Re: [sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:46:19
hi all.

"response" is not just a response. response is usually a HTML document with links included toward other documents and/or images. so, for us to be able to "ratio" this we would need to do lots of more requests/responses than we do it right now. it would require times N more traffic and nobody wants that in default manner. we could consider doing some extra switch which would download all embedded data, but just imagine how much traffic/slow down that would result in some normal case. i am aware that this would help here and there but i am just waiting for some "smart pants" to NAG how this and this is slow.

kr

On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
> Bernardo,
>
> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>> At the moment it has no support for these responses. It is in our todo though.
>
> What's the limitation? Why not handling all answers (disregarding of
> the real content type) the same? It would be fairly simple to use
> difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>
>> Bernardo Damele A. G.
>>
>> This message was sent from a smartphone
>>
>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>
>>> Hi,
>>>
>>> I have a blind sql injection vulnerability that results in different
>>> pictures (content type img/png - no html) depending if true or false.
>>> The size of the picture in terms of bytes and resolution does not
>>> change. The content and their hash (e.g. MD5) does.
>>>
>>> It seems that sqlmap is not able to detect the vulnerability.
>>> I provided the backend dbms (Oracle) via --dbms and tried it also with
>>> --level 5.
>>>
>>> How does sqlmap compare non-html responses? Does it calculate hashes or
>>> does it just look on response size if the reply is not text/html?
>>>
>>> thanks!
>>> (using r3351)
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
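
The two comparison strategies raised in this thread (a `difflib.quick_ratio` score and a content hash), run side by side on constructed response bodies. This is an added example, not sqlmap code or code from any of the posters; the threshold, the helper names and the sample bodies are assumptions made for illustration.

```python
import difflib
import hashlib
import random

THRESHOLD = 0.9  # hypothetical "same page" cut-off, chosen for this example


def fake_image(seed: int, size: int = 32768) -> bytes:
    """Constructed stand-in for a compressed image: PNG magic + high-entropy bytes."""
    rng = random.Random(seed)
    return b"\x89PNG\r\n\x1a\n" + bytes(rng.getrandbits(8) for _ in range(size))


def similarity(a: bytes, b: bytes) -> float:
    # quick_ratio() compares how often each byte value occurs, not where it
    # occurs; the difflib docs describe it as an upper bound on ratio().
    return difflib.SequenceMatcher(None, a, b, autojunk=False).quick_ratio()


def same_by_ratio(a: bytes, b: bytes) -> bool:
    return similarity(a, b) >= THRESHOLD


def same_by_digest(a: bytes, b: bytes) -> bool:
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def verdicts(a: bytes, b: bytes) -> dict:
    return {
        "same_length": len(a) == len(b),
        "quick_ratio": round(similarity(a, b), 3),
        "same_by_ratio": same_by_ratio(a, b),
        "same_by_digest": same_by_digest(a, b),
    }


# Constructed samples: two same-size images with different content, and two
# HTML pages that differ only in a timestamp.
IMG_TRUE, IMG_FALSE = fake_image(1), fake_image(2)
HTML_1 = b"<html><body><p>Order list</p><small>generated 08:46:19</small></body></html>"
HTML_2 = b"<html><body><p>Order list</p><small>generated 08:46:23</small></body></html>"

if __name__ == "__main__":
    print("image pair:", verdicts(IMG_TRUE, IMG_FALSE))
    print("html pair: ", verdicts(HTML_1, HTML_2))
```

For the same-size image pair the byte-frequency score stays above the threshold although the digests differ; for the HTML pair with a changing timestamp the digest flags a difference that the ratio correctly ignores.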