Eric,
On Fri, Nov 6, 2009 at 2:23 PM, Eric H <eri...@gm...> wrote:
> I'm not terribly experienced with Python or I'd implement this myself - it
> seems like it would be very simple.
>
> During brute-force blind SQL injection (while enumerating a single character
> at a time), I frequently know what the DB/table/column name is within the
> first 3 or 4 characters or have a pretty good idea what the next character
> is.
>
> During that input loop, if the program were simply to accept keyboard input,
> tag that character and immediately try that specific character on the next
> iteration... It would double or triple the speed I could enumerate table
> values WHILE decreasing the load on the server during testing. Relying on
> the good old fashioned human pattern matching is a low-tech solution, but
> seems to have a high reward for a small amount of work.
>
> I'll eat my shoe if this feature is already implemented and I just missed
> it.
This is already implemented in the sqlmap modification that I did for
w3af. If you want you can take it from there,
Cheers,
> Thanks!
>
> Eric
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
|
