Re: [sqlmap-users] --randomize not respected during warm up?
From: Miroslav S. <mir...@gm...> - 2017-02-28 12:12:54
Hi.

It goes like this. Parameter is randomized, BUT, the parameter value holds the original form. This means that if your parameter is single digit, the following request will be a random value chosen from the [0-9]. This basically means that there is a chance that the following "random" value could be the same as the last one AND that you'll soon be left without any new values (after avg. 8-9 requests).

Hence, use some larger "original" value for that same parameter you want to randomize :)

Bye

On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bpe...@gm...> wrote:

> > On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...> wrote:
> >
> > Hi, testing --randomize for the first time.
> >
> > I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.
> >
> > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on.
> >
> > If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back.
> >
> > It’s a weird injection, but sqlmap seems to think that the page contents is changing during warm-up, even if I append a garbage parameter and tell --randomize to randomize it.
> >
> > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> >
> > I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems --randomize isn’t being respected in the very beginning.
> >
> > Any thoughts? Hopefully this makes sense.
>
> Doing testing through burp suite, I see that the HTTP parameter is indeed randomized, so I am not sure what’s up yet.

--
Miroslav Stampar
http://about.me/stamparm
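Added example, not part of the thread and not sqlmap's own code: a sketch of the form-preserving randomization the reply describes, showing why a short original value runs out of fresh values. It assumes each digit is replaced by a random digit and each letter by a random letter of the same case; the function names and sample values are hypothetical.

```python
import random
import string

# Character classes that are randomized in place; anything else is kept as-is.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)

def randomize_like(value, rng=random):
    """Return a random value with the same length and character classes."""
    out = []
    for ch in value:
        alphabet = next((c for c in CLASSES if ch in c), None)
        out.append(rng.choice(alphabet) if alphabet else ch)
    return "".join(out)

def value_space(value):
    """Number of distinct values randomize_like() can produce for `value`."""
    space = 1
    for ch in value:
        alphabet = next((c for c in CLASSES if ch in c), None)
        if alphabet:
            space *= len(alphabet)
    return space

def repeat_probability(value, requests):
    """Chance that at least two of `requests` randomized values are equal."""
    space = value_space(value)
    if requests > space:
        return 1.0  # pigeonhole: more requests than possible values
    p_all_distinct = 1.0
    for i in range(requests):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct

if __name__ == "__main__":
    # Constructed sample "original" values for the garbage parameter.
    for original in ("1", "1234", "12345678", "a1b2c3d4"):
        print(original, "->", randomize_like(original),
              "space:", value_space(original),
              "P(repeat in 20 requests): %.4f" % repeat_probability(original, 20))
```

With a single-digit original the value space is 10, so a repeated value (and therefore a cached response) is certain within 11 requests; an eight-digit original makes a repeat within 20 requests negligible.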