one of the random BlackHats that
they're friends with does not really use Blind SQLi to penetrate
machines, and he doesn't know anyone who does. "Because it's
annoying". Tru dat.<br>
<br>
"""<br>
<span style="color: rgb(68, 68, 68); font-family: 'Open Sans',
Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing: normal;
line-height: 24px; orphans: auto; text-align: start; text-indent:
0px; text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); display: inline !important;
float: none;">Internally at WhiteHat we’ve had the long-standing
belief that blind SQL injection is rarely if ever actually used in
attacks. We hear a lot about blind SQL injection at conferences,
in papers and while talking with researchers, but we just don’t
hear about it being used. Sure, there may be one piece of
anecdotal evidence somewhere, but as a general class of attack it
doesn’t seem to be a favorite of attackers. The reason being? It’s
hard to use.</span><br>
"""<br>
<br>
I love that paragraph for so many reasons. Regardless, Immunity's
consulting arm uses only Blind SQLi for our penetration tests, both
for finding vulnerabilities, and for exploiting them. <br>
<br>
-dave<br>
[1] Miguel's talk: <a moz-do-not-send="true"
href="https://lists.immunityinc.com/pipermail/dailydave/2013-January/000299.html">https://lists.immunityinc.com/pipermail/dailydave/2013-January/000299.html</a>
<div>_______________________________________________<br>Dailydave
mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br><a class="moz-txt-link-freetext" href="https://lists.immunityinc.com/mailman/listinfo/dailydave">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br></div></div>
</blockquote>
</body></html>