Thread: [sqlmap-users] suggestion - per character verify option
Brought to you by:
inquisb
From: Steve P. <ste...@gm...> - 2011-01-17 23:17:21
First off, I'm loving the newest versions of sqlmap. It's even better than ever, and by far my favourite tool in the space.

Now that time-based injection is better supported, one of the side effects is that the quality of results has gone down for me. For example on a site I'm testing, the banner results are:

Microsoft SQL Seryer 2008 (RTM) - 10.0A1600.22 (X64)

Where it should probably be

Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64)

And this is with a 20 second delay!

One way to increase the quality with little speed overhead would be an option to verify the character result of the blind binary search using an equals query and restarting just that character if the answer is not correct.

This should only add one request per character, and be much more time efficient than using a longer delay, using a safe url in between every request, or other mitigations that would increase the result quality at higher cost.

Any thoughts?

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
From: Miroslav S. <mir...@gm...> - 2011-01-17 23:31:43
Hi Steve.

We can consider some mechanisms to improve it, but first of all keep it real.

We are talking about a most delicate sql injection technique which is highly prone to "outside entropy". Its precision is directly inversely proportional to the time needed to retrieve all data, and nobody wants to wait for some "useful" data "too long".

So, IMHO, I am aware that here and there some character can go wrong (either caused by the line used or some change of the web server's load) but still info retrieved is prone to personal filtration (in this case everybody is aware that that 'A' there is a junk character).

KR

On Tue, Jan 18, 2011 at 12:17 AM, Steve Pinkham <ste...@gm...> wrote:
> One way to increase the quality with little speed overhead would be an
> option to verify the character result of the blind binary search using
> an equals query and restarting just that character if the answer is not
> correct.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
From: Miroslav S. <mir...@gm...> - 2011-01-17 23:34:41
...but still, I must say that this is quite a good idea:

"One way to increase the quality with little speed overhead would be an option to verify the character result of the blind binary search using an equals query and restarting just that character if the answer is not correct."

and we'll try to implement it

kr
From: Andres R. <and...@gm...> - 2011-01-18 10:48:38
+1 !

--
Andres Riancho

On Jan 17, 2011 8:34 p.m., "Miroslav Stampar" <mir...@gm...> wrote:
> ...but still, i must say that this is quite good idea: "One way to
> increase the quality with little speed overhead would be an option to
> verify the charac... and we'll try to implement it
From: Miroslav S. <mir...@gm...> - 2011-01-31 16:09:07
Hi.

Implemented (r3154).

Now every character retrieved via time-based inference is "fast" verified after it has been retrieved (if unequal there is a time delay and the retrieval is repeated for that character). That "validation" is also prone to errors, but I must admit that with it the quality of data retrieval (in time-based techniques) is going way up.

KR

On Tue, Jan 18, 2011 at 12:34 AM, Miroslav Stampar <mir...@gm...> wrote:
> ...but still, i must say that this is quite good idea:
>
> "One way to increase the quality with little speed overhead would be an
> option to verify the character result of the blind binary search using
> an equals query and restarting just that character if the answer is not
> correct."
>
> and we'll try to implement it
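To make the trade-off in this thread concrete, here is a constructed simulation (added here, not sqlmap's code) of the per-character bisection plus the one-request equality check: a scripted oracle answers the yes/no questions, and the request numbers in `flip_at` (an assumption standing in for a misread time-based response) show how a single bad answer corrupts a character, how verification repairs it at the cost of one extra request per character, and how the verification answer itself can be fooled.

```python
"""Per-character verification for time-based inference: a simulation.

Constructed example for this thread; it is not sqlmap's code.  There is no
SQL or network here: NoisyOracle stands in for the injected yes/no question
("is the character at position p greater than X?" / "equal to X?") and the
scripted fault pattern in `flip_at` models an answer that came back wrong.
"""
from dataclasses import dataclass

LO, HI = 32, 127  # ASCII code range bisected for every character


@dataclass
class NoisyOracle:
    secret: str                        # value being retrieved (constructed)
    flip_at: frozenset = frozenset()   # request numbers whose answer is inverted
    requests: int = 0                  # requests sent so far

    def _answer(self, truth: bool) -> bool:
        self.requests += 1
        # A flipped answer models a delayed or lost response being misread.
        return (not truth) if self.requests in self.flip_at else truth

    def greater_than(self, pos: int, code: int) -> bool:
        return self._answer(ord(self.secret[pos]) > code)

    def equals(self, pos: int, code: int) -> bool:
        return self._answer(ord(self.secret[pos]) == code)


def bisect_char(oracle: NoisyOracle, pos: int) -> str:
    """Blind binary search over [LO, HI]: about 7 requests per character."""
    lo, hi = LO, HI
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.greater_than(pos, mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)  # one wrong answer at any step lands on a wrong character


def retrieve(oracle: NoisyOracle, length: int, verify: bool = False,
             max_retries: int = 3) -> str:
    """Retrieve `length` characters.  With verify=True each bisection result
    is confirmed by one equality request and the search for just that
    character is restarted (a bounded number of times) on a mismatch."""
    out = []
    for pos in range(length):
        ch = bisect_char(oracle, pos)
        retries = 0
        while (verify and retries < max_retries
               and not oracle.equals(pos, ord(ch))):
            ch = bisect_char(oracle, pos)   # redo only this character
            retries += 1
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed fault pattern: requests 3 and 20 come back inverted.
    for verify in (False, True):
        o = NoisyOracle("Server", flip_at=frozenset({3, 20}))
        got = retrieve(o, len(o.secret), verify=verify)
        print(f"verify={verify!s:5}  result={got!r:10}  requests={o.requests}")
```

A flip on the equality request itself (request 8 for a one-character secret) either wastes a full re-search on a correct character or, combined with a flip during the search, accepts the wrong one, which is the residual error the implementer's reply warns about.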
From: Andres R. <and...@gm...> - 2011-01-31 16:13:08
On Mon, Jan 31, 2011 at 1:08 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Implemented (r3154).

You guys rock.

> Now every character retrieved via time-based inference is "fast"
> verified after it has been retrieved (if unequal there is a time delay
> and the retrieval is repeated for that character). That "validation"
> is also prone to errors, but I must admit that with it quality of data
> retrieval (in time based techniques) is going way up.
>
> KR

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
From: Miroslav S. <mir...@gm...> - 2011-01-31 16:19:17
:)

On Mon, Jan 31, 2011 at 5:12 PM, Andres Riancho <and...@gm...> wrote:
> On Mon, Jan 31, 2011 at 1:08 PM, Miroslav Stampar
> <mir...@gm...> wrote:
>> Implemented (r3154).
>
> You guys rock.
From: Steve P. <ste...@gm...> - 2011-01-31 16:49:21
On 01/31/2011 11:08 AM, Miroslav Stampar wrote:
> Hi.
>
> Implemented (r3154).
>
> Now every character retrieved via time-based inference is "fast"
> verified after it has been retrieved (if unequal there is a time delay
> and the retrieval is repeated for that character). That "validation"
> is also prone to errors, but I must admit that with it quality of data
> retrieval (in time based techniques) is going way up.
>
> KR

Awesome work, thanks.

We're about to push out the next revision of our Web Security Dojo project which includes the latest SVN version of sqlmap.

Are there any show-stoppers you are aware of in r3157 that I should wait for a version in the near future instead?
From: Bernardo D. A. G. <ber...@gm...> - 2011-01-31 16:55:17
If you can hold on a week that would be better as we are in the process of fixing some major bugs these days.

Bernardo Damele A. G.
This message was sent from a smartphone

On 31 Jan 2011, at 16:50, Steve Pinkham <ste...@gm...> wrote:
> We're about to push out the next revision of our Web Security Dojo
> project which includes the latest SVN version of sqlmap.
>
> Are there any show-stoppers you are aware of in r3157 that I should wait
> for a version in the near future instead?