Re: [sqlmap-users] my stand on sqlmap
From: Bernardo D. A. G. <ber...@gm...> - 2010-06-01 10:18:21
Joe,

On Tue, Jun 1, 2010 at 10:46, Joe "Pragmatk" <pra...@gm...> wrote:
> ...
> - - Does sqlmap support exporting to some sort of binary-safe export
> format (sqlite, csv, .sql format, heck - even urlencoded or
> c-string-escaped)? I found the text-only output options greatly
> disappointing :-(

Recently we merged into trunk a patch to save results to an XML file (-x switch). This is still in early development, but for basic cases, it works. As usual, bug reports are welcome. The XML is validated against an XSD file (xml/sqlmap.xsd) too.

We recently added support to fetch unicode data; this included lots of enhancements in terms of dealing with files (session, log, .csv dump file, etc.) too. CSV files are created when you --dump tables; you can see their path when --verbose is >= 1.

> - --- Is there an easy way to extend this sparse selection of test cases,
> or will I have to set up my own patch repo for modifications?

Detection engine is weak. It will be rewritten from scratch in the upcoming months. You (all!) can supply your patches any time, we really appreciate that and encourage you to send them all. No need to comment the code (appreciated though), we can dig into it ourselves.

> - --- multi-threading is - of course - very nice, but does sqlmap support
> "persistent" http connections (reuse of existing tcp-connections using
> the Keep-Alive HTTP-header)? I implemented this for my own tool and the
> speed gain was enormous. Last time I asked about this, both the
> developers and I were unable to find a Python module that supported this
> relatively simple feature.

We fixed a couple of major bugs in multi-threading and improved it quite a lot since the release of 0.8. I recommend you always give the development version from the subversion repository a try. To answer your question, as far as I know the Python urllib2 library does not effectively support Keep-Alive; we will research more in this direction.

> - --- Has the off-by-one when resuming blind queries been fixed?

Automatic saving to the session file works in real time when multi-threading is not specified. Vice versa, if multi-threading is specified (--threads > 1), the query output is stored in the session file once the whole output is fetched. Resume always works, regardless of the technique used by sqlmap to retrieve the data. The off-by-one should also be fixed now.

> I think the post exploitation-stuff that you have implemented,
> especially the tie-in with msf, is really cool. Respect!

Thanks.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F