Re: [sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
From: Miroslav S. <mir...@gm...> - 2011-02-22 11:34:23
hi again. in the latest commit (r3356) we've fixed some issues related to non-HTML documents. please give it a try again and report observations.

kr

On Tue, Feb 22, 2011 at 9:59 AM, Miroslav Stampar <mir...@gm...> wrote:
> just a quick info.
>
> right now we handle it like all data, except we don't unencode it -
> plain byte array (string in python).
>
> also, we do a "quick_ratio" on it (like for all pages), so no MD5 whatsoever.
>
> this all means that this should work out of the box (since r3122),
> at least I've expected it to work.
>
> kr
>
> On Tue, Feb 22, 2011 at 9:52 AM, Miroslav Stampar
> <mir...@gm...> wrote:
>> hi again.
>>
>> it seems that i've mixed some pears and apples.
>>
>> "How does sqlmap compare non-html responses? Does it calculate hashes or
>> does it just look at response size if the reply is not text/html?
>>
>> thanks! (using r3351)"
>>
>> right now we've done some initial support but we haven't tested it
>> thoroughly. this is the first voice that since that "initial"
>> implementation it doesn't work.
>>
>> we'll do some test pages and fix accordingly.
>>
>> kr
>>
>> On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar
>> <mir...@gm...> wrote:
>>> hi all.
>>>
>>> "response" is not just a response.
>>>
>>> response is usually an HTML document with links included toward other
>>> documents and/or images.
>>>
>>> so, for us to be able to "ratio" this we would need to do lots more
>>> requests/responses than we do right now.
>>>
>>> it would require N times more traffic and nobody wants that by default.
>>>
>>> we could consider doing some extra switch which would download all
>>> embedded data, but just imagine how much traffic/slow down that would
>>> result in some normal case. i am aware that this would help here and
>>> there but i am just waiting for some "smart pants" to NAG how this and
>>> this is slow.
>>>
>>> kr
>>>
>>> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho
>>> <and...@gm...> wrote:
>>>> Bernardo,
>>>>
>>>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G.
>>>> <ber...@gm...> wrote:
>>>>> At the moment it has no support for these responses. It is in our todo though.
>>>>
>>>> What's the limitation? Why not handle all answers (regardless of
>>>> the real content type) the same? It would be fairly simple to use
>>>> difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>>>
>>>>> Bernardo Damele A. G.
>>>>>
>>>>> This message was sent from a smartphone
>>>>>
>>>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have a blind sql injection vulnerability that results in different
>>>>>> pictures (content type img/png - no html) depending on whether true or false.
>>>>>> The size of the picture in terms of bytes and resolution does not
>>>>>> change. The content and its hash (e.g. MD5) does.
>>>>>>
>>>>>> It seems that sqlmap is not able to detect the vulnerability.
>>>>>> I provided the backend dbms (Oracle) via --dbms and tried it also with
>>>>>> --level 5.
>>>>>>
>>>>>> How does sqlmap compare non-html responses? Does it calculate hashes or
>>>>>> does it just look at response size if the reply is not text/html?
>>>>>>
>>>>>> thanks! (using r3351)
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Index, Search & Analyze Logs and other IT data in Real-Time with Splunk
>>>>>> Collect, index and harness all the fast moving IT data generated by your
>>>>>> applications, servers and devices whether physical, virtual or in the cloud.
>>>>>> Deliver compliance at lower cost and gain new business insights.
>>>>>> Free Software Download: http://p.sf.net/sfu/splunk-dev2dev
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Director of Web Security at Rapid7 LLC
>>>> Founder at Bonsai Information Security
>>>> Project Leader at w3af

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
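The thread turns on how a boolean-oracle scanner decides whether two non-HTML responses "differ": the reporter asks whether sqlmap hashes or size-checks them, and Miroslav answers that it runs difflib's quick_ratio over the raw byte string. The following is an added example (written for this page, not sqlmap's code) that compares the three strategies on constructed byte bodies of identical length, so that a reader can see why a size check is blind to the reporter's PNG case, why a hash is too strict for dynamic pages, and one caveat of quick_ratio() itself: it only compares byte histograms, so two bodies with the same bytes in a different order score 1.0 and need the order-aware ratio() to be told apart. The 0.98 threshold, the quick_ratio-then-ratio cascade and the sample bodies are all assumptions of this example, not sqlmap's settings.

```python
import difflib
import hashlib

# Constructed sample bodies (not real images, not sqlmap code): an 8-byte
# PNG signature followed by filler. RESP_TRUE and RESP_FALSE have the same
# length but different content, like the reporter's PNG case. RESP_PERMUTED
# holds exactly the bytes of RESP_TRUE in a different order, which exposes
# the histogram-only nature of quick_ratio().
PNG_SIG = b"\x89PNG\r\n\x1a\n"
RESP_TRUE = PNG_SIG + b"\x00" * 200 + b"\xff" * 200
RESP_FALSE = PNG_SIG + b"\x00" * 300 + b"\xff" * 100
RESP_PERMUTED = PNG_SIG + b"\xff" * 200 + b"\x00" * 200


def same_size(a: bytes, b: bytes) -> bool:
    """Content-Length style check: blind to any change that keeps the size."""
    return len(a) == len(b)


def same_hash(a: bytes, b: bytes) -> bool:
    """MD5 check: catches every byte change, including harmless ones
    (timestamps, random ids), so it cannot tolerate dynamic content."""
    return hashlib.md5(a).digest() == hashlib.md5(b).digest()


def quick_ratio(a: bytes, b: bytes) -> float:
    """difflib.SequenceMatcher.quick_ratio() over raw bytes (iterating bytes
    yields ints, which difflib handles). It compares only the multiset of
    bytes, so it is an upper bound on ratio() and ignores ordering."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).quick_ratio()


def full_ratio(a: bytes, b: bytes) -> float:
    """Order-aware similarity. autojunk is disabled because it would discard
    every byte that occurs often, which in a binary blob is most of them."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def looks_different(a: bytes, b: bytes, threshold: float = 0.98) -> bool:
    """Decide whether two responses count as 'different' for a boolean oracle.
    quick_ratio() serves as a cheap first filter; only when it says 'similar'
    is the slower ratio() consulted. Threshold and cascade are assumptions."""
    if quick_ratio(a, b) < threshold:
        return True
    return full_ratio(a, b) < threshold


def report(a: bytes, b: bytes) -> dict:
    """Run every strategy on one pair so the results can be compared side by side."""
    return {
        "same_size": same_size(a, b),
        "same_hash": same_hash(a, b),
        "quick_ratio": round(quick_ratio(a, b), 4),
        "ratio": round(full_ratio(a, b), 4),
        "different": looks_different(a, b),
    }


if __name__ == "__main__":
    for name, pair in (("true vs false", (RESP_TRUE, RESP_FALSE)),
                       ("true vs permuted", (RESP_TRUE, RESP_PERMUTED)),
                       ("true vs true", (RESP_TRUE, RESP_TRUE))):
        print(f"{name:18} {report(*pair)}")
```

On the first pair the size check reports "same" while hash, quick_ratio (about 0.75) and ratio all see the change; on the permuted pair quick_ratio returns 1.0 and only ratio (about 0.51) or the hash notices. The practical takeaway for anyone tuning a comparison engine is that a histogram ratio is a fast prefilter, not a substitute for an order-aware comparison when the body is binary.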