Re: [sqlmap-users] Comparative precomputation
From: Andres R. <and...@gm...> - 2013-02-20 14:12:15
Miroslav,

On Wed, Feb 20, 2013 at 4:15 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> In theory this works, in practice it doesn't. We already overturned 2-3 guys
> proposing this. Today's pages are too dynamic (banners, promos, etc.).

But sqlmap already supports comparing pages with minor differences (using difflib, correct?)

> Also,
> you would need a parameter value with a big covering range (lots of
> different values).

256 different rows for a table doesn't seem to be something difficult to find; while not possible in all cases, I agree.

> Also, whoever wrote this doesn't have a clue about this subject: 'The
> attacker would then take a checksum of the returned html data'. This is
> being done in kiddish scripts. Real SQLi tool knows that checksum is faaar
> from reliable.

See difflib above.

> Anyway, answer is no.

I think you're disregarding a good idea (if correctly implemented it provides an 8-times performance improvement) way too fast. Implementation is going to be difficult, but the benefits are great.

> Kind regards,
> Miroslav Stampar
>
> On Feb 20, 2013 2:11 AM, "Julius Kivimäki" <jul...@gm...>
> wrote:
>>
>> Should probably look into adding this,
>> http://www.blackhatlibrary.net/SQL_injection/Blind/Comparative_precomputation
>>
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_d2d_feb
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
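The disagreement above (checksums are unreliable on dynamic pages vs. difflib tolerates minor differences) comes down to how a tool decides whether two responses are "the same page". The following is an added illustration, not code from sqlmap or from any poster in this thread: it compares a hash fingerprint with a difflib ratio, and shows the standard way around rotating banners, namely fetching one page twice, recording prefix/suffix markers around whatever changed, and stripping those regions before comparing. The three HTML responses are constructed samples for a hypothetical product page, and the marker-learning logic is a generic approach written for this example, not a description of sqlmap's internals.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample responses (hypothetical product page).
# PAGE_A and PAGE_A_LATER are the same record fetched twice; only a rotating
# promo banner differs. PAGE_B is a genuinely different record.
PAGE_A = (
    '<html><body>\n<div class="banner">Spring sale: 20% off!</div>\n'
    '<table><tr><td>id</td><td>42</td></tr>'
    '<tr><td>name</td><td>widget</td></tr></table>\n</body></html>'
)
PAGE_A_LATER = PAGE_A.replace("Spring sale: 20% off!", "Free shipping this week only")
PAGE_B = (
    '<html><body>\n<div class="banner">Spring sale: 20% off!</div>\n'
    '<table><tr><td>id</td><td>7</td></tr>'
    '<tr><td>name</td><td>gadget</td></tr>'
    '<tr><td>status</td><td>discontinued</td></tr></table>\n</body></html>'
)


def page_checksum(html: str) -> str:
    """Naive fingerprint: any changed byte, banner included, changes the hash."""
    return hashlib.md5(html.encode("utf-8")).hexdigest()


def similarity(a: str, b: str) -> float:
    """difflib ratio in [0, 1]; 1.0 means the two texts are identical."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def learn_dynamic_markings(sample1: str, sample2: str, context: int = 8):
    """Given two fetches of the SAME page, return (prefix, suffix) pairs that
    bracket every region that changed between them. Matching runs shorter than
    `context` characters are treated as noise inside a dynamic region."""
    sm = SequenceMatcher(None, sample1, sample2, autojunk=False)
    stable = [blk for blk in sm.get_matching_blocks() if blk.size >= context]
    markings = []
    a_end = b_end = 0  # end of the previous stable block in sample1 / sample2
    for blk in stable:
        if blk.a > a_end or blk.b > b_end:  # something changed in the gap
            prefix = sample1[max(0, a_end - context):a_end]
            suffix = sample1[blk.a:blk.a + context]
            markings.append((prefix, suffix))
        a_end, b_end = blk.a + blk.size, blk.b + blk.size
    if a_end < len(sample1) or b_end < len(sample2):  # trailing dynamic tail
        markings.append((sample1[max(0, a_end - context):a_end], ""))
    return markings


def strip_dynamic(page: str, markings) -> str:
    """Remove the text between each learned prefix and suffix; an empty prefix
    means 'from the start', an empty suffix means 'to the end'."""
    for prefix, suffix in markings:
        start = page.find(prefix)
        if start < 0:
            continue
        start += len(prefix)
        end = page.find(suffix, start) if suffix else len(page)
        if end < 0:
            continue
        page = page[:start] + page[end:]
    return page


def same_page(page: str, reference: str, markings, threshold: float = 0.98) -> bool:
    """Compare two responses after stripping known-dynamic regions."""
    return similarity(strip_dynamic(page, markings),
                      strip_dynamic(reference, markings)) >= threshold


if __name__ == "__main__":
    marks = learn_dynamic_markings(PAGE_A, PAGE_A_LATER)
    print("checksums equal:", page_checksum(PAGE_A) == page_checksum(PAGE_A_LATER))
    print("raw ratio A vs A_LATER: %.3f" % similarity(PAGE_A, PAGE_A_LATER))
    print("learned markings:", marks)
    print("same record after stripping:", same_page(PAGE_A_LATER, PAGE_A, marks))
    print("different record after stripping:", same_page(PAGE_B, PAGE_A, marks))
```

The checksum comparison fails as soon as the banner rotates, which is the point made in the quoted reply; the raw ratio drops below 1.0 but stays high; and once the banner region is learned from two fetches of the same page and stripped, the two fetches compare as identical while the different record does not. A threshold such as 0.98 is only meaningful after that stripping step, which is why a tool that relies on similarity alone still needs a dynamic-content pass.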