Re: [sqlmap-users] detecting blind sql injection vulnerabilities in non-text output pages
From: Miroslav S. <mir...@gm...> - 2011-02-22 17:23:31
just to confirm that this should work now. we've made some image-based testing pages and it works ok now.

kr

On Tue, Feb 22, 2011 at 12:34 PM, Miroslav Stampar <mir...@gm...> wrote:
> hi again.
>
> in the latest commit (r3356) we've fixed some issues related to
> non-HTML documents.
>
> please give it a try again and report observations.
>
> kr
>
> On Tue, Feb 22, 2011 at 9:59 AM, Miroslav Stampar <mir...@gm...> wrote:
>> just a quick info.
>>
>> right now we handle it like all data, except we don't unencode it:
>> plain byte array (string in python).
>>
>> also, we do a "quick_ratio" on it (like for all pages), so no MD5 whatsoever.
>>
>> this all means that this should work out of the box (since r3122),
>> at least I've expected it to work.
>>
>> kr
>>
>> On Tue, Feb 22, 2011 at 9:52 AM, Miroslav Stampar <mir...@gm...> wrote:
>>> hi again.
>>>
>>> it seems that i've mixed some pears and apples.
>>>
>>> "How does sqlmap compare non-html responses? Does it calculate hashes or
>>> does it just look at response size if the reply is not text/html?
>>>
>>> thanks! (using r3351)"
>>>
>>> right now we've done some initial support but we haven't tested it
>>> thoroughly. this is the first voice that since that "initial"
>>> implementation it doesn't work.
>>>
>>> we'll do some test pages and fix accordingly.
>>>
>>> kr
>>>
>>> On Tue, Feb 22, 2011 at 9:46 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> hi all.
>>>>
>>>> "response" is not just a response.
>>>>
>>>> response is usually an HTML document with links included toward other
>>>> documents and/or images.
>>>>
>>>> so, for us to be able to "ratio" this we would need to do lots more
>>>> requests/responses than we do right now.
>>>>
>>>> it would require N times more traffic and nobody wants that by default.
>>>>
>>>> we could consider doing some extra switch which would download all
>>>> embedded data, but just imagine how much traffic/slowdown that would
>>>> result in in some normal case. i am aware that this would help here and
>>>> there but i am just waiting for some "smart pants" to NAG how this and
>>>> this is slow.
>>>>
>>>> kr
>>>>
>>>> On Tue, Feb 22, 2011 at 3:24 AM, Andres Riancho <and...@gm...> wrote:
>>>>> Bernardo,
>>>>>
>>>>> On Mon, Feb 21, 2011 at 7:43 PM, Bernardo Damele A. G. <ber...@gm...> wrote:
>>>>>> At the moment it has no support for these responses. It is in our todo though.
>>>>>
>>>>> What's the limitation? Why not handle all answers (regardless of
>>>>> the real content type) the same? It would be fairly simple to use
>>>>> difflib.quick_ratio to compare any HTTP response body. I'm curious :)
>>>>>
>>>>>> Bernardo Damele A. G.
>>>>>>
>>>>>> This message was sent from a smartphone
>>>>>>
>>>>>> On 21 Feb 2011, at 21:56, "bu...@gm..." <bu...@gm...> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a blind sql injection vulnerability that results in different
>>>>>>> pictures (content type img/png - no html) depending on whether true or false.
>>>>>>> The size of the picture in terms of bytes and resolution does not
>>>>>>> change. The content and its hash (e.g. MD5) does.
>>>>>>>
>>>>>>> It seems that sqlmap is not able to detect the vulnerability.
>>>>>>> I provided the backend dbms (Oracle) via --dbms and tried it also with
>>>>>>> --level 5.
>>>>>>>
>>>>>>> How does sqlmap compare non-html responses? Does it calculate hashes or
>>>>>>> does it just look at response size if the reply is not text/html?
>>>>>>>
>>>>>>> thanks! (using r3351)
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sql...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Director of Web Security at Rapid7 LLC
>>>>> Founder at Bonsai Information Security
>>>>> Project Leader at w3af

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
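The thread contrasts three ways of deciding whether a binary (PNG) response body changed between a true and a false injected condition: response size, an MD5 of the body, and difflib's quick_ratio on the raw bytes, which is what the sqlmap developers say they do. The following is an added example written for this page, not sqlmap's own code: it builds two equally sized fake image bodies (constructed in-process, not real PNG chunks), runs the three checks side by side, and drives a boolean-based blind extraction against a simulated endpoint using only image comparison. The names fake_image, compare, matches_baseline, vulnerable_endpoint, extract_secret, the SECRET value and the 0.98 MATCH_THRESHOLD are all assumptions of this example and are not sqlmap constants or APIs.

```python
"""Comparing binary (e.g. PNG) response bodies for boolean-based blind SQLi.

Added example for this thread; not sqlmap's own code. The image bodies are
constructed in-process, the endpoint is simulated, and the similarity
threshold is an assumption chosen for the demo.
"""
import difflib
import hashlib
import string
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG signature, used here only as a recognisable prefix
WIDTH = HEIGHT = 64


def fake_image(rect, value):
    """Constructed stand-in for a PNG body: the signature followed by a
    WIDTH*HEIGHT 8-bit grayscale raster (no chunks, no compression) with one
    rectangle (x, y, w, h) painted with `value`. Every call returns the same
    number of bytes, mirroring the report where only pixel content changes."""
    raster = bytearray(WIDTH * HEIGHT)
    x, y, w, h = rect
    for row in range(y, y + h):
        start = row * WIDTH + x
        raster[start:start + w] = bytes([value]) * w
    return PNG_MAGIC + bytes(raster)


TRUE_IMG = fake_image((8, 8, 16, 16), 0xFF)     # served when the injected condition holds
FALSE_IMG = fake_image((8, 8, 16, 16), 0x80)    # same layout, different shade
MOVED_IMG = fake_image((40, 40, 16, 16), 0xFF)  # same pixels as TRUE_IMG, relocated


def quick_ratio(a, b):
    """difflib similarity on the raw byte arrays (ints 0-255), with no text
    decoding. quick_ratio() only compares byte histograms and is an upper
    bound on ratio(), which is what keeps it cheap enough for every response."""
    return difflib.SequenceMatcher(None, a, b).quick_ratio()


def compare(a, b):
    """The three oracles discussed in the thread, side by side."""
    return {
        "same_size": len(a) == len(b),
        "same_md5": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "quick_ratio": quick_ratio(a, b),
    }


MATCH_THRESHOLD = 0.98  # assumed cut-off for this demo, not a sqlmap constant


def matches_baseline(baseline, candidate, threshold=MATCH_THRESHOLD):
    """True when `candidate` is similar enough to the known-true baseline."""
    return quick_ratio(baseline, candidate) >= threshold


# --- simulated vulnerable endpoint (constructed for the demo) ---------------
SECRET = "sa"   # constructed value that the blind injection recovers below


def vulnerable_endpoint(pos: Optional[int] = None, guess: str = "") -> bytes:
    """Models the reporter's page: one of two equally sized images, chosen by
    whether the injected condition (think SUBSTR(secret, pos+1, 1) = guess)
    held. pos=None is the unmodified request, whose condition is true."""
    condition = True if pos is None else SECRET[pos] == guess
    return TRUE_IMG if condition else FALSE_IMG


def extract_secret(length, alphabet=string.ascii_lowercase + string.digits):
    """Boolean-based blind extraction driven only by image comparison."""
    baseline = vulnerable_endpoint()          # known-true response
    found = ""
    for pos in range(length):
        for ch in alphabet:
            if matches_baseline(baseline, vulnerable_endpoint(pos, ch)):
                found += ch
                break
    return found


if __name__ == "__main__":
    print("true vs false:", compare(TRUE_IMG, FALSE_IMG))
    print("true vs moved:", compare(TRUE_IMG, MOVED_IMG))
    print("recovered:", extract_secret(len(SECRET)))
```

Size alone cannot separate TRUE_IMG from FALSE_IMG (both are 4104 bytes), MD5 separates them but gives no graded answer, and quick_ratio lands around 0.94, well under the assumed 0.98 cut-off, so the extraction succeeds. The MOVED_IMG case is the caveat: quick_ratio only looks at byte histograms, so an image whose pixels merely moved scores 1.0 against the baseline even though its MD5 differs. Comparing the bytes without decoding them as text, as the thread describes, matters too: a codec would either raise or silently alter the bytes being compared.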