[sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
Brought to you by:
inquisb
Menu
▾
▴
[sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
|
From: <bu...@gm...> - 2011-02-21 21:55:51
|
Hi, I have a blind sql injection vulnerability that results in different pictures (content type img/png - no html) depending if true or false. The size of the picture in terms of bytes and resolution does not change. The content and their hash (e.g. MD5) does. It seams that sqlmap is not able to detect the vulnerability. I provided the backend dbms (Oracle) via --dbms and tried it also with --level 5. How does sqlmap compair non-html responses? Does it calculate hashes or does it just look on response size if the reply is not text/html? thanks! (using r3351) |
