Re: [sqlmap-users] [FeatureReq] Smart proximity based queries on table names etc
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] [FeatureReq] Smart proximity based queries on table names etc
|
From: Miroslav S. <mir...@gm...> - 2010-04-15 09:36:53
|
Hi. Implemented by your request :). Try the latest SVN version. Kind regards. On Thu, Apr 15, 2010 at 12:07 AM, Ole Rasmussen <ol...@gm...> wrote: > Many DBs are often designed such that table/db names are coherent. > Something often seen is that every table name is prefixed with some > string describing somewhat the relations in the table. An example: > > DB table1: > data_catalogs > data_catalogs_log > data_catalyst > data_emails > data_emails_old > > I don't know if SqlMap takes proximity of the last found table names > into account when enumerating - if it doesn't that could greatly speed > up enumerating table names like in the above example. > When SqlMap acquires the name 'data_catalogs' it could start the next > query by checking if the first letter is 'd' (which it is in the above > example), circumventing the need to do the binary relation search. If > the letter isn't 'd' then all we lost is adding a single query, but we > save a lot of queries if it is. Next time (if the letter was 'd') it > would check if the letter was 'a', then 't' and so on. > This would of course only work if the data is fetched in sorted order, > but I haven't encountered a case where it isn't yet - I guess it must > be sorted in INFORMATION tables in MySql? If it is then I think this > only underlines why you should implement the suggested proximity > queries. It might also be advantageous to exploit that the information > is sorted even without proximity queries; if we just received a table > name starting with 'd' then we know the next table name starts with at > least 'd' as well - I'm not sure if SqlMap already exploits this? > > Regards, > Ole > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar E-mail / Jabber: miroslav.stampar (at) gmail.com Mobile: +385921010204 (HR 0921010204) PGP Key ID: 0xB5397B1B |
