Thread: [sqlmap-users] Match ratio threshold too low by default?
From: Matthijs K. <mat...@st...> - 2010-08-09 11:15:42
(Please CC me, I'm not subscribed)

Hi folks,

I've just been fiddling around with sqlmap a bit, and I had some problems with sqlmap claiming that some parameter is not dynamic, while I'm certain it is.

After a bit of sourcegrepping, I found that the dynamicness is tested using a comparison with a threshold. In my particular case, the parameter was dynamic, but affected the resulting page only in a single small spot. The comparator therefore said the similarity ratio was 0.996, whereas less than 0.9 is required.

This 0.9 is currently hardcoded in MATCH_RATIO in core/settings.py, though there is a comment to make this a commandline option. Doing this would probably increase the utility of sqlmap for cases such as mine. However, to actually let users know about this option and how it can help, the "is not dynamic" error message should probably include the actual ratio and a hint to this new commandline option.

I hope you can get this change into a next version.

Gr.

Matthijs
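
The effect described in the message above, as an added example that is not part of the original post and is not sqlmap's code: it assumes a line-based `difflib.SequenceMatcher` comparison and a constructed 250-line page in which the parameter changes a single line. The names `check_dynamic`, `DynamicCheck` and `build_page` are hypothetical; 0.9 and 0.999 are the two threshold values quoted in this thread.

```python
import difflib
from dataclasses import dataclass


@dataclass
class DynamicCheck:
    ratio: float    # similarity of the two responses, 1.0 means identical
    dynamic: bool   # True when the ratio fell below the threshold
    changed: list   # (line number, old text, new text) per differing region
    message: str    # report that includes the measured ratio


def check_dynamic(original: str, modified: str, threshold: float) -> DynamicCheck:
    """Compare two responses line by line and classify the parameter."""
    a, b = original.splitlines(), modified.splitlines()
    # autojunk=False: do not let difflib discard frequently repeated lines
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    ratio = matcher.ratio()
    changed = [
        (i1 + 1, "\n".join(a[i1:i2]), "\n".join(b[j1:j2]))
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]
    dynamic = ratio < threshold
    verdict = "dynamic" if dynamic else "not dynamic"
    message = (f"parameter appears {verdict}: ratio {ratio:.3f} vs threshold "
               f"{threshold} ({len(changed)} differing region(s))")
    return DynamicCheck(ratio, dynamic, changed, message)


def build_page(param_value: str, rows: int = 250) -> str:
    """Constructed sample: a 250-line page where the parameter shows up once."""
    lines = [f"<tr><td>row {i}</td></tr>" for i in range(rows)]
    lines[120] = f"<td>selected id: {param_value}</td>"
    return "\n".join(lines)


if __name__ == "__main__":
    page_1, page_2 = build_page("1"), build_page("2")
    for threshold in (0.9, 0.999):  # the two values mentioned in the thread
        print(check_dynamic(page_1, page_2, threshold).message)
```

With one changed line out of 250 the ratio is 2 * 249 / 500 = 0.996, so the same pair of responses is classed as not dynamic at 0.9 and as dynamic at 0.999; reporting the ratio and the differing region makes the cause visible.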
From: Miroslav S. <mir...@gm...> - 2010-08-09 22:47:02
On Mon, Aug 9, 2010 at 12:51 PM, Matthijs Kooijman <mat...@st...> wrote:
> (Please CC me, I'm not subscribed)
>
> Hi folks,
>
> I've just been fiddling around with sqlmap a bit, and I had some
> problems with sqlmap claiming that some parameter is not dynamic, while
> I'm certain it is.
>
> After a bit of sourcegrepping, I found that the dynamicness is tested
> using a comparison with a threshold. In my particular case, the
> parameter was dynamic, but affected the resulting page only in a single
> small spot. The comparator therefore said the similarity ratio was
> 0.996, whereas less than 0.9 is required.
>
> This 0.9 is currently hardcoded in MATCH_RATIO in core/settings.py,
> though there is a comment to make this a commandline option.

Hi.

Everything is clear here, but one thing. Could you please point me to the part (file and line number) where (or was) "there is a comment to make this a commandline option"?

Kind regards.

> Doing this
> would probably increase the utility of sqlmap for cases such as mine.
> However, to actually let users know about this option and how it can
> help, the "is not dynamic" error message should probably include the
> actual ratio and a hint to this new commandline option.
>
> I hope you can get this change into a next version.
>
> Gr.
>
> Matthijs

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
From: Matthijs K. <mat...@st...> - 2010-08-10 06:42:54
Hi Miroslav,

> Everything is clear here, but one thing. Could you please point me to
> the part (file and line number) where (or was) "there is a comment to
> make this a commandline option"?

From /usr/share/sqlmap/lib/core/settings.py:

    # TODO: port to command line/configuration file options?
    SECONDS = 5
    RETRIES = 3
    MATCH_RATIO = 0.999

Gr.

Matthijs
From: Miroslav S. <mir...@gm...> - 2010-08-10 14:13:26
Dear Matthijs.

There is no such thing in there. I double checked all revisions. So, you've probably done something wrong.

As there is a possibility that sun has burned my brains these days, please send a description how you've reached that version with that TODO comment and I'll gladly try to reproduce it.

Best regards.

p.s. Have you considered a possibility that you've written it there (locally) by yourself?

On Tue, Aug 10, 2010 at 8:42 AM, Matthijs Kooijman <mat...@st...> wrote:
> Hi Miroslav,
>
>> Everything is clear here, but one thing. Could you please point me to
>> the part (file and line number) where (or was) "there is a comment to
>> make this a commandline option"?
> From /usr/share/sqlmap/lib/core/settings.py:
>
>
> # TODO: port to command line/configuration file options?
> SECONDS = 5
> RETRIES = 3
> MATCH_RATIO = 0.999
>
> Gr.
>
> Matthijs

--
Miroslav Stampar
From: Matthijs K. <mat...@st...> - 2010-08-10 15:39:16
Hi Miroslav,

> As there is a possibility that sun has burned my brains these days,
> please send a description how you've reached that version with that
> TODO comment and I'll gladly try to reproduce it.

This is from the 0.6.4 Debian package. I've checked the source package, it's in there as well, and there seem to be no relevant Debian specific patches.

I tried to have a look around in your SVN repository, but there's no online browse tool, and access was denied to anything but trunk, so I didn't spend much time on that.

> p.s. Have you considered a possibility that you've written it there
> (locally) by yourself?

Yup, I'm sure of that.

One more look at request.py in trunk, shows that this todo was just implemented by someone already:

https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/request/comparison.py

I'm not completely sure what the new code does (there seems to be some ratio auto-detection) and if it would adequately handle my case (with a very small change), so perhaps someone can have a look at that.

Gr.

Matthijs
From: Miroslav S. <mir...@gm...> - 2010-08-10 19:54:55
Ok. Now we look at the same code. That conf.matchRatio is a setting we use now for MATCH_RATIO you mentioned before.

All in all, now if you check out latest development version from our repository (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev), you'll see that there is a new option --ratio which is exactly what you requested.

Best regards

On Tue, Aug 10, 2010 at 5:39 PM, Matthijs Kooijman <mat...@st...> wrote:
> Hi Miroslav,
>
>> As there is a possibility that sun has burned my brains these days,
>> please send a description how you've reached that version with that
>> TODO comment and I'll gladly try to reproduce it.
> This is from the 0.6.4 Debian package. I've checked the source package,
> it's in there as well, and there seem to be no relevant Debian specific
> patches.
>
> I tried to have a look around in your SVN repository, but there's no
> online browse tool, and access was denied to anything but trunk, so I
> didn't spend much time on that.
>
>> p.s. Have you considered a possibility that you've written it there
>> (locally) by yourself?
> Yup, I'm sure of that.
>
> One more look at request.py in trunk, shows that this todo was just
> implemented by someone already:
>
> https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/request/comparison.py
>
> I'm not completely sure what the new code does (there seems to be some
> ratio auto-detection) and if it would adequately handle my case (with a
> very small change), so perhaps someone can have a look at that.
>
> Gr.
>
> Matthijs

--
Miroslav Stampar