Re: [sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:52:27
hi again.

it seems that i've mixed some pears and apples.

"How does sqlmap compare non-html responses? Does it calculate hashes or does it just look at response size if the reply is not text/html? thanks! (using r3351)"

right now we've done some initial support but we haven't tested it thoroughly. this is the first voice saying that since that "initial" implementation it doesn't work. we'll do some test pages and fix accordingly.

kr

On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi all.
>
> "response" is not just a response.
>
> response is usually an HTML document with links included toward other
> documents and/or images.
>
> so, for us to be able to "ratio" this we would need to do lots more
> requests/responses than we do right now.
>
> it would require N times more traffic and nobody wants that by default.
>
> we could consider doing some extra switch which would download all
> embedded data, but just imagine how much traffic/slowdown that would
> result in some normal case. i am aware that this would help here and
> there but i am just waiting for some "smart pants" to NAG about how this and
> that is slow.
>
> kr
>
> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho
> <and...@gm...> wrote:
>> Bernardo,
>>
>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G.
>> <ber...@gm...> wrote:
>>> At the moment it has no support for these responses. It is in our todo though.
>>
>> What's the limitation? Why not handle all answers (regardless of
>> the real content type) the same? It would be fairly simple to use
>> difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>
>>> Bernardo Damele A. G.
>>>
>>> This message was sent from a smartphone
>>>
>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a blind sql injection vulnerability that results in different
>>>> pictures (content type img/png - no html) depending on whether true or false.
>>>> The size of the picture in terms of bytes and resolution does not
>>>> change. The content and its hash (e.g. MD5) do.
>>>>
>>>> It seems that sqlmap is not able to detect the vulnerability.
>>>> I provided the backend dbms (Oracle) via --dbms and tried it also with
>>>> --level 5.
>>>>
>>>> How does sqlmap compare non-html responses? Does it calculate hashes or
>>>> does it just look at response size if the reply is not text/html?
>>>>
>>>> thanks! (using r3351)
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Index, Search & Analyze Logs and other IT data in Real-Time with Splunk
>>>> Collect, index and harness all the fast moving IT data generated by your
>>>> applications, servers and devices whether physical, virtual or in the cloud.
>>>> Deliver compliance at lower cost and gain new business insights.
>>>> Free Software Download: http://p.sf.net/sfu/splunk-dev2dev
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
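The thread turns on how a boolean-blind response pair should be compared when the body is a PNG of unchanged size rather than HTML. The following is an added example, not sqlmap's code and not anything posted in the thread: it compares two constructed same-length "image" bodies and a constructed HTML pair by size, by hash, by difflib's quick_ratio() (the call suggested above) and by ratio(). The 0.98 similarity threshold, the byte strings and all function names are assumptions made for the illustration.

```python
"""Compare HTTP response bodies for boolean-blind SQL injection the ways
the sqlmap-users thread discusses: size, hash and difflib similarity.

Added example. All sample bodies are constructed inline (no real captures,
nothing is fetched) and none of this is sqlmap's own implementation.
"""
import difflib
import hashlib

# Constructed stand-ins for the TRUE/FALSE pictures in the original report:
# identical length, identical header, different "pixel" bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
TRUE_IMAGE = PNG_MAGIC + b"IHDR" + bytes(range(256)) * 4
FALSE_IMAGE = PNG_MAGIC + b"IHDR" + bytes(range(256)) * 3 + bytes(range(255, -1, -1))

# Constructed HTML pair: the same page, only a per-request timestamp differs.
HTML_A = b"<html><body><h1>Profile</h1><p>Generated 2011-02-22 08:52:27</p></body></html>"
HTML_B = b"<html><body><h1>Profile</h1><p>Generated 2011-02-22 08:52:21</p></body></html>"

# Assumed threshold: bodies at least this similar count as "the same page".
SIMILARITY_THRESHOLD = 0.98


def same_by_size(a: bytes, b: bytes) -> bool:
    """Weakest check: only the body length (Content-Length) is compared."""
    return len(a) == len(b)


def same_by_hash(a: bytes, b: bytes) -> bool:
    """Exact check: any differing byte flips the verdict, including harmless
    dynamic content such as timestamps or CSRF tokens."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def similarity(a: bytes, b: bytes, quick: bool = False) -> float:
    """difflib similarity in [0, 1] over the raw bytes.

    quick_ratio() is only an upper bound derived from byte frequencies, so two
    bodies that are permutations of each other score 1.0; ratio() performs the
    real longest-match diff and is the figure to act on."""
    sm = difflib.SequenceMatcher(None, a, b)
    return sm.quick_ratio() if quick else sm.ratio()


def same_by_ratio(a: bytes, b: bytes, threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """Fuzzy check: tolerates small dynamic differences, still separates
    bodies whose bytes genuinely diverge."""
    return similarity(a, b) >= threshold


def classify(baseline: bytes, candidate: bytes,
             threshold: float = SIMILARITY_THRESHOLD) -> str:
    """Label a candidate response as the TRUE baseline page or a FALSE page,
    using the fuzzy ratio so it works for HTML and binary bodies alike."""
    return "TRUE" if same_by_ratio(baseline, candidate, threshold) else "FALSE"


def distinguishing_checks(true_body: bytes, false_body: bytes,
                          threshold: float = SIMILARITY_THRESHOLD) -> dict:
    """Report which comparison strategies would tell the two bodies apart."""
    return {
        "size": not same_by_size(true_body, false_body),
        "hash": not same_by_hash(true_body, false_body),
        "quick_ratio": similarity(true_body, false_body, quick=True) < threshold,
        "ratio": not same_by_ratio(true_body, false_body, threshold),
    }


if __name__ == "__main__":
    # Equal-size images: size says "same", quick_ratio says "same" (it only
    # counts bytes), hash and ratio both see the difference.
    print("images:", distinguishing_checks(TRUE_IMAGE, FALSE_IMAGE))
    # Dynamic HTML: hash fires on the timestamp alone, the fuzzy ratio does not.
    print("html:  ", distinguishing_checks(HTML_A, HTML_B))
    print("verdict for FALSE image:", classify(TRUE_IMAGE, FALSE_IMAGE))
```

The two pairs show why a single strategy is not enough: a size-only comparison misses the reporter's case entirely, an exact hash detects it but would also flag every dynamic HTML page as "different", and difflib.quick_ratio() cannot see the reordered bytes at all because it only compares byte histograms. SequenceMatcher.ratio() handles both pairs, at the cost of a diff that grows quickly with body size, which matters for large images.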