sqlmap-users Mailing List for sqlmap (Page 59)
From: Zaki A. <zak...@gm...> - 2012-06-07 03:47:07

Thanks, Miroslav!

Can I issue a ticket for this feature?

Regards,

--
Zaki Akhmad

From: Miroslav S. <mir...@gm...> - 2012-06-06 08:44:43

Hi Zaki.

Sorry to inform you but such option is not available. If you want to do the
dirty hack you can go into the "lib/core/common.py" and do the changes
inside the line (Line 937 in HEAD revision from our repository):

paths.SQLMAP_OUTPUT_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "output")
->
paths.SQLMAP_OUTPUT_PATH = "/home/za/projects/sqlmap/result"

Kind regards,
Miroslav Stampar

On Wed, Jun 6, 2012 at 10:38 AM, Zaki Akhmad <zak...@gm...> wrote:
> Hello,
>
> Is it possible to configure the sqlmap's output directory to another
> path? Example I don't want sqlmap store the output directory
> at
>
> /home/za/sqlmap/output/
> but to
> /home/za/projects/sqlmap/result/?
>
> One more. Is this output directory is configurable for each different
> scanning?
>
> Thanks,
>
> --
> Zaki Akhmad

--
Miroslav Stampar
http://about.me/stamparm

From: Zaki A. <zak...@gm...> - 2012-06-06 08:38:17

Hello,

Is it possible to configure the sqlmap's output directory to another
path? Example I don't want sqlmap store the output directory
at

/home/za/sqlmap/output/
but to
/home/za/projects/sqlmap/result/?

One more. Is this output directory is configurable for each different
scanning?

Thanks,

--
Zaki Akhmad

From: Nico M. <nic...@ho...> - 2012-06-06 07:08:07

Dear all,

I've been testing the sqlmap tool and I got this error when doing a "DUMP"
of certain columns of a table. Here is the error:

sqlmap version: 0.8-rc4
Python version: 2.5.2
Operating system: linux2

Traceback (most recent call last):
  File "sqlmap.py", line 80, in main
    start()
  File "/pentest/database/sqlmap/lib/controller/controller.py", line 259, in start
    action()
  File "/pentest/database/sqlmap/lib/controller/action.py", line 114, in action
    dumper.dbTableValues(conf.dbmsHandler.dumpTable())
  File "/pentest/database/sqlmap/plugins/generic/enumeration.py", line 1320, in dumpTable
    value = inject.getValue(query, inband=False)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 373, in getValue
    value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
  File "/pentest/database/sqlmap/lib/request/inject.py", line 123, in __goInferenceProxy
    output = resume(expression, payload)
  File "/pentest/database/sqlmap/lib/utils/resume.py", line 143, in resume
    if len(resumedValue) == int(length):
ValueError: invalid literal for int() with base 10: '\x1f\x11'

[*] shutting down at: 19:39:46

Sorry, my English is very bad, I'm from Spain.

Thank U!

From: Miroslav S. <mir...@gm...> - 2012-06-05 21:54:21

Few quick answers:

1) pypy - no as we are focused mainly on an official Python runtime
2) "__functions__[hash_regex]" outside the for loop - will do, but the
benefits are really infinitesimally small (when comparing to the main
processing parts of that loop)
3) I'll for sure try something along that multiprocessing.Queue.
4) "I meant that if there are 100 threads sending stuff using that
method..." - this seems comprehensible. I believe that we'll just put a
constraint that --threads and --delay are not usable (it doesn't make much
sense to use e.g. --threads=10 --delay=10 <- oxymoron)

Kind regards,
Miroslav Stampar

On Tue, Jun 5, 2012 at 5:21 PM, Andres Riancho <and...@gm...> wrote:
> Miroslav,
>
> On Tue, Jun 5, 2012 at 6:40 AM, Miroslav Stampar
> <mir...@gm...> wrote:
> > Hi Andres.
> >
> > On Sat, Jun 2, 2012 at 11:19 PM, Andres Riancho <and...@gm...>
> > wrote:
> >>
> >> List,
> >>
> >> During PHDays we had a really good idea with Miroslav: "I review
> >> sqlmap's code and send you some comments about it, and Miroslav will
> >> review some w3af code and do the same". So, while I had some spare
> >> minutes at the airport I performed some initial review:
> >>
> >> * I like the idea of using psyco, what's your experience with it? Do
> >> you guys recommend it?
> >
> > It was a good thing till it lasted (Python <= v2.6) but as its official
> > page says "12 March 2012 Psyco is unmaintained and dead"
> > (http://psyco.sourceforge.net/), so it's advised to not use it.
>
> Oops! Have you tested pypy? Do you recommend it? :)
>
> >>
> >>
> >> * Liked the concept in "def smokeTest():", which sounds interesting to
> >> have also in w3af
> >
> > Ok
>
> While implementing this into w3af I realized that "nosetests" is
> actually doing all of that for me already, even the syntax error
> checks.
>
> dz0@dz0-laptop:~/workspace/w3af$ nosetests -s --doctest-result-variable=_test_res_ --rednose --with-doctest --doctest-tests plugins/discovery/netcraft.py
> X
> -----------------------------------------------------------------------------
> 1) ERROR: Failure: SyntaxError (invalid syntax (netcraft.py, line 107))
>
>    Traceback (most recent call last):
>     /usr/local/lib/python2.6/dist-packages/nose-0.11.4-py2.6.egg/nose/loader.py line 382 in loadTestsFromName
>       addr.filename, addr.module)
>     /usr/local/lib/python2.6/dist-packages/nose-0.11.4-py2.6.egg/nose/importer.py line 39 in importFromPath
>       return self.importFromDir(dir_path, fqname)
>     /usr/local/lib/python2.6/dist-packages/nose-0.11.4-py2.6.egg/nose/importer.py line 86 in importFromDir
>       mod = load_module(part_fqname, fh, filename, desc)
>    SyntaxError: invalid syntax (netcraft.py, line 107)
>
> >>
> >>
> >> * lib/core/testing.py : shouldn't most/all of this be migrated to
> >> unit-tests and run using "nosetests" or some other tool like that?
> >
> > In majority of cases it's impossible to use any of those python-based
> > testing tools if you need to run a testing program as an standalone
> > executable (not as a same program same module). We need to run it as a
> > standalone against testing environment (xml/livetests.xml) and parse the
> > output to see if it went ok. Look into this 'testing.py' as our way how to
> > deal with that problem (without using any 3rd party tools).
>
> Hmmm, ok, understood. In our case we have a w3afCore object that we
> can manipulate in unittests in order to run scans and check the
> results, this has been a great step forward since we now can run
> "nosetests" and it will tell us if the scan results are the expected
> ones AND if the unit-tests all passed. This will also fit very well in
> an environment that (if possible) we'll have that will be a continuous
> integration system for building / testing every night.
>
> >>
> >>
> >> * As Miroslav mentioned, we're using the same keepalive.py module,
> >> I'll have to run a diff between w3af's and sqlmap's and see what we
> >> changed; since we both made modifications to "make it work".
> >
> > Ok
> >>
> >>
> >> * Using rangehandler.py is a great idea for speeding up (A LOT) the
> >> extraction of information, it seems that you guys add it to the
> >> urlopener but don't use it?
> >
> > We use it in --null-connection (and implicitly in -o) for boolean-based
> > blind cases. If you take a look into lib/core/option.py you'll see that in
> > def __urllib2Opener() it's installed among other handlers. Also, if you take
> > a look into rangehandler.py you'll see that its sole purpose is to properly
> > handle 206 and 416 HTTP codes related to those range-cases. Grep for
> > "kb.nullConnection" and you'll see how "Range" (or we call it "null
> > connection") method is used (extremely fast if available for boolean-based
> > blind cases)
> >>
> >>
> >> * Could you please explain me the first part of this if? "if
> >> conf.hostname in ('localhost', '127.0.0.1') or conf.ignoreProxy:" does
> >> it really make sense? Aren't you ignoring the user's wish?
> >
> > Python, as you know, uses an automatic extraction of proxy information from
> > current environment (e.g. http_proxy env variable). Now, in 99% of cases you
> > don't want your automatic proxy settings to affect your access to the
> > localhost (be real, in most of browser settings first thing on the ignore
> > proxy list are localhost/127.0.0.1). That way we are just dealing with major
> > number of users who would complain about accessing localhost web server and
> > not reaching it (because corporate proxy settings were used automatically)
> >>
> >>
> >> * heh, I also use gprof2dot for profiling, but instead of having it
> >> inside w3af, I simply call it from the command line and have it
> >> generate a PNG. Note, where is "start()" defined for this line?
> >> cProfile.run("start()", profileOutputFile)
> >
> > that start() is defined inside the lib/controller/controller.py (it
> > represents the first sqlmap call that starts setting up everything and runs
> > the tool's functionality). string "start()" represents an eval-like python
> > call that will be called from the main() perspective. if you take a look
> > into the main() you'll see that start() is reachable from there.
> >>
> >>
> >> * Read this comment:
> >> """
> >> # Set kb.partRun in case "common prediction" feature (a.k.a. "good
> >> # samaritan") is used
> >> """
> >>
> >> Good samaritan was a feature I added many years ago to w3af's sqlmap,
> >> and the name came from the idea that the user could help the blind sql
> >> injection process by completing the word that was being extracted.
> >> Example: "If sqlmap extracted -hello w- the user could type -orld- in
> >> the console and have it checked with a SELECT statement". According to
> >> the pieces of code I was able to find, that was replaced by a more
> >> automatic idea where a file feeds common strings to the process,
> >> correct? The idea sounds good, but maybe users still want to
> >> contribute to the process?
> >
> > I am interested how you managed to get the user's input while outputting the
> > results in the same time?
>
> Yeah, I had problems with that too. At this moment that's working in
> w3af for our console. Here is the code:
>
>     def _cmd_start(self, params):
>         '''
>         Start the core in a different thread, monitor keystrokes in
>         the main thread.
>         @return: None
>         '''
>
> http://sourceforge.net/apps/trac/w3af/browser/trunk/core/ui/consoleUi/rootMenu.py
>
> > We've always had a problem where you have to
> > provide an user with that "raw_input" functionality and in the same time do
> > the output. Problem with Python is that it doesn't give you something like
> > "Keyboard Hooking" that would easify this all problem.
> >>
> >>
> >> * dataToStdout() is a handy function, but I think that you should
> >> consider migrating to something more generic like python's logging
> >> module. If in the future you want to provide options to storing the
> >> data in a file, or similar, it might come handy. In w3af we have the
> >> outputManag
> >
> > We are using both logging module and dataToStdout. dataToStdout can be
> > called from anywhere at any time and it will always output (in thread safe
> > manner) just the thing you've given to it. Logger as the other approach does
> > the output of the given text in an line manner (!) and that would be a very
> > bad thing especially when you want to output character by character. Also,
> > logger outputs everything in a message like structure (prepending e.g.
> > [CRITICAL]) and in lots of cases we don't want that. So, those two are
> > synergetic in a way and we need them both for a proper sqlmap run.
>
> Interesting needs you have indeed. (not sure why but that sentence
> came out in the way Yoda talks)
>
> >>
> >>
> >> - From our talks I understood that sqlmap used multiprocessing for
> >> cracking hashes (or something like that) but I can't find any
> >> reference to the multiprocessing module in the latest version. Could
> >> you point me in the right direction so I can analyze that code?
> >
> > lib/utils/hash.py
>
> I didn't have the latest version!
>
> Maybe you want to put the if before the hash calculation?
>
>     current = __functions__[hash_regex](password = word, uppercase = False, **kwargs)
>     count += 1
>
>     if not isinstance(word, basestring):
>         continue
>
> Also, the code could be sped up a little bit by taking this
> "__functions__[hash_regex]" outside the for loop
>
> Not sure about what I'm going to say next... but... given that all
> processes are going to read from the same wordlist object (which is
> fine), the wordlist has a "def next(self):" that is locked (which is
> required for multiprocessing to work) , don't you think that it might
> be the case in workstations with 4 cores where there is too much time
> spent waiting for the file lock to be released?
>
> Maybe you could have a multiprocessing.Queue inside wordlist that is
> loaded with 1000 values from the wordlist each time its size is 0?
>
> If you experiment with this, let me know the results.
>
> >>
> >>
> >> - Not sure how usable it is for you guys, but in some cases the
> >> charset is set in a meta tag; you're ignoring that here:
> >>     if contentType and (contentType.find('charset=') != -1):
> >>         charset = checkCharEncoding(contentType.split('charset=')[-1])
> >>
> >>     if charset:
> >>         page = getUnicode(page, charset)
> >
> > I am not sure if you are using the latest revision from our repository (go
> > to www.sqlmap.org for proper "svn checkout" line).
>
> Oops!
>
> > Those few lines go like this (in latest v1.0-dev):
> > ...
> >     if contentType and (contentType.find('charset=') != -1):
> >         httpCharset = checkCharEncoding(contentType.split('charset=')[-1])
> >
> >     metaCharset = checkCharEncoding(extractRegexResult(META_CHARSET_REGEX, page, re.DOTALL | re.IGNORECASE))
> > ...
> > We are not ignoring the metaCharset. We are using them both (while
> > httpCharset has the higher priority) in following code.
> >>
> >>
> >> See w3af's httpResponse.py for an example on how we're doing it.
> >>
> >> - Not thread safe?
> >>
> >>     if conf.delay is not None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
> >>         time.sleep(conf.delay)
> >
> > But those few lines are IMHO irrelevant for any "thread-safe" manner. Thread
> > safe means that you have to be careful to prevent situations where something
> > critical could be changed in the same time as other thread is reading it (or
> > vice versa/similar) and this is really something of no interest in that
> > field.
>
> I meant that if there are 100 threads sending stuff using that method,
> all 100 requests will be sent to the wire "at the same time"; not
> respecting the user's delay configuration. Then, it will wait for
> conf.delay and send 100 more requests.
>
> > If you thought that time.sleep() blocks the whole process, that's not the
> > case. It blocks only the current thread
> > (http://stackoverflow.com/questions/92928/time-sleep-sleeps-thread-or-process),
> > so nothing to be worried in this field too.
> >>
> >>
> >> Maybe move the "kb.locks.reqLock.acquire()" some lines before?
> >
> > No need
> >>
> >>
> >> - Doesn't this kill the keepalive.py handler? Should try to capture
> >> packets.
> >>
> >>     if not req.has_header("Connection"):
> >>         requestHeaders += "\nConnection: close"
> >
> > Those requestHeaders is just a "log entry" and it doesn't kill the
> > "keep-alive" functionality.
>
> Oh, I feel stupid, read too fast.
>
> > This was just a dirty hack where everything has
> > been declared (in log/traffic files) as connection close (to appear like to
> > the end user) as in that point you can't know if something is really
> > keep-alive or not (you can take a look into the header content and you won't
> > see a thing - it's handled by a keepalive handler in a low-level manner).
> > Now, we could do some dirty hacks to signal from keepalive handler if
> > something is really Keep-Alive (I am saying that because there are lots of
> > cases where Keep-Alive is just not possible or dropped in some point) and
> > properly do the logging stuff but this is of low priority this moment.
> >>
> >>
> >> I know that many of these are questions, but I hope they trigger some
> >> good ideas :)
> >
> > Thank you for your observations :)
> >>
> >>
> >> PS: I only used 2h for reading code. 2h left.
> >
> > :)
> >
> > I'll try to do mine this week. Prepare yourself.
>
> hehehe, ok :)
>
> >>
> >>
> >> Regards,
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >>
> > Kind regards,
> > Miroslav Stampar
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Miroslav Stampar
http://about.me/stamparm

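Added example (not sqlmap or w3af code) for the --threads / --delay point discussed in the message above: with a per-thread time.sleep(delay) all workers wake and send together, while a shared pacer hands out send slots at least one delay apart across all threads. GlobalPacer, the helper names and the 0.05 s / 5-thread values are assumptions made for this sketch.

```python
import threading
import time


def _run(target, count):
    """Start `count` threads running `target` and wait for all of them."""
    workers = [threading.Thread(target=target) for _ in range(count)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()


def naive_send_times(threads, delay):
    """Each worker sleeps `delay` on its own, then 'sends' (records a timestamp)."""
    times, lock = [], threading.Lock()
    barrier = threading.Barrier(threads)

    def worker():
        barrier.wait()            # all workers start together
        time.sleep(delay)         # per-thread delay, as in the quoted snippet
        stamp = time.monotonic()  # stands in for putting a request on the wire
        with lock:
            times.append(stamp)

    _run(worker, threads)
    return sorted(times)


class GlobalPacer:
    """Hands out send slots at least `delay` seconds apart, across all threads."""

    def __init__(self, delay):
        self.delay = delay
        self._lock = threading.Lock()
        self._next_slot = 0.0

    def wait(self):
        """Block until this caller's slot; return the time the slot was granted."""
        with self._lock:          # waiters queue here, one slot at a time
            while True:
                remaining = self._next_slot - time.monotonic()
                if remaining <= 0:
                    break
                time.sleep(remaining)
            granted = time.monotonic()
            self._next_slot = granted + self.delay
            return granted


def paced_send_times(threads, delay):
    """Same workers, but every send first takes a slot from one shared pacer."""
    pacer = GlobalPacer(delay)
    times, lock = [], threading.Lock()
    barrier = threading.Barrier(threads)

    def worker():
        barrier.wait()
        stamp = pacer.wait()
        with lock:
            times.append(stamp)

    _run(worker, threads)
    return sorted(times)


def min_gap(times):
    """Smallest interval between two consecutive sends."""
    return min(b - a for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    DELAY, THREADS = 0.05, 5      # constructed values, kept small so the demo is quick
    print("naive min gap: %.4f s" % min_gap(naive_send_times(THREADS, DELAY)))
    print("paced min gap: %.4f s" % min_gap(paced_send_times(THREADS, DELAY)))
```
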
From: Miroslav S. <mir...@gm...> - 2012-06-05 21:45:37

Hi Chris.

This all looks kind of strange. At your place I would try running sqlmap
against:

./sqlmap.py -u "www.target.com/forgot_password.html?1*"

Putting that 1'=1 looks to me like a big no no (if you take a good look
into the response you'll see for yourself that putting it does not make any
sense).

If everything fails, please send me a traffic file for that run I've
proposed in upper lines.

Kind regards,
Miroslav Stampar

On Tue, Jun 5, 2012 at 10:04 PM, Chris Rowe <pip...@gm...> wrote:
> Hey guys, frustration is the name of the game. I have burp pro telling me
> that it is a definite sql injection, but I cannot get sqlmap to find an
> injection point. I have tried adding a * where the single quote is, using
> the ?1 as prefix and =1 as suffix, and tuning the level and risk. I tried
> loading the entire request into a file for sqlmap. If I add 2 quotes the
> error goes away. Burp added the name of an arbitrarily supplied request
> parameter where the highlight is. Check out this request and response.
>
> GET /forgot_password.html?1'=1 HTTP/1.1
> Host: XXXX.XXXXXXXX.com
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> DNT: 1
> Referer: https://XXXXX.XXXXX.com/
> Connection: keep-alive
> Cache-Control: max-age=0
>
> HTTP/1.1 200 OK
> Date: Tue, 05 Jun 2012 19:26:42 GMT
> Server: Apache/2.2.3 (CentOS)
> X-Powered-By: PHP/5.1.6
> Content-Length: 385
> Connection: close
> Content-Type: text/html; charset=UTF-8
>
> Error in query: SELECT id from flag WHERE url='
> https://XXXXX.XXXXX.com/forgot_password.html?1'=1' AND author_id='' AND
> active='y' ORDER BY date_last_modified DESC, You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version for
> the right syntax to use near '' AND author_id='' AND active='y' ORDER BY
> date_last_modified DESC' at line 1

--
Miroslav Stampar
http://about.me/stamparm

From: Chris R. <pip...@gm...> - 2012-06-05 20:04:39

Hey guys, frustration is the name of the game. I have burp pro telling me
that it is a definite sql injection, but I cannot get sqlmap to find an
injection point. I have tried adding a * where the single quote is, using
the ?1 as prefix and =1 as suffix, and tuning the level and risk. I tried
loading the entire request into a file for sqlmap. If I add 2 quotes the
error goes away. Burp added the name of an arbitrarily supplied request
parameter where the highlight is. Check out this request and response.

GET /forgot_password.html?1'=1 HTTP/1.1
Host: XXXX.XXXXXXXX.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://XXXXX.XXXXX.com/
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Tue, 05 Jun 2012 19:26:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 385
Connection: close
Content-Type: text/html; charset=UTF-8

Error in query: SELECT id from flag WHERE url='
https://XXXXX.XXXXX.com/forgot_password.html?1'=1' AND author_id='' AND
active='y' ORDER BY date_last_modified DESC, You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version for
the right syntax to use near '' AND author_id='' AND active='y' ORDER BY
date_last_modified DESC' at line 1

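Added example (not code from the thread or from the application in question): the query shape visible in the quoted error, built once by string concatenation and once with bound parameters, reproducing the behaviour reported above (one quote gives a SQL error, two quotes do not) and showing that binding the URL removes it. Python's sqlite3 stands in for the PHP/MySQL backend; the app.example URL, the inserted row and the function names are constructed for illustration.

```python
import sqlite3

BASE_URL = "https://app.example/forgot_password.html"  # constructed placeholder host


def make_db():
    """In-memory table using the column names visible in the quoted error message."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE flag (id INTEGER PRIMARY KEY, url TEXT, author_id TEXT, "
        "active TEXT, date_last_modified TEXT)"
    )
    db.execute(
        "INSERT INTO flag (url, author_id, active, date_last_modified) "
        "VALUES (?, ?, 'y', '2012-06-05')",
        (BASE_URL, ""),
    )
    return db


def lookup_concatenated(db, url, author_id=""):
    """Vulnerable form: the request URL is pasted into the SQL string literal."""
    sql = (
        "SELECT id FROM flag WHERE url='" + url + "' AND author_id='" + author_id
        + "' AND active='y' ORDER BY date_last_modified DESC"
    )
    return db.execute(sql).fetchall()


def lookup_parameterized(db, url, author_id=""):
    """Hardened form: values are bound, so quotes in the URL are only data."""
    sql = (
        "SELECT id FROM flag WHERE url=? AND author_id=? "
        "AND active='y' ORDER BY date_last_modified DESC"
    )
    return db.execute(sql, (url, author_id)).fetchall()


def outcome(lookup, db, url):
    """Return ('rows', result) or ('sql-error', message) instead of raising."""
    try:
        return ("rows", lookup(db, url))
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for suffix in ("", "?1'=1", "?1''=1"):
        url = BASE_URL + suffix
        print(repr(suffix),
              "concatenated:", outcome(lookup_concatenated, db, url)[0],
              "| parameterized:", outcome(lookup_parameterized, db, url)[0])
```

The parameterized form also makes the verbose "Error in query" page unreachable from this input, though returning raw database errors to the client is a separate issue to fix.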
From: Artjom <shi...@gm...> - 2012-06-05 18:47:19

Works like a charm! Thank you!

On Mon, Jun 4, 2012 at 11:11 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Artjom.
>
> Could you please retry it now with the latest r5106?
>
> Kind regards,
> Miroslav Stampar
>
>
> On Mon, Jun 4, 2012 at 5:35 PM, Artjom <shi...@gm...> wrote:
>
>> Thank you!
>>
>> On Mon, Jun 4, 2012 at 3:34 PM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi Artjom.
>>>
>>> You are right. It's an issue where the authentication was made only for
>>> the single url cases. Will fix this ASAP and report back to you.
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>>
>>> On Wed, May 30, 2012 at 7:37 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>
>>>> Hi.
>>>>
>>>> It's probably a bug. Will check it and report back.
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>> On May 29, 2012 9:21 PM, "Artjom" <shi...@gm...> wrote:
>>>>
>>>>> Not sure if it's an issue or I am doing something wrong. The site
>>>>> requires basic auth. If I use "-u" and specify just one url, everything
>>>>> works. However if I use "-m" auth fails.
>>>>>
>>>>> Did I miss something in man?
>>>>>
>>>>> Artjom
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm

From: Andres R. <and...@gm...> - 2012-06-05 15:21:44

Miroslav,

On Tue, Jun 5, 2012 at 6:40 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Andres.
>
> On Sat, Jun 2, 2012 at 11:19 PM, Andres Riancho <and...@gm...>
> wrote:
>>
>> List,
>>
>> During PHDays we had a really good idea with Miroslav: "I review
>> sqlmap's code and send you some comments about it, and Miroslav will
>> review some w3af code and do the same". So, while I had some spare
>> minutes at the airport I performed some initial review:
>>
>> * I like the idea of using psyco, what's your experience with it? Do
>> you guys recommend it?
>
> It was a good thing till it lasted (Python <= v2.6) but as its official
> page says "12 March 2012 Psyco is unmaintained and dead"
> (http://psyco.sourceforge.net/), so it's advised to not use it.

Oops! Have you tested pypy? Do you recommend it? :)

>>
>>
>> * Liked the concept in "def smokeTest():", which sounds interesting to
>> have also in w3af
>
> Ok

While implementing this into w3af I realized that "nosetests" is
actually doing all of that for me already, even the syntax error
checks.

dz0@dz0-laptop:~/workspace/w3af$ nosetests -s --doctest-result-variable=_test_res_ --rednose --with-doctest --doctest-tests plugins/discovery/netcraft.py
X
-----------------------------------------------------------------------------
1) ERROR: Failure: SyntaxError (invalid syntax (netcraft.py, line 107))

   Traceback (most recent call last):
    /usr/local/lib/python2.6/dist-packages/nose-0.11.4-py2.6.egg/nose/loader.py line 382 in loadTestsFromName
      addr.filename, addr.module)
    /usr/local/lib/python2.6/dist-packages/nose-0.11.4-py2.6.egg/nose/importer.py line 39 in importFromPath
      return self.importFromDir(dir_path, fqname)
    /usr/local/lib/python2.6/dist-packages/nose-0.11.4-py2.6.egg/nose/importer.py line 86 in importFromDir
      mod = load_module(part_fqname, fh, filename, desc)
   SyntaxError: invalid syntax (netcraft.py, line 107)

>>
>>
>> * lib/core/testing.py : shouldn't most/all of this be migrated to
>> unit-tests and run using "nosetests" or some other tool like that?
>
> In majority of cases it's impossible to use any of those python-based
> testing tools if you need to run a testing program as an standalone
> executable (not as a same program same module). We need to run it as a
> standalone against testing environment (xml/livetests.xml) and parse the
> output to see if it went ok. Look into this 'testing.py' as our way how to
> deal with that problem (without using any 3rd party tools).

Hmmm, ok, understood. In our case we have a w3afCore object that we
can manipulate in unittests in order to run scans and check the
results, this has been a great step forward since we now can run
"nosetests" and it will tell us if the scan results are the expected
ones AND if the unit-tests all passed. This will also fit very well in
an environment that (if possible) we'll have that will be a continuous
integration system for building / testing every night.

>>
>>
>> * As Miroslav mentioned, we're using the same keepalive.py module,
>> I'll have to run a diff between w3af's and sqlmap's and see what we
>> changed; since we both made modifications to "make it work".
>
> Ok
>>
>>
>> * Using rangehandler.py is a great idea for speeding up (A LOT) the
>> extraction of information, it seems that you guys add it to the
>> urlopener but don't use it?
>
> We use it in --null-connection (and implicitly in -o) for boolean-based
> blind cases. If you take a look into lib/core/option.py you'll see that in
> def __urllib2Opener() it's installed among other handlers. Also, if you take
> a look into rangehandler.py you'll see that its sole purpose is to properly
> handle 206 and 416 HTTP codes related to those range-cases. Grep for
> "kb.nullConnection" and you'll see how "Range" (or we call it "null
> connection") method is used (extremely fast if available for boolean-based
> blind cases)
>>
>>
>> * Could you please explain me the first part of this if? "if
>> conf.hostname in ('localhost', '127.0.0.1') or conf.ignoreProxy:" does
>> it really make sense? Aren't you ignoring the user's wish?
>
> Python, as you know, uses an automatic extraction of proxy information from
> current environment (e.g. http_proxy env variable). Now, in 99% of cases you
> don't want your automatic proxy settings to affect your access to the
> localhost (be real, in most of browser settings first thing on the ignore
> proxy list are localhost/127.0.0.1). That way we are just dealing with major
> number of users who would complain about accessing localhost web server and
> not reaching it (because corporate proxy settings were used automatically)
>>
>>
>> * heh, I also use gprof2dot for profiling, but instead of having it
>> inside w3af, I simply call it from the command line and have it
>> generate a PNG. Note, where is "start()" defined for this line?
>> cProfile.run("start()", profileOutputFile)
>
> that start() is defined inside the lib/controller/controller.py (it
> represents the first sqlmap call that starts setting up everything and runs
> the tool's functionality). string "start()" represents an eval-like python
> call that will be called from the main() perspective. if you take a look
> into the main() you'll see that start() is reachable from there.
>>
>>
>> * Read this comment:
>> """
>> # Set kb.partRun in case "common prediction" feature (a.k.a. "good
>> # samaritan") is used
>> """
>>
>> Good samaritan was a feature I added many years ago to w3af's sqlmap,
>> and the name came from the idea that the user could help the blind sql
>> injection process by completing the word that was being extracted.
>> Example: "If sqlmap extracted -hello w- the user could type -orld- in
>> the console and have it checked with a SELECT statement". According to
>> the pieces of code I was able to find, that was replaced by a more
>> automatic idea where a file feeds common strings to the process,
>> correct? The idea sounds good, but maybe users still want to
>> contribute to the process?
>
> I am interested how you managed to get the user's input while outputting the
> results in the same time?

Yeah, I had problems with that too. At this moment that's working in
w3af for our console. Here is the code:

    def _cmd_start(self, params):
        '''
        Start the core in a different thread, monitor keystrokes in
        the main thread.
        @return: None
        '''

http://sourceforge.net/apps/trac/w3af/browser/trunk/core/ui/consoleUi/rootMenu.py

> We've always had a problem where you have to
> provide an user with that "raw_input" functionality and in the same time do
> the output. Problem with Python is that it doesn't give you something like
> "Keyboard Hooking" that would easify this all problem.
>>
>>
>> * dataToStdout() is a handy function, but I think that you should
>> consider migrating to something more generic like python's logging
>> module. If in the future you want to provide options to storing the
>> data in a file, or similar, it might come handy. In w3af we have the
>> outputManag
>
> We are using both logging module and dataToStdout. dataToStdout can be
> called from anywhere at any time and it will always output (in thread safe
> manner) just the thing you've given to it. Logger as the other approach does
> the output of the given text in an line manner (!) and that would be a very
> bad thing especially when you want to output character by character. Also,
> logger outputs everything in a message like structure (prepending e.g.
> [CRITICAL]) and in lots of cases we don't want that. So, those two are
> synergetic in a way and we need them both for a proper sqlmap run.

Interesting needs you have indeed. (not sure why but that sentence
came out in the way Yoda talks)

>>
>>
>> - From our talks I understood that sqlmap used multiprocessing for
>> cracking hashes (or something like that) but I can't find any
>> reference to the multiprocessing module in the latest version. Could
>> you point me in the right direction so I can analyze that code?
>
> lib/utils/hash.py

I didn't have the latest version!

Maybe you want to put the if before the hash calculation?

    current = __functions__[hash_regex](password = word, uppercase = False, **kwargs)
    count += 1

    if not isinstance(word, basestring):
        continue

Also, the code could be sped up a little bit by taking this
"__functions__[hash_regex]" outside the for loop

Not sure about what I'm going to say next... but... given that all
processes are going to read from the same wordlist object (which is
fine), the wordlist has a "def next(self):" that is locked (which is
required for multiprocessing to work) , don't you think that it might
be the case in workstations with 4 cores where there is too much time
spent waiting for the file lock to be released?

Maybe you could have a multiprocessing.Queue inside wordlist that is
loaded with 1000 values from the wordlist each time its size is 0?

If you experiment with this, let me know the results.

>>
>>
>> - Not sure how usable it is for you guys, but in some cases the
>> charset is set in a meta tag; you're ignoring that here:
>>     if contentType and (contentType.find('charset=') != -1):
>>         charset = checkCharEncoding(contentType.split('charset=')[-1])
>>
>>     if charset:
>>         page = getUnicode(page, charset)
>
> I am not sure if you are using the latest revision from our repository (go
> to www.sqlmap.org for proper "svn checkout" line).

Oops!

> Those few lines go like this (in latest v1.0-dev):
> ...
>     if contentType and (contentType.find('charset=') != -1):
>         httpCharset = checkCharEncoding(contentType.split('charset=')[-1])
>
>     metaCharset = checkCharEncoding(extractRegexResult(META_CHARSET_REGEX, page, re.DOTALL | re.IGNORECASE))
> ...
> We are not ignoring the metaCharset. We are using them both (while
> httpCharset has the higher priority) in following code.
>>
>>
>> See w3af's httpResponse.py for an example on how we're doing it.
>>
>> - Not thread safe?
>>
>>     if conf.delay is not None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
>>         time.sleep(conf.delay)
>
> But those few lines are IMHO irrelevant for any "thread-safe" manner. Thread
> safe means that you have to be careful to prevent situations where something
> critical could be changed in the same time as other thread is reading it (or
> vice versa/similar) and this is really something of no interest in that
> field.

I meant that if there are 100 threads sending stuff using that method,
all 100 requests will be sent to the wire "at the same time"; not
respecting the user's delay configuration. Then, it will wait for
conf.delay and send 100 more requests.

> If you thought that time.sleep() blocks the whole process, that's not the
> case.
It blocks only the current thread > (http://stackoverflow.com/questions/92928/time-sleep-sleeps-thread-or-process), > so nothing to be worried in this field too. >> >> >> Maybe move the "kb.locks.reqLock.acquire()" some lines before? > > No need >> >> >> - Doesn't this kill the keepalive.py handler? Should try to capture >> packets. >> >> if not req.has_header("Connection"): >> requestHeaders += "\nConnection: close" > > Those requestHeaders is just a "log entry" and it doesn't kill the > "keep-alive" functionality. Oh, I feel stupid, read too fast. >This was just a dirty hack where everything has > been declared (in log/traffic files) as connection close (to appear like to > the end user) as in that point you can't know if something is really > keep-alive or not (you can take a look into the header content and you won't > see a thing - it's handled by a keepalive handler in a low-level manner). > Now, we could do some dirty hacks to signal from keepalive handler if > something is really Keep-Alive (I am saying that because there are lots of > cases where Keep-Alive is just not possible or dropped in some point) and > properly do the logging stuff but this is of low priority this moment. >> >> >> I know that many of these are questions, but I hope they trigger some >> good ideas :) > > Thank you for your observations :) >> >> >> PS: I only used 2h for reading code. 2h left. > > :) > > I'll try to do mine this week. Prepare yourself. hehehe, ok :) >> >> >> Regards, >> >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework >> Twitter: @w3af >> GPG: 0x93C344F3 >> > Kind regards, > Miroslav Stampar >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. 
Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > Miroslav Stampar > http://about.me/stamparm -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
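The delay question in the message above (every thread calling time.sleep(conf.delay) on its own releases its requests together), as an added example that is not sqlmap's or w3af's code: per-thread sleeping compared with one lock-guarded pacer shared by all threads. SharedPacer, per_thread_sleep, run_workers and min_gap are names made up for this example, and recorded timestamps stand in for real requests.

```python
import threading
import time


class SharedPacer:
    """One pacer shared by all workers: at most one release per `delay` seconds."""

    def __init__(self, delay):
        self.delay = delay
        self._lock = threading.Lock()
        self._last = float("-inf")  # time of the previous release

    def wait(self):
        # The lock is held while sleeping on purpose: the next thread must not
        # even start counting until the previous release has happened.
        with self._lock:
            remaining = self._last + self.delay - time.monotonic()
            while remaining > 0:
                time.sleep(remaining)
                remaining = self._last + self.delay - time.monotonic()
            self._last = time.monotonic()
            return self._last


def per_thread_sleep(delay):
    """The pattern under discussion: each thread sleeps independently."""
    time.sleep(delay)
    return time.monotonic()


def run_workers(wait_fn, threads=4, requests_per_thread=2):
    """Run `threads` workers; each calls wait_fn() before every simulated request.

    Returns the sorted release timestamps (constructed data, no network I/O).
    """
    stamps = []
    stamps_lock = threading.Lock()
    barrier = threading.Barrier(threads)  # start all workers together

    def worker():
        barrier.wait()
        for _ in range(requests_per_thread):
            stamp = wait_fn()
            with stamps_lock:
                stamps.append(stamp)

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return sorted(stamps)


def min_gap(stamps):
    """Smallest interval between two consecutive releases."""
    return min(b - a for a, b in zip(stamps, stamps[1:]))


if __name__ == "__main__":
    delay = 0.1
    burst = run_workers(lambda: per_thread_sleep(delay))
    paced = run_workers(SharedPacer(delay).wait)
    print("per-thread sleep, smallest gap: %.4fs" % min_gap(burst))
    print("shared pacer,     smallest gap: %.4fs" % min_gap(paced))
```

With per-thread sleeping the smallest gap is close to zero because the workers wake in the same instant; with the shared pacer no two releases are closer than the configured delay, whatever the thread count.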
From: Miroslav S. <mir...@gm...> - 2012-06-05 09:40:28
|
Hi Andres.

On Sat, Jun 2, 2012 at 11:19 PM, Andres Riancho <and...@gm...> wrote:

> List,
>
> During PHDays we had a really good idea with Miroslav: "I review
> sqlmap's code and send you some comments about it, and Miroslav will
> review some w3af code and do the same". So, while I had some spare
> minutes at the airport I performed some initial review:
>
> * I like the idea of using psyco, what's your experience with it? Do
> you guys recommend it?

It was a good thing till it lasted (Python <= v2.6) but as its official page says "12 March 2012 Psyco is unmaintained and dead" (http://psyco.sourceforge.net/), so it's advised to not use it.

> * Liked the concept in "def smokeTest():", which sounds interesting to
> have also in w3af

Ok

> * lib/core/testing.py : shouldn't most/all of this be migrated to
> unit-tests and run using "nosetests" or some other tool like that?

In majority of cases it's impossible to use any of those python-based testing tools if you need to run a testing program as a standalone executable (not as a same program same module). We need to run it as a standalone against testing environment (xml/livetests.xml) and parse the output to see if it went ok. Look into this 'testing.py' as our way how to deal with that problem (without using any 3rd party tools).

> * As Miroslav mentioned, we're using the same keepalive.py module,
> I'll have to run a diff between w3af's and sqlmap's and see what we
> changed; since we both made modifications to "make it work".

Ok

> * Using rangehandler.py is a great idea for speeding up (A LOT) the
> extraction of information, it seems that you guys add it to the
> urlopener but don't use it?

We use it in --null-connection (and implicitly in -o) for boolean-based blind cases. If you take a look into lib/core/option.py you'll see that in def __urllib2Opener() it's installed among other handlers. Also, if you take a look into rangehandler.py you'll see that its sole purpose is to properly handle 206 and 416 HTTP codes related to those range-cases. Grep for "kb.nullConnection" and you'll see how "Range" (or we call it "null connection") method is used (extremely fast if available for boolean-based blind cases)

> * Could you please explain me the first part of this if? "if
> conf.hostname in ('localhost', '127.0.0.1') or conf.ignoreProxy:" does
> it really make sense? Aren't you ignoring the user's wish?

Python, as you know, uses an automatic extraction of proxy information from current environment (e.g. http_proxy env variable). Now, in 99% of cases you don't want your automatic proxy settings to affect your access to the localhost (be real, in most of browser settings first thing on the ignore proxy list are localhost/127.0.0.1). That way we are just dealing with major number of users who would complain about accessing localhost web server and not reaching it (because corporate proxy settings were used automatically)

> * heh, I also use gprof2dot for profiling, but instead of having it
> inside w3af, I simply call it from the command line and have it
> generate a PNG. Note, where is "start()" defined for this line?
> cProfile.run("start()", profileOutputFile)

that start() is defined inside the lib/controller/controller.py (it represents the first sqlmap call that starts setting up everything and runs the tool's functionality). string "start()" represents an eval-like python call that will be called from the main() perspective. if you take a look into the main() you'll see that start() is reachable from there.

> * Read this comment:
> """
> # Set kb.partRun in case "common prediction" feature (a.k.a. "good
> # samaritan") is used
> """
>
> Good samaritan was a feature I added many years ago to w3af's sqlmap,
> and the name came from the idea that the user could help the blind sql
> injection process by completing the word that was being extracted.
> Example: "If sqlmap extracted -hello w- the user could type -orld- in
> the console and have it checked with a SELECT statement". According to
> the pieces of code I was able to find, that was replaced by a more
> automatic idea where a file feeds common strings to the process,
> correct? The idea sounds good, but maybe users still want to
> contribute to the process?

I am interested how you managed to get the user's input while outputting the results in the same time? We've always had a problem where you have to provide a user with that "raw_input" functionality and in the same time do the output. Problem with Python is that it doesn't give you something like "Keyboard Hooking" that would easify this all problem.

> * dataToStdout() is a handy function, but I think that you should
> consider migrating to something more generic like python's logging
> module. If in the future you want to provide options to storing the
> data in a file, or similar, it might come handy. In w3af we have the
> outputManag

We are using both logging module and dataToStdout. dataToStdout can be called from anywhere at any time and it will always output (in thread safe manner) just the thing you've given to it. Logger as the other approach does the output of the given text in a line manner (!) and that would be a very bad thing especially when you want to output character by character. Also, logger outputs everything in a message like structure (prepending e.g. [CRITICAL]) and in lots of cases we don't want that. So, those two are synergetic in a way and we need them both for a proper sqlmap run.

> - From our talks I understood that sqlmap used multiprocessing for
> cracking hashes (or something like that) but I can't find any
> reference to the multiprocessing module in the latest version. Could
> you point me in the right direction so I can analyze that code?

lib/utils/hash.py

> - Not sure how usable it is for you guys, but in some cases the
> charset is set in a meta tag; you're ignoring that here:
>     if contentType and (contentType.find('charset=') != -1):
>         charset = checkCharEncoding(contentType.split('charset=')[-1])
>
>     if charset:
>         page = getUnicode(page, charset)

I am not sure if you are using the latest revision from our repository (go to www.sqlmap.org for proper "svn checkout" line). Those few lines go like this (in latest v1.0-dev):

    ...
    if contentType and (contentType.find('charset=') != -1):
        httpCharset = checkCharEncoding(contentType.split('charset=')[-1])

    metaCharset = checkCharEncoding(extractRegexResult(META_CHARSET_REGEX, page, re.DOTALL | re.IGNORECASE))
    ...

We are not ignoring the metaCharset. We are using them both (while httpCharset has the higher priority) in following code.

> See w3af's httpResponse.py for an example on how we're doing it.
>
> - Not thread safe?
>
>     if conf.delay is not None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
>         time.sleep(conf.delay)

But those few lines are IMHO irrelevant for any "thread-safe" manner. Thread safe means that you have to be careful to prevent situations where something critical could be changed in the same time as other thread is reading it (or vice versa/similar) and this is really something of no interest in that field. If you thought that time.sleep() blocks the whole process, that's not the case. It blocks only the current thread (http://stackoverflow.com/questions/92928/time-sleep-sleeps-thread-or-process), so nothing to be worried in this field too.

> Maybe move the "kb.locks.reqLock.acquire()" some lines before?

No need

> - Doesn't this kill the keepalive.py handler? Should try to capture
> packets.
>
>     if not req.has_header("Connection"):
>         requestHeaders += "\nConnection: close"

Those requestHeaders is just a "log entry" and it doesn't kill the "keep-alive" functionality. This was just a dirty hack where everything has been declared (in log/traffic files) as connection close (to appear like to the end user) as in that point you can't know if something is really keep-alive or not (you can take a look into the header content and you won't see a thing - it's handled by a keepalive handler in a low-level manner). Now, we could do some dirty hacks to signal from keepalive handler if something is really Keep-Alive (I am saying that because there are lots of cases where Keep-Alive is just not possible or dropped in some point) and properly do the logging stuff but this is of low priority this moment.

> I know that many of these are questions, but I hope they trigger some
> good ideas :)

Thank you for your observations :)

> PS: I only used 2h for reading code. 2h left.

:)

I'll try to do mine this week. Prepare yourself.

> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm |
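The charset precedence described in the message above (the Content-Type header's charset first, the meta tag second), as an added example that is not sqlmap's or w3af's code. The META_CHARSET pattern, the function names, the UTF-8 fallback and the sample pages are assumptions made for this example; sqlmap's own META_CHARSET_REGEX is not shown on the page.

```python
import codecs
import re

# Assumed pattern for this example: the first charset=... inside a <meta> tag.
META_CHARSET = re.compile(
    rb"<meta[^>]+charset\s*=\s*[\"']?\s*([A-Za-z0-9_.:\-]+)", re.I | re.S
)


def check_encoding(name):
    """Return Python's canonical codec name, or None if the label is unknown."""
    if not name:
        return None
    name = name.strip().strip("\"'")
    try:
        return codecs.lookup(name).name
    except LookupError:
        return None


def http_charset(content_type):
    """Charset declared in a Content-Type header value, if it names a real codec."""
    if not content_type:
        return None
    match = re.search(r"charset\s*=\s*([^;]+)", content_type, re.I)
    return check_encoding(match.group(1)) if match else None


def meta_charset(page):
    """Charset declared in a <meta> tag near the top of the raw page bytes."""
    match = META_CHARSET.search(page[:4096])
    return check_encoding(match.group(1).decode("ascii")) if match else None


def decode_page(page, content_type, fallback="utf-8"):
    """Decode raw bytes: header charset wins, then the meta tag, then the fallback.

    An unknown label is skipped rather than trusted, and undecodable bytes are
    replaced instead of raising, so one bad page cannot abort processing.
    """
    charset = http_charset(content_type) or meta_charset(page) or fallback
    return page.decode(charset, errors="replace"), charset


if __name__ == "__main__":
    # Constructed sample: the header says ISO-8859-1, the meta tag says utf-8.
    sample = b'<html><head><meta charset="utf-8"></head><body>caf\xe9</body></html>'
    text, used = decode_page(sample, "text/html; charset=ISO-8859-1")
    print(used, text)
```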
From: Miroslav S. <mir...@gm...> - 2012-06-04 22:11:22
|
Hi Artjom.

Could you please retry it now with the latest r5106?

Kind regards,
Miroslav Stampar

On Mon, Jun 4, 2012 at 5:35 PM, Artjom <shi...@gm...> wrote:

> Thank you!
>
> On Mon, Jun 4, 2012 at 3:34 PM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi Artjom.
>>
>> You are right. It's an issue where the authentication was made only for
>> the single url cases. Will fix this ASAP and report back to you.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Wed, May 30, 2012 at 7:37 AM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi.
>>>
>>> It's probably a bug. Will check it and report back.
>>>
>>> Kind regards,
>>> Miroslav Stampar
>>> On May 29, 2012 9:21 PM, "Artjom" <shi...@gm...> wrote:
>>>
>>>> Not sure if it's an issue or I am doing something wrong. The site
>>>> requires basic auth. If I use "-u" and specify just one url, everything
>>>> works. However if I use "-m" auth fails.
>>>>
>>>> Did I miss something in man?
>>>>
>>>> Artjom
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm |
From: Artjom <shi...@gm...> - 2012-06-04 15:35:11
|
Thank you!

On Mon, Jun 4, 2012 at 3:34 PM, Miroslav Stampar <mir...@gm...> wrote:

> Hi Artjom.
>
> You are right. It's an issue where the authentication was made only for
> the single url cases. Will fix this ASAP and report back to you.
>
> Kind regards,
> Miroslav Stampar
>
> On Wed, May 30, 2012 at 7:37 AM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> It's probably a bug. Will check it and report back.
>>
>> Kind regards,
>> Miroslav Stampar
>> On May 29, 2012 9:21 PM, "Artjom" <shi...@gm...> wrote:
>>
>>> Not sure if it's an issue or I am doing something wrong. The site
>>> requires basic auth. If I use "-u" and specify just one url, everything
>>> works. However if I use "-m" auth fails.
>>>
>>> Did I miss something in man?
>>>
>>> Artjom
>
> --
> Miroslav Stampar
> http://about.me/stamparm
> |
From: Miroslav S. <mir...@gm...> - 2012-06-04 14:34:40
|
Hi Artjom.

You are right. It's an issue where the authentication was made only for the single url cases. Will fix this ASAP and report back to you.

Kind regards,
Miroslav Stampar

On Wed, May 30, 2012 at 7:37 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi.
>
> It's probably a bug. Will check it and report back.
>
> Kind regards,
> Miroslav Stampar
> On May 29, 2012 9:21 PM, "Artjom" <shi...@gm...> wrote:
>
>> Not sure if it's an issue or I am doing something wrong. The site
>> requires basic auth. If I use "-u" and specify just one url, everything
>> works. However if I use "-m" auth fails.
>>
>> Did I miss something in man?
>>
>> Artjom

--
Miroslav Stampar
http://about.me/stamparm |
From: <pip...@gm...> - 2012-06-04 13:07:47
|
Thanks for your help Miroslav! Now if oracle would just implement a xp_cmdshell function!

Sent from my HTC One™ X

----- Reply message -----
From: "Miroslav Stampar" <mir...@gm...>
To: "Chris Rowe" <pip...@gm...>
Cc: <sql...@li...>
Subject: [sqlmap-users] problem with data retrieval
Date: Mon, Jun 4, 2012 03:58

Hi Chris.

I am pretty sure that this was a false positive :)

First thing is that you've stumbled upon a rare beast of MySQL stacked :). That was a first hint that something could be wrong. Another thing is that in every case where you have a time or stacked based injection we have a false positive test, but there is a slight chance that false positive falls through it (really small). Now, if you see those random garbage in those cases you have to KNOW that you've stumbled upon a false positive.

Please, to make sure, just use --flush-session --time-sec=10 (or some other value greater than default 5). You'll probably see that there won't be any positives in that case.

Kind regards,
Miroslav Stampar

On Sat, Jun 2, 2012 at 9:11 PM, Chris Rowe <pip...@gm...> wrote:

> I am doing a test right now and I am receiving unusual output during data
> retrieval. I have never seen this from sqlmap before. I have tried using
> single or multi threads, --no-cast, and --hex options with no luck. I am
> using sqlmap 1.0-dev r5100. Could the data in the database be a different
> language that sqlmap can't read? The client's site is primarily in
> arabic. I need help!! Thanks
>
> *Here is the output from the log file:*
>
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND 6574=6574--
>
> Type: stacked queries
> Title: MySQL < 5.0.12 stacked queries (heavy query)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
> BENCHMARK(10000000,MD5(0x504b774c));--
> ---
>
> current user: None
>
> current database: None
>
> current user is DBA: None
>
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: User-Agent
> Parameter: User-Agent
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause (Generic
> comment)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND
> 6574=6574--
>
> Type: stacked queries
> Title: MySQL < 5.0.12 stacked queries (heavy query)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
> BENCHMARK(10000000,MD5(0x504b774c));--
> ---
>
> current user: 'x?'
>
> current database: None
>
> current user is DBA: None
>
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: User-Agent
> Parameter: User-Agent
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause (Generic
> comment)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND
> 6574=6574--
>
> Type: stacked queries
> Title: MySQL < 5.0.12 stacked queries (heavy query)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
> BENCHMARK(10000000,MD5(0x504b774c));--
> ---
>
> current user: 'x?'
>
> current database: '??n x^}h'
>
> current user is DBA: None
>
>
> *Here is the command line output during testing:*
>
> [13:37:28] [INFO] changes made by tampering scripts are not included in
> shown payload content(s)
> [13:37:28] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows Vista
> web application technology: Apache, ASP.NET 4.0.30319, ASP.NET, Microsoft
> IIS 7.0
>
> back-end DBMS: MySQL 5
> [13:37:28] [INFO] fetching current user
> [13:37:28] [INFO] retrieving the length of query output
> [13:37:28] [INFO] retrieved:
> [13:37:32] [INFO] resumed: x?
> current user: 'x?'
>
> [13:37:32] [INFO] fetching current database
> [13:37:32] [INFO] retrieving the length of query output
> [13:37:32] [INFO] retrieved: 8
> [13:38:32] [INFO] retrieved: ??n x^}h
> current database: '??n x^}h'
>
> [13:38:32] [INFO] testing if current user is DBA
> [13:38:32] [INFO] fetching current user
> [13:38:32] [INFO] retrieving the length of query output
> [13:38:32] [INFO] retrieved: 6
> [13:38:58] [WARNING] there was a problem decoding value '??????' from
> expected hexadecimal form
>
> current user is DBA: None
>
> [13:38:58] [INFO] fetching database users
> [13:38:58] [INFO] fetching number of database users
> [13:38:58] [INFO] retrieved: 48
> [13:39:08] [CRITICAL] unable to retrieve the number of database users
> [13:39:08] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 23 times
>
> [*] shutting down at 13:39:08

--
Miroslav Stampar
http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2012-06-04 09:05:15
|
Hi Iago.

There is a new switch now starting with r5103:
"--exact Prefer usage of exact names for provided identificators"

Kind regards,
Miroslav Stampar

On Wed, May 30, 2012 at 7:35 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi Iago.
>
> Sorry, but there is none. I would like to know if others would change that
> one too (or maybe put an --exact switch)?
>
> Kind regards,
> Miroslav Stampar
> On May 29, 2012 10:02 PM, "Iago Sousa" <146...@gm...> wrote:
>
>> Hello there,
>> So, always that I want to dump any information from server in sqlmap, the
>> program requests me if I want 'as like' or 'as exact' columns name.
>>
>> How to do to set 'as exact column name' as default?
>>
>> --
>> Regards,
>> Iago Sousa

--
Miroslav Stampar
http://about.me/stamparm |
From: Miroslav S. <mir...@gm...> - 2012-06-04 07:58:32
|
Hi Chris.

I am pretty sure that this was a false positive :)

First thing is that you've stumbled upon a rare beast of MySQL stacked :). That was a first hint that something could be wrong. Another thing is that in every case where you have a time or stacked based injection we have a false positive test, but there is a slight chance that false positive falls through it (really small). Now, if you see those random garbage in those cases you have to KNOW that you've stumbled upon a false positive.

Please, to make sure, just use --flush-session --time-sec=10 (or some other value greater than default 5). You'll probably see that there won't be any positives in that case.

Kind regards,
Miroslav Stampar

On Sat, Jun 2, 2012 at 9:11 PM, Chris Rowe <pip...@gm...> wrote:

> I am doing a test right now and I am receiving unusual output during data
> retrieval. I have never seen this from sqlmap before. I have tried using
> single or multi threads, --no-cast, and --hex options with no luck. I am
> using sqlmap 1.0-dev r5100. Could the data in the database be a different
> language that sqlmap can't read? The client's site is primarily in
> arabic. I need help!! Thanks
>
> *Here is the output from the log file:*
>
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND 6574=6574--
>
> Type: stacked queries
> Title: MySQL < 5.0.12 stacked queries (heavy query)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
> BENCHMARK(10000000,MD5(0x504b774c));--
> ---
>
> current user: None
>
> current database: None
>
> current user is DBA: None
>
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: User-Agent
> Parameter: User-Agent
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause (Generic
> comment)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND
> 6574=6574--
>
> Type: stacked queries
> Title: MySQL < 5.0.12 stacked queries (heavy query)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
> BENCHMARK(10000000,MD5(0x504b774c));--
> ---
>
> current user: 'x?'
>
> current database: None
>
> current user is DBA: None
>
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: User-Agent
> Parameter: User-Agent
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause (Generic
> comment)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND
> 6574=6574--
>
> Type: stacked queries
> Title: MySQL < 5.0.12 stacked queries (heavy query)
> Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT
> BENCHMARK(10000000,MD5(0x504b774c));--
> ---
>
> current user: 'x?'
>
> current database: '??n x^}h'
>
> current user is DBA: None
>
>
> *Here is the command line output during testing:*
>
> [13:37:28] [INFO] changes made by tampering scripts are not included in
> shown payload content(s)
> [13:37:28] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows Vista
> web application technology: Apache, ASP.NET 4.0.30319, ASP.NET, Microsoft
> IIS 7.0
>
> back-end DBMS: MySQL 5
> [13:37:28] [INFO] fetching current user
> [13:37:28] [INFO] retrieving the length of query output
> [13:37:28] [INFO] retrieved:
> [13:37:32] [INFO] resumed: x?
> current user: 'x?'
>
> [13:37:32] [INFO] fetching current database
> [13:37:32] [INFO] retrieving the length of query output
> [13:37:32] [INFO] retrieved: 8
> [13:38:32] [INFO] retrieved: ??n x^}h
> current database: '??n x^}h'
>
> [13:38:32] [INFO] testing if current user is DBA
> [13:38:32] [INFO] fetching current user
> [13:38:32] [INFO] retrieving the length of query output
> [13:38:32] [INFO] retrieved: 6
> [13:38:58] [WARNING] there was a problem decoding value '??????' from
> expected hexadecimal form
>
> current user is DBA: None
>
> [13:38:58] [INFO] fetching database users
> [13:38:58] [INFO] fetching number of database users
> [13:38:58] [INFO] retrieved: 48
> [13:39:08] [CRITICAL] unable to retrieve the number of database users
> [13:39:08] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 23 times
>
> [*] shutting down at 13:39:08

--
Miroslav Stampar
http://about.me/stamparm |
From: Andres R. <and...@gm...> - 2012-06-02 21:20:26
|
List,

During PHDays we had a really good idea with Miroslav: "I review sqlmap's code and send you some comments about it, and Miroslav will review some w3af code and do the same". So, while I had some spare minutes at the airport I performed some initial review:

* I like the idea of using psyco, what's your experience with it? Do you guys recommend it?

* Liked the concept in "def smokeTest():", which sounds interesting to have also in w3af

* lib/core/testing.py : shouldn't most/all of this be migrated to unit-tests and run using "nosetests" or some other tool like that?

* As Miroslav mentioned, we're using the same keepalive.py module, I'll have to run a diff between w3af's and sqlmap's and see what we changed; since we both made modifications to "make it work".

* Using rangehandler.py is a great idea for speeding up (A LOT) the extraction of information, it seems that you guys add it to the urlopener but don't use it?

* Could you please explain to me the first part of this if? "if conf.hostname in ('localhost', '127.0.0.1') or conf.ignoreProxy:" does it really make sense? Aren't you ignoring the user's wish?

* heh, I also use gprof2dot for profiling, but instead of having it inside w3af, I simply call it from the command line and have it generate a PNG. Note, where is "start()" defined for this line?

    cProfile.run("start()", profileOutputFile)

* Read this comment:

    """
    # Set kb.partRun in case "common prediction" feature (a.k.a. "good
    # samaritan") is used
    """

  Good samaritan was a feature I added many years ago to w3af's sqlmap, and the name came from the idea that the user could help the blind sql injection process by completing the word that was being extracted. Example: "If sqlmap extracted -hello w- the user could type -orld- in the console and have it checked with a SELECT statement". According to the pieces of code I was able to find, that was replaced by a more automatic idea where a file feeds common strings to the process, correct? The idea sounds good, but maybe users still want to contribute to the process?

* dataToStdout() is a handy function, but I think that you should consider migrating to something more generic like python's logging module. If in the future you want to provide options for storing the data in a file, or similar, it might come in handy. In w3af we have the outputManag

- From our talks I understood that sqlmap used multiprocessing for cracking hashes (or something like that) but I can't find any reference to the multiprocessing module in the latest version. Could you point me in the right direction so I can analyze that code?

- Not sure how usable it is for you guys, but in some cases the charset is set in a meta tag; you're ignoring that here:

    if contentType and (contentType.find('charset=') != -1):
        charset = checkCharEncoding(contentType.split('charset=')[-1])
        if charset:
            page = getUnicode(page, charset)

  See w3af's httpResponse.py for an example on how we're doing it.

- Not thread safe?

    if conf.delay is not None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
        time.sleep(conf.delay)

  Maybe move the "kb.locks.reqLock.acquire()" some lines before?

- Doesn't this kill the keepalive.py handler? Should try to capture packets.

    if not req.has_header("Connection"):
        requestHeaders += "\nConnection: close"

I know that many of these are questions, but I hope they trigger some good ideas :)

PS: I only used 2h for reading code. 2h left.

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
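The "Not thread safe?" point above, as an added example (not sqlmap's code): when each worker sleeps on its own, all threads wake together and send at once, so the configured delay no longer spaces the requests. One way to keep the spacing is to reserve the next send slot under a lock and sleep outside it; `RequestPacer`, `run_workers` and `min_gap` are names assumed for this example.

```python
import threading
import time


class RequestPacer:
    """Space requests by `delay` seconds across all worker threads."""

    def __init__(self, delay, clock=time.monotonic, sleep=time.sleep):
        self.delay = delay
        self._clock = clock
        self._sleep = sleep
        self._lock = threading.Lock()
        self._next_slot = float("-inf")

    def wait(self):
        """Reserve the next send slot under the lock, then sleep outside it."""
        with self._lock:
            now = self._clock()
            slot = max(now, self._next_slot)
            self._next_slot = slot + self.delay
        if slot > now:
            self._sleep(slot - now)
        return slot


def run_workers(pacer, threads=8):
    """Release `threads` workers at once; return their reserved slots, sorted."""
    slots, guard = [], threading.Lock()
    barrier = threading.Barrier(threads)

    def worker():
        barrier.wait()          # all workers reach the delay check together
        slot = pacer.wait()
        with guard:
            slots.append(slot)  # a real worker would send its request here

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for thread in pool:
        thread.start()
    for thread in pool:
        thread.join()
    return sorted(slots)


def min_gap(slots):
    """Smallest spacing between consecutive send slots."""
    return min(later - earlier for earlier, later in zip(slots, slots[1:]))


if __name__ == "__main__":
    print("smallest gap: %.3fs" % min_gap(run_workers(RequestPacer(0.01))))
```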
From: Chris R. <pip...@gm...> - 2012-06-02 19:12:00
|
I am doing a test right now and I am receiving unusual output during data retrieval. I have never seen this from sqlmap before. I have tried using single or multi threads, --no-cast, and --hex options with no luck. I am using sqlmap 1.0-dev r5100. Could the data in the database be a different language that sqlmap can't read? The client's site is primarily in Arabic. I need help!!

Thanks

*Here is the output from the log file:*

Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND 6574=6574--

Type: stacked queries
Title: MySQL < 5.0.12 stacked queries (heavy query)
Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT BENCHMARK(10000000,MD5(0x504b774c));--
---
current user: None
current database: None
current user is DBA: None

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: User-Agent
Parameter: User-Agent
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND 6574=6574--

Type: stacked queries
Title: MySQL < 5.0.12 stacked queries (heavy query)
Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT BENCHMARK(10000000,MD5(0x504b774c));--
---
current user: 'x?'
current database: None
current user is DBA: None

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: User-Agent
Parameter: User-Agent
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)') AND 6574=6574--

Type: stacked queries
Title: MySQL < 5.0.12 stacked queries (heavy query)
Payload: sqlmap/1.0-dev (r5100) (http://www.sqlmap.org)'); SELECT BENCHMARK(10000000,MD5(0x504b774c));--
---
current user: 'x?'
current database: '??nx^}h'
current user is DBA: None

*Here is the command line output during testing:*

[13:37:28] [INFO] changes made by tampering scripts are not included in shown payload content(s)
[13:37:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: Apache, ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5
[13:37:28] [INFO] fetching current user
[13:37:28] [INFO] retrieving the length of query output
[13:37:28] [INFO] retrieved:
[13:37:32] [INFO] resumed: x?
current user: 'x?'
[13:37:32] [INFO] fetching current database
[13:37:32] [INFO] retrieving the length of query output
[13:37:32] [INFO] retrieved: 8
[13:38:32] [INFO] retrieved: ??n x^}h
current database: '??nx^}h'
[13:38:32] [INFO] testing if current user is DBA
[13:38:32] [INFO] fetching current user
[13:38:32] [INFO] retrieving the length of query output
[13:38:32] [INFO] retrieved: 6
[13:38:58] [WARNING] there was a problem decoding value '??????' from expected hexadecimal form
current user is DBA: None
[13:38:58] [INFO] fetching database users
[13:38:58] [INFO] fetching number of database users
[13:38:58] [INFO] retrieved: 48
[13:39:08] [CRITICAL] unable to retrieve the number of database users
[13:39:08] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 23 times

[*] shutting down at 13:39:08
|
From: Miroslav S. <mir...@gm...> - 2012-05-30 05:37:14
|
Hi.

It's probably a bug. Will check it and report back.

Kind regards,
Miroslav Stampar

On May 29, 2012 9:21 PM, "Artjom" <shi...@gm...> wrote:
> Not sure if it's an issue or I am doing something wrong. The site requires
> basic auth. If I use "-u" and specify just one url, everything works.
> However if I use "-m" auth fails.
>
> Did I miss something in man?
>
> Artjom
|
From: Miroslav S. <mir...@gm...> - 2012-05-30 05:35:19
|
Hi Iago.

Sorry, but there is none. I would like to know if others would change that one too (or maybe put an --exact switch)?

Kind regards,
Miroslav Stampar

On May 29, 2012 10:02 PM, "Iago Sousa" <146...@gm...> wrote:
> Hello there,
> So, whenever I want to dump any information from the server in sqlmap, the
> program asks me whether I want 'as like' or 'as exact' column names.
>
> How do I set 'as exact column name' as the default?
>
> --
> Regards,
> Iago Sousa
|
From: Iago S. <146...@gm...> - 2012-05-29 18:01:28
|
Hello there,

So, whenever I want to dump any information from the server in sqlmap, the program asks me whether I want 'as like' or 'as exact' column names.

How do I set 'as exact column name' as the default?

--
Regards,
Iago Sousa
|
From: Artjom <shi...@gm...> - 2012-05-29 17:21:12
|
Not sure if it's an issue or I am doing something wrong. The site requires basic auth. If I use "-u" and specify just one url, everything works. However if I use "-m" auth fails. Did I miss something in man? Artjom |
From: Miroslav S. <mir...@gm...> - 2012-05-29 07:16:59
|
Hi Marco.

Thank you for your advice. You are probably talking about BOOLEAN based technique. Now, we've chosen an approach that will be most optimal from coding aspect. Also, currently other techniques (error and union) are used far more often than inference ones (boolean and time-based).

Why is that an optimal approach? Because in boolean technique in multithreading mode sqlmap is using a generic retrieval of any SQL query result - 1) retrieve result length 2) distribute among multiple threads. Now, doing something like lots of 1s and do multithreaded lots of 2s would screw our internal approach. Believe me, this all has to be VERY generic to work on all DBMSes for all cases.

Implementing your approach would just put too much effort (rewriting whole sqlmap, not just that enumeration of table names) with too little positive effects.

Kind regards,
Miroslav Stampar

On Tue, May 29, 2012 at 9:02 AM, Marco Mirandola <mm...@gm...> wrote:
> Great Miroslav
>
> I give you some advice on optimizing the use of multithreads...
>
> Currently in multi threads sqlMap works like this:
> - To enum tables (1 thread)
> - Retrieve length table 'I' (1 thread)
> - Retrieve name table 'I' (multiple threads)
> - Retrieve length table 'II' (1 thread)
> - Retrieve name table 'II' (multi-threads)
> - Retrieve length table 'III' (1 thread)
> - Retrieve name table 'III' (multi-threads)
> ...
> - Retrieve length table 'n' (1 thread)
> - Retrieve name table 'n' (multiple threads)
>
> when working on a single thread latency is too much, you could optimize it:
> - To enum tables (1 thread)
> *- Retrieve the length of all tables (multi-threads)*
> - Retrieve name table 'I' (multiple threads)
> - Retrieve name table 'II' (multi-threads)
> - Retrieve name table 'III' (multi-threads)
> ...
> - Retrieve name table 'n' (multiple threads)
>
> Best regards 8-D

--
Miroslav Stampar
http://about.me/stamparm
|
From: Marco M. <mm...@gm...> - 2012-05-29 07:02:28
|
Great Miroslav

I give you some advice on optimizing the use of multithreads...

Currently in multi threads sqlMap works like this:
- To enum tables (1 thread)
- Retrieve length table 'I' (1 thread)
- Retrieve name table 'I' (multiple threads)
- Retrieve length table 'II' (1 thread)
- Retrieve name table 'II' (multi-threads)
- Retrieve length table 'III' (1 thread)
- Retrieve name table 'III' (multi-threads)
...
- Retrieve length table 'n' (1 thread)
- Retrieve name table 'n' (multiple threads)

when working on a single thread latency is too much, you could optimize it:
- To enum tables (1 thread)
*- Retrieve the length of all tables (multi-threads)*
- Retrieve name table 'I' (multiple threads)
- Retrieve name table 'II' (multi-threads)
- Retrieve name table 'III' (multi-threads)
...
- Retrieve name table 'n' (multiple threads)

Best regards 8-D
|
From: Miroslav S. <mir...@gm...> - 2012-05-28 16:32:55
|
Hi Patrick.

This is a known/reported issue a month old. It's related to Python's problems connecting to newer SSL/TLS versions. We have it on our TODO list for further research. It would be helpful if you could send a site with those characteristics.

Kind regards,
Miroslav Stampar

On Mon, May 28, 2012 at 4:22 PM, Patrick Webster <pa...@au...> wrote:
> Hi Miroslav / Bernardo,
>
> Just come up against a host that refuses to talk SSL - TLS only :)
>
> It would seem sqlmap does ssl only?
>
> Thanks,
> -Patrick

--
Miroslav Stampar
http://about.me/stamparm
|