Re: [sqlmap-users] Rate of attack with top level --level and --risk
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-12 12:03:07
If the target was not vulnerable to any SQL injection, you provided --level 5 and --risk 3 together and there were a lot of GET/POST/Cookie parameters, then yes, potentially thousands of requests.
I can calculate it for you if you assert the above and give me the exact number of parameters.

Bernardo

On 12 January 2011 12:00, Chris Oakley <chr...@gm...> wrote:
> Thanks for that Bernardo. I understand that it's dynamic, but would it be
> in the realms of possibility for (over the Internet to a responsive
> machine) > 200,000 requests to be made by sqlmap over an 8 hour period?
> This would be testing multiple post and cookie values and lots of blind
> testing. This apparently happened to a server recently, but I didn't run
> sqlmap through a proxy. I'm trying to narrow down which tool was
> responsible so that I can slow things down in the future.
>
> Chris.
>
> On 12 January 2011 11:45, Bernardo Damele A. G. <ber...@gm...> wrote:
>> Chris,
>>
>> It varies a lot. It depends whether or not the target URL is over the
>> Internet, the machine is responsive, there's no lag, etc.
>> It also depends on the parameter vulnerabilities. Say it's a simple
>> injection, sqlmap will spot it easily and quickly with very little
>> number of requests. The number of requests the new detection engine
>> does is dynamic, it varies according to the results it gets from the
>> request/responses/delays received up until a certain moment.
>>
>> I recommend you run it once with default level and risk values and -v
>> 3 and once with level and risk increased to maximum to get an idea.
>>
>> Bernardo
>>
>> On 12 January 2011 11:40, Chris Oakley <chr...@gm...> wrote:
>> > Hi there
>> >
>> > With --level=5 and --risk=3 enabled, what kind of traffic does sqlmap
>> > send, say, per hour? I meant to look at this through a proxy but if
>> > anyone has a rough figure without me setting that up it'd be
>> > appreciated.
>> >
>> > Chris

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F