Thread: [sqlmap-users] --randomize not respected during warm up?
From: Brandon P. <bpe...@gm...> - 2017-02-27 22:28:55
Hi, testing --randomize for the first time.

I have an injection that is certainly boolean-injectable as I can exploit by hand, but the content of the response can change if the url requested seems to have been hit before.

For instance, if I do GET /fdsa/1%20or%201=1, 100 bytes are returned. If I do it again, I get 150 bytes back from now on.

If I append a garbage HTTP parameter and randomize the value in the parameter, I always get 100 bytes back.

It's a weird injection, but sqlmap seems to think that the page contents is changing during warm-up, even if I append a garbage parameter and tell --randomize to randomize it.

[16:20:14] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on

I have verified by hand that changing the HTTP parameter value each request results in the same data from the injection being returned from the server. It seems --randomize isn't being respected in the very beginning.

Any thoughts? Hopefully this makes sense.
From: Brandon P. <bpe...@gm...> - 2017-02-27 23:32:26
> On Feb 27, 2017, at 4:28 PM, Brandon Perry <bpe...@gm...> wrote:
> [...]

Doing testing through burp suite, I see that the HTTP parameter is indeed randomized, so I am not sure what's up yet.
From: Miroslav S. <mir...@gm...> - 2017-02-28 12:12:54
Hi.

It goes like this. Parameter is randomized, BUT, the parameter value holds the original form. This means that if your parameter is single digit, the following request will be a random value chosen from the [0-9]. This basically means that there is a chance that the following "random" value could be the same as the last one AND that you'll soon be left without any new values (after avg. 8-9 requests).

Hence, use some larger "original" value for that same parameter you want to randomize :)

Bye

On Tue, Feb 28, 2017 at 12:32 AM, Brandon Perry <bpe...@gm...> wrote:
> [...]
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
From: Miroslav S. <mir...@gm...> - 2017-02-28 12:18:01
p.s. with the latest commit I've (at least) prevented that the last value is the same as the following "randomized" (e.g. original 1 -> random 1 <- because, this one is chosen as randint(1,9) and there was a chance that it will get the original value)

On Tue, Feb 28, 2017 at 1:12 PM, Miroslav Stampar <mir...@gm...> wrote:
> [...]

--
Miroslav Stampar
http://about.me/stamparm
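A small model of the behaviour described in the two replies above (the randomized value keeps the original's form, and the follow-up adds a guard against returning the same value again), written as an added example for this thread; it is not sqlmap's own code, and the function names, the bounded redraw and the simulation are assumptions:

```python
import random
import string

# Model of the --randomize behaviour Miroslav describes: the new value keeps
# the "form" of the original (a digit stays a digit, a letter stays a letter,
# length is unchanged), so a one-digit original can only ever yield ten
# distinct values. Added illustration for this thread, not sqlmap's own code.

def randomize_value(original, rng=None, avoid_previous=True):
    """Same-shape random value; with avoid_previous it differs from the
    input whenever a different value is possible (the guard in the p.s.)."""
    if rng is None:
        rng = random.Random()
    def one_draw():
        out = []
        for ch in original:
            if ch.isdigit():
                out.append(rng.choice(string.digits))
            elif ch.isupper():
                out.append(rng.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(rng.choice(string.ascii_lowercase))
            else:
                out.append(ch)  # separators such as '-' are kept as they are
        return "".join(out)

    candidate, attempts = one_draw(), 0
    while avoid_previous and candidate == original and attempts < 100:
        candidate, attempts = one_draw(), attempts + 1  # redraw, bounded
    return candidate

def value_space(original):
    """How many distinct values --randomize can produce for this shape."""
    size = 1
    for ch in original:
        size *= 10 if ch.isdigit() else 26 if ch.isalpha() else 1
    return size

def requests_until_repeat(original, seed):
    """Send the original, then keep randomizing the previous value; return
    the request number at which an already-sent value comes back. For a
    one-digit original that is at most 11 (pigeonhole), usually much sooner."""
    rng = random.Random(seed)
    seen, value, count = {original}, original, 1
    while True:
        value = randomize_value(value, rng)
        count += 1
        if value in seen:
            return count
        seen.add(value)
```

`value_space` makes the advice in the thread concrete: a one-digit garbage parameter has ten possible values, while something like `abC-12` has 26**3 * 100, so the warm-up requests stop colliding.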