Re: [sqlmap-users] Testing pages with "strange" characters
From: Miroslav S. <mir...@gm...> - 2010-12-29 15:24:37
...and, I've almost forgotten to tell you that with the latest patch you'll definitely have more positives than before with all sorts of non-ASCII conformant charset pages.

kr

On Wed, Dec 29, 2010 at 4:20 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi all.
>
> I've stumbled upon a page with all Cyrillic chars, high match ratio (lots of
> JavaScript inside), and in normal situations you would normally use
> --string. But, the problem was that I couldn't type a single Cyrillic
> character into console (they were replaced with ???, and I wouldn't change
> my charset map just to type those in).
>
> In those cases --text-only is highly desirable and it helped a lot. No more
> --string was needed. Also, I've realized that we've left a part in page
> processing where we've filtered out all those "strange" characters and
> replaced them with '?' - which probably led to a harder finding of
> "blind injectable" pages.
>
> So, by this latest fix, you'll be able to use --string method with those
> "strange" chars (if you properly set your console) as in page response there
> is no more replacing with '?'. Also, for all of you 'lazy' ones, use
> --text-only wherever you stumble upon pages with strange charsets and with
> really minor changes in blind response.
>
> Kind regards.

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
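The effect described in the message above, as an added example that is not part of the original post and is not sqlmap's own code: it compares two constructed responses as full pages, as a text-only view, and as a text-only view with non-ASCII characters replaced by '?'. The sample pages, the helper names and the use of `difflib` as the similarity measure are assumptions made for illustration.

```python
import difflib
import re

# Constructed sample responses: a large shared script block plus a short
# Cyrillic message that differs between the two pages.
SCRIPT = "<script>" + "var a = 1; function f(x) { return x * 2; }\n" * 40 + "</script>"
PAGE_A = "<html><body>" + SCRIPT + "<p>Добро пожаловать</p></body></html>"
PAGE_B = "<html><body>" + SCRIPT + "<p>Ничего не найдено</p></body></html>"


def mask_non_ascii(page):
    """Behaviour the post says was removed: non-ASCII chars become '?'."""
    return "".join(c if ord(c) < 128 else "?" for c in page)


def text_only(page):
    """Hypothetical stand-in for a text-only view: drop scripts and tags."""
    page = re.sub(r"(?is)<script.*?</script>", "", page)
    return re.sub(r"(?s)<[^>]+>", "", page).strip()


def ratio(a, b):
    # autojunk=False keeps the long, repetitive script from being
    # discarded as "popular" characters on pages over 200 chars.
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def compare_views():
    """Return similarity of the two pages under the three views."""
    full = ratio(PAGE_A, PAGE_B)
    text = ratio(text_only(PAGE_A), text_only(PAGE_B))
    masked = ratio(mask_non_ascii(text_only(PAGE_A)),
                   mask_non_ascii(text_only(PAGE_B)))
    return full, text, masked


if __name__ == "__main__":
    full, text, masked = compare_views()
    print("full page:          %.3f" % full)    # script dominates the ratio
    print("text only:          %.3f" % text)    # the difference stands out
    print("text only + masked: %.3f" % masked)  # '?' hides the difference
```
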