Miroslav Stampar wrote:
> quote from that same paragraph:
> 
> "
> 10.5.5 504 Gateway Timeout
> 
>    The server, while acting as a gateway or proxy, did not receive a
>    timely response from the upstream server specified by the URI (e.g.
>    HTTP, FTP, LDAP) or some other auxiliary server (e.g. DNS) it needed
>    to access in attempting to complete the request.
> "
> 
> it clearly says that 504 is a general timeout without specific
> "cause". it says that it can be caused by remote server, DNS,...

Yes I read the paragraph that I linked. ;)


> thing is that we don't know what's causing it (neither that 504 says
> the source as stated from that paragraph) and we need to treat it as
> any other timeout. also, i don't see any problems with that approach.

You probably misunderstood me or I was not clear enough.
The important thing was
"the response came not from the upstream target specified in -u and
should not be interpreted as such"

If sqlmap would treat 504 'as any other timeout' then I wouldn't have
posted the link because that is what I'm expecting - sqlmap should treat
504 like timeouts, but it does not seem to treat it as a timeout at all:

test on a _non_ existing domain with proxy while the proxy returns 504
+html page (status page):

[INFO] testing connection to the target url
[INFO] heuristics detected web page charset 'ascii'
[WARNING] the web server responded with an HTTP error code which could
interfere with the results of the tests
[INFO] testing if the url is stable, wait a few seconds
[WARNING] url is not stable, sqlmap will base the page comparison on a
sequence matcher. If no dynamic nor injectable parameters are detected,
or in case of junk results, refer to user's manual paragraph 'Page
comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]

From this output I guess sqlmap interprets the html page from the proxy
(504 status page) as if it were the page from the target and starts
testing. The question is, why does it start testing when it doesn't
reach the target?

It probably should look like this:

[INFO] testing connection to the target url
[CRITICAL] unable to connect to the target url (504 - Gateway Timeout),
sqlmap is going to retry the request
[CRITICAL] unable to connect to the target url (504 - Gateway Timeout),
sqlmap is going to retry the request

[*] shutting down...

sqlmap should not interpret the html page from the proxy as an html page
from a target if the proxy returns 504 (the reason does not really matter).


In future everyone will return 504 to avoid sqlmap scans ;)
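
The behaviour requested in the message above, as an added example that is not part of the original post and is not sqlmap's code: a connection check that retries when the proxy answers with a gateway error and never returns the proxy's status page as if it were the target's page. The names `fetch_via_proxy`, `check_connection` and `TargetUnreachable` are hypothetical, and including 502 next to 504 is an assumption that goes beyond the case discussed in the thread.

```python
import urllib.error
import urllib.request

# Codes a gateway/proxy generates itself when it gets no usable answer from
# upstream (RFC 2616 10.5.3 and 10.5.5). The body is the proxy's status page.
# 502 is an assumption added here; the thread only discusses 504.
GATEWAY_ERRORS = {502: "Bad Gateway", 504: "Gateway Timeout"}


class TargetUnreachable(Exception):
    """Every attempt was answered by the proxy, not by the target."""


def fetch_via_proxy(url, proxy, timeout=10):
    """Return (status, body). urllib raises HTTPError for 4xx/5xx replies,
    so the error object is unpacked instead of being propagated."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_connection(fetch, retries=3, log=print):
    """Call fetch() up to `retries` times. Return (status, body) only for a
    reply that is not a gateway error; otherwise raise TargetUnreachable so
    the proxy's page is never used as the baseline for page comparison."""
    for _ in range(retries):
        status, body = fetch()
        if status not in GATEWAY_ERRORS:
            return status, body  # other codes (even 500) come from the target
        log("[CRITICAL] unable to connect to the target url (%d - %s), "
            "going to retry the request" % (status, GATEWAY_ERRORS[status]))
    raise TargetUnreachable("no reply from the target in %d attempts" % retries)


if __name__ == "__main__":
    # Constructed sample: the proxy answers 504 twice, then the target's 200.
    replies = iter([(504, b"<html>proxy status page</html>")] * 2
                   + [(200, b"<html>target page</html>")])
    print(check_connection(lambda: next(replies)))
```

Against a real proxy, pass `lambda: fetch_via_proxy(url, proxy)` as `fetch`.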

