Re: [sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
Brought to you by:
inquisb
From: Andres R. <and...@gm...> - 2011-02-22 02:25:16
|
Bernardo, On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote: > At the moment it has no support for these responses. It is in our todo though. What's the limitation? Why not handling all answers (disregarding of the real content type) the same? It would be fairly simple to use difflib.quick_ratio to compare any HTTP response body. I'm curious :) > Bernardo Damele A. G. > > This message was sent from a smartphone > > On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote: > >> Hi, >> >> I have a blind sql injection vulnerability that results in different >> pictures (content type img/png - no html) depending if true or false. >> The size of the picture in terms of bytes and resolution does not >> change. The content and their hash (e.g. MD5) does. >> >> It seams that sqlmap is not able to detect the vulnerability. >> I provided the backend dbms (Oracle) via --dbms and tried it also with >> --level 5. >> >> How does sqlmap compair non-html responses? Does it calculate hashes or >> does it just look on response size if the reply is not text/html? >> >> thanks! (using r3351) >> >> ------------------------------------------------------------------------------ >> Index, Search & Analyze Logs and other IT data in Real-Time with Splunk >> Collect, index and harness all the fast moving IT data generated by your >> applications, servers and devices whether physical, virtual or in the cloud. >> Deliver compliance at lower cost and gain new business insights. >> Free Software Download: http://p.sf.net/sfu/splunk-dev2dev >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > ------------------------------------------------------------------------------ > Index, Search & Analyze Logs and other IT data in Real-Time with Splunk > Collect, index and harness all the fast moving IT data generated by your > applications, servers and devices whether physical, virtual or in the cloud. > Deliver compliance at lower cost and gain new business insights. > Free Software Download: http://p.sf.net/sfu/splunk-dev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Andrés Riancho Director of Web Security at Rapid7 LLC Founder at Bonsai Information Security Project Leader at w3af |