Re: [sqlmap-users] suggestion - per character verify option
From: Miroslav S. <mir...@gm...> - 2011-01-31 16:09:07
Hi.

Implemented (r3154). Now every character retrieved via time-based inference is "fast" verified after it has been retrieved (if unequal there is a time delay and the retrieval is repeated for that character). That "validation" is also prone to errors, but I must admit that with it the quality of data retrieval (in time-based techniques) is going way up.

KR

On Tue, Jan 18, 2011 at 12:34 AM, Miroslav Stampar <mir...@gm...> wrote:
> ...but still, I must say that this is quite a good idea:
>
> "One way to increase the quality with little speed overhead would be an
> option to verify the character result of the blind binary search using
> an equals query and restarting just that character if the answer is not
> correct."
>
> and we'll try to implement it
>
> kr
>
> On Tue, Jan 18, 2011 at 12:31 AM, Miroslav Stampar <mir...@gm...> wrote:
>> Hi Steve.
>>
>> We can consider some mechanisms to improve it, but first of all keep it real.
>>
>> We are talking about a most delicate SQL injection technique which is
>> highly prone to "outside entropy". Its precision is directly
>> inversely proportional to the time needed to retrieve all data, and
>> nobody wants to wait for some "useful" data "too long".
>>
>> So, IMHO, I am aware that here and there some character can go wrong
>> (either caused by the line used or some change of the web server's load)
>> but still the info retrieved is prone to personal filtration (in this case
>> everybody is aware that that 'A' there is a junk character).
>>
>> KR
>>
>> On Tue, Jan 18, 2011 at 12:17 AM, Steve Pinkham <ste...@gm...> wrote:
>>> First off, I'm loving the newest versions of sqlmap. It's even better
>>> than ever, and by far my favourite tool in the space.
>>>
>>> Now that time-based injection is better supported, one of the side
>>> effects is that the quality of results has gone down for me. For
>>> example on a site I'm testing, the banner results are:
>>>
>>> Microsoft SQL Seryer 2008 (RTM) - 10.0A1600.22 (X64)
>>>
>>> Where it should probably be
>>>
>>> Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64)
>>>
>>> And this is with a 20 second delay!
>>>
>>> One way to increase the quality with little speed overhead would be an
>>> option to verify the character result of the blind binary search using
>>> an equals query and restarting just that character if the answer is not
>>> correct.
>>>
>>> This should only add one request per character, and be much more time
>>> efficient than using a longer delay, using a safe url in between every
>>> request, or other mitigations that would increase the result quality at
>>> higher cost.
>>>
>>> Any thoughts?
>>> --
>>> | Steven Pinkham, Security Consultant |
>>> | http://www.mavensecurity.com |
>>> | GPG public key ID CD31CAFB |
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
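The verification step discussed in this thread (bisect the character with greater-than queries, confirm the result with one equals query, and redo only that character on a mismatch), as an added simulation that is not sqlmap's own code. The NoisyTimeOracle, its deterministic "every 23rd answer is flipped" jitter model, the printable-ASCII search range and the sample banner string are all constructed assumptions; the SQL in the comments is only an illustration of the kind of request each oracle call would stand for.

```python
"""Simulation: per-character verification for time-based blind SQL injection.

Shows why one extra "equals" request per character repairs most of the
damage that response-time jitter does to a blind binary search.
"""

# Constructed sample: the value a banner retrieval would pull out.
TARGET = "Microsoft SQL Server 2008"


class NoisyTimeOracle:
    """Stand-in for a time-based blind oracle (assumption, not a real target).

    Each call models one request such as (MSSQL syntax, illustrative only):
        IF ASCII(SUBSTRING((SELECT @@version),<pos>,1))><value> WAITFOR DELAY '0:0:5'
    and returns True when the response "was delayed".  Outside entropy
    (server load, network jitter) is modelled by inverting every
    `flip_every`-th answer, so a delay is missed or a fast reply looks slow.
    """

    def __init__(self, secret, flip_every=23):
        self.secret = secret
        self.flip_every = flip_every
        self.queries = 0  # total requests sent, to measure overhead

    def _answer(self, truth):
        self.queries += 1
        return (not truth) if self.queries % self.flip_every == 0 else truth

    def greater_than(self, pos, value):
        return self._answer(ord(self.secret[pos]) > value)

    def equals(self, pos, value):
        # The single extra request used to verify a retrieved character.
        return self._answer(ord(self.secret[pos]) == value)


def binary_search_char(oracle, pos, lo=32, hi=126):
    """Bisect the printable ASCII range with greater-than queries.

    A single flipped answer moves the secret outside [lo, hi], so the
    returned character is then guaranteed wrong; nothing here can notice.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.greater_than(pos, mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def retrieve(oracle, length, verify=True, max_retries=2):
    """Retrieve `length` characters one at a time.

    With verify=True each bisection result is confirmed with one equals
    query and only that position is redone on a mismatch (a flip on the
    equals query itself just costs one spurious retry).  Returns
    (value, number_of_retries).
    """
    chars = []
    retries = 0
    for pos in range(length):
        for _attempt in range(max_retries + 1):
            c = binary_search_char(oracle, pos)
            if not verify or oracle.equals(pos, ord(c)):
                break
            retries += 1
        chars.append(c)
    return "".join(chars), retries


def compare(secret=TARGET, flip_every=23):
    """Run the same retrieval with and without verification on fresh oracles."""
    plain_oracle = NoisyTimeOracle(secret, flip_every)
    plain, _ = retrieve(plain_oracle, len(secret), verify=False)
    checked_oracle = NoisyTimeOracle(secret, flip_every)
    checked, retries = retrieve(checked_oracle, len(secret), verify=True)
    return {
        "plain": plain,
        "plain_queries": plain_oracle.queries,
        "checked": checked,
        "checked_queries": checked_oracle.queries,
        "retries": retries,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In the noise model used here a flip can hit either the search or the verification request, but never both for the same character, so the retry always lands on a clean window and the verified string comes back intact while the unverified one carries junk characters like the 'y' and 'A' in the banner quoted above. Against a real target the equals request is just as exposed to jitter as the search requests, which is the caveat in the reply: a flipped "equal" answer can still accept a wrong character, so the check raises the odds without making the technique exact.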