Re: [sqlmap-users] Feature Request
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Feature Request
|
From: Bernardo D. A. G. <ber...@gm...> - 2012-01-11 11:32:50
|
Hi Chris, You can tune txt/common-outputs.txt to your needs in order to make --predict-output more efficient for your test. Bernardo On 11 January 2012 11:29, Chris Oakley <chr...@gm...> wrote: > I think Ctrl+C is going to be the only way to do it reliably in Python. I > wasn't actually aware of the --predict-output switch and will have a play, > but from the description it does sound like it falls short a little. That > said, if there are higher priority features or bug fixes... it's not the end > of the world having to wait as it is :) - Chris > > > On 11 January 2012 08:56, Miroslav Stampar <mir...@gm...> > wrote: >> >> Hi again. >> >> Minor update. --predict-output switch will perform well only on start of >> outputs. So, it will greatly speed up the starting part with "Microsoft SQL >> Server" but the rest is done normally (won't go into detail why and how is >> this performed only for the beginning of the retrieved string). >> >> So, the idea with user contributed guesses is still on. >> >> Kind regards, >> Miroslav Stampar >> >> >> On Wed, Jan 11, 2012 at 9:28 AM, Miroslav Stampar >> <mir...@gm...> wrote: >>> >>> Hi Hans. >>> >>> Basically, you are right. --predict-output is a good replacement for this >>> kind cases, but I am not sure if it's enough for Ryan and Chris. >>> >>> Also, i'll need to take a look into it and maybe upgrade it a bit as >>> there hasn't been development on it for more than a year. >>> >>> Kind regards, >>> Miroslav Stampar >>> >>> On Jan 11, 2012 9:11 AM, "Hans Wurst" <wur...@go...> wrote: >>>> >>>> Hello everyone, >>>> >>>> Whats with --predict-output ?? >>>> Maybe you could use that. >>>> >>>> Cheers >>>> >>>> Am 11.01.2012 um 09:09 schrieb Miroslav Stampar >>>> <mir...@gm...>: >>>> >>>> Hi guys. >>>> >>>> This would be implemented long time ago only if Python wasn't such >>>> really bad about interrupting it's processes. Sadly, you can 'pause' >>>> (interrupt) them only by Ctrl+C. Now, I can put this there, but it will be >>>> clumsy at least. >>>> >>>> If you have other ideas how to deal with this problem, please tell >>>> >>>> Kind regards, >>>> Miroslav Stampar >>>> >>>> On Jan 10, 2012 5:50 PM, "Chris Oakley" <chr...@gm...> >>>> wrote: >>>>> >>>>> I'm sure that there are higher priorities than this, but I have to add >>>>> that this would be useful for me too. As an example, on a recent test I was >>>>> grabbing the banner of the DBMS as a quick POC for a client. >>>>> >>>>> The banner was as follows: >>>>> >>>>> Banner: >>>>> --- >>>>> Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) >>>>> Dec 16 2008 19:46:53 >>>>> Copyright (c) 1988-2003 Microsoft Corporation >>>>> Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) >>>>> --- >>>>> >>>>> This was a time based blind injection, so each of the above characters >>>>> took an average of 20 seconds to retrieve. It's perfectly obvious what the >>>>> "Microsoft Corporation" part is going to be, for example. When each >>>>> character takes many queries with wait commands to retrieve, this can be >>>>> quite heavy on the DBMS. >>>>> >>>>> Not a huge deal, but if this feature made it into a future release, I >>>>> certainly wouldn't complain. >>>>> >>>>> Regards >>>>> >>>>> Chris >>>>> >>>>> On 10 January 2012 16:42, ryan cartner <rya...@gm...> wrote: >>>>>> >>>>>> Not sure how difficult this would be to implement, or whether or not >>>>>> anyone elses workflow would benefit from it, but I thought I'd throw it out >>>>>> there. >>>>>> >>>>>> When sqlmap is retrieving characters for a string, it's often obvious >>>>>> what the string is long before sqlmap retrieves it all. Would be nice if I >>>>>> could stop it, submit a guess, and have sqlmap test that before continuing >>>>>> on. >>>>>> >>>>>> I imagine this would be kinda tough with threads but I haven't >>>>>> familiarized myself wtih the code enough to know. >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> Write once. Port to many. >>>>>> Get the SDK and tools to simplify cross-platform app development. >>>>>> Create >>>>>> new or port existing apps to sell to consumers worldwide. Explore the >>>>>> Intel AppUpSM program developer opportunity. >>>>>> appdeveloper.intel.com/join >>>>>> http://p.sf.net/sfu/intel-appdev >>>>>> _______________________________________________ >>>>>> sqlmap-users mailing list >>>>>> sql...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>>> >>>>> >>>>> >>>>> >>>>> ------------------------------------------------------------------------------ >>>>> Write once. Port to many. >>>>> Get the SDK and tools to simplify cross-platform app development. >>>>> Create >>>>> new or port existing apps to sell to consumers worldwide. Explore the >>>>> Intel AppUpSM program developer opportunity. >>>>> appdeveloper.intel.com/join >>>>> http://p.sf.net/sfu/intel-appdev >>>>> _______________________________________________ >>>>> sqlmap-users mailing list >>>>> sql...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a >>>> complex >>>> infrastructure or vast IT resources to deliver seamless, secure access >>>> to >>>> virtual desktops. With this all-in-one solution, easily deploy virtual >>>> desktops for less than the cost of PCs and save 60% on VDI >>>> infrastructure >>>> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox >>>> >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm > > > > ------------------------------------------------------------------------------ > Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex > infrastructure or vast IT resources to deliver seamless, secure access to > virtual desktops. With this all-in-one solution, easily deploy virtual > desktops for less than the cost of PCs and save 60% on VDI infrastructure > costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) |
