Re: [sqlmap-users] Little tip in predict output.
From: Rodrigo Z. S. <rod...@gm...> - 2014-09-07 22:38:11
Wow... The more I read the manual, the more I see I can't do it. The best option until now was to use a TRUE and FALSE case. The predict-output ISN'T what I thought it was. Hum...

What I want to do is just:
-> Do a great SQL code and download an HTML page
-> Run a function: u_char translate_page("html_page").
-> Use the number, from 0 to 255, to continue doing any hack, because this is the translated value.

I just want to write this function and use all the good things from the program. Although I can append some code in SQL, I need to use the downloaded page.

Any tip?

2014-09-07 16:34 GMT-03:00 Rodrigo Zanatta Silva <rod...@gm...>:

> Hi friends.
>
> I found a sqlinject in one page before I even knew this great tool. It
> works in a simple way:
>
> I can get any character from the table, then I convert it to a number and it
> downloads a bank page. (I don't know how to translate it to English.) Anyway,
> this page has a unique number. So, I list all 1 to 255 unique numbers. If
> my SQL downloads one page, I just compare the number and get the value. With
> it, I can get anything (even files).
>
> But sqlmap has a good and very tested way to dump the database. Mine
> was crap. So, how can I translate this to the program? Although it CAN
> download the database, I can make it faster. The program gets some
> letters and tests with greater than a number. I can speed up because every
> download WILL return one value.
>
> But the irony is that I will need to use only one thread. Lol, this is
> useless. What are my options :D
>
> Just to be clear, I do a SQL command, it returns, like, id=78, and downloads
> one page (I can't get the URL of the returned page). After I download it (40kb),
> I do a small Python command to parse the number (just get the text between
> two texts), then just compare in a case and get the value.
>
> Any tip?