Re: [sqlmap-users] Feature Suggestion: Live keyboard input
Brought to you by:
inquisb
From: Andres R. <and...@gm...> - 2009-11-06 17:41:48
|
Eric, On Fri, Nov 6, 2009 at 2:23 PM, Eric H <eri...@gm...> wrote: > I'm not terribly experienced with Python or I'd implement this myself - it > seems like it would be very simple. > > During brute-force blind SQL injection (while enumerating a single character > at a time), I frequently know what the DB/table/column name is within the > first 3 or 4 characters or have a pretty good idea what the next character > is. > > During that input loop, if the program were simply to accept keyboard input, > tag that character and immediately try that specific character on the next > iteration... It would double or triple the speed I could enumerate table > values WHILE decreasing the load on the server during testing. Relying on > the good old fashioned human pattern matching is a low-tech solution, but > seems to have a high reward for a small amount of work. > > I'll eat my shoe if this feature is already implemented and I just missed > it. This is already implemented in the sqlmap modification that I did for w3af. If you want you can take it from there, Cheers, > Thanks! > > Eric > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus > on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ |