Re: [sqlmap-users] --randomize not respected during warm up?
From: Miroslav S. <mir...@gm...> - 2017-02-28 12:18:01
p.s. with the latest commit I've (at least) prevented that the last value is the same as the following "randomized" (e.g. original 1 -> random 1 <- because this one is chosen as randint(1,9) and there was a chance that it will get the original value)

On Tue, Feb 28, 2017 at 1:12 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> It goes like this. Parameter is randomized, BUT, the parameter value holds
> the original form. This means that if your parameter is single digit, the
> following request will be a random value chosen from the [0-9]. This
> basically means that there is a chance that the following "random" value
> could be the same as the last one AND that you'll soon be left without any
> new values (after avg. 8-9 requests).
>
> Hence, use some larger "original" value for that same parameter you want
> to randomize :)
>
> Bye
>
> On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bpe...@gm...> wrote:
>
>> > On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...> wrote:
>> >
>> > Hi, testing --randomize for the first time.
>> >
>> > I have an injection that is certainly boolean-injectable as I can
>> > exploit by hand, but the content of the response can change if the url
>> > requested seems to have been hit before.
>> >
>> > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned.
>> > If I do it again, I get 150 bytes back from now on.
>> >
>> > If I append a garbage HTTP parameter and randomize the value in the
>> > parameter, I always get 100 bytes back.
>> >
>> > It's a weird injection, but sqlmap seems to think that the page
>> > contents is changing during warm-up, even if I append a garbage parameter
>> > and tell --randomize to randomize it.
>> >
>> > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the
>> > page comparison on a sequence matcher. If no dynamic nor injectable
>> > parameters are detected, or in case of junk results, refer to user's manual
>> > paragraph 'Page comparison' and provide a string or regular expression to
>> > match on
>> >
>> > I have verified by hand that changing the HTTP parameter value each
>> > request results in the same data from the injection being returned from the
>> > server. It seems --randomize isn't being respected in the very beginning.
>> >
>> > Any thoughts? Hopefully this makes sense.
>>
>> Doing testing through burp suite, I see that the HTTP parameter is indeed
>> randomized, so I am not sure what's up yet.
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm