Re: [sqlmap-users] Another 2 little change
From: Bernardo D. A. G. <ber...@gm...> - 2013-11-19 00:30:12
Hi Marco,

On 14 November 2013 11:31, Marco Mirandola <mm...@gm...> wrote:
> Hello everyone
>
> I thought of 2 small modifications to the source:
> 1) If the selected query came out only one record in this case:
>
> [12:16:30] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
> [12:16:30] [INFO] retrieved: 1
> the SQL query provided can return 1 entries. How many entries do you want to retrieve?
> [a] All (default)
> [#] Specific number
> [q] Quit
> is superfluous to the choices

Done, https://github.com/sqlmapproject/sqlmap/commit/59b6791faa25fa36c72f9b1cae61d5107ecafeba.

> 2) Especially in cases of brute force attacks as "based blind" would be
> appropriate for speedy extraction follow the following rules:
> - In the case of an account after the '@' if the letter after is a 'l' try
> with the next 'ocalhost'.
> - In the case of an email after an '@' and 'h' try with the next 'otmail.',
> Or '@ g' try 'mail.com', all this to gain time and not slaughter the server
> requests. (you should have a file with the main domains so that the program
> verification).

These cases are too specific to those email providers and the MySQL >= 5 users' table. Nonetheless, we do have a number of switches that you may find useful to speed the enumeration process - these are documented here, https://github.com/sqlmapproject/sqlmap/wiki/Usage#optimization.

Specifically to your need, you can tweak the txt/common-outputs.txt file with common output under the relevant label (in the form [label]). This is documented under https://github.com/sqlmapproject/sqlmap/wiki/Usage#output-prediction.

> - If a field is a hash (and that you might as noticing only after 1 or 2
> extractions of the field), you can restrict only the hexadecimal digits

I am not sure this is a good idea and would work well under all circumstances.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)