Re: [sqlmap-users] Avoid doing 30 connections in time attack
From: Rodrigo Z. S. <rod...@gm...> - 2017-02-14 16:20:13
I understand your point. But this will be a good thing. This was not the first time that I have had a problem with it. Because I only have X calls before the server crashes, obviously I can't dump long data with it. But there are a lot of useful things, like trying to find out whether I can read/write a file. I just need one (or a few) calls.

Just to point out one thing: you forget the human side. I can set a big --time-sec and I can, myself, see whether it is true or a false positive.

Thanks for this change, anyway. It will be useful.

2017-02-14 10:17 GMT-02:00 Miroslav Stampar <mir...@gm...>:

> Hi.
>
> Obviously, don't use --threads in those kinds of situations. Also,
> --keep-alive could be a good choice together with the (hidden) switch
> --disable-precon.
>
> As for time-based SQLi. Well, without the (as Brandon mentioned)
> statistical model, sqlmap will have a problem. Also, if the application is
> doing "sporadic" timeouts I am not sure how, in the first place, you are
> expecting sqlmap to detect whether there was a deliberate delay or not.
>
> Anyway, I've just pushed a change where you can now use
> --disable-stats just for this one thing you are looking for. As for whether
> sqlmap will now correctly perform tests (by using this option it is
> strictly looking into the response times and doing a dumb delay inference -
> if the response time is more than the one given by --time-sec) I kind of doubt it.
>
> Bye
>
> On Mon, Feb 13, 2017 at 5:47 PM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>
>> Yes, because with every call I create an error in the server. So, I can only
>> make X calls before the pool of connections is full. Then I need to wait for
>> the server to close these connections and try again.
>>
>> 2017-02-13 14:43 GMT-02:00 Brandon Perry <bpe...@gm...>:
>>
>>> > On Feb 13, 2017, at 10:39 AM, Rodrigo Zanatta Silva <rod...@gm...> wrote:
>>> >
>>> > How can I disable sqlmap doing 30 connections before it starts doing
>>> > the time attack?
>>>
>>> You have to build a statistical model of how quickly the requests
>>> generally return to ensure accuracy during a timing attack. You can’t get
>>> around this. A boolean-based timing attack is going to take a whole lot of
>>> requests anyway, are you really worried about an extra 30?
>>>
>>> > Is there an option, or do I need to find it in the code? And where is this set?
>
> --
> Miroslav Stampar
> http://about.me/stamparm
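
Added example (not part of the original thread and not sqlmap's own code): the two delay-inference strategies discussed above, a baseline model of normal response times versus the plain comparison against --time-sec, run over constructed timings. The function names, the 30-sample minimum and the coefficient of 7 standard deviations are assumptions of this example.

```python
import statistics

MIN_SAMPLES = 30  # assumed baseline size (the 30 requests discussed in the thread)
STDEV_COEFF = 7   # assumed: standard deviations above the mean that count as abnormal

# Constructed timings in seconds; neither baseline contains a deliberate delay.
STABLE = [0.18, 0.20, 0.22] * 10        # steady server
JITTERY = [0.20] * 27 + [6.0] * 3       # server with sporadic timeouts


def baseline_threshold(samples, coeff=STDEV_COEFF):
    """Upper bound of a 'normal' response time: mean + coeff * stdev."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError("need at least %d baseline samples" % MIN_SAMPLES)
    return statistics.mean(samples) + coeff * statistics.pstdev(samples)


def is_delayed(elapsed, samples, time_sec, use_stats=True):
    """Decide whether one response time indicates a deliberate delay.

    use_stats=True  -> compare against the baseline model (time_sec unused)
    use_stats=False -> plain comparison against time_sec, as described
                       in the thread for --disable-stats
    """
    if use_stats:
        return elapsed >= baseline_threshold(samples)
    return elapsed >= time_sec


def report(time_sec=5):
    """Classify three constructed observations under both strategies."""
    rows = []
    for label, elapsed, samples in [
        ("stable, normal reply", 0.25, STABLE),
        ("stable, delayed reply", 5.2, STABLE),
        ("jittery, sporadic timeout", 6.0, JITTERY),
    ]:
        rows.append((label,
                     is_delayed(elapsed, samples, time_sec, use_stats=True),
                     is_delayed(elapsed, samples, time_sec, use_stats=False)))
    return rows


if __name__ == "__main__":
    for label, with_stats, without_stats in report():
        print("%-26s stats=%-5s time-sec only=%s" % (label, with_stats, without_stats))
```

On the jittery baseline the model's bound is about 13 seconds, so neither the sporadic timeout nor a 5-second delay can be attributed to the query; the plain comparison reports the timeout as a delay.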