Re: [sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
From: Miroslav S. <mir...@gm...> - 2011-02-22 08:59:51
just a quick info. right now we handle it like all data, except we don't unencode it - plain byte array (string in python). also, we do a "quick_ratio" on it (like for all pages), so no MD5 whatsoever. this all means that this should work out of the box (since r3122), at least I've expected it to work.

kr

On Tue, Feb 22, 2011 at 9:52 AM, Miroslav Stampar <mir...@gm...> wrote:
> hi again.
>
> it seems that i've mixed some pears and apples.
>
> "How does sqlmap compare non-html responses? Does it calculate hashes or
> does it just look on response size if the reply is not text/html?
>
> thanks! (using r3351)"
>
> right now we've done some initial support but we haven't tested it
> thoroughly. this is the first voice that since that "initial"
> implementation it doesn't work.
>
> we'll do some test pages and fix accordingly.
>
> kr
>
> On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar
> <mir...@gm...> wrote:
>> hi all.
>>
>> "response" is not just a response.
>>
>> response is usually an HTML document with links included toward other
>> documents and/or images.
>>
>> so, for us to be able to "ratio" this we would need to do lots more
>> requests/responses than we do right now.
>>
>> it would require N times more traffic and nobody wants that by default.
>>
>> we could consider doing some extra switch which would download all
>> embedded data, but just imagine how much traffic/slow down that would
>> result in some normal case. i am aware that this would help here and
>> there but i am just waiting for some "smart pants" to NAG how this and
>> this is slow.
>>
>> kr
>>
>> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho
>> <and...@gm...> wrote:
>>> Bernardo,
>>>
>>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G.
>>> <ber...@gm...> wrote:
>>>> At the moment it has no support for these responses. It is in our todo though.
>>>
>>> What's the limitation? Why not handle all answers (regardless of
>>> the real content type) the same? It would be fairly simple to use
>>> difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>>
>>>> Bernardo Damele A. G.
>>>>
>>>> This message was sent from a smartphone
>>>>
>>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a blind sql injection vulnerability that results in different
>>>>> pictures (content type img/png - no html) depending on whether true or false.
>>>>> The size of the picture in terms of bytes and resolution does not
>>>>> change. The content and its hash (e.g. MD5) does.
>>>>>
>>>>> It seems that sqlmap is not able to detect the vulnerability.
>>>>> I provided the backend dbms (Oracle) via --dbms and tried it also with
>>>>> --level 5.
>>>>>
>>>>> How does sqlmap compare non-html responses? Does it calculate hashes or
>>>>> does it just look on response size if the reply is not text/html?
>>>>>
>>>>> thanks! (using r3351)
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Index, Search & Analyze Logs and other IT data in Real-Time with Splunk
>>>>> Collect, index and harness all the fast moving IT data generated by your
>>>>> applications, servers and devices whether physical, virtual or in the cloud.
>>>>> Deliver compliance at lower cost and gain new business insights.
>>>>> Free Software Download: http://p.sf.net/sfu/splunk-dev2dev
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sql...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Andrés Riancho
>>> Director of Web Security at Rapid7 LLC
>>> Founder at Bonsai Information Security
>>> Project Leader at w3af

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
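The comparison Miroslav describes, as an added example that is not code from the thread or from sqlmap: raw, undecoded response bytes fed to difflib's quick_ratio, alongside an MD5 check and the exact ratio(), to show why a histogram-based ratio can treat two same-size PNG bodies as equal even when their content (and hash) differs. The PNG-like sample bodies and the 0.98 threshold are constructed assumptions for this example.

```python
import difflib
import hashlib

# Constructed stand-in for the image bodies in the report (not real captures).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def quick_similarity(a: bytes, b: bytes) -> float:
    # Raw bytes go straight into SequenceMatcher (one element per byte), so a PNG
    # body is compared exactly like an HTML one and is never decoded (0x89 would
    # fail UTF-8 decoding anyway). quick_ratio() compares byte histograms only,
    # which makes it an upper bound on the order-sensitive ratio().
    return difflib.SequenceMatcher(None, a, b).quick_ratio()


def full_similarity(a: bytes, b: bytes) -> float:
    # Exact, order-sensitive ratio(); slower, shown here only to expose what
    # quick_ratio() cannot see.
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def md5_equal(a: bytes, b: bytes) -> bool:
    return hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()


def responses_differ(a: bytes, b: bytes, threshold: float = 0.98) -> bool:
    # The decision a boolean-based check needs: are the two bodies different
    # enough? The threshold is an assumed value, not sqlmap's.
    return quick_similarity(a, b) < threshold


def sample_bodies():
    payload = bytes(range(256)) * 4
    true_body = PNG_MAGIC + payload
    changed = bytearray(payload)
    for i in range(1, 9):                    # same length, 8 bytes differ
        changed[i] = 0
    small_change = PNG_MAGIC + bytes(changed)
    reordered = PNG_MAGIC + payload[::-1]    # same length AND same byte histogram
    return true_body, small_change, reordered


if __name__ == "__main__":
    base, small, reorder = sample_bodies()
    for name, body in (("small change", small), ("reordered", reorder)):
        print(name, "md5 equal:", md5_equal(base, body),
              "quick:", round(quick_similarity(base, body), 4),
              "full:", round(full_similarity(base, body), 4),
              "treated as different:", responses_differ(base, body))
```

Both constructed bodies have a different MD5 from the base body, yet neither crosses the quick_ratio threshold; the reordered one scores a perfect 1.0 because its byte histogram is unchanged.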