Thread: [sqlmap-users] redirection handling
From: buawig <bu...@gm...> - 2012-03-13 17:10:53
Hi,

when testing URLs that result in redirects sqlmap offers three possibilities:

[1] Follow the redirection (default)
[2] Stay on the original page
[3] Ignore

If I answer with

> 2

or with

> 3

it still sends requests to the URL found in the Location: header.

Is there a way to prevent these requests to the URL specified in the Location: header?

sqlmap should only query the URL specified in the -u parameter and analyze the responses - no follow-up requests.

thanks,
buawig
From: Miroslav S. <mir...@gm...> - 2012-03-14 14:16:48
Hi.

To sum things up here:

1) "Follow the redirection" should be clear what it does
2) "Stay on the original page" uses the original URL and jumps there (useful if there were some changes resulting in changes on the original page - e.g. some session cookie was set resulting in "differentiation" of the original page)
3) "Ignore" uses the redirection page itself (usually blank or a simple one with few lines) as the one for extracting the results (useful for boolean-based injections as those pages are usually dramatically different from the originals)

About the "no follow-up requests": there are indeed lots of cases when it's useful to just imitate what a browser does - follow the redirection to whatever destination it goes. Also, "Ignore" should be suitable for your case when you don't want sqlmap to follow the redirection.

Also, with the latest revision (r4864), -t traffic.txt should work properly with that [3] Ignore option (no more non-existing requests).

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: buawig <bu...@gm...> - 2012-03-14 17:45:13
> Also, "Ignore" should be suitable for your
> case when you don't want sqlmap to follow the redirection.

This still does not work for me.
If I choose "[3] Ignore", sqlmap still sends requests to the redirection Location.
There are even scenarios where sqlmap doesn't detect an SQLi due to this behaviour, if the content on redirection site A is the same as the content on redirection site B.
I worked around this issue by creating a static DNS entry for site B + putting some random stuff on the requested redirection page (just so that sqlmap sees a difference between A and B).

I'm using r4864.
From: Miroslav S. <mir...@gm...> - 2012-03-14 19:26:51
Found a problematic part. Will fix it tomorrow.

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2012-03-15 12:41:47
Hi buawig.

Could you please retry it now with the latest revision (r4874)?

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: buawig <bu...@gm...> - 2012-03-15 18:57:27
Hi Miroslav,

> Could you please retry it now with the latest revision (r4874)?

now with r4882, sqlmap doesn't make any follow-up requests anymore when choosing [3] Ignore.
It is not able to retrieve data (blind), but when providing info via the --string option data retrieval works fine.

thanks!
From: Miroslav S. <mir...@gm...> - 2012-03-15 20:04:13
Hi again.

Could you please retry it now with the latest r4884? There were a few related fixes in the meantime.

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm
From: buawig <bu...@gm...> - 2012-03-15 23:47:52
Hi Miroslav,

> Could you please retry it now with the latest r4884? There were a few related
> fixes in the meantime.

I tested r4884, but it still needs --string to retrieve data, if this was what you were asking for.

kind regards
From: Bernardo D. A. G. <ber...@gm...> - 2012-03-16 17:27:48
Hi,

Could you update now and send full output of -v3 -t traffic.log masking sensible data? This would help us to debug this potential comparison issue as we are pretty confident that it is not 302 redirect related anymore.

Thank you.

Bernardo

--
Bernardo Damele A. G.
Homepage: http://about.me/inquis
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
From: buawig <bu...@gm...> - 2012-03-16 21:46:12
> Could you update now and send full output of -v3 -t traffic.log
> masking sensible data? This would help us to debug this potential
> comparison issue as we are pretty confident that it is not 302
> redirect related anymore.

Hi,
I'm sorry but I no longer have access to the tested system, but there were three different possible locations in the response to detect the difference:

1. 'Location' HTTP header: present but empty vs. present and non-empty
2. 'Content-Length' HTTP header: length A vs. length B
3. Body: <a href=""> vs. <a href="http://...">

hope this helps
From: Bernardo D. A. G. <ber...@gm...> - 2012-03-19 14:36:42
Hi,

In your case, --null-connection might have worked (comparison based on the "Content-Length" header). If the body has such a minimal difference between True and False, the sqlmap algorithm is not (yet) able to pick this up, therefore comparison based upon --string or other detection switches is necessary. We are working on improving the detection engine.

Bernardo

--
Bernardo Damele A. G.
Homepage: http://about.me/inquis
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
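An added illustration of the comparison problem discussed above: why the three differences buawig listed (Location header, Content-Length, one href in the body) each separate the two responses, while a generic body-similarity heuristic does not. This is example code written for this thread, not sqlmap's detection engine; the two 302 responses, the example.test host and the 0.98 similarity threshold are constructed assumptions.

```python
import difflib

# Constructed 302 responses modelled on the thread's report (sample data,
# not captured traffic): same status, Location empty vs. set, and bodies
# that are identical except for a single href attribute inside a long page.
_PAGE = ("<html><body>" + "<p>filler paragraph</p>" * 60
         + '<a href="%s">next</a></body></html>')
TRUE_RESP = {"status": 302,
             "headers": {"Location": "http://example.test/home"},
             "body": _PAGE % "http://example.test/home"}
FALSE_RESP = {"status": 302,
              "headers": {"Location": ""},
              "body": _PAGE % ""}
for _r in (TRUE_RESP, FALSE_RESP):
    _r["headers"]["Content-Length"] = str(len(_r["body"]))


def body_ratio(a: str, b: str) -> float:
    """Similarity of two bodies; autojunk off so long pages are compared fully."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def differs_by_ratio(r1, r2, threshold=0.98) -> bool:
    """Generic heuristic (assumed threshold): bodies count as different only
    when their similarity ratio drops below the threshold. A ~24-byte change
    in a ~1.4 KB page stays above it, so the pages look 'the same'."""
    return body_ratio(r1["body"], r2["body"]) < threshold


def differs_by_content_length(r1, r2) -> bool:
    """--null-connection style check: compare Content-Length, never the body."""
    return r1["headers"].get("Content-Length") != r2["headers"].get("Content-Length")


def differs_by_string(r1, r2, needle: str) -> bool:
    """--string style check: a marker that appears in exactly one of the bodies."""
    return (needle in r1["body"]) != (needle in r2["body"])


def differs_by_header(r1, r2, name: str) -> bool:
    """Header-based check (buawig's first candidate): empty vs. non-empty value."""
    return bool(r1["headers"].get(name)) != bool(r2["headers"].get(name))


def which_heuristics_distinguish(r1, r2, needle: str) -> dict:
    """Report which comparison strategies tell the two responses apart."""
    return {"ratio": differs_by_ratio(r1, r2),
            "content_length": differs_by_content_length(r1, r2),
            "string": differs_by_string(r1, r2, needle),
            "location_header": differs_by_header(r1, r2, "Location")}


if __name__ == "__main__":
    print(round(body_ratio(TRUE_RESP["body"], FALSE_RESP["body"]), 4))
    print(which_heuristics_distinguish(TRUE_RESP, FALSE_RESP, 'href="http://'))
```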