Re: [sqlmap-users] --randomize not respected during warm up?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

p.s. with the latest commit I've (at least) prevented that the last value
is the same as the following "randomized" (e..g. original 1 -> random 1 <-
because, this one is chosen as randint(1,9) and there was a chance that it
will get the original value)

On Tue, Feb 28, 2017 at 1:12 PM, Miroslav Stampar <
mir...@gm...> wrote:

> Hi.
>
> It goes like this. Parameter is randomized, BUT, the parameter value holds
> the original form. This means that if your parameter is single digit, the
> following request will be a random value chosen from the [0-9]. This
> basically means that there is a chance that the following "random" value
> could be the same as the last one AND that you'll soon be left without any
> new values (after avg. 8-9 requests).
>
> Hence, use some larger "original" value for that same parameter you want
> to randomize :)
>
> Bye
>
> On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bpe...@gm...
> > wrote:
>
>>
>> > On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...>
>> wrote:
>> >
>> > Hi, testing —randomize for the first time.
>> >
>> > I have an injection that is certainly boolean-injectable as I can
>> exploit by hand, but the content of the response can change if the url
>> requested seems to have been hit before.
>> >
>> > For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned.
>> If I do it again, I get 150 bytes back from now on.
>> >
>> > If I append a garbage HTTP parameter and randomize the value in the
>> parameter, I always get 100 bytes back.
>> >
>> > It’s a weird injection, but sqlmap seems to think that the page
>> contents is changing during warm-up, even if I append a garbage parameter
>> and tell —randomize to randomize it.
>> >
>> > [16:20:14] [WARNING] target URL is not stable. sqlmap will base the
>> page comparison on a sequence matcher. If no dynamic nor injectable
>> parameters are detected, or in case of junk results, refer to user's manual
>> paragraph 'Page comparison' and provide a string or regular expression to
>> match on
>> >
>> > I have verified by hand that changing the HTTP parameter value each
>> request results in the same data from the injection being returned from the
>> server. It seems —randomize isn’t being respected in the very beginning.
>> >
>> > Any thoughts? Hopefully this makes sense.
>>
>> Doing testing through burp suite, I see that the HTTP parameter is indeed
>> randomized, so I am not sure what’s up yet.
>>
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

-- 
Miroslav Stampar
http://about.me/stamparm